I'm trying to proxy a private Google Container Registry with Nexus 3 Repository OSS.
Not sure how to do the authentication bit.
I found a suggestion for Artifactory:
Create a new Docker remote registry repository
Uncheck the Enable Token Authentication flag
Set the URL as https://gcr.io
Under the advanced tab, set the username as _json_key
Under the advanced tab, set the password to the contents of the JSON Key File
Did not work with Nexus.
Any advice maybe pls ?
You need to use a service account with an API Key in order to authenticate,
take a look into this blog that shows how to create the private registry with Google container registry and Nexus OSS.
Related
I am running an application inside of Docker that requires me to leverage google-bigquery. When I run it outside of Docker, I just have to go to the link below (redacted) and authorize. However, the link doesn't work when I copy-paste it from the Docker terminal. I have tried port mapping as well and no luck either.
Code:
credentials = service_account.Credentials.from_service_account_file(
key_path, scopes=["https://www.googleapis.com/auth/cloud-platform"],
)
# Make clients.
client = bigquery.Client(credentials=credentials, project=credentials.project_id,)
Response:
requests_oauthlib.oauth2_session - DEBUG - Generated new state
Please visit this URL to authorize this application:
Please see the available solutions on this page, it's constantly updated.
gcloud credential helper
Standalone Docker credential helper
Access token
Service account key
In short you need to use a service account key file. Make sure you either use a Secret Manager, or you just issue a service account key file for the purpose of the Docker image.
You need to place the service account key file into the Docker container either at build or runtime.
I read everything in this post and multiple others but nothing is working... I cannot use Google Credentials to access my git Repo in Google Cloud Platform
I have Jenkins running in a Docker Container in Google Cloud Platform. I have Source Code in a Google Cloud Repository that I want to use for a Build.
On the Google Cloud Platform side I created a Service User, gave the User the following Roles:
Project Worker
Source-Repository Admin
Storageobject creator
ComputeEngine creator
I created the JSON File and downloaded it.
On The Jenkins Side I installed the Google OAuth Credentials and the Google Container Registry Auth Plugin.
I added new Credentials "Google Service Account from private key" and added the json file.
So, if I now want to create a new Job (Freestyle or pipeline does not matter) I see the following:
I see the credentials I created but for the "Google Container Registry". As soon as I add the repository URL, "https://source.developers.google.com/p...." The Drop-down is cleared and all is gone.
I also took a look at the credentials.xml and job file, to see, if I can rewrite there something by myself. The Google Credentials do not have an credentialId like others...
<com.google.jenkins.plugins.credentials.oauth.GoogleRobotPrivateKeyCredentials plugin="google-oauth-plugin#0.6">
<module/>
<projectId>testprojekt</projectId>
<serviceAccountConfig class="com.google.jenkins.plugins.credentials.oauth.JsonServiceAccountConfig">
<jsonKeyFile>/var/jenkins_home/gauth/key8529180263669390055.json</jsonKeyFile>
</serviceAccountConfig>
</com.google.jenkins.plugins.credentials.oauth.GoogleRobotPrivateKeyCredentials>
I'm currently out of ideas... would be happy for any hint.
Thank you!
I am running Sonatype Nexus as a private docker-registry with ldap based auth ( or the relevant part, every user / server has its own authentication ).
I want to setup a second nexus server which will be a docker-registry proxy (cache/forward) to be used with --registry-mirror, mirroring the private registry stated above.
What i tried
I configere a docker registry proxy:
with a private registry as backend
and authentication towards the backend ( is that actually the right assumption?
and i configured a ssl-offloader as usual form https://proxy.domain.tld to they nexus docker-proxy port ( 10090 )
Then i configured the docker-engine with --registr-mirror=https://proxy.mydomain.tld
And used docker login https://proxy.mydomain.tld i could use the credentials i have in my ldap correctly, but since both the backend as also the proxy share the same ldap server, i am not sure against which i authed.
Problems/Questions:
a) I need to make the forward registry proxy authenticated "per user based"
b) can the proxy access the private registry authenticated ( using service account )
Does docker login in the case above actually authentiactes with the proxy or with the underlying private registry?
