Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support plaintext credentials as multi-call binary
The Docker CLI supports storing/managing credentials without a credential-helper, in which case credentials are fetched from/saved to the CLI config file (`~/.docker/config.json`). This is all managed entirely by the CLI itself, without resort to a separate binary. There are a few issues with this approach – for one, saving the credentials together with all the configurations make it impossible to share one without the other, so one can't for example bind mount the config file into a container without also including all configured credentials. Another issue is that this has made it so that any other clients accessing registry credentials (such as https://github.com/google/go-containerregistry) all have to both: - read/parse the CLI `config.json`, to check for credentials there, which also means they're dependent on this type and might break if the type changes/we need to be careful not to break other codebases parsing this file, and can't change the location where plaintext credentials are stored. - support the credential helper protocol, so that they can access credentials when users do have configured credential helpers. This means that if we want to do something like support oauth credentials by having credential-helpers refresh oauth tokens before returning them, we have to both implement that in each credential-helper and in the CLI itself, and any client directly reading `config.json` will also need to implement this logic. This commit turns the Docker CLI binary into a multicall binary, acting as a standalone credentials helper when invoked as `docker-credential-file`, while still storing/fetching credentials from the configuration file (`~/.docker/config.json`), and without any further changes. This represents a first step into aligning the "no credhelper"/plaintext flow with the "credhelper" flow, meaning that instead of this being an exception where credentials must be read directly from the config file, credentials can now be accessed in the exact same way as with other credential helpers – by invoking `docker-credential-[credhelper name]`, such as `docker-credential-pass`, `docker-credential-osxkeychain` or `docker-credential-wincred`. This would also make it possible for any other clients accessing credentials to untangle themselves from things like the location of the credentials, parsing credentials from `config.json`, etc. and instead simply support the credential-helper protocol, and call the `docker-credential-file` binary as they do others. Signed-off-by: Laura Brehm <[email protected]>
- Loading branch information