Kevin, are you suggesting option 2 and having a config file like the above?
I think another downside of a per-agent config is that it's hard to
maintain this. What if a new framework joins and has a new credential for
the docker images. Do we need to restart the agent to reload the config?
- Jie
On Tue, Mar 15, 2016 at 1:25 PM, Kevin Klues <klue...@gmail.com> wrote:
> Can we be a bit more concrete here and try to build up a schema for this.
> Maybe something like:
>
> {
> [
> {
> "service" : "docker",
> "registries" :
> [
> "uri" : "<uri>",
> "default_credentials" :
> {
> "type" : "<type>",
> "credential" :
> {
> // Custom based on type...
> }
> },
> "image_credentials" :
> [
> {
> "image_name" : "<image_name>",
> "type" : "<type>",
> "credential" :
> {
> // Custom based on type...
> },
> },
> ...
> ],
> ...
> ]
> ...
> },
> ...
> ]
> }
>
>
> On Tue, Mar 15, 2016 at 12:57 PM, Jie Yu <yujie....@gmail.com> wrote:
> >>
> >> Yeah I was thinking having the JSON as a dictionary with keys being the
> >> registry URI (appc/docker) and the values being credentials (which will
> be
> >> a dictionary as well I guess).
> >
> >
> > Using registry URI as the key is problematic. Think about the public
> docker
> > hub. Different frameworks might want to use different credentials to
> access
> > their docker images.
> >
> > - Jie
> >
> > On Tue, Mar 15, 2016 at 11:52 AM, Avinash Sridharan <
> avin...@mesosphere.io
> >
> > wrote:
> >
> >> On Tue, Mar 15, 2016 at 11:43 AM, Vinod Kone <vinodk...@apache.org>
> wrote:
> >>
> >> > moved core@ to *bcc*
> >> >
> >> > On Tue, Mar 15, 2016 at 11:18 AM, Avinash Sridharan <
> >> avin...@mesosphere.io
> >> > > wrote:
> >> >
> >> >> Why not follow option 2, but instead of passing the agent
> credentials,
> >> >> pass a location to the flag where credentials for the registry can be
> >> found
> >> >> (in JSON)? The frameworks can set credentials (maybe registry name or
> >> URL
> >> >> to the registry), and the credentials can be learnt from the JSON
> >> config.
> >> >>
> >> >
> >> > What if we need credentials for multiple-registries? Have a JSON with
> one
> >> > credential per registry I guess? But if possible, I would love to
> solve
> >> > this more generally as possible; as Gilbert mentioned, this is not a
> >> > problem just for Docker images but any URIs that need AuthN.
> >> >
> >> Yeah I was thinking having the JSON as a dictionary with keys being the
> >> registry URI (appc/docker) and the values being credentials (which will
> be
> >> a dictionary as well I guess).
> >>
> >>
> >> --
> >> Avinash Sridharan, Mesosphere
> >> +1 (323) 702 5245
> >>
>
>
>
> --
> ~Kevin
>
