Using encrypted credentials (possibly re-using docker login credentials) for registry

[ac111]

The current schema allows for credentials to be supplied for each registry used in the deployment YAML, however these values are stored in cleartext. Can we use gpg / environment variables or possibly re-using existing docker login cached data here (the concern is sharing the YAML between operators or in a source-control repository in cleartext, and likely each user will have their own identity for authentication as well)?

[mpetazzoni]

If each user has their own credentials, and assuming they have correctly used docker login <registry> beforehand, you should be able to provide a YAML without registry credentials and it would still work, as the docker-py library would use the available local auth data:

registries:
  quay.io:
    registry: https://quay.io/v1/

$ cat .dockercfg | json_pp
{
  "https://quay.io/v1/" : {
    "auth" : "...",
    "email" : "..."
  }
}

I haven't tested this myself, but I believe this should work. Would you be able to try?

[ac111]

Thank you for the suggestion -- I tried providing a registry definition without the credentials and received an error when trying to parse the YAML file ("registry definition incomplete"). Unfortunately, the service pulls on remote hosts hang without the full registry definition in place, even with cached credentials (~/.docker/config.json) in place on the orchestration host.

[mpetazzoni]

Ok, I'd need to make Maestro allow for registries to be defined without username/password then.

[ac111]

Quick update on this -- I modified the code (fork) to not require the password entry, only username. The service pulls now work using the cached local docker login credentials for the registry.

[mpetazzoni]

Great, that's what I expected. Do you think you could send a PR?

[ac111]

Wondering if we can re-integrate the fork (cenx-cf), though it has a few additional changes aside from this change? Should this be PR'd separately?

[mpetazzoni]

Yes, make a separate PR please.