Allow docker-client to use its own authentication (docker login), if present, otherwise use configured registry auth #61

Open
peterhaaf opened this issue Nov 13, 2020 · 11 comments · May be fixed by #78
@peterhaaf

Hi,

I need to have both options for auth.docker.io:
a.) a paid team key
b.) the option for pull secrets in K8s to give users the possibility to access their private repos.

Out of the box, this did not work. So I changed

    # Add the authentication info, if the map matched the target domain.
    proxy_set_header Authorization $finalAuth;

to

    if ( $http_authorization = "" ) {
        set $myfinalAuth $finalAuth;
    }
    if ( $http_authorization != "" ) {
        set $myfinalAuth $http_authorization;
    }

    # Add the authentication info, if the map matched the target domain.
    proxy_set_header Authorization $myfinalAuth;

Hope this helps others as well

Peter
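The same selection expressed with nginx's `map` directive, as an added example that is not part of the issue or of docker-registry-proxy's own config. It assumes, as in the snippet above, that an earlier `map` has already set `$finalAuth` to the proxy's configured credential for the target host (empty when none is configured); the variable names `$effective_auth` and `$auth_source` are chosen here for illustration.

```nginx
# http {} context. Assumes $finalAuth is produced by the project's existing
# host-to-credential map (not shown here).

# Choose the client's own Authorization header when the client sent one,
# otherwise fall back to the proxy's configured credential. This is the
# declarative equivalent of the two `if` blocks from the comment above.
map $http_authorization $effective_auth {
    ""      $finalAuth;           # client did not log in -> inject configured auth
    default $http_authorization;  # client did "docker login" -> pass it through
}

# Record which credential was used so the access log shows whether a pull
# went out under the shared team key or under the client's own login.
map $http_authorization $auth_source {
    ""      "proxy";
    default "client";
}

log_format auth_src '$remote_addr "$request" $status upstream=$host auth=$auth_source';

server {
    listen 3128;
    access_log /var/log/nginx/access.log auth_src;

    location / {
        # An empty $effective_auth makes nginx omit the header entirely, so a
        # host with no configured credential is proxied anonymously.
        proxy_set_header Authorization $effective_auth;
        proxy_pass https://$host$request_uri;
    }
}
```

Note that `proxy_set_header` directives are inherited from the enclosing level only when the current `location` declares none of its own, so every `location` that proxies registry traffic needs the `Authorization` line explicitly. The `auth=` field in the log is the simplest way to confirm, per request, that a client with its own pull secret is not silently being downgraded to the shared key.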

@rpardini (Owner)

I'm very confused. Interested in your use-case though, what is the actual difference between a and b?

@peterhaaf (Author)

We are a very large Org, with users having private Docker.io Repos, where they need their own key.
Other users however only use public repos and may face the load restriction, if they are not using a company/team wide account key.

Without this change, an individual key would get overwritten by the one specified in docker.auth.map and they could no longer access their images...

@peterhaaf (Author)

We use your proxy in front of a GKE Cluster, serving ~1600 Jenkins Instances

@rpardini (Owner)

Ok, so the case is something along these lines:

  • (some) docker clients do "docker login" with their own credentials (for docker.io) and pull public and private images
  • (some other) docker clients don't do any login, and pull public images only
  • docker-registry-proxy should only inject its configured auth if the client didn't already include it

Is that it?
Glad to hear it's working for your GKE cluster.

@peterhaaf (Author)

peterhaaf commented Nov 14, 2020

> docker-registry-proxy should only inject its configured auth if the client didn't already include it
> is that it?

Exactly!

With this, users using only public images do not need to specify a pull secret in their Pod Spec.

The trick to make this work on GKE is a daemonset modifying the dockerd settings to use the proxy.
(I wish I could send you a PR, but processes prevent me from doing so, at least for now.)

@salanki

salanki commented Nov 16, 2020

I have exactly the same need as @peterhaaf. Would love to have it merged in. Thank you.

@rpardini rpardini self-assigned this Dec 2, 2020
@rpardini rpardini changed the title How to use a public and private Authorisation Allow docker-client to use its own authentication (docker login), if present, otherwise use configured registry auth Dec 2, 2020
@chdeliens

I was looking for a proxy with caching of container images, stumbled upon your repo, and I was about to say "hey +1, I have the same need for passthrough authentication here" but then figured out that I just needed to remove the authentication from each of my pods' spec and use it to set up the proxy instead 😂 And this should not affect the overall security of my cluster. Will try this out soon :) Thanks @rpardini for this tool! 🙏

@salanki

salanki commented Dec 11, 2020

@rpardini: You have a donation paypal, ETH, or Amazon wishlist? Your work is super helpful.

@gw0

gw0 commented Feb 18, 2021

I believe this should be a configurable feature instead of default behavior.

I have a better use case: By default docker-registry-proxy should provide read-only/pull-only access to private Docker repos (like it does), but if someone needs to push, they should provide their own credentials (and those should be used for the push).

gw0 added a commit to gw0/docker-registry-proxy that referenced this issue Feb 18, 2021
@gw0 gw0 linked a pull request Feb 18, 2021 that will close this issue
@gw0

gw0 commented Feb 18, 2021

This feature request is implemented in PR #78 if you set the env var ALLOW_OWN_AUTH=true. (It also provides an alternative ALLOW_PUSH_WITH_OWN_AUTH.)

@Heshmatkhah

I have a similar need.
We have limited internet access in our company and different teams working on different projects and using different private registries and each person may have access to some of them.

We want a pull cache registry with internet access and set no authentication information (as we don't have authentication information of everyone) in our DMZ, and each person uses their own authentication information.

kiorky pushed a commit to corpusops/docker-registry-proxy that referenced this issue Nov 17, 2022