feat: support independent credential helper and username/password auth for registries #3785
Open
vtomasr5 wants to merge 5 commits into Dokploy:canary from
Allow registries to authenticate via external credential helpers (e.g., ecr-login, gcr, gcloud) instead of requiring stored username/password. This writes credHelpers entries into Docker's config.json, letting Docker resolve authentication dynamically through helper binaries.

- Add RegistryAuthType enum and authType/credentialHelper columns
- Make username/password nullable for credential-helper registries
- Update config.json atomically via Python to preserve existing keys
- Skip docker login during builds for credential-helper registries
- Add auth type selector to registry form with conditional fields
- Return undefined authConfig so Docker uses helpers automatically
- Handle credential-helper registries in rollback pipeline
- Add test cases for credential-helper registry tag generation
Keep canary's 0146_bumpy_morg migration, remove our 0146_talented_avengers. Our registry schema changes will be regenerated as a new migration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…h for registries

Allow registries to configure both username/password (auths) and Docker credential helpers (credHelpers) independently, rather than forcing a mutually exclusive choice. Both auth methods can coexist in the same registry and are written to Docker's config.json in a single pass.

Schema changes:
- Add credentialHelperUrls column for per-registry helper URL targets
- Add shared validateRegistryFields() with independent validation

Service layer:
- Replace per-entry Python heredoc config writer with full-rebuild approach that queries all org registries and rebuilds config.json
- Read/write Docker config natively in TypeScript (local + remote)
- Move syncDockerRegistryConfig outside DB transaction to avoid visibility issues with uncommitted inserts

Deployment pipeline:
- Use field-presence checks (username && password) instead of authType enum to determine auth config for builds, uploads, and rollbacks

Frontend:
- Remove authType dropdown; show username/password always visible
- Add collapsible credential helper section (collapsed by default)
- Add credentialHelperUrls textarea (one URL per line)

Router:
- Test both auth methods independently when both are configured
- Add getErrorDetail() helper for descriptive test failure messages
| const payload: any = { | ||
| registryName: data.registryName, | ||
| username: data.username, | ||
| authType: hasCredentials ? "credentials" : "credential-helper", |
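Review bot: `payload` is declared as `any` on the first line, which turns off type checking for an object that carries the registry's auth fields, so a misspelled or missing key would not be caught at compile time; declare it with a type derived from the registry schema instead. On the last line, `authType` is computed from `hasCredentials` alone, so a registry with both a username/password and a credential helper is stored as "credentials"; since the commit message says the pipeline now uses field-presence checks instead of the authType enum, either drop the field from the payload or add a comment that it is informational only.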
Contributor
authType logic doesn't match PR description - should support both auth methods simultaneously, not pick one
Suggested change
| authType: hasCredentials ? "credentials" : "credential-helper", | |
| authType: hasCredentials && hasCredHelper ? "credentials" : hasCredentials ? "credentials" : "credential-helper", |
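Review bot: the suggested replacement returns the same value as the line it replaces for every input, because both branches taken when `hasCredentials` is true yield "credentials" and `hasCredHelper` never changes the result. If the goal is to record that both methods are configured, `authType` needs a distinct third value for that case (and the RegistryAuthType enum would have to include it); otherwise the original line can stay as it is.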
The PR description states both auth methods can coexist, but this code forces a mutually exclusive choice. If both methods are provided, the registry service (buildConfigFromRegistries) already handles writing both to config.json. The authType field appears to be metadata rather than controlling which auth to use.
Contributor
Author
If it doesn't have creds, then the user only wants to add a cred helper. This is supported.
What is this PR about?
Allow registries to configure both username/password (auths) and Docker credential helpers (credHelpers) independently, rather than forcing a mutually exclusive choice. Both auth methods can coexist in the same registry and are written to Docker's config.json in a single pass.
There are helpers for several registries, such as ECR, GCR, or a custom registry.
Collapsed:
Expanded:
Checklist
Before submitting this PR, please make sure that:
canary branch.
Issues related (if applicable)
Screenshots (if applicable)
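The config.json layout the description above relies on, as an added example that is not Dokploy's code: it rebuilds the `auths` and `credHelpers` sections from a list of registries, keeps unrelated keys, and reports hosts that end up in both sections. The `Registry` shape, the function names and the helper-name check are assumptions made for the illustration.

```typescript
// Added example: the Registry shape and all names here are hypothetical.
interface Registry {
  registryUrl: string;
  username?: string | null;
  password?: string | null;
  credentialHelper?: string | null; // e.g. "ecr-login"
  credentialHelperUrls?: string[] | null; // hosts served by the helper
}
type DockerConfig = {
  auths?: Record<string, { auth: string }>;
  credHelpers?: Record<string, string>;
  [key: string]: unknown;
};

// Docker executes the binary docker-credential-<name>, so accept a bare
// suffix only, never a path separator or whitespace.
const HELPER_NAME = /^[a-z0-9][a-z0-9._-]*$/i;

const b64 = (s: string): string =>
  (globalThis as any).Buffer.from(s, "utf8").toString("base64");

function buildDockerConfig(existing: DockerConfig, registries: Registry[]) {
  const auths: Record<string, { auth: string }> = {};
  const credHelpers: Record<string, string> = {};
  for (const r of registries) {
    // Field-presence check: static auth needs both username and password.
    if (r.username && r.password) {
      auths[r.registryUrl] = { auth: b64(`${r.username}:${r.password}`) };
    }
    if (r.credentialHelper) {
      if (!HELPER_NAME.test(r.credentialHelper)) {
        throw new Error(`invalid credential helper: ${r.credentialHelper}`);
      }
      // Assumption: with no helper URLs given, the helper serves registryUrl.
      const hosts = r.credentialHelperUrls?.length
        ? r.credentialHelperUrls
        : [r.registryUrl];
      for (const h of hosts) credHelpers[h] = r.credentialHelper;
    }
  }
  // For a host in both maps the Docker CLI consults the helper, so the
  // stored password for that host would go unused; surface it to the caller.
  const overlap = Object.keys(auths).filter((h) => h in credHelpers);
  // Full rebuild of the two managed sections; every other key is kept.
  return { config: { ...existing, auths, credHelpers }, overlap };
}
```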