From c372eb3b5d8a4d1a24e21409ab85448bdcac3944 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?=
Date: Mon, 12 Sep 2022 22:20:33 +0300
Subject: [PATCH] feat: add keychain instead of auth to fix different repository problem
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Batuhan Apaydın
---
 README.md | 5 +++++
 pkg/publish/default.go | 14 +++++++++-----
 pkg/publish/options.go | 35 +++++++++++------------------------
 3 files changed, 25 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md
index 16afc2a982..7efb0ca050 100644
--- a/README.md
+++ b/README.md
@@ -115,6 +115,11 @@ e.g.:
 - `KO_DOCKER_REPO=gcr.io/my-project`, or
 - `KO_DOCKER_REPO=my-dockerhub-user`
+`ko` will default to storing sboms in the same repo as the image it is building. But there is an environment variable
+named `COSIGN_REPOSITORY` that enables you to specify a different repository for storing sboms.
+
+`KO_DOCKER_REPO=my-dockerhub-user COSIGN_REPOSITORY=gcr.io/my-project/sboms`
+
 # Build an Image
 `ko build ./cmd/app` builds and pushes a container image, and prints the
diff --git a/pkg/publish/default.go b/pkg/publish/default.go
index b0f58cc994..cb58c47541 100644
--- a/pkg/publish/default.go
+++ b/pkg/publish/default.go
@@ -40,8 +40,8 @@ type defalt struct {
 base string
 t http.RoundTripper
 userAgent string
- auth authn.Authenticator
 namer Namer
+ keychain authn.Keychain
 tags []string
 tagOnly bool
 insecure bool
@@ -54,7 +54,7 @@ type defaultOpener struct {
 base string
 t http.RoundTripper
 userAgent string
- auth authn.Authenticator
+ keychain authn.Keychain
 namer Namer
 tags []string
 tagOnly bool
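Review bot: In the `defalt` struct the new `keychain` field is placed after `namer`, while the next hunk puts it before `namer` in `defaultOpener`, so the two parallel structs that used to mirror each other line by line no longer do. Putting it where `auth` was in both, `keychain  authn.Keychain` directly under `userAgent`, keeps them aligned and makes the one-to-one copy in `Open` easier to check. A short comment would also help since the field's purpose is only visible from `Publish` further down the patch: `keychain authn.Keychain // resolves registry credentials per push target`.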
@@ -67,8 +67,9 @@ type Namer func(string, string) string
 // identity is the default namer, so import paths are affixed as-is under the repository
 // name for maximum clarity, e.g.
-// gcr.io/foo/github.com/bar/baz/cmd/blah
-// ^--base--^ ^-------import path-------^
+//
+// gcr.io/foo/github.com/bar/baz/cmd/blah
+// ^--base--^ ^-------import path-------^
 func identity(base, in string) string { return path.Join(base, in) }
 // As some registries do not support pushing an image by digest, the default tag for pushing
@@ -90,6 +91,7 @@ func (do *defaultOpener) Open() (Interface, error) {
 t: do.t,
 userAgent: do.userAgent,
 auth: do.auth,
+ keychain: do.keychain,
 namer: do.namer,
 tags: do.tags,
 tagOnly: do.tagOnly,
@@ -105,6 +107,7 @@ func NewDefault(base string, options ...Option) (Interface, error) {
 t: http.DefaultTransport,
 userAgent: "ko",
 auth: authn.Anonymous,
+ keychain: authn.DefaultKeychain,
 namer: identity,
 tags: defaultTags,
 }
@@ -203,7 +206,8 @@ func (d *defalt) Publish(ctx context.Context, br build.Result, s string) (name.R
 // https://github.com/google/go-containerregistry/issues/212
 s = strings.ToLower(s)
- ro := []remote.Option{remote.WithAuth(d.auth), remote.WithTransport(d.t), remote.WithContext(ctx), remote.WithUserAgent(d.userAgent)}
+ ro := []remote.Option{remote.WithAuthFromKeychain(d.keychain), remote.WithTransport(d.t), remote.WithContext(ctx), remote.WithUserAgent(d.userAgent)}
+
 no := []name.Option{}
 if d.insecure {
 no = append(no, name.Insecure)
diff --git a/pkg/publish/options.go b/pkg/publish/options.go
index ead9fd4050..c063dc5034 100644
--- a/pkg/publish/options.go
+++ b/pkg/publish/options.go
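Review bot: The context line `auth: do.auth,` in the `Open` hunk survives even though the two struct hunks above remove the `auth` field from both `defalt` and `defaultOpener`, so on the new side this literal names a field that no longer exists and reads `do.auth` from a struct that no longer has it; unless a hunk outside this patch re-adds them, the file will not compile. The fix is to delete that line alongside the added `keychain:` entry, i.e. `-		auth:      do.auth,`. The literal's opening line and the rest of `Open` are outside the hunk, so I am inferring from the `(do *defaultOpener) Open() (Interface, error)` header that this is the `defalt` value being returned.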
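Review bot: In the `NewDefault` hunk, `auth: authn.Anonymous,` remains as a context line although the first hunk of this file removed `auth` from `defalt`, so this literal initialises a field that no longer exists, and it is also redundant now that `keychain: authn.DefaultKeychain` supplies the default credential source. Drop it next to the added line: `-		auth:      authn.Anonymous,`. `NewDefault` begins before this hunk and continues past the closing `}` of the literal.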
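Review bot: The switch to `remote.WithAuthFromKeychain(d.keychain)` in `Publish` is the whole reason for the patch (credentials are now looked up per target instead of fixed once at option time, which is what lets an SBOM land in a `COSIGN_REPOSITORY` on another registry, as the README hunk describes), but nothing in the code says so, and a future reader may well "simplify" it back to a single resolved authenticator. A why-comment above the `ro :=` line would protect it: `// Resolve credentials per target registry at push time: SBOMs may be pushed to a different registry than KO_DOCKER_REPO (see COSIGN_REPOSITORY), so a single pre-resolved authenticator is not enough.` Note also that a keychain that finds nothing now falls back to anonymous silently inside the remote call, so a credential-helper misconfiguration surfaces as a registry denial rather than the explicit message the old `WithAuthFromKeychain` printed. The rest of `Publish` is outside the hunk.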
@@ -16,14 +16,19 @@ package publish
 import (
 "crypto/tls"
- "log"
 "net/http"
- "path"
 "github.com/google/go-containerregistry/pkg/authn"
- "github.com/google/go-containerregistry/pkg/name"
 )
+type staticKeychain struct {
+ auth authn.Authenticator
+}
+
+func (s staticKeychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
+ return s.auth, nil
+}
+
 // WithTransport is a functional option for overriding the default transport
 // on a default publisher.
 func WithTransport(t http.RoundTripper) Option {
@@ -44,9 +49,9 @@ func WithUserAgent(ua string) Option {
 // WithAuth is a functional option for overriding the default authenticator
 // on a default publisher.
-func WithAuth(auth authn.Authenticator) Option {
+func WithAuth(a authn.Authenticator) Option {
 return func(i *defaultOpener) error {
- i.auth = auth
+ i.keychain = &staticKeychain{a}
 return nil
 }
 }
@@ -55,25 +60,7 @@ func WithAuth(auth authn.Authenticator) Option {
 // authenticator on a default publisher using an authn.Keychain
 func WithAuthFromKeychain(keys authn.Keychain) Option {
 return func(i *defaultOpener) error {
- // We parse this lazily because it is a repository prefix, which
- // means that docker.io/mattmoor actually gets interpreted as
- // docker.io/library/mattmoor, which gets tricky when we start
- // appending things to it in the publisher.
- //
- // We append a fake path "ko" to KO_DOCKER_REPO in order to
- // make parsing out the registry easier.
- repo, err := name.NewRepository(path.Join(i.base, "ko"))
- if err != nil {
- return err
- }
- auth, err := keys.Resolve(repo.Registry)
- if err != nil {
- return err
- }
- if auth == authn.Anonymous {
- log.Println("No matching credentials were found, falling back on anonymous")
- }
- i.auth = auth
+ i.keychain = keys
 return nil
 }
 }
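Review bot: `staticKeychain.Resolve` ignores its `resource` argument, so a credential supplied through `WithAuth` is presented to every registry ko talks to, and with this patch that explicitly includes a `COSIGN_REPOSITORY` host that may differ from the `KO_DOCKER_REPO` one (the README hunk gives a Docker Hub image with SBOMs on gcr.io as the example). The old `remote.WithAuth(d.auth)` had the same reach, so this is not a regression, but cross-registry pushes are now the advertised use and a bearer token or password leaking to an unintended host is a real hazard; the type should at least document it, e.g. `// staticKeychain hands back the same authenticator for every resource. Callers of WithAuth should assume the credential is sent to any registry ko pushes to, including COSIGN_REPOSITORY.` If a scoped variant is wanted later, it could record the base registry and return `authn.Anonymous` for other hosts, but that changes behaviour for users who rely on one credential for both repositories and deserves its own change. Stylistically, the unused parameter reads better as `func (s staticKeychain) Resolve(_ authn.Resource) (authn.Authenticator, error)`.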
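Review bot: The `WithAuthFromKeychain` hunk removes the only diagnostic ko had for a keychain that finds nothing (`No matching credentials were found, falling back on anonymous`), and also the up-front `Resolve` error; with `i.keychain = keys` a missing or broken credential helper now shows up only as a registry denial deep inside the push, with no hint that anonymous was used. The per-target resolution is the right direction, so rather than restoring the eager lookup I would wrap the keychain so the fallback is still visible, which also covers the `authn.DefaultKeychain` set in `NewDefault`; this needs the `log` import this hunk drops to stay in the file. `WithAuthFromKeychain` is complete within the hunk.

```go
// loggingKeychain wraps a Keychain and reports when it falls back to anonymous,
// since a silent anonymous push usually means a misconfigured credential helper.
type loggingKeychain struct{ authn.Keychain }

func (l loggingKeychain) Resolve(r authn.Resource) (authn.Authenticator, error) {
	auth, err := l.Keychain.Resolve(r)
	if err == nil && auth == authn.Anonymous {
		log.Printf("No matching credentials were found for %s, falling back on anonymous", r.RegistryStr())
	}
	return auth, err
}

// … unchanged: WithAuthFromKeychain signature and closure …
		i.keychain = loggingKeychain{keys}
```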