Support credential helpers in container_pull (#2034)

Author: linzhp

container/pull.bzl

@@ -64,6 +64,13 @@ _container_pull_attrs = {
             """,
         mandatory = False,
     ),
+    "cred_helpers": attr.label_list(
+        doc = """Labels to a list of credential helper binaries that are configured in `docker_client_config`.
+
+        More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers
+        """,
+        mandatory = False,
+    ),
     "import_tags": attr.string_list(
         default = [],
         doc = "Tags to be propagated to generated rules.",
@@ -220,6 +227,14 @@ def _impl(repository_ctx):
         args.extend(["-timeout", str(repository_ctx.attr.timeout)])
         kwargs["timeout"] = repository_ctx.attr.timeout
 
+    if repository_ctx.attr.cred_helpers:
+        kwargs["environment"] = {
+            "PATH": "{}:{}".format(
+                ":".join([str(repository_ctx.path(helper).dirname) for helper in repository_ctx.attr.cred_helpers]),
+                repository_ctx.os.environ.get("PATH"),
+            ),
+        }
+
     result = repository_ctx.execute(args, **kwargs)
     if result.return_code:
         fail("Pull command failed: %s (%s)" % (result.stderr, " ".join([str(a) for a in args])))

docs/container.md

@@ -160,10 +160,10 @@ The created target can be referenced as `@label_name//image`.
 ## container_pull
 
 <pre>
-container_pull(<a href="#container_pull-name">name</a>, <a href="#container_pull-architecture">architecture</a>, <a href="#container_pull-cpu_variant">cpu_variant</a>, <a href="#container_pull-digest">digest</a>, <a href="#container_pull-docker_client_config">docker_client_config</a>, <a href="#container_pull-import_tags">import_tags</a>, <a href="#container_pull-os">os</a>,
-               <a href="#container_pull-os_features">os_features</a>, <a href="#container_pull-os_version">os_version</a>, <a href="#container_pull-platform_features">platform_features</a>, <a href="#container_pull-puller_darwin">puller_darwin</a>, <a href="#container_pull-puller_linux_amd64">puller_linux_amd64</a>,
-               <a href="#container_pull-puller_linux_arm64">puller_linux_arm64</a>, <a href="#container_pull-puller_linux_s390x">puller_linux_s390x</a>, <a href="#container_pull-registry">registry</a>, <a href="#container_pull-repo_mapping">repo_mapping</a>, <a href="#container_pull-repository">repository</a>, <a href="#container_pull-tag">tag</a>,
-               <a href="#container_pull-timeout">timeout</a>)
+container_pull(<a href="#container_pull-name">name</a>, <a href="#container_pull-architecture">architecture</a>, <a href="#container_pull-cpu_variant">cpu_variant</a>, <a href="#container_pull-cred_helpers">cred_helpers</a>, <a href="#container_pull-digest">digest</a>, <a href="#container_pull-docker_client_config">docker_client_config</a>,
+               <a href="#container_pull-import_tags">import_tags</a>, <a href="#container_pull-os">os</a>, <a href="#container_pull-os_features">os_features</a>, <a href="#container_pull-os_version">os_version</a>, <a href="#container_pull-platform_features">platform_features</a>, <a href="#container_pull-puller_darwin">puller_darwin</a>,
+               <a href="#container_pull-puller_linux_amd64">puller_linux_amd64</a>, <a href="#container_pull-puller_linux_arm64">puller_linux_arm64</a>, <a href="#container_pull-puller_linux_s390x">puller_linux_s390x</a>, <a href="#container_pull-registry">registry</a>, <a href="#container_pull-repo_mapping">repo_mapping</a>,
+               <a href="#container_pull-repository">repository</a>, <a href="#container_pull-tag">tag</a>, <a href="#container_pull-timeout">timeout</a>)
 </pre>
 
 A repository rule that pulls down a Docker base image in a manner suitable for use with the `base` attribute of `container_image`.
@@ -196,6 +196,7 @@ please use the bazel startup flag `--loading_phase_threads=1` in your bazel invo
 | <a id="container_pull-name"></a>name |  A unique name for this repository.   | <a href="https://bazel.build/docs/build-ref.html#name">Name</a> | required |  |
 | <a id="container_pull-architecture"></a>architecture |  Which CPU architecture to pull if this image refers to a multi-platform manifest list, default 'amd64'.   | String | optional | "amd64" |
 | <a id="container_pull-cpu_variant"></a>cpu_variant |  Which CPU variant to pull if this image refers to a multi-platform manifest list.   | String | optional | "" |
+| <a id="container_pull-cred_helpers"></a>cred_helpers |  Labels to a list of credential helper binaries that are configured in <code>docker_client_config</code>.<br><br>        More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers   | <a href="https://bazel.build/docs/build-ref.html#labels">List of labels</a> | optional | [] |
 | <a id="container_pull-digest"></a>digest |  The digest of the image to pull.   | String | optional | "" |
 | <a id="container_pull-docker_client_config"></a>docker_client_config |  Specifies  a Bazel label of the config.json file.<br><br>            Don't use this directly.             Instead, specify the docker configuration directory using a custom docker toolchain configuration.             Look for the <code>client_config</code> attribute in <code>docker_toolchain_configure</code>             [here](https://github.com/bazelbuild/rules_docker#setup) for details.             See [here](https://github.com/bazelbuild/rules_docker#container_pull-custom-client-configuration)             for an example on how to use container_pull after configuring the docker toolchain<br><br>            When left unspecified (ie not set explicitly or set by the docker toolchain),             docker will use the directory specified via the <code>DOCKER_CONFIG</code> environment variable.<br><br>            If <code>DOCKER_CONFIG</code> isn't set, docker falls back to <code>$HOME/.docker</code>.   | <a href="https://bazel.build/docs/build-ref.html#labels">Label</a> | optional | None |
 | <a id="container_pull-import_tags"></a>import_tags |  Tags to be propagated to generated rules.   | List of strings | optional | [] |

toolchains/docker/pull.bzl.tpl

@@ -7,5 +7,6 @@ def container_pull(**kwargs):
         fail("docker_client_config attribute should not be set on the container_pull created by the custom docker toolchain configuration")
     _container_pull(
         docker_client_config="%{docker_client_config}",
+        cred_helpers=%{cred_helpers},
         **kwargs
     )

toolchains/docker/toolchain.bzl

@@ -160,6 +160,7 @@ def _toolchain_configure_impl(repository_ctx):
             Label("@io_bazel_rules_docker//toolchains/docker:pull.bzl.tpl"),
             {
                 "%{docker_client_config}": str(repository_ctx.attr.client_config),
+                "%{cred_helpers}": str(repository_ctx.attr.cred_helpers),
             },
             False,
         )
@@ -202,6 +203,14 @@ toolchain_configure = repository_rule(
                   "docker tool (typically, the home directory) will be " +
                   "used.",
         ),
+        "cred_helpers": attr.string_list(
+            mandatory = False,
+            doc = """Labels to a list of credential helpers binaries that are configured in `client_config`.
+
+            More about credential helpers: https://docs.docker.com/engine/reference/commandline/login/#credential-helpers
+            """,
+            default = [],
+        ),
         "docker_flags": attr.string_list(
             mandatory = False,
             doc = "List of additional flag arguments to the docker command.",