After some debugging in cue-lang/cue#4306 with the help from @mvdan, we found that CUE only looks at 1 of the common auth config files
I had the case that I had both ~/.docker/config.json file (from some non-docker tool that required credentials to be stored there, but those credentials were for a different host/registry) and /run/user/1000/containers/auth.json file (because I'm using Podman, and don't even have Docker installed), but CUE only looked at ~/.docker/config.json.
I tried running podman login ... but cue mod publish still failed, until I eventually tried this which made cue mod publish succeed:
podman login harbor.example.com --compat-auth-file ~/.docker/config.json
Over in ociauth package, CUE looks for multiple file locations, but it only takes auth from the first one it finds:
|
for _, f := range configFileLocations { |
|
filename := f(getenv) |
|
if filename == "" { |
|
continue |
|
} |
|
data, err := os.ReadFile(filename) |
|
if err != nil { |
|
if os.IsNotExist(err) { |
|
continue |
|
} |
|
return nil, err |
|
} |
|
f, err := decodeConfigFile(data) |
|
if err != nil { |
|
return nil, fmt.Errorf("invalid config file %q: %v", filename, err) |
|
} |
|
return &ConfigFile{ |
|
data: f, |
|
runner: runner, |
|
}, nil |
So suggested change:
- keep looking at multiple files
- but merge the list of auths together
Meaning, if:
Then CUE reads both and its internal config becomes:
{
"auths": {
"foo.example.com": {
"auth": "*credentials from ~/.docker/config.json*"
},
"bar.example.com": {
"auth": "*credentials from ~/.docker/config.json*"
},
"moo.example.com": {
"auth": "*credentials from $XDG_RUNTIME_DIR/containers/auth.json*"
}
}
}Bonus would be if it could log a message to the user in cue mod publish explaining when it's getting credentials from a non-CUE config file like this
After some debugging in cue-lang/cue#4306 with the help from @mvdan, we found that CUE only looks at 1 of the common auth config files
I had the case that I had both
~/.docker/config.jsonfile (from some non-docker tool that required credentials to be stored there, but those credentials were for a different host/registry) and/run/user/1000/containers/auth.jsonfile (because I'm using Podman, and don't even have Docker installed), but CUE only looked at~/.docker/config.json.I tried running
podman login ...butcue mod publishstill failed, until I eventually tried this which madecue mod publishsucceed:podman login harbor.example.com --compat-auth-file ~/.docker/config.jsonOver in
ociauthpackage, CUE looks for multiple file locations, but it only takes auth from the first one it finds:oci/ociregistry/ociauth/authfile.go
Lines 111 to 130 in 3adeb86
So suggested change:
Meaning, if:
~/.config/docker.jsoncontains:{ "auths": { "foo.example.com": { "auth": "*credentials from ~/.docker/config.json*" }, "bar.example.com": { "auth": "*credentials from ~/.docker/config.json*" } } }and
$XDG_RUNTIME_DIR/containers/auth.jsoncontains:{ "auths": { "bar.example.com": { "auth": "*credentials from $XDG_RUNTIME_DIR/containers/auth.json*" }, "moo.example.com": { "auth": "*credentials from $XDG_RUNTIME_DIR/containers/auth.json*" } } }Then CUE reads both and its internal config becomes:
{ "auths": { "foo.example.com": { "auth": "*credentials from ~/.docker/config.json*" }, "bar.example.com": { "auth": "*credentials from ~/.docker/config.json*" }, "moo.example.com": { "auth": "*credentials from $XDG_RUNTIME_DIR/containers/auth.json*" } } }Bonus would be if it could log a message to the user in
cue mod publishexplaining when it's getting credentials from a non-CUE config file like this