[Feature] Expose --username and --password in buildctl

[Shubhranshu153]

Description

Hi,

I Would like to expose the --username and --password option to buildctl build so that we can call the build without the credentials getting stored in ~/.docker/config.json.

Checking if this is something we can add as an enhancement to buildctl to be able to use buildctl directly in clients.

[AkihiroSuda]

I Would like to expose the --username and --password option to buildctl build so that we can call the build without the credentials getting stored in ~/.docker/config.json.

This is even worse because it leaks the password in ps.

Probably the options should be passed via an FD?
Or just set DOCKER_CONFIG to be a tmp dir

Related:

• [Buildkit] Refactoring builds function to interact with buildkit sdk containerd/nerdctl#4023 (comment)

[tonistiigi]

Buildkit isn't just talking to one registry like ctr image pull. Would at least need credentials per host. And indeed, static passwords in args is worse than files/env as source.

[Shubhranshu153]

As akahiro said, i like the idea of passing it as file descriptor and along with an option to pass it in as a path file
--config fd:<> / file:<>. i will try out a PoC and see if that works.

Thanks.