-
-
Notifications
You must be signed in to change notification settings - Fork 795
allow for docker registry password to be a file #2419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
"trigger.dev": patch | ||
--- | ||
|
||
Allow for DOCKER_REGISTRY_PASSWORD to be a file path |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -8,13 +8,13 @@ import { env } from "../env.js"; | |
import { getDockerHostDomain, getRunnerId, normalizeDockerHostUrl } from "../util.js"; | ||
import Docker from "dockerode"; | ||
import { tryCatch } from "@trigger.dev/core"; | ||
import { readFileSync } from "fs"; | ||
|
||
export class DockerWorkloadManager implements WorkloadManager { | ||
private readonly logger = new SimpleStructuredLogger("docker-workload-manager"); | ||
private readonly docker: Docker; | ||
|
||
private readonly runnerNetworks: string[]; | ||
private readonly auth?: Docker.AuthConfig; | ||
private readonly platformOverride?: string; | ||
|
||
constructor(private opts: WorkloadManagerOptions) { | ||
|
@@ -43,15 +43,21 @@ export class DockerWorkloadManager implements WorkloadManager { | |
username: env.DOCKER_REGISTRY_USERNAME, | ||
url: env.DOCKER_REGISTRY_URL, | ||
}); | ||
} else { | ||
this.logger.warn("🐋 No Docker registry credentials provided, skipping auth"); | ||
} | ||
} | ||
|
||
this.auth = { | ||
private auth(): Docker.AuthConfig | undefined { | ||
if (env.DOCKER_REGISTRY_USERNAME && env.DOCKER_REGISTRY_PASSWORD && env.DOCKER_REGISTRY_URL) { | ||
return { | ||
username: env.DOCKER_REGISTRY_USERNAME, | ||
password: env.DOCKER_REGISTRY_PASSWORD, | ||
password: getDockerPassword(), | ||
serveraddress: env.DOCKER_REGISTRY_URL, | ||
}; | ||
} else { | ||
this.logger.warn("🐋 No Docker registry credentials provided, skipping auth"); | ||
} | ||
|
||
return undefined; | ||
} | ||
|
||
async create(opts: WorkloadManagerCreateOptions) { | ||
|
@@ -162,7 +168,7 @@ export class DockerWorkloadManager implements WorkloadManager { | |
|
||
// Ensure the image is present | ||
const [createImageError, imageResponseReader] = await tryCatch( | ||
this.docker.createImage(this.auth, { | ||
this.docker.createImage(this.auth(), { | ||
fromImage: imageRef, | ||
...(this.platformOverride ? { platform: this.platformOverride } : {}), | ||
}) | ||
|
@@ -270,3 +276,32 @@ async function readAllChunks(reader: NodeJS.ReadableStream) { | |
} | ||
return chunks; | ||
} | ||
|
||
function getDockerPassword(): string | undefined { | ||
if (!env.DOCKER_REGISTRY_PASSWORD) { | ||
return undefined | ||
} | ||
if (!env.DOCKER_REGISTRY_PASSWORD.startsWith("file://")) { | ||
return env.DOCKER_REGISTRY_PASSWORD; | ||
} | ||
|
||
const passwordPath = env.DOCKER_REGISTRY_PASSWORD.replace("file://", ""); | ||
|
||
console.debug( | ||
JSON.stringify({ | ||
message: "🔑 Reading docker password from file", | ||
passwordPath, | ||
}) | ||
); | ||
|
||
try { | ||
const password = readFileSync(passwordPath, "utf8").trim(); | ||
return password; | ||
} catch (error) { | ||
console.error(`Failed to read docker password from file: ${passwordPath}`, error); | ||
throw new Error( | ||
`Unable to read docker password from file: ${error instanceof Error ? error.message : "Unknown error" | ||
}` | ||
); | ||
} | ||
} | ||
Comment on lines
+280
to
+307
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛠️ Refactor suggestion Don’t throw on password file read failure; use structured logging and return undefined Throwing here can crash the call site (see auth() comment). Prefer logging and returning undefined so the caller can skip auth. Also, use the project’s structured logger instead of console.* and fix minor style nits. Apply this diff: function getDockerPassword(): string | undefined {
if (!env.DOCKER_REGISTRY_PASSWORD) {
- return undefined
+ return undefined;
}
if (!env.DOCKER_REGISTRY_PASSWORD.startsWith("file://")) {
return env.DOCKER_REGISTRY_PASSWORD;
}
const passwordPath = env.DOCKER_REGISTRY_PASSWORD.replace("file://", "");
- console.debug(
- JSON.stringify({
- message: "🔑 Reading docker password from file",
- passwordPath,
- })
- );
+ moduleLogger.debug("🔑 Reading docker password from file", { passwordPath });
try {
const password = readFileSync(passwordPath, "utf8").trim();
return password;
} catch (error) {
- console.error(`Failed to read docker password from file: ${passwordPath}`, error);
- throw new Error(
- `Unable to read docker password from file: ${error instanceof Error ? error.message : "Unknown error"
- }`
- );
+ moduleLogger.error("Failed to read docker password from file", {
+ passwordPath,
+ error,
+ });
+ return undefined;
}
} Add this module-level logger once near the top of the file (outside the selected range): // Module-level logger for helpers outside the class
const moduleLogger = new SimpleStructuredLogger("docker-workload-manager"); 🤖 Prompt for AI Agents
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Synchronous throw from getDockerPassword can crash create() before tryCatch; handle errors inside auth()
this.auth() calls getDockerPassword(), which may throw. Because arguments are evaluated before awaiting tryCatch(this.docker.createImage(...)), any synchronous throw here will bypass tryCatch and bubble out of create(), potentially crashing the supervisor. Wrap resolution and guard against empty/undefined passwords.
Apply this diff:
📝 Committable suggestion
🤖 Prompt for AI Agents