
fix: preserve bearer credential helper tokens #612

Open
Harshal96 wants to merge 2 commits into bazel-contrib:main from Harshal96:main

Conversation

@Harshal96

Contributor

Fixes #573.

Summary

  • Add a container registry keychain adapter for Bazel credential-helper HTTP headers.
  • Treat Authorization: Bearer ... as a registry access token via AuthConfig.RegistryToken.
  • Keep Basic auth behavior unchanged.
  • Wire both img_tool and pull_tool registry auth paths to the new keychain.
  • Add mirrored tests and public documentation warnings.

Possible Breaking Changes

  • Authorization: Bearer ... from credential_helper / IMG_CREDENTIAL_HELPER must be an access token already; rules_img now passes it through and does not exchange it as an OAuth refresh token.
  • Docker helper username/password pairs cannot represent RegistryToken; the legacy helper-pair method still approximates Bearer as <token>, but registry auth now uses ContainerRegistryKeychain.

@malt3 malt3 left a comment

Collaborator

The implementation looks good.
One thing I'd like to change is how we document it.
I think the many warning messages throughout the different docstrings and markdown pages are not very helpful.

Instead, could you write a new document under docs/ (e.g. docs/bazel-credential-helpers.md). In it, I would explain exactly how rules_img uses them:

During image pulling

  • Through Bazel's downloader when pulling base images via downloader = "bazel" (for downloading files from an OCI registry). Requires Bazel's --credential_helper flag to be set accordingly.
  • For downloading files from an OCI registry using the img tool in a repository rule (or indirectly via the module extension). Requires --@rules_img//img/settings:credential_helper to be set (or the credential_helper setting on the individual pull()).
  • Currently: NOT for downloading lazy layers (since we haven't found a good way to make the credential helper available for build actions)

During image loading and pushing

The primary use case here is to authenticate to the remote execution system (Bazel's remote cache).
Here, we ask the credential helper for URIs like https://{hostname}/build.bazel.remote.execution.v2.ContentAddressableStorage.

Additionally, you can use a Bazel credential helper for pushing (and pulling in some cases) content to (and from) a registry.
Here, I would add exactly how the request URI looks that we form and what the response can look like. I think actual JSON (with mocked secrets) is best to convey what we mean.
We can then explain what we do (some responses are used as HTTP headers immediately, some are still used during a token exchange).
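As an added example, not code from rules_img or from this PR, the Go program below sketches the two things discussed above: the PR summary's mapping of an Authorization: Bearer header onto a registry access token (passed through unchanged, never exchanged as a refresh token) with Basic auth decoded into username/password, and the reviewer's request for a concrete request/response shape, using the remote cache URI form quoted in the comment. The request and response JSON follow Bazel's documented credential helper protocol ({"uri": ...} in, {"headers": {...}, "expires": ...} out). The AuthConfig struct is a local stand-in for the three go-containerregistry authn.AuthConfig fields involved, the function names are my own, and the sample responses are constructed with mock secrets.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// helperRequest is the JSON Bazel writes to a credential helper's stdin
// for the "get" command: only the URI being fetched.
type helperRequest struct {
	URI string `json:"uri"`
}

// helperResponse is the JSON the helper prints: HTTP headers to attach
// (name -> list of values) and an optional expiry this example ignores.
type helperResponse struct {
	Headers map[string][]string `json:"headers"`
	Expires string              `json:"expires,omitempty"`
}

// AuthConfig is a local stand-in (assumption) for the three fields of
// go-containerregistry's authn.AuthConfig that the mapping touches.
type AuthConfig struct {
	Username      string
	Password      string
	RegistryToken string
}

// ErrNoAuthorization: the helper answered without any Authorization header.
var ErrNoAuthorization = errors.New("credential helper returned no Authorization header")

// RemoteCacheURI is the URI form the helper is asked about for the remote
// cache's ContentAddressableStorage service (as quoted in the review).
func RemoteCacheURI(hostname string) string {
	return "https://" + hostname + "/build.bazel.remote.execution.v2.ContentAddressableStorage"
}

// BuildHelperRequest encodes the request JSON for a URI.
func BuildHelperRequest(uri string) ([]byte, error) {
	return json.Marshal(helperRequest{URI: uri})
}

// AuthConfigFromHelperResponse maps a helper response onto an AuthConfig:
// "Bearer <token>" -> RegistryToken, verbatim (no refresh-token exchange);
// "Basic <b64>"    -> Username/Password, decoded; anything else -> error.
func AuthConfigFromHelperResponse(raw []byte) (AuthConfig, error) {
	var resp helperResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return AuthConfig{}, fmt.Errorf("decode helper response: %w", err)
	}
	// Header names are case-insensitive; gather every Authorization value.
	var values []string
	for name, vs := range resp.Headers {
		if strings.EqualFold(name, "Authorization") {
			values = append(values, vs...)
		}
	}
	if len(values) == 0 {
		return AuthConfig{}, ErrNoAuthorization
	}
	if len(values) != 1 {
		return AuthConfig{}, fmt.Errorf("expected exactly one Authorization header, got %d", len(values))
	}
	scheme, cred, ok := strings.Cut(strings.TrimSpace(values[0]), " ")
	cred = strings.TrimSpace(cred)
	if !ok || cred == "" {
		return AuthConfig{}, fmt.Errorf("malformed Authorization header %q", values[0])
	}
	switch {
	case strings.EqualFold(scheme, "Bearer"):
		return AuthConfig{RegistryToken: cred}, nil
	case strings.EqualFold(scheme, "Basic"):
		decoded, err := base64.StdEncoding.DecodeString(cred)
		if err != nil {
			return AuthConfig{}, fmt.Errorf("decode Basic credential: %w", err)
		}
		user, pass, found := strings.Cut(string(decoded), ":")
		if !found {
			return AuthConfig{}, errors.New("Basic credential is not of the form user:password")
		}
		return AuthConfig{Username: user, Password: pass}, nil
	default:
		return AuthConfig{}, fmt.Errorf("unsupported Authorization scheme %q", scheme)
	}
}

func main() {
	req, _ := BuildHelperRequest(RemoteCacheURI("remote.example.com"))
	fmt.Println(string(req))
	// Constructed sample responses with mock secrets, not real tokens.
	for _, s := range []string{
		`{"headers":{"Authorization":["Bearer mock-access-token"]},"expires":"2030-01-01T00:00:00Z"}`,
		`{"headers":{"Authorization":["Basic dXNlcjpzM2NyZXQ="]}}`, // user:s3cret
		`{"headers":{}}`,
	} {
		cfg, err := AuthConfigFromHelperResponse([]byte(s))
		fmt.Printf("%+v err=%v\n", cfg, err)
	}
}
```

The point of the strict branch on the scheme is the one the PR's breaking-change note makes: a Bearer value from the helper is assumed to already be a usable access token, so it is stored as RegistryToken and sent as-is; only Basic pairs are material for a later token exchange, and any other scheme is rejected rather than silently sent.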



Development

Successfully merging this pull request may close these issues.

Undocumented difference between Bazel and rules_img credential helper
