watchtower/docs/private-registries.md

Watchtower supports private Docker image registries. In many cases, accessing a private registry
requires a valid username and password (i.e., _credentials_). In order to operate in such an
environment, watchtower needs to know the credentials to access the registry. 

The credentials can be provided to watchtower in a configuration file called `config.json`.
There are two ways to generate this configuration file:

* The configuration file can be created manually.
* Call `docker login <REGISTRY_NAME>` and share the resulting configuration file.

### Create the configuration file manually
Create a new configuration file with the following syntax and a base64 encoded username and
password `auth` string:

```json
{
    "auths": {
        "<REGISTRY_NAME>": {
            "auth": "XXXXXXX"
        }
    }
}
```

`<REGISTRY_NAME>` needs to be replaced by the name of your private registry
(e.g., `my-private-registry.example.org`)

The required `auth` string can be generated as follows:
```bash
echo -n 'username:password' | base64
```

> ### ℹ️ Username and Password for GCloud
>
> For gcloud, we'll use `__json_key` as our username and the content
> of `gcloudauth.json` as the password.

When the watchtower Docker container is started, the created configuration file
(`<PATH>/config.json` in this example) needs to be passed to the container:

```bash
docker run [...] -v <PATH>/config.json:/config.json containrrr/watchtower
```

### Share the Docker configuration file
To pull an image from a private registry, `docker login` needs to be called first, to get access
to the registry. The provided credentials are stored in a configuration file called `<PATH_TO_HOME_DIR>/.docker/config.json`.
This configuration file can be directly used by watchtower. In this case, the creation of an
additional configuration file is not necessary.

When the Docker container is started, pass the configuration file to watchtower:

```bash
docker run [...] -v <PATH_TO_HOME_DIR>/.docker/config.json:/config.json containrrr/watchtower
```

When creating the watchtower container via docker-compose, use the following lines:

```yaml
version: "3"
[...]
watchtower:
  image: index.docker.io/containrrr/watchtower:latest
  volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - <PATH_TO_HOME_DIR>/.docker/config.json:/config.json
[...]
```

## Credential helpers
Some private Docker registries (the most prominent probably being AWS ECR) use non-standard ways of authentication.
To be able to use this together with watchtower, we need to use a credential helper.

To keep the image size small we've decided to not include any helpers in the watchtower image, instead we'll put the
helper in a separate container and mount it using volumes.

### Example
Example implementation for use with [amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper):

```Dockerfile
FROM golang:latest

ENV CGO_ENABLED 0
ENV REPO github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login

RUN go get -u $REPO

RUN rm /go/bin/docker-credential-ecr-login

RUN go build \
  -o /go/bin/docker-credential-ecr-login \
  /go/src/$REPO

WORKDIR /go/bin/
```

and the docker-compose definition:
```yaml
version: "3"

services:
  watchtower:
    image: index.docker.io/containrrr/watchtower:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - <PATH_TO_HOME_DIR>/.docker/config.json:/config.json
      - helper:/go/bin
    environment:
      - HOME=/
      - PATH=$PATH:/go/bin
      - AWS_REGION=<AWS_REGION>
      - AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY>
      - AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
volumes:
  helper: {}
```

and for `<PATH_TO_HOME_DIR>/.docker/config.json`:
```json
  {
    "HttpHeaders" : {
      "User-Agent" : "Docker-Client/19.03.1 (XXXXXX)"
    },
    "credsStore" : "osxkeychain",
    "auths" : {
      "xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : {},
      "https://index.docker.io/v1/": {}
    },
    "credHelpers": {
      "xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : "ecr-login",
      "index.docker.io": "osxkeychain"
    }
  }
```

*Note:* `osxkeychain` can be changed to your preferred credentials helper.
add additional note on gcloud credentials 2020-03-28 21:05:59 +02:00			`Watchtower supports private Docker image registries. In many cases, accessing a private registry`
			`requires a valid username and password (i.e., _credentials_). In order to operate in such an`
			`environment, watchtower needs to know the credentials to access the registry.`
Documented private registries 2019-12-25 22:58:19 +02:00
add additional note on gcloud credentials 2020-03-28 21:05:59 +02:00			The credentials can be provided to watchtower in a configuration file called `config.json`.
			`There are two ways to generate this configuration file:`
Documented private registries 2019-12-25 22:58:19 +02:00
			`* The configuration file can be created manually.`
Update private-registries.md 2019-12-25 22:59:10 +02:00			* Call `docker login <REGISTRY_NAME>` and share the resulting configuration file.
Documented private registries 2019-12-25 22:58:19 +02:00
			`### Create the configuration file manually`
add additional note on gcloud credentials 2020-03-28 21:05:59 +02:00			`Create a new configuration file with the following syntax and a base64 encoded username and`
			password `auth` string:

Documented private registries 2019-12-25 22:58:19 +02:00			```json
			`{`
			`"auths": {`
Update private-registries.md 2019-12-25 22:59:10 +02:00			`"<REGISTRY_NAME>": {`
Documented private registries 2019-12-25 22:58:19 +02:00			`"auth": "XXXXXXX"`
			`}`
			`}`
			`}`
			```

add additional note on gcloud credentials 2020-03-28 21:05:59 +02:00			`<REGISTRY_NAME>` needs to be replaced by the name of your private registry
			(e.g., `my-private-registry.example.org`)
Documented private registries 2019-12-25 22:58:19 +02:00
			The required `auth` string can be generated as follows:
			```bash
			`echo -n 'username:password' \| base64`
			```

add additional note on gcloud credentials 2020-03-28 21:05:59 +02:00			`> ### ℹ️ Username and Password for GCloud`
			`>`
			> For gcloud, we'll use `__json_key` as our username and the content
			> of `gcloudauth.json` as the password.

			`When the watchtower Docker container is started, the created configuration file`
			(`<PATH>/config.json` in this example) needs to be passed to the container:

Documented private registries 2019-12-25 22:58:19 +02:00			```bash
			`docker run [...] -v <PATH>/config.json:/config.json containrrr/watchtower`
			```

			`### Share the Docker configuration file`
add additional note on gcloud credentials 2020-03-28 21:05:59 +02:00			To pull an image from a private registry, `docker login` needs to be called first, to get access
			to the registry. The provided credentials are stored in a configuration file called `<PATH_TO_HOME_DIR>/.docker/config.json`.
			`This configuration file can be directly used by watchtower. In this case, the creation of an`
			`additional configuration file is not necessary.`
Documented private registries 2019-12-25 22:58:19 +02:00
			`When the Docker container is started, pass the configuration file to watchtower:`
add additional note on gcloud credentials 2020-03-28 21:05:59 +02:00
Documented private registries 2019-12-25 22:58:19 +02:00			```bash
			`docker run [...] -v <PATH_TO_HOME_DIR>/.docker/config.json:/config.json containrrr/watchtower`
			```

			`When creating the watchtower container via docker-compose, use the following lines:`
add additional note on gcloud credentials 2020-03-28 21:05:59 +02:00
Documented private registries 2019-12-25 22:58:19 +02:00			```yaml
			`version: "3"`
			`[...]`
			`watchtower:`
			`image: index.docker.io/containrrr/watchtower:latest`
			`volumes:`
			`- /var/run/docker.sock:/var/run/docker.sock`
			`- <PATH_TO_HOME_DIR>/.docker/config.json:/config.json`
			`[...]`
			```

			`## Credential helpers`
			`Some private Docker registries (the most prominent probably being AWS ECR) use non-standard ways of authentication.`
add information on how to use credential helpers 2019-08-23 14:07:09 +02:00			`To be able to use this together with watchtower, we need to use a credential helper.`

			`To keep the image size small we've decided to not include any helpers in the watchtower image, instead we'll put the`
			`helper in a separate container and mount it using volumes.`

			`### Example`
			`Example implementation for use with [amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper):`

			```Dockerfile
			`FROM golang:latest`

			`ENV CGO_ENABLED 0`
			`ENV REPO github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login`

			`RUN go get -u $REPO`

			`RUN rm /go/bin/docker-credential-ecr-login`

			`RUN go build \`
			`-o /go/bin/docker-credential-ecr-login \`
			`/go/src/$REPO`

			`WORKDIR /go/bin/`
			```

			`and the docker-compose definition:`
			```yaml
			`version: "3"`

			`services:`
			`watchtower:`
			`image: index.docker.io/containrrr/watchtower:latest`
			`volumes:`
			`- /var/run/docker.sock:/var/run/docker.sock`
			`- <PATH_TO_HOME_DIR>/.docker/config.json:/config.json`
			`- helper:/go/bin`
			`environment:`
			`- HOME=/`
			`- PATH=$PATH:/go/bin`
			`- AWS_REGION=<AWS_REGION>`
			`- AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY>`
			`- AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>`
			`volumes:`
			`helper: {}`
			```

Added full path to config file 2019-12-25 11:47:57 +02:00			and for `<PATH_TO_HOME_DIR>/.docker/config.json`:
Changed codeblock language 2019-12-25 14:29:38 +02:00			```json
add information on how to use credential helpers 2019-08-23 14:07:09 +02:00			`{`
			`"HttpHeaders" : {`
			`"User-Agent" : "Docker-Client/19.03.1 (XXXXXX)"`
			`},`
Update credential-helpers.md 2019-12-25 14:32:39 +02:00			`"credsStore" : "osxkeychain",`
add information on how to use credential helpers 2019-08-23 14:07:09 +02:00			`"auths" : {`
			`"xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : {},`
			`"https://index.docker.io/v1/": {}`
			`},`
			`"credHelpers": {`
			`"xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : "ecr-login",`
Update credential-helpers.md 2019-12-25 14:32:39 +02:00			`"index.docker.io": "osxkeychain"`
add information on how to use credential helpers 2019-08-23 14:07:09 +02:00			`}`
			`}`
Fixed wrong filename in documentation 2019-12-25 11:40:35 +02:00			```
Update credential-helpers.md 2019-12-25 14:32:39 +02:00
Fix typos (#554) 2020-05-29 10:59:52 +02:00			Note: `osxkeychain` can be changed to your preferred credentials helper.