Does this setup work at all? Did i make a conceptual mistake?
It seems that you're asking that if you have a scenario like user->Nexus A->Nexus B, can Nexus A forward the credentials on to Nexus B?
If so, the answer is no. Nexus A would have its own credentials used to authenticate to Nexus B. Since Nexus A is trying to represent potentially the full contents of what is available in Nexus B, it may required elevated privileges to fetch content to satisfy the demands of all the users of A.
You should be able to structure A and B to serve the same content based on permissions though, just allow A to fetch it all from B.
I have the registry v2 container and docker_auth up and running. The registry uses self sign certificate which was created with my CA. I can pull and push images without any problem so the configuration is working properly.
I would like to have a UI for this registry to browse images. I have tried many of them:
https://github.com/kwk/docker-registry-frontend not support token based auth
https://shipyard-project.com only supports v1 registries
https://github.com/SUSE/Portus looks quite heavy weight for me
https://github.com/mkuchin/docker-registry-web i configure it with my keyfile and set the issuer. But i couldn't add my repo, it always returns 401. In the docker registry i found "token intended for another audience: \"mydockerrepo:5000\"". I tried with different names but none of them worked. I check the crt and key files and i use the correct crt-key pair.
Is there any other UI i should try?
Can somebody help me with the "audience" error message?
I'm using Sonatype Nexus as a Private Docker Registry.
While it works with authenticated users, trying to use anonymous user to pull images doesn't work. This happens only on a docker client.
Using the Nexus UI (not logged in) I'm able to browse images on my repo. But trying to pull the images I get an 'Unauthorized' error.
The following is a capture stream of communication between the Docker Client and the Nexus repository:
Wireshark packet capture
This is strange, as the anonymous access is enabled, and according to the docs, I may have a Docker Hosted Registry (with RW access through HTTPs port) and a Docker Group Registry, pointing to a Docker Hosted Registry, with RO/Anonymous access.
This feature was added in Nexus 3.6. According to the documentation:
Under Security > Realms, enable the “Docker Bearer Token Realm”
Uncheck “Force basic authentication” in the repository configuration
Nexus caused me quite some headache until i found a rather obscure sonatype post
that states not to change the anonymous realm.
So the steps I followed to get this working: (tested in Nexus 3.19.1 to 3.38.1)
Same as the Answer by #andrewdotn (Enable the Docker Bearer Token
Realm in the Security > Realms section)
Enable the anonymous access FOR the Local Authorizing Realm (as stated in the above mentioned link)
Create the docker(proxy) Repository (in this example to proxy hub.docker.com)
3.1. enable the HTTP / HTTPS endpoint (depending if you ssl to nexus or use a reverse proxy)
3.2. enable "Allow anonymous docker pull (Docker Bearer Token Realm required)"
3.3. enter "https://registry-1.docker.io" as "Location of the remote repository" (for the docker-hub)
3.4. set the "Docker Index" to use the docker hub index (aka.: "Use Docker Hub")
3.5. save
make sure your anonymous user has the right to read the new repository (the default anon-role will allow read access to quite a bit more, but should already allow anon pull)
4.1. (OPTIONAL) If you want to restrict the anonymous user as much as possible (i.e.: to only allow docker pull) crate a role "nx-docker_read" (or similar) and give it the "nx-repository-view-docker--read"*. (this will allow the any user in the group to pull images from any docker repository, that allows anon pull, but not see anything on the web-ui)
4.2. (if u did 4.1) now all that's left is to change the group of the anon user to ur new role (in my example "nx-docker_read") and remove it from "nx-anonymous" => anon-users can no longer brows nexus on the web-ui but can still pull images
Docker Registry API requires authentication for registry access, even for the pull operations so does Nexus 3.
Dockerhub always requires an access token, even for pulls.
But the reason why you can pull anonymously from dockerhub is that it uses a token server which automatically gives out access tokens to anonymous users.
This mecanism is not available for the moment with Nexus 3.0.1.
Perhaps it will be implemented (https://issues.sonatype.org/browse/NEXUS-10813).
So for the moment with Nexus 3, it will always require to be logged in before to pull an image (eventually with the anonymous user is your rights are setted this way).