Registry configurations
Status: Open — design proposal, nothing shipped yet
Problem
Running jackin against a role whose published_image lives in a private registry fails silently and expensively: the pull path in crates/jackin-docker/src/docker_client.rs hard-codes None for bollard's registry-auth argument, and the freshness check in crates/jackin-runtime/src/runtime/image.rs treats any pull failure as "image is stale" — so an auth failure triggers a multi-minute rebuild from the Dockerfile instead of an actionable error. The structural gap is that jackin has no place for an operator to declare credentials for an external endpoint at all; every existing secret (agent API keys, GitHub token, 1Password refs) was solved as a one-off instead of through a shared credential-source layer.
Remaining work
- Define a
[[registries]]configuration schema (globalAppConfigand per-workspaceWorkspaceConfig, per-workspace overriding/extending global) — each entry's credential field is the sharedCredentialSourceenum. - Build the
docker-configprovider (reads~/.docker/config.json/credsStore/credHelpers) as the zero-config default fallback. - Build the native
ecrprovider (aws-sdk-ecrover the default AWS credential chain, with token caching/refresh) — the forcing case for this item. - Thread real
DockerCredentialsinto bollard'spull_image, resolved lazily per pull rather than at config load. - Split the freshness check's conflated states: classify auth failures (fail fast, actionable message) from genuine manifest/tag-not-found staleness (fall back to build, as today), with a
[registry].on_auth_failureescape hatch for operators who want the old build-on-failure behavior. - Add operator + internals docs for the new config surface.
A jackin registry login (keychain-backed, no plaintext store) and a read-only jackin registry status are candidate follow-ups, not required for v1.
Design details — provider mechanics, config surface, ADRs on each decision above, and open questions — live in Registry Configurations: design.
Out of scope
- A generic
commandcredential kind — deferred until a concrete custom-SSO need appears. - A broader
endpoints/connectionsconfiguration layer beyond registries — this item stays registry-specific; the credential guts are shared so a broader layer can wrap this later without reshaping them.
Related work
- Registry Configurations: design — provider mechanics, config surface, decision rationale, and source material.
- Credential source pattern — the unified sourcing abstraction this item makes concrete and consumes.
- Container Credential Exposure — Beyond Env Injection — resolved credentials must not leak into layers,
docker inspect, or logs. - Workspace registry cache — a pull-through cache still needs upstream registry credentials.
- 1Password integration — one credential source among several.
crates/jackin-docker/src/docker_client.rs—pull_image; bollardcreate_imagewithRegistryAuthcurrentlyNone.crates/jackin-runtime/src/runtime/image.rs— published-image freshness check that conflates auth failure with staleness.crates/jackin-config/src/schema.rs—AppConfig/WorkspaceConfig; where a configurations block would live.