cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon cloudfoundry

Docker password rotation

Open krismarc opened this issue 7 months ago • 2 comments

Since v2 goes to be removed. We would lack of an option to easily change currently used password for docker's user which is used to pull the image.

We have discussed this in following topics: https://github.com/cloudfoundry/cloud_controller_ng/issues/4390 https://github.com/cloudfoundry/cloud_controller_ng/issues/3304

What's the user value of this feature request? Currently to avoid restarting the application, there's an option to update the image registry user password by using v2 endpoint and it does all necessary steps behind scenes. In v3 this became more complicated and requires multiple actions to be performed.

Can be also achieved via cli, however, requires also multiple actions like:

  1. create new package - with new password and the image url from current droplet) cf create-package test --docker-image "<image_path>"
  2. stage that new package cf stage-package test --package-guid <new_package_guid>
  3. set current droplet to the one just staged cf set-droplet test <new_droplet_guid>

Would be nice to have this wrapped in something more elegant and easier to use.

Who is the functionality for? Docker based applications

How often will this functionality be used by the user? Whenever image registry user password is changed.

Who else is affected by the change? I don't think so.

Is your feature request related to a problem? Please describe. Whenever password needs to be rotated, there's also a need to sync it in CF. With v2 it was easy. With v3 it's more complex and would be nice to have some common option to perform such an action.

Describe the solution you'd like I'd like to change docker user password without a need to restart the application. There's no reason to do it right away. However, actual options like cf restage or cf push does it immediately.

krismarc avatar Jun 06 '25 07:06 krismarc

In terms of this feature. I'd also see beneficial to have current commands extended eg.

  1. cf set-droplet test (with no droplet guid provided so it takes the latest - as stage-package does)
  2. delete options for package and droplet
  3. cf restage with an option to prevent application being restarted (if user updated the password using v3, it would apply his changes)

krismarc avatar Jun 06 '25 07:06 krismarc

Eventually, this operation to be adjusted:

CF_DOCKER_PASSWORD="pwd" cf push main --docker-username <user_name>

currently it leads to an exception:

# CF_DOCKER_PASSWORD="pwd" cf push main --docker-username user_name
Incorrect Usage: '--docker-image, -o' and '--docker-username' must be used together

This could actually re-use current image and just restage the app without restarting it.

krismarc avatar Jun 06 '25 07:06 krismarc