Allow env vars to skip vendor specific keychain

Vendor keychains can be slow or fail. This allows platform operators to skip them entirely.
buildpacks · Mar 8, 2024 · 1c42b78 · 1c42b78
1 parent 3a05fde
commit 1c42b78
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/auth/keychain.go b/auth/keychain.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"os"
 	"regexp"
+	"strings"
 
 	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
 	"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
@@ -17,6 +18,7 @@ import (
 )
 
 const EnvRegistryAuth = "CNB_REGISTRY_AUTH"
+const EnvRegistryAuthKeychainSkip = "CNB_REGISTRY_AUTH_KEYCHAIN_SKIP_%s"
 
 var (
 	amazonKeychain = authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard)))
@@ -34,14 +36,25 @@ func DefaultKeychain(images ...string) (authn.Keychain, error) {
 		return nil, err
 	}
 
+	keychains := []authn.Keychain{envKeychain, authn.DefaultKeychain}
+
+	if vendorKeychainEnabled("amazon") {
+		keychains = append(keychains, amazonKeychain)
+	}
+	if vendorKeychainEnabled("azure") {
+		keychains = append(keychains, azureKeychain)
+	}
+
 	return authn.NewMultiKeychain(
-		envKeychain,
-		NewResolvedKeychain(authn.DefaultKeychain, images...),
-		NewResolvedKeychain(amazonKeychain, images...),
-		NewResolvedKeychain(azureKeychain, images...),
+		keychains...,
 	), nil
 }
 
+func vendorKeychainEnabled(provider string) bool {
+	providerUpper := strings.ToUpper(provider)
+	return os.Getenv(fmt.Sprintf(EnvRegistryAuthKeychainSkip, providerUpper)) != "true"
+}
+
 // NewEnvKeychain returns an authn.Keychain that uses the provided environment variable as a source of credentials.
 // The value of the environment variable should be a JSON object that maps OCI registry hostnames to Authorization headers.
 func NewEnvKeychain(envVar string) (authn.Keychain, error) {