Allow env vars to skip vendor specific keychain #1315

Merged: 2 commits, Apr 1, 2024
10 changes: 10 additions & 0 deletions auth/README.md
@@ -0,0 +1,10 @@
# auth

## Skipping Vendor Specific Keychains

The auth package has configuration available to skip vendor specific keychain implementations. If you are a platform handling credentials yourself, you may want to skip loading these keychains. This can improve performance as the helpers automatically get invoked based on the hosting environment and the registries being interacted with.

Set any of the following to `true` to skip loading the vendor keychain.

`CNB_REGISTRY_AUTH_KEYCHAIN_SKIP_AMAZON` - set to skip Amazon/AWS's ECR credhelper.
`CNB_REGISTRY_AUTH_KEYCHAIN_SKIP_AZURE` - set to skip Microsoft/Azure's ACR credhelper
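Review bot: the README tells users to set the variable to `true`, but auth/keychain.go compares the raw environment value against the literal string `true`, so `TRUE`, `1` or `yes` do not skip the helper and fail silently; either state that only the lowercase literal `true` is honored or relax the comparison in the code. Also, the two `CNB_REGISTRY_AUTH_KEYCHAIN_SKIP_*` lines are consecutive paragraph lines, so Markdown renders them as one run-on sentence; prefix each with `- ` (and end the Azure line with a period) so they read as the list the "any of the following" lead-in promises.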
23 changes: 19 additions & 4 deletions auth/keychain.go
@@ -7,6 +7,7 @@
"io"
"os"
"regexp"
"strings"

ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
@@ -18,6 +19,9 @@

const EnvRegistryAuth = "CNB_REGISTRY_AUTH"

// EnvRegistryAuthKeychainSkipFormat is the format string for the environment variable that can be used to skip the keychain for a specific vendor.
const EnvRegistryAuthKeychainSkipFormat = "CNB_REGISTRY_AUTH_KEYCHAIN_SKIP_%s"

var (
amazonKeychain = authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard)))
azureKeychain = authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper())
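Review bot: the doc comment on EnvRegistryAuthKeychainSkipFormat does not say what substitutes for `%s` or which value triggers the skip; since the constant is exported, spell out that the suffix is the upper-cased vendor name (`AMAZON`, `AZURE`) and that the variable is honored only when set to the string `true`, e.g. `// ... e.g. CNB_REGISTRY_AUTH_KEYCHAIN_SKIP_AMAZON=true disables the ECR credential helper.`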
@@ -34,14 +38,25 @@
return nil, err
}

keychains := []authn.Keychain{envKeychain, authn.DefaultKeychain}

if vendorKeychainEnabled("amazon") {
keychains = append(keychains, amazonKeychain)
}
if vendorKeychainEnabled("azure") {
keychains = append(keychains, azureKeychain)
}

[Codecov / codecov/patch: added lines #L41-L48 of auth/keychain.go were not covered by tests]

Contributor, commenting on lines +41 to +48:
Were the calls to NewResolvedKeychain() omitted deliberately?


return authn.NewMultiKeychain(
envKeychain,
NewResolvedKeychain(authn.DefaultKeychain, images...),
NewResolvedKeychain(amazonKeychain, images...),
NewResolvedKeychain(azureKeychain, images...),
keychains...,

Check warning on line 51 in auth/keychain.go

View check run for this annotation

Codecov / codecov/patch

auth/keychain.go#L51

Added line #L51 was not covered by tests
), nil
}

func vendorKeychainEnabled(provider string) bool {
providerUpper := strings.ToUpper(provider)
return os.Getenv(fmt.Sprintf(EnvRegistryAuthKeychainSkipFormat, providerUpper)) != "true"

[Codecov / codecov/patch: added lines #L55-L57 of auth/keychain.go were not covered by tests]
}

// NewEnvKeychain returns an authn.Keychain that uses the provided environment variable as a source of credentials.
// The value of the environment variable should be a JSON object that maps OCI registry hostnames to Authorization headers.
func NewEnvKeychain(envVar string) (authn.Keychain, error) {
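Review bot: the NewResolvedKeychain wrapping was dropped together with the old argument list (the removed `NewResolvedKeychain(authn.DefaultKeychain, images...)` through `NewResolvedKeychain(azureKeychain, images...)` lines), so the default and vendor keychains are now passed to authn.NewMultiKeychain unresolved and `images` no longer appears in any of the new lines; if that is unintentional, build the slice as `keychains := []authn.Keychain{envKeychain, NewResolvedKeychain(authn.DefaultKeychain, images...)}` and append `NewResolvedKeychain(amazonKeychain, images...)` and `NewResolvedKeychain(azureKeychain, images...)` under the same `vendorKeychainEnabled` guards. Separately, vendorKeychainEnabled treats only the exact string `true` as a skip request, so `TRUE` or `1` silently leaves the helper enabled; `strconv.ParseBool(os.Getenv(...))` would accept the usual spellings, and a small table test using `t.Setenv` for each vendor would also clear the Codecov warnings on lines 41-57.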