Bump go-containerregistry, remove k8s-pkg-credentialprovider #431
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Move to cloud credential helpers recommended by GGCR: https://github.com/google/go-containerregistry/tree/main/pkg/authn#emulating-cloud-provider-credential-helpers
Signed-off-by: Joao Pereira <joaod@vmware.com>
Signed-off-by: Joao Pereira <joaod@vmware.com>
neil-hickey
approved these changes
Sep 1, 2022
| resp.Header().Set("Docker-Content-Digest", h.String()) | ||
| resp.WriteHeader(http.StatusCreated) | ||
| return nil | ||
| // check err type?? |
There was a problem hiding this comment.
a TODO? Or just thought? Looks like we are ignoring any error that the Mount() comes back with now.
There was a problem hiding this comment.
This is just a temporary pkg that we are waiting it to be merged in ggcr so we can remove it from imgpkg
Signed-off-by: Joao Pereira <joaod@vmware.com>
This was referenced Sep 2, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Move to cloud credential helpers recommended by GGCR:
https://github.com/google/go-containerregistry/tree/main/pkg/authn#emulating-cloud-provider-credential-helpers
We had to fix our test registry to reject mount requests properly with a 202 due to the changes in google/go-containerregistry#1388
Manually validated against GCP and Azure ambient credentials, both of them work and fail gracefully when access to the metadata server is blocked.
Based on the PR #409
Apart from the removal of the dependency on k8s-pkg-credentialprovider this PR also changes the default behavior of imgpkg. The keychains no longer get loaded by default, in order to load a particular keychain the environment variable
IMGPKG_ACTIVE_KEYCHAINSneeds to be set. The Keychains that are supported are:gkeEnabled access to the GKE authentication helpersaksEnabled access to the AKS authentication helpersecrEnabled access to the ECR authentication helpersgithubEnabled access to the Github authentication helpersTo enable multiple keychains you can provide them in a comma separated list like
export IMGPKG_ACTIVE_KEYCHAINS=gke,aks,ecr,githubThis PR also starts the deprecation process for the environment variable
IMGPKG_ENABLE_IAAS_AUTH. For now, if set to true, it is similar to doingexport IMGPKG_ACTIVE_KEYCHAINS=gke,aks,ecr,github. In the future, this flag will no longer be used.