-
Notifications
You must be signed in to change notification settings - Fork 832
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support GCP Artifact Registry #1681
Comments
Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏 |
Are you sure this doesn't work? The code you are thinking of is only used for HEAD requests (which I don't even know if GCP support?). It should just fall back to doing a pull as normal if it cannot perform a HEAD request. And, when pulling it's not watchtower that does the authentication, it's the docker daemon itself. |
@piksel So it seems that it does try a normal pull but that fails and says authentication failed. Hope this gives more insight into the problem (: |
Can confirm, Watchtower does not work on Google Artifact Registry. |
Like I said, it's always the docker daemon that does the pull and authentication. The error even contains |
We authenticate with the repo by following the steps in the watchtower docs: https://containrrr.dev/watchtower/private-registries/ Where it says to authenticate with GCloud you would base64 encode the value of your service account key and insert that into a config.json, then mount that into the container. However when we do this watchtower errors out. When i try to authenticate manually it pulls the image just fine. |
Hm, it says that you should base64 encode it as This is the GCP docs for reference: |
Yes the whole thing is base64 encoded as described in the docs |
What do you mean by:
Are you saying that using the same config.json as you mount in the container can be used to authenticate with the |
Yes exactly, when i use the same config.json to authenticate with the docker CLI it works as expected |
Can you please post a redacted version of your |
@simskij Yeah sure i have posted it below:
|
And the bash echo -n "_json_key:$(cat gcloudauth.json)" | base64 -w0 |
@Kerwood |
And in your container config, have you prefixed your container image names with the registry they will be fetched from (and does it match |
Is your feature request related to a problem? Please describe.
Currently you cannot authenticate against the google artifact registry with the config.json file in watchtower.
The reason for watchtower failing authentication is because of the expected strings in the www-authenticate header. Currently watchtower expects both a realm and a service string but the artifact registry does not send any service string when sending a HTTP GET request.
example below:
This is not an issue when creating a config.json and authenticating against the artifact registry manually.
Describe the solution you'd like
Watchtower should be able to authenticate against the google artifact registry using the config.json file by not expecting a service string.
Describe alternatives you've considered
An alternative would be to build a container that have gcloud installed, this however would be a very bloated container compared to making the config.json file work
Additional context
No response
The text was updated successfully, but these errors were encountered: