Access Token for Dockerhub

问题

I created a repository on hub.docker.com and now want to push my image to the Dockerhub using my credentials. I am wondering whether I have to use my username and password or whether I can create some kind of access token to push the docker image.

What I want to do is using the docker-image resource from Concourse to push an image to Dockerhub. Therefore I have to configure credentials like:

type: docker-image
source:
  email: {{docker-hub-email}}
  username: {{docker-hub-username}}
  password: {{docker-hub-password}}
  repository: {{docker-hub-image-dummy-resource}}

and I don't want to use my Dockerhub password for that.

回答1:

In short, you can't. There are some solutions that may appeal to you, but it may ease your mind first to know there's a structural reason for this:

Resources are configured via their source and params, which are defined at the pipeline level (in your yml file). Any authentication information has to be defined there, because there's no way to get information from an earlier step in your build into the get step (it has no inputs).

Since bearer tokens usually time out after "not that long" (i.e. hours or days) which is also true of DockerHub tokens, the concourse instance needs to be able to fetch a new token from the authentication service every time the build runs if necessary. This requires some form of persistent auth to be stored in the concourse server anyway, and currently Dockerhub does not support CI access tokens a la github.

All that is to say, you will need to provide a username and password to Concourse one way or another.

If you're worried about security, there are some steps you can most likely take to reduce risk:

you can use --load-vars-from to protect your credentials from being saved in your pipeline, storing them elsewhere (LastPass, local file, etc).
you might be able to create a user on Dockerhub that only has access to the particular repo(s) you want to push, a "CI bot user" if you will.