Support for with-registry-auth flag by PirateSeal · Pull Request #8 · cssnr/stack-deploy-action · GitHub

Support for with-registry-auth flag #8


Closed
wants to merge 7 commits into from

PirateSeal

Hello,

I've worked on an implementation for the with-registry-auth flag.

My current test works by reusing the DOCKER_HOST, DOCKER_SSH_KEY, DOCKER_USER vars to deploy a new stack specifically for the flag.

I'm using an Ansible playbook to deploy a simple Docker registry to the DOCKER_HOST, logging in to it and pushing the latest alpine image for the test.

I've added the with_registry_auth input in the action.yml file.

Tested on Ubuntu 24.04.1 LTS.

Implement support for registry authentication in the stack deployment
script. The deployment command is now constructed dynamically to
include the `--with-registry-auth` flag if specified.

Enhance the GitHub Actions workflow by adding a new job to test
registry authentication. This includes steps to set up a private
Docker registry, create a user, and push an image for testing.

Update action inputs to include an option for registry authentication,
allowing for more flexible deployments.
* feat: streamline Docker registry setup in CI workflow

Refactor the CI workflow to utilize an Ansible playbook for 
setting up a private Docker registry. 

* feat: add logging for with-registry-auth flag in deploy command

Adds a log message to indicate when the with-registry-auth flag is 
included in the Docker stack deploy command. This change improves 
visibility into the deployment process and helps with debugging 
by clearly showing the command's configuration.
@jtwebman
jtwebman commented Dec 10, 2024

Wow I ran into the same issue and was hoping this would work so I tested it! Here was my docker file step and it deployed with the flag no issues but it didn't seem to work? Looking into it more. Will see if I can't debug the issue.

```yaml
deploy:
    runs-on: ubuntu-latest
    needs:
      - build-and-push-image
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.MY_PERSONAL_ACCESS_TOKEN }}

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: https://ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: create env file
        run: |
          echo "GIT_COMMIT_HASH=${{ github.sha }}" >> ./envfile

      - name: Docker Stack Deploy
        uses: PirateSeal/stack-deploy-action@master
        with:
          name: serviceleadpages
          file: docker-stack.yaml
          host: serviceleadpages.com
          user: deploy
          ssh_key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
          with_registry_auth: "true"
          env_file: ./envfile
```

Logs from the run:

```
Running: /main.sh as: root in: /github/workspace
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
Adding SSH Key to SSH Agent
Agent pid 14
Identity added: /root/.ssh/id_rsa (deploy@serviceleadpages.com)
Verifying Docker and Setting Context.
remote
Successfully created context "remote"
NAME        DESCRIPTION                               DOCKER ENDPOINT                        ERROR
default *   Current DOCKER_HOST based configuration   unix:///var/run/docker.sock            
remote                                                ssh://deploy@serviceleadpages.com:22   
remote
Current context is now "remote"
Sourcing Environment File: ./envfile
  File: ./envfile
  Size: 57        	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 797004      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1001/ UNKNOWN)   Gid: (  118/ UNKNOWN)
Access: 2024-12-10 04:03:26.156248324 +0000
Modify: 2024-12-10 04:03:26.156248324 +0000
Change: 2024-12-10 04:03:26.156248324 +0000
Adding with-registry-auth flag to command.
Deploying Stack: serviceleadpages
Updating service serviceleadpages_traefik (id: taak9fzihztr0nv8xuiss8t1y)
Updating service serviceleadpages_web (id: eoi1e55lk60s721r0yfnfluob)
image ghcr.io/jtwebman/serviceleadpages:8ade574b59f49dd1a2ee62dae7651ba0ca2b9143 could not be accessed on a registry to record
Updating service serviceleadpages_db (id: hwrdq8xw0ikl1kaeudo4l82i0)
its digest. Each node will access ghcr.io/jtwebman/serviceleadpages:8ade574b59f49dd1a2ee62dae7651ba0ca2b9143 independently,
possibly leading to different nodes running different
versions of the image.
```

@jtwebman

Ok, I output the command; it did add it. So the login step must not work like a normal docker login call, hmmm. This was the command it outputs with my setup: `docker stack deploy -c "docker-stack.yaml" "serviceleadpages" --with-registry-auth`, which is exactly what works locally.

@smashedr
Member

Thank you for the contribution, I should have time to dig into this tomorrow...

@jtwebman

Ok, I think I see the issue. You guys are making a new context. So my previous login isn't in scope anymore. So we need to have a login registry after the context is made and switched to.

@jtwebman

Ok, I created a branch that added another command to let you run a register login before, and that worked. Here is that PR that fixed it for me: #9

My now github step

```yaml
deploy:
    runs-on: ubuntu-latest
    needs:
      - build-and-push-image
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.MY_PERSONAL_ACCESS_TOKEN }}

      - name: create env file
        run: |
          echo "GIT_COMMIT_HASH=${{ github.sha }}" >> ./envfile

      - name: Docker Stack Deploy
        uses: jtwebman/stack-deploy-action@proposed_registry_login_change
        with:
          name: serviceleadpages
          file: docker-stack.yaml
          host: serviceleadpages.com
          user: deploy
          ssh_key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
          registry_auth: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
          env_file: ./envfile
```

And log output showing it push the container:

```
Running: /main.sh as: root in: /github/workspace
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
# serviceleadpages.com:22 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
Adding SSH Key to SSH Agent
Agent pid 14
Identity added: /root/.ssh/id_rsa (deploy@serviceleadpages.com)
Verifying Docker and Setting Context.
remote
Successfully created context "remote"
NAME        DESCRIPTION                               DOCKER ENDPOINT                        ERROR
default *   Current DOCKER_HOST based configuration   unix:///var/run/docker.sock            
remote                                                ssh://deploy@serviceleadpages.com:22   
remote
Current context is now "remote"
Sourcing Environment File: ./envfile
  File: ./envfile
  Size: 57        	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 272938      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1001/ UNKNOWN)   Gid: (  118/ UNKNOWN)
Access: 2024-12-10 05:15:16.652585259 +0000
Modify: 2024-12-10 05:15:16.652585259 +0000
Change: 2024-12-10 05:15:16.652585259 +0000
Running register auth command.
WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Deploying Stack: serviceleadpages
Updating service serviceleadpages_traefik (id: taak9fzihztr0nv8xuiss8t1y)
Updating service serviceleadpages_web (id: eoi1e55lk60s721r0yfnfluob)
Updating service serviceleadpages_db (id: hwrdq8xw0ikl1kaeudo4l82i0)
Finished Success.
```
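
Added example, not part of this thread and not code from the action: `--with-registry-auth` forwards the registry credentials held by the Docker client that runs the deploy, so a preflight can confirm that this client's config has a login for each registry the stack file references. The function names are hypothetical, the key match over `config.json` is a heuristic, and Docker Hub images are assumed to be public.

```sh
#!/bin/sh
# Added example: preflight for `docker stack deploy --with-registry-auth`.
# Function names are hypothetical; this is not code from stack-deploy-action.

# Registry host an image reference resolves to (Docker Hub when none is named).
registry_of() {
    first="${1%%/*}"
    case "$first" in
        "$1")              echo "index.docker.io" ;;  # no "/": Hub image such as postgres:16
        *.*|*:*|localhost) echo "$first" ;;           # hostname, host:port or localhost
        *)                 echo "index.docker.io" ;;  # Hub namespace such as library/alpine
    esac
}

# Unique registries named on the `image:` lines of a stack file.
stack_registries() {
    sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" | tr -d "\"'" |
        while read -r ref; do registry_of "$ref"; done | sort -u
}

# Heuristic: true when the client config visible to THIS process has a key for
# the registry (an auths or credHelpers entry), bare or as an https:// URL.
has_login() {
    cfg="${DOCKER_CONFIG:-$HOME/.docker}/config.json"
    [ -f "$cfg" ] || return 1
    grep -Fq -e "\"$1\":" -e "\"https://$1\":" -e "\"https://$1/" "$cfg"
}

# Report every registry; fail if a non-Hub registry has no stored login.
# Assumption: Docker Hub images in the stack are public and need no login.
preflight() {
    missing=0
    for reg in $(stack_registries "$1"); do
        if [ "$reg" = "index.docker.io" ]; then
            echo "skip: $reg (assumed public)"
        elif has_login "$reg"; then
            echo "ok: login found for $reg"
        else
            echo "missing: no login for $reg in ${DOCKER_CONFIG:-$HOME/.docker}/config.json"
            missing=1
        fi
    done
    return "$missing"
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it as the same user and in the same environment as the deploy step, since it reads `DOCKER_CONFIG` or `$HOME/.docker/config.json` of the calling process.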

@jtwebman

Sorry about making another PR but it didn't make sense to keep the with_registry_auth flag anymore if you have to register then I know I now need to pass it. Still great work @PirateSeal!

@PirateSeal
Author
PirateSeal commented Dec 10, 2024

> Ok, I output the command; it did add it. So the login step must not work like a normal docker login call, hmmm. This was the command it outputs with my setup: `docker stack deploy -c "docker-stack.yaml" "serviceleadpages" --with-registry-auth`, which is exactly what works locally.

Hello, for the context, I assumed that the user that is used for the deployment is already logged in to the registry. I should have clarified it somewhere.

I don't think it is this task's job to authenticate to the registry every time you use it so I would keep it as a requirement.

@PirateSeal
Author

PR #9 works indeed better than mine, though I'd still add a test job to ensure proper functionality over time.

@jtwebman
jtwebman commented Dec 10, 2024

@PirateSeal The issue is the job makes a new docker context. So if we wanted to have a step to make the context, then use the login context and then the docker swarm deploy that would work and we could stick with your way because I do agree it is messy this way.

As for the test in #9, let me think about how to test this, as it really is just an eval. There isn't really much to test besides I ran what you gave me and I added the flag `--with-registry-auth`; anything else and now I am testing docker login and docker swarm itself.

@smashedr mentioned this pull request Feb 10, 2025
@smashedr
Member

I have created a new PR with my idea of how to implement authentication. If we still need or want to allow a custom registry_auth command to be passed, please let me know in that PR and I can add the functionality back. Since there were 2 PRs, I will be combining both here:

#13

@smashedr
Member

This feature was added in: #13

I took a slightly different approach vs an authentication command. Let me know if I left anything out!

https://github.com/cssnr/stack-deploy-action/releases/tag/v1.0.1

Thank you very much for the contribution and support. Please let me know if you run into any more issues...

@smashedr closed this Feb 11, 2025