rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

Setting up credential helper for GCP container registry + nerdctl #3566

Open gunamata opened 1 year ago

gunamata commented 1 year ago

Actual Behavior

I am filing this issue on behalf of a user, from this Slack conversation. https://rancher-users.slack.com/archives/C0200L1N1MM/p1670262356431799

I am not able to get the docker-credential-gcr working with nerdctl on macOS.

Steps to Reproduce

Result

The above steps work on Windows, but on macOS the push command throws the error below.

error: failed to solve: error getting credentials - err: exit status 22, out: `Error: spawn docker-credential-gcr ENOENT`

Expected Behavior

Users should be able to run pull/push images from the GCP registry using nerdctl on macOS

Additional Information

No response

Rancher Desktop Version

https://github.com/rancher-sandbox/rancher-desktop/actions/runs/3626023941

Rancher Desktop K8s Version

NA

Which container engine are you using?

containerd (nerdctl)

What operating system are you using?

macOS

Operating System / Build Version

macOS

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

No response

jandubois commented 1 year ago

Does this work on macOS with Moby and the docker cli?

gunamata commented 1 year ago

Yes, it works on macOS with Moby and the docker cli.

jdgreenberger commented 1 year ago

Hi there, I'm the user referenced in this ticket. I wanted to clarify the problem a bit. I've tried to use nerdctl with the default gcloud auth strategy, using nerdctl login and gcloud auth configure-docker us-central1-docker.pkg.dev. This strategy works when using the Docker CLI, but results in 403 auth errors when using nerdctl. As a remedy, @gunamata suggested I try using the latest dev version of Rancher Desktop and the docker-credential-gcr plugin. Using this strategy, I received the error:

error: failed to solve: error getting credentials - err: exit status 22, out: `Error: spawn docker-credential-gcr ENOENT`

I am receiving the same error, however, when using the Docker CLI. The two Slack threads should contain any other relevant context:

https://rancher-users.slack.com/archives/C0200L1N1MM/p1669834094085999
https://rancher-users.slack.com/archives/C0200L1N1MM/p1670262356431799

jdgreenberger commented 1 year ago

This is preventing me from using the most basic functionality. Is there any workaround available?

brunohenriquy commented 1 year ago

Hey guys, any news about this? This is also preventing me from moving to Rancher Desktop.

dbeaudway commented 1 year ago

Same issue here, following

jandubois commented 1 year ago

The problem is that when Rancher Desktop is launched by launchd, which happens e.g. when started via the Finder, then it doesn't run with the PATH set up by the user's shell, but with a minimal configuration (e.g. just /usr/bin:/bin:/usr/sbin:/sbin). The credential forwarder therefore cannot find the credential helper at runtime.

For the current release, a workaround is to run Rancher Desktop directly from your shell:

$ /Applications/Rancher\ Desktop.app/Contents/MacOS/Rancher\ Desktop

You may need to leave that terminal window open as long as you run Rancher Desktop (I haven't tested this further), but GCR authentication should now be working.

We should use the PATH from the user's login shell to locate credential helpers in future releases.
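
The PATH mismatch described in the comment above can be checked directly. The following is an added example, not part of the original thread and not Rancher Desktop's code: it lists the credential helpers named in a Docker client config and reports those that the login shell's PATH resolves but the minimal launchd PATH does not. The function names, the `~/.docker/config.json` location and the `$SHELL -l -c` call are assumptions of this sketch.

```python
import json
import os
import shutil
import subprocess
from pathlib import Path

# Minimal PATH a launchd-started app sees, as quoted in the comment above.
LAUNCHD_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"


def helper_binaries(config: dict) -> list[str]:
    """Names of the credential helper executables a Docker config refers to."""
    names = set((config.get("credHelpers") or {}).values())
    if config.get("credsStore"):
        names.add(config["credsStore"])
    # Docker-style clients run helpers as docker-credential-<name>.
    return sorted(f"docker-credential-{name}" for name in names)


def login_shell_path() -> str:
    """PATH as set up by the user's login shell (assumes $SHELL accepts -l -c)."""
    shell = os.environ.get("SHELL", "/bin/sh")
    out = subprocess.run([shell, "-l", "-c", 'printf "%s" "$PATH"'],
                         capture_output=True, text=True, check=True).stdout
    # Profile scripts may print to stdout first; PATH is the last line.
    return out.splitlines()[-1] if out else ""


def lost_helpers(config: dict, shell_path: str, app_path: str = LAUNCHD_PATH) -> dict:
    """Helpers the shell PATH resolves but the app's PATH does not.

    Maps each such helper to the absolute path found via shell_path, which is
    the binary that would be handed registry credentials.
    """
    lost = {}
    for binary in helper_binaries(config):
        in_shell = shutil.which(binary, path=shell_path)
        if in_shell and shutil.which(binary, path=app_path) is None:
            lost[binary] = in_shell
    return lost


if __name__ == "__main__":
    cfg_file = Path.home() / ".docker" / "config.json"
    config = json.loads(cfg_file.read_text()) if cfg_file.exists() else {}
    for binary, location in lost_helpers(config, login_shell_path()).items():
        print(f"{binary}: found at {location}, but not on {LAUNCHD_PATH}")
```

Any helper it prints is one a Finder-launched app would fail to spawn with ENOENT; the printed absolute path also shows which binary the shell PATH would select.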

brunohenriquy commented 1 year ago

It worked! Thanks @jandubois!

rparadinha commented 3 weeks ago

Do you have any predictions on when this user path correction will be included in the upcoming version?