
Add option to point at auth.json file #174

Closed
michaelerickson opened this issue Jun 8, 2022 · 2 comments · Fixed by #265

Comments

@michaelerickson

I was trying to keep container registry credentials out of the Nomad job specification. My idea was to store them in Vault and use a Nomad template to pull them. As far as I can tell, Podman doesn't let you override using a set of environment variables - rather you point it at an auth.json file on the command line, or use the REGISTRY_AUTH_FILE environment variable to tell it where to read credentials from (see docs).

I did podman login on a host and noted the generated $XDG_RUNTIME_DIR/containers/auth.json file. I then grabbed the auth portion and stored it in Vault.

In the Nomad job specification I used a template to create a version of the auth file according to the format as below:

      template {
        data = <<EOH
        {
          "auths": {
            "ghcr.io": {
              "auth": "{{with secret "secret/data/github/creds"}}{{.Data.data.auth}}{{end}}"
            }
          }
        }
        EOH

        destination = "local/auth.json"
        change_mode = "noop" # We don't care if this value changes once we are running
      }

I then tried to get Podman to recognize that file using:

      env {
        HTTP_PORT          = "${NOMAD_PORT_http}"
        ENV                = "dev"
        # So Podman can find the auth file
        REGISTRY_AUTH_FILE = "${NOMAD_TASK_DIR}/auth.json"
      }

Unfortunately, Podman would not pick up the credentials. I viewed the created file under local and it looked correct to me.

The tasks all failed because the container could not be pulled from the registry.

My guess is that REGISTRY_AUTH_FILE is not available to the driver, so it isn't using it?

The feature that would be useful is adding an option to point the driver at the credentials file to use.
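A way to sanity-check the rendered auth.json before a task hands it to Podman, as an added example that is not part of this issue or of the driver's code. It assumes only the two lookup locations named above (REGISTRY_AUTH_FILE, else $XDG_RUNTIME_DIR/containers/auth.json), and the sample content is constructed with a placeholder credential:

```python
import base64
import json
import os

# Constructed sample in the layout the Nomad template above renders; "user:ghp_example" is a placeholder.
SAMPLE_AUTH_JSON = json.dumps({"auths": {"ghcr.io": {"auth": base64.b64encode(b"user:ghp_example").decode()}}}, indent=2)


def resolve_auth_file(env):
    """Lookup order the issue describes: REGISTRY_AUTH_FILE if set, otherwise
    $XDG_RUNTIME_DIR/containers/auth.json. No other locations are modelled (assumption)."""
    if env.get("REGISTRY_AUTH_FILE"):
        return env["REGISTRY_AUTH_FILE"]
    if env.get("XDG_RUNTIME_DIR"):
        return os.path.join(env["XDG_RUNTIME_DIR"], "containers", "auth.json")
    return None


def check_auth_text(text, registry):
    """Validate rendered auth.json content: returns found/username plus a list of problems."""
    result = {"registry": registry, "found": False, "username": None, "problems": []}
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        result["problems"].append(f"invalid JSON: {exc}")
        return result
    auths = doc.get("auths") if isinstance(doc, dict) else None
    entry = auths.get(registry) if isinstance(auths, dict) else None
    if not isinstance(entry, dict) or not isinstance(entry.get("auth"), str):
        result["problems"].append(f'no "auths.{registry}.auth" string present')
        return result
    try:  # must be base64("user:password"); an empty Vault lookup renders "" here
        decoded = base64.b64decode(entry["auth"], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        decoded = ""
    if ":" not in decoded:
        result["problems"].append('"auth" does not decode to user:password')
        return result
    result["found"], result["username"] = True, decoded.split(":", 1)[0]
    return result


def check_auth_file(path, registry):
    """Same check against the file the task would actually hand to Podman."""
    if path is None or not os.path.isfile(path):
        return {"registry": registry, "found": False, "username": None,
                "problems": [f"auth file not found: {path}"]}
    with open(path, encoding="utf-8") as fh:
        return check_auth_text(fh.read(), registry)
```

Running check_auth_file(resolve_auth_file(dict(os.environ)), "ghcr.io") inside the task reports exactly why a pull would fail: wrong path, malformed JSON, missing registry key, or an empty secret rendered by the template.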

@optiz0r
Contributor

optiz0r commented Jul 2, 2022

You might also consider https://github.com/morningconsult/docker-credential-vault-login as an alternative method to get credentials from vault to podman, without actually involving nomad (despite the name, this also works with podman).

It assumes any job running on the host should have access to the same registry credentials, which might not be what you're looking for, and having nomad able to pull different registry creds from vault per job may still be handy to have.

@michaelerickson
Author

Thanks @optiz0r, I will take a look at that.
