Open rmannibucau opened 1 year ago
Could you provide a bit more information on the set up you have in mind for multiple images from different repos? I wonder if configuring the credentials through different credHelpers
in a docker configuration file instead of directly through auth
(see authentication methods) would be more suited for a scenario like this.
Hi @emmileaf ,
basically I have a project like that (very simplified but sufficient):
+
|- from-dockerhub-to-private-repo
`- from-private-repo-to-private-repo
The CI/CD has a setup based on environment variables (injected secrets), right now - since this feature is not in - it does something like:
init_jib() {
jib_args="$MAVEN_ARGS -Djib.serialize=true"
jib_args="$jib_args -Djib.allowInsecureRegistries=true -DsendCredentialsOverHttp=true"
jib_args="$jib_args "-Djib.from.auth.username=$REGISTRY_DOCKER_USERNAME" "-Djib.from.auth.password=$REGISTRY_DOCKER_PASSWORD""
jib_args="$jib_args "-Djib.to.auth.username=$REGISTRY_DOCKER_USERNAME" "-Djib.to.auth.password=$REGISTRY_DOCKER_PASSWORD""
jib_args="$jib_args -Dhttp.proxyHost=$PROXY_HOST -Dhttp.proxyPort=$PROXY_PORT "-Dhttp.nonProxyHosts=$NON_PROXY_HOSTS""
jib_args="$jib_args -Dhttps.proxyHost=$PROXY_HOST -Dhttps.proxyPort=$PROXY_PORT"
jib_args="$jib_args -Dhttp.proxyUser=$HTTP_PROXY_USER "-Dhttp.proxyPassword=$HTTP_PROXY_PASSWORD""
jib_args="$jib_args -Dhttp.proxyUser=$HTTP_PROXY_USER "-Dhttps.proxyPassword=$HTTP_PROXY_PASSWORD""
export JIB_MAVEN_ARGS="$jib_args"
}
Then when invoking mvn
it sets JIB_MAVEN_ARGS
in on the command automatically.
The idea there, would be to make all these properties (except proxy ones) specific to a repo (allowInsecureRegistries
, auth.*
).
Guess the only option would be to use $HOME/.docker/config.json
or $HOME/.config/containers/auth.json
(XDG_RUNTIME_DIR not being usable in the build container) but it has several pitfalls compared to today:
jib.configDirectory
to write the new file (changes the default value if the file is there - some builds populated it for programmatic jib usage - agree it is not that common but this has side effects)So yes it can be a workaround but don't think it is a long term solution. Right now my workaround is to copy the public images in the private repo but I'd like to avoid it just by adding something like:
jib_args="$jib_args "-Djib.auth.docker.io.username=" "-Djib.auth.docker.io.password=""
Thank you for the additional information!
I wouldn’t exactly describe the use of docker configuration files as a workaround in general, given that it is versatile in configuring authentication for different registries (either through credHelpers or auths block). But I see that your setup could have more specific blockers for the convenience of this option - we will leave this feature request open to gauge community interest, and whether this would benefit other use scenarios.
@emmileaf Is this open for fix Should I give it a try ?
Right now auth can be set to "from" and "to" (
-Djib.from.auth.username
for ex) but this is really not convenient in a multimodule project with multiple images, in particular when from images don't come from the same repo - docker.io, custom.foo for example. Would be great to support something more specific like-Djib.registries.docker.io.auth.username
or-Djib.registries.1.2.3.4.auth.username
(ip) and password indeed.