Skip to content

mz280: fix harbor authentication #369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 14, 2025
Merged

mz280: fix harbor authentication #369

merged 1 commit into from
Nov 14, 2025

Conversation

@mzihlmann
Copy link
Collaborator

@mzihlmann mzihlmann commented Nov 8, 2025
edited
Loading

Fixes #280 chainguard-dev/kaniko#184

Description

docker cli auth (default provider) actually handles two credential sources internally. DOCKER_AUTH_CONFIG environment variable and /kaniko/.docker/config.json file. It always gives priority to the environment variable docker/cli#6171. This causes issues where users had read-only credentials for harbor configured instance wide in the environment variable and push credentials stored in the local configfile. Our usage of docker cli would ignore the push credentials and instead fail hard with the readonly credentials.

In a sense this is similar to the issue we had with google credential helper here GoogleContainerTools/kaniko#3328, where we implicitly used invalid credentials to authenticate to gcr, and then failed even though the repository was public. The underlying issue is that if authentication of the highest priority key fails, we just give up, instead we should try out unauthenticated and all keys in order by default, this way credentials can't be shadowed by "higher priority" ones.

As a stop-gap solution to improve the discoverability of these kind of issues we now explicitly log the used credential providers and add an additional warning if DOCKER_AUTH_CONFIG can shadow your other configs.

@mzihlmann mzihlmann marked this pull request as ready for review November 8, 2025 05:14
@mzihlmann mzihlmann requested review from 0hlov3, BobDu, babs and nejch November 8, 2025 05:14
@mzihlmann mzihlmann force-pushed the mz280-harbor-push-permissions branch from 65dd6bd to 27ca164 Compare November 9, 2025 08:55
@mzihlmann
Copy link
Collaborator Author

mzihlmann commented Nov 13, 2025

remember to update the list of issues, as there are quite a few in upstream and chainguard too

@mzihlmann mzihlmann merged commit 511f65c into main Nov 14, 2025
12 checks passed
mzihlmann added a commit that referenced this pull request Nov 16, 2025
@mzihlmann
Revert "mz280: log used credential sources explicitly (#369)"
592f582 
This reverts commit 511f65c, reversing
changes made to 5b6cfca.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0hlov3 0hlov3 0hlov3 approved these changes

@babs babs Awaiting requested review from babs

@nejch nejch Awaiting requested review from nejch

@BobDu BobDu Awaiting requested review from BobDu

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Cannot push (login) to Harbor

3 participants

@mzihlmann @0hlov3