docker: fix a bug where auth for private registries wasn't parsed correctly #24215
base: main
tls_verify is a podman config property
drivers/docker/utils.go
Outdated
// docker API calls require base64 encoded auth string | ||
if auth.Username != "" && auth.Password != "" { | ||
authConfig := registrytypes.AuthConfig{ | ||
Username: auth.Username, | ||
Password: auth.Password, | ||
} | ||
encodedJSON, _ := json.Marshal(authConfig) | ||
auth.Auth = base64.URLEncoding.EncodeToString(encodedJSON) | ||
} |
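Review bot: the error from json.Marshal is discarded at `encodedJSON, _ := json.Marshal(authConfig)`, so a failed encode would silently leave auth.Auth empty and the problem would only surface later as a failed pull. Capture the error and return it to the caller rather than assigning the result unconditionally.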
This block of code gets used a few times with slightly different input checks. Maybe we should pull this out to a helper function with a signature like: `func encodeAuth(cfg *registrytypes.AuthConfig) error`. It can mutate the auth config with the `Auth` field or return an error if the encoding fails.
t.Cleanup(cleanup) | ||
|
||
logs := job.TaskLogs("cache", "redis") | ||
must.StrContains(t, logs.Stdout, "oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo") |
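Review bot: the assertion in `must.StrContains(t, logs.Stdout, ...)` ties the test to the exact Redis startup banner, which is output the test does not control and which can change with the image. Consider asserting on the task's state instead, or pinning the image version the job uses, so a banner change does not show up as an auth regression.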
👻
drivers/docker/utils.go
Outdated
Username: username, | ||
Password: password, |
I see why we're creating a new `AuthConfig` object here, but `cfg.Username` and `cfg.Password` will be already set, right? Couldn't we use those values instead of passing in the username/password explicitly? If not, we could just drop mutating the `cfg` entirely and have this return `(string, error)` instead.
ooof, missed that 🤦
d0c89d8 fixes it
One other thing: the e2e tests are failing because the local registry isn't added to dockerd's "insecure registries." I'm not sure how to add it since we only know the registry address once we create it. I'll have to think about it.
The podman e2e test jumps through some fun hoops to set up a private registry that is auth enabled, can take a look for inspiration maybe. https://github.com/hashicorp/nomad/blob/main/e2e/podman/input/registry-auths.hcl
In #23966 we introduced an official Docker client and did not notice that in contrast to our previous 3rd party client, the official SDK `PullOptions` object expects a base64 encoded JSON with username and password, instead of a username/password pair. This PR fixes the issue and adds e2e tests for Docker driver auth.
Fixes #24181
Internal ref: https://hashicorp.atlassian.net/browse/NET-11310
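
The encoding discussed in this PR, as an added Go example that is not code from the Nomad repository: it builds the base64-encoded JSON auth string with the error returned, and shows that the URL-safe alphabet used in the diff is not interchangeable with standard base64. `authConfig` is a local stand-in for the SDK type, and `encodeAuth`, `decodeAuth` and the credentials are hypothetical or constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// authConfig is a local stand-in (assumption) for the username/password
// fields of the Docker SDK's registry AuthConfig, so the example runs offline.
type authConfig struct {
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
}

var errMissingCreds = errors.New("username and password must both be set")

// encodeAuth (hypothetical helper) returns the base64url-encoded JSON form
// of the credentials and surfaces the Marshal error instead of dropping it.
func encodeAuth(cfg authConfig) (string, error) {
	if cfg.Username == "" || cfg.Password == "" {
		return "", errMissingCreds
	}
	raw, err := json.Marshal(cfg)
	if err != nil {
		return "", fmt.Errorf("encoding registry auth: %w", err)
	}
	return base64.URLEncoding.EncodeToString(raw), nil
}

// decodeAuth (hypothetical) plays the receiving side: it accepts only the
// URL-safe alphabet, so a StdEncoding string containing '+' or '/' fails.
func decodeAuth(encoded string) (authConfig, error) {
	var cfg authConfig
	raw, err := base64.URLEncoding.DecodeString(encoded)
	if err != nil {
		return cfg, fmt.Errorf("decoding registry auth: %w", err)
	}
	err = json.Unmarshal(raw, &cfg)
	return cfg, err
}

func main() {
	// Constructed credentials; the "???" run forces a '_' into the output.
	enc, err := encodeAuth(authConfig{Username: "nomad", Password: "???constructed"})
	fmt.Println(enc, err)
	cfg, err := decodeAuth(enc)
	fmt.Println(cfg.Username, err)
}
```
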