opm render - Does not seem to allow multiple auth to the same registry #935
Comments
It looks like the in-process registry client used by I wonder if we could use what containerd/skopeo/buildah/podman use to perform authorization? This seems like the code that understands path-specific auth keys: https://github.com/containers/image/blob/main/pkg/docker/config/config.go
Hi @tonyskapunk, This is a valid use case that the command should support. Potentially updating the code to use the path-specific keys @joelanford mentioned is the correct approach. Since this would change the existing behavior, it would be more of a feature than a bug. We would look to implement it. The reason
+1 this is happening to me as well. Is there some workaround?
Hi @exdx, @joelanford, thanks both for looking into this.
Seems I got bit by this as well. I was wondering why my authorization wasn't working, but it seems it's because of multiple auths in the same file and
#919 (comment) is a workaround that works for me. I was even able to do it from within a
Hello! It's been a while since this was created, and was wondering if this is still considered to be added as a feature. And if there's any effort around this so far. Thanks!
This has not been prioritized to be done by any of the core contributors. We would happily accept a PR here if anyone is willing to work on it!
opm does not allow multiple authentications in the same registry, e.g. quay.io, quay.io/ns, quay.io/ns/repo as reported in operator-framework/operator-registry#935 The wrapper will split the auths and try one at a time to attempt the authentication. Change-Id: If7daa16647f295697a887585f7d03454ba5b1207
opm does not support multiple registry authentications, operator-framework/operator-registry#935 the opm-auths is a wrapper script that adds this support. Using the wrapper script in the places where opm is used to add that support Depends-on: 29331 Change-Id: I2eb8c3c688cdf28fe3cd2eb2a17d306f2ab9844a
@tonyskapunk I finally had some time to see if I could improve this. If you have a chance, would you be able to build
👋 @joelanford Thanks for taking the time to implement this, I'll happily give it a test and provide some feedback.
@joelanford I tested the changes and it seems to cover what was reported in here 🎉 Here is an example of the config and the diff levels used to test the
{
  "auths": {
    "quay.io": {
      "auth": "some-valid-creds-here"
    },
    "quay.io/some-ns": {
      "auth": "some-valid-creds-for-ns-here"
    },
    "quay.io/test-ns/test-image-bundle": {
      "auth": "some-valid-creds-for-test-ns-image-bundle"
    },
    "quay.io/test-ns": {
      "auth": "some-valid-creds-for-test-ns"
    }
  }
}
The opm-auths is a wrapper script provided by dci-openshift-agent that brings support for multi-entry registry authentication when using opm. The opm client lacked the functionality as reported in: operator-framework/operator-registry#935 But lately it was added in: operator-framework/operator-registry#1165 Now it is available in the stable ocp clients: https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable/
Currently opm render does not seem to allow multiple auth to the same registry in its auth file (~/.docker/config.json).
Say you have an auth file as this example:
Tools like podman, skopeo, buildah, or even opm index will allow entries like the above, following the order from more-specific to less specific. [1]
This is quite useful when using multiple credentials to different namespaces/images in a registry.
The current output obtained through opm render using a file like the above is:
While podman has no issues with it:
Please note that in the example above I'm using ~/.docker/config.json as currently there's no way to specify another file, but issue #919 has reported that.
[1] https://man.archlinux.org/man/community/containers-common/containers-auth.json.5.en#FORMAT
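The most-specific-to-least-specific lookup order discussed in this thread, as an added example that is not part of the original issue and is not code from opm or containers/image. It is a simplified model of path-scoped credential selection; the function names and the placeholder credential strings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// candidateKeys lists the auth-file keys that can cover an image reference,
// from most specific (full repository path) to least specific (registry host).
func candidateKeys(ref string) []string {
	ref = strings.SplitN(ref, "@", 2)[0] // drop a digest, if any
	// A ':' after the last '/' is a tag; one before it is a registry port.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	keys := []string{ref}
	for i := strings.LastIndex(ref, "/"); i >= 0; i = strings.LastIndex(ref, "/") {
		ref = ref[:i]
		keys = append(keys, ref)
	}
	return keys
}

// resolveAuth returns the key and credential of the most specific entry in
// auths that covers ref; ok is false when no entry applies.
func resolveAuth(auths map[string]string, ref string) (key, cred string, ok bool) {
	for _, k := range candidateKeys(ref) {
		if c, found := auths[k]; found {
			return k, c, true
		}
	}
	return "", "", false
}

// sampleAuths is constructed: same key layout as the config in this thread.
var sampleAuths = map[string]string{
	"quay.io":                           "cred-registry",
	"quay.io/some-ns":                   "cred-some-ns",
	"quay.io/test-ns":                   "cred-test-ns",
	"quay.io/test-ns/test-image-bundle": "cred-test-ns-bundle",
}

func main() {
	for _, ref := range []string{"quay.io/test-ns/test-image-bundle:v1", "quay.io/test-ns/other", "quay.io/other/img", "docker.io/library/busybox"} {
		k, _, ok := resolveAuth(sampleAuths, ref)
		fmt.Printf("%-38s key=%q matched=%v\n", ref, k, ok) // the credential is never printed
	}
}
```

Logging only the matched key, as `main` does, is a quick way to confirm that a narrowly scoped credential, rather than the registry-wide one, is selected for a given repository.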