In the context of the project docker/build-push-action, authentication refers to the process of providing necessary credentials to access Docker registries. The action supports multiple authentication methods, which are explored below.
Authentication methods
OIDC (OpenID Connect)
OpenID Connect is an authentication protocol built on top of the OAuth 2.0 framework. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server.
To use OIDC with the Docker build-push action, you can follow the HashiCorp Boundary documentation to create an OIDC auth method.
Example command:
# -api-url-prefix is the public address of the Boundary controller (used to build the OIDC callback URL);
# client-secret-hmac is a read-only attribute, so the secret is supplied with -client-secret
boundary auth-methods create oidc -scope-id global -name "OIDC Auth Method" -api-url-prefix "https://your-auth-server.com" -issuer "https://your-openid-provider.com" -client-id "your-client-id" -client-secret "your-client-secret"
AppRole
AppRole is a Vault auth method that allows you to authenticate to Vault using a role ID and a secret ID. The secret ID can be distributed securely to clients, and the role ID is used to identify the role that the client is assuming.
To use AppRole with the Docker build-push action, you can follow the HashiCorp Vault documentation to create an AppRole auth method.
Example command:
vault auth enable approle
vault write auth/approle/role/my-role \
    secret_id_num_uses=1 \
    secret_id_ttl="1h" \
    token_num_uses=1 \
    token_ttl="1h" \
    token_max_ttl="2h" \
    token_policies="default"
Basic Auth
Basic Auth is a simple authentication scheme built into the HTTP protocol. It sends a username and password in the Authorization header as the Base64 encoding of username:password; Base64 is an encoding, not encryption, so the credentials are only protected if the connection uses TLS.
To use Basic Auth with the Docker build-push action, you can follow the Grafana Agent documentation to set up Basic Auth.
Example configuration:
basic_auth:
  username: "your-username"
  password: "your-password"
Managing authentication tokens
To manage authentication tokens in your workflow, you can use the GithubCredentialsProvider interface provided by the Backstage Software Catalog and Developer Platform. This interface allows you to provide a custom implementation for obtaining credentials for the GitHub API.
Example TypeScript code:
import {
  GithubCredentials,
  GithubCredentialsProvider,
} from '@backstage/integration';

// The interface is exported by @backstage/integration (not the scaffolder backend)
// and resolves to a token plus the headers to send, not a username/password pair.
class CustomCredentialsProvider implements GithubCredentialsProvider {
  async getCredentials(opts: { url: string }): Promise<GithubCredentials> {
    // Implement your custom logic for obtaining a token for opts.url here,
    // e.g. read it from a secret store rather than hard-coding it.
    const token = process.env.GITHUB_TOKEN ?? '';
    return {
      type: 'token',
      token,
      headers: { Authorization: `Bearer ${token}` },
    };
  }
}
Enabling MFA
To enable multi-factor authentication (MFA) for your auth methods, you can follow the HashiCorp Vault documentation to set up MFA for your Vault auth methods.
Example command:
# Login MFA: create a TOTP method, then enforce it on the auth method (the accessor comes from `vault auth list`)
vault write identity/mfa/method/totp issuer="Vault" period=30 algorithm=SHA256 digits=6
vault write identity/mfa/login-enforcement/your-mfa-enforcement \
    mfa_method_ids="<method_id_returned_by_previous_command>" \
    auth_method_accessors="<auth_method_accessor>"
Using OpenID Connect as an OAuth 2.0 authentication provider
To use OpenID Connect as an OAuth 2.0 authentication provider with GitLab, you can follow the GitLab documentation to set up OpenID Connect as an authentication provider.
Example configuration:
provider:
  openid_connect:
    label: "OpenID Connect"
    icon: "<custom_provider_icon>"
    args:
      name: "openid_connect"
      strategy_class: "OmniAuth::Strategies::OpenIDConnect"
      scope: [ "openid", "profile", "email" ]
      response_type: "code"
      issuer: "<your_oidc_url>"
      discovery: true
      client_auth_method: "query"
      uid_field: "<uid_field>"
      send_scope_to_token_endpoint: "false"
      pkce: true
      client_options:
        identifier: "<your_oidc_client_id>"
        secret: "<your_oidc_client_secret>"
        redirect_uri: "<your_gitlab_url>/users/auth/openid_connect/callback"
Enabling auth methods in Vault
To enable an auth method in Vault, you can use the sys/auth endpoint; the CLI wrapper for it is vault auth enable.
Example command:
vault auth enable -path=my-auth-path approle
Using AppRole with constraints
To use AppRole with constraints, you can follow the HashiCorp Vault documentation to set up constraints for your AppRole auth method.
Example command:
# Path capabilities belong in a policy, not in the role definition
# (use secret/data/... instead of secret/... for a KV v2 mount)
vault policy write my-role-policy - <<EOF
path "secret/*" {
  capabilities = ["update"]
}
path "secret/my-secret" {
  capabilities = ["read", "update", "delete"]
}
EOF
# AppRole constraints: require a secret ID and bind the secret ID and the
# resulting token to the network the client logs in from (example CIDR)
vault write auth/approle/role/my-role \
    secret_id_num_uses=1 \
    secret_id_ttl="1h" \
    token_num_uses=1 \
    token_ttl="1h" \
    token_max_ttl="2h" \
    token_policies="my-role-policy" \
    bind_secret_id=true \
    secret_id_bound_cidrs="10.0.0.0/24" \
    token_bound_cidrs="10.0.0.0/24"
Authenticating to GitHub Actions
When using GitHub Actions, authentication is handled by the CI platform, and you can transitively gain write access to the repository safely. However, if you need to authenticate to other providers like Bitbucket Cloud, Jenkins, or GitLab, you will need to pay more attention to authentication configurations.
Pushing to a registry
To push to a registry using the oras command, you can use the oras push command.
Example command:
# oras push takes the full reference first, then the file(s) to upload;
# --password-stdin keeps the secret out of the process list and shell history
printf '%s' "$REGISTRY_PASSWORD" | oras push your-registry-url/your-image-name:your-tag ./your-artifact.txt --username your-username --password-stdin
Authenticating to Apache Pulsar
To authenticate to Apache Pulsar using KEDA, you can use the authModes parameter.
Example configuration:
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: my-pulsar-consumer
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-pulsar-consumer
  triggers:
    - type: pulsar
      metadata:
        adminURL: "https://your-pulsar-admin-url"
        topic: "persistent://public/default/your-topic"
        subscription: "your-subscription"
        authModes: "bearer"
      authenticationRef:
        # TriggerAuthentication whose secretTargetRef maps the bearerToken
        # parameter to a Kubernetes Secret; the token never appears in this object
        name: pulsar-trigger-auth
Deploying a Git repository using Flux
To deploy a Git repository using Flux, you can follow the GitLab documentation to set up a protected deployment branch and configure GitLab CI/CD to push to your branch.
Example .gitlab-ci.yml file:
deploy:
  stage: deploy
  environment:
    name: production
  variables:
    DEPLOYMENT_BRANCH: _gitlab/deploy/example
  script:
    - |
      git config user.name "Deploy Example Bot"