Closed dprotaso closed 6 years ago
I think that this feature has evolved over time. At one point, docker-credential-gcr was unable to access the metadata server (nor the service account's access token). I'll fix the doc to note the feature.
I'm pretty upset that gcloud recommends this tool and installation method(s) that do not work at all. On OSX both the gcloud install method and the go install method install `docker-credential-osxkeychain` which does not produce the expected behavior.
But did manage to take over how docker and gcloud were configured so now I can't authenticate or push to my registry.
This came in a loud nagging warning about incompatibility coming and then links to this unfinished pile. Now I have to sift through this and try to get my day back.
Credential management has been a problem, this looks like a great step forward, but it was a huge mistake not to test this workflow better. I don't even know where to start with untangling it because it touches so many things. I guess I'll just reinstall gcloud and docker and start fresh.
@millerhooks Can you elaborate on what setup flows you were trying, and what happens when you attempt to `docker push/pull` to GCR?
Newer versions of Docker will set `docker-credential-osxkeychain`, `-wincred`, or `-secretservice` as the default credential store during new installations, if possible.
`gcloud docker` recommends that users migrate to `gcloud`'s Docker credential helper using `gcloud auth configure-docker`. This is our standalone credential helper which pre-dates the one baked into the gcloud SDK. The confusion is understandable, I'll make sure that that distinction is made front-and-center in the README for this repo.
@dekkagaijin thanks for the quick response! After a few minutes of just being horrified about not being able to push to dockerhub or my private registry, I realized my golang environment variables were not set up properly. I was right in the middle of some pretty unwieldy platform restructuring so it really knocked me for a loop.
WARNING: `gcloud docker` will not be supported for Docker client versions above 18.03. Please use `gcloud auth configure-docker` to configure `docker` to use `gcloud` as a credential helper, then use `docker` as you would for non-GCR registries, e.g. `docker pull gcr.io/project-id/my-image`. Add `--verbosity=error` to silence this warning, e.g. `gcloud docker --verbosity=error -- pull gcr.io/project-id/my-image`. See: https://cloud.google.com/container-registry/docs/support/deprecation-notices#gcloud-docker
ERROR: Docker CLI operation failed:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
error getting credentials - err: exec: "docker-credential-gcloud": executable file not found in $PATH, out: ``
ERROR: (gcloud.docker) Docker login failed.
This is where I ended up before just fixing my go environment. The instructions through the `gcloud` cli are totally confusing. I'm back up and running now I think!
Yeah, we tried to make things as easy and debuggable as possible with the `configure-docker` commands, but the fact is that there's quite a bit of environmental state that needs to be 'right' for the magic to work. Rest assured that a lot of planning and work went into replacing and deprecating one of `gcloud`'s most popular commands :)
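The error in the pasted output above (`exec: "docker-credential-gcloud": executable file not found in $PATH`) occurs when `config.json` names a credential helper whose binary is not on `$PATH`. As an added example (not code from this thread or from the docker-credential-gcr project), this Python check resolves which `docker-credential-*` binary Docker will run for each registry and reports the ones it cannot find; the sample config and the function names are constructed for illustration.

```python
import json
import os
import shutil
from pathlib import Path

# Constructed sample mirroring the state in the thread: osxkeychain as the
# default store, plus gcr.io entries of the kind `gcloud auth configure-docker` adds.
SAMPLE_CONFIG = {
    "auths": {"https://index.docker.io/v1/": {}},
    "credsStore": "osxkeychain",
    "credHelpers": {"gcr.io": "gcloud", "us.gcr.io": "gcloud"},
}

def helper_for(config, registry):
    """Binary Docker will exec for `registry`; credHelpers wins over credsStore."""
    suffix = (config.get("credHelpers") or {}).get(registry) or config.get("credsStore")
    return f"docker-credential-{suffix}" if suffix else None

def missing_helpers(config, which=shutil.which):
    """Map each configured helper that is absent from $PATH to the registries it breaks."""
    registries = list(config.get("credHelpers") or {})
    if config.get("credsStore"):
        registries.append("*")  # '*' = every registry without its own credHelpers entry
    broken = {}
    for reg in registries:
        name = helper_for(config, reg)
        if which(name) is None:
            broken.setdefault(name, []).append(reg)
    return broken

def load_config():
    """Read config.json from $DOCKER_CONFIG, or ~/.docker when it is unset."""
    base = Path(os.environ.get("DOCKER_CONFIG") or Path.home() / ".docker")
    path = base / "config.json"
    return json.loads(path.read_text()) if path.is_file() else {}

if __name__ == "__main__":
    # Run against the real config of the current user and list broken helpers.
    for name, regs in missing_helpers(load_config()).items():
        print(f"{name}: not found in $PATH (used for {', '.join(regs)})")
```

Run it in the same shell and environment that invokes `docker`, since the result depends on that process's `$PATH`.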
Now that it's there, I think it's great. I've got a handful of horrible solutions for managing JSON Service Account keys. I'm excited to get this into our ops toolchain ASAP.
Thanks for your work!
If your toolchain is running on GCE or App Engine Managed VM, you can associate your service accounts with that VM and `docker-credential-gcr` will automagically use its credentials.
@dekkagaijin can your PR be merged? Looks like it was approved.
@jonjohnsonjr danke
In fact it doesn't see https://cloud.google.com/kubernetes-engine/docs/how-to/metadata-concealment
It might be clear to indicate that you would need to specify the correct `scopes` when creating the cluster