Default to auth hard fail but optionally soft fail

2017-07-06 11:35:34 -07:00 · 2017-07-06 11:35:34 -07:00 · 2900f941b5
parent 08b452adf5
commit 2900f941b5
2 changed files with 13 additions and 1 deletions
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@ -158,6 +158,7 @@ type DockerDriverConfig struct {
 	LabelsRaw        []map[string]string `mapstructure:"labels"`             //
 	Labels           map[string]string   `mapstructure:"-"`                  // Labels to set when the container starts up
 	Auth             []DockerDriverAuth  `mapstructure:"auth"`               // Authentication credentials for a private Docker registry
+	AuthSoftFail     bool                `mapstructure:"auth_soft_fail"`     // Soft-fail if auth creds are provided but fail
 	TTY              bool                `mapstructure:"tty"`                // Allocate a Pseudo-TTY
 	Interactive      bool                `mapstructure:"interactive"`        // Keep STDIN open even if not attached
 	ShmSize          int64               `mapstructure:"shm_size"`           // Size of /dev/shm of the container in bytes
@ -400,6 +401,9 @@ func (d *DockerDriver) Validate(config map[string]interface{}) error {
 			"auth": &fields.FieldSchema{
 				Type: fields.TypeArray,
 			},
+			"auth_soft_fail": &fields.FieldSchema{
+				Type: fields.TypeBool,
+			},
 			// COMPAT: Remove in 0.6.0. SSL is no longer needed
 			"ssl": &fields.FieldSchema{
 				Type: fields.TypeBool,
@ -1082,7 +1086,11 @@ func (d *DockerDriver) createImage(driverConfig *DockerDriverConfig, client *doc
 func (d *DockerDriver) pullImage(driverConfig *DockerDriverConfig, client *docker.Client, repo, tag string) (id string, err error) {
 	authOptions, err := d.resolveRegistryAuthentication(driverConfig, repo)
 	if err != nil {
-		d.logger.Printf("[WARN] Failed to find docker auth for repo %q: %v", repo, err)
+		if d.driverConfig.AuthSoftFail {
+			d.logger.Printf("[WARN] Failed to find docker auth for repo %q: %v", repo, err)
+		} else {
+			return "", fmt.Errorf("Failed to find docker auth for repo %q: %v", repo, err)
+		}
 	}

 	if authIsEmpty(authOptions) {
--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
@ -64,6 +64,10 @@ The `docker` driver supports the following configuration in the job spec.  Only

 * `auth` - (Optional) Provide authentication for a private registry (see below).

+* `auth_soft_fail` `(bool: false)` - Fallback to public images if auth fails.
+  Disabled by default to avoid accidently looking up private images in a public
+  repo, but provided as a convenience.
+
 * `command` - (Optional) The command to run when starting the container.

    ```hcl