Secure registry access with Dagger

Márk Sági-Kazár


2024-05-16 @ Dagger Community Call

Problem

  • OCI tools write credentials to the filesystem
    • docker login
    • helm registry login
  • Writing sensitive info to the container filesystem is a bad idea in Dagger: the file lands in a cached layer that can be shared, exported or published along with the image
  • Need an alternative way to authenticate with container registries safely, without the credentials ever touching a layer

How it works

  • helm registry login
  • Client may or may not contact the registry
  • Username and password are stored in a config file
  • Credentials are used to authenticate with the registry when pushing/pulling

In Daggerlang

var password *Secret // the registry password, passed in as a Dagger secret

dag.Container().
    From("alpine/helm").
    WithSecretVariable("HELM_PASSWORD", password).
    WithExec([]string{
        "sh", "-c",
        // The shell expands $HELM_PASSWORD here, so the value is briefly visible
        // in helm's argv; `--password-stdin` keeps it out of the process list.
        "helm registry login ghcr.io --username me --password $HELM_PASSWORD",
    }).
    WithoutSecretVariable("HELM_PASSWORD") // For good hygiene

Config file

~/.config/helm/registry/config.json

{
  "auths": {
    "ghcr.io": {
      "auth": "base64(username:password)"
    }
  }
}

💡 Idea

Can we mount that file as a secret into the container?

Yes, we can

// registry config file contents, held as a Dagger secret (a Go const cannot be a *Secret)
var registryConfig *Secret

dag.Container().
    From("alpine/helm").
    WithMountedSecret("HELM_HOME/registry/config.json", registryConfig)
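The mounted secret has to contain exactly the JSON that helm would have written itself. The following is an added example (not code from the talk or from the registry-config module) that renders that config.json from a list of credentials in plain Go and decodes it back, so you can check that what gets mounted is what the client will send. Registry, username and password values are constructed samples; the `dag.SetSecret` / `WithMountedSecret` calls in the comments show how the string would be turned into a Dagger secret and are assumptions about how you would wire it in.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Credential is one registry login. Constructed for this example.
type Credential struct {
	Registry string
	Username string
	Password string
}

// registryConfig mirrors the "auths" layout that helm (and docker) read from
// ~/.config/helm/registry/config.json.
type registryConfig struct {
	Auths map[string]registryAuth `json:"auths"`
}

type registryAuth struct {
	Auth string `json:"auth"`
}

// BuildRegistryConfig renders a config.json for the given credentials. The
// "auth" value is base64(username:password), exactly what `helm registry login`
// writes. The returned string is meant to become a Dagger secret, not a file
// written into a container layer.
func BuildRegistryConfig(creds []Credential) (string, error) {
	cfg := registryConfig{Auths: make(map[string]registryAuth, len(creds))}
	for _, c := range creds {
		if c.Registry == "" || c.Username == "" || c.Password == "" {
			return "", fmt.Errorf("incomplete credentials for registry %q", c.Registry)
		}
		// ':' separates user and password in the encoded value; a colon in the
		// username would silently shift characters into the password.
		if strings.Contains(c.Username, ":") {
			return "", fmt.Errorf("username for %q must not contain ':'", c.Registry)
		}
		if _, dup := cfg.Auths[c.Registry]; dup {
			return "", fmt.Errorf("duplicate entry for registry %q", c.Registry)
		}
		cfg.Auths[c.Registry] = registryAuth{
			Auth: base64.StdEncoding.EncodeToString([]byte(c.Username + ":" + c.Password)),
		}
	}
	out, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// DecodeRegistryAuth is the reverse: given a config.json, return the username
// and password stored for one registry.
func DecodeRegistryAuth(configJSON, registry string) (string, string, error) {
	var cfg registryConfig
	if err := json.Unmarshal([]byte(configJSON), &cfg); err != nil {
		return "", "", err
	}
	entry, ok := cfg.Auths[registry]
	if !ok {
		return "", "", fmt.Errorf("no auth entry for %q", registry)
	}
	raw, err := base64.StdEncoding.DecodeString(entry.Auth)
	if err != nil {
		return "", "", err
	}
	username, password, found := strings.Cut(string(raw), ":")
	if !found {
		return "", "", errors.New("auth value is not of the form user:password")
	}
	return username, password, nil
}

func main() {
	// Constructed sample credentials; not real.
	cfg, err := BuildRegistryConfig([]Credential{{"ghcr.io", "me", "hunter2"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(cfg)
	// Inside a Dagger module the string would be wrapped as a secret and
	// mounted, never written with WithNewFile (assumed wiring, not run here):
	//   secret := dag.SetSecret("registry-config", cfg)
	//   ctr = ctr.WithMountedSecret("/root/.config/helm/registry/config.json", secret)
}
```

Because the string only ever exists as a secret, it is not part of any layer Dagger caches or exports; the decode helper is there so a module test can assert the mounted contents rather than trusting the encoding by eye.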

Taking it further

Let’s build a module for it!

var password *Secret

config, _ := dag.RegistryConfig().
    WithRegistryAuth("ghcr.io", "me", password).
    Secret(ctx)

dag.Container().
    WithMountedSecret("HELM_HOME/registry/config.json", config)

Find it as registry-config on Daggerverse!

One more thing…

var password *Secret

config := dag.RegistryConfig().
    WithRegistryAuth("ghcr.io", "me", password)

dag.Container().
    With(config.SecretMount("HELM_HOME/registry/config.json").Mount)

Future: OCI Auth spec

Thank you

Any questions?



@sagikazarmark

https://sagikazarmark.hu

hello@sagikazarmark.hu