Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support auth from docker config #2560

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

feat: support auth from docker config #2560

wants to merge 10 commits into from
+236 −0

Conversation

skylenet
Copy link

@skylenet skylenet commented Oct 2, 2024

Description

Supports docker credentials from config (~/.docker/config.json). Read #2503

Is this change user facing?

yes

References (if applicable)

Fixes #2503

@gitguardian GitGuardian
Copy link

gitguardian bot commented Oct 2, 2024
edited
Loading

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
- - Generic High Entropy Secret 961d487 container-engine-lib/lib/backend_impls/docker/docker_manager/docker_auth_test.go View secret
- - Generic High Entropy Secret 41451af container-engine-lib/lib/backend_impls/docker/docker_manager/docker_auth_test.go View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@skylenet
Copy link
Author

skylenet commented Oct 2, 2024

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

False positive, it's just user:password b64 encoded in a test.

@skylenet
Copy link
Author

skylenet commented Oct 4, 2024

As @pk910 mentioned it to me, this will probably not work since the engine is running in its own container, so there's no access to the users config file there. So we might need to:

  • Option 1: Change this fetch the credentials at the kurtosis cli and then propagate them to the engine API.

  • Option 2: Mount the docker config dir to the engine container. Which will probably cause more problems due to it not having access to the different credential helpers that each system uses.

tedim52
tedim52 reviewed Oct 4, 2024
View reviewed changes
container-engine-lib/lib/backend_impls/docker/docker_manager/docker_auth_test.go
)

// WriteStaticConfig writes a static Docker config.json file to a temporary directory
func WriteStaticConfig(t *testing.T, configContent string) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we make make this a private helper function if it's not used outside of the package?

tedim52
tedim52 reviewed Oct 4, 2024
View reviewed changes
container-engine-lib/lib/backend_impls/docker/docker_manager/docker_auth_test.go
return tmpDir
}

func TestGetAuthConfigForRepoPlain(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice tests : )

@tedim52
Copy link
Contributor

tedim52 commented Oct 4, 2024
edited
Loading

Good callout by @pk910. I think Option1 is the way to go here. I did a similar thing to propagate github auth credentials to the engine. Here is that PR: #2113. Specifically the github_auth_store finds the token and passes it to the engine. The engine then passes the token to each created enclave.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tedim52 tedim52 tedim52 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unable to do dockerhub login
2 participants
@skylenet @tedim52