-
Notifications
You must be signed in to change notification settings - Fork 228
Add loading credentials from docker cli config #833
Conversation
@darkowlzz thanks a bunch for working on this. I have tested this with Google Container registry, currently it will only work if I install gcloud on the machine and gcloud is authenticated with an account that has access to the registry:
However, docker allows to directly import credentials rather than relying on gcloud. This is done via docker login command and the daemon stores credentials at To authenticate docker i just use the following command: Here is how the config.json looks like:
I did install gcloud for testing and logged into my service account and was able to pull successfully:
It would be best if we could authenticate ignite similar to docker without the need of gcloud installation. |
@talhazubairbutt Thanks a lot of testing this. docker config: {
"auths": {
"gcr.io": {
"auth": "<token>"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.6 (linux)"
}
} I'm got curious about why you have the following error:
After some investigation, I found out that such GCP specific errors are due to the cred helpers in your docker cli config. When you have any cred helpers, the docker cli config loader will try to invoke the cred helper to get the auth token, refer https://github.com/docker/cli/blob/v20.10.6/cli/config/configfile/file.go#L326. |
@darkowlzz removing the credential helper from the config section indeed fixed the error and I was able to pull without authenticating gcloud. Can probably document this behaviour for other users as the error itself is a bit misleading. Docker on the other hand somehow worked even with the credential helper added, maybe docker tries all methods before throwing an error or has a different evaluation sequence. |
@talhazubairbutt Thanks for verifying. I'll add some docs with a note about credential helpers. 🙂 |
This adds a package pkg/runtime/auth with helpers to read the docker cli config and load the credentials for the host name of a given image. This is based on nerdctl's dockerconfigresolver. When using containerd as the runtime, the credentials from docker cli config is loaded into a containerd remote resolver and passed to the containerd remote option used for pulling. When using docker as the runtime, the credentials from docker cli config is loaded into the docker image pull options in the required format.
+1 to both in future follow-up
discussed test plan: We want an automated test for success/fail cases importing an image. Using an actual external registry would incur secrets-management and rate-limiting and third-party reliability concerns |
This adds a package
pkg/runtime/auth
with helpers to read the docker cliconfig and load the credentials for the host name of a given image. This
is based on nerdctl's
dockerconfigresolver
, refer: https://github.com/containerd/nerdctl/blob/v0.8.1/pkg/imgutil/dockerconfigresolver/dockerconfigresolver.go#L102 .When using containerd as the runtime, the credentials from docker cli
config is loaded into a containerd remote resolver and passed to the
containerd remote option used for pulling.
When using docker as the runtime, the credentials from docker cli config
is loaded into the docker image pull options in the required format. Based
on https://docs.docker.com/engine/api/sdk/examples/#pull-an-image-with-authentication .
When not logged in:
After logging in:
With docker as runtime:
TODO:
image
subcommand to pass the path to docker cli config.Fixes #794