[Question] regctl repo ls with authentication
fedorbirjukov opened this issue · comments
Question
I am trying to list the repositories in my private registry:
regctl repo ls myregistry.com
I am getting only those that do not require authentication.
I have tried adding --logopt '(reg=myregistry.com,user=myuser,tls=enabled)' --debug
, even with pass=...
in there. Here is the debug output I get:
time="2024-05-21T13:10:03+02:00" level=debug msg="Loading docker config" api= blobChunk=0 blobMax=0 helper= hostname=myregistry.com mirrors="[]" name=myregistry.com pathPrefix= repoAuth=false tls=enabled user=fbi
time="2024-05-21T13:10:03+02:00" level=debug msg="Loading host config" api= blobChunk=0 blobMax=0 helper= hostname=myregistry.com mirrors="[]" name=myregistry.com pathPrefix= repoAuth=false tls=enabled user=fbi
time="2024-05-21T13:10:03+02:00" level=debug msg="regclient initialized" VCSRef=766ee6291f882778207ff42207f9ca8b1da54e57 VCSTag=v0.6.1
time="2024-05-21T13:10:03+02:00" level=debug msg="Listing repositories" host=myregistry.com last= limit=0
time="2024-05-21T13:10:03+02:00" level=debug msg="http req" method=GET url="https://myregistry.com/v2/_catalog" withAuth=false
Is there a way to list all repositories? Or to have regctl use withAuth=true in the GET request from the debug output?
Version
VCSTag: v0.6.1
VCSRef: 766ee6291f882778207ff42207f9ca8b1da54e57
VCSCommit: 766ee6291f882778207ff42207f9ca8b1da54e57
VCSState: clean
VCSDate: 2024-05-14T13:18:19Z
Platform: windows/amd64
GoVer: go1.22.3
GoCompiler: gc
Environment
- Running as binary or container: binary
- Host platform: windows
- Registry description: inedo proget v2023
Anything else
Deleting tags with regctl tag delete myregistry.com/myfeed/myrepo:mytag
works like a charm.
This one is a bit challenging to support because both the API (_catalog
), and authentication, are not defined by OCI (though there's some slow work on the latter). regclient looks for an http 401 status (unauthorized) and the WWW-Authenticate
header to trigger the authentication process. If the registry does not send those, but instead immediately returns a response to the API, regclient returns that response.
Many registries that provide different data to authenticated users will send a bearer authentication request to the client, and the client can either provide a login or request an anonymous bearer token from the authentication server, and regclient will do either depending on whether it has credentials for that registry host.
For this, I would push back to the registry implementation to work with OCI on the future direction of that spec so that this could be supported.
Thanks. That's a pity there is no way to make it use authentication.