Reading dockercfg files for authenticating with private registries

[diptanu]

Fixed #660 and #702

[dadgar]

LGTM. Related? #702

[diptanu]

@dadgar Oh yeah #702 is related too. Updating the CHANGELOG too.

[trenton42]

This issue is bigger than just having the https:// on the beginning of the repo address (you should never have to hand edit the auths section of config.json -- that part is generated by docker login). Nomad also looks for the completely wrong thing when looking up auths.

In docker.go it uses repo to look up the auth:

if authConfiguration, ok := authConfigurations.Configs[repo]; ok {
    authOptions = authConfiguration
}

But repo is returned by the docker client and all it does is split the tag from the rest of the docker image path. What this means is that nomad is not just looking for the server address in the auths, it is also looking for the image name. For example, on GCE I might have an image called gcr.io/some-project/some-image:v1.0. If you want this to work right now, you have to put an auth key in for ever single image you run. When nomad tries to look up an auth in config.json, it will look for a key called gcr.io/some-project/some-image, but what docker login actually puts in config.json is:

{
    "auths": {
        "https://gcro.io": {
            "auth": "<some token>",
            "email": "[email protected]"
        }
    }
}

What should happen is either:

1. Nomad uses authOptions.ServerAddress for the lookup (requires jobs to specify this in their config)
2. Parse the image name and determine the correct server name

TL;DR neither #660 nor #702 are fixed.

[waziers]

@diptanu why is this closed, @trenton42 is correct, this is still broken unless you manually re-write the config.json file

[trenton42]

@waziers I think this did actually get fixed recently. The hitch I found is that it does look at the SSL flag in the docker driver config of the job, so I had to set that to true.

[diptanu]

@waziers @trenton42 So what we have implemented there is Nomad to be able to use the dockercfg file specified by an operator. Nomad doesn't automatically do docker login or anything special to re-generate the dockercfg file on ECS, GCP, Quay or any other vendor specific platform currently. We expect the operator to have automation in place for re-generating the file.

The reason why this is hard to do is that the space is very fragmented and every registry provider has created their own way of authenticating with the registry and generate the credentials.

Also as @trenton42 has mentioned, if a registry is behind SSL, the SSL flag has to be set as true.

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.