docker-credential-magic / docker-credential-magic Goto Github PK

YAML file in this repo which contains the mappings. Magician built using this file, and users can override this when augmenting an image using a flag such as --mappings=mymap.yml

In magician, always push the image, skip Docker daemon entirely.

If users want this locally, they can use a -t localhost:5000/....

If no -t flag is provided, attempt to mutate in place (push over existing tag)

Should be able to point to another directory containing mappings (besides the built in ones)

Right now the images are being augmented with all binaries. Should allow user to select one, a few, or all

I was following the Usage section in the README just after installed the tool. After running the following command, it throws an error.

$ echo "index.docker.io" | docker-credential-magic get

[magic] getting helper executable for domain: Directory '/Users/furkan.turkal/Library/Application Support/magic/etc' does not exist.
Hint: Try running "docker-credential-magic init"

It had better to point this out in the usage instructions, before running the get:

$ docker-credential-magic init

Thanks!

Use a module such as cobra to build the docker-credential-magic CLI (vs. raw os.Args)

See https://golang.org/pkg/embed/

Should provide guidance on how this can be used outside of an image

Ideally, when a new version of one of the supported helpers is released, a new version of this tool is built and released, so that we do not need to manually bump versions and perform releases.

Cleanup pkg/mutate and add godoc comments on public methods

Discovered in helm/helm#10557

$ cat ~/.docker/config.json 
{
	"credsStore": "magic"
}
$ bin/helm pull oci://public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart --version v0.0.8
Error: error getting credentials - err: exit status 1, out: `credentials not found in native keychain
[magic] exec "docker-credential-ecr-login": exit status 1`

If I remove ecr.aws from the mapping file with

cat "$(docker-credential-magic home)/etc/aws.yml" | grep -v "ecr.aws" > ./aws.yml && mv ./aws.yml "$(docker-credential-magic home)/etc/aws.yml"

then this works:

$ bin/helm pull oci://public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart --version v0.0.8
Pulled: public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart:v0.0.8
Digest: sha256:299d8b520291ade6d136a7529b7fd44338d58b5b8239813aed97e8fd81ca1f00

Running the ECR helper directly:

$ echo "public.ecr.aws" | docker-credential-ecr-login get
credentials not found in native keychain

Important to note, I am not authed to AWS on this machine.

Looks like we introduced ecr.aws in #37 cc @rothgar

Is this a bug in docker-credential-ecr-login then? Should that binary give us an empty token response?

Bug, goreleaser pipeline needs to run only after helpers fetched etc.

If no helper is matched, and no existing config file (#12), then allow anonymous operations

All code that makes up the docker-credential-magic binary is nested under cmd/docker-credential-magic/. Should clean this up and move some of this into new pkg/ directory.

Once #12 is complete, should attempt to cover various scenarios in unit tests

Should be able to know the version of the tool(s)

Similar to GAR/GCR test, make sure ecr-login credential helper works as expected to push/pull from ECR

Similar to GAR/GCR test, make sure acr-linux credential helper works as expected to push/pull from ACR/MCR

Currently it is still required to append domains manually to ~/.docker/config.

Somehow enumerate all domains per helper and append them to this file.

Also, determine the correct user (not always /root/.docker)

hello folks, I'd like to help with this issue to make that happen. GoReleaser has all the support that I mentioned in the title of the issue, so, we can use them to make our binaries more secure.

Please feel free to assign this issue to me 🙋🏻‍♂️

@jonjohnsonjr

On build, push the image to remote if --push flag is used

Should use docker-credential-magician/<version> as user agent

On a mac, with ~/.docker/config.json containing the following:

{
        "auths": {},
        "credsStore": "magic"
}

And using with cosign attach sbom (cosign), and a registry at localhost:5000.

For some reason, many many docker-credential-magic processes are spawned and causes system OOM. Unsure if its a bug here, GGCR (the underlying registry lib), or cosign. Or possibly something wrong with the local registry at port 5000.

Solved with pkill -9 docker-credential-magic

instead of instructing users to modify ~/.docker/config.json

If DOCKER_CREDENTIAL_MAGIC_CONFIG, try using XDG

Add badge to README linking to the godoc

Cleanup the README so people can use this thing

Each helper should have a namespace they occupy (for example ecr or amazon for ecr-login). This way, if new helpers come along they will not conflict

In order to run integration tests locally, take inline scripts out of the github actions yaml and place into bash script(s) / robot framework

CI broken now that no longer using docker daemon

Should test changes on incoming PRs

Should remove fmt.Println from within pkg/magician

If a new helper is to be supported, it should be very easy for people to add their changes

Currently only Linux x86-64/AMD64 is supported for magician, but should support more. Possibly release separate binaries if we are still embedding the credential helpers.

Right now, the .magic image is pushed to local Docker daemon. Allow user option of where to put this thing

Currently it is assumed /usr/local/bin is in the PATH, but should probably put them somewhere custom and append this to the PATH.

If an image already has a a ~/.docker/config.json or DOCKER_CONFIG env var set, then this should be set in some env var such as ORIG_DOCKER_CONFIG, and the magic helper should fallback to use this if no domains match

Add goreleaser etc. to release binaries for multiple platforms