Skip to content

Commit

Permalink
Include cred helpers in keychain
Browse files Browse the repository at this point in the history
This adds implicit support for Google, Amazon, Azure and GitHub
container registries if the environment provides credentials.

Binary size increases from 22 MB -> 26 MB
  • Loading branch information
imjasonh committed Feb 7, 2022
1 parent 1425e4b commit eb157b2
Show file tree
Hide file tree
Showing 652 changed files with 116,184 additions and 11 deletions.
13 changes: 13 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,19 @@ logging in to a container image registry with a username and password, similar
to
[`docker login`](https://docs.docker.com/engine/reference/commandline/login/).

Additionally, if auth is not configured in the Docker config, `ko` includes
built-in support for authenticating to the following container registries using
credentials configured in the environment:

- Google Container Registry and Artifact Registry
- using [Application Default Credentials](https://cloud.google.com/docs/authentication/production) or auth configured in `gcloud`.
- Amazon Elastic Container Registry
- using [AWS credentials](https://github.com/awslabs/amazon-ecr-credential-helper/#aws-credentials)
- Azure Container Registry
- using [environment variables](https://github.com/chrismellard/docker-credential-acr-env/)
- GitHub Container Registry
- using the `GITHUB_TOKEN` environment variable

## Choose Destination

`ko` depends on an environment variable, `KO_DOCKER_REPO`, to identify where it
Expand Down
4 changes: 3 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,15 @@ module github.com/google/ko
go 1.16

require (
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20211215200129-69c85dc22db6
github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21
github.com/containerd/stargz-snapshotter/estargz v0.11.0
github.com/docker/docker v20.10.12+incompatible
github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960
github.com/fsnotify/fsnotify v1.5.1
github.com/go-training/helloworld v0.0.0-20200225145412-ba5f4379d78b
github.com/google/go-cmp v0.5.7
github.com/google/go-containerregistry v0.8.1-0.20220127202146-ad9088610094
github.com/google/go-containerregistry v0.8.1-0.20220207182237-33725d2d7add
github.com/mattmoor/dep-notify v0.0.0-20190205035814-a45dec370a17
github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198
github.com/sigstore/cosign v1.3.2-0.20211120003522-90e2dcfe7b92
Expand Down
58 changes: 56 additions & 2 deletions go.sum

Large diffs are not rendered by default.

19 changes: 18 additions & 1 deletion pkg/commands/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,17 +25,34 @@ import (
"strings"
"time"

ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
"github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api"
"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/authn/github"
"github.com/google/go-containerregistry/pkg/name"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/daemon"
"github.com/google/go-containerregistry/pkg/v1/google"
"github.com/google/go-containerregistry/pkg/v1/remote"

"github.com/google/ko/pkg/build"
"github.com/google/ko/pkg/commands/options"
"github.com/google/ko/pkg/publish"
)

var (
amazonKeychain authn.Keychain = authn.NewKeychainFromHelper(ecr.ECRHelper{ClientFactory: api.DefaultClientFactory{}})
azureKeychain authn.Keychain = authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper())
keychain = authn.NewMultiKeychain(
authn.DefaultKeychain,
google.Keychain,
github.Keychain,
amazonKeychain,
azureKeychain,
)
)

// getBaseImage returns a function that determines the base image for a given import path.
func getBaseImage(bo *options.BuildOptions) build.GetBase {
cache := map[string]build.Result{}
Expand All @@ -50,7 +67,7 @@ func getBaseImage(bo *options.BuildOptions) build.GetBase {
userAgent = bo.UserAgent
}
ropt := []remote.Option{
remote.WithAuthFromKeychain(authn.DefaultKeychain),
remote.WithAuthFromKeychain(keychain),
remote.WithUserAgent(userAgent),
remote.WithContext(ctx),
}
Expand Down
3 changes: 1 addition & 2 deletions pkg/commands/deps.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@ import (
"path"
"path/filepath"

"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/mutate"
"github.com/google/go-containerregistry/pkg/v1/remote"
Expand Down Expand Up @@ -63,7 +62,7 @@ If the image was not built using ko, or if it was built without embedding depend

img, err := remote.Image(ref,
remote.WithContext(ctx),
remote.WithAuthFromKeychain(authn.DefaultKeychain),
remote.WithAuthFromKeychain(keychain),
remote.WithUserAgent(ua()))
if err != nil {
return err
Expand Down
3 changes: 1 addition & 2 deletions pkg/commands/resolver.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ import (
"strings"
"sync"

"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/name"
"github.com/mattmoor/dep-notify/pkg/graph"
"golang.org/x/sync/errgroup"
Expand Down Expand Up @@ -213,7 +212,7 @@ func makePublisher(po *options.PublishOptions) (publish.Interface, error) {
if po.Push {
dp, err := publish.NewDefault(repoName,
publish.WithUserAgent(userAgent),
publish.WithAuthFromKeychain(authn.DefaultKeychain),
publish.WithAuthFromKeychain(keychain),
publish.WithNamer(namer),
publish.WithTags(po.Tags),
publish.WithTagOnly(po.TagOnly),
Expand Down
202 changes: 202 additions & 0 deletions vendor/cloud.google.com/go/LICENSE

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit eb157b2

Please sign in to comment.