This issue title is a little confusing to me because most people complain that this only supports secure registries (see https://github.com/bazelbuild/rules_docker/issues/376). 😄
As far as I can tell, www-authenticate: Negotiate is a kerberos thing? Does docker support this already? I found https://github.com/docker/distribution/issues/1633, but no concrete spec or anything. I don't have any experience with kerberos, so I have no idea how you'd go about adding support for this.
Could you add some more info about what we'd need to do?
FWIW you're failing here: https://github.com/google/containerregistry/blob/master/client/v2_2/docker_http_.py#L238
We only expect basic and bearer challenges.
You would probably need to add some kerberos-token-getting-thing to this file, maybe as part of the keychain resolution: https://github.com/google/containerregistry/blob/master/client/docker_creds_.py#L229
@jonjohnsonjr your comment makes it sound like this requires a google/containerregistry change, is that correct? Should we migrate the issue there?
I believe we would need to add support for this upstream, yeah, but I'm actually not sure what we would need to do because I'm not familiar with kerberos. It makes sense to move this, but hopefully @calder can still provide a bit more context :)
Sorry, you can close this out for now and I'll reopen with better details if it becomes an issue again.
On Wed, Jun 27, 2018, 08:23 jonjohnsonjr notifications@github.com wrote:
I believe we would need to add support for this upstream, yeah, but I'm actually sure what we would need to do because I'm not familiar with kerberos. It makes sense to move this, but hopefully @calder https://github.com/calder can still provide a bit more context :)
Closing per requestor
Pushing images to Kerberos secured registries currently fails with
even after a docker login as the current user.
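Added example, not code from this thread or from google/containerregistry: a small parser that classifies the WWW-Authenticate challenges a registry returns and fails with an explicit message when only an unhandled scheme such as Negotiate is offered. The function names, the bearer-before-basic preference and the sample header values are assumptions made for illustration.

```python
import re

# Schemes the thread says the client expects; anything else is reported, not guessed at.
SUPPORTED_SCHEMES = ("bearer", "basic")  # preference order is an assumption
_TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


class UnsupportedChallenge(Exception):
    """Raised when the registry offers no scheme this client can answer."""


def parse_challenge(value):
    """Split one WWW-Authenticate value into (scheme, params, token68)."""
    scheme, _, rest = value.strip().partition(" ")
    rest = rest.strip()
    if rest and _TOKEN68.fullmatch(rest):
        return scheme.lower(), {}, rest  # opaque token, e.g. a Negotiate blob
    params = {}
    for m in _PARAM.finditer(rest):
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
    return scheme.lower(), params, None


def select_challenge(header_values):
    """Return the preferred supported challenge, or raise naming what was offered."""
    parsed = [parse_challenge(v) for v in header_values]
    for wanted in SUPPORTED_SCHEMES:
        for scheme, params, _ in parsed:
            if scheme == wanted:
                return scheme, params
    offered = ", ".join(sorted({p[0] for p in parsed})) or "none"
    raise UnsupportedChallenge("registry offered [%s]; client handles only %s"
                               % (offered, "/".join(SUPPORTED_SCHEMES)))


# Constructed sample headers (hosts are placeholders, not taken from the thread).
BEARER = ('Bearer realm="https://auth.example.test/token",'
          'service="registry.example.test",scope="repository:team/app:pull,push"')
NEGOTIATE = "Negotiate"

if __name__ == "__main__":
    print(select_challenge([NEGOTIATE, BEARER]))
    try:
        select_challenge([NEGOTIATE])
    except UnsupportedChallenge as err:
        print("push would fail:", err)
```

Each list element is one WWW-Authenticate header value carrying a single challenge; a header that packs several challenges into one comma-separated value would need splitting first.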