feat: Support registries with disabled auth (#494)

* feat: Support registries with no auth.

* tests: Test registry with disabled auth.

* docs: Update provider documentation.

docs/index.md

@@ -181,6 +181,7 @@ Required:
 
 Optional:
 
+- `auth_disabled` (Boolean) Setting this to `true` will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to `false`.
 - `config_file` (String) Path to docker json file for registry auth. Defaults to `~/.docker/config.json`. If `DOCKER_CONFIG` is set, the value of `DOCKER_CONFIG` is used as the path. `config_file` has predencen over all other options.
 - `config_file_content` (String) Plain content of the docker json file for registry auth. `config_file_content` has precedence over username/password.
 - `password` (String, Sensitive) Password for the registry. Defaults to `DOCKER_REGISTRY_PASS` env variable if set.

internal/provider/provider.go

@@ -131,6 +131,12 @@ func New(version string) func() *schema.Provider {
 								Optional:    true,
 								Description: "Plain content of the docker json file for registry auth. `config_file_content` has precedence over username/password.",
 							},
+							"auth_disabled": {
+								Type:        schema.TypeBool,
+								Optional:    true,
+								Default:     false,
+								Description: "Setting this to `true` will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to `false`.",
+							},
 						},
 					},
 				},
@@ -226,11 +232,22 @@ func providerSetToRegistryAuth(authList *schema.Set) (*AuthConfigs, error) {
 		authConfig.ServerAddress = normalizeRegistryAddress(address)
 		registryHostname := convertToHostname(authConfig.ServerAddress)
 
+		username, ok := auth.(map[string]interface{})["username"].(string)
+		password := auth.(map[string]interface{})["password"].(string)
+
+		// If auth is disabled, set the auth config to any user/password combination
+		// See https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information
+		if auth.(map[string]interface{})["auth_disabled"].(bool) {
+			log.Printf("[DEBUG] Auth disabled for registry %s", registryHostname)
+			username = "username"
+			password = "password"
+		}
+
 		// For each registry_auth block, generate an AuthConfiguration using either
 		// username/password or the given config file
-		if username, ok := auth.(map[string]interface{})["username"].(string); ok && username != "" {
+		if ok && username != "" {
 			log.Println("[DEBUG] Using username for registry auths:", username)
-			password := auth.(map[string]interface{})["password"].(string)
+
 			if isECRRepositoryURL(registryHostname) {
 				password = normalizeECRPasswordForDockerCLIUsage(password)
 			}

internal/provider/provider_test.go

@@ -74,6 +74,22 @@ func TestAccDockerProvider_WithMultipleRegistryAuth(t *testing.T) {
 	})
 }
 
+func TestAccDockerProvider_WithDisabledRegistryAuth(t *testing.T) {
+	pushOptions := createPushImageOptions("http://127.0.0.1:15002/tftest-dockerregistryimage-testtest:1.0")
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: providerFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(loadTestConfiguration(t, RESOURCE, "provider", "testAccDockerProviderDisabledRegistryAuth"), pushOptions.NormalizedRegistry),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("data.docker_registry_image.foobar", "sha256_digest"),
+				),
+			},
+		},
+	})
+}
+
 func testAccPreCheck(t *testing.T) {
 	cmd := exec.Command("docker", "version")
 	if err := cmd.Run(); err != nil {

scripts/testacc_cleanup.sh

@@ -2,6 +2,7 @@
 set -e
   
 for p in $(docker container ls -f 'name=private_registry' -q); do docker stop $p; done
+for p in $(docker container ls -f 'name=no_auth_registry' -q); do docker stop $p; done
 echo "### stopped private registry ###"
 
 rm -f "$(pwd)/scripts/testing/testingFile"

scripts/testacc_setup.sh

@@ -37,6 +37,13 @@ docker run -d -p 15001:5000 --rm --name http_private_registry \
   -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
   -e "REGISTRY_STORAGE_DELETE_ENABLED=true" \
   registry:2.7.0
+
+docker run -d -p 15002:5000 --rm --name no_auth_registry \
+   -v "$(pwd)"/scripts/testing/certs:/certs \
+  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry_auth.crt" \
+  -e "REGISTRY_HTTP_TLS_KEY=/certs/registry_auth.key" \
+  registry:2.7.0
+
 # wait a bit for travis...
 sleep 5
 # Login to private registry
@@ -49,10 +56,16 @@ for i in $(seq 1 3); do
   docker push 127.0.0.1:15000/tftest-service:v${i}
   docker tag tftest-service 127.0.0.1:15000/tftest-service
   docker push 127.0.0.1:15000/tftest-service
+
   docker tag tftest-service 127.0.0.1:15001/tftest-service:v${i}
   docker push 127.0.0.1:15001/tftest-service:v${i}
   docker tag tftest-service 127.0.0.1:15001/tftest-service
   docker push 127.0.0.1:15001/tftest-service
+
+  docker tag tftest-service 127.0.0.1:15002/tftest-service:v${i}
+  docker push 127.0.0.1:15002/tftest-service:v${i}
+  docker tag tftest-service 127.0.0.1:15002/tftest-service
+  docker push 127.0.0.1:15002/tftest-service
 done
 # Remove images from host machine before starting the tests
 for i in $(docker images -aq 127.0.0.1:15000/tftest-service); do docker rmi -f "$i"; done

testdata/resources/provider/testAccDockerProviderDisabledRegistryAuth.tf

@@ -0,0 +1,12 @@
+provider "docker" {
+    alias = "private"
+    registry_auth {
+      address       = "%s"
+      auth_disabled = true
+    }
+}
+data "docker_registry_image" "foobar" {
+    provider             = "docker.private"
+    name                 = "127.0.0.1:15002/tftest-service:v1"
+    insecure_skip_verify = true
+}