support registry auth via inline JSON in DOCKER_AUTH_CONFIG

Open nxcc opened this issue 2 weeks ago • 8 comments

Is your feature request related to a problem? Please describe.
While CUE supports DOCKER_CONFIG, creating the required directory structure and config.json file is often impractical in ephemeral environments like CI/CD pipelines.

Describe the solution you'd like
I would like CUE to support a DOCKER_AUTH_CONFIG environment variable. This variable should accept the raw JSON configuration string (the content usually found in config.json) directly.

If DOCKER_AUTH_CONFIG is present, CUE should parse it for registry credentials, removing the need to create a physical directory structure or file on the disk. This creates a much smoother experience in ephemeral environments like CI/CD.

Describe alternatives you've considered
Manual file generation in CI steps. Currently, we have to write shell scripts to shim the environment. For example:

mkdir -p /tmp/docker-config
# Quote the variable so the JSON is written verbatim (no word splitting or globbing)
printf '%s\n' "$DOCKER_CONFIG_JSON_CONTENT" > /tmp/docker-config/config.json
export DOCKER_CONFIG=/tmp/docker-config

nxcc, Dec 04 '25 14:12

Sounds good to me. This seems like a recent addition to Docker (https://github.com/docker/cli/pull/6008) so that's why we don't support it yet.

How should this work in terms of precedence? That is, if both $DOCKER_CONFIG and $DOCKER_AUTH_CONFIG are set, which one should be used?

I would naively assume that it's the inline one, $DOCKER_AUTH_CONFIG, but https://github.com/docker/cli/issues/6156 seems to suggest that many users are unhappy with that.

mvdan, Dec 04 '25 15:12

I agree that DOCKER_AUTH_CONFIG implies a higher level of specificity and should therefore take precedence. However, rather than a blanket replacement, I suggest a merging strategy.

The environment variable should overlay the file-based configuration: credentials for different registries should coexist, but if there is a collision (same registry), DOCKER_AUTH_CONFIG should win. To avoid confusion, we should emit a warning log whenever a file credential is being overridden by the environment variable.

nxcc, Dec 05 '25 08:12

Understood. I think the merging could potentially be problematic if we wanted to write any of this config back to disk, but luckily we treat ${DOCKER_CONFIG}/config.json as read-only, so it doesn't matter that we merge the contents.

Note that this change will need to be made in the ociregistry module, and then pulled into this module. That's fine, but the library does not emit any logs, so if we want to report conflicts we'll have to record them in the ociregistry module and then report them in the cue module.

mvdan, Dec 05 '25 09:12
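
The overlay merge proposed in this exchange, with overrides recorded by the library function and left for the caller to report, shown as an added Go example. It is not code from ociregistry or cue and does not claim to match what was merged; `parseAuths`, `overlayAuths` and the sample registries are hypothetical, and registry keys are assumed to match as exact strings.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// parseAuths returns the "auths" map; errors omit the input, which holds secrets.
func parseAuths(name string, data []byte) (map[string]json.RawMessage, error) {
	var c struct{ Auths map[string]json.RawMessage `json:"auths"` }
	if len(data) > 0 && json.Unmarshal(data, &c) != nil {
		return nil, fmt.Errorf("%s: not a valid Docker config JSON", name)
	}
	return c.Auths, nil
}

// overlayAuths (hypothetical) lays DOCKER_AUTH_CONFIG over config.json: on a collision the
// env entry wins and the registry key is recorded for the caller to report; nothing is logged.
func overlayAuths(fileJSON, envJSON []byte) (merged map[string]json.RawMessage, overridden []string, err error) {
	fileAuths, err := parseAuths("config.json", fileJSON)
	if err != nil {
		return nil, nil, err
	}
	envAuths, err := parseAuths("DOCKER_AUTH_CONFIG", envJSON)
	if err != nil {
		return nil, nil, err
	}
	merged = make(map[string]json.RawMessage, len(fileAuths)+len(envAuths))
	for host, entry := range fileAuths {
		merged[host] = entry
	}
	for host, entry := range envAuths {
		if _, clash := merged[host]; clash {
			overridden = append(overridden, host)
		}
		merged[host] = entry
	}
	sort.Strings(overridden) // map iteration order is random; keep it stable
	return merged, overridden, nil
}

func main() {
	// Constructed inputs; the credentials are placeholders.
	file := []byte(`{"auths":{"registry.example.com":{"auth":"ZmlsZTpmaWxl"},"mirror.example.com":{"auth":"Z2g6Z2g="}}}`)
	env := []byte(`{"auths":{"registry.example.com":{"auth":"ZW52OmVudg=="}}}`)
	_, overridden, err := overlayAuths(file, env)
	fmt.Println("overridden by DOCKER_AUTH_CONFIG:", overridden, err)
}
```

Only registry names are returned in `overridden`, so a caller can print the warning without touching credential values.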

Does Docker merge the configs, though? Because we should ideally be mimicking whatever behavior Docker (or Podman) has. Doing something entirely different could lead to very confusing behavior for end users.

mvdan, Dec 05 '25 09:12

According to https://docs.docker.com/engine/release-notes/28/#2832, it seems DOCKER_AUTH_CONFIG has precedence: https://github.com/docker/cli/pull/6163.

I've played around with the changes required to support this: https://github.com/bogdanbojan/oci/commit/5635a0b134dd9d8254cf0d522f671dd943006dbb. I can go forward with a PR, if you guys would agree with it.

bogdanbojan, Dec 08 '25 15:12

Well, lgtm. Does what I asked for ;-).

nxcc, Dec 09 '25 14:12

@bogdanbojan that looks about right. Can you send a patch via Gerrit? See our contributing doc for pointers. Once merged, we'd need a small follow-up to bump the dependency and test this in cmd/cue.

mvdan, Dec 09 '25 15:12

@mvdan Thanks! Added the patch via Gerrit just now.

Also, sorry for hijacking the thread so randomly - was interested in this as well 😅

bogdanbojan, Dec 10 '25 19:12

no worries, the help is welcome!

the OCI repo patch is merged; the remaining work is bumping the dependency here, and probably adding a tiny integration test to cmd/cue/cmd/testdata/script/registry_auth.txtar too.

mvdan, Dec 11 '25 17:12

Awesome!

Will do those changes and raise a PR via Gerrit, if that's ok.

bogdanbojan, Dec 11 '25 18:12

Thanks! Merged. I've subscribed to https://github.com/docker/cli/issues/6156 for now, so if upstream decides to tweak the priority logic between the two env vars, we can adapt accordingly.

mvdan, Dec 14 '25 12:12