Pull through proxy does not support basic auth #3153

@sudo-bmitch

The pull through registry proxy appears to only support Bearer authentication requests. Attempting to proxy to a site like docker.pkg.github.com fails since they require basic auth:

$ curl -v https://docker.pkg.github.com/v2/ 2>&1 | grep -i www-auth
< Www-Authenticate: Basic realm="GitHub Package Registry"

Looking through the code, it looks like configureAuth only returns credentials when authUrls finds a bearer scheme, in the following:

https://github.com/docker/distribution/blob/749f6afb4572201e3c37325d0ffedb6f32be8950/registry/proxy/proxyauth.go#L38

I'm planning to start hacking on this shortly. I'm also looking at what it might take to provide a more complete v2 authentication similar to that found in the engine code at: https://github.com/docker/docker-ce/blob/master/components/engine/registry/auth.go


Method to reproduce:

Compose file that looks like:

version: '3.7'

networks:
  cache:
    name: cache

volumes:
  github-cache:
    name: github-cache

services:
  github-cache:
    image: registry:2
    restart: unless-stopped
    environment:
      REGISTRY_LOG_LEVEL: debug
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
      REGISTRY_PROXY_REMOTEURL: https://docker.pkg.github.com
      REGISTRY_PROXY_USERNAME: $GITHUB_USER
      REGISTRY_PROXY_PASSWORD: $GITHUB_TOKEN
      REGISTRY_HTTP_TLS_CERTIFICATE: /host/reg.pem
      REGISTRY_HTTP_TLS_KEY: /host/reg-key.pem
    networks:
    - cache
    volumes:
    - type: bind
      source: .
      target: /host
      read_only: true
    - type: volume
      source: github-cache
      target: /var/lib/registry
  builder:
    image: docker:dind
    command: ["--registry-mirror", "https://hub-cache:5000", "--debug"]
    privileged: true
    restart: unless-stopped
    networks:
    - cache
    volumes:
    - type: bind
      source: ./ca.pem
      target: /etc/docker/certs.d/github-cache:5000/ca.crt
      read_only: true

Set the credentials in .env or export them in your shell. Feel free to remove the TLS and ca.crt lines if you don't want to generate a TLS key. Then:

docker-compose up -d
docker-compose exec builder sh
docker pull busybox
docker tag busybox docker.pkg.github.com/$username/$project/busybox:latest
docker login docker.pkg.github.com
docker push docker.pkg.github.com/$username/$project/busybox:latest
docker pull github-cache:5000/$username/$project/busybox:latest

You'll need to specify your username and project above. The last line will fail with a "not found" error even though the image was just pushed, since the credentials were never sent. A similar workflow is successful with GitLab's registry since it uses Bearer auth.


Background: I realize this doesn't work for the registry-mirror setting in the docker engine since that only goes to Hub which supports Bearer. Instead, I'm looking to adjust my CI pulls to hit the cache instance directly and want to support multiple registries in the workflow.
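The behaviour described in this issue, as an added illustration (not code from this issue or from the distribution project): a small WWW-Authenticate challenge parser, a scheme selector that reproduces the bearer-only outcome for the GitHub header quoted above and the basic-aware outcome a fix would give, and a helper that attaches Basic credentials only over TLS, since Basic carries the password itself on every request. All names (challenge, parseChallenges, supportedScheme, proxyCreds, attachBasic) and the sample header values are assumptions made for this example; the parser ignores backslash escapes inside quoted values.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// challenge is one scheme from a WWW-Authenticate header, e.g.
//   Basic realm="GitHub Package Registry"
//   Bearer realm="https://auth.example.invalid/token",service="registry",scope="repository:a/b:pull"
type challenge struct {
	Scheme string            // lower-cased: "basic" or "bearer"
	Params map[string]string // lower-cased keys, quotes stripped from values
}

// tokenize splits the header on commas and whitespace outside quoted strings.
// Simplification (assumption): no backslash escapes inside quoted values.
func tokenize(s string) []string {
	var toks []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case !inQuote && (r == ',' || r == ' ' || r == '\t'):
			if cur.Len() > 0 {
				toks = append(toks, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		toks = append(toks, cur.String())
	}
	return toks
}

// parseChallenges turns a header value into an ordered list of challenges.
// A token without '=' starts a new scheme; key=value tokens belong to the
// most recent scheme. Parameters before any scheme are malformed and dropped.
func parseChallenges(header string) []challenge {
	var out []challenge
	for _, tok := range tokenize(header) {
		k, v, isParam := strings.Cut(tok, "=")
		if !isParam {
			out = append(out, challenge{Scheme: strings.ToLower(tok), Params: map[string]string{}})
			continue
		}
		if len(out) == 0 {
			continue
		}
		out[len(out)-1].Params[strings.ToLower(k)] = strings.Trim(v, `"`)
	}
	return out
}

// supportedScheme returns the first challenge scheme the proxy can satisfy.
// With supportBasic=false it mirrors the bearer-only behaviour the issue
// reports: a Basic-only registry yields "" and no credentials are ever sent.
func supportedScheme(header string, supportBasic bool) string {
	for _, c := range parseChallenges(header) {
		switch c.Scheme {
		case "bearer":
			return "bearer"
		case "basic":
			if supportBasic {
				return "basic"
			}
		}
	}
	return ""
}

// proxyCreds stands in for REGISTRY_PROXY_USERNAME / REGISTRY_PROXY_PASSWORD.
type proxyCreds struct{ Username, Password string }

// attachBasic adds an Authorization: Basic header to req. Basic sends the
// password itself on every request, so it is refused over plain HTTP.
func attachBasic(req *http.Request, c proxyCreds) error {
	if req.URL.Scheme != "https" {
		return fmt.Errorf("refusing to send Basic credentials over %s", req.URL.Scheme)
	}
	tok := base64.StdEncoding.EncodeToString([]byte(c.Username + ":" + c.Password))
	req.Header.Set("Authorization", "Basic "+tok)
	return nil
}

func main() {
	// Constructed sample: the header the issue's curl command shows.
	gh := `Basic realm="GitHub Package Registry"`
	fmt.Printf("bearer-only proxy picks: %q\n", supportedScheme(gh, false))
	fmt.Printf("basic-aware proxy picks: %q\n", supportedScheme(gh, true))

	req, _ := http.NewRequest(http.MethodGet, "https://docker.pkg.github.com/v2/", nil)
	if err := attachBasic(req, proxyCreds{"user", "token"}); err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("sent:", req.Header.Get("Authorization"))
}
```

The selector walks the challenges in the order the server listed them, so a registry offering both Bearer and Basic still gets the Bearer path; only a Basic-only registry changes outcome between the two modes, which is exactly the case the "not found" pull above exercises.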
