I've inherited a system where we have a gitlab Docker image registry hosted in GCP, but it's behind an IAP proxy so I can do a docker pull while connected to our internal network (thanks to firewall rules that bypass the IAP proxy).

Is there any way to do a docker pull against it from the internet? I suspect I need a plugin for docker login to make it IAP aware.

Has anyone done this before?

  • What does "hosted in GCP" actually mean - which service? – John Hanley Mar 10 '20 at 17:19
  • It's on a GKE cluster. Effectively I have a pod running gitlab which deploys a pod (via helm I believe) for the container registry. I don't think that part is relevant though. I think I would have the same problem on a compute instance. – Ryan Mar 11 '20 at 13:29
  • AFAIK No. The reason is that IAP uses Google Accounts for the Identity Provider. IAP requires OIDC Identity Tokens for authentication. Take a look at `docker login -u oauth2accesstoken -p "$(gcloud auth print-identity-token)" https://[HOSTNAME]`. I am not sure if docker login is creating an HTTP Authorization Bearer header which is required for IAP or another form for credentials. – John Hanley Mar 12 '20 at 05:22
  • @JohnHanley That's what I was thinking, though jumping through the docker CLI code is frustrating as it actually makes the request to the docker daemon which then makes the request to the registry. I did find that `docker login` 'works' in that it succeeds. But doing a `docker pull` fails as unauthorised. – Ryan Mar 13 '20 at 14:49
  • 1
    It seems in this case a possible way is to reproduce an approach similar to the existing VPN connection from the office: establish VPN between the clients and the registry, or configure bypassing rules for partucular public addresses (if clients do have them). – mebius99 Mar 19 '20 at 13:40

0 Answers
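A diagnostic script for the situation in the comments, added here and not code from the original thread, GitLab or Google: it sends `GET /v2/` to the registry once anonymously and once with an `Authorization: Bearer` OIDC identity token, without following redirects, and reports whether the rejection came from the IAP proxy or from the registry's own token challenge. The host name is a placeholder argument, the token source `gcloud auth print-identity-token` is taken from John Hanley's comment, and the response patterns in `classify` are assumptions about how IAP and a Docker registry answer.

```python
# Added example: probe GET /v2/ on a registry behind Google IAP and report
# which layer answered. Host name and the `gcloud` token source are assumptions.
import subprocess
import sys
import urllib.error
import urllib.request


def classify(status, headers, body):
    """Map one HTTP response to the layer that produced it (assumed behaviour):
    redirect to accounts.google.com  -> IAP saw no credentials at all;
    401/403 whose body mentions IAP  -> IAP rejected the token, registry never reached;
    401 with WWW-Authenticate Bearer -> the registry's own token challenge (IAP passed);
    200                              -> both layers accepted the credentials."""
    location = headers.get("Location", "")
    www_auth = headers.get("WWW-Authenticate", "")
    if status in (301, 302, 303, 307) and "accounts.google.com" in location:
        return "iap-unauthenticated"
    if status in (401, 403) and "IAP" in body:
        return "iap-rejected"
    if status == 401 and www_auth.lower().startswith("bearer"):
        return "registry-challenge"
    if status == 200:
        return "ok"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host, id_token=None):
    """GET https://<host>/v2/, optionally with an 'Authorization: Bearer' header."""
    req = urllib.request.Request(f"https://{host}/v2/")
    if id_token:
        req.add_header("Authorization", f"Bearer {id_token}")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return classify(resp.status, resp.headers, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers, err.read().decode(errors="replace"))


if __name__ == "__main__":
    host = sys.argv[1]  # placeholder, e.g. registry.example.internal
    token = subprocess.check_output(["gcloud", "auth", "print-identity-token"], text=True).strip()
    print("anonymous:", probe(host))
    print("id token :", probe(host, token))
```

If the anonymous probe reports `iap-unauthenticated` and the bearer probe reports `registry-challenge`, IAP is accepting the identity token and the remaining failure is the registry's own Docker token auth, which `docker login` has to satisfy separately.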