Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

client/driver: use correct repo address when using docker-credential helper #4266

Merged
merged 5 commits into from
May 15, 2018

Conversation

nickethier
Copy link
Member

Uses the server address instead of the image repo reference as the input to the docker-credentials helper.

fixes #3818
fixes #4221

@nickethier nickethier force-pushed the b-3818-gce-docker-cred-helper branch from 505f8a1 to 0ca49c0 Compare May 8, 2018 19:15
@nickethier nickethier force-pushed the b-3818-gce-docker-cred-helper branch from 0ca49c0 to bbb3d74 Compare May 8, 2018 19:17
CHANGELOG.md Outdated
@@ -10,6 +10,9 @@ IMPROVEMENTS:
* env: Default interpolation of optional meta fields of parameterized jobs to
an empty string rather than the field key. [[GH-3720](https://github.com/hashicorp/nomad/issues/3720)]

BUG FIXES:
* driver/docker: Fix docker credential helper support [[GH-3818](https://github.com/hashicorp/nomad/issues/3818)] [[GH-4221](https://github.com/hashicorp/nomad/issues/4221)]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we say what case is fixed? I am assuming it worked for some subset of image specification formats

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it was a fluke that it worked for gcr as the implementation didn’t follow the current spec. Maybe it changed along the way? I don’t think it’s used much outside of GCE.

Copy link
Contributor

@dadgar dadgar May 9, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay the two I know of are GCR and AWS:
https://github.com/awslabs/amazon-ecr-credential-helper
https://github.com/GoogleCloudPlatform/docker-credential-gcr

Also we should like to only GH-4266. This PR should mark those two issues as closed.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it looks like the aws helper's regex doesn't care whats after the hostname.

GCR is using URL.Parse and verifying the Host is a part of GCR.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the gcloud helper which i just found out is actually an alias into the google cloud sdk expects the url to be one of these

// Ensure that the HTTPs prefix exists
if !strings.HasPrefix(repo, "https://") {
repo = fmt.Sprintf("https://%s", repo)
repoInfo, err := parseRepositoryInfo(repo)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we get a test

}

cmd.Stdin = strings.NewReader(repo)
// Ensure that the HTTPs prefix exists
repoAddr := fmt.Sprintf("https://%s", repoInfo.Hostname())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it safe to assume everyone uses https for internal hubs

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is whats passed to the helper. The docs only ever show examples with https, but even some of the major cloud registry helpers like AWS ECR and Google GCR strip the https if it exists comming in and do the look up based solely on the domain name.

https://github.com/awslabs/amazon-ecr-credential-helper/blob/master/ecr-login/api/client.go#L41-L43

https://github.com/GoogleCloudPlatform/docker-credential-gcr/blob/master/credhelper/helper.go#L252:16

require.NoError(t, err)
defer os.RemoveAll(dir)
helperPayload := "{\"Username\":\"hashi\",\"Secret\":\"nomad\"}"
helperContent := []byte(fmt.Sprintf("#!/bin/sh\ncat > %s/helper-$1.out;echo '%s'", dir, helperPayload))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Guard this test from running on windows?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do build tags work on tests? Or should I skip if runtime.GOOS == "windows"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Build tags work on test.

@nickethier nickethier merged commit 504a910 into master May 15, 2018
@nickethier nickethier deleted the b-3818-gce-docker-cred-helper branch July 11, 2018 01:32
@github-actions
Copy link

github-actions bot commented Mar 1, 2023

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 1, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
3 participants