As described in #24547, if using runImage in private registry which was built upon images in public registry, image pulling would fail because apply a basic auth on no-auth-required public registry.

Take the following configuration as explanation, basic auth should only be applied when the image tag was prefixed with docker.example.com/, should never be applied when the parent images of this image was belong to docker.io.

bootBuildImage {
    docker {
        builderRegistry {
            username = "username"
            password = "password"
            url = "https://docker.example.com/v1/"
        }
    }
    imageName = "docker.example.com/app"
    runImage = "docker.example.com/run:base"
}

The solution is quite simple:

  • Just add n field registryUrl in DockerConfiguration, and save the url into it during the construction.
  • Check wether the image domain was contained in registryUrl, if so, apply the basic auth, otherwise do not apply.

This only support username/password authentication, not for token authentication beause it doesn't provide an url.

Comment From: pivotal-issuemaster

@WqyJh Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

Comment From: pivotal-issuemaster

@WqyJh Thank you for signing the Contributor License Agreement!

Comment From: scottfrederick

Thanks for the suggestion, but this approach doesn't cover all the use cases we'd want to consider when the builder and run images are in different registries. We'll keep the issue open to consider other approaches.