feat: Support basic auth and bearer auth login to registry

Signed-off-by: Tosone <i@tosone.cn>
sigstore · Oct 18, 2023 · e89f4ab · e89f4ab
1 parent 022fa26
commit e89f4ab
Show file tree

Hide file tree

Showing 21 changed files with 137 additions and 63 deletions.
diff --git a/cmd/cosign/cli/options/registry.go b/cmd/cosign/cli/options/registry.go
@@ -44,6 +44,7 @@ type RegistryOptions struct {
 	KubernetesKeychain bool
 	RefOpts            ReferenceOptions
 	Keychain           Keychain
+	AuthConfig         authn.AuthConfig
 
 	// RegistryClientOpts allows overriding the result of GetRegistryClientOpts.
 	RegistryClientOpts []remote.Option
@@ -53,15 +54,24 @@ var _ Interface = (*RegistryOptions)(nil)
 
 // AddFlags implements Interface
 func (o *RegistryOptions) AddFlags(cmd *cobra.Command) {
-	cmd.Flags().BoolVar(&o.AllowInsecure, "allow-insecure-registry", false,
+	cmd.Flags().BoolVar(&o.AllowInsecure, "registry-allow-insecure", false,
 		"whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing")
 
-	cmd.Flags().BoolVar(&o.AllowHTTPRegistry, "allow-http-registry", false,
+	cmd.Flags().BoolVar(&o.AllowHTTPRegistry, "registry-allow-http", false,
 		"whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing")
 
-	cmd.Flags().BoolVar(&o.KubernetesKeychain, "k8s-keychain", false,
+	cmd.Flags().BoolVar(&o.KubernetesKeychain, "registry-k8s-keychain", false,
 		"whether to use the kubernetes keychain instead of the default keychain (supports workload identity).")
 
+	cmd.Flags().StringVar(&o.AuthConfig.Username, "registry-username", "",
+		"registry basic auth username")
+
+	cmd.Flags().StringVar(&o.AuthConfig.Password, "registry-password", "",
+		"registry basic auth password")
+
+	cmd.Flags().StringVar(&o.AuthConfig.RegistryToken, "registry-token", "",
+		"registry bearer auth token")
+
 	o.RefOpts.AddFlags(cmd)
 }
 
@@ -113,6 +123,10 @@ func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Op
 			github.Keychain,
 		)
 		opts = append(opts, remote.WithAuthFromKeychain(kc))
+	case o.AuthConfig.Username != "" && o.AuthConfig.Password != "":
+		opts = append(opts, remote.WithAuth(&authn.Basic{Username: o.AuthConfig.Username, Password: o.AuthConfig.Password}))
+	case o.AuthConfig.RegistryToken != "":
+		opts = append(opts, remote.WithAuth(&authn.Bearer{Token: o.AuthConfig.RegistryToken}))
 	default:
 		opts = append(opts, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 	}

diff --git a/doc/cosign_attach_attestation.md b/doc/cosign_attach_attestation.md
diff --git a/doc/cosign_attach_sbom.md b/doc/cosign_attach_sbom.md
diff --git a/doc/cosign_attach_signature.md b/doc/cosign_attach_signature.md
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
diff --git a/doc/cosign_clean.md b/doc/cosign_clean.md
diff --git a/doc/cosign_copy.md b/doc/cosign_copy.md