Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker Credential #2440

Closed
2020testuser opened this issue May 1, 2020 · 6 comments
Closed

Docker Credential #2440

2020testuser opened this issue May 1, 2020 · 6 comments

Comments

@2020testuser
Copy link

I'm trying to use the remote docker registry credentials in Jib which is called inside an image script in Tekton Pipeline.
Wondering whether there is a better/easy way to set the credential other than using Docker secret , call the secret in a ServiceAccount and tie the ServiceAccount to the TaskRun. Since, I'm using old version of Jib, I'm unable to use $DOCKER_CONFIG.

Environment:
Jib 4.0.4
Tekton Pipeline
Kuberenes

  • Build tool: Gradle
  • OS: Windows to run Kubectl and Kubernetes cluster is running remotely
@loosebazooka
Copy link
Member

loosebazooka commented May 1, 2020
edited
Loading

@2020testuser we specifically added support for $DOCKER_CONFIG in newer versions of jib so we could support this usecase. Supporting issues in older versions of Jib is pretty expensive for us given that the engineering team is quite small. There's always the avenue of paid support for GCP customers with support contracts (please use those channels if that is true).

Having said that, we do look in <user-home>/.docker/config.json, so if you can create a symlink to that that you could get it to work.

I really do suggest you find a way to upgrade your gradle version to something newer that 4.6, 5.6.4 is the last release of the gradle5 and should be supported by jib potentially till the end of the year

@chanseokoh
Copy link
Member

On Tekton (basically on Kubernetes), for some reason if you don't want to use a ServiceAccount, another way I can think of is to mount a secret as a volume. See this Kubernetes doc: "Using Secrets as files from a Pod". Once you have the file, you can copy or symlink it to <user home>/.docker/config.json. The filename must be config.json in old Jib versions.

BTW, Tekton has some complex issues around $HOME. Thus, you may want to override "user home" manually in your script (e.g., export HOME=/some/arbitrary/home, and also pass -Duser.home=/some/arbitrary/home to gradle to enable Jib to pick up /some/arbitrary/home/.docker/config.json (for example, as in here). However, these complications would go away if you could use $DOCKER_CONFIG in recent Jib versions.

But when using an old version of Jib, your Docker secret on Kubernetes should be the type kubernetes.io/dockerconfigjson. Old Jib versions do not support the old Docker secret type. When mounting a secret, the filename on k8s will be the "data key name". So for instance, with the example from the doc below, .dockerconfigjson is the key name and the filename mounted on k8s will be /your/mount/path/.dockerconfigjson.

apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
  namespace: awesomeapps
data:
  .dockerconfigjson: UmVhbGx...
type: kubernetes.io/dockerconfigjson

@chanseokoh
Copy link
Member

Here's another Tekton example to mount a secret.

@2020testuser
Copy link
Author

2020testuser commented May 1, 2020
edited
Loading

Yes, I agree. Migrating to latest Gradle/Jib is better. I'm using Gradle 4.6 and is the latest Jib supported in it?
I believe I got an error (when I tested latest Jib with Gradle 4.6 ) that Gradle 5.x is needed to run the latest Jib. If latest Jib should support Gradle 4.6, let me know. I will retest.
Thanks!

@loosebazooka
Copy link
Member

I was hoping you could push your company to upgrade gradle.

@chanseokoh
Copy link
Member

I'll close this issue, as there is no action item on the Jib side. To make it clear, I'm afraid we don't have a plan to lower the minimum Gradle version requirement from 5.x in future Jib versions.

Just in case, note that you can use Gradle 5.1 inside the gradle:4.6 image if you create a wrapper. Most Gradle applications use a wrapper to pin down a certain Gradle version anyway. For example,

$ # testing `gradle:4.6` locally with Docker
$ docker run --rm -it --entrypoint bash gradle:4.6
gradle@afd18baef446:~$ mkdir my-project
gradle@afd18baef446:~$ cd my-project
gradle@afd18baef446:~/my-project$ # now create a Gradle 5.1 wrapper: /my-project/gradlew
gradle@afd18baef446:~/my-project$ gradle wrapper --gradle-version=5.1
Starting a Gradle Daemon (subsequent builds will be faster)

BUILD SUCCESSFUL in 2s
1 actionable task: 1 executed
gradle@afd18baef446:~/my-project$ # /my-project/gradlew created
gradle@afd18baef446:~/my-project$ ./gradlew --version
Downloading https://services.gradle.org/distributions/gradle-5.1-bin.zip
.................................................................................
Unzipping /home/gradle/.gradle/wrapper/dists/gradle-5.1-bin/djumv4jisrix1ndp1lfpceh59/gradle-5.1-bin.zip to /home/gradle/.gradle/wrapper/dists/gradle-5.1-bin/djumv4jisrix1ndp1lfpceh59
Set executable permissions for: /home/gradle/.gradle/wrapper/dists/gradle-5.1-bin/djumv4jisrix1ndp1lfpceh59/gradle-5.1/bin/gradle

Welcome to Gradle 5.1!

@mpeddada1 mpeddada1 mentioned this issue Nov 30, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@loosebazooka @chanseokoh @2020testuser