cirruslabs / cirrus-ci-docs

Documentation for Cirrus CI 📚
https://cirrus-ci.org
MIT License

Get Docker registry config from HashiCorp vault #1106

Open julien-carsique-sonarsource opened 1 year ago

julien-carsique-sonarsource commented 1 year ago

Expected Behavior

Be able to provide the Docker registry config with a HashiCorp Vault instead of an encrypted variable:

registry_config: VAULT[path/to/secret data.config]

Real Behavior

Currently, only registry_config: ENCRYPTED[...] can be used. The substitution seems to happen before the vault resolution.

Related Info

The goal is to be able to benefit from both https://cirrus-ci.org/guide/writing-tasks/#hashicorp-vault-support and https://cirrus-ci.org/guide/linux/#working-with-private-registries

fkorotkov commented 1 year ago

That is correct and it is expected. The Vault resolution works on the Cirrus Agent side after the container is created. The registry config is configured on the Cirrus Cloud side (which might not even have access to your private Vault) before a container is scheduled.

I assume you are using your private EKS or GKE cluster. Doesn't it already have access to your private registry?

julien-carsique-sonarsource commented 1 year ago

EKS cluster, yes. The goal is to provide authenticated access to other registries than ECR, like Docker Hub.