feature request: docker registry secret backend

[blacktop]

It would be great to be able to use vault in front of the private docker registry to control revokable access to read/push to certain images/groups. It could work in conjunction with the LDAP auth backend to add/remove a user from access to push as well as you could use AppID to allow CI/CD to push images after successful builds.

This would be HUGE in enterprise where people are just now getting started with on-prem docker.

Thank you.

NOTE: it would also prevent the users LDAP/Kerb creds from being stored as a Base64 string in a .docker folder in their home directory 😉 #securitywin

[CpuID]

Big +1

[pedroadame]

Huge +1

[djenriquez]

Any progress on this?

[simongottschlag]

+1 for this one, would be great

[dbellinghoven]

Hi there, I'm not entirely sure if this is what you all have been looking for you may find this tool useful:
https://github.com/morningconsult/docker-credential-vault-login/

[simongottschlag]

Hi there, I'm not entirely sure if this is what you all have been looking for you may find this tool useful:
https://github.com/morningconsult/docker-credential-vault-login/

Cool! I was more thinking about making a Secret Engine that generates temporary credentials using Vault. Maybe working together with something like: https://github.com/cesanta/docker_auth

[CpuID]

Maybe working together with something like: https://github.com/cesanta/docker_auth

this feels like it might work, the only feasible way I can see though would be:

• vault -> temp credentials -> some storage engine in https://github.com/cesanta/docker_auth ?
• the only storage "engine"/s where https://github.com/cesanta/docker_auth actually stores credentials (vs checking them against an external system), that have an ability to interact with them from an existing Vault secrets engine would be:
  • static list of users (?)
  • OpenLDAP

---

I thought about the idea of the Docker Registry authenticating against Vault using OIDC/Token Auth, but I think that's not the right "type" of auth plugin/backend (auth instead of secret?).

https://docs.docker.com/registry/spec/auth/jwt/

https://www.vaultproject.io/docs/auth/jwt

Pretty sure the https://github.com/cesanta/docker_auth approach (with an appropriate place to store the temp generated credentials) is probably the better answer.

[CpuID]

Bunch of feature requests on https://github.com/cesanta/docker_auth for "where to store credentials" (which Vault would generate + insert over there via $somemethod):

MySQL

CouchDB

In addition to the suggested Static List of Users + OpenLDAP mentioned above.

Static List of Users is actually YAML it seems - you'd want to have some (separate?) file that Vault can manipulate that https://github.com/cesanta/docker_auth can read to make it work I suspect. Would avoid the dependence on any specific database/storage implementation...

[Zenithar]

I started one, really alpha state, it's my first vault-plugins - https://github.com/zntrio/vault-secret-engine-docker-registry