Add ECR credential provider #5
Conversation
|
An easier way to test this I think would be to adjust the drone pipeline to push a git-hash image to our registry. Then we can use the |
It was already doing this but only for pushes to |
Dockerfile
Outdated
| ENV HOME=/buildah | ||
| RUN mkdir -m 777 -p $HOME/.docker | ||
| RUN chown -R app $HOME |
There was a problem hiding this comment.
We don't need to manage HOME and these permissions would be bad anyway.
/home/build already exists for the build user and /home/app exists for the app user so just consume the default home of whichever user we settle on.
There was a problem hiding this comment.
Oh thanks, I didn't bother looking at the upstream quay.io/buildah/stable Containerfile till now. Good catch.
Updated to use USER build because it seems the reference image already sets up all the necessary permissions subuid, subgid for that user so we don't need to repeat for another user.
Adds the
amazon-ecr-credential-helperto the container image.ECR
access-keyandsecret-keywill be set as environment variables, and the credential helper will do the work when executing any buildah command.buildah loginis not needed.Testing
I spun up minikube to have a working registry.example.com
The seccomp.json is from here and is needed for docker because of this
Alternatively, testing with podman, you don't need seccomp.json
I'll post more details on how to test in slack