docker: fix a bug where auth for private registries wasn't parsed correctly #24215

Open
wants to merge 13 commits into
base: main

pkazmierczak
Contributor

In #23966 we introduced an official Docker client and did not notice that, in contrast to our previous 3rd party client, the official SDK PullOptions object expects a base64 encoded JSON with username and password instead of a username/password pair.

This PR fixes the issue and adds e2e tests for Docker driver auth.

Fixes #24181
Internal ref: https://hashicorp.atlassian.net/browse/NET-11310

@pkazmierczak pkazmierczak self-assigned this Oct 15, 2024
@pkazmierczak pkazmierczak added this to the 1.9.1 milestone Oct 15, 2024
drivers/docker/utils.go Outdated
Comment on lines 154 to 162
// docker API calls require base64 encoded auth string
if auth.Username != "" && auth.Password != "" {
authConfig := registrytypes.AuthConfig{
Username: auth.Username,
Password: auth.Password,
}
encodedJSON, _ := json.Marshal(authConfig)
auth.Auth = base64.URLEncoding.EncodeToString(encodedJSON)
}
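Review bot: the `encodedJSON, _ := json.Marshal(authConfig)` line discards the marshal error, so on failure auth.Auth would be set to the encoding of an empty byte slice (an empty string) with no signal to the caller. Capture the error and return or log it instead of assigning it to `_`. The guard above it also skips encoding silently when only one of Username or Password is set; a comment or an explicit error for that case would make the intent clear.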
Member

This block of code gets used a few times with slightly different input checks. Maybe we should pull this out to a helper function with a signature like: func encodeAuth(cfg *registrytypes.AuthConfig) error. It can mutate the auth config with the Auth field or return an error if the encoding fails.

Contributor Author

t.Cleanup(cleanup)

logs := job.TaskLogs("cache", "redis")
must.StrContains(t, logs.Stdout, "oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo")
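Review bot: the `must.StrContains` assertion on the Redis startup banner shows that the task ran, not that the registry credentials were used for the pull; an image already present on the client would produce the same log line. Consider adding a case that asserts on the pull itself, for example the same job with deliberately incorrect credentials that is expected to fail.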
Member

👻

Comment on lines 214 to 215
Username: username,
Password: password,
Member

I see why we're creating a new AuthConfig object here, but cfg.Username and cfg.Password will be already set, right? Couldn't we use those values instead of passing in the username/password explicitly? If not, we could just drop mutating the cfg entirely and have this return (string, error) instead.

Contributor Author

ooof, missed that 🤦
d0c89d8 fixes it
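
The encoding the PR description refers to, written as a helper with the (string, error) shape suggested in the review. This is an added example, not code from the PR or from Nomad: the AuthConfig struct is a local stand-in for registrytypes.AuthConfig, decodeAuth is a hypothetical counterpart, and the credentials and registry address are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthConfig is a local stand-in for registrytypes.AuthConfig (assumption:
// only the fields needed here, using Docker's JSON field names).
type AuthConfig struct {
	Username      string `json:"username,omitempty"`
	Password      string `json:"password,omitempty"`
	ServerAddress string `json:"serveraddress,omitempty"`
}

// encodeAuth returns the URL-safe base64 of the JSON-encoded credentials.
// It does not mutate cfg and surfaces errors instead of discarding them.
func encodeAuth(cfg *AuthConfig) (string, error) {
	if cfg == nil || cfg.Username == "" || cfg.Password == "" {
		return "", errors.New("auth config needs both username and password")
	}
	buf, err := json.Marshal(cfg)
	if err != nil {
		return "", fmt.Errorf("marshal auth config: %w", err)
	}
	return base64.URLEncoding.EncodeToString(buf), nil
}

// decodeAuth (hypothetical) reverses encodeAuth, as a consumer of the value would.
func decodeAuth(s string) (*AuthConfig, error) {
	raw, err := base64.URLEncoding.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("decode auth string: %w", err)
	}
	var cfg AuthConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("unmarshal auth config: %w", err)
	}
	return &cfg, nil
}

func main() {
	// Constructed sample values; the encoded string is a credential, so only its length is printed.
	enc, err := encodeAuth(&AuthConfig{Username: "ci", Password: "s3cr???t", ServerAddress: "registry.example.test:5000"})
	fmt.Println(len(enc), err)
}
```

The password contains three consecutive `?` characters so that the standard and URL-safe base64 alphabets produce different output, which is the case where mixing the two encodings breaks decoding.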

@pkazmierczak
Contributor Author

One other thing: the e2e tests are failing because the local registry isn't added to dockerd's "insecure registries." I'm not sure how to add it since we only know the registry address once we create it. I'll have to think about it.

@shoenig
Member

shoenig commented Oct 15, 2024

The podman e2e test jumps through some fun hoops to set up a private registry that is auth enabled, can take a look for inspiration maybe. https://github.com/hashicorp/nomad/blob/main/e2e/podman/input/registry-auths.hcl

Successfully merging this pull request may close these issues.

Docker auth.config not working anymore in 1.9.0