Docker's registry password #3304

Closed
krismarc opened this issue May 31, 2023 · 10 comments

@krismarc

Dear Community,

Just today, I've learnt the docker image is pulled each time the app is getting restarted. Somehow I thought it works like with droplets and those are internally stored within CF until the next app deployment.

It means, if the password is changed the app can't be successfully restarted anymore.

I've also learnt about your recommendation about using 2 passwords. I can imagine this while using registry protected by secrets like in Azure or so. https://docs.cloudfoundry.org/devguide/deploy-apps/push-docker.html#private-repo

However, our internal registry is AD protected and there's no option to configure secondary password for the same user.

Imagine, we have hundreds of applications deployed this way and all of them are using the same user to access the registry. If the password would be changed we are in trouble.

Is there any option to address this? A magic way to update the password on existing app without re-pushing it? I couldn't find such an option using cf cli nor v3 api. I assume it's somehow internally stored within CF because initial password is passed only once when pushing the app as a variable CF_DOCKER_PASSWORD=YOUR-PASSWORD

eg. a direct update on the database level?

Looking forward to your support. Thank you.

Best regards,
K.M.

@johha
Contributor

johha commented Jun 6, 2023

Just a quick thought on this, have you tried updating the package? The package object has a field data.password for docker images. If you update the password of the corresponding app package the new password should be used during the next restart. The endpoint can be called e.g. with cf curl.

@krismarc
Author

krismarc commented Jun 6, 2023

Thanks! That's exactly what I am looking for (not sure how I missed it there). There's no payload example with those parameters. However, I believe I will handle that. I'll test it tomorrow and let you know.

btw, the documentation is a little bit confusing then. Actually, if it works, then there is a different option than re-pushing the app.

@krismarc
Author

krismarc commented Jun 7, 2023

Unfortunately, seems to be not supported.

{
   "errors": [
      {
         "detail": "Unknown field(s): 'data'",
         "title": "CF-UnprocessableEntity",
         "code": 10008
      }
   ]
}

even in api documentation optional parameters are just about metadata keys

Optional parameters

| Name | Type | Description |
| --- | --- | --- |
| metadata.labels | label object | Labels applied to the package |
| metadata.annotations | annotation object | Annotations applied to the package |

@krismarc
Author

krismarc commented Jun 7, 2023

I'm not a Ruby expert but I assume having this supported shouldn't be a big deal if there are no 'conceptional' blockers.

package.docker_password = docker_data.password

def update(package, message)

I assume, more or less the same is done if it comes to eg. app rename

def update(app, message, lifecycle)

Is there anyone here who could comment on this?

@johha
Contributor

johha commented Jun 7, 2023

Looks like you could update docker credentials in the v2 API with a PUT /v2/apps/<guid> request. Implementation: https://github.com/cloudfoundry/cloud_controller_ng/blob/main/app/actions/v2/app_update.rb#L102-L110
@sethboyles @Gerg @moleske Any thoughts on this?

@krismarc
Author

krismarc commented Jun 7, 2023

@johha it worked! you're my hero :)
I assume this should be re-implemented in v3 as well, no?

@johha
Contributor

johha commented Jun 7, 2023

Let's see what some other contributors think. Maybe there was a reason for removing it in v3.

@Gerg
Member

Gerg commented Jun 14, 2023

I'm guessing this was just an oversight when implementing v3. It seems reasonable that we could support this on v3.

That said, docker packages are just references to the image in a remote repository, so not sure that re-pushing the app is that different from updating its package. You aren't uploading anything as part of the push process.

@sethboyles
Member

We'd be happy to review a PR that updates v3 to support this.

kathap added a commit to sap-contributions/cloud_controller_ng that referenced this issue Oct 10, 2023
CAPI issue: cloudfoundry#3304
Missing v3 feature parity.

PATCH /v3/packages/:guid should allow to update docker registry credentials.

This change adds the possibility to update the docker credentials via
PATCH /v3/packages/:guid
kathap added a commit to sap-contributions/cloud_controller_ng that referenced this issue Oct 18, 2023
kathap added a commit to sap-contributions/cloud_controller_ng that referenced this issue Oct 19, 2023
@kathap
Contributor

kathap commented Nov 6, 2023

PR to support updating docker registry credentials can be found here: #3467

kathap added a commit to sap-contributions/cloud_controller_ng that referenced this issue Nov 7, 2023
@johha johha closed this as completed Nov 14, 2023
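
Added example, not part of the thread or of cloud_controller_ng: for the case described in the opening post (many apps pulling with one registry user), this builds the per-package `PATCH /v3/packages/:guid` requests from a package listing and redacts the password before anything is logged. The listing and all names in it are constructed, and the top-level `username`/`password` request body is an assumption about the endpoint, which this page does not spell out.

```python
import json

# Constructed sample shaped like a GET /v3/packages listing (not real data).
SAMPLE_LISTING = json.loads("""
{"resources": [
  {"guid": "pkg-1", "type": "docker", "data": {
    "image": "registry.example.internal/team/api:1.4",
    "username": "svc-cf-pull", "password": "***"}},
  {"guid": "pkg-2", "type": "docker", "data": {
    "image": "registry.example.internal/team/web:2.0",
    "username": "other-user", "password": "***"}},
  {"guid": "pkg-3", "type": "docker", "data": {
    "image": "library/nginx:1.25", "username": null, "password": null}},
  {"guid": "pkg-4", "type": "bits", "data": {}},
  {"guid": "pkg-5", "type": "docker", "data": {
    "image": "registry.example.internal/batch/job:7",
    "username": "svc-cf-pull", "password": "***"}}
]}
""")

def registry_host(image):
    """Registry host of an image reference; references without one mean Docker Hub."""
    first = image.split("/", 1)[0]
    has_host = "/" in image and ("." in first or ":" in first or first == "localhost")
    return first if has_host else "docker.io"

def plan_rotation(listing, registry, username, new_password):
    """Return (path, body) pairs for docker packages that pull from `registry`
    as `username`; other users, registries and package types are skipped."""
    plan = []
    for pkg in listing["resources"]:
        data = pkg.get("data") or {}
        if pkg.get("type") != "docker" or data.get("username") != username:
            continue
        if registry_host(data.get("image") or "") != registry:
            continue
        # Assumed body shape: top-level username/password (not confirmed on this page).
        body = {"username": username, "password": new_password}
        plan.append((f"/v3/packages/{pkg['guid']}", body))
    return plan

def redact(body):
    """Copy of a request body that is safe to log."""
    return {k: ("***" if k == "password" else v) for k, v in body.items()}

if __name__ == "__main__":
    # Constructed placeholder; a real run would read the secret from a prompt or vault.
    for path, body in plan_rotation(SAMPLE_LISTING, "registry.example.internal",
                                    "svc-cf-pull", "constructed-placeholder"):
        print("PATCH", path, json.dumps(redact(body)))
```

Each body can be written to a file readable only by the operator and sent with `cf curl -X PATCH <path> -d @<file>`, which keeps the password out of the process list and shell history.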