https://prefect.io logo
s

sark

09/25/2020, 4:57 AM
hi guys for google container registry authentication i got it to work with docker agent which can pull images for flows using docker storage but the flow containers themselves seem to fail to pull images how is the docker agent picking up the credentials? from my experimentation it seems to look at
~/.docker/config.json
but does this mean for flows i have to pack the credentials in the image, instead of being able to mount a volume when the container is run? i have looked at API documentation and couldn’t find any options for specifying volumes for flow containers
n

nicholas

09/25/2020, 4:59 AM
Hi @sark - can you explain what you mean by a flow container? Your Agent uses the authenticated state of your Docker daemon. If you're pulling images from the registry within your flow, the daemon inside the container will also need to be authenticated.
s

sark

09/25/2020, 5:00 AM
hi nicholas, i mean the container for the image corresponding to the docker storage for the flow
hmm how do i go about authenticating the daemon inside that container?
n

nicholas

09/25/2020, 5:05 AM
You'll need to follow one of the GCR authentication methods listed in the GCR documentation - perhaps storing a
Secret
with Cloud that contains the token or JSON key file that you need, then pulling the
Secret
in an upstream task and authenticating with the
gcloud auth
commands before trying to pull your images in a downstream task.
s

sark

09/25/2020, 5:06 AM
ah so the auth is done as a task within the flow itself!
n

nicholas

09/25/2020, 5:08 AM
That's the method I would use because it's explicit - of course there are other ways to tackle the problem 🙂
It also means that you can change out your auth tokens without needing to rebuild your image/register a new version of the flow
s

sark

09/25/2020, 5:10 AM
thanks, that makes sense
agree that it is good to be explicit
n

nicholas

09/25/2020, 5:10 AM
Happy to help!
2 Views