From 6ea707babdcd54514e0884278ac624fb8bda19c1 Mon Sep 17 00:00:00 2001
From: Zhongpeng Lin
Date: Tue, 19 Apr 2022 10:07:48 -0700
Subject: [PATCH] Support credential helpers in container_pull (#2034)
---
 container/pull.bzl | 15 +++++++++++++++
 docs/container.md | 9 +++++----
 toolchains/docker/pull.bzl.tpl | 1 +
 toolchains/docker/toolchain.bzl | 9 +++++++++
 4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/container/pull.bzl b/container/pull.bzl
index d5b2adfc2..921df3cf3 100644
--- a/container/pull.bzl
+++ b/container/pull.bzl
@@ -64,6 +64,13 @@ _container_pull_attrs = {
 """,
 mandatory = False,
 ),
+ "cred_helpers": attr.label_list(
+ doc = """Labels to a list of credential helper binaries that are configured in `docker_client_config`.
+
+ More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers
+ """,
+ mandatory = False,
+ ),
 "import_tags": attr.string_list(
 default = [],
 doc = "Tags to be propagated to generated rules.",
@@ -220,6 +227,14 @@ def _impl(repository_ctx):
 args.extend(["-timeout", str(repository_ctx.attr.timeout)])
 kwargs["timeout"] = repository_ctx.attr.timeout
 
+ if repository_ctx.attr.cred_helpers:
+ kwargs["environment"] = {
+ "PATH": "{}:{}".format(
+ ":".join([str(repository_ctx.path(helper).dirname) for helper in repository_ctx.attr.cred_helpers]),
+ repository_ctx.os.environ.get("PATH"),
+ ),
+ }
+
 result = repository_ctx.execute(args, **kwargs)
 if result.return_code:
 fail("Pull command failed: %s (%s)" % (result.stderr, " ".join([str(a) for a in args])))
diff --git a/docs/container.md b/docs/container.md
index b51fe8e9e..0c95672c9 100644
--- a/docs/container.md
+++ b/docs/container.md
@@ -160,10 +160,10 @@ The created target can be referenced as `@label_name//image`. ## container_pull
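Review bot: The `cred_helpers` doc string added to `_container_pull_attrs` says the binaries are configured in `docker_client_config` but not how they are located: `_impl` prepends the directory of each label to `PATH` for the puller process, so every other executable in that directory becomes resolvable by the puller too. I would add a sentence to the doc such as `The directory containing each helper is prepended to PATH for the pull, so keep helpers in a directory that holds nothing else; the file name must match the helper name used in the config (docker-credential-<suffix>).` The naming requirement comes from Docker's helper convention and should be confirmed for the puller binary used here. The attribute dict starts and ends outside the hunk.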
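Review bot: `repository_ctx.os.environ.get("PATH")` in the new `kwargs["environment"]` block returns `None` when PATH is unset, and `"{}:{}".format(...)` then yields a PATH ending in `:None`, a relative entry that is resolved against the working directory of the pull. Defaulting to `""` is not enough either, because a trailing empty PATH element also means the current directory on POSIX. Collect the helper directories in a list, append the inherited PATH only when it is non-empty, and join once. The hard-coded `:` separator is POSIX-only, which looks consistent with the darwin/linux pullers this rule lists. `_impl` starts and ends outside the hunk.

```starlark
    if repository_ctx.attr.cred_helpers:
        path_entries = [
            str(repository_ctx.path(helper).dirname)
            for helper in repository_ctx.attr.cred_helpers
        ]
        inherited_path = repository_ctx.os.environ.get("PATH")
        if inherited_path:
            path_entries.append(inherited_path)
        kwargs["environment"] = {"PATH": ":".join(path_entries)}

    # … unchanged: repository_ctx.execute(args, **kwargs) and the return-code check …
```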
-container_pull(name, architecture, cpu_variant, digest, docker_client_config, import_tags, os,
-               os_features, os_version, platform_features, puller_darwin, puller_linux_amd64,
-               puller_linux_arm64, puller_linux_s390x, registry, repo_mapping, repository, tag,
-               timeout)
+container_pull(name, architecture, cpu_variant, cred_helpers, digest, docker_client_config,
+               import_tags, os, os_features, os_version, platform_features, puller_darwin,
+               puller_linux_amd64, puller_linux_arm64, puller_linux_s390x, registry, repo_mapping,
+               repository, tag, timeout)
 
A repository rule that pulls down a Docker base image in a manner suitable for use with the `base` attribute of `container_image`. @@ -196,6 +196,7 @@ please use the bazel startup flag `--loading_phase_threads=1` in your bazel invo | name | A unique name for this repository. | Name | required | | | architecture | Which CPU architecture to pull if this image refers to a multi-platform manifest list, default 'amd64'. | String | optional | "amd64" | | cpu_variant | Which CPU variant to pull if this image refers to a multi-platform manifest list. | String | optional | "" | +| cred_helpers | Labels to a list of credential helper binaries that are configured in docker_client_config.

More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers | List of labels | optional | [] | | digest | The digest of the image to pull. | String | optional | "" | | docker_client_config | Specifies a Bazel label of the config.json file.

Don't use this directly. Instead, specify the docker configuration directory using a custom docker toolchain configuration. Look for the client_config attribute in docker_toolchain_configure [here](https://github.com/bazelbuild/rules_docker#setup) for details. See [here](https://github.com/bazelbuild/rules_docker#container_pull-custom-client-configuration) for an example on how to use container_pull after configuring the docker toolchain

When left unspecified (ie not set explicitly or set by the docker toolchain), docker will use the directory specified via the DOCKER_CONFIG environment variable.

If DOCKER_CONFIG isn't set, docker falls back to $HOME/.docker. | Label | optional | None | | import_tags | Tags to be propagated to generated rules. | List of strings | optional | [] |
diff --git a/toolchains/docker/pull.bzl.tpl b/toolchains/docker/pull.bzl.tpl
index a2fb1a7ce..40fa8c689 100644
--- a/toolchains/docker/pull.bzl.tpl
+++ b/toolchains/docker/pull.bzl.tpl
@@ -7,5 +7,6 @@ def container_pull(**kwargs):
 fail("docker_client_config attribute should not be set on the container_pull created by the custom docker toolchain configuration")
 _container_pull(
 docker_client_config="%{docker_client_config}",
+ cred_helpers=%{cred_helpers},
 **kwargs
 )
diff --git a/toolchains/docker/toolchain.bzl b/toolchains/docker/toolchain.bzl
index b5f7edd28..7b925bcbf 100644
--- a/toolchains/docker/toolchain.bzl
+++ b/toolchains/docker/toolchain.bzl
@@ -160,6 +160,7 @@ def _toolchain_configure_impl(repository_ctx):
 Label("@io_bazel_rules_docker//toolchains/docker:pull.bzl.tpl"),
 {
 "%{docker_client_config}": str(repository_ctx.attr.client_config),
+ "%{cred_helpers}": str(repository_ctx.attr.cred_helpers),
 },
 False,
 )
@@ -202,6 +203,14 @@ toolchain_configure = repository_rule(
 "docker tool (typically, the home directory) will be " +
 "used.",
 ),
+ "cred_helpers": attr.string_list(
+ mandatory = False,
+ doc = """Labels to a list of credential helpers binaries that are configured in `client_config`.
+
+ More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers
+ """,
+ default = [],
+ ),
 "docker_flags": attr.string_list(
 mandatory = False,
 doc = "List of additional flag arguments to the docker command.",
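Review bot: The generated `container_pull` wrapper now passes `cred_helpers=%{cred_helpers}` alongside `**kwargs`, but only `docker_client_config` appears to be rejected up front (the `fail(...)` line at the top of the hunk; its condition is outside the hunk). A caller that sets `cred_helpers` on the wrapper would presumably hit a duplicate-keyword error rather than a clear message, and could not tell that the toolchain already owns the value. I would add a matching guard before the call: `if "cred_helpers" in kwargs:` followed by `fail("cred_helpers attribute should not be set on the container_pull created by the custom docker toolchain configuration")`.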
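Review bot: `cred_helpers` on `toolchain_configure` is an `attr.string_list`, and the `@@ -160` hunk pastes `str(repository_ctx.attr.cred_helpers)` verbatim into the generated `pull.bzl`, where the strings are only later interpreted as labels by `container_pull`'s `attr.label_list`. The doc should say that the entries are label strings and that they are best written fully qualified (`@repo//pkg:target`), since they are presumably resolved from the generated file rather than from the caller's package; that resolution context is an inference from the template, not something these hunks show. The wording "credential helpers binaries" should also read "credential helper binaries", matching the doc in `container/pull.bzl`. The `repository_rule(...)` call continues outside the hunk.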