|
| 1 | +--- |
| 2 | +hip: 9999 |
| 3 | +title: "registries.conf support for OCI registry management" |
| 4 | +authors: [ "George Jenkins <[email protected]>", "Andy Block <[email protected]>" ] |
| 5 | +created: "2025-02-16" |
| 6 | +type: "feature" |
| 7 | +status: "draft" |
| 8 | +--- |
| 9 | + |
| 10 | +## Abstract |
| 11 | + |
| 12 | +[registries.conf][registries-conf] is a an alternative specification (to Docker's `docker/config.json`) for managing OCI registry configuration. That supports more advanced features, and has been standardized by other container ecosystem CLI tools (podman, buildah, skopeo, etc) |
| 13 | + |
| 14 | +Support would extend Helm's flexilbity with respect to OCI configuration, including repository prefixes and aliases. This HIP focuces on the implementation of supporting `registries.conf`. Further HIPs to be created for exposing functionality based on utilzing `registries.conf`. |
| 15 | + |
| 16 | +[registries-conf]: <https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md> "registries.conf specification" |
| 17 | + |
| 18 | +## Motivation |
| 19 | + |
| 20 | +`registries.conf` provides much more flexibible support for OCI registry management than the current Docker CLI based configuration format that Helm uses today. |
| 21 | + |
| 22 | +Including support for repository prefixes (allowing different credentials for different prefixes), registry mirrors, and registry "aliasing". Features Helm would like to introduce. But is currenly blocked by a lack of mechanism to store detail |
| 23 | + |
| 24 | +(in particular, the existing registry configuration Helm uses, Docker’s `$HOME/.docker/config.json`, etc do not support registry aliases nor prefixes) |
| 25 | + |
| 26 | +## Rationale |
| 27 | + |
| 28 | +Utilizing an existing specification / libraries enables Helm immediate build upon an existing standard. |
| 29 | +Rather than Helm inventing its own convention. |
| 30 | + |
| 31 | +`registries.conf` was picked as being a format intended for consumption beyond the Docker application container ecosystem. |
| 32 | + |
| 33 | +## Specification |
| 34 | + |
| 35 | +Helm will utilize the `registries.conf` specification when determinging OCI registry information (authentication credentials, etc): |
| 36 | +<https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md> |
| 37 | + |
| 38 | + |
| 39 | +`registries.conf` will be preferred, either when a `registries.conf` file already exists on the users system. |
| 40 | +Or when Helm supports and a user utilizes functionality that can not be supported by Docker's comnfigurtation file in the future. |
| 41 | + |
| 42 | +<!-- The usage of `registries.conf` will be forced, when in the future --> |
| 43 | + |
| 44 | +For example, a registry login command: |
| 45 | +```bash |
| 46 | +helm registry login "oci.example.com" --username foo --password bar |
| 47 | +``` |
| 48 | + |
| 49 | +Will result in the configration exerpt (if, and only if, `registries.conf` exists on the users local system): |
| 50 | +```toml |
| 51 | +# registries.conf |
| 52 | +[[registry]] |
| 53 | +prefix = "oci.example.com" |
| 54 | +``` |
| 55 | + |
| 56 | +```json |
| 57 | +# auth.json |
| 58 | +"auths": { |
| 59 | + ... |
| 60 | + "oci.example.com": { |
| 61 | + "auth": "Zm9vOmJhcgo=" |
| 62 | + } |
| 63 | +} |
| 64 | +``` |
| 65 | + |
| 66 | +Helm will use the package TBD for updating (and reading) `registries.conf`. |
| 67 | + |
| 68 | +If when reading a registries configation from `registries.conf` results in known configuration Helm doesn't support, Helm must error. |
| 69 | +e.g. `location` or non-empty URI path in `prefix`. |
| 70 | + |
| 71 | +An error reading `registries.conf` must result in an error for the user. |
| 72 | +Otherwise, users who expect configration from `registries.conf` to be effected, will have a unspected fallback. |
| 73 | + |
| 74 | +To account for existing configration in Docker’s registry configuration, Helm will prefer `registries.conf` when resolving OCI registries (including credentials). |
| 75 | +And fall back to the existing store mechanism if `registries.conf` does not contain an entry for the required OCI registry (including if `registries.conf` does not exist). |
| 76 | + |
| 77 | +Helm must expect (and even encourage) users to utilize other tooling to manage `registries.conf`. |
| 78 | + |
| 79 | +## Backwards compatibility |
| 80 | + |
| 81 | +Helm's fallback to Docker's registry configuration ensures the vast majority of existing user workflows remain the same. |
| 82 | + |
| 83 | +However, there are three potential incompatibility scenarios: |
| 84 | +2. A corrupt `registries.conf` will cause an error for existing workflows |
| 85 | +1. An invalid or incompatible with Helm `registries.conf` entry for the given OCI registry will cause the users workflow to fail |
| 86 | +3. Helm’s preference for `registries.conf` will break users who assume credentials are stored in Docker’s registry configuration |
| 87 | + |
| 88 | +The first two can mitigated by users ensuring their systems `registries.conf` is valid, and only includes configuration options Helm supports for the registries they plan to use with Helm. |
| 89 | + |
| 90 | +The last is mitigated by not using `registries.conf` initially unless it exists on the users system. |
| 91 | + |
| 92 | +## Security implications |
| 93 | + |
| 94 | +`registries.conf` introduces a new mechanism for storing OCI credentials, which may introduce credential management vulnerabilities specific to `registries.conf` / `auth.json` |
| 95 | + |
| 96 | +Transitive dependencies of the TBD package for managing registries.conf may introduce security scanner noise (which tends to be a problem in the container library ecosystem) |
| 97 | + |
| 98 | +## How to teach this |
| 99 | + |
| 100 | +Helm's documentation will need to be updated with details of Helm's `registries.conf` support, and fallback to Docker config. |
| 101 | + |
| 102 | +## Reference implementation |
| 103 | + |
| 104 | +<!-- |
| 105 | +Link to any existing implementation and details about its state, e.g. |
| 106 | +proof-of-concept. |
| 107 | +--> |
| 108 | + |
| 109 | +## Rejected ideas |
| 110 | + |
| 111 | +### Falling back to Docker’s config upon error reading registries.conf |
| 112 | + |
| 113 | +Falling back upon error means users who expect their configuration to be taken from `registries.conf` will unexpectedly have OCI configuration taken from Docker. |
| 114 | +Potentially resulting in difficult to diagnose failures authenticating to the repository. |
| 115 | + |
| 116 | +Rather than "failing fast" and requring users to ensure their configuration to be valid. |
| 117 | + |
| 118 | +## Open issues |
| 119 | + |
| 120 | +- Support for registies.conf in ORAS |
| 121 | +- Disucss Helm's/ORAS's usage of registries.conf with owners |
| 122 | + |
| 123 | +## References |
| 124 | + |
| 125 | +### ORAS credential store (registry configuration) docs |
| 126 | + |
| 127 | +https://pkg.go.dev/oras.land/oras-go/v2/registry/remote/credentials#NewStoreFromDocker |
| 128 | + |
| 129 | +### registries.conf specification |
| 130 | +https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md |
0 commit comments