Cannot authenticate with multiple docker registries

[adam-lebon]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and docker Provider) Version

Terraform version:

Terraform v1.0.0
on darwin_amd64
+ provider registry.terraform.io/kreuzwerker/docker v2.13.0

Docker for Mac version:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  compose: Docker Compose (Docker Inc., 2.0.0-beta.1)
  scan: Docker Scan (Docker Inc., v0.8.0)

 Server Version: 20.10.6

Affected Resource(s)

• The provider configuration
• docker_image

Terraform Configuration Files

terraform {
  required_providers {
    docker = {
      source = "kreuzwerker/docker"
      version = "2.13.0"
    }
  }
}

provider "docker" {
  registry_auth {
      address = "registry.internal.example"
      config_file = file("~/.docker/config.json")
  }

  registry_auth {
      address = "registry.gitlab.com"
      config_file = file("~/.docker/config.json")
  }
}

resource "docker_image" "nginx" {
  name = "nginx:latest"
}

Debug Output

https://gist.github.com/adam-lebon/56444f77c781c44b88caafb01b78da27

Expected Behaviour

As descibe in the documentation, we should be able to configure authentication to multiple registries.

Actual Behaviour

The 2.12.0 release added a new parameter MaxItems: 1 to the registry_auth block which prevents the usage of multiple private registry.

This result in terraform returning a error when validating the provider configuration :

$ terraform apply

│ Error: Too many registry_auth blocks
│ 
│   on  line 0:
│   (source code not available)
│ 
│ No more than 1 "registry_auth" blocks are allowed

Steps to Reproduce

1. Create a minimal configuration with 2 registry_auth block
2. Add a docker_image resource
3. terraform apply

References

https://github.com/kreuzwerker/terraform-provider-docker/blob/master/internal/provider/provider.go#L75

[mavogel]

Hi, a current workaround/way you can do this is creating multiple providers

provider "docker" {
  alias = "one"
  
  registry_auth {
      address = "registry.internal.example"
      config_file = file("~/.docker/config.json")
  }
}

provider "docker" {
  alias = "two"
   
  registry_auth {
      address = "registry.gitlab.com"
      config_file = file("~/.docker/config.json")
  }
}

resource "docker_image" "nginx" {
  provider = "docker.one"
  name = "nginx:latest"
}

Or is this a feature request? :)

[github-actions]

This issue is stale because it has been open 60 days with no activity.
Remove stale label or comment or this will be closed in 7 days.
If you don't want this issue to be closed, please set the label pinned.

[lucapircher]

Hi,
I am experiencing the same issue. After updating from version 2.11 to 2.15 a single docker provider with multiple registry_auth blocks is not considered valid anymore. This is an unexpected breaking change. The documentation for registry credentials still provides an example with multiple registry_auth blocks.

I am currently wondering if this breaking change was intentional. If that’s the case, the documentation is out of date at the moment.

[incpac]

Hi,

The registry_auth block was changed to a maximum of one in 2.12. 2.11 still works.

The provided solution of using multiple providers won't work when you need to authenticate to different registries in the same container. For example, pulling from one private registry and pushing to another.

[mavogel]

Yes it was accidentally limited to 1 item in #102

[gk-fschubert]

@mavogel can you say when this issue will be fixed?

[binlab]

@mavogel I encountered this unpleasant "feature" when updating the provider. Can you explain why this was done?

[binlab]

Hi, a current workaround/way you can do this is creating multiple providers

This workaround can be but in limited cases as mentioned before. In general, it only complicates the infrastructure code and requires many changes to existing environments. The concept of a Docker client means multiple credentials for different registries without context switching or creating aliases. So the same behavior was expected (and worked until version 2.12) from the Terraform Docker provider

[Junkern]

v2.19.0 finally supports multiple docker registries :) Please let me know if you encounter any issues!