I think there might be a serious design issue preventing the use of a Container Registry hosted base image in Circle 2.0. That, or I’m just missing something
https://circleci.com/docs/2.0/private-images/ tells you to authenticate with GCR by providing a username/password in the “image/auth” section. Okay. But did anyone actually try this ?
The trouble is that with GCR you’re supposed to use the JSON contents of the service account key file as the password : https://cloud.google.com/container-registry/docs/advanced-authentication
(like so :
docker login -u _json_key -p "$(cat keyfile.json)" https://gcr.io)
And here’s the catch :
The GCE+Circle 2 doc tells you to base64 encode and store the service account credentials into a GOOGLE_AUTH project variable, then decode/restore it into a JSON keyfile inside a “run” directive before use with gcloud.
I don’t think there’s a built-in base64 decoding facility in the image: auth: section in the Circle 2.0 config file, and this all happens before the “run” directives.
I don’t think I can skip the base64 encoding step either and store the raw JSON into a project settings env var directly…
Has anyone managed to make this work ?