More flexibility when parsing docker config.json (or add a warning to docs)

[kpaulisse]

TL;DR: When parsing docker config.json, rules_oci should strip off everything after the hostname (or, if not, add a caveat to the documentation).

I spent more time than I'd care to admit tracking down a problem using oci_pull with a private Quay repository. The problem turned out to be that my $HOME/.docker/config.json file looked like this:

{
  "auths": {
    "https://quay.io/v2": {
      "auth": "<base64 encoded username:password>"
    }
  }
}

It turned out that the "hostname" was quay.io/v2 for the purposes of matching which credentials, which of course did not match quay.io that was one of the pre-configured patterns. Therefore the credentials were not being passed along and I was getting a 401 error trying to get the token.

My docker config file as shown above was working for oci_push in version 1.x at least.

After debugging I ultimately discovered that removing the /v2 from the Quay URL solved my problem.

{
  "auths": {
    "https://quay.io": {
      "auth": "<base64 encoded username:password>"
    }
  }
}

I am happy to make a contribution to solve this, and this contribution seems really easy, but I am wanting to ask for guidance first:

• Should I update _strip_host to strip off /v2 too, or /v\d+, or anything after a slash?
• Should I update docs/pull.md with a warning about the situation I encountered?
• Should we add a warning to _get_auth that credentials were found for quay.io/v2 but not quay.io (in my case), so the user has a hint where to look?

Thanks in advance!

[thesayyn]

This is an embarrassing issue,

rules_oci/oci/private/authn.bzl

Line 63 in 5ff4c79

# TODO: a principled way of doing this

i have left a TODO here for us to fix this in a principled way but never done it.

Any PR fixing this is welcome here.