feat: support for reading auth credentials from docker credential helpers #869
Conversation
mdelapenya
added
the
feature
✅ Deploy Preview for testcontainers-go ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
|
@HofmeisterAn came with the idea of reading Thoughts? |
* main: chore(deps): bump github.com/compose-spec/compose-go from 1.9.0 to 1.11.0 in /modules/compose (testcontainers#865) chore(deps): bump github.com/docker deps from 23.0.0+incompatible to 23.0.1+incompatible (testcontainers#875) chore(deps): bump github.com/aws/aws-sdk-go libs in /modules/localstack (testcontainers#874) chore: simplify env vars for localstack module (testcontainers#873) chore: remove replace directive in modules (testcontainers#871) chore: bump testcontainers-go in Go modules (testcontainers#870)
…user and password are empty in the configuration file
There was a problem hiding this comment.
I was wondering the same thing as mentioned by @HofmeisterAn, can't testcontainers-go load the correct credentials automatically without the user explicitly configuring it?
There was a problem hiding this comment.
I have two questions:
- Does the implementation cover the PAT? I am not sure if .NET is outdated, but we have something like this, that sets the
IdentityTokenproperty. - Don't you need to execute the creds store somewhere to receive the credentials? Or is that covered by the dependency?
PAT == Personal Access Token, right? There are two scenarios:
BTW, the identity token, when obtained from the cred-helper (see https://github.com/cpuguy83/dockercfg/blob/main/auth.go#L67 and https://github.com/cpuguy83/dockercfg/blob/main/auth.go#L161-L164) is returned as a password, pruning the user field. in any case I'm going to give it a try tomorrow with a local test and a personal token, and check how it goes 🤔 Thanks for raising this concern!
Indeed, it's the dependency the responsible of calling the credential helpers. See https://github.com/cpuguy83/dockercfg/blob/main/auth.go#L51 |
* main: chore: go mod tidy modules (testcontainers#920) chore(deps): bump dependencies (testcontainers#919) feat: convert pulsar example into a Go module (testcontainers#872) chore: update module dependencies (testcontainers#911)
|
Kudos, SonarCloud Quality Gate passed!
|
|
I've tested this PR using private registries and private images on Docker Hub, and all our tests pass. Merging it |
|
Hey @mdelapenya, we're users of this package, and thanks for your work on it. We'd been relying on setting Docker credentials via RegistryCred, and after some mangling, I now have our code setting the DOCKER_AUTHCONFIG environment variable instead. One piece of feedback though: this PR claims to have "deprecated" RegistryCred, when in fact it made that feature stop doing anything at all. That presents quite confusing behavior for consumers. If you'd deleted those fields entirely, that at least we would've gotten a compilation error. As it it, there's an option (RegistryCred, and maybe a few others too) that exist but do nothing now |
|
@srabraham oh I'm sorry if this PR broke you (and all the users). I really thought we covered the deprecation paths for the fields, but it seems not. We could release a patch release bringing back the value of the deprecated fields if needed. How would you see that? I'd like to thank you for your honesty in this feedback, and would like to also recognize that deprecating things are not that easy. At the same time, we are trying to move to a much more stable state of the code and APIs to release a 1.0.0 version, and that could come with some breaking changes (unfortunately not this time 😥). I wish we'd communicate those changes in the best possible way through the release notes. |
|
@mdelapenya Thanks for that! We did figure out how to get it working; it just took a little time (EDIT: see code snippets here for a fix). The solution for us was to replace this, which we were using to set RegistryCred
with this, prior to making a GenericContainerRequest as users of Bazel, our the one additional thing I'd add is that it'd be nice if this piece would fail if DOCKER_AUTH_CONFIG is set, but fails JSON unmarshalling. It's otherwise kind of confusing. e.g. I initially was confused after mistakenly passing in a base64-encoded string (rather than just bytes) |
|
@srabraham we could include that code snippet in the release notes for 0.19.0 as a workaround |
|
@srabraham I went ahead and updated the release notes for 0.19.0, tagging this PR as a breaking change. Again thanks for sharing your feedback in a positive way. We much appreciate it, and again, my apologies for the non-properly communicated breaking change. |
Thanks for all your assistance with this! Yep, users of pre-v1 software need to be cautious, and that's ok! If you or anyone else would like my above snippets in code form (rather than screenshots), here they are: https://gist.github.com/srabraham/52e65ea37db5580a091334e3d065fed9 |
What does this PR do?
This PR exposes a new method:
To implement it, we will internally check, in this particular order:
DOCKER_AUTH_CONFIGenvironment variable, unmarshalling the string value from its JSON representation and using it as the Docker config.DOCKER_CONFIGenvironment variable, as an alternative path to the Docker config file.~/.docker/config.jsonFor that, we are using https://github.com/cpuguy83/dockercfg, which already handles the location of the Docker config file using the
DOCKER_CONFIGenvironment variable.Finally, now that we are able to read the Docker Auth configs, we are deprecating all previous manners to add them to the container definition (the container request, the buildFromDockerfile struct, and the reaper). Instead of using those fields, we are going to use the aforementioned extraction of the Docker Auth configs to populate them when needed.
In the case of building from a Dockerfile including a FROM clause consuming an image living in a private registry, the code will parse the Dockerfile alongside the build args, to extract all Docker images in it, trying to locate the Docker auth configs for each image. The build args will be interpolated in the case the image contains them.
Docs page has been updated with how Testcontainers for Go will autodiscover the Docker auth configs.
Why is it important?
It will allow consumers of the library to discover the auth credentials when working with images living in private registries.
We decided to provide that capability instead of automatically discovering it, but I'd not be opposed to do it if desired.
Related issues