go-containerregistry: k8schain doesn't work with multiple Secrets

I’m trying to build an image-checking operator for Kubernetes. Everything works perfectly except the auth part if multiple imagePullSecrets are specified. The authentication provider selects only the first one from the keyring: https://github.com/google/go-containerregistry/blob/5cbd060f5c92/pkg/authn/k8schain/k8schain.go#L145. Is it by design?

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 18 (5 by maintainers)

Most upvoted comments

Found this: https://github.com/kubernetes/kubernetes/blob/2e93b3924ae6eb2b6a2b914fe400a006bd676308/pkg/kubelet/kuberuntime/kuberuntime_image.go#L45-L76

Doesn’t exactly fit into how we expect auth to work (we really only expect one authconfig).

I can imagine plumbing this around and doing some typechecking in here to look for a magic method that returns multiple authconfigs instead of one… maybe:

```go
// MultiAuthenticator is used to authenticate Docker transports.
type MultiAuthenticator interface {
	// Authorizations returns the values to use in an http transport's Authorization header.
	Authorizations() ([]AuthConfig, error)
}
```

Then we can drop into a loop on refresh until it works?

Yep! Let me take a look here and see if we can support this in the near-term with the current state of the package 👍
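The "loop until it works" idea from the thread, as an added example that is not part of the original discussion and is not go-containerregistry code. `AuthConfig` here is a local stand-in type, and `secretsKeyring`, `TryEach` and the `attempt` callback are hypothetical names; the sample credentials are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthConfig is a local stand-in for one registry credential (assumption, not the library's type).
type AuthConfig struct{ Username, Password string }

// MultiAuthenticator mirrors the interface sketched in the thread.
type MultiAuthenticator interface {
	Authorizations() ([]AuthConfig, error)
}

// secretsKeyring (hypothetical) holds one credential per imagePullSecret, in order.
type secretsKeyring []AuthConfig

func (k secretsKeyring) Authorizations() ([]AuthConfig, error) { return k, nil }

// TryEach calls attempt (a hypothetical single registry request) with each credential
// in order and returns the index of the first one accepted. An empty keyring yields one
// anonymous attempt (index -1); if all are rejected, every failure is reported.
func TryEach(m MultiAuthenticator, attempt func(AuthConfig) error) (int, error) {
	creds, err := m.Authorizations()
	if err != nil {
		return -1, err
	}
	if len(creds) == 0 {
		return -1, attempt(AuthConfig{})
	}
	var failed []string
	for i, c := range creds {
		if err = attempt(c); err == nil {
			return i, nil
		}
		// Identify the credential by index and username only, never the password.
		failed = append(failed, fmt.Sprintf("credential %d (%s): %v", i, c.Username, err))
	}
	return -1, errors.New(strings.Join(failed, "; "))
}

func main() {
	// Constructed sample: the registry rejects the first (stale) secret and accepts the second.
	keyring := secretsKeyring{{Username: "stale", Password: "old"}, {Username: "robot", Password: "good"}}
	rejected := map[AuthConfig]error{keyring[0]: errors.New("401 unauthorized")}
	fmt.Println(TryEach(keyring, func(c AuthConfig) error { return rejected[c] }))
}
```

Selecting only the first keyring entry corresponds to stopping after index 0, which fails in the constructed case even though a valid secret is present.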