Closed ajcann closed 3 years ago
Unfortunately this is a technical limitation with no immediate solution. Our plan is to eventually allow secrets to be uploaded via the Dashboard instead of encoded in config, but that's going to take a bit of work first.
I'm not familiar enough with GCP to know if there's a better way. For AWS's ECR we dynamically generate long authentication keys at runtime by using a standard key/secret pair in config. Potentially, if GCP supports generating JSON keys at runtime using a shorter username/password, then it's an option.
If you would be OK with this read-only key file being seen by us (Renovate hosts) then I could add it manually for you to our backend if you can send it to us via email or some other method that satisfies you.
Kind of you to offer! I think we'll experiment with a few other options at the moment.
I do believe GCP offers access tokens as well (similar in spirit to the ECR scheme), but I'm not familiar enough with it to say whether it would be a major effort to support.
I don't suppose GitHub Apps have the ability to read secrets (new feature of repos that was introduced with GitHub Actions) of repos to which they have permission?
I don't believe so, unfortunately
I'm going to archive this repository so that we have conversations in one place. Therefore please create an "App Support" discussion here if this problem or suggestion is still relevant: https://github.com/renovatebot/renovate/discussions
What Renovate type are you using? Hosted App
Describe the bug: In order to authenticate to Google Container Registry with a read-only service account one must use the username '_json_key' with the password being the service account's JSON key file (something like 2500 characters). When trying to encrypt this service account JSON file at https://renovatebot.com/encrypt, I see 'false' in the browser and 'Message too long for RSA' in the browser console. It appears the max accepted characters is ~245.
Perhaps there is another way to authenticate to GCR with a read-only service account?
Reference: https://cloud.google.com/container-registry/docs/advanced-authentication#access_token
Did you see anything helpful in debug logs? 'Message too long for RSA' in the browser console at https://renovatebot.com/encrypt
To Reproduce: Steps to reproduce the behavior:
Expected behavior: The string is encrypted and the resulting encrypted string can be used in Renovate's encrypted block.
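The size limit reported in this issue can be reproduced locally. The following is an added example, not code from the thread or from Renovate: it assumes a 2048-bit RSA key with PKCS#1 v1.5 padding (consistent with the ~245 character limit reported, but not confirmed on this page), and all function names are hypothetical. It also goes beyond the thread by showing hybrid encryption, the general technique for encrypting payloads larger than one RSA block; nothing here says Renovate implements it.

```javascript
// Added example: not Renovate's code. Key size and padding are assumptions.
const crypto = require('node:crypto');

// Throwaway 2048-bit key pair generated locally for the demonstration.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Largest plaintext one RSA operation accepts, in bytes.
// PKCS#1 v1.5 needs 11 bytes of padding; OAEP needs 2 * hashLen + 2.
function maxPlaintext(modulusBits, padding, hashLen = 32) {
  const k = modulusBits / 8;
  return padding === 'oaep' ? k - 2 * hashLen - 2 : k - 11;
}

// Try a direct RSA encryption; return true if the library accepts the input.
function rsaAccepts(plaintext) {
  try {
    crypto.publicEncrypt({ key: publicKey, padding: crypto.constants.RSA_PKCS1_PADDING }, plaintext);
    return true;
  } catch {
    return false; // the input is larger than the key size allows
  }
}

// Hybrid encryption: AES-256-GCM carries the payload,
// RSA-OAEP wraps only the 32-byte AES key.
function hybridEncrypt(plaintext) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' }, aesKey);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), body };
}

function hybridDecrypt({ wrappedKey, iv, tag, body }) {
  const aesKey = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' }, wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, iv);
  decipher.setAuthTag(tag); // decryption fails if the ciphertext was tampered with
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Constructed stand-in for a ~2500-character service account JSON key (no real credential).
const fakeJsonKey = Buffer.from(
  JSON.stringify({ type: 'service_account', private_key: 'x'.repeat(2450) }));
```

With these assumptions, `rsaAccepts` succeeds for inputs up to 245 bytes and fails for the constructed key file, while `hybridEncrypt` handles it because RSA only ever sees the 32-byte AES key.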