docker-credential-magic / docker-credential-magic
A magic shim for Docker credential helpers
License: Apache License 2.0
YAML file in this repo which contains the mappings. Magician built using this file, and users can override this when augmenting an image using a flag such as --mappings=mymap.yml
In magician, always push the image, skip Docker daemon entirely.
If users want this locally, they can use a -t localhost:5000/...
If no -t flag is provided, attempt to mutate in place (push over existing tag)
Cleanup the README so people can use this thing
Should be able to know the version of the tool(s)
If no helper is matched, and no existing config file (#12), then allow anonymous operations
Add badge to README linking to the godoc
If a new helper is to be supported, it should be very easy for people to add their changes
Currently only Linux x86-64/AMD64 is supported for magician, but should support more. Possibly release separate binaries if we are still embedding the credential helpers.
In order to run integration tests locally, take inline scripts out of the github actions yaml and place into bash script(s) / robot framework
Add goreleaser etc. to release binaries for multiple platforms
On a mac, with ~/.docker/config.json containing the following:
{
  "auths": {},
  "credsStore": "magic"
}
And using with cosign attach sbom (cosign), and a registry at localhost:5000.
For some reason, many many docker-credential-magic processes are spawned and cause system OOM. Unsure if it's a bug here, GGCR (the underlying registry lib), or cosign. Or possibly something wrong with the local registry at port 5000.
Solved with pkill -9 docker-credential-magic
Hello folks, I'd like to help with this issue to make that happen. GoReleaser has all the support that I mentioned in the title of the issue, so we can use them to make our binaries more secure.
Please feel free to assign this issue to me
Similar to GAR/GCR test, make sure acr-linux credential helper works as expected to push/pull from ACR/MCR
Use a module such as cobra to build the docker-credential-magic CLI (vs. raw os.Args)
Each helper should have a namespace they occupy (for example ecr or amazon for ecr-login). This way, if new helpers come along they will not conflict
If an image already has a ~/.docker/config.json or DOCKER_CONFIG env var set, then this should be set in some env var such as ORIG_DOCKER_CONFIG, and the magic helper should fall back to use this if no domains match
Should provide guidance on how this can be used outside of an image
Ideally, when a new version of one of the supported helpers is released, a new version of this tool is built and released, so that we do not need to manually bump versions and perform releases.
If DOCKER_CREDENTIAL_MAGIC_CONFIG, try using XDG
On build, push the image to remote if --push flag is used
Should remove fmt.Println from within pkg/magician
Bug, goreleaser pipeline needs to run only after helpers fetched etc.
Should be able to point to another directory containing mappings (besides the built in ones)
All code that makes up the docker-credential-magic binary is nested under cmd/docker-credential-magic/. Should clean this up and move some of this into new pkg/ directory.
Should test changes on incoming PRs
Currently it is still required to append domains manually to ~/.docker/config.
Somehow enumerate all domains per helper and append them to this file.
Also, determine the correct user (not always /root/.docker)
Right now, the .magic image is pushed to local Docker daemon. Allow user option of where to put this thing
instead of instructing users to modify ~/.docker/config.json
Should use docker-credential-magician/<version> as user agent
Right now the images are being augmented with all binaries. Should allow user to select one, a few, or all
Currently it is assumed /usr/local/bin is in the PATH, but should probably put them somewhere custom and append this to the PATH.
I was following the Usage section in the README just after installing the tool. After running the following command, it throws an error.
$ echo "index.docker.io" | docker-credential-magic get
[magic] getting helper executable for domain: Directory '/Users/furkan.turkal/Library/Application Support/magic/etc' does not exist.
Hint: Try running "docker-credential-magic init"
It would be better to point this out in the usage instructions, before running the get:
$ docker-credential-magic init
Thanks!
Similar to GAR/GCR test, make sure ecr-login credential helper works as expected to push/pull from ECR
Discovered in helm/helm#10557
$ cat ~/.docker/config.json
{
"credsStore": "magic"
}
$ bin/helm pull oci://public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart --version v0.0.8
Error: error getting credentials - err: exit status 1, out: `credentials not found in native keychain
[magic] exec "docker-credential-ecr-login": exit status 1`
If I remove ecr.aws from the mapping file with
cat "$(docker-credential-magic home)/etc/aws.yml" | grep -v "ecr.aws" > ./aws.yml && mv ./aws.yml "$(docker-credential-magic home)/etc/aws.yml"
then this works:
$ bin/helm pull oci://public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart --version v0.0.8
Pulled: public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart:v0.0.8
Digest: sha256:299d8b520291ade6d136a7529b7fd44338d58b5b8239813aed97e8fd81ca1f00
Running the ECR helper directly:
$ echo "public.ecr.aws" | docker-credential-ecr-login get
credentials not found in native keychain
Important to note, I am not authed to AWS on this machine.
Looks like we introduced ecr.aws in #37 cc @rothgar
Is this a bug in docker-credential-ecr-login then? Should that binary give us an empty token response?
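The error in the report above shows the helper's not-found message and a [magic] line inside the same captured output. The following is an added example, not code from this project: relayGet and clientDecision are hypothetical names, the `sh` command is a constructed stand-in for a helper, and the exact-match fallback in clientDecision is an assumption about how the calling client behaves.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os/exec"
	"strings"
)

// Text the helper printed in the report above when it held no credentials.
const notFoundMsg = "credentials not found in native keychain"

// relayGet runs a helper with the registry host on stdin and returns its stdout
// byte-for-byte; the shim's own diagnostic is written to diag, never to stdout.
func relayGet(diag io.Writer, host, helper string, args ...string) (string, int) {
	cmd := exec.Command(helper, args...)
	cmd.Stdin = strings.NewReader(host + "\n")
	var out bytes.Buffer
	cmd.Stdout, cmd.Stderr = &out, diag
	code := 0
	if err := cmd.Run(); err != nil {
		code = 127 // helper could not be started
		var ee *exec.ExitError
		if errors.As(err, &ee) {
			code = ee.ExitCode()
		}
		fmt.Fprintf(diag, "[magic] exec %q: exit status %d\n", helper, code)
	}
	return out.String(), code
}

// clientDecision models (assumption) a client that goes anonymous only when
// the trimmed helper output is exactly notFoundMsg.
func clientDecision(out string, code int) string {
	if code == 0 {
		return "credentials"
	}
	if strings.TrimSpace(out) == notFoundMsg {
		return "anonymous"
	}
	return "error"
}

func main() {
	// Constructed stand-in helper with no stored login; a real shim passes os.Stderr.
	out, code := relayGet(io.Discard, "public.ecr.aws", "sh", "-c", "echo '"+notFoundMsg+"'; exit 1")
	fmt.Println(clientDecision(out, code)) // anonymous
}
```

Under that assumption, appending the shim's diagnostic to the helper's output turns a not-found answer into a hard error, while relaying stdout untouched lets a pull from a public registry proceed anonymously.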
Cleanup pkg/mutate and add godoc comments on public methods
CI broken now that no longer using docker daemon
Once #12 is complete, should attempt to cover various scenarios in unit tests