Allow docker-client to use its own authentication (docker login), if present, otherwise use configured registry auth

[peterhaaf]

Hi,

i need to have both options: for auth.docker.io
a.) a paid team key
b. ) the option for pull secrets in K8s to give users the possibility to access their private repos.

Out of the Box, this did not work. So i changed

Add the authentication info, if the map matched the target domain.

    proxy_set_header Authorization $finalAuth;

to
if ( $http_authorization = "" ) {
set $myfinalAuth $finalAuth;
}
if ( $http_authorization != "" ) {
set $myfinalAuth $http_authorization;
}

    proxy_set_header Authorization $myfinalAuth;

Hope this helps others as well

Peter

[rpardini]

I'm very confused. Interested in your use-case though, what is the actual difference between a and b?

[peterhaaf]

We are a very large Org, with users having private Docker.io Repos, where they need their own key.
Other users however only use public repos and may face the load restriction, if they are not using a company/team wide account key.

Without this change, an invidual key would get overwritten by the one specified in docker.auth.map and they could not access their images no more...

[peterhaaf]

We use your proxy in front of a GKE Cluster, serving ~1600 Jenkins Instances

[rpardini]

Ok, so the case is something along these lines:

• (some) docker clients do "docker login" with their own credentials (for docker.io) and pull public and private images
• (some other) docker clients don't do any login, and pull public images only
• docker-registry-proxy should only inject it's configured auth if the client didn't already include it
  is that it?
  glad to hear it's working for your GKE cluster.

[peterhaaf]

docker-registry-proxy should only inject it's configured auth if the client didn't already include it
is that it? Exactly !

With this, users using only public images do not need to specify a pull secret in their Pod Spec.

The trick to make this work on GKE is a daemonset modifying the dockerd settings to use the proxy.
( I wish i could send you a PR, but processes prevent me from doing so ( at least for now ))

[salanki]

I have exactly the same need as @peterhaaf. Would love to have it merged in. Thank you.

[chdeliens]

I was looking for a proxy with caching of container images, stumbled upon your repo, and I was about to say "hey +1, I have the same need for passthrough authentication here" but then figured out that I just needed to remove the authentication from each of my pods' spec and use it to set up the proxy instead 😂 And this should not affect the overall security of my cluster. Will try this out soon :) Thanks @rpardini for this tool! 🙏

[salanki]

@rpardini: You have a donation paypal, ETH, or Amazon wishlist? Your work is super helpful.

[gw0]

I believe this should be a configurable feature instead of default behavior.

I have a better use case: By default docker-registry-proxy should provide read-only/pull-only access to private Docker repos (like it does), but if someone needs to push, he should provide its own credentials (and those should be used for the push).

[gw0]

This feature request is implemented in PR #78 if you set the env var ALLOW_OWN_AUTH=true. (It also provides an alternative ALLOW_PUSH_WITH_OWN_AUTH.)

[Heshmatkhah]

I have a similar need.
We have limited internet access in our company and different teams working on different projects and using different private registries and each person may have access to some of them.

We want a pull cache registry with internet access and set no authentication information (as we don't have authentication information of everyone) in our DMZ, and each person uses their own authentication information.