[BUG][Docker] Docker Hub Image Access Management blocks access to OpenAPITools container images

TBBle commented 2 years ago

Bug Report Checklist

[ ] Have you provided a full/minimal spec to reproduce the issue?
[ ] Have you validated the input using an OpenAPI validator (example)?
[ ] Have you tested with the latest master to confirm the issue still exists?
[x] Have you searched for related issues/PRs?
[x] What's the actual output vs expected output?
[ ] [Optional] Sponsorship to speed up the bug fix or feature request (example)

Description

User openapitools on Docker Hub is not a Verified Publisher, which means images in that account, e.g. openapitools/openapi-generator-cli, cannot be downloaded by users in organisations with Image Access Management enabled.

openapi-generator version

v4.3.1

OpenAPI declaration file content or url

N/A

Generation Details

N/A

Steps to reproduce

Be signed in to Docker Desktop for Windows with an organisation with Image Access Management enabled.
docker pull openapitools/openapi-generator-cli:v4.3.1

Failure result:

Error response from daemon: pull access denied for openapitools/openapi-generator-cli, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Related issues/PRs

Nothing I saw.

Suggest a fix

I assume the fix is to join the Docker Verified Publisher program if that's possible for free, open-source projects.

Alongside that, I'm recommending that my employer disable Image Access Management, as I'm sure we'll hit this problem again with other open-source projects, and the whole thing is pretty awful from a UX perspective anyway.

juvarebkaplan commented 2 years ago

I would like to sponsor this task by contributing USD$1000 for someone to address this issue and get into the Docker Verified Publisher Program.

TBBle commented 2 years ago

As a workaround, you can log out of Docker Hub in the CLI and the Image Access Management policy won't apply, then do your docker pull and log back in. That's pretty awful though, and if your company has enforced Docker Hub authentication then this workaround isn't usable. (Which is probably part of why that enforce-authentication feature exists, along with supporting license compliance for corporate Docker Desktop users)

juvarebkaplan commented 2 years ago

As a workaround, you can log out of Docker Hub in the CLI and the Image Access Management policy won't apply, then do your docker pull and log back in. That's pretty awful though, and if your company has enforced Docker Hub authentication then this workaround isn't usable. (Which is probably part of why that enforce-authentication feature exists, along with supporting license compliance for corporate Docker Desktop users)

We ended up turning it off all together but that is not the right long term approach. I feel this sponsorship would be beneficial to the community.

OpenAPITools / openapi-generator