feat: add UDS credential helper mode #412

Open
wangxiaoxuan273 wants to merge 2 commits into containerd:main from wangxiaoxuan273:uds-mode
wangxiaoxuan273 commented Jun 29, 2026

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #410

Please check the following list:

  • Does the affected code have corresponding tests, e.g. unit test, E2E test?
  • Does this change require a documentation update?
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have an appropriate license header?

Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>

Copilot AI left a comment

Pull request overview

Adds an opt-in Unix-domain socket (UDS) transport for the existing HTTP-based credential helper flow, enabling local credential retrieval without exposing a TCP listener.

Changes:

  • Add uds credential mode implementation using libcurl’s CURLOPT_UNIX_SOCKET_PATH.
  • Extend ImageService::reload_auth() to route credentialConfig.mode == "uds" to the new loader.
  • Add a UDS-mode test case and document the new configuration mode in README.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/image_service.cpp | Implements load_cred_from_uds() and wires uds into the auth reload path. |
| src/test/simple_credsrv_test.cpp | Adds a gtest validating UDS credential server behavior (timeout + missing socket). |
| README.md | Documents credentialConfig.mode: "uds" and provides a configuration example. |

Comment thread src/image_service.cpp
Comment thread src/image_service.cpp
Comment thread README.md
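
Added example, not code from this pull request: the review summary above says the PR uses libcurl's CURLOPT_UNIX_SOCKET_PATH; this block uses plain POSIX sockets instead to show the HTTP-over-UDS exchange and how a missing socket or an unresponsive server surfaces to the caller. The names make_addr and uds_http_get, the -1 return convention and the /auth path are assumptions.

```cpp
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/un.h>
#include <unistd.h>
#include <cstdio>
#include <cstring>
#include <string>

// Fill a sockaddr_un; reject empty paths and paths too long for sun_path (no silent truncation).
static bool make_addr(const std::string &path, sockaddr_un &addr) {
    addr = sockaddr_un{};
    addr.sun_family = AF_UNIX;
    if (path.empty() || path.size() >= sizeof(addr.sun_path)) return false;
    std::memcpy(addr.sun_path, path.c_str(), path.size() + 1);
    return true;
}

// Hypothetical client (name and return convention are assumptions): HTTP/1.0 GET over a
// Unix-domain socket. Returns the HTTP status, or -1 on bad path, missing socket, timeout or bad reply.
int uds_http_get(const std::string &socket_path, const std::string &remote_path,
                 std::string &body, int timeout_sec) {
    // Keep CR, LF and spaces out of the request line.
    if (remote_path.empty() || remote_path[0] != '/' ||
        remote_path.find_first_of("\r\n ") != std::string::npos) return -1;
    sockaddr_un addr;
    int fd = make_addr(socket_path, addr) ? socket(AF_UNIX, SOCK_STREAM, 0) : -1;
    if (fd < 0) return -1;
    timeval tv{timeout_sec, 0};  // bound both directions so a stalled server cannot hang the caller
    for (int opt : {SO_RCVTIMEO, SO_SNDTIMEO}) setsockopt(fd, SOL_SOCKET, opt, &tv, sizeof(tv));
    std::string req = "GET " + remote_path + " HTTP/1.0\r\nHost: localhost\r\n\r\n", resp;
    char buf[4096];
    ssize_t n = -1;  // stays negative unless the reply is read through to EOF
    if (connect(fd, (sockaddr *)&addr, sizeof(addr)) == 0 &&
        send(fd, req.data(), req.size(), MSG_NOSIGNAL) == (ssize_t)req.size())
        while ((n = recv(fd, buf, sizeof(buf), 0)) > 0) resp.append(buf, n);
    close(fd);
    int status = 0;
    size_t hdr_end = resp.find("\r\n\r\n");
    if (n != 0 || hdr_end == std::string::npos ||
        std::sscanf(resp.c_str(), "HTTP/%*s %d", &status) != 1) return -1;
    body = resp.substr(hdr_end + 4);
    return status;
}

int main() {
    std::string body;  // constructed path: nothing listens here, so this prints -1
    std::printf("%d\n", uds_http_get("/tmp/example-missing.sock", "/auth", body, 1));
    return 0;
}
```

The response body returned here would carry the credentials in a real deployment, so callers should parse it and avoid writing it to logs.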

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread src/image_service.cpp

BigVan (Member) commented Jul 2, 2026

LGTM
We might need to design a base class for CredentialProvider to integrate with various implementations, but let's leave that for later.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Comment thread src/image_service.cpp
Comment on lines +212 to +213
int load_cred_from_uds(const std::string socket_path, const std::string &remote_path,
std::string &username, std::string &password, int timeout) {
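Review bot: socket_path is taken by value (const std::string socket_path) while remote_path next to it is a const reference; change it to const std::string &socket_path to avoid a copy per call and keep the signature consistent. The int timeout parameter also carries no unit in its name or in a comment, so say whether it is seconds or milliseconds.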
Comment thread src/image_service.cpp
if (response.success() == false) {
LOG_ERRNO_RETURN(0, -1, "http request failed.");
}
ImageConfigNS::AuthConfig cfg;
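Review bot: the failure branch on response.success() logs only "http request failed." with neither the socket path nor the remote path, so a missing or unreachable socket cannot be told apart from any other failure in the log; include the socket path in the message. The comparison response.success() == false would also read more plainly as !response.success().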
Comment thread src/image_service.cpp
if (ret != 200) {
LOG_ERRNO_RETURN(0, -1, "connect to auth component failed. http response code: `", ret);
}
LOG_DEBUG(writer.string);
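Review bot: LOG_DEBUG(writer.string) runs right after the 200 check; if writer.string holds the response body from the credential server, this writes the username and password to the debug log. Drop the line or log only the body length. The message in the ret != 200 branch, "connect to auth component failed", is also misleading for a non-200 status, since the connection itself succeeded at that point.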

Development

Successfully merging this pull request may close these issues.

Unix-domain socket (UDS) credential helper mode
