morningconsult / docker-credential-vault-login

Automatically gets docker credentials from Hashicorp Vault
Apache License 2.0
77 stars, 11 forks

Rootless podman support #59

Closed. optiz0r closed this 3 years ago

optiz0r commented 3 years ago

Feature Description

This credential helper almost works with rootless podman, but not quite. Specifically, the config file makes reference to hardcoded file paths, so it can't be used by more than one user at a time without some compromises. This makes sense for docker, where it's the docker daemon making the request, so they're always coming from the root user, and a single set of approle and cache files could be used.

Possibly some of the paths in the configuration are actually handled by vault-core rather than this helper.

I can make it work hackily by making these three file locations world-readable, or with a group owner which includes all podman users. The cache file is silently ignored if not writable, and the helper returns the registry credential OK, just with extra load on the vault server as it's authenticating each time. It's not great from a security perspective that the role/secret files are shared between users though, as it means all users have the same access to all registries.

If these three configuration items could be read from environment variables, or allow interpolation of, say, $HOME, then I think this helper could be used trivially with podman from multiple users, each with their own private set of credentials.

optiz0r commented 3 years ago

Just realised I can solve this by exporting DCVL_CONFIG_FILE to point to a separate config file per user, which points at their home directory for the role/secret/cache files. It requires having each user set themselves up to use it, but is good enough for now :)
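As an added example (not code from the project or from the thread's author): a POSIX shell check for the per-user layout described in the workaround, verifying that the config file a user's DCVL_CONFIG_FILE points at, and the role/secret/cache files it references, are owned by that user and carry no group or other permission bits, so they are not shared the way the world-readable workaround would share them. Only the DCVL_CONFIG_FILE variable comes from the thread; the check_private_paths function and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of docker-credential-vault-login.
# Verifies that a rootless-podman user's credential-helper files are private
# to that user. File names (role_id, secret_id, cache) are constructed.

# check_private_paths FILE...
# Returns 0 when every FILE exists, is owned by the calling user and has no
# group/other permission bits; reports each offending path and returns 1 otherwise.
check_private_paths() {
  me=$(id -u)
  rc=0
  for f in "$@"; do
    if [ ! -e "$f" ]; then
      echo "missing: $f" >&2
      rc=1
      continue
    fi
    # ls -ldn prints the numeric owner in column 3.
    owner=$(ls -ldn "$f" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits.
    grp_oth=$(ls -ld "$f" | cut -c5-10)
    if [ "$owner" != "$me" ]; then
      echo "not owned by uid $me: $f" >&2
      rc=1
    fi
    if [ "$grp_oth" != "------" ]; then
      echo "accessible to group/others ($grp_oth): $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Typical per-user invocation (assumed layout under $HOME/.config/dcvl):
#   export DCVL_CONFIG_FILE="$HOME/.config/dcvl/config"
#   sh check.sh "$DCVL_CONFIG_FILE" "$HOME/.config/dcvl/role_id" \
#       "$HOME/.config/dcvl/secret_id" "$HOME/.config/dcvl/cache"
if [ $# -gt 0 ]; then
  check_private_paths "$@"
fi
```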