c8d/resolver: Use per-host HTTP client for auth requests #52600
Merged
When using the containerd image store, each registry host entry carries its own HTTP client configured with the host-specific TLS settings (custom CAs from /etc/docker/certs.d, insecure-registries, etc.).

hostsWrapper replaces the Authorizer on every host entry so that explicit auth credentials are used for token/OAuth requests. Previously it created a single authorizer before iterating the hosts, without supplying any HTTP client.

The result was that token endpoint requests bypassed custom CAs and insecure-registry settings.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Pull request overview
This PR fixes containerd image-store registry authentication so that token/OAuth requests use the per-registry-host HTTP client (and therefore respect host-specific TLS settings such as custom CAs under /etc/docker/certs.d and insecure-registries). This addresses reported failures where docker login succeeds but docker push/pull fails during token retrieval due to TLS verification errors.
Changes:
- Update `hostsWrapper` to build a `docker.Authorizer` per registry host entry using that host's configured `*http.Client`.
- Extend `authorizerFromAuthConfig` to accept an HTTP client and pass it to containerd's authorizer via `docker.WithAuthClient(...)`.
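The failure mode the overview describes is easy to reproduce with the standard library alone. The following is an added example written for this page, not code from moby or containerd: `RegistryHost` and `Authorizer` are constructed stand-ins for containerd's `docker.RegistryHost` and token authorizer, the token endpoint is a local `httptest` TLS server whose self-signed certificate plays the role of a registry CA under /etc/docker/certs.d, and the credentials and token value are made up. `Demo` fetches a token twice against the same host: first with an authorizer that was given no client and so falls back to `http.DefaultClient` (the pre-fix path), then with the host entry's own client (the fixed path).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RegistryHost is a cut-down stand-in for containerd's docker.RegistryHost
// (constructed for this example): every host entry carries its own
// *http.Client holding that host's TLS settings.
type RegistryHost struct {
	Host   string
	Client *http.Client
}

// Authorizer fetches a bearer token from a registry token endpoint. Which CAs
// that request trusts is decided entirely by the client it was built with.
type Authorizer struct {
	client     *http.Client
	user, pass string
}

// NewAuthorizer reproduces the fallback that makes the bug possible: with no
// explicit client it uses http.DefaultClient, which trusts only the system CA
// bundle and knows nothing about per-registry CAs or insecure-registries.
func NewAuthorizer(client *http.Client, user, pass string) *Authorizer {
	if client == nil {
		client = http.DefaultClient
	}
	return &Authorizer{client: client, user: user, pass: pass}
}

// FetchToken performs the token request with basic-auth credentials.
func (a *Authorizer) FetchToken(tokenURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, tokenURL, nil)
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(a.user, a.pass)
	resp, err := a.client.Do(req)
	if err != nil {
		return "", err // TLS verification failures surface here
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var body struct {
		Token string `json:"token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	return body.Token, nil
}

// IsUnknownAuthority reports whether err is a TLS verification failure caused
// by a server certificate chained to a CA the client does not trust.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// newTokenServer stands in for a private registry's token endpoint; httptest
// serves it with its own self-signed certificate (the "custom CA" here).
func newTokenServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || user != "alice" || pass != "s3cret" { // constructed credentials
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]string{"token": "tok-for-alice"})
	}))
}

// perHostClient builds the client a host entry carries: it trusts exactly the
// CA configured for that registry, nothing else.
func perHostClient(ca *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// Demo runs the "before" (no client supplied) and "after" (host's client
// supplied) token fetches and reports whether each succeeded.
func Demo() (beforeOK, afterOK bool, beforeErr error) {
	srv := newTokenServer()
	defer srv.Close()
	host := RegistryHost{Host: srv.Listener.Addr().String(), Client: perHostClient(srv.Certificate())}
	tokenURL := srv.URL + "/token"

	_, beforeErr = NewAuthorizer(nil, "alice", "s3cret").FetchToken(tokenURL)
	_, afterErr := NewAuthorizer(host.Client, "alice", "s3cret").FetchToken(tokenURL)
	return beforeErr == nil, afterErr == nil, beforeErr
}

func main() {
	beforeOK, afterOK, beforeErr := Demo()
	fmt.Printf("default client: ok=%v unknownAuthority=%v\n", beforeOK, IsUnknownAuthority(beforeErr))
	fmt.Printf("per-host client: ok=%v\n", afterOK)
}
```

The same shape covers the insecure-registries case: there the per-host client would carry `InsecureSkipVerify: true` (or a plain-HTTP scheme) and the default client would again refuse the handshake. The practical check after a fix like this one is that `docker login` succeeding is not enough evidence; the token request made during push or pull is the one that has to go through the host's client.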
Comment on lines 41 to 49
| return func(n string) ([]docker.RegistryHost, error) { | ||
| hosts, err := hostsFn(n) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| for i := range hosts { | ||
| hosts[i].Authorizer = authorizer | ||
| hosts[i].Authorizer = authorizerFromAuthConfig(*optAuthConfig, ref, hosts[i].Client) | ||
| } |
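Review bot: nothing in this hunk guards `hosts[i].Client` against being nil before it is passed to `authorizerFromAuthConfig(*optAuthConfig, ref, hosts[i].Client)`; if a host entry returned by `hostsFn` can arrive without a client, the authorizer would be built without that host's TLS settings and the token request would quietly fall back to a default client, which is the very failure this change is fixing. Worth either checking for a nil client in this loop or having `authorizerFromAuthConfig` refuse one. Two things the shown lines rely on but do not contain: the dereference `*optAuthConfig` assumes a nil check earlier in the function, and the removed `hosts[i].Authorizer = authorizer` was the only visible use of the old `authorizer` variable, so its declaration above line 41 needs to go with it.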