Finer grained auth system properties

[rmannibucau]

Right now auth can be set to "from" and "to" (-Djib.from.auth.username for ex) but this is really not convenient in a multimodule project with multiple images, in particular when from images don't come from the same repo - docker.io, custom.foo for example. Would be great to support something more specific like -Djib.registries.docker.io.auth.username or -Djib.registries.1.2.3.4.auth.username (ip) and password indeed.

[emmileaf]

Could you provide a bit more information on the set up you have in mind for multiple images from different repos? I wonder if configuring the credentials through different credHelpers in a docker configuration file instead of directly through auth (see authentication methods) would be more suited for a scenario like this.

[rmannibucau]

Hi @emmileaf ,

basically I have a project like that (very simplified but sufficient):

+
|- from-dockerhub-to-private-repo
`- from-private-repo-to-private-repo

The CI/CD has a setup based on environment variables (injected secrets), right now - since this feature is not in - it does something like:

init_jib() {
    jib_args="$MAVEN_ARGS -Djib.serialize=true"
    jib_args="$jib_args -Djib.allowInsecureRegistries=true -DsendCredentialsOverHttp=true"
    jib_args="$jib_args "-Djib.from.auth.username=$REGISTRY_DOCKER_USERNAME" "-Djib.from.auth.password=$REGISTRY_DOCKER_PASSWORD""
    jib_args="$jib_args "-Djib.to.auth.username=$REGISTRY_DOCKER_USERNAME" "-Djib.to.auth.password=$REGISTRY_DOCKER_PASSWORD""
    jib_args="$jib_args -Dhttp.proxyHost=$PROXY_HOST -Dhttp.proxyPort=$PROXY_PORT "-Dhttp.nonProxyHosts=$NON_PROXY_HOSTS""
    jib_args="$jib_args -Dhttps.proxyHost=$PROXY_HOST -Dhttps.proxyPort=$PROXY_PORT"
    jib_args="$jib_args -Dhttp.proxyUser=$HTTP_PROXY_USER "-Dhttp.proxyPassword=$HTTP_PROXY_PASSWORD""
    jib_args="$jib_args -Dhttp.proxyUser=$HTTP_PROXY_USER "-Dhttps.proxyPassword=$HTTP_PROXY_PASSWORD""
    export JIB_MAVEN_ARGS="$jib_args"
}

Then when invoking mvn it sets JIB_MAVEN_ARGS in on the command automatically. The idea there, would be to make all these properties (except proxy ones) specific to a repo (allowInsecureRegistries, auth.*).

Guess the only option would be to use $HOME/.docker/config.json or $HOME/.config/containers/auth.json (XDG_RUNTIME_DIR not being usable in the build container) but it has several pitfalls compared to today:

1. it requires to write a file - system props/env vars are way more friendly to builds than files for this kind of things + it avoids some security careness files imply,
2. it requires to tune jib.configDirectory to write the new file (changes the default value if the file is there - some builds populated it for programmatic jib usage - agree it is not that common but this has side effects)
3. it requires some specific binary to write the file properly (at least some base64 stuff) which makes the script even more complex (storing the dockerconfig in an env var is not desired for maintenance and password rotation)

So yes it can be a workaround but don't think it is a long term solution. Right now my workaround is to copy the public images in the private repo but I'd like to avoid it just by adding something like:

jib_args="$jib_args "-Djib.auth.docker.io.username=" "-Djib.auth.docker.io.password=""

[emmileaf]

Thank you for the additional information!

I wouldn’t exactly describe the use of docker configuration files as a workaround in general, given that it is versatile in configuring authentication for different registries (either through credHelpers or auths block). But I see that your setup could have more specific blockers for the convenience of this option - we will leave this feature request open to gauge community interest, and whether this would benefit other use scenarios.

[Abhijeetmishr]

@emmileaf Is this open for fix Should I give it a try ?