Registry authentication fails when secret contains only .dockercfg

[derkoe]

Secrets with type = "kubernetes.io/dockercfg" containing the pull secret in the field .dockercfg do not work.

OpenShift uses this type of secret for the internal registry - so, you cannot provide the type = "kubernetes.io/dockerconfigjson".

[derkoe]

This is not fixed with that commit since LoadFromReader does not use the old format. Only Load handles this case (distinguishing by file name).

[ckotzbauer]

I did a small research on this: I think the legacy .dockercfg is a subset of the newer .docker/config.json file which only supports the auths section (which is identically to the auths section in newer config-files). The code in LoadFromReader and LegacyLoadFromReader (which is called from Load when the old-file is detected) is almost the same regarding the auths section. So I think old files should be handled correctly too from LoadFromReader.

Can you give me an sanitized example of your .dockercfg file?

[derkoe]

This is the .dockercfg:

{
    "docker.example.com": { "username": "user", "password": "password" }
}

This is the .dockerconfigjson (where the aut is user:password base64 encoded):

{
    "auths": { "docker.example.com": { "auth": "dXNlcjpwYXNzd29yZA==" } }
}

[ckotzbauer]

A great, I missed that difference in the moring. 😉 Well I think I can patch this quickly in the evening. Thanks for the comparison!

[ckotzbauer]

This should be finally fixed now in 0.4.1 @derkoe. There's a unit-test now to keep this working. However, I don't know if the fact that there's no auth property in the .dockercfg is really official, as the official docker-code cannot handle an empty auth property. I ported the specific loading-logic to the application and modified it to make it work.

[derkoe]

Works like a charm! Thx