docker-credential-magic-proxy

Overview

docker-credential-magic-proxy is an HTTP proxy that injects the authentication header needed to access private Docker registries. The credentials in $HOME/.docker/config.json or $DOCKER_CONFIG/config.json are used to generate the authentication header. In addition, the Docker credential helpers for GCR, ECR, and ACR are included so that repositories on those registries are supported.

Please note that the name of this project is inspired by https://github.com/docker-credential-magic/docker-credential-magic.

Build

HUB=${YOUR_DOCKER_REPO} make publish

Let's run

Here we use GKE for demonstration purposes. Other platforms (AWS or Azure) can be used with similar settings.

Preparation

If GKE is used, Workload Identity needs to be enabled.

gcloud iam service-accounts add-iam-policy-binding [email protected] \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:PROJECT-NAME.svc.id.goog[magic/magic-service-account]"

Deploy Proxy

kubectl create namespace magic
cat <<EOF | kubectl apply -n magic -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: magic-service-account
  # In GCP, to access the private registry using Workload Identity, the service account needs to be set up.
  # e.g.)
  # annotations:
  #   "iam.gke.io/gcp-service-account": "[email protected]"
---
apiVersion: v1
kind: Pod
metadata:
  name: docker-credential-magic-proxy
  labels:
    app: docker-credential-magic-proxy
spec:
  serviceAccountName: magic-service-account
  containers:
  - name: proxy
    image: ghcr.io/ingwonsong/docker-credential-magic-proxy/proxy:latest
    args:
    - "--proxy-port"
    - "5000"
EOF

Run Crane without local credentials

# Forward the proxy port to a local address. This command stays in the foreground; run crane from a second terminal.
kubectl port-forward -n magic docker-credential-magic-proxy 5000:5000
# DOCKER_CONFIG is set to /tmp here so that ~/.docker/config.json is ignored
DOCKER_CONFIG=/tmp crane ls localhost:5000/forwardto/gcr.io/YOUR-PRIVATE-REPO
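
To make the request flow concrete: for the crane command above, the Registry HTTP API means the proxy receives GET /v2/forwardto/gcr.io/YOUR-PRIVATE-REPO/tags/list. The sketch below is an added example, not code from this project; it shows one way such a path can be mapped to the upstream URL and a header built from a config.json "auths" entry. The rewrite function, the sample config, and the Basic-auth-only handling are assumptions (the bundled credential helpers are not modelled).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig models only the "auths" section of a Docker config.json.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"` // base64("user:password")
	} `json:"auths"`
}

// Constructed sample config; the credential is a placeholder, not a real secret.
var sampleConfig = []byte(`{"auths":{"gcr.io":{"auth":"` +
	base64.StdEncoding.EncodeToString([]byte("demo-user:demo-pass")) + `"}}}`)

// rewrite (hypothetical helper) returns the upstream URL and the Authorization
// header for a client path. The header is empty when config.json has no entry
// for the upstream host, so credentials never go to a registry they were not issued for.
func rewrite(path string, cfgJSON []byte) (string, string, error) {
	const prefix = "/v2/forwardto/"
	if !strings.HasPrefix(path, prefix) {
		return "", "", fmt.Errorf("path %q lacks %s", path, prefix)
	}
	host, rest, ok := strings.Cut(strings.TrimPrefix(path, prefix), "/")
	if !ok || host == "" || rest == "" {
		return "", "", fmt.Errorf("path %q names no repository", path)
	}
	var cfg dockerConfig
	if err := json.Unmarshal(cfgJSON, &cfg); err != nil {
		return "", "", err
	}
	upstream, authz := "https://"+host+"/v2/"+rest, ""
	if e, found := cfg.Auths[host]; found {
		raw, err := base64.StdEncoding.DecodeString(e.Auth)
		if err != nil || !strings.Contains(string(raw), ":") {
			return "", "", fmt.Errorf("malformed auth entry for %s", host)
		}
		authz = "Basic " + e.Auth
	}
	return upstream, authz, nil
}

func main() {
	fmt.Println(rewrite("/v2/forwardto/gcr.io/team/app/tags/list", sampleConfig))
}
```

Because a proxy of this kind attaches credentials to whatever request reaches it, port 5000 should be reachable only by the clients meant to pull with those credentials.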