diff --git a/container/pull.bzl b/container/pull.bzl
index d5b2adfc2..921df3cf3 100644
--- a/container/pull.bzl
+++ b/container/pull.bzl
@@ -64,6 +64,13 @@ _container_pull_attrs = {
""",
mandatory = False,
),
+ "cred_helpers": attr.label_list(
+ doc = """Labels to a list of credential helper binaries that are configured in `docker_client_config`.
+
+ More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers
+ """,
+ mandatory = False,
+ ),
"import_tags": attr.string_list(
default = [],
doc = "Tags to be propagated to generated rules.",
@@ -220,6 +227,14 @@ def _impl(repository_ctx):
args.extend(["-timeout", str(repository_ctx.attr.timeout)])
kwargs["timeout"] = repository_ctx.attr.timeout
+ if repository_ctx.attr.cred_helpers:
+ kwargs["environment"] = {
+ "PATH": "{}:{}".format(
+ ":".join([str(repository_ctx.path(helper).dirname) for helper in repository_ctx.attr.cred_helpers]),
+ repository_ctx.os.environ.get("PATH"),
+ ),
+ }
+
result = repository_ctx.execute(args, **kwargs)
if result.return_code:
fail("Pull command failed: %s (%s)" % (result.stderr, " ".join([str(a) for a in args])))
diff --git a/docs/container.md b/docs/container.md
index b51fe8e9e..0c95672c9 100644
--- a/docs/container.md
+++ b/docs/container.md
@@ -160,10 +160,10 @@ The created target can be referenced as `@label_name//image`.
## container_pull
-container_pull(name, architecture, cpu_variant, digest, docker_client_config, import_tags, os,
- os_features, os_version, platform_features, puller_darwin, puller_linux_amd64,
- puller_linux_arm64, puller_linux_s390x, registry, repo_mapping, repository, tag,
- timeout)
+container_pull(name, architecture, cpu_variant, cred_helpers, digest, docker_client_config,
+ import_tags, os, os_features, os_version, platform_features, puller_darwin,
+ puller_linux_amd64, puller_linux_arm64, puller_linux_s390x, registry, repo_mapping,
+ repository, tag, timeout)
A repository rule that pulls down a Docker base image in a manner suitable for use with the `base` attribute of `container_image`.
@@ -196,6 +196,7 @@ please use the bazel startup flag `--loading_phase_threads=1` in your bazel invo
| name | A unique name for this repository. | Name | required | |
| architecture | Which CPU architecture to pull if this image refers to a multi-platform manifest list, default 'amd64'. | String | optional | "amd64" |
| cpu_variant | Which CPU variant to pull if this image refers to a multi-platform manifest list. | String | optional | "" |
+| cred_helpers | Labels to a list of credential helper binaries that are configured in docker_client_config.
More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers | List of labels | optional | [] |
| digest | The digest of the image to pull. | String | optional | "" |
| docker_client_config | Specifies a Bazel label of the config.json file.
Don't use this directly. Instead, specify the docker configuration directory using a custom docker toolchain configuration. Look for the client_config attribute in docker_toolchain_configure [here](https://github.com/bazelbuild/rules_docker#setup) for details. See [here](https://github.com/bazelbuild/rules_docker#container_pull-custom-client-configuration) for an example on how to use container_pull after configuring the docker toolchain
When left unspecified (ie not set explicitly or set by the docker toolchain), docker will use the directory specified via the DOCKER_CONFIG environment variable.
If DOCKER_CONFIG isn't set, docker falls back to $HOME/.docker. | Label | optional | None |
| import_tags | Tags to be propagated to generated rules. | List of strings | optional | [] |
diff --git a/toolchains/docker/pull.bzl.tpl b/toolchains/docker/pull.bzl.tpl
index a2fb1a7ce..40fa8c689 100644
--- a/toolchains/docker/pull.bzl.tpl
+++ b/toolchains/docker/pull.bzl.tpl
@@ -7,5 +7,6 @@ def container_pull(**kwargs):
fail("docker_client_config attribute should not be set on the container_pull created by the custom docker toolchain configuration")
_container_pull(
docker_client_config="%{docker_client_config}",
+ cred_helpers=%{cred_helpers},
**kwargs
)
diff --git a/toolchains/docker/toolchain.bzl b/toolchains/docker/toolchain.bzl
index b5f7edd28..7b925bcbf 100644
--- a/toolchains/docker/toolchain.bzl
+++ b/toolchains/docker/toolchain.bzl
@@ -160,6 +160,7 @@ def _toolchain_configure_impl(repository_ctx):
Label("@io_bazel_rules_docker//toolchains/docker:pull.bzl.tpl"),
{
"%{docker_client_config}": str(repository_ctx.attr.client_config),
+ "%{cred_helpers}": str(repository_ctx.attr.cred_helpers),
},
False,
)
@@ -202,6 +203,14 @@ toolchain_configure = repository_rule(
"docker tool (typically, the home directory) will be " +
"used.",
),
+ "cred_helpers": attr.string_list(
+ mandatory = False,
+ doc = """Labels to a list of credential helpers binaries that are configured in `client_config`.
+
+ More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers
+ """,
+ default = [],
+ ),
"docker_flags": attr.string_list(
mandatory = False,
doc = "List of additional flag arguments to the docker command.",