Fix fetching registry credentials when using Gcloud cred helper

[HiranmayaGundu]

When creating a container using a docker image from a private repository, testcontainers would fail to auth correctly, and would never fetch the image. i.e., FROM gcr.io/<image> would fail. This is not a problem when running the image directly. After a bit of digging, it seems like serverURL was being set as undefined, and it seems like the fix is to use the credentials object that has the server list.

I'm not sure how to go about adding a test for this, it needs a Dockerfile to a private repository that the project has access to.

[netlify]

✅ Deploy Preview for testcontainers-node ready!

Name	Link
🔨 Latest commit	9f0cc68
🔍 Latest deploy log	https://app.netlify.com/sites/testcontainers-node/deploys/66918f50ed4085000806c14d
😎 Deploy Preview	https://deploy-preview-764--testcontainers-node.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[HiranmayaGundu]

I'm not entirely sure if this is the correct fix -- just that it fixed my issue when I ran a test. I'm having difficulty running the entire suite locally. None of the tests failed at pulling an image fwiw

[javierlopezdeancos]

Hi @HiranmayaGundu, looking the problem of testing the functionality, could we test this functionality with a private access image in Docker Hub? 🤔

[HiranmayaGundu]

@javierlopezdeancos we could, but it would have to be a private docker hub image that the project has access to (and presumably one that i personally don't have access to)

[javierlopezdeancos]

hi @HiranmayaGundu yep, I think that should be an image created to someone from the docker organization to this proposes cc @eddumelendez @cristianrgreco

[kiview]

I don't think using Docker Hub for such an integration test makes sense, since community contributors would not have access to such a private image.

Can we replicate the scenario by starting a registry ourselves, or would the auth mechanism behave very differently?

If a maintainer of the repo (e.g. @cristianrgreco) can manually test that this works, I think it is also fine and we should not block the merging if the can't find a way to conveniently test it.

[HiranmayaGundu]

@javierlopezdeancos @cristianrgreco wanted to bump this for review 🙏🏽

[cristianrgreco]

Hi @HiranmayaGundu, thanks for raising this PR, I'll verify this works this weekend.

[HiranmayaGundu]

Thank you @cristianrgreco! Appreciate it 😄

[cristianrgreco]

@HiranmayaGundu I can't reproduce the issue using an image from AWS ECR. I'm creating a container as follows:

new GenericContainer("[ID].dkr.ecr.eu-west-2.amazonaws.com/[IMAGE-NAME]:latest")

I am running this after I have done a docker login.

After logging in I can see the registry key under auths in ~/.docker/config.json.

Could you share some more info:

• How to reproduce
• What your ~/.docker/config.json looks like for the registry you're failing to auth with via Testcontainers

[HiranmayaGundu]

@cristianrgreco This issue only occured for me when I tried to build an image, so when doing

const container =  await GenericContainer.fromDockerfile("./dockerfile").build();

where the docker file is

FROM <private repo>/image

The issue was consistently reproducible for me. I was using a private GCR repository for the base image.
my docker config looks like this

{
        "credsStore": "desktop",
        "credHelpers": {
                "asia.gcr.io": "gcloud",
                "eu.gcr.io": "gcloud",
                "gcr.io": "gcloud",
                "marketplace.gcr.io": "gcloud",
                "staging-k8s.gcr.io": "gcloud",
                "us.gcr.io": "gcloud"
        },
        "currentContext": "desktop-linux"
}          

[cristianrgreco]

I've tried as you said from a Dockerfile and it also works.

The difference between your setup and mine is that you have a cred helper setup for gcloud. This is supported so we'll need to further debug what's going on.

When you run:

docker-credential-gcloud list

Could you confirm that any of the keys in the response matches the gcr registry from which you're trying to pull the image? A match is considered if they're equal with or without protocol. If unsure please share the contents here, omitting any sensitive data.

If there's a match, run:

echo '<registry>' | docker-credential-gcloud get

Where registry is the exact same registry as you have in your Dockerfile. Do you get a response and does the ServerURL match? If not please share details as to what's mismatched.

[HiranmayaGundu]

When you run:
docker-credential-gcloud list
Could you confirm that any of the keys in the response matches the gcr registry from which you're trying to pull the image? A match is considered if they're equal with or without protocol. If unsure please share the contents here, omitting any sensitive data.

Yes, I have an exact match for the registry I am pulling from.

run:
echo '' | docker-credential-gcloud get
Where registry is the exact same registry as you have in your Dockerfile. Do you get a response and does the ServerURL match? If not please share details as to what's mismatched.

There is no ServerURL in the response, just a Secret and Username field

[cristianrgreco]

Looks like there's a lot of inconsistency around the Google credential helpers, see here as well: #739. I guess there's no harm in defaulting to the registry URL if the response.ServerURL is undefined.

@HiranmayaGundu are you OK to update the PR for this? I'm thinking registryAddress: credentialForRegistry => registryAddress: response.ServerURL ?? credentialForRegistry and a test in credential-provider.test.ts for it

[HiranmayaGundu]

Yeah, I can push the changes later today!

[HiranmayaGundu]

@cristianrgreco made the changes!

[cristianrgreco]

Thanks for the PR and for your patience in getting it reviewed and merged @HiranmayaGundu! I'm going to merge a couple of other patch changes and then do a release