New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: support for reading auth credentials from docker credential helpers #869
feat: support for reading auth credentials from docker credential helpers #869
Conversation
✅ Deploy Preview for testcontainers-go ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
@HofmeisterAn came with the idea of reading Thoughts? |
* main: chore(deps): bump github.com/compose-spec/compose-go from 1.9.0 to 1.11.0 in /modules/compose (testcontainers#865) chore(deps): bump github.com/docker deps from 23.0.0+incompatible to 23.0.1+incompatible (testcontainers#875) chore(deps): bump github.com/aws/aws-sdk-go libs in /modules/localstack (testcontainers#874) chore: simplify env vars for localstack module (testcontainers#873) chore: remove replace directive in modules (testcontainers#871) chore: bump testcontainers-go in Go modules (testcontainers#870)
…user and password are empty in the configuration file
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👏
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was wondering the same thing as mentioned by @HofmeisterAn, can't testcontainers-go load the correct credentials automatically without the user explicitly configuring it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have two questions:
- Does the implementation cover the PAT? I am not sure if .NET is outdated, but we have something like this, that sets the
IdentityToken
property. - Don't you need to execute the creds store somewhere to receive the credentials? Or is that covered by the dependency?
PAT == Personal Access Token, right? There are two scenarios:
BTW, the identity token, when obtained from the cred-helper (see https://github.com/cpuguy83/dockercfg/blob/main/auth.go#L67 and https://github.com/cpuguy83/dockercfg/blob/main/auth.go#L161-L164) is returned as a password, pruning the user field. in any case I'm going to give it a try tomorrow with a local test and a personal token, and check how it goes 🤔 Thanks for raising this concern!
Indeed, it's the dependency the responsible of calling the credential helpers. See https://github.com/cpuguy83/dockercfg/blob/main/auth.go#L51 |
* main: chore: go mod tidy modules (testcontainers#920) chore(deps): bump dependencies (testcontainers#919) feat: convert pulsar example into a Go module (testcontainers#872) chore: update module dependencies (testcontainers#911)
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
I've tested this PR using private registries and private images on Docker Hub, and all our tests pass. Merging it |
Hey @mdelapenya, we're users of this package, and thanks for your work on it. We'd been relying on setting Docker credentials via RegistryCred, and after some mangling, I now have our code setting the DOCKER_AUTHCONFIG environment variable instead. One piece of feedback though: this PR claims to have "deprecated" RegistryCred, when in fact it made that feature stop doing anything at all. That presents quite confusing behavior for consumers. If you'd deleted those fields entirely, that at least we would've gotten a compilation error. As it it, there's an option (RegistryCred, and maybe a few others too) that exist but do nothing now |
@srabraham oh I'm sorry if this PR broke you (and all the users). I really thought we covered the deprecation paths for the fields, but it seems not. We could release a patch release bringing back the value of the deprecated fields if needed. How would you see that? I'd like to thank you for your honesty in this feedback, and would like to also recognize that deprecating things are not that easy. At the same time, we are trying to move to a much more stable state of the code and APIs to release a 1.0.0 version, and that could come with some breaking changes (unfortunately not this time 😥). I wish we'd communicate those changes in the best possible way through the release notes. |
@mdelapenya Thanks for that! We did figure out how to get it working; it just took a little time (EDIT: see code snippets here for a fix). The solution for us was to replace this, which we were using to set RegistryCred with this, prior to making a GenericContainerRequest as users of Bazel, our the one additional thing I'd add is that it'd be nice if this piece would fail if DOCKER_AUTH_CONFIG is set, but fails JSON unmarshalling. It's otherwise kind of confusing. e.g. I initially was confused after mistakenly passing in a base64-encoded string (rather than just bytes) |
@srabraham we could include that code snippet in the release notes for 0.19.0 as a workaround |
@srabraham I went ahead and updated the release notes for 0.19.0, tagging this PR as a breaking change. Again thanks for sharing your feedback in a positive way. We much appreciate it, and again, my apologies for the non-properly communicated breaking change. |
Thanks for all your assistance with this! Yep, users of pre-v1 software need to be cautious, and that's ok! If you or anyone else would like my above snippets in code form (rather than screenshots), here they are: https://gist.github.com/srabraham/52e65ea37db5580a091334e3d065fed9 |
What does this PR do?
This PR exposes a new method:
To implement it, we will internally check, in this particular order:
DOCKER_AUTH_CONFIG
environment variable, unmarshalling the string value from its JSON representation and using it as the Docker config.DOCKER_CONFIG
environment variable, as an alternative path to the Docker config file.~/.docker/config.json
For that, we are using https://github.com/cpuguy83/dockercfg, which already handles the location of the Docker config file using the
DOCKER_CONFIG
environment variable.Finally, now that we are able to read the Docker Auth configs, we are deprecating all previous manners to add them to the container definition (the container request, the buildFromDockerfile struct, and the reaper). Instead of using those fields, we are going to use the aforementioned extraction of the Docker Auth configs to populate them when needed.
In the case of building from a Dockerfile including a FROM clause consuming an image living in a private registry, the code will parse the Dockerfile alongside the build args, to extract all Docker images in it, trying to locate the Docker auth configs for each image. The build args will be interpolated in the case the image contains them.
Docs page has been updated with how Testcontainers for Go will autodiscover the Docker auth configs.
Why is it important?
It will allow consumers of the library to discover the auth credentials when working with images living in private registries.
We decided to provide that capability instead of automatically discovering it, but I'd not be opposed to do it if desired.
Related issues