feat: support independent credential helper and username/password auth for registries #3785

Open
vtomasr5 wants to merge 5 commits into Dokploy:canary from vtomasr5:support-credentials-helpers


@vtomasr5 vtomasr5 commented Feb 23, 2026

What is this PR about?

Allow registries to configure both username/password (auths) and Docker credential helpers (credHelpers) independently, rather than forcing a mutually exclusive choice. Both auth methods can coexist in the same registry and are written to Docker's config.json in a single pass.

There are helpers for several registries, such as ECR, GCR, or a custom registry.

Collapsed:

Screenshot 2026-02-23 at 18 01 31

Expanded:

Screenshot 2026-02-23 at 18 01 47

Checklist

Before submitting this PR, please make sure that:

  • You created a dedicated branch based on the canary branch.
  • You have read the suggestions in the CONTRIBUTING.md file https://github.com/Dokploy/dokploy/blob/canary/CONTRIBUTING.md#pull-request
  • You have tested this PR in your local instance. If you have not tested it yet, please do so before submitting. This helps avoid wasting maintainers' time reviewing code that has not been verified by you.

Issues related (if applicable)

Screenshots (if applicable)

vtomasr5 and others added 4 commits February 20, 2026 13:05
Allow registries to authenticate via external credential helpers (e.g., ecr-login, gcr, gcloud) instead of requiring stored username/password.
This writes credHelpers entries into Docker's config.json, letting Docker resolve authentication dynamically through helper binaries.

- Add RegistryAuthType enum and authType/credentialHelper columns
- Make username/password nullable for credential-helper registries
- Update config.json atomically via Python to preserve existing keys
- Skip docker login during builds for credential-helper registries
- Add auth type selector to registry form with conditional fields
- Return undefined authConfig so Docker uses helpers automatically
- Handle credential-helper registries in rollback pipeline
- Add test cases for credential-helper registry tag generation
Keep canary's 0146_bumpy_morg migration, remove our 0146_talented_avengers.
Our registry schema changes will be regenerated as a new migration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…h for registries

Allow registries to configure both username/password (auths) and Docker
credential helpers (credHelpers) independently, rather than forcing a
mutually exclusive choice. Both auth methods can coexist in the same
registry and are written to Docker's config.json in a single pass.

Schema changes:
- Add credentialHelperUrls column for per-registry helper URL targets
- Add shared validateRegistryFields() with independent validation

Service layer:
- Replace per-entry Python heredoc config writer with full-rebuild
  approach that queries all org registries and rebuilds config.json
- Read/write Docker config natively in TypeScript (local + remote)
- Move syncDockerRegistryConfig outside DB transaction to avoid
  visibility issues with uncommitted inserts

Deployment pipeline:
- Use field-presence checks (username && password) instead of authType
  enum to determine auth config for builds, uploads, and rollbacks

Frontend:
- Remove authType dropdown; show username/password always visible
- Add collapsible credential helper section (collapsed by default)
- Add credentialHelperUrls textarea (one URL per line)

Router:
- Test both auth methods independently when both are configured
- Add getErrorDetail() helper for descriptive test failure messages
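
The single-pass rebuild described in the commit message above, sketched as an added example (not the PR's code): `RegistryRow`, `hostOf`, `buildDockerConfig` and the `registryUrl` field are hypothetical names, and the sample row is constructed. It also rejects helper names that are not a plain suffix, because Docker runs the binary `docker-credential-<name>` for each `credHelpers` entry.

```typescript
// Added example: RegistryRow, hostOf, buildDockerConfig and registryUrl are hypothetical.
interface RegistryRow {
  registryUrl: string; // assumed field: host that the "auths" entry is keyed by
  username?: string | null;
  password?: string | null;
  credentialHelper?: string | null; // helper suffix, e.g. "ecr-login"
  credentialHelperUrls?: string | null; // one registry host or URL per line
}
interface DockerConfig {
  auths: Record<string, { auth: string }>;
  credHelpers: Record<string, string>;
  [key: string]: unknown; // unrelated keys such as credsStore
}

// Docker executes `docker-credential-<name>`, so accept only a plain suffix.
const HELPER_NAME = /^[a-z0-9][a-z0-9_-]*$/i;

// Reduce "https://host/path" or "host/path" to the bare host used as the key.
function hostOf(entry: string): string {
  return entry.trim().replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").replace(/\/.*$/, "");
}

function buildDockerConfig(existing: Record<string, unknown>, rows: RegistryRow[]): DockerConfig {
  const auths: Record<string, { auth: string }> = {};
  const credHelpers: Record<string, string> = {};
  for (const row of rows) {
    // Field-presence check: a static entry only when both fields are set.
    if (row.username && row.password) {
      const token = Buffer.from(`${row.username}:${row.password}`).toString("base64");
      auths[hostOf(row.registryUrl)] = { auth: token };
    }
    const helper = row.credentialHelper;
    if (helper) {
      if (!HELPER_NAME.test(helper)) throw new Error(`invalid credential helper name: ${helper}`);
      const targets = (row.credentialHelperUrls || row.registryUrl).split("\n");
      for (const target of targets.filter((line) => line.trim() !== "")) {
        credHelpers[hostOf(target)] = helper;
      }
    }
  }
  // Full rebuild: both managed sections are replaced, other keys are kept.
  return { ...existing, auths, credHelpers };
}

// Constructed sample: one registry row that carries both auth methods.
const sampleConfig = buildDockerConfig({ credsStore: "desktop" }, [{
  registryUrl: "https://registry.example.com/v2/", username: "ci", password: "s3cret",
  credentialHelper: "ecr-login",
  credentialHelperUrls: "123456789012.dkr.ecr.eu-west-1.amazonaws.com\n\npublic.ecr.aws\n",
}]);
```

The `auths` token is only base64-encoded, so the file this object is written to needs owner-only permissions.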
@greptile-apps greptile-apps bot left a comment


11 files reviewed, 1 comment


const payload: any = {
registryName: data.registryName,
username: data.username,
authType: hasCredentials ? "credentials" : "credential-helper",
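
Review bot: the `authType` ternary on the last line labels the registry "credential-helper" whenever `hasCredentials` is false, without checking that a helper was entered, so a form with neither method filled in is still sent as a helper registry unless validation rejects it before this point. Consider deriving the value from both presence flags or rejecting the empty case here; typing `payload` with the mutation's input type instead of `any` would also let the compiler flag a wrong `authType` string.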

authType logic doesn't match PR description - should support both auth methods simultaneously, not pick one

Suggested change
authType: hasCredentials ? "credentials" : "credential-helper",
authType: hasCredentials && hasCredHelper ? "credentials" : hasCredentials ? "credentials" : "credential-helper",
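
Review bot: the replacement `authType` line evaluates to the same value as the line it replaces for every input: when `hasCredentials` is true, both of its first two branches yield "credentials", and otherwise it falls through to "credential-helper". If the goal is to record that both methods are configured, the `hasCredentials && hasCredHelper` branch needs its own value, and the stored type would have to accept it.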

The PR description states both auth methods can coexist, but this code forces a mutually exclusive choice. If both methods are provided, the registry service (buildConfigFromRegistries) already handles writing both to config.json. The authType field appears to be metadata rather than controlling which auth to use.


@vtomasr5 vtomasr5 Feb 23, 2026


If it doesn't have creds, then the user only wants to add a cred helper. This is supported.
