Question
I'm trying to write code that can essentially do a `docker inspect` on images published to a private JFrog Artifactory, without having to actually pull the images themselves. I've been using a guide called Inspecting Docker images without pull for a breakdown of the API calls. The guide uses the public Docker Hub registry as its base - not Artifactory - which is a little different.
Basically, there are 3 API calls that need to be made:
- First get a token
- Then get a "digest" for a given image/tag
- Finally get the config corresponding to that digest
I have Artifactory configured to allow anonymous read access. So anyone who knows the URL can do a `docker pull` without needing to provide credentials, and it works. I have verified this.
Because it allows anonymous access, I first assumed that perhaps I could skip API call #1 (getting a token) and proceed directly to API call #2 (looking up the digest) without providing a token. However this is not the case. Artifactory returns an UNAUTHORIZED error in that case.
Next I thought, okay, fine, I'll just hit the token endpoint. But instead of `auth.docker.io` I'll change it to the subdomain of my Artifactory server, and POST to the `/token` endpoint there. That didn't work. Then I unearthed this portion of the official ContainerD code which actually has a conditional case specifically tailored to JFrog Artifactory built in.
It looks like Artifactory returns a 401 (Unauthorized) when you try to POST to the `/token` endpoint, and that moreover the Docker client is aware of this so falls back to trying a GET request. But here's where it gets a little fuzzy for me. I'm not a Golang programmer so I'm having some difficulty understanding what's going on in the Docker CLI Go code here.
I assumed it was simply changing the POST to a GET, but otherwise using the same URL (i.e. `/v2/token`). However, this doesn't work. When I try to hit that endpoint I still get an UNAUTHORIZED response. Looking further down that ContainerD code, it looks like it might be setting basic auth using a username and a secret. But I'm not sure what those values would be, since this is being done with anonymous access. Clearly it's hitting some token endpoint on my Artifactory server, since running `docker pull` is successful. I'm just wondering what the fallback API call really looks like? And what parameters/headers/auth need to be passed into it?
Answer 1:
Artifactory allows you to create an API key manually through their web interface (click into your user profile), and then you can use this key in place of password for subsequent API calls. The key can last till you refresh it.
See here on how to use the key/token.
For programmatic token management, Artifactory's token API does not have the same endpoint as docker.io; see their documentation here.
Source: https://stackoverflow.com/questions/55484348/what-token-endpoint-does-jfrog-artifactory-use-for-its-docker-registries
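An added example, not part of the original question or answer: in the Docker Registry v2 token authentication scheme, a registry answers an unauthenticated request with a 401 whose `WWW-Authenticate: Bearer ...` header names the token endpoint (`realm`) and `service`, so a client can read the endpoint from that challenge instead of guessing it. The sketch below parses such a header and builds the GET token URL; the host, the repository name `team/app` and the header value are constructed placeholders, and it assumes the server follows that scheme.

```python
import re
from urllib.parse import urlencode

# Constructed sample challenge in the shape the Registry v2 token scheme defines.
# The host and service are placeholders, not values taken from Artifactory.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://registry.example.invalid/v2/token",'
    'service="registry.example.invalid"'
)

# key="value" auth-params, allowing backslash-escaped characters in the value.
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header):
    """Return the auth-params of a Bearer challenge as a dict."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    params = {k.lower(): re.sub(r"\\(.)", r"\1", v)
              for k, v in _PARAM.findall(rest)}
    if "realm" not in params:
        raise ValueError("Bearer challenge has no realm")
    return params


def token_request_url(header, repository, actions=("pull",)):
    """Build the GET URL for the token endpoint named by the challenge."""
    params = parse_bearer_challenge(header)
    realm = params["realm"]
    if not realm.lower().startswith("https://"):
        # Tokens (and any credentials sent with the request) must not
        # travel in cleartext, so reject a downgraded realm.
        raise ValueError("refusing non-HTTPS realm: %s" % realm)
    query = []
    if "service" in params:
        query.append(("service", params["service"]))
    scope = "repository:%s:%s" % (repository, ",".join(actions))
    query.append(("scope", scope))
    separator = "&" if "?" in realm else "?"
    return realm + separator + urlencode(query)


if __name__ == "__main__":
    print(token_request_url(SAMPLE_CHALLENGE, "team/app"))
```

The token returned by that GET is then sent as `Authorization: Bearer <token>` on the manifest and config requests.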