[PATCH 3/3] document usage of environment variable for container registry login


B. Niedermayr

Jul 12, 2024, 4:17:42 AM
to kas-...@googlegroups.com
From: Benedikt Niedermayr <benedikt....@siemens.com>

The usage and influence of the following variables are now documented:

- REGISTRY_AUTH_FILE
- CI_REGISTRY
- CI_REGISTRY_USER

These variables influence the creation of a container registry login
file within the kas home directory.
Signed-off-by: Benedikt Niedermayr <benedikt....@siemens.com>
---
docs/command-line/environment-variables.inc | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/docs/command-line/environment-variables.inc b/docs/command-line/environment-variables.inc
index fce53e69229a..c8b8ec230722 100644
--- a/docs/command-line/environment-variables.inc
+++ b/docs/command-line/environment-variables.inc
@@ -132,14 +132,25 @@ Variables Glossary
| ``NETRC_FILE`` | Path to a .netrc file which will be copied to |
| (K,C) | the kas home dir as .netrc. |
+--------------------------+--------------------------------------------------+
+| ``REGISTRY_AUTH_FILE`` | Path to a container registry login file in |
+| (K,C) | 'docker login' compatible format. |
++--------------------------+--------------------------------------------------+
| ``CI_SERVER_HOST`` | Environment variables from GitLab CI, if set |
| ``CI_JOB_TOKEN`` | .netrc is configured to allow fetching from |
| ``CI_JOB_URL`` | the GitLab instance. An entry will be appended |
-| (K) | in case ``NETRC_FILE`` was given as well. Note |
-| | that if the file already contains an entry for |
-| | that host most tools would probably take that |
+| ``CI_REGISTRY`` | in case ``NETRC_FILE`` was given as well. Note |
+| ``CI_REGISTRY_USER`` | that if the file already contains an entry for |
+| (K) | that host most tools would probably take that |
| | first one. The job url is added to the |
| | provenance attestation (if enabled). |
+| | If ``CI_REGISTRY`` and ``CI_REGISTRY_USER`` is |
+| | also set, a container registry login file is |
+| | created, which is used by docker, podman and |
+| | skopeo. In case ``REGISTRY_AUTH_FILE`` was given |
+| | as well, the CI login data will be appended to |
+| | that file. |
+| | The required base64 encoded login data can be |
+| | generated by kas. |
+--------------------------+--------------------------------------------------+
| ``GITHUB_ACTIONS`` | Environment variables from GitHub actions or |
| ``GITLAB_CI`` | GitLab CI. If set to `true`, `.gitconfig` is |
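Review bot: in the CI row, "If ``CI_REGISTRY`` and ``CI_REGISTRY_USER`` is also set" should read "are also set", and the sentence should name ``CI_JOB_TOKEN`` as the third required variable, since it is the credential that ends up in the file. "The required base64 encoded login data can be generated by kas" does not say what is encoded; the 'docker login' format named in the ``REGISTRY_AUTH_FILE`` row stores ``auth`` as base64 of ``user:password``, so say that the job token is combined with ``CI_REGISTRY_USER``. That row would also benefit from a pointer to the format it expects (the containers-auth.json documentation or the ``docker login`` man page), and "the CI login data will be appended to that file" should state what happens when the supplied file already has an entry for ``CI_REGISTRY``.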
--
2.34.1

B. Niedermayr

Jul 12, 2024, 4:17:42 AM
to kas-...@googlegroups.com
From: Benedikt Niedermayr <benedikt....@siemens.com>

This patch series introduces support for container registry login in kas
and kas-container.

Since there is currently discussion about introducing a container fetcher
into isar, this patch series is a first step to support registry login in
kas, so isar is able to make use of it.

Whether or not the container fetcher will be upstreamed to isar, it would be
useful though to have registry login support in kas to be able to use private
registries for the container images.

In terms of configuration, one can set the environment variable REGISTRY_AUTH_FILE.
When running in a gitlab CI environment the variables CI_REGISTRY,
CI_REGISTRY_USER and CI_JOB_TOKEN are automatically set by gitlab.

Setting these variables creates a login file for the container registry at
~/.docker/config.json. This file should be compatible with docker, podman
and even skopeo.

Note:
I had a discussion about whether or not github supports the same/similar
variables as gitlab, but didn't find any solution yet.
So for now this supports gitlab CI only.


Benedikt Niedermayr (3):
introduce container registry login
kas-container: forward REGISTRY_AUTH_FILE to the container
document usage of REGISTRY_AUTH_FILE

docs/command-line/environment-variables.inc | 17 ++++++++++++---
kas-container | 5 +++++
kas/libcmds.py | 23 +++++++++++++++++++++
3 files changed, 42 insertions(+), 3 deletions(-)

--
2.34.1
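The file the cover letter describes, as an added example that is not part of this thread and not kas code: a small Python module that builds a containers-auth.json / docker config.json from the GitLab variables named above, merges it into an existing file, writes it with mode 0600 and checks that every ``auth`` entry decodes to ``user:password``, the encoding the containers-auth.json specification defines. The variable names CI_REGISTRY, CI_REGISTRY_USER and CI_JOB_TOKEN are GitLab's; every function name and sample value below is made up for the example.

```python
"""Build, merge and check a containers-auth.json / docker config.json file.

Added example for this thread, not kas code.  The GitLab variable names
are the ones the thread discusses; every function name and sample value
below is made up for the example.  The ``auth`` field is encoded as the
containers-auth.json specification defines it: base64("user:password").
"""
import base64
import json
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple


def make_auth_value(user: str, password: str) -> str:
    """Encode credentials the way docker, podman and skopeo expect them."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_auth_value(value: str) -> Tuple[str, str]:
    """Inverse of make_auth_value; raises ValueError for a malformed entry."""
    raw = base64.b64decode(value, validate=True).decode()
    user, sep, password = raw.partition(":")
    if not sep or not user:
        raise ValueError("auth value does not decode to 'user:password'")
    return user, password


def merge_ci_login(existing: Optional[Dict], registry: str,
                   user: str, token: str) -> Dict:
    """Return a copy of *existing* with an ``auths`` entry for *registry*.

    A dict update replaces an entry already present for the same registry,
    so "appending" CI credentials overrides a manually provided login for
    that host; keep that in mind when REGISTRY_AUTH_FILE already lists it.
    """
    data = json.loads(json.dumps(existing)) if existing else {}
    auths = data.setdefault("auths", {})
    auths[registry] = {"auth": make_auth_value(user, token)}
    return data


def write_auth_file(path: str, data: Dict) -> None:
    """Create the file with mode 0600 regardless of the caller's umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh, indent=4)
    os.chmod(path, 0o600)  # also tightens a pre-existing, wider mode


def check_auth_file(path: str) -> List[str]:
    """Return the problems found; an empty list means the file is usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o} is readable by group or other")
    with open(path) as fh:
        data = json.load(fh)
    for registry, entry in data.get("auths", {}).items():
        try:
            decode_auth_value(entry["auth"])
        except (KeyError, ValueError) as exc:
            problems.append(f"{registry}: {exc}")
    return problems


def demo() -> Dict:
    """Run the whole flow on constructed input; no real credentials."""
    env = {  # constructed stand-ins for the variables GitLab exports
        "CI_REGISTRY": "registry.example.com",
        "CI_REGISTRY_USER": "gitlab-ci-token",
        "CI_JOB_TOKEN": "glcbt-constructed-example",
    }
    # constructed REGISTRY_AUTH_FILE content with one hand-made login
    seed = {"auths": {"other.example.com":
                      {"auth": make_auth_value("alice", "s3cret")}}}
    merged = merge_ci_login(seed, env["CI_REGISTRY"],
                            env["CI_REGISTRY_USER"], env["CI_JOB_TOKEN"])
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        write_auth_file(path, merged)
        return {"data": merged, "problems": check_auth_file(path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter for a practitioner: the merge is a dict update, so an entry for the same registry in the supplied file is replaced rather than kept, and the checker rejects an ``auth`` value that encodes only a token, because clients split the decoded string on the first colon to recover the user name.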

MOESSBAUER, Felix

Jul 12, 2024, 5:40:45 AM
to Niedermayr, BENEDIKT, kas-...@googlegroups.com
On Fri, 2024-07-12 at 10:17 +0200, 'B. Niedermayr' via kas-devel wrote:
> From: Benedikt Niedermayr <benedikt....@siemens.com>
>
> The usage and influence of the following variables are now documented:

Hi, please also add a section about this to the Credential Handling
page [1].

[1] https://kas.readthedocs.io/en/latest/userguide/credentials.html

>
> - REGISTRY_AUTH_FILE

IMHO it would be better to prefix this variable with KAS_, as it is kas
specific and not a well-known variable name.

Felix

--
Siemens AG, Technology
Linux Expert Center


Jan Kiszka

Jul 12, 2024, 5:44:42 AM
to MOESSBAUER, Felix, Niedermayr, BENEDIKT, kas-...@googlegroups.com
On 12.07.24 11:40, 'MOESSBAUER, Felix' via kas-devel wrote:
> On Fri, 2024-07-12 at 10:17 +0200, 'B. Niedermayr' via kas-devel wrote:
>> From: Benedikt Niedermayr <benedikt....@siemens.com>
>>
>> The usage and influence of the following variables are now documented:
>
> Hi, please also add a section about this to the Credential Handling
> page [1].
>
> [1] https://kas.readthedocs.io/en/latest/userguide/credentials.html
>
>>
>> - REGISTRY_AUTH_FILE
>
> IMHO it would be better to prefix this variable with KAS_, as it is kas
> specific and not a well-known variable name.

It's aligned with
https://docs.podman.io/en/latest/markdown/podman-login.1.html to my
understanding.

Jan

Niedermayr, BENEDIKT

Jul 12, 2024, 6:23:54 AM
to Kiszka, Jan, kas-...@googlegroups.com, MOESSBAUER, Felix
Thought about this as well. I think it makes sense to prefix it with KAS_ since the meaning
of it differs slightly between outside and inside of kas.

Kas recognises this variable and copies the file given in that variable to the kas internal home
folder while not exporting it to the environment.
Podman and skopeo do indeed process this environment variable (REGISTRY_AUTH_FILE), meaning they
will look in the specified location for the registry auth file instead of trying their search paths.
But kas doesn't forward it to the environment.

Maybe the KAS_ prefix clarifies that fact...


Benedikt

MOESSBAUER, Felix

Jul 12, 2024, 9:14:30 AM
to Niedermayr, BENEDIKT, Kiszka, Jan, kas-...@googlegroups.com
On Fri, 2024-07-12 at 10:23 +0000, Niedermayr, Benedikt (T CED OES-DE)
wrote:
> On Fri, 2024-07-12 at 11:44 +0200, Jan Kiszka wrote:
> > On 12.07.24 11:40, 'MOESSBAUER, Felix' via kas-devel wrote:
> > > On Fri, 2024-07-12 at 10:17 +0200, 'B. Niedermayr' via kas-devel
> > > wrote:
> > > > From: Benedikt Niedermayr <benedikt....@siemens.com>
> > > >
> > > > The usage and influence of the following variables are now
> > > > documented:
> > >
> > > Hi, please also add a section about this to the Credential
> > > Handling
> > > page [1].
> > >
> > > [1]
> > > https://kas.readthedocs.io/en/latest/userguide/credentials.html
> > >
> > > >
> > > > - REGISTRY_AUTH_FILE
> > >
> > > IMHO it would be better to prefix this variable with KAS_, as it
> > > is kas
> > > specific and not a well-known variable name.
> >
> > It's aligned with
> > https://docs.podman.io/en/latest/markdown/podman-login.1.html to my
> > understanding.

Ah. Okay, didn't know this.

> >
> > Jan
> >
>
> Thought about this as well. I think it makes sense to prefix it with
> KAS_ since the meaning
> of it differs slightly between outside and inside of kas.
>
> Kas recognises this variable and copies the file given in that
> variable to the kas internal home
> folder while not exporting it to the environment.
> Podman and skopeo are indeed processing this environment variable
> (REGISTRY_AUTH_FILE), means they
> will look into the specified location for the registry auth file
> instead of trying searching paths.
> But kas doesn't forward it to the environment.

We do a similar thing with the AWS config as well. As long as this is
transparent to the user, it does not really matter how the
configuration is injected. However, if the syntax of the file is
different, we should also name the variable differently.

Anyways, the format of that file should be documented or a pointer to
the podman config should be added.

Felix

>
> Maybe the KAS_ prefix clarifies that fact...
>
>
> Benedikt
>

Niedermayr, BENEDIKT

Jul 12, 2024, 10:23:02 AM
to Kiszka, Jan, kas-...@googlegroups.com, MOESSBAUER, Felix
Ok then let's handle it similarly to the AWS config, since the syntax
doesn't differ.

V2 coming...

Benedikt

B. Niedermayr

Jul 12, 2024, 10:39:40 AM
to kas-...@googlegroups.com
From: Benedikt Niedermayr <benedikt....@siemens.com>

This patch series introduces support for container registry login in kas
and kas-container.

Since there is currently discussion about introducing a container fetcher
into isar, this patch series is a first step to support registry login in
kas, so isar is able to make use of it.

Whether or not the container fetcher will be upstreamed to isar, it would be
useful though to have registry login support in kas to be able to use private
registries for the container images.

In terms of configuration, one can set the environment variable REGISTRY_AUTH_FILE.
When running in a gitlab CI environment the variables CI_REGISTRY,
CI_REGISTRY_USER and CI_JOB_TOKEN are automatically set by gitlab.

Setting these variables creates a login file for the container registry at
~/.docker/config.json. This file should be compatible with docker, podman
and even skopeo.

Note:
I had a discussion about whether or not github supports the same/similar
variables as gitlab, but didn't find any solution yet.
So for now this supports gitlab CI only.


Changes since V1:

- Squash documentation changes into the first patch to keep changes more atomic
- Add an appropriate documentation in the credentials section
for the container authentication file syntax.

Benedikt Niedermayr (2):
introduce container registry login
kas-container: forward REGISTRY_AUTH_FILE to the container

docs/command-line/environment-variables.inc | 17 ++++++++++++---
docs/userguide/credentials.rst | 24 +++++++++++++++++++--
kas-container | 5 +++++
kas/libcmds.py | 23 ++++++++++++++++++++
4 files changed, 64 insertions(+), 5 deletions(-)

--
2.34.1

B. Niedermayr

Jul 12, 2024, 2:24:20 PM
to kas-...@googlegroups.com
From: Benedikt Niedermayr <benedikt....@siemens.com>


Hi,

posting V3 since I just noticed a bug in gitlab CI and fixed it...


This patch series introduces support for container registry login in kas
and kas-container.

Since there is currently discussion about introducing a container fetcher
into isar, this patch series is a first step to support registry login in
kas, so isar is able to make use of it.

Whether or not the container fetcher will be upstreamed to isar, it would be
useful though to have registry login support in kas to be able to use private
registries for the container images.

In terms of configuration, one can set the environment variable REGISTRY_AUTH_FILE.
When running in a gitlab CI environment the variables CI_REGISTRY,
CI_REGISTRY_USER and CI_JOB_TOKEN are automatically set by gitlab.

Setting these variables creates a login file for the container registry at
~/.docker/config.json. This file should be compatible with docker, podman
and even skopeo.

Note:
I had a discussion about whether or not github supports the same/similar
variables as gitlab, but didn't find any solution yet.
So for now this supports gitlab CI only.

Changes since V1:

- Squash documentation changes into the first patch to keep changes more atomic
- Add an appropriate documentation in the credentials section
for the container authentication file syntax.

Changes since V2:

- Fix gitlab CI run (create ~/.docker directory)

Benedikt Niedermayr (2):
introduce container registry login
kas-container: forward REGISTRY_AUTH_FILE to the container

docs/command-line/environment-variables.inc | 17 ++++++++++---
docs/userguide/credentials.rst | 24 ++++++++++++++++--
kas-container | 5 ++++
kas/libcmds.py | 28 +++++++++++++++++++++
4 files changed, 69 insertions(+), 5 deletions(-)

--
2.34.1

Benedikt Niedermayr

Jul 15, 2024, 7:44:09 AM
to kas-...@googlegroups.com
This patch series introduces support for container registry login in kas
and kas-container.

Since there is currently discussion about introducing a container fetcher
into isar, this patch series is a first step to support registry login in
kas, so isar is able to make use of it.

Whether or not the container fetcher will be upstreamed to isar, it would be
useful though to have registry login support in kas to be able to use private
registries for the container images.

In terms of configuration, one can set the environment variable REGISTRY_AUTH_FILE.
When running in a gitlab CI environment the variables CI_REGISTRY,
CI_REGISTRY_USER and CI_JOB_TOKEN are automatically set by gitlab.

Setting these variables creates a login file for the container registry at
~/.docker/config.json. This file should be compatible with docker, podman
and even skopeo.

Note:
I had a discussion about whether or not github supports the same/similar
variables as gitlab, but didn't find any solution yet.
So for now this supports gitlab CI only.

Changes in v2:

- Squash documentation changes into the first patch to keep changes more atomic
- Add an appropriate documentation in the credentials section
for the container authentication file syntax.

Changes in v3:

- Fix gitlab CI run (create ~/.docker directory)

Changes in v4:

- refactored documentation in credentials.rst and environment-variables.inc.
In-place URLs references will be fixed in a separate patch.
- create .docker/config.json if REGISTRY_AUTH_FILE is not specified


Benedikt Niedermayr (2):
introduce container registry login
kas-container: forward REGISTRY_AUTH_FILE to the container

docs/command-line/environment-variables.inc | 17 ++++++++++---
docs/userguide/credentials.rst | 24 ++++++++++++++++--
kas-container | 5 ++++
kas/libcmds.py | 27 +++++++++++++++++++++
4 files changed, 68 insertions(+), 5 deletions(-)

--
2.34.1

Benedikt Niedermayr

Jul 15, 2024, 7:44:10 AM
to kas-...@googlegroups.com
Create a container registry authentication file that is
currently compatible with docker, podman and skopeo.
The format is specified here [1].

When REGISTRY_AUTH_FILE is set then use that file and copy it into the
kas home directory.

If CI_REGISTRY, CI_REGISTRY_USER and CI_JOB_TOKEN are set, then
the required login data is added to the login file.

[1] https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md

Signed-off-by: Benedikt Niedermayr <benedikt....@siemens.com>
---
docs/command-line/environment-variables.inc | 17 ++++++++++---
docs/userguide/credentials.rst | 24 ++++++++++++++++--
kas/libcmds.py | 27 +++++++++++++++++++++
3 files changed, 63 insertions(+), 5 deletions(-)

diff --git a/docs/command-line/environment-variables.inc b/docs/command-line/environment-variables.inc
index fce53e69229a..de81b5bae25b 100644
--- a/docs/command-line/environment-variables.inc
+++ b/docs/command-line/environment-variables.inc
@@ -132,14 +132,25 @@ Variables Glossary
| ``NETRC_FILE`` | Path to a .netrc file which will be copied to |
| (K,C) | the kas home dir as .netrc. |
+--------------------------+--------------------------------------------------+
+| ``REGISTRY_AUTH_FILE`` | Path to a container registry authentication file.|
+| (K,C) | |
++--------------------------+--------------------------------------------------+
| ``CI_SERVER_HOST`` | Environment variables from GitLab CI, if set |
| ``CI_JOB_TOKEN`` | .netrc is configured to allow fetching from |
| ``CI_JOB_URL`` | the GitLab instance. An entry will be appended |
-| (K) | in case ``NETRC_FILE`` was given as well. Note |
-| | that if the file already contains an entry for |
-| | that host most tools would probably take that |
+| ``CI_REGISTRY`` | in case ``NETRC_FILE`` was given as well. Note |
+| ``CI_REGISTRY_USER`` | that if the file already contains an entry for |
+| (K) | that host most tools would probably take that |
| | first one. The job url is added to the |
| | provenance attestation (if enabled). |
+| | If ``CI_REGISTRY`` and ``CI_REGISTRY_USER`` is |
+| | also set, a container registry login file is |
+| | created, which is used by docker, podman and |
+| | skopeo. In case ``REGISTRY_AUTH_FILE`` was given |
+| | as well, the CI login data will be appended to |
+| | that file. |
+| | The required base64 encoded login data is |
+| | generated by kas. |
+--------------------------+--------------------------------------------------+
| ``GITHUB_ACTIONS`` | Environment variables from GitHub actions or |
| ``GITLAB_CI`` | GitLab CI. If set to `true`, `.gitconfig` is |
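Review bot: the ``REGISTRY_AUTH_FILE`` row lost the format hint the earlier revision carried and now has an empty second cell; point the reader at the Container Registry Authentication File section of the credentials guide (or the containers-auth.json documentation) so it is clear which syntax the path must point to. In the CI row, "is also set" should be "are also set", and "the CI login data will be appended to that file" should state that an existing ``auths`` entry for ``CI_REGISTRY`` in the supplied file is replaced, which is what the ``auths.update(...)`` call in the ``kas/libcmds.py`` hunk of this patch does.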
diff --git a/docs/userguide/credentials.rst b/docs/userguide/credentials.rst
index 1ce84e7e4fb6..a2589e7169a2 100644
--- a/docs/userguide/credentials.rst
+++ b/docs/userguide/credentials.rst
@@ -49,8 +49,9 @@ GitLab CI
~~~~~~~~~

When running in the GitLab CI, the ``CI_JOB_TOKEN`` can be used to access
-git repositories via https. kas automatically adds this token to the
-``.netrc`` file, where it is picked up by git. Further, kas configures git
+git repositories via https. If ``CI_SERVER_HOST`` is also set,
+kas automatically adds this token to the ``.netrc`` file,
+where it is picked up by git. Further, kas configures git
to automatically rewrite the urls of the repositories to clone via https
for repos stored on the same server. Technically this is achieved by adding
`insteadof` entries to the ``.gitconfig`` file.
@@ -58,10 +59,29 @@ for repos stored on the same server. Technically this is achieved by adding
For backwards compatibility, the git rewrite rules are only added if
``.gitconfig`` does not exists and no SSH configuration is provided.

+If the ``CI_REGISTRY``, ``CI_REGISTRY_USER`` and ``CI_JOB_TOKEN`` variables
+are set, kas automatically creates a login file for the container
+registry at ``~/.docker/config.json``. This file is compatible with
+docker, podman and even skopeo.
+
+In other words, if ``CI_REGISTRY``, ``CI_REGISTRY_USER`` and ``CI_JOB_TOKEN`` are
+set, kas creates the container registry login file.
+If ``CI_JOB_TOKEN`` and ``CI_SERVER_HOST`` are set, kas creates the ``.netrc`` file.
+
.. note::
Make sure to assign the correct permissions to the ``CI_JOB_TOKEN``.
For details, see `GitLab CI/CD job token <https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html>`_.

+Container Registry Authentication File
+--------------------------------------
+
+A file named ``config.json`` is saved as ``.docker/config.json`` in the kas home directory.
+It contains credentials for the container registry login.
+The syntax is specified `containers-auth.json specification <https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md>`_.
+The authentication file is compatible with docker, podman and skopeo.
+When running in the GitLab CI, the ``CI_JOB_TOKEN`` is appended to automatically grant access
+according to the job permissions.
+
Netrc File
----------
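Review bot: the paragraph starting "In other words" repeats the conditions of the paragraph above it and, by listing the two file cases one after the other, reads as if ``.netrc`` and ``config.json`` were alternatives, when both are written if all five variables are set; drop it. In the new section, "The syntax is specified `containers-auth.json specification ...`_" is missing "in the", and "the ``CI_JOB_TOKEN`` is appended" should say that an ``auths`` entry keyed by ``CI_REGISTRY`` is added, replacing any existing entry for that registry, because a reader of this section alone cannot tell which variables trigger it.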

diff --git a/kas/libcmds.py b/kas/libcmds.py
index db28eef7344f..e7072ec034b3 100644
--- a/kas/libcmds.py
+++ b/kas/libcmds.py
@@ -29,6 +29,8 @@ import shutil
import os
import pprint
import configparser
+import json
+import base64
from git.config import GitConfigParser
from .libkas import (ssh_cleanup_agent, ssh_setup_agent, ssh_no_host_key_check,
get_build_environ, repos_fetch, repos_apply_patches)
@@ -168,6 +170,7 @@ class SetupHome(Command):
'AWS_SHARED_CREDENTIALS_FILE',
'AWS_WEB_IDENTITY_TOKEN_FILE',
'NETRC_FILE',
+ 'REGISTRY_AUTH_FILE',
]

def __init__(self):
@@ -220,6 +223,29 @@ class SetupHome(Command):
'login gitlab-ci-token\n'
'password ' + os.environ['CI_JOB_TOKEN'] + '\n')

+ def _setup_registry_auth(self):
+ os.makedirs(self.tmpdirname + "/.docker")
+ if os.environ.get('REGISTRY_AUTH_FILE', False):
+ shutil.copy(os.environ['REGISTRY_AUTH_FILE'],
+ self.tmpdirname + "/.docker/config.json")
+ elif not os.path.exists(self.tmpdirname + '/.docker/config.json'):
+ with open(self.tmpdirname + '/.docker/config.json', 'w') as fds:
+ fds.write("{}")
+
+ if os.environ.get('CI_REGISTRY', False) \
+ and os.environ.get('CI_JOB_TOKEN', False) \
+ and os.environ.get('CI_REGISTRY_USER', False):
+ with open(self.tmpdirname + '/.docker/config.json', 'r+') as fds:
+ data = json.loads(fds.read())
+ token = os.environ['CI_JOB_TOKEN']
+ base64_token = base64.b64encode(token.encode()).decode()
+ auths = data.get('auths', {})
+ auths.update({os.environ['CI_REGISTRY']: {"auth": base64_token}})
+ data['auths'] = auths
+ fds.seek(0)
+ fds.write(json.dumps(data, indent=4))
+ fds.truncate()
+
def _setup_aws_creds(self):
aws_dir = self.tmpdirname + "/.aws"
conf_file = aws_dir + "/config"
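Review bot: ``base64_token = base64.b64encode(token.encode()).decode()`` encodes the job token alone, but the containers-auth.json format cited in the commit message defines ``auth`` as base64 of ``username:password``; ``CI_REGISTRY_USER`` is required by the surrounding ``if`` and then never used, so the decoded value has no user part for a client to split on. Encode ``f"{os.environ['CI_REGISTRY_USER']}:{token}"`` instead. ``os.makedirs(self.tmpdirname + "/.docker")`` without ``exist_ok=True`` raises if the directory already exists, and after creating a fresh directory the ``elif not os.path.exists(...)`` check is always true, so one of the two needs to go. ``shutil.copy`` also carries over the source file's mode bits, so the ``0o077`` umask set by the caller does not restrict a copied ``REGISTRY_AUTH_FILE``; an explicit ``os.chmod(..., 0o600)`` after the copy would keep the credential file private.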
@@ -290,6 +316,7 @@ class SetupHome(Command):
logging.info(f'Running on {ci}')
def_umask = os.umask(0o077)
self._setup_netrc()
+ self._setup_registry_auth()
self._setup_gitconfig()
self._setup_aws_creds()
os.umask(def_umask)
--
2.34.1

Jan Kiszka

Jul 15, 2024, 8:16:39 AM
to Benedikt Niedermayr, kas-...@googlegroups.com
On 15.07.24 13:44, 'Benedikt Niedermayr' via kas-devel wrote:
> Create a container registry authentication file that is
> currently compatible with docker, podman and skopeo.
> The format is specified here [1].
>
> When REGISTRY_AUTH_FILE is set then use that file and copy it into the
> kas home directory.
>
> If CI_REGISTRY, CI_REGISTRY_USER and CI_JOB_TOKEN are set, then
> the required login data is added to the login file.
>
> [1] https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md
>
> Signed-off-by: Benedikt Niedermayr <benedikt....@siemens.com>
> ---
> docs/command-line/environment-variables.inc | 17 ++++++++++---
> docs/userguide/credentials.rst | 24 ++++++++++++++++--
> kas/libcmds.py | 27 +++++++++++++++++++++
> 3 files changed, 63 insertions(+), 5 deletions(-)
>

This fails under scripts/checkcode.sh.
This paragraph is redundant to me - if not confusing: both
.docker/config.json and .netrc might be generated. The above paragraph
may suggest it's an "either ... or". I would just drop it.

> +
> .. note::
> Make sure to assign the correct permissions to the ``CI_JOB_TOKEN``.
> For details, see `GitLab CI/CD job token <https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html>`_.
>
> +Container Registry Authentication File
> +--------------------------------------
> +
> +A file named ``config.json`` is saved as ``.docker/config.json`` in the kas home directory.
> +It contains credentials for the container registry login.
> +The syntax is specified `containers-auth.json specification <https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md>`_.

"The syntax is described in the `containers-auth.json specification ...`_."

Jan

Benedikt Niedermayr

Jul 16, 2024, 7:12:14 AM
to kas-...@googlegroups.com
Create a container registry authentication file that is
currently compatible with docker, podman and skopeo.
The format is described here [1].

When REGISTRY_AUTH_FILE is set then use that file and copy it into the
kas home directory.

If CI_REGISTRY, CI_REGISTRY_USER and CI_JOB_TOKEN are set, then
the required login data is added to the login file.

[1] https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md

Signed-off-by: Benedikt Niedermayr <benedikt....@siemens.com>
---
docs/command-line/environment-variables.inc | 17 ++++++++++---
docs/userguide/credentials.rst | 20 +++++++++++++--
kas/libcmds.py | 28 +++++++++++++++++++++
3 files changed, 60 insertions(+), 5 deletions(-)
index 1ce84e7e4fb6..2f7e3bb200be 100644
--- a/docs/userguide/credentials.rst
+++ b/docs/userguide/credentials.rst
@@ -49,8 +49,9 @@ GitLab CI
~~~~~~~~~

When running in the GitLab CI, the ``CI_JOB_TOKEN`` can be used to access
-git repositories via https. kas automatically adds this token to the
-``.netrc`` file, where it is picked up by git. Further, kas configures git
+git repositories via https. If ``CI_SERVER_HOST`` is also set,
+kas automatically adds this token to the ``.netrc`` file,
+where it is picked up by git. Further, kas configures git
to automatically rewrite the urls of the repositories to clone via https
for repos stored on the same server. Technically this is achieved by adding
`insteadof` entries to the ``.gitconfig`` file.
@@ -58,10 +59,25 @@ for repos stored on the same server. Technically this is achieved by adding
For backwards compatibility, the git rewrite rules are only added if
``.gitconfig`` does not exists and no SSH configuration is provided.

+If the ``CI_REGISTRY``, ``CI_REGISTRY_USER`` and ``CI_JOB_TOKEN`` variables
+are set, kas automatically creates a login file for the container
+registry at ``~/.docker/config.json``. This file is compatible with
+docker, podman and even skopeo.
+
.. note::
Make sure to assign the correct permissions to the ``CI_JOB_TOKEN``.
For details, see `GitLab CI/CD job token <https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html>`_.

+Container Registry Authentication File
+--------------------------------------
+
+A file named ``config.json`` is saved as ``.docker/config.json`` in the kas
+home directory. It contains credentials for the container registry login.
+The syntax is described in the `containers-auth.json specification <https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md>`_.
+The authentication file is compatible with docker, podman and skopeo.
+When running in the GitLab CI, the ``CI_JOB_TOKEN`` is appended to
+automatically grant access according to the job permissions.
+
Netrc File
----------
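Review bot: "the ``CI_JOB_TOKEN`` is appended to automatically grant access" does not tell the reader of this section which variables trigger it or what "appended" means; say that when ``CI_REGISTRY``, ``CI_REGISTRY_USER`` and ``CI_JOB_TOKEN`` are set an ``auths`` entry keyed by ``CI_REGISTRY`` is added, replacing an existing entry for that registry in a supplied ``REGISTRY_AUTH_FILE``. The GitLab CI paragraph above says ``~/.docker/config.json`` while this section says ``.docker/config.json`` in the kas home directory; use one wording for the same location.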

diff --git a/kas/libcmds.py b/kas/libcmds.py
index db28eef7344f..db394c371296 100644
--- a/kas/libcmds.py
+++ b/kas/libcmds.py
@@ -29,6 +29,8 @@ import shutil
import os
import pprint
import configparser
+import json
+import base64
from git.config import GitConfigParser
from .libkas import (ssh_cleanup_agent, ssh_setup_agent, ssh_no_host_key_check,
get_build_environ, repos_fetch, repos_apply_patches)
@@ -168,6 +170,7 @@ class SetupHome(Command):
'AWS_SHARED_CREDENTIALS_FILE',
'AWS_WEB_IDENTITY_TOKEN_FILE',
'NETRC_FILE',
+ 'REGISTRY_AUTH_FILE',
]

def __init__(self):
@@ -220,6 +223,30 @@ class SetupHome(Command):
'login gitlab-ci-token\n'
'password ' + os.environ['CI_JOB_TOKEN'] + '\n')

+ def _setup_registry_auth(self):
+ os.makedirs(self.tmpdirname + "/.docker")
+ if os.environ.get('REGISTRY_AUTH_FILE', False):
+ shutil.copy(os.environ['REGISTRY_AUTH_FILE'],
+ self.tmpdirname + "/.docker/config.json")
+ elif not os.path.exists(self.tmpdirname + '/.docker/config.json'):
+ with open(self.tmpdirname + '/.docker/config.json', 'w') as fds:
+ fds.write("{}")
+
+ if os.environ.get('CI_REGISTRY', False) \
+ and os.environ.get('CI_JOB_TOKEN', False) \
+ and os.environ.get('CI_REGISTRY_USER', False):
+ with open(self.tmpdirname + '/.docker/config.json', 'r+') as fds:
+ data = json.loads(fds.read())
+ token = os.environ['CI_JOB_TOKEN']
+ base64_token = base64.b64encode(token.encode()).decode()
+ auths = data.get('auths', {})
+ auths.update(
+ {os.environ['CI_REGISTRY']: {"auth": base64_token}})
+ data['auths'] = auths
+ fds.seek(0)
+ fds.write(json.dumps(data, indent=4))
+ fds.truncate()
+
def _setup_aws_creds(self):
aws_dir = self.tmpdirname + "/.aws"
conf_file = aws_dir + "/config"
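Review bot: the ``auth`` value is still built from ``CI_JOB_TOKEN`` on its own; the containers-auth.json format the commit message points to stores base64 of ``user:password``, and ``CI_REGISTRY_USER``, which the ``if`` a few lines above insists on, is never read, so registries receive a credential with no user name in it. Use ``f"{os.environ['CI_REGISTRY_USER']}:{token}"`` as the input to ``base64.b64encode``. The ``os.makedirs`` call without ``exist_ok=True`` and the ``elif not os.path.exists`` branch below it also cannot both be meaningful: a directory that already exists makes ``makedirs`` raise before the check runs, and a freshly created one never contains ``config.json``.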
@@ -290,6 +317,7 @@ class SetupHome(Command):
logging.info(f'Running on {ci}')
def_umask = os.umask(0o077)
self._setup_netrc()
+ self._setup_registry_auth()
self._setup_gitconfig()
self._setup_aws_creds()
os.umask(def_umask)
--
2.34.1

Benedikt Niedermayr

Jul 16, 2024, 7:12:14 AM
to kas-...@googlegroups.com
Mount the REGISTRY_AUTH_FILE into the container, so kas can use
it. The REGISTRY_AUTH_FILE specifies a container registry authentication
file that is used by docker, podman and skopeo for container registry login.
The file syntax is described here [1].
kas-container | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/kas-container b/kas-container
index 169ea1bc4555..51c31e3cd710 100755
--- a/kas-container
+++ b/kas-container
@@ -512,6 +512,11 @@ if [ -f "${GITCONFIG_FILE}" ]; then
-e GITCONFIG_FILE="/var/kas/userdata/.gitconfig"
fi

+if [ -f "${REGISTRY_AUTH_FILE}" ]; then
+ set -- "$@" -v "$(readlink -fv "${REGISTRY_AUTH_FILE}")":/var/kas/userdata/.docker/config.json:ro \
+ -e REGISTRY_AUTH_FILE="/var/kas/userdata/.docker/config.json"
+fi
+
if [ -t 1 ]; then
set -- "$@" -t -i
fi
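Review bot: ``[ -f "${REGISTRY_AUTH_FILE}" ]`` silently skips a variable that is set but points to a missing file, so a typo in the path yields an unauthenticated build that only fails later at the registry with no hint why; it mirrors the ``GITCONFIG_FILE`` block above, so keep the shape, but a warning on stderr when the variable is non-empty and the test fails would save debugging time. The ``:ro`` bind mount and the fixed in-container path are fine; worth a sentence in the docs that kas then copies this mounted file into its own home directory, so the host file is only read when kas starts.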
--
2.34.1

Benedikt Niedermayr

Jul 16, 2024, 7:12:14 AM
to kas-...@googlegroups.com
Changes in v5:

- remove redundant/confusing section in credentials.rst
- fix checkcode.sh errors

Benedikt Niedermayr (2):
introduce container registry login
kas-container: forward REGISTRY_AUTH_FILE to the container

docs/command-line/environment-variables.inc | 17 ++++++++++---
docs/userguide/credentials.rst | 20 +++++++++++++--
kas-container | 5 ++++
kas/libcmds.py | 28 +++++++++++++++++++++
4 files changed, 65 insertions(+), 5 deletions(-)

--
2.34.1

Jan Kiszka

Jul 16, 2024, 7:15:40 AM
to Benedikt Niedermayr, kas-...@googlegroups.com
Thanks, applied.

Jan