hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Feature Request: Per-task docker auth helper #6186

Open dneray opened 5 years ago

dneray commented 5 years ago

As per the docs, it looks like the auth helper definition is only available as a global per repo setting https://www.nomadproject.io/docs/drivers/docker.html#plugin_auth_helper

It would be nice to be able to have the option to include this directly in the task definition. For my use case, I am trying to generate restricted short term credentials based on the specific repo being accessed.

Based on the code here https://github.com/hashicorp/nomad/blob/master/drivers/docker/driver.go it looks like this would be a relatively easy addition.

cgbaker commented 5 years ago

@dneray, this sounds like a useful feature. For your use case, were you going to submit the credentials with the task? One concern there would be if they were short-term, and some time later the task was rescheduled to another node, the credentials might have expired.

Would something like #4576 fulfill this use case?

dneray commented 5 years ago

@cgbaker, unless I am misunderstanding something, the auth helper would be invoked every time the task was scheduled to a new node through a call to authFromHelper https://github.com/hashicorp/nomad/blob/master/drivers/docker/utils.go so that shouldn't be an issue with the credentials expiring?

#4576 looks useful but it doesn't seem to provide the granular per-task definition of the auth helper that I am hoping for.

cgbaker commented 5 years ago

Yes, the auth helper is invoked every time. I was making sure that your use case didn't involve pre-generating credentials as part of the helper config. You're correct about #4576.

dneray commented 5 years ago

Awesome, thanks for clarifying. How does this look as an addition to the job spec?

task "example" {
  driver = "docker"

  config {
    image = "secret/service"

    auth {
      helper = ["docker-credential-helper", "arg1", "arg2"]
    }
  }
}

cgbaker commented 5 years ago

@dneray, is there a reason why this needs to be different than the config syntax currently used in the client's plugin config: https://www.nomadproject.io/docs/drivers/docker.html#helper

dneray commented 5 years ago

@cgbaker ideally I would like to augment the existing config syntax to allow adding arguments to the credentials command.

Could also do something like this for consistency:

task "example" {
  driver = "docker"

  config {
    image = "secret/service"

    auth {
      helper = "docker-credential-helper"
      helperArgs = ["arg1", "arg2"]
    }
  }
}

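
The helper round-trip the thread relies on (authFromHelper invoking the credential helper every time the task is placed on a node), as an added Go example that is not Nomad's code: it takes the helper as an argv list the way the proposed per-task `helper` / `helperArgs` setting would supply it, appends the standard `get` verb, passes the registry host on stdin and parses the JSON reply, mapping the helper's "credentials not found" reply to a distinct error instead of a generic failure. `RegistryHost`, `CredentialsFromHelper`, the `fake-helper` shell stand-in and all image names are assumptions constructed for this example; the `get` verb, the JSON field names and the Docker Hub index URL are the documented Docker credential-helper protocol.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// DockerHubIndex is the server URL Docker itself hands to credential helpers
// for images that name no explicit registry host.
const DockerHubIndex = "https://index.docker.io/v1/"

// ErrNoCredentials is returned when the helper reports that it holds nothing
// for the requested registry (a distinct condition from the helper crashing).
var ErrNoCredentials = errors.New("credential helper has no credentials for this registry")

// HelperCredentials mirrors the JSON a Docker credential helper prints on "get".
type HelperCredentials struct {
	ServerURL string `json:"ServerURL"`
	Username  string `json:"Username"`
	Secret    string `json:"Secret"`
}

// RegistryHost picks the registry a credential helper should be asked about.
// Docker's rule: the first path component names a registry only when it
// contains '.' or ':' or is "localhost"; everything else lives on Docker Hub.
// (Assumed helper for this example.)
func RegistryHost(image string) string {
	// Drop a trailing @digest first so the ':' inside "sha256:..." is never
	// mistaken for a registry port.
	if i := strings.Index(image, "@"); i >= 0 {
		image = image[:i]
	}
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 2 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		return parts[0]
	}
	return DockerHubIndex
}

// CredentialsFromHelper runs helperCmd (program plus any fixed arguments, as a
// per-task helper list would supply them) with the "get" verb appended, writes
// the registry on stdin and parses the JSON reply. (Assumed helper; Nomad's
// own authFromHelper is not reproduced here.)
func CredentialsFromHelper(helperCmd []string, registry string) (HelperCredentials, error) {
	var creds HelperCredentials
	if len(helperCmd) == 0 {
		return creds, errors.New("no credential helper configured")
	}
	args := append(append([]string{}, helperCmd[1:]...), "get")
	cmd := exec.Command(helperCmd[0], args...)
	cmd.Stdin = strings.NewReader(registry + "\n")
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		// Helpers built on docker-credential-helpers print this message on
		// stdout and exit non-zero when nothing is stored for the registry.
		if strings.Contains(stdout.String(), "credentials not found") {
			return creds, ErrNoCredentials
		}
		// Report only stderr; stdout may hold a partial secret and must not
		// end up in logs.
		return creds, fmt.Errorf("credential helper %q failed: %v: %s",
			helperCmd[0], err, strings.TrimSpace(stderr.String()))
	}
	if err := json.Unmarshal(stdout.Bytes(), &creds); err != nil {
		return creds, fmt.Errorf("credential helper %q returned malformed JSON: %v", helperCmd[0], err)
	}
	if creds.Username == "" || creds.Secret == "" {
		return creds, fmt.Errorf("credential helper %q returned an empty username or secret", helperCmd[0])
	}
	return creds, nil
}

func main() {
	// Constructed stand-in helper: a shell one-liner that plays the helper's
	// role (reads the registry on stdin, answers the "get" verb with JSON) so
	// the flow can be exercised without a real registry or keychain.
	fake := []string{"sh", "-c",
		`[ "$1" = get ] || exit 2; read host; printf '{"ServerURL":"%s","Username":"robot","Secret":"token"}\n' "$host"`,
		"fake-helper"}
	creds, err := CredentialsFromHelper(fake, RegistryHost("registry.example.com:5000/team/app:1.2"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("registry=%s user=%s (secret redacted)\n", creds.ServerURL, creds.Username)
}
```

Because the helper is re-run at every placement, the secret it returns only has to outlive the image pull on that node, which is what makes short-lived, per-task-scoped credentials workable; the error split above lets an operator tell "nothing stored for this registry" apart from a broken helper in the allocation logs without the secret ever being written to them.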
tgross commented 3 years ago

See also #9740