imgpkg copy from/into the same registry with different creds fails authentication #226

Closed
cjnosal opened this issue Aug 30, 2021 · 4 comments
Labels
carvel accepted This issue should be considered for future work and that the triage process has been completed priority/important-soon Must be staffed and worked on currently or soon

Comments

@cjnosal

cjnosal commented Aug 30, 2021

What steps did you take:
  1. Create two projects in a Harbor registry.
  2. imgpkg push to the first project
  3. Create a read-only robot in the first project
  4. Create a read-write robot in the second project
  5. Try to imgpkg copy from one project to the other, providing both sets of robot credentials (following https://carvel.dev/imgpkg/docs/latest/auth/#via-environment-variables)

What happened:
imgpkg fails to pull with an authentication failure

What did you expect:
imgpkg copy to determine which credentials go with which project (or allow me to specify)

Anything else you would like to add:
When multiple creds are passed to imgpkg copy, the hostnames (IMGPKG_REGISTRY_HOSTNAME_0 and IMGPKG_REGISTRY_HOSTNAME_1) are used to determine when to use each credential.
In this example, the hostname is the same.
Harbor robots are project-scoped, so copying between projects in CI requires two robots.

Workaround:
imgpkg copy -b --to-tar && imgpkg copy --tar --to-repo

Environment:

  • imgpkg version (use imgpkg --version): 0.17.0
  • Docker registry used (e.g. Docker HUB): Harbor v2.1.3-b6de84c5
  • OS (e.g. from /etc/os-release): Debian 11 (container based on golang:latest)

@cjnosal cjnosal added bug This issue describes a defect or unexpected behavior carvel triage This issue has not yet been reviewed for validity labels Aug 30, 2021
@cppforlife cppforlife changed the title from "imgpkg copy on same host with different creds fails authentication" to "imgpkg copy from/into the same registry with different creds fails authentication" Aug 31, 2021
@DennisDenuto
Contributor

@xtreme-conor-nosal thanks for creating this issue

This is a great improvement for the tool, since auth between the same registry with different creds has security benefits.

I'm curious to hear your thoughts on how to incorporate allowing multiple creds for the same registry.

Here's a couple of ideas:

  1. Introduce an IMGPKG_REGISTRY_REPOSITORY_0 env variable. This will scope the set of IMGPKG_REGISTRY_*_0 credentials to a specific repository.
  2. Increase the scope of IMGPKG_REGISTRY_HOSTNAME allowing wildcards and repository in this env variable.

I'm going to carvel accept this issue, meaning we plan on working on it :-)

@DennisDenuto DennisDenuto added carvel accepted This issue should be considered for future work and that the triage process has been completed priority/important-soon Must be staffed and worked on currently or soon and removed bug This issue describes a defect or unexpected behavior carvel triage This issue has not yet been reviewed for validity labels Aug 31, 2021
@cjnosal
Author

cjnosal commented Aug 31, 2021

In the simple case (where the bundle and all referenced images are in one project / accessible with one set of creds) it would be nice to specify _SOURCE and _DESTINATION creds explicitly, rather than making imgpkg figure out when to use _0 and when to use _1, but that wouldn't scale to the cases where referenced images are in different registries.

Renaming HOSTNAME so it can include a repo path would be simpler I think (fewer env vars to set), but adding REPOSITORY would be more backwards-compatible I assume.

@aaronshurley
Contributor

We expect that #245 will address this issue. We'll keep this open until the other work lands and this workflow is validated.

@DennisDenuto
Contributor

Closing this as it was implemented and released in https://github.com/vmware-tanzu/carvel-imgpkg/releases/tag/v0.18.0
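
The credential-selection problem reported in this issue, next to the repository-scoped matching proposed in the thread, as an added example: this is not imgpkg's code and does not describe how v0.18.0 implements the change. The `Cred` type, the function names, the hostname and the robot names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Cred is a hypothetical stand-in for one indexed IMGPKG_REGISTRY_*_n set.
type Cred struct {
	Scope    string // hostname, or hostname/project (assumed extension)
	Username string
}

// Constructed sample data: two Harbor robots on one registry host.
const host = "harbor.example.internal"

var hostOnly = []Cred{{host, "robot-a-readonly"}, {host, "robot-b-readwrite"}}
var scoped = []Cred{
	{host + "/project-a", "robot-a-readonly"},
	{host + "/project-b", "robot-b-readwrite"},
}

// byHost compares hostnames only: the first entry for a shared host wins.
func byHost(creds []Cred, repo string) (Cred, bool) {
	h := strings.SplitN(repo, "/", 2)[0]
	for _, c := range creds {
		if c.Scope == h {
			return c, true
		}
	}
	return Cred{}, false
}

// byScope picks the longest scope matching on a path-segment boundary,
// so a credential for "project-a" is never offered to "project-ab".
func byScope(creds []Cred, repo string) (best Cred, found bool) {
	for _, c := range creds {
		match := repo == c.Scope || strings.HasPrefix(repo, c.Scope+"/")
		if match && len(c.Scope) > len(best.Scope) {
			best, found = c, true
		}
	}
	return best, found
}

func main() {
	h, _ := byHost(hostOnly, host+"/project-b/bundle")
	s, _ := byScope(scoped, host+"/project-b/bundle")
	fmt.Println("host-only:", h.Username, "| scoped:", s.Username)
}
```

Both functions take a repository path without a tag or digest. With host-only matching the read-only robot for the first project is presented to the second project, which is the authentication failure described above.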
