diff --git a/docs/index.md b/docs/index.md
index 5bf06624..36874a8e 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -181,6 +181,7 @@ Required:
 Optional:
+- `auth_disabled` (Boolean) Setting this to `true` will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to `false`.
 - `config_file` (String) Path to docker json file for registry auth. Defaults to `~/.docker/config.json`. If `DOCKER_CONFIG` is set, the value of `DOCKER_CONFIG` is used as the path. `config_file` has predencen over all other options.
 - `config_file_content` (String) Plain content of the docker json file for registry auth. `config_file_content` has precedence over username/password.
 - `password` (String, Sensitive) Password for the registry. Defaults to `DOCKER_REGISTRY_PASS` env variable if set.
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index de404a00..b52deabb 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -131,6 +131,12 @@ func New(version string) func() *schema.Provider {
 Optional: true,
 Description: "Plain content of the docker json file for registry auth. `config_file_content` has precedence over username/password.",
 },
+ "auth_disabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ Description: "Setting this to `true` will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to `false`.",
+ },
 },
 },
 },
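Review bot: The `auth_disabled` description added to the `registry_auth` schema does not say how the flag interacts with the sibling credential attributes, although the neighbouring descriptions do (`config_file_content` has precedence over username/password). In the `providerSetToRegistryAuth` hunk of this commit a true value replaces any configured `username`/`password` with placeholders before the username branch runs, so it appears to win over the config-file options as well, which would contradict the documented statement that `config_file` takes precedence over all other options. Once that precedence is confirmed, extend the description with a sentence such as `When true, username, password, config_file and config_file_content of this block are ignored.` and mirror it in docs/index.md. The body of `New` continues outside the hunk.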
@@ -226,11 +232,22 @@ func providerSetToRegistryAuth(authList *schema.Set) (*AuthConfigs, error) {
 authConfig.ServerAddress = normalizeRegistryAddress(address)
 registryHostname := convertToHostname(authConfig.ServerAddress)
+ username, ok := auth.(map[string]interface{})["username"].(string)
+ password := auth.(map[string]interface{})["password"].(string)
+
+ // If auth is disabled, set the auth config to any user/password combination
+ // See https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information
+ if auth.(map[string]interface{})["auth_disabled"].(bool) {
+ log.Printf("[DEBUG] Auth disabled for registry %s", registryHostname)
+ username = "username"
+ password = "password"
+ }
+
 // For each registry_auth block, generate an AuthConfiguration using either
 // username/password or the given config file
- if username, ok := auth.(map[string]interface{})["username"].(string); ok && username != "" {
+ if ok && username != "" {
 log.Println("[DEBUG] Using username for registry auths:", username)
- password := auth.(map[string]interface{})["password"].(string)
+
 if isECRRepositoryURL(registryHostname) {
 password = normalizeECRPasswordForDockerCLIUsage(password)
 }
diff --git a/internal/provider/provider_test.go b/internal/provider/provider_test.go
index c6aa89cb..fe95dba4 100644
--- a/internal/provider/provider_test.go
+++ b/internal/provider/provider_test.go
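Review bot: The new reads of `password` and `auth_disabled` in `providerSetToRegistryAuth` use single-value type assertions, so a set element that lacks either key, or holds a value of another type, panics the provider instead of surfacing through the function's `error` return; before this change `password` was asserted only after the `username` assertion had succeeded. Assert the map once and use the comma-ok form: `m, _ := auth.(map[string]interface{})`, `password, _ := m["password"].(string)`, `if disabled, _ := m["auth_disabled"].(bool); disabled {`. The `[DEBUG]` line in the override branch also does not say that a supplied `username`/`password` was discarded in favour of placeholders, which is worth stating in the message. The function starts and ends outside the hunk.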
@@ -74,6 +74,22 @@ func TestAccDockerProvider_WithMultipleRegistryAuth(t *testing.T) {
 })
 }
+func TestAccDockerProvider_WithDisabledRegistryAuth(t *testing.T) {
+ pushOptions := createPushImageOptions("http://127.0.0.1:15002/tftest-dockerregistryimage-testtest:1.0")
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProviderFactories: providerFactories,
+ Steps: []resource.TestStep{
+ {
+ Config: fmt.Sprintf(loadTestConfiguration(t, RESOURCE, "provider", "testAccDockerProviderDisabledRegistryAuth"), pushOptions.NormalizedRegistry),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttrSet("data.docker_registry_image.foobar", "sha256_digest"),
+ ),
+ },
+ },
+ })
+}
+
 func testAccPreCheck(t *testing.T) {
 cmd := exec.Command("docker", "version")
 if err := cmd.Run(); err != nil {
diff --git a/scripts/testacc_cleanup.sh b/scripts/testacc_cleanup.sh
index d9117808..c1c2a2e7 100755
--- a/scripts/testacc_cleanup.sh
+++ b/scripts/testacc_cleanup.sh
@@ -2,6 +2,7 @@
 set -e
 for p in $(docker container ls -f 'name=private_registry' -q); do docker stop $p; done
+for p in $(docker container ls -f 'name=no_auth_registry' -q); do docker stop $p; done
 echo "### stopped private registry ###"
 rm -f "$(pwd)/scripts/testing/testingFile"
diff --git a/scripts/testacc_setup.sh b/scripts/testacc_setup.sh
index 4dbbd948..e4b36d4a 100755
--- a/scripts/testacc_setup.sh
+++ b/scripts/testacc_setup.sh
@@ -37,6 +37,13 @@ docker run -d -p 15001:5000 --rm --name http_private_registry \
 -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
 -e "REGISTRY_STORAGE_DELETE_ENABLED=true" \
 registry:2.7.0
+
+docker run -d -p 15002:5000 --rm --name no_auth_registry \
+ -v "$(pwd)"/scripts/testing/certs:/certs \
+ -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry_auth.crt" \
+ -e "REGISTRY_HTTP_TLS_KEY=/certs/registry_auth.key" \
+ registry:2.7.0
+
 # wait a bit for travis...
 sleep 5
 # Login to private registry
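Review bot: The `no_auth_registry` container in scripts/testacc_setup.sh is published with `-p 15002:5000`, which binds the port on every host interface, and unlike `http_private_registry` in the context lines it is started without any `REGISTRY_AUTH_*` settings. While the acceptance tests run, anything that can reach the machine on that port can push to or pull from the registry. The tests address it only as `127.0.0.1:15002`, so bind it to loopback: `docker run -d -p 127.0.0.1:15002:5000 --rm --name no_auth_registry \`.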
@@ -49,10 +56,16 @@ for i in $(seq 1 3); do
 docker push 127.0.0.1:15000/tftest-service:v${i}
 docker tag tftest-service 127.0.0.1:15000/tftest-service
 docker push 127.0.0.1:15000/tftest-service
+
 docker tag tftest-service 127.0.0.1:15001/tftest-service:v${i}
 docker push 127.0.0.1:15001/tftest-service:v${i}
 docker tag tftest-service 127.0.0.1:15001/tftest-service
 docker push 127.0.0.1:15001/tftest-service
+
+ docker tag tftest-service 127.0.0.1:15002/tftest-service:v${i}
+ docker push 127.0.0.1:15002/tftest-service:v${i}
+ docker tag tftest-service 127.0.0.1:15002/tftest-service
+ docker push 127.0.0.1:15002/tftest-service
 done
 # Remove images from host machine before starting the tests
 for i in $(docker images -aq 127.0.0.1:15000/tftest-service); do docker rmi -f "$i"; done
diff --git a/testdata/resources/provider/testAccDockerProviderDisabledRegistryAuth.tf b/testdata/resources/provider/testAccDockerProviderDisabledRegistryAuth.tf
new file mode 100644
index 00000000..6e48848d
--- /dev/null
+++ b/testdata/resources/provider/testAccDockerProviderDisabledRegistryAuth.tf
@@ -0,0 +1,12 @@
+provider "docker" {
+ alias = "private"
+ registry_auth {
+ address = "%s"
+ auth_disabled = true
+ }
+}
+data "docker_registry_image" "foobar" {
+ provider = "docker.private"
+ name = "127.0.0.1:15002/tftest-service:v1"
+ insecure_skip_verify = true
+}
\ No newline at end of file