-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
First pass at rewriting the tokens/API section. #1732
Open
max-allan-cgr
wants to merge
3
commits into
chainguard-dev:main
Choose a base branch
from
max-allan-cgr:token-fun
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -31,6 +31,8 @@ If you have a container environment that was working fine but suddenly breaks wi | |
|
||
Before making API calls, you'll need to generate a token within the [Chainguard Registry](/chainguard/chainguard-registry/overview/). | ||
|
||
### For Public Images | ||
|
||
The Registry API endpoint for obtaining the token is: | ||
|
||
``` | ||
|
@@ -41,46 +43,58 @@ Where `IMAGE_NAME` is the name of the image that you want to pull the tag histor | |
|
||
For public images (tagged as `latest` or `latest-dev`), you can request a registry token anonymously, without providing any pre-existing auth. | ||
|
||
The following command will obtain a token for the **Python** image and register a variable called `tok` with the resulting value, which you can use in a subsequent command to obtain the tag history: | ||
The following command will obtain a token for the **Python** image and register a variable called `auth_header` with the resulting value, which you can use in a subsequent command to obtain the tag history: | ||
|
||
```shell | ||
tok=$(curl "https://cgr.dev/token?scope=repository:chainguard/python:pull" \ | ||
| jq -r .token) | ||
auth_header="Authorization: Bearer $(curl 'https://cgr.dev/token?scope=repository:chainguard/python:pull' \ | ||
| jq -r .token)" | ||
``` | ||
|
||
For images that are not public, you'll need to exchange your Chainguard token for a registry token. This assumes you've set up authentication with [chainctl auth configure-docker](https://edu.chainguard.dev/chainguard/chainguard-registry/authenticating/)): | ||
### For Private Images | ||
|
||
You'll need to use your Chainguard Docker credentials. This assumes you've set up authentication with [chainctl auth configure-docker](https://edu.chainguard.dev/chainguard/chainguard-registry/authenticating/): | ||
|
||
```shell | ||
tok=$(curl -H "Authorization: Bearer \ | ||
$(echo 'cgr.dev' | docker-credential-cgr get)" \ | ||
-v "https://cgr.dev/token?scope=repository:chainguard/python:pull" \ | ||
| jq -r .token) | ||
auth_header="Authorization: Bearer $(echo 'cgr.dev' | docker-credential-cgr get | jq -r .Secret)" | ||
``` | ||
|
||
To make sure your token is set, you can run the following command: | ||
You may use the `crane` tool to get your token instead: | ||
|
||
```shell | ||
echo $tok | ||
auth_header="$(crane auth token -H cgr.dev/ORGANIZATION_NAME/IMAGE_NAME)" | ||
``` | ||
Where `ORGANIZATION_NAME` is the name of your organization, for example: `company.com`, `IMAGE_NAME` is the name of the image, for example: `chainguard-base` (Note: the image name specified here does not need to be the same image you pass to the API later! But it needs to be a valid image from your registry.) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. A little confusing. Maybe:
I'm not sure if it's worth mentioning matching image names, just in case it changes. |
||
|
||
And you should get a long string token as output. | ||
|
||
You should now be ready to call the API, either manually or programmatically. | ||
|
||
## Calling the API | ||
|
||
Once you have your token available, you can run a `curl` query passing on your token within an `Authorization: bearer` header to the following endpoint: | ||
Make sure your authorization header is set, by running the following command: | ||
|
||
```shell | ||
echo $auth_header | ||
``` | ||
https://cgr.dev/v2/chainguard/IMAGE_NAME/_chainguard/history/IMAGE_TAG | ||
|
||
And you should get `Authorization: Bearer` followed by a long string (a [JWT](https://jwt.io/introduction)) as output. You can now run a `curl` query to this endpoint: | ||
|
||
``` | ||
https://cgr.dev/v2/ORGANIZATION_NAME/IMAGE_NAME/_chainguard/history/IMAGE_TAG | ||
``` | ||
Where: | ||
- For private images `ORGANIZATION_NAME` is the name of your organization, for example: `company.com`. | ||
- For public images `ORGANIZATION_NAME` is always `chainguard`. | ||
- `IMAGE_NAME` is the name of the image, for example: `chainguard-base` or `python`. | ||
- `IMAGE_TAG` is the tag that you want to pull history from. | ||
|
||
Where `IMAGE_NAME` is the name of the image, for instance: `python`, and `IMAGE_TAG` is the tag that you want to pull history from. | ||
For example, this is how you can fetch the tag history of **company.com's** **chainguard-base:latest** Chainguard image using `curl` on the command line: | ||
|
||
For example, this is how you can fetch the tag history of the **python:latest** Chainguard image using `curl` on the command line: | ||
```shell | ||
curl -H "$auth_header" \ | ||
https://cgr.dev/v2/company.com/chainguard-base/_chainguard/history/latest | jq | ||
``` | ||
|
||
Or for a public image such as **python:latest**: | ||
```shell | ||
curl -H "Authorization: Bearer $tok" \ | ||
curl -H "$auth_header" \ | ||
https://cgr.dev/v2/chainguard/python/_chainguard/history/latest | jq | ||
``` | ||
|
||
|
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
link to crane https://github.com/google/go-containerregistry/tree/main/cmd/crane