bazelbuild / rules_k8s

This repository contains rules for interacting with Kubernetes configurations / clusters.
Apache License 2.0

Support Kerberos Docker registries #141

Closed calder closed 5 years ago

calder commented 6 years ago

Pushing images to Kerberos secured registries currently fails with

CRITICAL:root:Error publishing provided image: Unexpected "www-authenticate" challenge type: Negotiate,

even after a docker login as the current user.

jonjohnsonjr commented 6 years ago

This issue title is a little confusing to me because most people complain that this only supports secure registries (see https://github.com/bazelbuild/rules_docker/issues/376). 😄

As far as I can tell, www-authenticate: Negotiate is a Kerberos thing? Does Docker support this already? I found https://github.com/docker/distribution/issues/1633, but no concrete spec or anything. I don't have any experience with Kerberos, so I have no idea how you'd go about adding support for this.

Could you add some more info about what we'd need to do?

FWIW you're failing here: https://github.com/google/containerregistry/blob/master/client/v2_2/docker_http_.py#L238

We only expect basic and bearer challenges.

You would probably need to add some kerberos-token-getting-thing to this file, maybe as part of the keychain resolution: https://github.com/google/containerregistry/blob/master/client/docker_creds_.py#L229
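
The failure discussed above comes down to which `WWW-Authenticate` challenge schemes a client recognises. As an added illustration (not code from google/containerregistry or from any participant in this thread), the sketch below parses a challenge header and picks the first scheme a Basic/Bearer-only client can answer; the function names and sample header values used with it are hypothetical.

```python
import re

# Assumption: mirrors the thread's "We only expect basic and bearer challenges".
SUPPORTED = {"basic", "bearer"}

# Comma-separated parts, keeping commas that sit inside quoted strings.
_PART = re.compile(r'(?:"(?:[^"\\]|\\.)*"|[^,"])+')
# One auth-param: key=token or key="quoted string".
_PARAM = re.compile(r'^([A-Za-z0-9_.-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"=]+)$')


class UnsupportedChallenge(Exception):
    """No offered scheme is one the client knows how to answer."""


def _value(raw):
    """Strip the quotes and backslash escapes from a quoted-string value."""
    return re.sub(r'\\(.)', r'\1', raw[1:-1]) if raw.startswith('"') else raw


def parse_challenges(header):
    """Parse a WWW-Authenticate value into a list of challenge dicts."""
    challenges = []
    for part in filter(None, (p.strip() for p in _PART.findall(header))):
        m = _PARAM.match(part)
        if m:  # auth-param belonging to the challenge currently being read
            if not challenges:
                raise ValueError("auth-param before any scheme: %r" % part)
            challenges[-1]["params"][m.group(1).lower()] = _value(m.group(2))
            continue
        scheme, _, rest = part.partition(" ")
        entry = {"scheme": scheme, "params": {}, "token68": None}
        m = _PARAM.match(rest.strip())
        if m:
            entry["params"][m.group(1).lower()] = _value(m.group(2))
        elif rest.strip():  # opaque token68 data, e.g. a base64 GSS-API token
            entry["token68"] = rest.strip()
        challenges.append(entry)
    return challenges


def select_challenge(header, supported=SUPPORTED):
    """Return the first challenge the client can answer, else raise."""
    offered = parse_challenges(header)
    for challenge in offered:
        if challenge["scheme"].lower() in supported:
            return challenge
    raise UnsupportedChallenge(", ".join(c["scheme"] for c in offered))
```
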

fejta commented 6 years ago

@jonjohnsonjr your comment makes it sound like this requires a google/containerregistry change, is that correct? Should we migrate the issue there?

jonjohnsonjr commented 6 years ago

I believe we would need to add support for this upstream, yeah, but I'm actually not sure what we would need to do because I'm not familiar with Kerberos. It makes sense to move this, but hopefully @calder can still provide a bit more context :)

calder commented 6 years ago

Sorry, you can close this out for now and I'll reopen with better details if it becomes an issue again.

On Wed, Jun 27, 2018, 08:23 jonjohnsonjr notifications@github.com wrote:

I believe we would need to add support for this upstream, yeah, but I'm actually sure what we would need to do because I'm not familiar with kerberos. It makes sense to move this, but hopefully @calder https://github.com/calder can still provide a bit more context :)


chrislovecnm commented 5 years ago

Closing per requestor