notation login CLI #223

Merged
merged 5 commits into from
Jul 12, 2022
54 changes: 35 additions & 19 deletions specs/notation-cli.md
Expand Up @@ -9,6 +9,7 @@ The CLI commands are what's currently available in [notation v0.7.1-alpha.1](htt
- [certificate](#certificate): Manage certificates used for verification
- [key](#key): Manage keys used for signing
- [list](#list): List signatures from remote
- [login](#login): Provide credentials for authenticated registry operations
- [plugin](#plugin): Manage KMS plugins
- [pull](#pull): Pull signatures from remote
- [push](#push): Push signature to remote
Expand Down Expand Up @@ -36,6 +37,7 @@ COMMANDS:
certificate, cert Manage certificates used for verification
key Manage keys used for signing
list, ls List signatures from remote
login Provide credentials for authenticated registry operations
Contributor

Suggested change
login Provide credentials for authenticated registry operations
login Login to a registry with credentials for authenticated registry operations

Contributor Author

Saying login, where the parameter says login feels redundant. I was just trying to find a synonym verb.

plugin Manage KMS plugins
pull Pull signatures from remote
push Push signature to remote
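
Review bot: The `login` summary in the COMMANDS list reads "Provide credentials ..." while the NAME line of `notation login --help` later in this file reads "Provides credentials ..."; use one form in both places so the command list and the help output agree, whichever wording the thread settles on.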
Expand Down Expand Up @@ -121,12 +123,39 @@ USAGE:
notation list [command options] <reference>

OPTIONS:
--username value, -u value username for generic remote access [$NOTATION_USERNAME]
--password value, -p value password for generic remote access [$NOTATION_PASSWORD]
--plain-http remote access via plain HTTP (default: false)
--help, -h show help (default: false)
```

## login

```console
notation login --help
NAME:
notation login - Provides credentials for authenticated registry operations
Contributor

Suggested change
notation login - Provides credentials for authenticated registry operations
notation login - Login to a registry with credentials for authenticated registry operations


USAGE:
notation login [options] [server]

OPTIONS:
--username value, -u value Username for registry operations [$NOTATION_USERNAME]
--password value, -p value Password for registry operations [$NOTATION_PASSWORD]
--password-stdin Take the password from stdin
--help, -h Show help (default: false)

POSITIONAL
<server> The registry URL for authentication

GLOBAL ARGUMENTS
--plain-http Registry access via plain HTTP (default: false)
Contributor

It seems we only support basic configurations. Will we support more parameters like --insecure and --ca-file as oras?

Contributor

@shizhMSFT, what is --insecure used for, and how common is the usage for --ca-file (I assume provides custom TLS trust store).

Contributor

--insecure is to skip the TLS cert check. Since notation is security oriented, we should not provide this functionality.

--ca-file is to specify the root CA cert to registry access. See oras-project/oras#217

Contributor Author

@shizhMSFT, I was thinking this would be done with the insecure registries option in config.
Does that still exist?
Seems calling --insecure is too tedious. For the scenarios/instances where https isn't supported, such as IOT environments, I just assumed the config would solve the problem and not something that's done ad-hoc requiring the cli to support it.


EXAMPLES
# Login with provided username and password
notation login -u <user> -p <password> registry.example.com

# Login using $NOTATION_USERNAME $NOTATION_PASSWORD variables
notation login registry.example.com
```

## plugin

```console
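
Review bot: In EXAMPLES, the first example passes the secret as an argument (`notation login -u <user> -p <password> registry.example.com`), which leaves it in shell history and visible in the process list, and `--password-stdin` is listed under OPTIONS but has no example. Add a `--password-stdin` example and put it first. Also, USAGE shows `[server]` as optional while POSITIONAL shows `<server>`; state whether the server may be omitted and what happens when it is. The `POSITIONAL`, `GLOBAL ARGUMENTS` and `EXAMPLES` headings lack the trailing colon that `USAGE:` and `OPTIONS:` carry.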
Expand Down Expand Up @@ -156,12 +185,9 @@ USAGE:
notation pull [command options] <reference>

OPTIONS:
--strict pull the signature without lookup the manifest (default: false)
--output value, -o value write signature to a specific path
--username value, -u value username for generic remote access [$NOTATION_USERNAME]
--password value, -p value password for generic remote access [$NOTATION_PASSWORD]
--plain-http remote access via plain HTTP (default: false)
--help, -h show help (default: false)
--strict Pull the signature without lookup the manifest (default: false)
--output value, -o value Write signature to a specific path
--help, -h Show help (default: false)
```

## push
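
Review bot: The `pull` OPTIONS now start with capitals ("Pull the signature ...", "Show help") while `push`, `sign` and `verify` in this same change keep lowercase ("show help"); pick one style across the file. While touching the `--strict` line, "without lookup the manifest" should read "without looking up the manifest".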
Expand All @@ -176,9 +202,6 @@ USAGE:

OPTIONS:
--signature value, -s value, -f value signature files (accepts multiple inputs)
--username value, -u value username for generic remote access [$NOTATION_USERNAME]
--password value, -p value password for generic remote access [$NOTATION_PASSWORD]
--plain-http remote access via plain HTTP (default: false)
--help, -h show help (default: false)
```

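
Review bot: With `--username` and `--password` removed from `push`, the spec no longer says whether `$NOTATION_USERNAME` and `$NOTATION_PASSWORD` are still read by `push` itself or only by `notation login`. Add a sentence to the `push` section stating where its credentials come from, so CI jobs that set the variables without a prior login know what to expect.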
Expand All @@ -203,9 +226,6 @@ OPTIONS:
--output value, -o value write signature to a specific path
--push push after successful signing (default: true)
--push-reference value different remote to store signature
--username value, -u value username for generic remote access [$NOTATION_USERNAME]
--password value, -p value password for generic remote access [$NOTATION_PASSWORD]
--plain-http remote access via plain HTTP (default: false)
--media-type value specify the media type of the manifest read from file or stdin (default: "application/vnd.docker.distribution.manifest.v2+json")
--help, -h show help (default: false)
```
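
Review bot: `sign` still contacts the registry by default (`--push` is `default: true`), but after this hunk its OPTIONS no longer list `--plain-http`. The login help shows that flag under GLOBAL ARGUMENTS; either list global arguments in each command's help or add them to the top-level help section so readers of `sign` can find the flag.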
Expand All @@ -226,10 +246,6 @@ OPTIONS:
--cert-file value certificate files for verification (accepts multiple inputs)
--pull pull remote signatures before verification (default: true)
--local, -l reference is a local file (default: false)
--username value, -u value username for generic remote access [$NOTATION_USERNAME]
--password value, -p value password for generic remote access [$NOTATION_PASSWORD]
--plain-http remote access via plain HTTP (default: false)
--media-type value specify the media type of the manifest read from file or stdin (default: "application/vnd.docker.distribution.manifest.v2+json")
--help, -h show help (default: false)
```
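
Review bot: The hunk header `-226,10 +246,6` removes four lines from `verify`, so `--media-type` is dropped together with `--username`, `--password` and `--plain-http`, while the `sign` hunk keeps `--media-type`. `verify` still has `--local, -l` (reference is a local file), which is the case the media type "of the manifest read from file or stdin" describes. If the removal is intentional, say so in the PR description; otherwise restore the line.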