Summary
The user is transitioning from GitHub Container Registry to Google Artifact Registry (GAR) and is experiencing issues with logging in from an Earthfile. They are looking for the correct authentication method for GAR, as the standard `docker login` does not work. Despite trying to authenticate with the Google Cloud SDK, they are unable to push images to GAR. The user has encountered errors when passing JSON credentials directly, so they encoded the credentials in base64 and shared a code snippet of their method. They express a need for professional guidance and plan to discuss the issue in a meeting later that day.
jw
Still no dice. <@U035VU5K46Q> <@U01EDDAJGFK> - we are meeting later today anyway so let’s talk about it then, but this is precisely why I need professional guidance :pray:
jw
Yep, already tried that as well. You cannot pass the json directly because the format will trigger some errors. I had to encode it in base64, with something like:
```
run: |
  echo "GCLOUD_CREDENTIALS_FILE=$(jq -c . "${{ steps.gauth.outputs.credentials_file_path }}" | base64)" >> $GITHUB_ENV
```
then call earthly:
```earthly --secret GCLOUD_CREDENTIALS_JSON=$GCLOUD_CREDENTIALS_FILE blah blah```
Inside the Earthfile,
```
RUN echo "hello"
RUN --secret GCLOUD_CREDENTIALS_JSON echo "$GCLOUD_CREDENTIALS_JSON" | base64 --decode > /tmp/decoded_credentials.json
RUN --secret GCLOUD_CREDENTIALS_JSON gcloud auth activate-service-account --key-file /tmp/decoded_credentials.json
RUN rm /tmp/decoded_credentials.json
```
nacho
> The article is not very specific though - how do I get access to `key.json` from within Earthly?
Hi Jiuguang, you could pass your `key.json` through a <https://docs.earthly.dev/docs/guides/secrets|secret>. Something like:
```RUN --secret=GCP_KEY echo $GCP_KEY > /test/key.json```
nacho
> The article is not very specific though - how do I get access to `key.json` from within Earthly?
> RUN --secret=GCP_KEY=gcp/ci-cd-key \
>     echo $GCP_KEY > key.json
>
> RUN gcloud auth activate-service-account --key-file /test/key.json
nacho
Hi Jiuguang, let me TAL, and I will come back to you
jw
The article mentions (in the IAM section), this line: ```RUN gcloud auth activate-service-account --key-file /test/key.json``` The article is not very specific though - how do I get access to `key.json` from within Earthly?
jw
But Earthly at the very end cannot push the image to GAR
jw
Unfortunately this didn’t work. I’m doing something like:
```
- id: gauth
  uses: 'google-github-actions/auth@v2'
  with:
    workload_identity_provider: ${{ vars.GOOGLE_WORKLOAD_IDENTITY_PROVIDER }}
    service_account: ${{ vars.GOOGLE_DEFAULT_CI_SERVICE_ACCOUNT }}
    create_credentials_file: true
- name: Set up Google Cloud SDK
  uses: 'google-github-actions/setup-gcloud@v2'
- name: Save gcloud service account credentials
  run: |
    gcloud auth configure-docker us-docker.pkg.dev
- name: Build and Push amd64 Docker
  run: |
    earthly --allow-privileged --ci --push --secret GITHUB_TOKEN=${{ secrets.PAT_SECRET }} \
      +build-dmm-docker-amd64 \
      --DOCKER_METADATA_TAG=${{ needs.extract_docker_image_tag.outputs.tag }}
```
brandon
Hi <@U062TUKQURM> authentication with registries usually involves a `docker login` on the host, then earthly automatically passes the credentials through to the build. We also have a doc here on using Google Artifact Registry with Earthly: https://docs.earthly.dev/docs/guides/configuring-registries/gcp-artifact-registry
Does that help?
jw
I’m not sure what is the recommended way for GAR and would appreciate guidance. Thanks!
jw
My Earthfile is generating a Docker image, that I would like to publish to GitHub Container Registry and Google Artifacts Registry simultaneously. We used GHCR for a while and it works fine, but we are trying to switch to GAR. I have something like:
```
FROM +blah
ARG DOCKER_METADATA_TAG=default-tag
SAVE IMAGE --push ghcr.io/blah/dmm_amd64:$DOCKER_METADATA_TAG
SAVE IMAGE --push us-docker.pkg.dev/blah/starfish/dmm_amd64:$DOCKER_METADATA_TAG
```
Is there an example of how I can log into GAR from within the Earthfile?
For example, to authenticate with GHCR, I am passing in the GitHub PAT token. For example,
```
earthly --allow-privileged --ci --push --secret GITHUB_TOKEN=${{ secrets.PAT_SECRET }} \
  +build-dmm-docker-arm64
```
Inside the Earthfile, I have:
```RUN --secret GITHUB_TOKEN echo "machine github.com login $GITHUB_TOKEN" > $HOME/.netrc```