Hi concourse community,
We’re currently starting to use concourse for deploying our pipelines for a company in the banking sector. As you can imagine, security in the banking sector is quite strict and we are not allowed to directly access the dockerhub images in any way.
Our setup: We use kubernetes (EKS) on AWS and use the helm chart to install concourse. All necessary (resource) images are mirrored locally to ECR. The concourse worker pods have an AWS worker role allowing access to ECR (roles distributed through kube2iam).
Our idea to run pipelines on concourse without access to dockerhub was to mirror all resource types docker images, and define them locally in the concourse pipeline yaml files. Below is an example of a pipeline file:
resource_types:
- name: docker-image-resource
  type: docker-image
  privileged: true
  source:
    repository: some_account_id.dkr.ecr.some_region.amazonaws.com/docker-image-resource
    tag: 1.3.1
    aws_access_key_id: ((build-role-credentials.AccessKeyId))
    aws_secret_access_key: ((build-role-credentials.SecretAccessKey))
    aws_session_token: ((build-role-credentials.SessionToken))

jobs:
- name: job
  plan:
  - task: simple-task
    config:
      platform: linux
      image_resource:
        type: docker-image-resource
        source:
          repository: some_account_id.dkr.ecr.some_region.amazonaws.com/cicd-image
          tag: 0.0.1
          aws_access_key_id: ((build-role-credentials.AccessKeyId))
          aws_secret_access_key: ((build-role-credentials.SecretAccessKey))
          aws_session_token: ((build-role-credentials.SessionToken))
      run:
        path: echo
        args: ["Hello, world!"]
What we see is the following error in the simple-task logs:
resource script '/opt/resource/check ' failed: exit status 1 stderr: failed to get ECR credentials: credentials not found in native keychain
I find it very confusing that the resource type definition depends on a resource_type that probably requires a dockerhub image to start from. It feels like there is a chicken-and-egg problem for this particular definition and I am wondering how this would work in practice. Concourse unfortunately offers very limited debugging possibilities (to my knowledge) to find out what the issue might be. In concourse, are the default resources part of the concourse worker images, or are they pulled from dockerhub?
Can someone with some deep knowledge about how this works help me out on how to set up a concourse environment without dockerhub access or any internet access whatsoever? That would be greatly appreciated. We have been struggling with this for some time and if we can’t find a solution to this problem we will probably have to migrate to another build tool such as Jenkins (God forbid!). Maybe we are doing something awfully wrong here, but we fail to pinpoint where this might be.
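As an added example, not part of the original post or of Concourse itself: a small pre-deploy check that walks a parsed pipeline definition, lists every image it would pull, flags any that are not under the mirrored registry, and reports which resource types are used but never defined in resource_types (those are not fetched through the pipeline at all, so the worker itself has to supply them). The function name audit_pipeline and the ALLOWED_REGISTRY value are assumptions; the sample pipeline is the one from the post, constructed as yaml.safe_load() would return it.

```python
ALLOWED_REGISTRY = "some_account_id.dkr.ecr.some_region.amazonaws.com/"  # assumed placeholder


def audit_pipeline(pipeline, allowed_registry=ALLOWED_REGISTRY):
    """Return (image_refs, external_refs, base_types) for a parsed pipeline dict:
    every image the pipeline pulls, those not under allowed_registry, and the
    resource type names used but never defined in resource_types (these are not
    fetched through the pipeline at all, so the worker itself must supply them)."""
    defined = {rt["name"]: rt for rt in pipeline.get("resource_types", [])}
    image_refs, base_types = {}, set()

    def root_type(name, seen=()):
        # Follow custom type definitions down to a type the pipeline does not define.
        if name not in defined or name in seen:
            return name
        return root_type(defined[name]["type"], seen + (name,))

    def walk(node, where):
        # resource_types entries, resources and task image_resources all share the
        # shape {type: ..., source: {...}}; visit every such block, however nested.
        if isinstance(node, dict):
            if isinstance(node.get("type"), str):
                base_types.add(root_type(node["type"]))
                source = node.get("source") or {}
                if "repository" in source:  # image-pulling types name the image here
                    image = source["repository"] + ":" + str(source.get("tag", "latest"))
                    image_refs[node.get("name", where)] = image
            for key, value in node.items():
                walk(value, where + "/" + str(key))
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, where + "/" + str(i))

    walk(pipeline, "pipeline")
    external = {w: r for w, r in image_refs.items() if not r.startswith(allowed_registry)}
    return image_refs, external, base_types


# Constructed input: the post's pipeline as yaml.safe_load() would return it
# (credential vars omitted, they do not affect which images are pulled).
SAMPLE_PIPELINE = {
    "resource_types": [{
        "name": "docker-image-resource", "type": "docker-image", "privileged": True,
        "source": {"repository": ALLOWED_REGISTRY + "docker-image-resource", "tag": "1.3.1"}}],
    "jobs": [{"name": "job", "plan": [{"task": "simple-task", "config": {
        "platform": "linux",
        "image_resource": {"type": "docker-image-resource",
                           "source": {"repository": ALLOWED_REGISTRY + "cicd-image", "tag": "0.0.1"}},
        "run": {"path": "echo", "args": ["Hello, world!"]}}}]}],
}
```

On the post's pipeline both images resolve to the ECR mirror and the only base type left over is docker-image, which is exactly the type the pipeline cannot mirror for itself; in practice feed it `yaml.safe_load(open("pipeline.yml"))` before `fly set-pipeline`.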