How to pull private images with 1.0


#1

I have not had time to document this yet, so I figured I would write a quick post. If you are coming from Drone 0.8 you may be wondering how to configure credentials required to pull private images defined in your yaml, for example:

kind: pipeline
name: default

steps:
- name: build
  image: registry.company.com/my/image
  commands:
  - go build
  - go test

In the above example, registry.company.com/my/image is a private registry and requires a username and password to pull the image. To provide Drone with the credentials you need to create a secret named .dockerconfigjson, where the secret value is a valid docker configuration file with your authentication credentials.

NOTE when you add the registry credentials as a secret you probably need to enable the secret for pull requests. I am pretty sure this is required, but I might be wrong. So for the moment, assume this is required.

The docker configuration file should look something like this:

{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "YW11cmRhY2E6c3VwZXJzZWNyZXRwYXNzd29yZA=="
		}
	}
}

If you are unfamiliar with this file please consult the official Docker documentation. Do not try to construct this file by hand. There is also a nice article about the config file format here: https://www.projectatomic.io/blog/2016/03/docker-credentials-store/


Option 2

The second option would be to pass this file to the agent. This will make the credentials available globally to all builds and all repositories. First you would mount the config file into your agent container:

docker run \
-v /root/.docker/config.json:/root/.docker/config.json

Then you need to pass the agent the path of the mounted file:

docker run \
-e DRONE_DOCKER_CONFIG=/root/.docker/config.json
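
A pre-flight check for the file described in this post, as an added example that is not part of the original post or of Drone: it verifies that a candidate secret value parses, has an `auths` entry for the registry of the image in the yaml, and that the entry decodes to `user:password`. The function names are hypothetical, and matching entries by host name (with Docker Hub as the default registry) is an assumption of this sketch.

```python
import base64
import json

# Constructed sample: the config shown in the post above.
SAMPLE = ('{"auths": {"https://index.docker.io/v1/": '
          '{"auth": "YW11cmRhY2E6c3VwZXJzZWNyZXRwYXNzd29yZA=="}}}')

def registry_host(image):
    """Registry host of an image reference; Docker Hub when none is given."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "index.docker.io"

def auth_host(key):
    """Reduce an auths key such as https://index.docker.io/v1/ to its host."""
    return key.split("://", 1)[-1].split("/", 1)[0]

def check_config(raw, image):
    """List the problems that would keep `raw` from authenticating a pull of `image`."""
    try:
        cfg = json.loads(raw)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ["no auths entries"]
    problems = []
    # With a credential store configured, docker login leaves the auths entries empty.
    if cfg.get("credsStore") or cfg.get("credHelpers"):
        problems.append("credsStore/credHelpers set: credentials may live outside this file")
    wanted = registry_host(image)
    entry = next((v for k, v in auths.items() if auth_host(k) == wanted), None)
    if entry is None:
        return problems + ["no auths entry for %s" % wanted]
    auth = str(entry.get("auth") or "") if isinstance(entry, dict) else ""
    try:
        decoded = base64.b64decode(auth, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return problems + ["auth for %s is not valid base64" % wanted]
    user, _, password = decoded.partition(":")
    if not user or not password:
        problems.append("auth for %s is empty or lacks user:password" % wanted)
    return problems  # the decoded credentials are never returned or printed

if __name__ == "__main__":
    print(check_config(SAMPLE, "registry.company.com/my/image"))
```

An empty list means the file has usable inline credentials for that image's registry; it does not confirm that the registry accepts them.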

#3

@bradrydzewski Per option 2, this is just going forward with 1.0? This doesn’t work with 0.8 currently, yea?


#4

Correct, this thread is only applicable for 1.0


#5

Are you sure about the name of the secret? .dockerconfigjson starts with a dot and that’s not allowed for docker secrets nor kubernetes secrets.


#6

Yes, I am sure this is the correct secret name in Drone.


#7

I was able to get this to work on my drone projects. Thanks for this, since global registry creds with k8s are currently undocumented I was having to pull the private base images by hand.


#8

I’d be curious to see a version of this that worked with something like AWS ECR that requires regularly refreshing the token.


#9

AWS ECR does not work using the methods described in this thread, because as you mentioned, it requires special logic to periodically generate docker credentials. You therefore need to use a plugin for this. There is a thread that discusses this in depth:

And in one of the comments a community-member posts a plugin they created:
https://github.com/davidbyttow/drone-ecr-registry-plugin