add X-Registry-Auth header support

[vrothberg]

• Support the X-Registry-Auth http-request header.

• The content of the header is a base64 encoded JSON payload which can
  either be a single auth config or a map of auth configs (user+pw or
  token) with the corresponding registries being the keys. Vanilla
  Docker, projectatomic Docker and the bindings are transparantly
  supported.

• Add a hidden --registries-conf flag. Buildah exposes the same
  flag, mostly for testing purposes.

• Do all credential parsing in the client (i.e., cmd/podman) pass
  the username and password in the backend instead of unparsed
  credentials.

• Add a pkg/auth which handles most of the heavy lifting.

• Go through the authentication-handling code of most commands, bindings
  and endpoints. Migrate them to the new code and fix issues as seen.
  A final evaluation and more tests is still required after this
  change.

• The manifest-push endpoint is missing certain parameters and should
  use the ABI function instead. Adding auth-support isn't really
  possible without these parts working.

• The container commands and endpoints (i.e., create and run) have not
  been changed yet. The APIs don't yet account for the authfile.

• Add authentication tests to pkg/bindings.

Fixes: #6384
Signed-off-by: Valentin Rothberg [email protected]

[vrothberg]

Manual tests were successful. I am now working on testing that in the apiv2 tests.

[vrothberg]

Manual tests were successful. I am now working on testing that in the apiv2 tests.

I looked into running a local registry and found a blocker, unfortunately pretty late in the process. The Docker compat endpoints don't expose a tlsVerify parameter that we could set to false. Hence, the server fails pulling because we're creating our own certificate. One workaround would be to use a custom registries.conf where we're setting the local registry as insecure and that's where I am stuck.

There is no way to point Podman to a custom registries.conf. The e2e tests are using a REGISTRIES_CONF_PATH env variable but that's a NOP as there's no code using that at all.

For now, I suggest to merge the PR as is and to trust that my local smoke tests work.

However, I believe we need a way to point Podman to a custom registries.conf. Buildah exposes a --registries-conf which I suggest to add to Podman as well.

[vrothberg]

@baude @jwhonce @edsantiago @mheon PTAL

[edsantiago]

How hard would it be to add our own, undocumented, unsupported, tlsVerify to the API?

[vrothberg]

How hard would it be to add our own, undocumented, unsupported, tlsVerify to the API?

A simple 1 minute change. If that's acceptable, this would certainly be the quickest way forward.

[mheon]

Can we restrict it so it's not available outside of the tests?

[vrothberg]

Can we restrict it so it's not available outside of the tests?

We could via an env var, for instance. But I think this would make it sufficiently complex to justify adding a --registries-conf flag.

[mheon]

We have plenty of basically-undocumented unit-testing-only flags like that, so I'm on board

[jwhonce]

Just one improvement for the API usage.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [vrothberg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vrothberg]

Back to WIP:

We now support both, single-auth headers and multi-auth headers. Multi-auth headers are the same as the ones from projectatomic docker. This way, we are compatible with vanilla Docker and the projectatomic/RHEL Docker which we can/will also use for the new libpod endpoints.

It's now wired into the compat endpoints. Libpod endpoints are still missing along with unit, apiv2 and integration tests.

[vrothberg]

Dev update:

• All encoding and decoding of the authentication headers is working now.
• Bindings have been updated for pull, push along with CLI parts. We can now also set headers in the bindings requests which accounts for the high amount of changed files.
• We can send credentials AND entire auth files now. This required some massaging of c/image and lead to docker/config - get all credentials image#928.
• Note that there's a new pkg/auth that the bindings and the sever share.

I'll continue on Monday and wire in support for all commands/endpoints that support --authfile and or specifying credentials. Once that's done, I will have a look at testing. I tried to get a local registry running in apiv2-test but failed miserably. I may need @edsantiago's bash skills to get that part done in a sane way.

Since so many tests require a local registry, I would love to have make local-registry target which runs a registry:2 container with "known" credentials that may be dumped at a known location. This would be nice for local development but it would also prevent us from having duplicate code for setting up a registry across the e2e, system, api and potentially bindings tests. @edsantiago, is that something you could do (assuming there's time)?

[vrothberg]

Note that we first need to get containers/image#933 in.

[vrothberg]

Also, once #6269 is merged, we can add auth tests.

[jwhonce]

Is identitytoken going to be implemented in a follow on PR?

[jwhonce]

How much does this grow the remote client?

[vrothberg]

This would effectively revert the changes from @baude and rebump from 33M to 41M.

[vrothberg]

I want to go back to the initial approach of sending all credentials over to the server (see containers/image#942 (comment)). The amount of work and complexity is getting out of hand.

[vrothberg]

This would avoid repulling the k8s stuff back in :)

[vrothberg]

Is identitytoken going to be implemented in a follow on PR?

Can you elaborate on that? Identity tokens are already supported via the c/image backends and accounted for in the header.

[vrothberg]

Looking at the podman stats with json output flakes now.

[vrothberg]

Looking at the podman stats with json output flakes now.

Fixed in #6403

[vrothberg]

Note: I vendored a commit of c/image (non release). I agreed with @rhatdan to do this until c/image has new release. It's acceptable for an RC at least.

[rhatdan]

LGTM

[mheon]

/lgtm