Struggling with configuring authentication for proxy registry

[StefanKock]

Hello,

We would like to use this tool to funnel access to public repositories over our own proxy registry (which is a Harbor instance). The purpose of our proxy registry is to handle authentication towards Dockerhub etc. and to cache artifacts to be resilient against downtimes or artifact removal of registries outside our control.

harbor-container-webhook looks to be exactly we need, but we struggle to set up the authentication against our proxy registry.

Challenges:

1. We don't want/need checkUpstream: true because the access to the upstream repo is often restricted by rate limit, auth, paywall or firewall.
2. We struggle to have authSecretName in the correct format. Providing a working example in the documentation would be helpful.
3. We set authSecretName but it seems to be only in use with checkUpstream: true (see code). Is this correct? Why? Can it be changed?
4. We are confused if authSecretName is used for the matched repo (upstream) or the replaced repo (own proxy).

It would be helpful to get some guidance on this.

[cnmcavoy]

The secret needs to be a docker auth secret and needs to look like this: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#log-in-to-docker-hub

The example there should be what your secret contents look like:

{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "c3R...zE2"
        }
    }
}

The private registry in the secret is what will be matched on for the rewritten (replaced) repo.

[paretl]

Hello, about point 3 of @StefanKock

It could be awesome if the mutating webhook also change the imagePullSecrets parameter on the pod by using the authSecretName that we inject

In the current state, we have to change the imagePullSecrets everywhere the registry is changed

What do you think about that @cnmcavoy ?

[NelsonIg]

Hello, about point 3 of @StefanKock

It could be awesome if the mutating webhook also change the imagePullSecrets parameter on the pod by using the authSecretName that we inject

In the current state, we have to change the imagePullSecrets everywhere the registry is changed

What do you think about that @cnmcavoy ?

It would be helpful to mention this in the documentation if not done already. Thanks for the information.

[paretl]

@cnmcavoy I am preparing a PR with this change

Hello, about point 3 of @StefanKock

It could be awesome if the mutating webhook also change the imagePullSecrets parameter on the pod by using the authSecretName that we inject

In the current state, we have to change the imagePullSecrets everywhere the registry is changed

What do you think about that @cnmcavoy ?