Giters

regclient / regclient

Docker and OCI Registry Client in Go and tooling using those libraries.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

[Question] regctl repo ls with authentication

fedorbirjukov opened this issue · comments

commented

Question

I am trying to list the repositories in my private registry:

regctl repo ls myregistry.com

I am getting only those that do not require authentication.

I have tried adding --logopt '(reg=myregistry.com,user=myuser,tls=enabled)' --debug, even with pass=... in there. Here is the debug output I get:

time="2024-05-21T13:10:03+02:00" level=debug msg="Loading docker config" api= blobChunk=0 blobMax=0 helper= hostname=myregistry.com mirrors="[]" name=myregistry.com pathPrefix= repoAuth=false tls=enabled user=fbi
time="2024-05-21T13:10:03+02:00" level=debug msg="Loading host config" api= blobChunk=0 blobMax=0 helper= hostname=myregistry.com mirrors="[]" name=myregistry.com pathPrefix= repoAuth=false tls=enabled user=fbi
time="2024-05-21T13:10:03+02:00" level=debug msg="regclient initialized" VCSRef=766ee6291f882778207ff42207f9ca8b1da54e57 VCSTag=v0.6.1
time="2024-05-21T13:10:03+02:00" level=debug msg="Listing repositories" host=myregistry.com last= limit=0
time="2024-05-21T13:10:03+02:00" level=debug msg="http req" method=GET url="https://myregistry.com/v2/_catalog" withAuth=false

Is there a way to list all repositories? Or to have regctl use withAuth=true in the GET request from the debug output?

Version

VCSTag:     v0.6.1
VCSRef:     766ee6291f882778207ff42207f9ca8b1da54e57
VCSCommit:  766ee6291f882778207ff42207f9ca8b1da54e57
VCSState:   clean
VCSDate:    2024-05-14T13:18:19Z
Platform:   windows/amd64
GoVer:      go1.22.3
GoCompiler: gc

Environment

  • Running as binary or container: binary
  • Host platform: windows
  • Registry description: inedo proget v2023

Anything else

Deleting tags with regctl tag delete myregistry.com/myfeed/myrepo:mytag works like a charm.

commented

This one is a bit challenging to support because both the API (_catalog), and authentication, are not defined by OCI (though there's some slow work on the latter). regclient looks for an http 401 status (unauthorized) and the WWW-Authenticate header to trigger the authentication process. If the registry does not send those, but instead immediately returns a response to the API, regclient returns that response.

Many registries that provide different data to authenticated users will send a bearer authentication request to the client, and the client can either provide a login or request an anonymous bearer token from the authentication server, and regclient will do either depending on whether it has credentials for that registry host.

For this, I would push back to the registry implementation to work with OCI on the future direction of that spec so that this could be supported.

commented

Thanks. That's a pity there is no way to make it use authentication.