GoogleCloudPlatform / docker-credential-gcr

A Docker credential helper for GCR users
https://gcr.io
Apache License 2.0
284 stars 91 forks

Seems that Artifact Registry username has changed #129

Closed tarvitz closed 1 year ago

tarvitz commented 1 year ago

Today I've spotted the following behavior for docker-credential-gcr and docker-credential-gcloud:

$ echo "https://europe-west2-docker.pkg.dev" | docker-credential-gcr get
{"ServerURL":"https://europe-west2-docker.pkg.dev","Username":"_dcgcr__token","Secret":"REDACTED"}

$ echo "https://europe-west2-docker.pkg.dev" | docker-credential-gcloud get
{"Username":"_dcgcloud_token","Secret":"REDACTED"}

Here's what I've got using different credentials and the Docker Registry v2 API provided by Artifact Registry:

Issue:

#: U="_dcgcr__token", does not work
$ curl -u "${U}:${TOKEN}" https://europe-west2-docker.pkg.dev/v2/privategoogleprojectid/test/repo/manifests/test
{"errors":[{"code":"UNAUTHORIZED","message":"No valid credential was supplied."}]}

OK:

#: U="_dcgcloud_token", works like expected
$ curl -u "${U}:${TOKEN}" https://europe-west2-docker.pkg.dev/v2/privategoogleprojectid/test/repo/manifests/test
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 739,
         "digest": "sha256:b27f378865b05a9ea042435b4a256f37aaf6a92c445532ae8e4704c750a9d2e3",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      }
   ]
}

tarvitz commented 1 year ago

I think I might have found a reason why _dcgcr__token stopped working. Need some time to reproduce my thoughts.

tarvitz commented 1 year ago

Here's some info: false alarm, since a properly compiled helper works as expected. The issue appears only if the helper was built without specifying its version (for example 2.1.6).

$ go build -ldflags "-X github.com/GoogleCloudPlatform/docker-credential-gcr/config.Version=2.1.6 -w -s" \
    -o docker-credential-gcr main.go
$ echo "https://europe-west2-docker.pkg.dev" |  ./docker-credential-gcr get
{"ServerURL":"https://europe-west2-docker.pkg.dev","Username":"_dcgcr_2_1_6_token","Secret":"REDACTED"}
$ curl -u "_dcgcr_2_1_6_token:REDACTED" https://europe-west2-docker.pkg.dev/v2/googleprojectid/test/repo/manifests/latest
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 1138,
      "digest": "sha256:d64c396f90b6a35507dfed62d03d92e4a9c70b39a8fa5891c9992864fb2d47d5"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3374446,
         "digest": "sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 5901486,
         "digest": "sha256:538c8f55312da22b96648ee2b3fa11e76fd8552a013058593e4928909b960921"
      }
   ]
}

lindsayismith commented 1 year ago

Yes, you're correct about the need for the version in the username. The check uses this:

"^dcgcr(?:[0-9]+_)*token$",
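
Added example, not code from docker-credential-gcr or from any participant in this thread: a pre-flight check that parses the JSON printed by `docker-credential-gcr get` and rejects a username produced by a build with no version set. It assumes the pattern quoted above lost the underscores around `dcgcr` in rendering, since the usernames shown in the thread only fit it with them restored; `CheckHelperOutput` and `usernameFor` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Assumption: the pattern quoted in the thread, with the underscores around
// "dcgcr" restored. It covers docker-credential-gcr usernames only.
var usernamePattern = regexp.MustCompile(`^_dcgcr_(?:[0-9]+_)*token$`)

// helperOutput mirrors the JSON fields shown in the thread's `get` output.
type helperOutput struct {
	ServerURL string
	Username  string
	Secret    string // never logged by this check
}

// usernameFor is a hypothetical reconstruction that reproduces the two
// usernames seen in the thread; it is not the helper's actual code.
// An empty version (no -X ...config.Version at build time) yields "_dcgcr__token".
func usernameFor(version string) string {
	return "_dcgcr_" + strings.ReplaceAll(version, ".", "_") + "_token"
}

// CheckHelperOutput returns an error when the helper's username would not
// match the pattern, which is what an unversioned build produces.
func CheckHelperOutput(raw []byte) error {
	var out helperOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return fmt.Errorf("helper output is not valid JSON: %w", err)
	}
	if !usernamePattern.MatchString(out.Username) {
		return fmt.Errorf("username %q does not match %s; was the helper built without config.Version set?",
			out.Username, usernamePattern)
	}
	return nil
}

func main() {
	// Constructed sample outputs, using the usernames reported in the thread.
	for _, v := range []string{"", "2.1.6"} {
		raw := fmt.Sprintf(`{"ServerURL":"https://europe-west2-docker.pkg.dev","Username":%q,"Secret":"REDACTED"}`,
			usernameFor(v))
		fmt.Printf("version=%q -> %v\n", v, CheckHelperOutput([]byte(raw)))
	}
}
```

Running this against the output of a freshly built helper, before the binary is distributed to build agents, surfaces the missing `-ldflags` version at build time instead of as an `UNAUTHORIZED` response from the registry.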