
Enable `opm` to use cred stores

Open m1kola opened this issue 6 months ago • 4 comments

It seems like opm fails to authenticate with a private registry when it encounters a Docker config such as this one:

{
  "credsStore": "osxkeychain"
}

So this prevents the users from using native key stores on their systems.

Also when working with private registries, such as AWS ECR, users often get short lived tokens. For ECR, for example, there is a handy credential helper which eliminates the need to manually log in each time the token expires.

opm, however, seems to ignore credsStore and just fails to authenticate, meaning developers are forced to disable credsStore in order to work with ECR via opm.

m1kola avatar Jun 20 '25 09:06 m1kola

Issues go stale after 90 days of inactivity. If there is no further activity, the issue will be closed in another 30 days.

github-actions[bot] avatar Sep 19 '25 01:09 github-actions[bot]

@m1kola For at least some of the opm subcommands, we updated the underlying registry client to use the containers/image library to do the heavy lifting. Have you tried the latest release of opm to see if it recognizes and uses credsStore?

joelanford avatar Sep 30 '25 16:09 joelanford

@joelanford just tried this with OPM v1.59.0. With the newer version of OPM I was forced to create containers/policy.json, so I created this one:

{
    "default": [{"type": "insecureAcceptAnything"}]
}

But opm alpha list bundles still fails to authenticate:

FATA[0001] render reference "ecr-image-reference:1.1.1": failed to pull image "ecr-image-reference:1.1.1": initializing source docker://ecr-image-reference:1.1.1: reading manifest 1.1.1 in ecr-image-reference: authentication required

To make it work I had to:

  1. Remove all my docker-credential-* binaries from PATH
  2. Remove credsStore from Docker config.
  3. Run aws ecr get-login-password --region REGION | docker login --username AWS --password-stdin ACCOUNT.dkr.ecr.REGION.amazonaws.com to get plain text credentials into the docker config.

All this is because docker seems to use one of the existing helpers implicitly when logging in and only seems to write credentials in plain text if there are no cred stores in PATH.

m1kola avatar Oct 03 '25 08:10 m1kola
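The lookup order the comment above is relying on, as an added illustration that is not code from operator-registry or containers/image: a Docker config is consulted per-registry via credHelpers, then credsStore, and only then the plaintext auths block. The sample config, the hosts and the `user:s3cret` entry are constructed; the helper protocol assumed is the documented docker-credential one (argv `get`, server URL on stdin, JSON with `Username`/`Secret` on stdout).

```python
"""Resolve registry credentials from a Docker config.json the way the
Docker CLI does: credHelpers[host], then credsStore, then plaintext auths.
Constructed example; not code from opm or containers/image."""
import base64
import json
import shutil
import subprocess

# Constructed sample config: a native store, one per-registry helper for an
# ECR host, and one plaintext entry for a self-hosted registry.
SAMPLE_CONFIG = {
    "credsStore": "osxkeychain",
    "credHelpers": {"123456789012.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"},
    "auths": {"registry.example.test": {"auth": base64.b64encode(b"user:s3cret").decode()}},
}


def registry_host(image_ref):
    """Registry host of an image reference ('host/ns/repo:tag' -> 'host').
    A first component without a dot, port or 'localhost' means Docker Hub."""
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "index.docker.io"


def run_helper(name, host, run=subprocess.run, which=shutil.which):
    """Ask docker-credential-<name> for `host`; None if the helper is
    missing from PATH or has no entry (the failure mode in this issue)."""
    binary = which(f"docker-credential-{name}")
    if binary is None:
        return None
    proc = run([binary, "get"], input=host, capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return None
    payload = json.loads(proc.stdout)
    return payload["Username"], payload["Secret"]


def resolve_credentials(config, host, run=subprocess.run, which=shutil.which):
    """Return (username, secret) for `host`, or None when nothing applies."""
    helper = config.get("credHelpers", {}).get(host) or config.get("credsStore")
    if helper:
        creds = run_helper(helper, host, run, which)
        if creds:
            return creds
    entry = config.get("auths", {}).get(host)
    if entry and "auth" in entry:  # plaintext fallback: base64("user:secret")
        user, _, secret = base64.b64decode(entry["auth"]).decode().partition(":")
        return user, secret
    return None
```

A client that skips the helper step (as opm appears to here) only ever reaches the plaintext branch, which is exactly why removing credsStore and re-running `docker login` made it work.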

This is the area of the code that sets up the containers/image SystemContext and uses it. There's definitely some funkiness going on in getAuthFile to try and maintain as much backward compatibility as we can with the previous registry client.

Perhaps the comments and logic there can help you:

  1. piece together a way to get the credential helper to be honored
  2. or if not, we'd totally accept a patch to fix this if you can spot a bug with something that's happening there (preferably in a way that preserves the backcompat intent of that function).

joelanford avatar Oct 03 '25 17:10 joelanford