kubewarden / kwctl

Go-to CLI tool for Kubewarden users
https://kubewarden.io
Apache License 2.0

Can't use alternative docker config file #476

Closed kravciak closed 1 year ago

kravciak commented 1 year ago

Current Behavior

If I use DOCKER_CONFIG or --docker-config-json-path, I can't push to the registry.

I need to provide authentication for a private registry. For this I need to add the registry to the docker auth section (or create my own config and pass it as a parameter).

It seems kwctl can use the default system docker config file, but I can't use any other file.

# Pushing with auth from default docker config works
~ kwctl push --sources-path=sources.yaml registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.5 172.18.0.2:30678/kubewarden/policies/pod-privileged:v0.2.5
2023-04-06T09:44:23.814729Z  WARN rustls::conn: Sending fatal alert BadCertificate    
Policy successfully pushed: 172.18.0.2:30678/kubewarden/policies/pod-privileged@sha256:5ddb9b97ac5e466ae81c34b856d526eed784784024133ba67b1a907f63dfa0a2

# Referencing the same file from DOCKER_CONFIG variable is broken
~ DOCKER_CONFIG=/home/kravciak/.docker/config.json kwctl push --sources-path=sources.yaml registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.5 172.18.0.2:30678/kubewarden/policies/pod-privileged:v0.2.5
2023-04-06T09:44:53.355041Z  WARN rustls::conn: Sending fatal alert BadCertificate    
Error: could not push policy

# Same when I set it from command line
ε kwctl push --docker-config-json-path=~/.docker/config.json --sources-path=sources.yaml registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.5 172.18.0.2:30678/kubewarden/policies/pod-privileged:v0.2.5
2023-04-06T09:51:43.276381Z  WARN rustls::conn: Sending fatal alert BadCertificate    
Error: could not push policy

~ cat ~/.docker/config.json
{
    "auths": {
        "172.18.0.2:30678": {
            "auth": "dGVzdHVzZXI6dGVzdHBhc3N3b3Jk"
        }
    }
}

~ cat sources.yaml 
insecure_sources:
  - 172.18.0.2:30678
  - 172.18.0.2.nip.io:30678

Environment

kwctl 1.6.0-rc5

viccuad commented 1 year ago

Can reproduce locally here. We either use the default path for the dockerconfigjson, or we set the env var DOCKER_CONFIG: https://github.com/kubewarden/kwctl/blob/main/src/main.rs#L426 so crate docker_credential's get_credential() finds the config: https://github.com/kubewarden/policy-fetcher/blob/main/src/registry/mod.rs#L97

docker_credential always prioritizes DOCKER_CONFIG (that we set to pass custom paths) and, if not present, uses the default path: https://github.com/keirlawson/docker_credential/blob/master/src/lib.rs#L64-L66

It seems to me that somewhere along that codepath, DOCKER_CONFIG is not being honoured.

flavio commented 1 year ago

The problem is similar to the one we experienced with policy-server. The docker crate looks for the config.json file defined under the default docker home directory. If you set the DOCKER_CONFIG environment variable, the crate will try to open ${DOCKER_CONFIG}/config.json.

Our kwctl flag was used to point to the file, not to the directory holding the file. It was used like this: --docker-config-json-path=~/test/dockerconfig.json. This results in the code trying to open ~/test/dockerconfig.json/config.json!

The cli should be used like this: ~/test/; then it will look for ~/test/config.json. In the previous example, this will not work, since the file is named dockerconfig.json instead of config.json.

We could propose a change to the docker-credential maintainer, or we could:

I'm in favor of doing this change (instead of approaching the upstream maintainer)

viccuad commented 1 year ago

Agree on doing the change and erroring if the file doesn't exist.

jvanz commented 1 year ago

Me too. I was about to start working on a fix for this issue and I liked the one where we check if the path is a file.
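
The path handling discussed in this thread, as an added example that is not part of the thread and not kwctl's actual fix: it maps a user-supplied file or directory path to the directory value that DOCKER_CONFIG must hold, and errors out instead of silently pushing without credentials. The names `docker_config_dir` and `DockerConfigError` are hypothetical, and the sample files are constructed.

```rust
use std::ffi::OsStr;
use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum DockerConfigError {
    NotFound(PathBuf),      // nothing usable exists at this path
    WrongFileName(PathBuf), // a file, but not named config.json
}

/// Hypothetical helper: the credential lookup opens `${DOCKER_CONFIG}/config.json`,
/// so DOCKER_CONFIG must be a directory. Accept either form from the user and
/// return the directory, or fail loudly when no config.json can be found there.
pub fn docker_config_dir(user_path: &Path) -> Result<PathBuf, DockerConfigError> {
    if user_path.is_dir() {
        // Directory given: it must actually contain config.json.
        let cfg = user_path.join("config.json");
        if cfg.is_file() {
            Ok(user_path.to_path_buf())
        } else {
            Err(DockerConfigError::NotFound(cfg))
        }
    } else if user_path.is_file() {
        // File given: only a file literally named config.json is ever opened.
        if user_path.file_name() != Some(OsStr::new("config.json")) {
            return Err(DockerConfigError::WrongFileName(user_path.to_path_buf()));
        }
        match user_path.parent() {
            Some(p) if !p.as_os_str().is_empty() => Ok(p.to_path_buf()),
            _ => Ok(PathBuf::from(".")), // bare "config.json" in the current directory
        }
    } else {
        Err(DockerConfigError::NotFound(user_path.to_path_buf()))
    }
}

fn main() {
    // Constructed sample layout under the system temp directory.
    let dir = std::env::temp_dir().join("kwctl-docker-config-example");
    std::fs::create_dir_all(&dir).unwrap();
    std::fs::write(dir.join("config.json"), r#"{"auths":{}}"#).unwrap();
    std::fs::write(dir.join("dockerconfig.json"), r#"{"auths":{}}"#).unwrap();
    let inputs = [dir.clone(), dir.join("config.json"),
                  dir.join("dockerconfig.json"), dir.join("missing")];
    for p in inputs.iter() {
        println!("{} -> {:?}", p.display(), docker_config_dir(p));
    }
}
```
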