Log warning when DOCKER_AUTH_CONFIG credentials resolution fails

Daniel Keenanrequested to merge
39201-docker-auth-fallback into main

What does this MR do?

Adds logging to surface the reason when DOCKER_AUTH_CONFIG fails as a Docker credentials source (e.g., due to missing credential helper binary).

Retains path traversal as a fatal error within the credentials resolution process.

Why was this MR needed?

When DOCKER_AUTH_CONFIG references a credential helper (such as docker-credential-gcloud), and the relevant binary is not present on the runner host, the full DOCKER_AUTH_CONFIG is discarded as a Docker credentials source, and the runner effectively falls back to alternatives (i.e., ~/.docker/config.json, .dockercfg, or credentials from the job itself). The problem is that there is no logging in the job output to indicate that DOCKER_AUTH_CONFIG has been discarded due to the missing binary, which makes troubleshooting harder (e.g., if the alternative credentials sources carry insufficient permissions to pull the image).

What's the best way to test this MR?

  1. Configure DOCKER_AUTH_CONFIG as a CI/CD variable with:
{"credsStore": "gcloud"}
  1. Ensure the docker-credential-gcloud binary is not available on the runner host.
  2. Run a job that pulls an image from the dependency proxy (e.g., set image to gitlab.com:443/<some-group>/dependency_proxy/containers/alpine:latest).
  3. Observe whether the job output logs that DOCKER_AUTH_CONFIG has been discarded due to the relevant error.

Example job output excerpt (before): 

Using effective pull policy of [always] for container gitlab.com:443/daniel-keenan-test-group/dependency_proxy/containers/alpine:latest
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image gitlab.com:443/daniel-keenan-test-group/dependency_proxy/containers/alpine:latest ...

Note the absence of any indication that the DOCKER_AUTH_CONFIG authentication has failed or why.

Example job output excerpt (after): 

Using effective pull policy of [always] for container gitlab.com:443/daniel-keenan-test-group/dependency_proxy/containers/alpine:latest
WARNING: Failed to resolve credentials from $DOCKER_AUTH_CONFIG: error listing credentials - err: exec: "docker-credential-gcloud": executable file not found in $PATH, out: ``. Credentials from this source will not be used.
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image gitlab.com:443/daniel-keenan-test-group/dependency_proxy/containers/alpine:latest ...

What are the relevant issue numbers?

Closes #39201 (closed)

Edited by Daniel Keenan

Merge request reports