registries.conf: configure credential helpers
Allow for configuring credential helpers in `registries.conf` files.

Credential helpers are configured as a top-level field
`credential-helpers`.  This is an array of strings.  Items listed in the
array are consulted in the specified order when looking up or removing
credentials.

Note that there is a built-in credential helper `containers-auth.json`
for using auth files.  If no global defaults are specified, we will
fall back to using auth files.  This assures backwards compat and a
working default setting.

The traces of the disabled "keyring" functionality have largely been
removed.  If we ever want to re-enable support, we can follow the
example of auth files and specify a new built-in keyring helper.

Using a built-in helper simplifies the code quite a bit since the code
structure boils down to conditionally dispatching helpers; everything's
a credential helper with some special values for built-in helpers.

Make sure that the execution paths are properly logged (debug level).

Signed-off-by: Qi Wang <[email protected]>
Signed-off-by: Valentin Rothberg <[email protected]>
QiWang19 authored and vrothberg committed Apr 2, 2021
1 parent 114da27 commit f0555f0
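
The lookup order described in the commit message, sketched as an added example (not code from this commit or from the project). The types, the `lookup` function and the `example-helper` name are hypothetical, the stores are constructed in-memory data, and skipping a helper that is not available is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Reserved name of the built-in auth-file helper (from the commit message).
const builtinAuthFile = "containers-auth.json"
var errNotFound = errors.New("no credentials found")
type cred struct{ User, Secret string }
// store is a hypothetical stand-in for one helper: registry -> credential.
type store map[string]cred

// effectiveHelpers applies the documented default: auth files only.
func effectiveHelpers(configured []string) []string {
	if len(configured) == 0 {
		return []string{builtinAuthFile}
	}
	return configured
}

// lookup consults helpers in list order; the first helper with an entry wins.
func lookup(configured []string, stores map[string]store, registry string) (string, cred, error) {
	var skipped []string // helpers named in the config but not available (assumption: skip them)
	for _, name := range effectiveHelpers(configured) {
		s, ok := stores[name]
		if !ok {
			skipped = append(skipped, name)
			continue
		}
		if c, hit := s[registry]; hit {
			return name, c, nil
		}
	}
	return "", cred{}, fmt.Errorf("%w for %s (unavailable helpers: %v)", errNotFound, registry, skipped)
}

// sampleStores is constructed data; "example-helper" is a made-up helper name.
func sampleStores() map[string]store {
	return map[string]store{
		builtinAuthFile:  {"registry.example.com": {"alice", "file-token"}, "quay.example.org": {"carol", "file-token-2"}},
		"example-helper": {"registry.example.com": {"bob", "helper-token"}},
	}
}

func main() {
	fmt.Println(lookup([]string{"example-helper", builtinAuthFile}, sampleStores(), "registry.example.com"))
}
```

When two stores hold an entry for the same registry, the list order alone decides which credential is sent, so a stale entry in an earlier helper shadows a fresh one in a later helper.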
Showing 15 changed files with 486 additions and 140 deletions.
5 changes: 4 additions & 1 deletion docs/containers-registries.conf.5.md
Expand Up @@ -16,6 +16,9 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
`unqualified-search-registries`
: An array of _host_[`:`_port_] registries to try when pulling an unqualified image, in order.

`credential-helpers`
: An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified.

### NAMESPACED `[[registry]]` SETTINGS

The bulk of the configuration is represented as an array of `[[registry]]`
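
Review bot: The `credential-helpers` entry does not say that the order of the array is significant, although the commit message states that helpers are consulted in the specified order when looking up or removing credentials. Suggest adding that sentence to the description, since a reader cannot tell from the text which store answers when several hold an entry for the same registry. The reserved value is also written as "containers-auth.json" in plain quotes in one sentence and as `["containers-auth.json"]` in the next; backticks for both would match the rest of the page.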
Expand Down Expand Up @@ -270,7 +273,7 @@ the destination registry is unambiguous. Pulling by digest
tags.

# SEE ALSO
containers-certs.d(5)
containers-auth.json(5) containers-certs.d(5)

# HISTORY
Dec 2019, Warning added for unqualified image names by Tom Sweeney <[email protected]>
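
Review bot: In SEE ALSO, `containers-auth.json(5)` and `containers-certs.d(5)` are separated only by a space. Man pages conventionally list cross-references comma-separated, so `containers-auth.json(5), containers-certs.d(5)` would read more clearly.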
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -17,6 +17,7 @@ require (
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
github.com/ghodss/yaml v1.0.0
github.com/gorilla/mux v1.7.4 // indirect
github.com/hashicorp/go-multierror v1.1.1
github.com/imdario/mergo v0.3.11
github.com/klauspost/compress v1.11.13
github.com/klauspost/pgzip v1.2.5
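
Review bot: `github.com/hashicorp/go-multierror v1.1.1` becomes a direct requirement here, but the commit message does not mention the new dependency or what it is used for. A line in the message saying where it is needed would let reviewers judge whether the extra module, together with the 28 additions to go.sum, is warranted.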
28 changes: 28 additions & 0 deletions go.sum

Large diffs are not rendered by default.
