From bed3ef104c0054d616df35c632b69e697bf115fb Mon Sep 17 00:00:00 2001
From: qwerty287 <80460567+qwerty287@users.noreply.github.com>
Date: Sun, 14 Aug 2022 10:46:18 +0200
Subject: [PATCH] Support Docker credential helpers (#1075)

* support docker credential and add docker-credential-ecr-login into alpine image
* Remove ecr from docker and add docs
* Update docs/docs/30-administration/22-backends/10-docker.md

Co-authored-by: WeStone
Co-authored-by: Anbraten
---
 docs/docs/30-administration/22-backends/10-docker.md | 12 ++++++++++++
 server/plugins/registry/filesystem.go | 7 +++++++
 2 files changed, 19 insertions(+)

diff --git a/docs/docs/30-administration/22-backends/10-docker.md b/docs/docs/30-administration/22-backends/10-docker.md
index b2e60b46c..f73d3c7ca 100644
--- a/docs/docs/30-administration/22-backends/10-docker.md
+++ b/docs/docs/30-administration/22-backends/10-docker.md
@@ -14,6 +14,18 @@ Set to the name of an existing network which will be attached to all your pipeli
 
 Enable IPv6 for the networks used by pipeline containers (steps). Make sure you configured your docker daemon to support IPv6.
 
+## Docker credentials
+
+Woodpecker supports [Docker credentials](https://github.com/docker/docker-credential-helpers) to securely store registry credentials. Install your corresponding credential helper and configure it in your Docker config file passed via [`WOODPECKER_DOCKER_CONFIG`](/docs/administration/server-config#woodpecker_docker_config).
+
+To add your credential helper to the Woodpecker server container you could use the following code to build a custom image:
+
+```dockerfile
+FROM woodpeckerci/woodpecker-server:latest-alpine
+
+RUN apk add -U --no-cache docker-credential-ecr-login
+```
+
 ## Podman support
 
 While the agent was developped with Docker/Moby, Podman can also be used by setting the environment variable `DOCKER_SOCK` to point to the podman socket. In order to work without workarounds, Podman 4.0 (or above) is required.
diff --git a/server/plugins/registry/filesystem.go b/server/plugins/registry/filesystem.go
index 6f32be55a..c525b4637 100644
--- a/server/plugins/registry/filesystem.go
+++ b/server/plugins/registry/filesystem.go
@@ -40,6 +40,13 @@ func parseDockerConfig(path string) ([]*model.Registry, error) {
 return nil, err
 }
 
+ for registryHostname := range configFile.CredentialHelpers {
+ newAuth, err := configFile.GetAuthConfig(registryHostname)
+ if err == nil {
+ configFile.AuthConfigs[registryHostname] = newAuth
+ }
+ }
+
 for addr, ac := range configFile.AuthConfigs {
 if ac.Auth != "" {
 ac.Username, ac.Password, err = decodeAuth(ac.Auth)
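Review bot: The `if err == nil` guard in the new loop discards every failure from `configFile.GetAuthConfig(registryHostname)`, so a missing or failing credential helper leaves that registry without credentials and nothing records why. Add an `else` branch that logs the hostname and the error (never the returned secret), or, if a broken helper should be fatal, `return nil, fmt.Errorf("credential helper for %q: %w", registryHostname, err)`. As far as the credential-helper mechanism goes, this call runs the helper program named in the config file, so the file behind `WOODPECKER_DOCKER_CONFIG` now selects executables as well as holding credentials. A comment above the loop such as `// GetAuthConfig runs the configured docker-credential-* helper; the config file and helper binaries must be admin-owned` would record that trust assumption. The `err :=` inside the loop shadows the function's outer `err`, which looks harmless here but is worth renaming; parseDockerConfig starts and ends outside the hunk.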