DockerRegistryConfigAuthentication does not align with Docker CLI #45292

Closed

@nosan nosan commented Apr 25, 2025

No description provided.

@spring-projects-issues added the "status: waiting-for-triage" label (An issue we've not yet triaged) Apr 25, 2025
Signed-off-by: Dmytro Nosan <dimanosan@gmail.com>
@@ -134,10 +132,10 @@ private Credential computeCredentialsFromHelper(String serverUrl) {

private CredentialHelper getCredentialHelper(String serverUrl) {
String name = this.dockerConfig.getCredHelpers().getOrDefault(serverUrl, this.dockerConfig.getCredsStore());
return (name != null) ? this.credentialHelperFactory.apply(name.trim()) : null;
return (StringUtils.hasLength(name)) ? this.credentialHelperFactory.apply(name) : null;
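
Review bot: the replacement return line needs a short comment, and ideally a test with a padded name such as " ecr-login ", stating that dropping trim() is deliberate. StringUtils.hasLength(name) is true for a whitespace-only or padded name, so that value now reaches credentialHelperFactory unchanged, and a later cleanup could easily restore the trim. The parentheses around StringUtils.hasLength(name) are also redundant.
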
@nosan nosan Apr 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docker CLI does not trim the helper name:

func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) credentials.Store {
	if helper := getConfiguredCredentialStore(configFile, registryHostname); helper != "" {
		return newNativeStore(configFile, helper)
	}
	return credentials.NewFileStore(configFile)
}

// var for unit testing.
var newNativeStore = func(configFile *ConfigFile, helperSuffix string) credentials.Store {
	return credentials.NewNativeStore(configFile, helperSuffix)
}


func NewNativeStore(file store, helperSuffix string) Store {
	name := remoteCredentialsPrefix + helperSuffix
	return &nativeStore{
		programFunc: client.NewShellProgramFunc(name),
		fileStore:   NewFileStore(file),
	}
}

I think trim() here looks logical; I can't imagine that a credential helper would have whitespace.

@nosan nosan Apr 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've verified this today once again with the following JSON:

{
	"credHelpers": {
		"662409547778.dkr.ecr.eu-central-1.amazonaws.com": " ecr-login "
	}
}

And indeed, Docker CLI does not trim the helper; it fails to use the helper and falls back to basic auth.

The push refers to repository [662409547778.dkr.ecr.eu-central-1.amazonaws.com/gh-44633]
1dc94a70dbaa: Preparing
f11551f94b2b: Preparing
7130a16bceef: Preparing
41ee45b75d9f: Preparing
97d38fb9a19d: Preparing
508c281dc5cd: Preparing
09173eaeddc8: Waiting
1a6d2f237874: Waiting
c059b6f20445: Waiting
cdd4575ae9b3: Waiting
f0e9078fd509: Waiting
109d6909a2e0: Waiting
417e5bfc3c82: Waiting
a838c55de6ff: Waiting
bea0a3dc2651: Waiting
9c1f69b4e68a: Waiting
0560872d3bba: Waiting
e7cd92e3f4c6: Waiting
95305ea8b76a: Waiting
5953c33dbcf5: Waiting
no basic auth credentials

Everything worked fine when I removed any leading and trailing whitespace from a helper.

{
	"credHelpers": {
		"662409547778.dkr.ecr.eu-central-1.amazonaws.com": "ecr-login"
	}
}

The push refers to repository [662409547778.dkr.ecr.eu-central-1.amazonaws.com/gh-44633]
1dc94a70dbaa: Pushed
f11551f94b2b: Pushed
7130a16bceef: Pushed
41ee45b75d9f: Pushed
97d38fb9a19d: Pushed
508c281dc5cd: Pushed
09173eaeddc8: Pushed
1a6d2f237874: Pushed
c059b6f20445: Pushed
cdd4575ae9b3: Pushed
f0e9078fd509: Pushed
109d6909a2e0: Pushed
417e5bfc3c82: Pushed
a838c55de6ff: Pushed
bea0a3dc2651: Pushed
9c1f69b4e68a: Pushed
0560872d3bba: Pushed
e7cd92e3f4c6: Pushed
95305ea8b76a: Pushed
5953c33dbcf5: Pushed
latest: digest: sha256:65a43497ecee869b28f7a93b7b6f638e42c2fe91ecff395dc2fbedddd0b7f260 size: 4500

They appear to use the configurations provided by users as they are, except for the "" string, which is the default value for the string type in Go.
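
The lookup discussed in this thread, turned into a config check. This is an added example, not code from the pull request or from Docker CLI: the function and type names are hypothetical, the sample config and registry hosts are constructed, and the prefix value `docker-credential-` is Docker's naming convention for helper programs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Prefix Docker CLI prepends to the configured helper suffix.
const remoteCredentialsPrefix = "docker-credential-"

type dockerConfig struct {
	CredsStore  string            `json:"credsStore"`
	CredHelpers map[string]string `json:"credHelpers"`
}

// Constructed sample; the registry host names are placeholders.
const sampleConfig = `{"credsStore":"desktop","credHelpers":{"registry.example.test":" ecr-login "}}`

// resolveHelper returns the configured helper name verbatim (no trimming): a
// credHelpers entry wins, credsStore is the fallback, only "" means unset.
func resolveHelper(cfg dockerConfig, registry string) (string, bool) {
	name, found := cfg.CredHelpers[registry]
	if !found {
		name = cfg.CredsStore
	}
	return name, name != ""
}

// paddedHelpers maps each registry with a whitespace-padded helper name to the program looked up for it.
func paddedHelpers(raw []byte, registries ...string) (map[string]string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	padded := map[string]string{}
	for _, registry := range registries {
		name, ok := resolveHelper(cfg, registry)
		if ok && name != strings.TrimSpace(name) {
			padded[registry] = remoteCredentialsPrefix + name
		}
	}
	return padded, nil
}

func main() {
	padded, err := paddedHelpers([]byte(sampleConfig), "registry.example.test", "other.example.test")
	fmt.Printf("%q %v\n", padded, err)
}
```

Running such a check over a build agent's `config.json` surfaces the padded entry before a push ends in `no basic auth credentials`.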

@philwebb changed the title from "Align DockerRegistryConfigAuthentication with Docker CLI" to "DockerRegistryConfigAuthentication does not align with Docker CLI" Apr 25, 2025
@philwebb added the "type: bug" label (A general bug) and removed the "status: waiting-for-triage" label (An issue we've not yet triaged) Apr 25, 2025
@philwebb added this to the 3.5.x milestone Apr 25, 2025
@mhalbritter mhalbritter self-assigned this Apr 29, 2025
mhalbritter pushed a commit that referenced this pull request Apr 29, 2025
See gh-45292

Signed-off-by: Dmytro Nosan <dimanosan@gmail.com>
mhalbritter commented Apr 29, 2025

Thanks @nosan !
