fix: preserve bearer credential helper tokens #612
malt3 left a comment:
The implementation looks good.
One thing I'd like to change is how we document it.
I think the many warning messages throughout the different docstrings and markdown pages are not very helpful.
Instead, could you write a new document under docs/ (e.g. docs/bazel-credential-helpers.md)? In it, I would explain exactly how rules_img uses them:
During image pulling
- Through Bazel's downloader when pulling base images via `downloader = "bazel"` (for downloading files from an OCI registry). Requires Bazel's `--credential_helper` flag to be set accordingly.
- For downloading files from an OCI registry using the img tool in a repository rule (or indirectly via the module extension). Requires `--@rules_img//img/settings:credential_helper` to be set (or the `credential_helper` setting on the individual `pull()`).
- Currently: NOT for downloading lazy layers (since we haven't found a good way to make the credential helper available for build actions)
During image loading and pushing
The primary use case here is to authenticate to the remote execution system (Bazel's remote cache).
Here, we ask the credential helper for URIs like `https://{hostname}/build.bazel.remote.execution.v2.ContentAddressableStorage`.
Additionally, you can use a Bazel credential helper for pushing (and pulling in some cases) content to (and from) a registry.
Here, I would add exactly how the request URI that we form looks and what the response can look like. I think actual JSON (with mocked secrets) is best to convey what we mean.
We can then explain what we do (some responses are used as HTTP headers immediately, some are still used during a token exchange).
Fixes #573.
Summary
- `Authorization: Bearer ...` as a registry access token via `AuthConfig.RegistryToken`.
- `img_tool` and `pull_tool` registry auth paths to the new keychain.
Possible Breaking Changes
- `Authorization: Bearer ...` from `credential_helper`/`IMG_CREDENTIAL_HELPER` must be an access token already; `rules_img` now passes it through and does not exchange it as an OAuth refresh token.
- `RegistryToken`; the legacy helper-pair method still approximates Bearer as `<token>`, but registry auth now uses `ContainerRegistryKeychain`.
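The credential-helper round trip that the review comment asks to be documented (request JSON for a URI, response headers that are either used directly or fed into a token exchange), together with the Bearer passthrough behaviour listed under the summary, as an added Go example that is not rules_img's own code. The Bazel helper protocol it models is real: the helper is invoked as `<helper> get`, receives `{"uri": "..."}` on stdin and prints `{"headers": {...}, "expires": "..."}` on stdout. Everything else is assumed for illustration: the `RegistryAuth` type, `ParseResponse` and `Resolve`, and the in-process `mockHelper` with its dummy hostnames and secrets stand in for an external helper process so the code runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CredentialRequest is the JSON Bazel writes to the helper's stdin for `<helper> get`.
type CredentialRequest struct {
	URI string `json:"uri"`
}

// CredentialResponse is the JSON the helper writes to stdout; "expires" is an optional RFC 3339 time.
type CredentialResponse struct {
	Headers map[string][]string `json:"headers"`
	Expires string              `json:"expires,omitempty"`
}

// RegistryAuth is a hypothetical consumer-side result (not a rules_img type).
// A Bearer response fills RegistryToken; a Basic response fills Username/Password.
type RegistryAuth struct {
	RegistryToken string // access token, sent verbatim as "Authorization: Bearer <token>"
	Username      string // basic credentials, used later in a token exchange with the registry
	Password      string
}

// BuildRequest forms the request document for one URI.
func BuildRequest(uri string) ([]byte, error) {
	return json.Marshal(CredentialRequest{URI: uri})
}

// ParseResponse interprets helper output: a Bearer value is passed through as an
// access token (never treated as a refresh token), Basic credentials are decoded
// for the token exchange, and an expired response is rejected.
func ParseResponse(raw []byte, now time.Time) (RegistryAuth, error) {
	var resp CredentialResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return RegistryAuth{}, fmt.Errorf("malformed helper response: %w", err)
	}
	if resp.Expires != "" {
		exp, err := time.Parse(time.RFC3339, resp.Expires)
		if err != nil {
			return RegistryAuth{}, fmt.Errorf("bad expires value: %w", err)
		}
		if !now.Before(exp) {
			return RegistryAuth{}, errors.New("helper response already expired")
		}
	}
	auth := ""
	for name, values := range resp.Headers {
		if strings.EqualFold(name, "Authorization") && len(values) > 0 {
			auth = values[0]
		}
	}
	switch {
	case strings.HasPrefix(auth, "Bearer "):
		return RegistryAuth{RegistryToken: strings.TrimPrefix(auth, "Bearer ")}, nil
	case strings.HasPrefix(auth, "Basic "):
		dec, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(auth, "Basic "))
		if err != nil {
			return RegistryAuth{}, fmt.Errorf("bad Basic value: %w", err)
		}
		user, pass, ok := strings.Cut(string(dec), ":")
		if !ok {
			return RegistryAuth{}, errors.New("Basic value is not user:password")
		}
		return RegistryAuth{Username: user, Password: pass}, nil
	case auth == "":
		return RegistryAuth{}, errors.New("helper returned no Authorization header")
	}
	return RegistryAuth{}, fmt.Errorf("unsupported Authorization scheme in %q", auth)
}

// mockHelper stands in for the external helper process; hostnames and secrets are constructed dummies.
func mockHelper(req []byte) []byte {
	var r CredentialRequest
	if err := json.Unmarshal(req, &r); err != nil {
		return []byte(`{}`)
	}
	switch {
	case strings.HasPrefix(r.URI, "https://registry.example.com/"):
		return []byte(`{"headers":{"Authorization":["Bearer mock-registry-access-token"]},"expires":"2099-01-01T00:00:00Z"}`)
	case strings.HasPrefix(r.URI, "https://remote.example.com/"):
		basic := base64.StdEncoding.EncodeToString([]byte("ci-bot:mock-password"))
		return []byte(`{"headers":{"Authorization":["Basic ` + basic + `"]}}`)
	}
	return []byte(`{"headers":{}}`)
}

// Resolve runs the full round trip for one URI against the mock helper.
func Resolve(uri string, now time.Time) (RegistryAuth, error) {
	req, err := BuildRequest(uri)
	if err != nil {
		return RegistryAuth{}, err
	}
	return ParseResponse(mockHelper(req), now)
}

func main() {
	for _, uri := range []string{
		"https://registry.example.com/v2/library/alpine/manifests/latest",
		"https://remote.example.com/build.bazel.remote.execution.v2.ContentAddressableStorage",
		"https://other.example.com/v2/",
	} {
		auth, err := Resolve(uri, time.Now())
		fmt.Printf("%s -> %+v err=%v\n", uri, auth, err)
	}
}
```

The registry URI yields a ready-to-use access token that is sent as-is, the remote-cache URI yields Basic credentials that would go into a token exchange, and a host the helper does not know produces an error rather than an empty header; the `expires` check is the one detail consumers most often forget when caching helper output.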