GoogleCloudPlatform / docker-credential-gcr

A Docker credential helper for GCR users
https://gcr.io
Apache License 2.0

README.md lies! #39

Closed dprotaso closed 6 years ago

dprotaso commented 6 years ago

Note: Google Kubernetes Engine blocks access to the GCE metadata server

In fact it doesn't, see https://cloud.google.com/kubernetes-engine/docs/how-to/metadata-concealment

Note: Metadata concealment only protects access to kube-env and the VM's instance identity token; it does not protect access to the node's service account.

It might be clear to indicate that you would need to specify the correct scopes when creating the cluster

dekkagaijin commented 6 years ago

I think that this feature has evolved over time. At one point, docker-credential-gcr was unable to access the metadata server (nor the service account's access token). I'll fix the doc to note the feature.

millerhooks commented 6 years ago

I'm pretty upset that gcloud recommends this tool and installation method(s) that do not work at all. On OSX both the gcloud install method and the go install method install docker-credential-osxkeychain which does not produce the expected behavior.

But it did manage to take over how docker and gcloud were configured so now I can't authenticate or push to my registry.

This came in a loud nagging warning about incompatibility coming and then links to this unfinished pile. Now I have to sift through this and try to get my day back.

Credential management has been a problem, this looks like a great step forward, but it was a huge mistake not to test this workflow better. I don't even know where to start with untangling it because it touches so many things. I guess I'll just reinstall gcloud and docker and start fresh.

dekkagaijin commented 6 years ago

@millerhooks Can you elaborate on what setup flows you were trying, and what happens when you attempt to docker push/pull to GCR?

Newer versions of Docker will set docker-credential-osxkeychain, -wincred, or -secretservice as the default credential store during new installations, if possible.

gcloud docker recommends that users migrate to gcloud's Docker credential helper using gcloud auth configure-docker. This is our standalone credential helper which pre-dates the one baked into the gcloud SDK. The confusion is understandable, I'll make sure that that distinction is made front-and-center in the README for this repo.

millerhooks commented 6 years ago

@dekkagaijin thanks for the quick response! After a few minutes of just being horrified about not being able to push to dockerhub or my private registry, I realized my golang environment variables were not set up properly. I was right in the middle of some pretty unwieldy platform restructuring so it really knocked me for a loop.

WARNING: `gcloud docker` will not be supported for Docker client versions above 18.03. Please use `gcloud auth configure-docker` to configure `docker` to use `gcloud` as a credential helper, then use `docker` as you would for non-GCR registries, e.g. `docker pull gcr.io/project-id/my-image`. Add `--verbosity=error` to silence this warning, e.g. `gcloud docker --verbosity=error -- pull gcr.io/project-id/my-image`. See: https://cloud.google.com/container-registry/docs/support/deprecation-notices#gcloud-docker
ERROR: Docker CLI operation failed:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
error getting credentials - err: exec: "docker-credential-gcloud": executable file not found in $PATH, out: ``

ERROR: (gcloud.docker) Docker login failed.

This is where I ended up before just fixing my go environment. The instructions through the gcloud cli are totally confusing. I'm back up and running now I think!

dekkagaijin commented 6 years ago

Yeah, we tried to make things as easy and debuggable as possible with the configure-docker commands, but the fact is that there's quite a bit of environmental state that needs to be 'right' for the magic to work. Rest assured that a lot of planning and work went into replacing and deprecating one of gcloud's most popular commands :)
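As an added example, not from this thread or the project's own code: a small Go check of the "environmental state" Docker needs before any credential helper can run, namely which docker-credential-* binary config.json routes a registry to (a credHelpers entry wins, otherwise credsStore) and whether that binary is on PATH. The config.json content is constructed; a real check would read ~/.docker/config.json instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
)

// DockerConfig holds the two credential keys Docker reads from ~/.docker/config.json.
type DockerConfig struct {
	CredsStore  string            `json:"credsStore"`
	CredHelpers map[string]string `json:"credHelpers"`
}

// sampleConfig is a constructed config.json (not from the issue) in the shape
// `gcloud auth configure-docker` leaves on a macOS keychain setup.
const sampleConfig = `{"credsStore": "osxkeychain",
  "credHelpers": {"gcr.io": "gcloud", "us.gcr.io": "gcloud"}}`

// ResolveHelper mirrors Docker's lookup order: a registry-specific entry in
// credHelpers wins, otherwise credsStore; "" means no helper is configured.
func ResolveHelper(cfg DockerConfig, registry string) string {
	if h, ok := cfg.CredHelpers[registry]; ok {
		return h
	}
	return cfg.CredsStore
}

// CheckRegistry reports which docker-credential-* binary a push/pull to registry
// would exec and whether it is on PATH; a missing binary is the
// "executable file not found in $PATH" failure quoted in this thread.
func CheckRegistry(raw []byte, registry string) (string, bool, error) {
	var cfg DockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", false, err
	}
	helper := ResolveHelper(cfg, registry)
	if helper == "" {
		return "", false, fmt.Errorf("no credential helper configured for %s", registry)
	}
	binary := "docker-credential-" + helper
	_, lookErr := exec.LookPath(binary)
	return binary, lookErr == nil, nil
}

func main() {
	for _, reg := range []string{"gcr.io", "docker.io"} {
		bin, ok, err := CheckRegistry([]byte(sampleConfig), reg)
		fmt.Printf("%-9s -> %-30s onPath=%v err=%v\n", reg, bin, ok, err)
	}
}
```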

millerhooks commented 6 years ago

Now that it's there, I think it's great. I've got a handful of horrible solutions for managing JSON Service Account keys. I'm excited to get this into our ops toolchain ASAP.

Thanks for your work!

dekkagaijin commented 6 years ago

If your toolchain is running on GCE or App Engine Managed VM, you can associate your service accounts with that VM and docker-credential-gcr will automagically use its credentials.

bweston92 commented 6 years ago

@dekkagaijin can your PR be merged? Looks like it was approved.

dekkagaijin commented 6 years ago

@jonjohnsonjr thanks