RFC: Use default key chain for authentication to the registry #254
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This should allow simple specialisations of the resource to allow for specific container registry variants without changing the existing behaviour.
For example, to use this with GCR the existing registry-image image can be used as a base layer and then we can copy in a ~/.docker/config.json and optionally a credential manager to authenticate.
Our use case:
We exclusively use google container registry and currently authenticate using the
_json_key:service_account.json
hack described here concourse/docker-image-resource#73 (comment).A big drawback of this approach is that a developer can read this secret by printing it out in a task.
We want to be reasonably sure that any images that are stored in our production container registry have been built by Concourse so that we have some sort of an audit trail for what has been used to build the image. One approach to achieve this is to use the VM service account / application default credentials to authenticate. Ordinarily you would achieve this by using a credential manager and a docker configuration file.
For the
oci-build-task
anddocker-registry
resources we have a partial hack in place that does just that. i.e. a Dockerfile containingand a config file containing:
However, the
check
stage of the docker-registry resource does not work with this as it doesn't use docker directly. We'd like to get away from the docker-registry resource either way given that development is frozen on it and it is deprecated.This PR is largely untested, but I would like some feedback on the approach before continuing.