Don't use k8schain, statically link cloud cred helpers

sigstore · Jan 6, 2022 · 4281a29 · 4281a29
1 parent b6aaddc
commit 4281a29
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 13 deletions.
diff --git a/cmd/cosign/cli/options/registry.go b/cmd/cosign/cli/options/registry.go
@@ -19,9 +19,12 @@ import (
 	"crypto/tls"
 	"net/http"
 
+	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+	"github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api"
+	"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 	"github.com/google/go-containerregistry/pkg/authn"
-	"github.com/google/go-containerregistry/pkg/authn/k8schain"
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/google"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 	"github.com/spf13/cobra"
@@ -69,10 +72,13 @@ func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Op
 	}
 
 	if o.KubernetesKeychain {
-		kc, err := k8schain.NewNoClient(ctx)
-		if err != nil {
-			panic(err.Error())
-		}
+		kc := authn.NewMultiKeychain(
+			authn.DefaultKeychain,
+			google.Keychain,
+			authn.NewKeychainFromHelper(ecr.ECRHelper{ClientFactory: api.DefaultClientFactory{}}),
+			authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
+		)
+
 		opts = append(opts, remote.WithAuthFromKeychain(kc))
 	} else {
 		opts = append(opts, remote.WithAuthFromKeychain(authn.DefaultKeychain))

diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/go-piv/piv-go v1.9.0
 	github.com/google/certificate-transparency-go v1.1.2
 	github.com/google/go-cmp v0.5.6
-	github.com/google/go-containerregistry v0.7.1-0.20211203164431-c75901cce627
+	github.com/google/go-containerregistry v0.8.0
 	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211215180950-ab77ea68f600
 	github.com/google/go-github/v39 v39.2.0
 	github.com/google/trillian v1.4.0
@@ -42,6 +42,8 @@ require (
 )
 
 require (
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20211027214941-f15886b5ccdc
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20210203204924-09e2b5a8ac86
 	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect