dotnet / docker-tools

This is a repo to house some common tools for our various docker repos.
MIT License

Prepopulate credential cache for ACR #1352

Closed mthalman closed 4 months ago

mthalman commented 4 months ago

Fixes #1350

The changes from https://github.com/dotnet/docker-tools/pull/1321 don't work for long-running jobs. The presumption was that the necessary tokens would be retrieved up front when Image Builder runs a command. (It's necessary for the token to be retrieved right away while we still have a valid OIDC token from the pipeline. If you wait too long the OIDC token will expire, preventing you from retrieving any access tokens with it.) But this isn't true for the build command. It retrieves a token for the AzureScopes.ContainerRegistryScope scope at the end of the build when querying for digests of the pushed images. This is the first time an attempt is made to get a token for that scope. So no cached token exists for that scope. But by this point the OIDC token from the pipeline is expired, causing the error.

The solution is to simply prepopulate the cache by making a request to get the token for that scope at the beginning of the build command.
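The failure and the fix described in the PR description above, as an added model that is not code from this PR, Image Builder, or Azure.Identity. The class and function names, the `acr-scope` string, and all lifetimes are assumptions chosen for illustration, and the clock is simulated.

```python
# Added illustration: constructed model, not Image Builder or Azure.Identity code.
ACR_SCOPE = "acr-scope"          # stand-in for AzureScopes.ContainerRegistryScope
OIDC_LIFETIME_MIN = 10           # assumed lifetime of the pipeline OIDC token
ACCESS_LIFETIME_MIN = 120        # assumed lifetime of an issued access token


class OidcTokenExpired(Exception):
    """Raised when the exchange is attempted after the OIDC token has expired."""


class CachingCredential:
    """Exchanges the pipeline OIDC token for access tokens, cached per scope."""

    def __init__(self):
        self.now = 0             # simulated clock, minutes since job start
        self._cache = {}         # scope -> (token, expires_at)

    def get_token(self, scope):
        cached = self._cache.get(scope)
        if cached and cached[1] > self.now:
            return cached[0]     # cache hit: no OIDC exchange needed
        if self.now >= OIDC_LIFETIME_MIN:
            raise OidcTokenExpired(f"cannot exchange OIDC token for {scope!r} at t={self.now}")
        token = f"access-token:{scope}:issued@{self.now}"
        self._cache[scope] = (token, self.now + ACCESS_LIFETIME_MIN)
        return token


def run_build(build_minutes, prepopulate):
    """Simulate the build command; returns the token used for the digest query."""
    cred = CachingCredential()
    if prepopulate:
        cred.get_token(ACR_SCOPE)     # warm the cache while the OIDC token is valid
    cred.now += build_minutes         # long-running build and push
    return cred.get_token(ACR_SCOPE)  # first real use: querying pushed image digests


if __name__ == "__main__":
    for minutes, warm in [(5, False), (90, False), (90, True), (150, True)]:
        try:
            print(minutes, warm, run_build(minutes, warm))
        except OidcTokenExpired as exc:
            print(minutes, warm, "FAILED:", exc)
```

In this model the last case still fails: warming the cache only helps while the cached access token outlives the job, so a job longer than the access token's lifetime needs a different approach.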

dotnet-issue-labeler[bot] commented 4 months ago

I couldn't figure out the best area label to add to this PR. If you have write-permissions please help me learn by adding exactly one area label.
