Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not create temporary file when dealing with container registry credentials #521

Open
1 task
Tracked by #371
programmer04 opened this issue Aug 23, 2024 · 1 comment · May be fixed by #940
Open
1 task
Tracked by #371

Do not create temporary file when dealing with container registry credentials #521

programmer04 opened this issue Aug 23, 2024 · 1 comment · May be fixed by #940
Assignees
@programmer04
Labels
area/maintenance blocked enhancement New feature or request
Milestone
KGO v1.5.x

Comments

@programmer04
Copy link
Member

Problem Statement

Currently due to the limitations of oras-go the easiest (and basically the only possible, sensible way) is to deal with Dockder credentials when they are stored as a file. It doesn't provide API for supplying them in this format as a string, []byte or io.Reader, etc. Hence a temporary file is created to supply those credentials, see

gateway-operator/controller/kongplugininstallation/image/image.go

Lines 121 to 139 in c87be57

// CredentialsStoreFromString expects content of typical configuration as a string, described
// in https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry
// and returns credentials.Store.
// This is typical way how private registries are used with Docker and Kubernetes.
func CredentialsStoreFromString(s string) (credentials.Store, error) {
// TODO: Now we create temporary file, which is not great and should be changed,
// but it's the only way to use credentials.NewFileStore(...) which robustly
// parses config.json (format used by Docker and Kubernetes).
tmpFile, err := os.CreateTemp("", "credentials")
if err != nil {
return nil, fmt.Errorf("failed to create temporary file: %w", err)
}
defer os.Remove(tmpFile.Name())
defer tmpFile.Close()
if _, err = tmpFile.WriteString(s); err != nil {
return nil, fmt.Errorf("failed to write credentials to file: %w", err)
}
return credentials.NewFileStore(tmpFile.Name())
}

It's not the best approach from a security, maintainability, and extensibility point of view.

Proposed Solution

Submit PR to oras-go that will extend the API of this library to be able to consume credentials in Docker's config.json format not only from a file directly but from one of string, []byte or io.Reader.

In case something like that is not an option provide an implementation in KGO codebase.

Acceptance Criteria

  • Temporary file is not created as a workaround for dealing with credentials in Docker's config.json format
@programmer04 programmer04 added enhancement New feature or request area/maintenance labels Aug 23, 2024
@programmer04 programmer04 mentioned this issue Aug 23, 2024
Closed
12 tasks
@lahabana lahabana added this to the KGO v1.5.x milestone Sep 11, 2024
@programmer04 programmer04 self-assigned this Oct 25, 2024
@programmer04 programmer04 mentioned this issue Nov 27, 2024
Open
@programmer04
Copy link
Member Author

A PR for the upstream has been created oras-project/oras-go#850, waiting on a feedback

@programmer04 programmer04 linked a pull request Dec 18, 2024 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@programmer04 programmer04

Labels
area/maintenance blocked enhancement New feature or request
Projects
None yet
Milestone
KGO v1.5.x
2 participants
@lahabana @programmer04