New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
plugins/download: GitLab registry header auth #6045
Conversation
@DerGut given your work on the OCI downloader, it would be great if you could help to review this change. |
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Hi @gitu, sorry for the late reply! Thanks a lot for the contribution, I'm having a look at it now. |
This looks great! It's a bit unfortunate that we can't just reuse the I checked the places in So passing the My biggest remark is on the relationship between the I realize that their is no real way around introducing a new function+interface because we can't alter the existing one and don't have access to private functions from the I think calling What are your thoughts? |
plugins/rest/auth.go
Outdated
return nil | ||
} | ||
|
||
func (ap *bearerAuthPlugin) AuthHeader() (http.Header, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a comment explaining what it's for?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tried to do that, can you have another look
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! Looks good 👍
I restructured that a bit so now they both call the same function (addAuthorizationHeader) that adds to the header map. I hope that clearly show that both functions (Prepare(req) and AuthHeader) essentially do the same thing. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @gitu 👋 thanks for the changes!
I think they look great! I also like what you did with the func addAuthorizationHeader
👍
@ashutosh-narkar do you have any further questions?
The changes look good @gitu. As @DerGut mentioned, I was also wondering about the new |
@ashutosh-narkar that was my initial implementation but then that would effect all plugins and not only |
@gitu which plugins are you referring to here? In the current implementation only the |
@ashutosh-narkar to the 7 plugind that implement the |
@gitu your reasoning seems fair. @DerGut if we were to use |
@DerGut any thoughts here? |
The problem is that Other plugins make requests to external services during the var req http.Request
if err := plugin.Prepare(&req); err != nil {
// We can only assume that a plugin other than bearerAuthPlugin was used
}
opt := docker.WithAuthHeader(req.Header) We should be able to ignore the errors without problem but it feels odd that this is the only mechanism to decide whether we can use the modified request to call But I agree, that this approach could get rid of some additional complexity introduce by another interface. I tried follow a similar approach but only building the What do you think @gitu @ashutosh-narkar? |
@DerGut thanks for your rewrite, that basically did my naive initial solution in a much nicer way. |
92721a5
to
30a009b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also can you please fix the DCO check failure https://github.com/open-policy-agent/opa/pull/6045/checks?check_run_id=15183106996. |
* add auth to oci_downloader for gitlab registries * authentication has same workflow as public auth but with authenticated token fetch Signed-off-by: Florian Schrag <f@schr.ag>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the changes in this PR are needed?
OCI sourced bundles can not properly authenticate when using GitLab Registry.
See also: authorizer.go#L299
What are the changes in this PR?
Adds a not so elegant solution to get the header explicitly to containerd on, while not only relaying on the client to add the header, which doesn't work for gitlab.
Notes to assist PR review:
I'm not really sure if reflection is the way to go here, but it solves the problem quite elegantly and is only called on pulls.