Allow users to disable builtin credential handling #760

Open
malt3 opened this issue Jan 2, 2025 · 5 comments · May be fixed by #761
Labels
enhancement New feature or request

Comments

@malt3
Contributor

malt3 commented Jan 2, 2025

I have a custom Bazel credential helper that can derive working Authorization headers for OCI registries. In one case, this is for ghcr.io, for which rules_oci has a token realm preconfigured.
This can lead to situations where my credential helper would inject the right headers for pulling an image, but the extra requests (and command executions for docker credential helpers) fail before I get there.

I would like to have a setting (like a repo_env var) for disabling the builtin credential handling completely, since my docker config may be missing or misconfigured.

Happy to implement such a setting, but I’d like to know if that’s something that can be merged first.

@thesayyn
Collaborator

This is a good feature request; it needs a little more thought though. Maybe instead of having a disable switch, we implement an "I don't care if it fails" switch.

@thesayyn thesayyn added the enhancement New feature or request label Jan 20, 2025
@thesayyn
Collaborator

I'd like to see this implemented either way, just spitballing before settling on one solution.

@malt3
Contributor Author

malt3 commented Jan 20, 2025

By "I don't care if it fails", do you suggest that the logic should be this?

  • always try to use builtin credential handling
  • on success, use builtin credentials (this probably still leads to the external credential helper being called if it is configured, as far as I understand)
  • if the new "I don't care if it fails" flag is set and builtin credential handling fails, fall back to credential helper instead of failing

Just making sure I understand your request. The implementation I tried in #761 right now would disable the builtin logic completely. Happy to adapt it to the logic above, if that's what you have in mind.

@thesayyn
Collaborator

Yes, exactly. The --credential_helper flag already overrides whatever comes out of the Starlark side, so even if the builtin authorization succeeds, Bazel never uses that information because --credential_helper takes precedence.

The "I don't care if it fails" flag is more useful because it can be used for public repos where the credential helper fails but authorization was not needed in the first place, so it covers your use case and the public repo use case.

@thesayyn
Collaborator

Cross ref: #750
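
The two proposals in this thread differ in which credential source ends up being used. The following is an added example, not rules_oci code or part of any comment above: a small Python model comparing today's strict behaviour, the disable switch, and the "I don't care if it fails" switch. The mode names, function names and scenarios are hypothetical and constructed for illustration.

```python
from enum import Enum

class Mode(Enum):
    STRICT = "strict"      # behaviour reported in the issue: a builtin failure aborts
    DISABLED = "disabled"  # first proposal (#761): skip builtin handling completely
    TOLERANT = "tolerant"  # second proposal: try builtin, ignore its failure

class BuiltinAuthError(Exception):
    """Builtin handling failed (docker config missing, helper exited non-zero, ...)."""

def builtin_ok():
    # Constructed stand-in for builtin handling that finds usable credentials.
    return {"Authorization": "Bearer <constructed-token>"}

def builtin_broken():
    # Constructed stand-in for a missing or misconfigured docker config.
    raise BuiltinAuthError("docker config missing or misconfigured")

def auth_source(mode, builtin, helper_configured):
    """Return which source ends up authorizing the request, or raise."""
    headers = None
    if mode is not Mode.DISABLED:
        try:
            headers = builtin()
        except BuiltinAuthError:
            if mode is Mode.STRICT:
                raise
            # TOLERANT: swallow the failure and continue without builtin headers.
    if helper_configured:
        # Per the thread, --credential_helper takes precedence over builtin output.
        return "credential_helper"
    return "builtin" if headers else "anonymous"

SCENARIOS = {  # constructed cases: (builtin behaviour, --credential_helper set?)
    "working docker config, no helper": (builtin_ok, False),
    "broken docker config, helper set": (builtin_broken, True),
    "broken docker config, public repo": (builtin_broken, False),
}

def outcome_matrix():
    matrix = {}
    for name, (builtin, helper) in SCENARIOS.items():
        for mode in Mode:
            try:
                matrix[name, mode.value] = auth_source(mode, builtin, helper)
            except BuiltinAuthError:
                matrix[name, mode.value] = "fetch fails"
    return matrix

if __name__ == "__main__":
    for (name, mode), result in outcome_matrix().items():
        print(f"{name:36} {mode:9} -> {result}")
```

In this model the disable switch also drops working builtin credentials when no credential helper is set, while the tolerant switch keeps them. Both non-strict modes let a request go out without an Authorization header when builtin handling fails and no helper is configured, so a private image then fails at the registry rather than at credential resolution.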
