#Publish requiring multiple registry auth


opal cedar
#

I want to pull a base image from a private Harbor and publish it to an also-private Harbor.

In this case, the registryAuth required for pull and the registryAuth required for publish are two different things. (To be precise, the URL of the registry is the same, but the user information to be authenticated is different.)

Please let me know how to resolve this.

#

If implemented as shown below, a pull will result in a 401. (Authentication information is correct)

func main() {
    ctx := context.Background()

    // initialize Dagger client
    client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stderr))
    if err != nil {
        panic(err)
    }
    defer client.Close()

    ref, err := client.
        Container().
        // credentials meant for the pull
        WithRegistryAuth("registry", "pulluser", client.SetSecret("pullPassword", "pullPassword")).
        From("my-image:1.0.0").
        WithExec([]string{"hogehoge..."}).
        // credentials meant for the publish (same registry address)
        WithRegistryAuth("registry", "pushUser", client.SetSecret("pushPassword", "pushPassword")).
        Publish(ctx, "registry//my-custom-image:1.0.0") //#nosec
    if err != nil {
        panic(err)
    }

    fmt.Printf("Published image to :%s\n", ref)
}
molten tangle
#

Are you able to pull the image locally?
e.g.: docker pull demo.goharbor.io/PROJECT/REPOSITORY@sha256:9f8d5ad72666b00dc6424de7330baa02c6b27254dcc185c84eaf7cf1fed61db2

austere nimbus
#

@opal cedar have you validated that your push credentials are working as expected?

this should work as you're doing it now. Can you try publishing something without doing the pull first just to validate? Basically something like this:

    client.Container().
    WithNewFile("/foo", dagger.ContainerWithNewFileOpts{Contents: "bar"}). 
    WithRegistryAuth("my-registry", "my-username", client.SetSecret("regpwd", "bar")).
    Publish(ctx, "registry://my-image:1.0.0")
opal cedar
#

It works if you use an image that does not authenticate at the time of pull.

func main() {
    ctx := context.Background()

    // initialize Dagger client
    client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stderr))
    if err != nil {
        panic(err)
    }
    defer client.Close()

    src := client.Host().Directory(".")

    // build from the local Dockerfile; no registry credentials are set for the pull
    builder := client.Container().Build(src)

    // addresses: the list of target image references, defined elsewhere
    container := client.Container().WithRegistryAuth("harbor.example.com", "my-username2", client.SetSecret("pushpwd", "bar"))
    for _, address := range addresses {
        response, err := container.Publish(ctx, strings.TrimSuffix(address, "\r"), dagger.ContainerPublishOpts{PlatformVariants: []*dagger.Container{builder}})
        if err != nil {
            panic(err)
        }
        fmt.Printf("Published image to :%s\n", response)
    }
}

Also, the respective credentials will be correct, as the Build-only run will also succeed.

func main() {
    ctx := context.Background()

    // initialize Dagger client
    client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stderr))
    if err != nil {
        panic(err)
    }
    defer client.Close()

    src := client.Host().Directory(".")

    // build with the pull credentials only
    builder := client.Container().
        WithRegistryAuth("harbor.example.com", "my-username1", client.SetSecret("pullpwd", "foo")).
        Build(src)
    _ = builder // nothing else uses builder in this snippet
}
#

However, when I run the following code, I get a 401 authentication error on pull.

func main() {
    ctx := context.Background()

    // initialize Dagger client
    client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stderr))
    if err != nil {
        panic(err)
    }
    defer client.Close()

    src := client.Host().Directory(".")

    // pull credentials for harbor.example.com
    builder := client.Container().
        WithRegistryAuth("harbor.example.com", "my-username1", client.SetSecret("pullpwd", "foo")).
        Build(src)

    // push credentials for the same registry address
    // addresses: the list of target image references, defined elsewhere
    container := client.Container().WithRegistryAuth("harbor.example.com", "my-username2", client.SetSecret("pushpwd", "bar"))
    for _, address := range addresses {
        response, err := container.Publish(ctx, strings.TrimSuffix(address, "\r"), dagger.ContainerPublishOpts{PlatformVariants: []*dagger.Container{builder}})
        if err != nil {
            panic(err)
        }
        fmt.Printf("Published image to :%s\n", response)
    }
}
#

Is the first set of credentials overwritten by the credentials just before publishing...?

austere nimbus
#

oh yes, that's the case

#

what you need to do is something like:

ctr, err := client.Container().WithRegistryAuth("pull", "bar").From("private-registry/my-img").Sync(ctx)

ctr.WithRegistryAuth("push", "baz").Publish(ctx, "private-registry/new-img")
#

the fact that you call Sync between the two operations, will allow you to use different credentials

#

as the Sync operation allows you to force the pipeline execution up to that stage