google / go-containerregistry

Go library and CLIs for working with container registries
Apache License 2.0

crane: auth get doesn't work with default keychain on Mac M1 + Podman #1976

Open kostola opened 3 months ago

kostola commented 3 months ago

Describe the bug

On a Mac M1 laptop with Podman (running through Podman Machine), crane auth get <registry> fails with credentials not found in native keychain even if podman itself is successfully logged into the same registry.

Credentials are correctly stored in $HOME/.config/containers/auth.json

To Reproduce

  1. Login with podman to the target registry: podman login <registry>
  2. Try to retrieve credentials for the same registry with crane: crane auth get <registry>

Expected behavior

Crane should return the expected output for crane auth get: a JSON containing the credentials, like:

{"Username":"kostola","Secret":"<redacted>"}

Additional context

kostola commented 3 months ago

Looking at the code, the default keychain looks for credentials in (in order):

  1. $HOME/.docker/config.json
  2. $DOCKER_CONFIG/config.json
  3. $REGISTRY_AUTH_FILE
  4. $XDG_RUNTIME_DIR/containers/auth.json

1 and 2 are Docker related, 3 is intended as an explicit override by the user, and 4 doesn't work because XDG_RUNTIME_DIR is not set on macOS.

Podman login docs, however, state that:

--authfile=path Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and $HOME/.config/containers/auth.json on Windows/macOS.

It seems like option 4 should consider the host OS.
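
The lookup order listed in the comment above, with step 4 made OS-aware as the quoted Podman documentation describes, written as an added Go example (it is not code from go-containerregistry or from the proposed fix). The function names and the `registry.example.com` placeholder are assumptions for illustration; the check reports only which file has an `auths` entry for the registry, not the credential.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// candidateAuthFiles lists credential files in the order the comment gives,
// with step 4 made OS-aware. Hypothetical helper, not the library's code.
func candidateAuthFiles(goos, home string, getenv func(string) string) []string {
	paths := []string{filepath.Join(home, ".docker", "config.json")}
	if d := getenv("DOCKER_CONFIG"); d != "" {
		paths = append(paths, filepath.Join(d, "config.json"))
	}
	if f := getenv("REGISTRY_AUTH_FILE"); f != "" {
		paths = append(paths, f)
	}
	if x := getenv("XDG_RUNTIME_DIR"); goos == "linux" && x != "" {
		paths = append(paths, filepath.Join(x, "containers", "auth.json"))
	} else if goos != "linux" { // Windows/macOS default per the Podman docs
		paths = append(paths, filepath.Join(home, ".config", "containers", "auth.json"))
	}
	return paths
}

// findRegistryAuth returns the first file with an "auths" entry; never the secret.
func findRegistryAuth(paths []string, registry string) (string, bool) {
	for _, p := range paths {
		b, err := os.ReadFile(p)
		var cfg struct {
			Auths map[string]json.RawMessage `json:"auths"`
		}
		if err != nil || json.Unmarshal(b, &cfg) != nil {
			continue // missing, unreadable or malformed: try the next location
		}
		if _, ok := cfg.Auths[registry]; ok {
			return p, true
		}
	}
	return "", false
}

func main() {
	home, _ := os.UserHomeDir()
	paths := candidateAuthFiles(runtime.GOOS, home, os.Getenv)
	fmt.Println(findRegistryAuth(paths, "registry.example.com")) // placeholder registry
}
```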

nmcostello commented 1 month ago

Omg, I just independently wrote the same fix :facepalm:

2014

kostola commented 5 days ago

@jonjohnsonjr @imjasonh I am pinging you as top contributors. What do you think of this fix?