Feat/docker auth #2895
Looks fine other than using a struct for `Auth`. Could you also rebase the PR?
@evanphx thanks for the feedback! Updates are made and PR is rebased.
@paladin-devops totally right, I missed Hostname. So let me pose a larger question to ya: would you be willing to extend this authentication setup to all the other contexts that Docker is accessed? That is one element that we need to clean up anyway (and one that you very well might hit as well). Basically, build/registry/platform and pull/build should all use the same authentication scheme, where by scheme I mean that the auth information is specified in the same way (same configuration variable names, etc).
@evanphx I'd be willing to take that on! As I was developing this I also felt like it'd be a nicer UX for the auth to be consistent wherever Docker is used, and have more "user friendly" input options.
@paladin-devops Super! Yes, please take a look at the referenced plugin components and see about making them have a common auth mechanism. Thanks!
…e inputs as builder and platform.
… and align with docker builder.
After updating auth for other contexts of Docker within Waypoint, this

```hcl
project = "lab"

app "docker-auth-test" {
  build {
    use "docker" {
      auth {
        hostname = "registry.hub.docker.com"
        username = "username"
        password = "password"
      }
    }

    workspace "pull" {
      use "docker-pull" {
        image = "paladindevops/alpine"
        tag   = "very-latest"
        auth {
          username = "username"
          password = "password"
        }
      }
    }

    registry {
      use "docker" {
        image = "paladindevops/alpine"
        tag   = "very-latest"
        auth {
          username = "username"
          password = "password"
        }
      }
    }
  }

  deploy {
    use "docker" {
      auth {
        username = "username"
        password = "password"
      }
    }
  }
}
```
@evanphx I've updated the documentation as well. I intentionally left out the Email option (deprecated) and the Auth option (I can't find any documentation on its purpose). As per the struct, though, they are still allowed values since the API supports them, but didn't want to advertise deprecated/unknown inputs. Refs:
@paladin-devops So I think I realized one reason I was confused about the hostname: In the registry build case, it's the hostname embedded in the image name that governs where the auth info goes. So maybe error out if they specify a Hostname to the auth block in registry.
So we need to still support EncodedAuth and probably at a minimum, move the `Auth{}` to the right hand side of those empty checks.
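
The two review points above (reject `hostname` in a registry `auth` block because the image name decides the registry, and keep `encoded_auth` working) can be sketched as follows. This is an added example, not code from this PR or from Waypoint: the `Auth` type, `registryHost` and `pushAuth` are hypothetical names, the host rule is a simplified form of Docker's image-name parsing, and letting `encoded_auth` take precedence over `auth` is an assumption.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Auth is a hypothetical stand-in for the auth block; JSON keys follow Docker's AuthConfig.
type Auth struct {
	Hostname string `json:"serveraddress,omitempty"`
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
}

// registryHost applies a simplified form of Docker's rule: the first path component
// is a registry host only if it contains '.' or ':' or is "localhost".
func registryHost(image string) string {
	host, _, found := strings.Cut(image, "/")
	if found && (strings.ContainsAny(host, ".:") || host == "localhost") {
		return host
	}
	return "docker.io" // Docker Hub is implied when no host is present
}

// pushAuth returns the registry auth string for a push (hypothetical helper).
// Assumption: a non-empty encoded_auth is passed through and wins over auth.
func pushAuth(image, encodedAuth string, auth *Auth) (string, error) {
	switch {
	case encodedAuth != "":
		return encodedAuth, nil
	case auth == nil:
		return "", nil // anonymous: enough for public repositories only
	case auth.Hostname != "":
		return "", errors.New("hostname not permitted in registry auth")
	}
	resolved := *auth // copy so the caller's config is not mutated
	resolved.Hostname = registryHost(image)
	buf, err := json.Marshal(resolved)
	if err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(buf), nil
}

func main() {
	fmt.Println(pushAuth("paladindevops/alpine", "", &Auth{Username: "username", Password: "password"})) // constructed sample values
}
```
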
@evanphx this

```hcl
build {
  //default builder uses auth
  use "docker" {
    auth {
      hostname = "registry.hub.docker.com"
      username = "username"
      password = "password"
    }
  }

  //builder, private repo base image, auth provided - expected success
  workspace "builder-auth" {
    use "docker" {
      auth {
        hostname = "registry.hub.docker.com"
        username = "username"
        password = "password"
      }
    }
  }

  //builder, private repo base image, auth not provided - expected failure: authentication error
  workspace "builder-noauth" {
    use "docker" {}
  }

  //puller, auth used for private repo - expected success
  workspace "pull-auth" {
    use "docker-pull" {
      image = "paladindevops/alpine"
      tag   = "very-latest"
      auth {
        username = "username"
        password = "password"
      }
    }
  }

  //puller, encoded_auth used for private repo - expected success
  workspace "pull-encoded" {
    use "docker-pull" {
      image        = "paladindevops/alpine"
      tag          = "very-latest"
      encoded_auth = "encoded_auth_string"
    }
  }

  //puller, neither auth nor encoded_auth used for private repo - expected failure: authentication error
  workspace "pull-noauth" {
    use "docker-pull" {
      image = "paladindevops/alpine"
      tag   = "very-latest"
    }
  }

  //puller, no auth used for public repo - expected success (no auth required)
  workspace "pull-public" {
    use "docker-pull" {
      image = "alpine"
      tag   = "latest"
    }
  }

  registry {
    //default registry uses auth
    use "docker" {
      image = "paladindevops/alpine"
      tag   = "very-latest"
      auth {
        username = "username"
        password = "password"
      }
    }

    //auth used for push to private repo - expected success
    workspace "pull-auth" {
      use "docker" {
        image = "paladindevops/alpine"
        tag   = "very-latest"
        auth {
          username = "username"
          password = "password"
        }
      }
    }

    //encoded_auth used for private repo - expected success
    workspace "pull-encoded" {
      use "docker" {
        image        = "paladindevops/alpine"
        tag          = "very-latest"
        encoded_auth = "encoded_auth_string"
      }
    }

    //auth used for private repo, hostname provided - expected failure: hostname not permitted in registry auth
    workspace "hostname-test" {
      use "docker" {
        image = "paladindevops/alpine"
        tag   = "very-latest"
        auth {
          hostname = "registry.hub.docker.com"
          username = "username"
          password = "password"
        }
      }
    }
  }
}
```

For reference, my Dockerfile with a base image in a private repo:

```dockerfile
FROM registry.hub.docker.com/paladindevops/alpine:latest
```
Looks good! Could you resolve the merge conflicts?
…t/docker-builder-auth
@paladin-devops Ok, we're in the home stretch! You'll need to include a changelog entry and then regenerate the website docs by doing:
@evanphx I pushed my last changes I think right as the GitHub outage happened yesterday! Looking back at this I staged the doc changes for everything, not just the Docker docs. Before merging if you'd like me to undo the changes made to the non-Docker docs, lmk!
@paladin-devops It looks like something in your configuration is adding extra spaces when you do the docs generation. Possibly a language server or IDE config? I'm not sure, but if you can't figure it out, I can push up the generated docs if you give me contributor access to your branch.
@krantzinator thank you for the fixup! I'll try to figure out what's up with my formatting configs for future doc updates. In this case I was using Atom's
Fixes #2577.
Uses AuthConfig type from Docker's Go API in order to authenticate to a private registry when an image is built. This is required if a base image is from a private repo.
Example build stanza with username/password auth configured:
All of the following parameters are supported (map of string):