Support dynamic push credentials obtained from registry

Author: manics

binderhub/build.py

@@ -91,6 +91,18 @@ class BuildExecutor(LoggingConfigurable):
         config=True,
     )
 
+    push_secret_content = Unicode(
+        "",
+        help=(
+            "Content of an implementation dependent secret for pushing image to a registry. "
+            "For example, if push tokens are temporary this can be used to pass the token "
+            "as an environment variable CONTAINER_ENGINE_REGISTRY_CREDENTIALS to "
+            "repo2docker."
+            "If provided this will be used instead of push_secret."
+        ),
+        config=True,
+    )
+
     memory_limit = ByteSpecification(
         0,
         help="Memory limit for the build process in bytes (optional suffixes K M G T).",
@@ -394,7 +406,23 @@ def submit(self):
             )
         ]
 
-        if self.push_secret:
+        env = [
+            client.V1EnvVar(name=key, value=value)
+            for key, value in self.extra_envs.items()
+        ]
+        if self.git_credentials:
+            env.append(
+                client.V1EnvVar(name="GIT_CREDENTIAL_ENV", value=self.git_credentials)
+            )
+
+        if self.push_secret_content:
+            env.append(
+                client.V1EnvVar(
+                    name="CONTAINER_ENGINE_REGISTRY_CREDENTIALS",
+                    value=self.push_secret_content,
+                )
+            )
+        elif self.push_secret:
             volume_mounts.append(
                 client.V1VolumeMount(mount_path="/root/.docker", name="docker-config")
             )
@@ -405,15 +433,6 @@ def submit(self):
                 )
             )
 
-        env = [
-            client.V1EnvVar(name=key, value=value)
-            for key, value in self.extra_envs.items()
-        ]
-        if self.git_credentials:
-            env.append(
-                client.V1EnvVar(name="GIT_CREDENTIAL_ENV", value=self.git_credentials)
-            )
-
         self.pod = client.V1Pod(
             metadata=client.V1ObjectMeta(
                 name=self.name,

binderhub/builder.py

@@ -381,11 +381,12 @@ async def get(self, provider_prefix, _unescaped_spec):
             .lower()
         )
 
+        image_without_tag, image_tag = _get_image_basename_and_tag(image_name)
         if self.settings["use_registry"]:
             for _ in range(3):
                 try:
                     image_manifest = await self.registry.get_image_manifest(
-                        *_get_image_basename_and_tag(image_name)
+                        image_without_tag, image_tag
                     )
                     image_found = bool(image_manifest)
                     break
@@ -457,7 +458,13 @@ async def get(self, provider_prefix, _unescaped_spec):
             image_name=image_name,
             git_credentials=provider.git_credentials,
         )
-        if not self.settings["use_registry"]:
+        if self.settings["use_registry"]:
+            push_token = await self.registry.get_credentials(
+                image_without_tag, image_tag
+            )
+            if push_token:
+                build.push_secret_content = json.dumps(push_token)
+        else:
             build.push_secret = ""
 
         self.build = build

binderhub/registry.py

@@ -329,6 +329,14 @@ async def get_image_manifest(self, image, tag):
                 raise
         return json.loads(resp.body.decode("utf-8"))
 
+    async def get_credentials(self, image, tag):
+        """
+        If a dynamic token is required for pushing an image to the registry
+        return a dictionary of login credentials, otherwise return None
+        (caller should get credentials from some other source)
+        """
+        return None
+
 
 class FakeRegistry(DockerRegistry):
     """