notation login CLI #223
notation login CLI #223
Conversation
Signed-off-by: Steve Lasker <[email protected]>
Signed-off-by: Steve Lasker <[email protected]>
Signed-off-by: Steve Lasker <[email protected]>
Signed-off-by: Steve Lasker <[email protected]>
|
/cc @binbin-li for comments |
specs/notation-cli.md
Outdated
| --username value, -u value Username for registry operations | ||
| --password value, -p value Password for registry operations |
There was a problem hiding this comment.
How about environment variables associated with -u and -p like NOTATION_USERNAME and NOTATION_PASSWORD?
There was a problem hiding this comment.
| --username value, -u value Username for registry operations | |
| --password value, -p value Password for registry operations | |
| --username value, -u value Username for registry authentication | |
| --password value, -p value Password for registry authentication |
There was a problem hiding this comment.
Should we also support --password-stdin like docker cli does?
There was a problem hiding this comment.
For operations vs. authentication, I was thinking saying authentication was too obvious, and used the more generic, the -u/-p was used for multiple registry operations. If others feel different, I can change to either way.
| <server> The registry URL for authentication | ||
|
|
||
| GLOBAL ARGUMENTS | ||
| --plain-http Registry access via plain HTTP (default: false) |
There was a problem hiding this comment.
It seems we only support basic configurations. Will we support more parameters like --insecure and --ca-file as oras?
There was a problem hiding this comment.
@shizhMSFT, what is --insecure used for, and how common is the usage for --ca-file (I assume provides custom TLS trust store).
There was a problem hiding this comment.
--insecure is to skip the TLS cert check. Since notation is security oriented, we should not provide this functionality.
--ca-file is to specify the root CA cert to registry access. See oras-project/oras#217
There was a problem hiding this comment.
@shizhMSFT, I was thinking this would be done with the insecure registries option in config.
Does that still exist?
Seems calling --insecure is too tedious. For the scenarios/instances where https isn't supported, such as IOT environments, I just assumed the config would solve the problem and not something that's done ad-hoc requiring the cli to support it.
| ```console | ||
| notation login --help | ||
| NAME: | ||
| notation login - Provides credentials for authenticated registry operations |
There was a problem hiding this comment.
| notation login - Provides credentials for authenticated registry operations | |
| notation login - Login to a registry with credentials for authenticated registry operations |
| @@ -36,6 +37,7 @@ COMMANDS: | |||
| certificate, cert Manage certificates used for verification | |||
| key Manage keys used for signing | |||
| list, ls List signatures from remote | |||
| login Provide credentials for authenticated registry operations | |||
There was a problem hiding this comment.
| login Provide credentials for authenticated registry operations | |
| login Login to a registry with credentials for authenticated registry operations |
There was a problem hiding this comment.
Saying login, where the parameter says login feels redundant. I was just trying to find a synonym verb.
specs/notation-cli.md
Outdated
| --username value, -u value Username for registry operations | ||
| --password value, -p value Password for registry operations |
There was a problem hiding this comment.
| --username value, -u value Username for registry operations | |
| --password value, -p value Password for registry operations | |
| --username value, -u value Username for registry authentication | |
| --password value, -p value Password for registry authentication |
specs/notation-cli.md
Outdated
| --username value, -u value Username for registry operations | ||
| --password value, -p value Password for registry operations |
There was a problem hiding this comment.
Should we also support --password-stdin like docker cli does?
| <server> The registry URL for authentication | ||
|
|
||
| GLOBAL ARGUMENTS | ||
| --plain-http Registry access via plain HTTP (default: false) |
There was a problem hiding this comment.
@shizhMSFT, what is --insecure used for, and how common is the usage for --ca-file (I assume provides custom TLS trust store).
…mands Signed-off-by: Steve Lasker <[email protected]>
|
I've updated the PR to:
|
Updates for #119
Signed-off-by: Steve Lasker [email protected]