Get Credentials from Kubernetes Secret

[HknLof]

Environment:
Kubernetes 1.21

• Jib version:
  jib-core-0.20.0
• Build tool: None
• OS: Any on K8s

Description of the issue:
One task encountered is to build images, push images, and run these deploy these images on Kubernetes at runtime.

Problem:
DockerConfigCredentialRetriever.java is sufficient for setups where the authentication token is not changed. But not sufficient for a setup with rolling keys. So, once a given docker-registry secret changes, this means a volume with the given secret needs to be re-mounted / the pod restarted.

Expected behavior:
It would be great to have an implementation KubernetesConfigCredentialRetriever.java, which either links to a ServiceAccount or new KubernetesConfigCredentialRetriever(String kubernetesSecret) instance to retrieve the credentials from a local secret.

[mpeddada1]

@HknLof There are a number of ways in which Jib gathers credentials. One of the ways is through reading the $HOME/.docker/config.json file. As described in this suggestion by @chanseokoh, if you follow the steps to mount a secret in a volume and copy/symlink the file to $HOME/.docker/config.json then that can be picked up by Jib.

Additionally, this documentation highlights GCR auth on GKE using Application Default Credentials. It describes how you can you can generate a JSON key from a service account, save the key as a secret and expose it through the GOOGLE_APPLICATION_CREDENTIALS env variable which will then be used by Jib.

Let us know if this what you're looking for.

[HknLof]

@mpeddada1 thank you for the information. That, is how I am working with Jib right now. For now, this is sufficient. Probably we will have our own CredentialProvider for the use case, where registry tokens might change. Thanks, for the fast reply :)