Google container registry golang moby authentication

Problem description

I'm using google container registry to host my docker images. I'm also using the moby client for golang to interact with it. I'm using the JSON service key approach which seems to work fine with RegistryLogin. The response text is Login Successful. However, I have no idea how to use the returned authentication key with ImagePull. Under the hood setting RegistryAuth appears to set whatever string passed as the X-Registry-Auth header, Google doesn't seem to mention this anywhere.

I've tried passing the returned key as RegistryAuth, I've tried running RegistryLogin and then just pulling without RegistryAuth. I've tried base64 encoding my auth config and sending that in RegistryAuth. No matter what I try I get "Error response from daemon: repository xxx not found: does not exist or no pull access". Running docker login and then docker pull with the same details works fine on cli. My code is:

authConfig := types.AuthConfig{
    Username:      "_json_key",
    Password:      string(decodedKey),
    ServerAddress: "https://gcr.io",
}

_, err = engine.Client.RegistryLogin(ctx, authConfig)
if err != nil {
    return err
}

responseBody, err := engine.Client.ImagePull(ctx, image, types.ImagePullOptions{})
if err != nil {
    return err
}
// Close the body only after the error check; it is nil when ImagePull fails.
defer responseBody.Close()

decodedKey is the JSON key file content. Any ideas how to get this to work?

Recommended answer

(I assume you've already figured it out or have figured out an alternative method, but I'll document it here for the next person)

You need to marshal it to JSON and then base64 encode it. Other than in the docker cli code.

Unfortunately, when I tried to include github.com/docker/cli/cli/command I got this error, due to the way the cli repo's vendor directory gets included in go's package source path:

./gcp.go:73:47: cannot use authc (type "github.com/docker/docker/api/types".AuthConfig)
as type "github.com/docker/cli/vendor/github.com/docker/docker/api/types".AuthConfig
in argument to command.EncodeAuthToBase64

The Go compiler doesn't recognize that they are the same type, which is annoying. But it's simple enough to replicate the functionality:

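// Marshal the AuthConfig to JSON, then base64 encode it (URL-safe alphabet).
buf, err := json.Marshal(authConfig)
if err != nil {
    return err
}
regauth := base64.URLEncoding.EncodeToString(buf)
pullopts := types.ImagePullOptions{RegistryAuth: regauth}
responseBody, err := engine.Client.ImagePull(ctx, image, pullopts)
...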

*IMHO, a better implementation would be to have a types.RequestPrivilegeFunc in the pullopts that gets the access_token field from http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token on the fly. That way there's no app credentials to worry about securing. I haven't tried that yet, myself.

Hopefully that helps, despite it being 18 months late. :)

FWIW, Google support wasn't able to provide any information about this, and the gcr.io and docker documentation didn't provide much to go on, either. The solution was in getting the cli auth set up and then hacking a custom version of the docker cli tool so that I could see what was really going on.

*EDIT: So I tried this but AFAICT the PrivilegeFunc function declared in PullOptions is never called. I have no idea why. Too bad, it seemed like a much cleaner solution. The procedural code above works for me, though.
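
The encoding step from the answer, written out as an added example that is not part of the original answer or of the docker code. It assumes a local `registryAuth` struct standing in for `types.AuthConfig` (same JSON field names) so it runs with the standard library only, and adds a hypothetical `describeRegistryAuth` helper for checking a header value without printing the key, since the value is only encoded, not encrypted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// registryAuth is a local stand-in (assumption) for the Docker API AuthConfig,
// with the same JSON field names, so the example needs no third-party imports.
type registryAuth struct {
	Username      string `json:"username,omitempty"`
	Password      string `json:"password,omitempty"`
	ServerAddress string `json:"serveraddress,omitempty"`
}

// encodeRegistryAuth builds the RegistryAuth value: JSON, then URL-safe base64.
func encodeRegistryAuth(a registryAuth) (string, error) {
	buf, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(buf), nil
}

// describeRegistryAuth (hypothetical helper) decodes a header value and returns
// a log-safe summary. The password is counted, never printed.
func describeRegistryAuth(header string) (string, error) {
	raw, err := base64.URLEncoding.DecodeString(header)
	if err != nil {
		return "", fmt.Errorf("not URL-safe base64: %w", err)
	}
	var a registryAuth
	if err := json.Unmarshal(raw, &a); err != nil {
		return "", fmt.Errorf("not an auth config: %w", err)
	}
	return fmt.Sprintf("user=%s server=%s password=<%d bytes redacted>",
		a.Username, a.ServerAddress, len(a.Password)), nil
}

func main() {
	// Constructed placeholder, not a real service account key.
	key := `{"type":"service_account","private_key":"PLACEHOLDER??>>"}`
	h, err := encodeRegistryAuth(registryAuth{"_json_key", key, "https://gcr.io"})
	if err != nil {
		panic(err)
	}
	fmt.Println(describeRegistryAuth(h))
}
```

Because the header carries the full service account key in recoverable form, treat the encoded string like the key file itself and keep it out of logs and error messages.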
