
Add option to point at auth.json file

Open michaelerickson opened this issue 2 years ago • 2 comments

I was trying to keep container registry credentials out of the Nomad job specification. My idea was to store them in Vault and use a Nomad template to pull them. As far as I can tell, Podman doesn't let you override using a set of environment variables; rather, you point it at an auth.json file on the command line, or use the REGISTRY_AUTH_FILE environment variable to tell it where to read credentials from (see docs).

I did podman login on a host and noted the generated $XDG_RUNTIME_DIR/containers/auth.json file. I then grabbed the auth portion and stored it in Vault.

In the Nomad job specification I used a template to create a version of the auth file according to the format as below:

      template {
        data = <<EOH
        {
          "auths": {
            "ghcr.io": {
              "auth": "{{with secret "secret/data/github/creds"}}{{.Data.data.auth}}{{end}}"
            }
          }
        }
        EOH

        destination = "local/auth.json"
        change_mode = "noop" # We don't care if this value changes once we are running
      }

I then tried to get Podman to recognize that file using:

      env {
        HTTP_PORT          = "${NOMAD_PORT_http}"
        ENV                = "dev"
        # So Podman can find the auth file
        REGISTRY_AUTH_FILE = "${NOMAD_TASK_DIR}/auth.json"
      }

Unfortunately, Podman would not pick up the credentials. I viewed the created file under local and it looked correct to me.

The tasks all failed because the container could not be pulled from the registry.

My guess is that REGISTRY_AUTH_FILE is not available to the driver, so it isn't using it?

The feature that would be useful is adding an option to point the driver at the credentials file to use.

michaelerickson, Jun 08 '22 22:06
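The post above relies on eyeballing the rendered `local/auth.json` ("it looked correct to me"). The following is an added example, not code from the issue or from the nomad-driver-podman project: a small validator for the `auths` file format Podman reads (a map keyed by registry, each entry carrying either a base64 `auth` value of `user:secret` or explicit `username`/`password`). It flags the defects a Vault template can produce silently, such as an empty secret when the lookup returned nothing, a value that is not base64, or a decoded value without the `user:secret` separator, and it also warns when the file is readable by other users, since a task directory holding registry credentials should be mode 0600. The registry names and secret values in `demo()` are constructed for the example.

```python
"""Validate a rendered containers auth.json before Podman is pointed at it.

Added example; not part of nomad-driver-podman. Sample data is constructed.
"""
import base64
import binascii
import json
import os
import stat
import tempfile


def validate_auth_entry(registry, entry):
    """Return a list of problems for one registry entry (empty list means ok)."""
    problems = []
    if not isinstance(entry, dict):
        return [f"{registry}: entry must be an object"]
    if "auth" in entry:
        raw = entry["auth"]
        if not raw:
            # A template whose secret lookup yielded nothing renders "".
            problems.append(f"{registry}: 'auth' is empty (template rendered no secret?)")
            return problems
        try:
            decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            problems.append(f"{registry}: 'auth' is not valid base64")
            return problems
        if ":" not in decoded or decoded.startswith(":") or decoded.endswith(":"):
            problems.append(f"{registry}: decoded 'auth' is not 'user:secret'")
    elif "username" in entry and "password" in entry:
        if not entry["username"] or not entry["password"]:
            problems.append(f"{registry}: username or password is empty")
    else:
        problems.append(f"{registry}: needs 'auth' or 'username' + 'password'")
    return problems


def validate_auth_file(path):
    """Validate a whole auth.json. Returns (ok, problems, registries)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:o} is readable by group/others; expected 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except json.JSONDecodeError as exc:
        return False, problems + [f"{path}: not valid JSON ({exc.msg} at line {exc.lineno})"], []
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return False, problems + [f"{path}: top-level 'auths' map missing or empty"], []
    for registry, entry in auths.items():
        problems.extend(validate_auth_entry(registry, entry))
    return not problems, problems, sorted(auths)


def demo():
    """Write two constructed files to a temp dir and validate both.

    'good' mirrors what `podman login` writes; 'bad' mirrors a template whose
    Vault lookup rendered nothing, plus a hand-edited non-base64 value and
    overly permissive file mode.
    """
    good = {"auths": {"ghcr.io": {"auth": base64.b64encode(b"octocat:ghp_EXAMPLE").decode()}}}
    bad = {"auths": {"ghcr.io": {"auth": ""}, "docker.io": {"auth": "not base64!"}}}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, doc, mode in (("good", good, 0o600), ("bad", bad, 0o644)):
            path = os.path.join(tmp, f"{name}-auth.json")
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
            os.chmod(path, mode)
            results[name] = validate_auth_file(path)
    return results


if __name__ == "__main__":
    for name, (ok, problems, registries) in demo().items():
        print(f"{name}: ok={ok} registries={registries}")
        for problem in problems:
            print("  -", problem)
```

Run it against the real rendered file with `validate_auth_file("/path/to/alloc/task/local/auth.json")` from the Nomad client host; a clean result narrows the failure to how the path is handed to Podman rather than to the file's content.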

You might also consider https://github.com/morningconsult/docker-credential-vault-login as an alternative method to get credentials from vault to podman, without actually involving nomad (despite the name, this also works with podman).

It assumes any job running on the host should have access to the same registry credentials, which might not be what you're looking for, and having nomad able to pull different registry creds from vault per job may still be handy to have.

optiz0r, Jul 02 '22 21:07

Thanks @optiz0r, I will take a look at that.

michaelerickson, Jul 05 '22 16:07