Fix bundle push authentication error

go-containerregistry now raises error when both keychain and auth are set(google/go-containerregistry#1334). With this commit, tkn will ignore keychain when auth is provided with flag. fixes: #1718
tektoncd · Sep 28, 2022 · 7d958cf · 7d958cf
1 parent b72b958
commit 7d958cf
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/pkg/bundle/flags.go b/pkg/bundle/flags.go
@@ -20,8 +20,7 @@ type RemoteOptions struct {
 // ToOptions outputs a list of `remoteimg.Option`s that can be passed into various fetch/write calls to a remote
 // registry.
 func (r *RemoteOptions) ToOptions() []remoteimg.Option {
-	keychains := authn.NewMultiKeychain(authn.DefaultKeychain, PodmanKeyChain)
-	opts := []remoteimg.Option{remoteimg.WithAuthFromKeychain(keychains)}
+	var opts []remoteimg.Option
 
 	// Set the auth chain based on the flags.
 	if r.bearerToken != "" {
@@ -34,6 +33,12 @@ func (r *RemoteOptions) ToOptions() []remoteimg.Option {
 		}))
 	}
 
+	// Use local keychain if no auth is provided. It's not allowed to use both.
+	if len(opts) == 0 {
+		keychains := authn.NewMultiKeychain(authn.DefaultKeychain, PodmanKeyChain)
+		opts = []remoteimg.Option{remoteimg.WithAuthFromKeychain(keychains)}
+	}
+
 	transport := http.DefaultTransport.(*http.Transport)
 	if r.skipTLS {
 		transport.TLSClientConfig.InsecureSkipVerify = r.skipTLS