Improve container credentials retrieval matching container repository names
Wave retrieves the container credentials to be used, querying Tower credentials for container-reg provider and looking for a matching registry name for the given repository e.g. docker.io given the repository docker.io/library/ubuntu.
However, this approach limits the possibility of authenticating repositories in the same registry owned by different users or organisations, requiring different credentials.
This issue aims to extend the credentials retrieval mechanism so that the entire container repository name is used to discover the matching credentials to be used, not just the registry name.
The implementation of this feature also requires that Tower allows, optionally, storing the full container name.
This issue requires changes on both the Tower and Wave side.
Tower
- The field "Registry server" in the container credentials should be changed to "Registry or repository name"
- The user can enter both values, such as `docker.io` or `docker.io/username/repositoryname`. Note: the tag should not be allowed, e.g. `docker.io/username/repositoryname:xyz` is not valid. When omitted it falls back to `docker.io` (like it's doing now)
- This value continues to be stored in the field registry
Wave side
The credentials matching logic on Wave should be extended so that it tries to match the keys:
- a given repository name
- fallback to the registry name if there's no match for the repository (already implemented)
The relevant code is this
https://github.com/seqeralabs/wave/blob/1546fe5925ca801d48865a650824e979f353604d/src/main/groovy/io/seqera/wave/service/CredentialServiceImpl.groovy#L49-L74
Caveats
When entering container credentials in Tower the keys are validated using this code, invoking this service on Wave.
The service accepts a registry name, i.e. docker.io. Not sure if it's possible to validate the credentials against a specific repository name, e.g. docker.io/orgname/reponame.
Tagging @jimmypoms that can help on Tower side
@pditommaso so this will allow collaborators to access private repos as described here https://docs.docker.com/docker-hub/repos/access/
I cannot add a collaborator to my Docker account.
Can you please add me to one of your private repos?
My username is hrma017
I've added you to the pditommaso/wave-tests repository
Please make this repository private.
I'd suggest using another repo for testing. Also, a bit more details about the expected behaviour.
Given a container repository, e.g. `host.com/foo/bar`, and a list of possible choices, the algorithm should pick the best match. For example, having the following list:
1. `host.com`
2. `host.com/foo`
3. `host.com/foo/bar`
4. `host.com/foo/bar/baz`
The best match is clearly 3. When having partial matches, the longest path having a partial match should be taken. For example, having these choices:
1. `host.com`
2. `host.com/foo`
3. `host.com/fooo`
4. `host.com/foo/bar/baz`
2 should be taken. Does it make sense?
Do we get this list of possible choices from tower credentials?
Yes, once the registry is modified to return (optionally) the repository name
@pditommaso I have added functionality to check credentials against a repository but I am still not clear where this algorithm to find the best match for a container registry will go. Should I add a `List<String>` of possible matches in ValidateRegistryCredsRequest.groovy? https://github.com/seqeralabs/wave/blob/d15f1c3813dd71a169795e90e987c4a81950de80/src/main/groovy/io/seqera/wave/controller/ValidateRegistryCredsRequest.groovy#L9-L16
> where this algorithm to find best match for a container registry will go?
Here. Now it fetches all container credentials, and then checks for the first one having a matching registry name, see here.
Instead, it should be assumed the field registry in the Tower credential can be a simple registry name, e.g. `docker.io`, a partial repository, e.g. `docker.io/username`, or a specific repo, e.g. `docker.io/username/reponame`. The goal is to pick the best match given the current repository name.
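The longest-path-prefix selection described in the two comments above, written out as an added example (not Wave's or Tower's code). It assumes the repository name is already fully qualified with its registry host, matches on whole path components so that `host.com/fooo` never matches `host.com/foo/bar`, and includes the Tower-side check that a credential key carries no tag or digest; the candidate lists are constructed for the demo.

```python
from typing import Iterable, List, Optional


def split_repo(name: str) -> List[str]:
    """Split 'host/path/...' into path components, dropping any tag or digest.

    A ':' in the first component is a registry port, not a tag, so only the last
    component is stripped of ':tag' / '@digest'.
    """
    parts = [p for p in name.strip().strip("/").split("/") if p]
    if len(parts) > 1:
        parts[-1] = parts[-1].split("@", 1)[0].split(":", 1)[0]
    return parts


def is_valid_credential_key(key: str) -> bool:
    """Tower-side validation: accept a registry or repository name, reject tags/digests."""
    parts = key.strip().strip("/").split("/")
    if not parts or not parts[0]:
        return False
    if len(parts) > 1 and any(c in parts[-1] for c in ":@"):
        return False  # e.g. docker.io/username/repositoryname:xyz
    return True


def best_match(repository: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose path components are the longest prefix of `repository`.

    A bare registry host (one component) is the fallback; a candidate longer than the
    repository, or one sharing only a string prefix inside a component, never matches.
    Returns None when no candidate even matches the registry host.
    """
    repo_parts = split_repo(repository)
    best, best_len = None, 0
    for cand in candidates:
        cand_parts = split_repo(cand)
        n = len(cand_parts)
        if n == 0 or n > len(repo_parts):
            continue
        if cand_parts == repo_parts[:n] and n > best_len:
            best, best_len = cand, n
    return best


if __name__ == "__main__":
    # Constructed candidate lists mirroring the two cases discussed in the thread.
    exact = ["host.com", "host.com/foo", "host.com/foo/bar", "host.com/foo/bar/baz"]
    partial = ["host.com", "host.com/foo", "host.com/fooo", "host.com/foo/bar/baz"]
    print(best_match("host.com/foo/bar", exact))    # host.com/foo/bar
    print(best_match("host.com/foo/bar", partial))  # host.com/foo
```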