Expose azcontainerregistry.authenticationClient #20571
Comments
ghost
added
needs-triage
jhendrixMSFT
added
Container Registry
Client
ghost
added
the
needs-team-attention
|
@PSanetra Thank you for the feature request. When we reviewed our public surface of cc: @JeffreyRichter |
|
@tadelesh yes, see for example the discussion in the oras go library: oras-project/oras-go#476 Due to missing support to call the token exchage via the SDK, it is needed to implement the token exchange manually. I think generally manual implementation is currently needed when a client should be implemented that should be able to communicate with generic container or artifact registries. |
|
If I understand correctly, you mean you need to use oras-go to communicate with generic registries, only need azure sdk to do the auth, right? @JeffreyRichter could you help to evaluate this request? |
|
@tadelesh exactly 🙂 |
|
Let me see if I understand... If I am, this dependency brings in a ton of other dependencies (like Azure Core with HTTP pipeline/policy functionality, etc.). We also do not test this scenario (using our authenticationClient with some other non-Azure SDK package) and can't formally support this scenario even if we were to export this type. |
|
@JeffreyRichter yes, it would be nice if accessing Azure APIs, especially proprietary authentication, would be supported by the Azure Go SDK. For generic interaction with the container registry a generic library like oras is used, which supports more features than the azcontainerregistry library. E.g. copying artifacts between registries. As far as I see the token exchange endpoint is a public Azure Container Registry API (See docs). That api is just not publicly exposed in the azcontainerregistry library. |
|
@JeffreyRichter I have to add in my use case that specific endpoint is not the only reason to reference the azure-sdk-for-go. I am also using Additionally the |
|
@PSanetra I fully understand your requirement here. Since we want to provide a fully tested SDKs, we are still waiting for more feedbacks to see if it is a common scenario for our customers. I'll keep update in this issue. |
|
+1 on exposing the authentication client in the sdk. I'm contributing to project Ratify. We also leverage oras-go to interact with ACR. Currently we are using a deprecated 2019 preview version of the sdk which does expose the client to exchange the AAD token for the registry refresh token. If we want to upgrade to the latest sdk, we need this functionality. Any update on supporting this? |
|
@MartinForReal could you also put your requirement and user scenario here? we could evaluate it again. |
|
This is identical to a requirement we have in github.com/Azure/MSI-ACRPull - we are attempting to project ACR credentials into a Kubernetes secret to allow the Kubelet to use managed identities and workload identities for image pulls. We do not require an ACR client, but only the ability to do the AAD access token -> ACR refresh token -> ACR access token flow ourselves. We will manage rotation as necessary. I understand the hesitation to expose direct access to this information for an ACR client, as transparent credential management is nice. I hope you'd be OK with a separate package that exposes the authentication code in a stand-alone capacity, which the ACR client happens to use under the hood. |
|
@JeffreyRichter Since the requirement is only exposing the authentication client (the auto generated code is public, but we hide them manually), and we have tests for the client, I think we could do that. What's your opinion? |
|
@tadelesh @JeffreyRichter please take a look at a proof-of-concept decoupling of the client policy and token caching and management in my PR #23272. We certainly could take the route that @tadelesh mentions and simply expose the |
|
@chlowell can you please review this request since it is auth related. |
|
I put up a PR to expose the auth API client, constructor, options, etc #23285 |
|
Closed by #23285 |
|
@chlowell shall we have an ad-hoc release or release with next cycle? |
|
Next cycle. So far as I know, no one is blocked on a published release. |
|
Thanks for adding this support! @chlowell is there an approximate time frame of the next release? |
|
September 17 is the next scheduled release date. |
|
@chlowell Just pinging to see if the sdk is released? I can't seem to find it in the new releases. |
|
Thanks for pinging! It appears we all assumed someone else was shipping this one. I've started the release process, it will publish tomorrow as v0.2.2 |
|
@chlowell Thanks. |
Feature Request
To interact with the ACR api it is needed to get an ACR refresh token via the
/oauth2/exchangeendpoint and then using the refresh token to get an access token via the/oauth2/endpoint, like it is described in the ACR docs.Third party libraries which interact with container and artifact registry like
oras-goalready support using refresh tokens to get an access token, but currently the call to/oauth2/exchangeneeds to be implemented manually. It would be great if theazcontainerregistry.authenticationClientwas exposed, so that ExchangeAADAccessTokenForACRRefreshToken can be used from the offical Azure go sdk.Related: oras-project/oras-go#476
The text was updated successfully, but these errors were encountered: