Cannot push on registry with auth disabled

[luhhujbb]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and docker Provider) Version

v1.3.1

Affected Resource(s)

• docker_registry_image

Terraform Configuration Files

provider "docker" {
  host = "unix:///var/run/docker.sock"
  registry_auth {
    address = var.docker_registry
  }
}

resource "docker_image" "public_docker_image" {
   name = "public_docker_image:tag"
}

resource "docker_tag" "my_private_docker_image_tag" {
depends_on = [
      docker_image.public_docker_image
    ]
  source_image = docker_image.public_docker_image.name
  target_image = "${var.docker_registry}/${docker_image.public_docker_image.name}"
}

resource "docker_registry_image" "my_private_docker_image" {
   depends_on = [
      docker_tag.my_private_docker_image_tag
    ]
    name = "${var.docker_registry}/${docker_image.public_docker_image.name}"
}

Expected Behaviour

When using docker push my_private_docker_image on a private registry with auth disabled, push succeed without specifying anything.

Actual Behaviour

It prompt an error:
Error: Error pushing docker image: Error response from daemon: Bad parameters and missing X-Registry-Auth: EOF
I've also try to add empty username and password on the registry_auth block and it doesn't work either.

Steps to Reproduce

1. choose a public image
2. start a private registry
3. terraform apply

[lenox-joseph]

Near as I can tell, the V2 registry wants something for the HTTP header X-Registry-Auth when pushing to registries that don't other have auth (most private registry configurations).
(also, you are going to want -e REGISTRY_STORAGE_DELETE_ENABLED=true set on your private registry for destroy to function).

I, as a test, hacked in:

    // start with a dummy because no-auth requires *something*
    auth := types.AuthConfig{Username: "yourname", Password: "pasword"}
    if username != "" {
        auth = types.AuthConfig{Username: username, Password: password}
    }
    authBytes, err := json.Marshal(auth)
    if err != nil {
        return fmt.Errorf("Error creating push options: %s", err)
    }
    authBase64 := base64.URLEncoding.EncodeToString(authBytes)
    pushOptions.RegistryAuth = authBase64

at func pushDockerRegistryImage().

Reference: https://stackoverflow.com/a/40677022

and I'll add it as a PR, but there's definitely some fragility around this and I don't know how to plumb in access from a config.

[luhhujbb]

I think there is a confusion x-registry-auth seems to be a header pass to docker daemon/engine to interact with docker registry but docker registry actually wants a bearer token as explained here : https://docs.docker.com/registry/spec/auth/token/ and here https://docs.docker.com/engine/api/v1.41/#section/Versioning
When auth is disabled on a registry it seems that one can send anything as x-registry-auth to docker engine as it's explained here: moby/moby#10983 (comment) and here fabric8io/docker-maven-plugin#102
So you're fix with dummy creds should work