Merge pull request #345 from mstandley-tempus/add_additional_private_…

…registries add support for authenticating to additional docker registries
concourse · Jul 5, 2022 · 5ed1d3e · 5ed1d3e
2 parents 2745fcd + 50ff54d
commit 5ed1d3e
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -24,6 +24,23 @@ Note: docker registry must be [v2](https://docs.docker.com/registry/spec/api/).
 
 * `password`: *Optional.* The password to use when authenticating.
 
+* `additional_private_registries`: *Optional.* An array of objects with the
+  following format:
+
+  ```yaml
+  additional_private_registries:
+  - registry: example.com/my-private-docker-registry
+    username: my-username
+    password: ((my-secret:my-secret))
+  - registry: example.com/another-private-docker-registry
+    username: another-username
+    password: ((another-secret:another-secret))
+  ```
+
+  Each entry specifies a private docker registry and credentials to be passed
+  to `docker login`. This is used when a Dockerfile contains a FROM instruction
+  referring to an image hosted in a docker registry that requires a login.
+
 * `aws_access_key_id`: *Optional.* AWS access key to use for acquiring ECR
   credentials.
 

diff --git a/assets/common.sh b/assets/common.sh
@@ -117,7 +117,7 @@ log_in() {
   local username="$1"
   local password="$2"
   local registry="$3"
-  docker logout
+
   if [ -n "${username}" ] && [ -n "${password}" ]; then
     echo "${password}" | docker login -u "${username}" --password-stdin ${registry}
   else

diff --git a/assets/out b/assets/out
@@ -52,6 +52,20 @@ start_docker \
 	"${max_concurrent_uploads}" \
 	"$insecure_registries" \
 	"$registry_mirror"
+
+# idea to use base64 to iterate over an array of json objects
+# borrowed from https://www.starkandwayne.com/blog/bash-for-loop-over-json-array-using-jq/
+additional_private_registries_base64=$(jq -r '.source.additional_private_registries // []' < $payload | jq -r '.[] | @base64')
+
+# authenticate to additional registries (if any)
+for base64_line in ${additional_private_registries_base64}; do
+  additional_registry=$(echo $base64_line | base64 --decode | jq -r '.registry')
+  additional_username=$(echo $base64_line | base64 --decode | jq -r '.username')
+  additional_password=$(echo $base64_line | base64 --decode | jq -r '.password')
+  log_in "$additional_username" "$additional_password" "$additional_registry"
+done
+
+# authenticate to primary registry last
 log_in "$username" "$password" "$registry"
 
 tag_source=$(jq -r '.source.tag // "latest"' < $payload)
@@ -245,9 +259,10 @@ elif [ -n "$build" ]; then
   fi
 
   # NOTE: deactivate amazon-ecr-credential-helper so that builds go through with the DOCKER_BUILDKIT set
+  cp ~/.docker/config.json ~/.docker/config.json.bak
   cat <<< "$(jq 'del(.credsStore)' ~/.docker/config.json)" > ~/.docker/config.json
   docker build -t "${repository}:${tag_name}" "${target[@]}" "${expanded_build_args[@]}" "${expanded_labels[@]}" "${ssh_args[@]}" -f "$dockerfile" $cache_from "$build"
-  log_in "$username" "$password" "$registry" # This restores the credsStore: ecr-login to config.json if needed
+  mv ~/.docker/config.json.bak ~/.docker/config.json # This restores the credsStore: ecr-login to config.json if needed
 
 elif [ -n "$load_file" ]; then
   if [ -n "$load_repository" ]; then