Impossible to use a private gcr.io base image on Circle 2.0?

docker
cci-20

#1

Hi,

I think there might be a serious design issue preventing the use of a Container Registry hosted base image in Circle 2.0. That, or I’m just missing something :)

https://circleci.com/docs/2.0/private-images/ tells you to authenticate with GCR by providing a username/password in the “image/auth” section. Okay. But did anyone actually try this?

The trouble is that with GCR you’re supposed to use the JSON contents of the service account key file as the password: https://cloud.google.com/container-registry/docs/advanced-authentication
(like so: docker login -u _json_key -p "$(cat keyfile.json)" https://gcr.io)

And here’s the catch:
https://circleci.com/docs/2.0/google-container-engine/
The GCE+Circle 2 doc tells you to base64 encode and store the service account credentials into a GOOGLE_AUTH project variable, then decode/restore it into a JSON keyfile inside a “run” directive before use with gcloud.

I don’t think there’s a built-in base64 decoding facility in the image: auth: section in the Circle 2.0 config file, and this all happens before the “run” directives.

I don’t think I can skip the base64 encoding step either and store the raw JSON into a project settings env var directly…

Has anyone managed to make this work?


#2

Hey @renaudguerin -

I was able to get this working by adding this:

docker: 
  - image: gcr.io/project/image-name
    auth:
      username: _json_key
      password: $GCR_CREDS

I put the contents of keyfile.json into an environment variable for the build called GCR_CREDS, which is then passed in.
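A check for which form of the key a variable holds, as an added example that is not part of the original thread: the image `auth:` block above is given the raw JSON, while the `GOOGLE_AUTH` variable described in post #1 is base64-encoded. The function names and the sample key are constructed for illustration, and the sample key is not a real credential.

```python
import base64
import json
import os

# Fields present in every Google service account key file.
REQUIRED = ("type", "project_id", "private_key", "client_email")

# Constructed sample, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-puller@example-project.iam.gserviceaccount.com",
})


def parse_key(text):
    """Return the key as a dict if text is service account key JSON, else None."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if isinstance(data, dict) and data.get("type") == "service_account" \
            and all(field in data for field in REQUIRED):
        return data
    return None


def classify_credential(value):
    """Return (kind, raw_json): kind is 'raw-json', 'base64-json' or 'invalid'."""
    if parse_key(value.strip()) is not None:
        return "raw-json", value.strip()
    try:
        # `base64` wraps its output, so drop whitespace before strict decoding.
        decoded = base64.b64decode("".join(value.split()), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "invalid", None
    return ("base64-json", decoded) if parse_key(decoded) else ("invalid", None)


def describe(value):
    """Log-safe summary: names the account, never echoes the private key."""
    kind, raw = classify_credential(value)
    if raw is None:
        return "invalid: not a service account key"
    return f"{kind}: {parse_key(raw)['client_email']}"


if __name__ == "__main__":
    print(describe(os.environ.get("GCR_CREDS", "")))
```

A `base64-json` result means the variable holds the encoded form used for `GOOGLE_AUTH` and would need decoding before it matches what post #2 stored in `GCR_CREDS`.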


#3

Thanks, so that means it’s okay to put raw JSON inside these variables after all.
Good news, but I wonder why the docs recommend base64 encoding first.


#4

I hope the documentation team adds this. @renaudguerin, very helpful.


#5

Opened an issue to address this: https://github.com/circleci/circleci-docs/issues/1534


#6

Hi,

I have https://github.com/circleci/circleci-docs/pull/1542 up with this addition to the config, but I need a review from @renaudguerin if possible because I just guessed that it shouldn’t replace the existing step.

Thank you!
Michelle


#7

Hi @michelle-luna and @rohara,

If it’s definitely okay to put raw JSON inside an env variable that the docker:auth directive will use, then this makes the base64 encoding steps explained elsewhere moot.

Were the base64 encoding steps you recommend just extra precaution, or are they actually required in some cases?

The docs should probably decide one way or the other and be consistent with it.


#8

Hi,

Thanks @renaudguerin for the help to get this doc corrected. It is fixed now (I missed this post and was waiting for comments in the PR). Sorry it took so long.

Regards,
Michelle


#9

@michelle-luna @rohara

I see this updated the Google Container Engine page (GCK), but “Using private images” is the first page I found on Google, and it seems there is an AWS ECR section. I suggest adding a GCR section there and moving the content from the GCK page.

