Support authentication with 3rd party docker registries

[zootalures]

Fn (dind) doesn't get docker regstry credentials.

I think fn needs to understand these eventually in some form but a stop gap

Ideally we should be able to share one or more k8s docker image pull secrets with the fn container to allow secured registries to be used.

e.g. (elswhere in k8s ):

kubectl create secret docker-registry wcrsecret--docker-server=wcr --docker-username=testserver --docker-password=$(cat ~/.wercker/token)  [email protected]

then in values.yaml

fnserver
   imageSecrets:
       - wcrsecret 

[carimura]

cc @derekschultz

[rdallman]

we support multiple registries configured in ~/.docker/config or through DOCKER_AUTH env var in fn. i am less sure if it works properly, but there was an attempt. it should be possible to thread in either way to k8s

[venkat50]

Please also consider support for private registry (with and without authentication).

[lenalebt]

One important aspect to consider when using a private registry is the nesting level of docker image names. You can only have 3 at max, see https://github.com/fnproject/fn/blob/f27d47f2dd9520647f8799043bfcb3d121709958/api/agent/drivers/driver.go#L283

If you use more than 3, it falls back to assuming the image comes from docker hub and does not provide correct credentials. This cost me about 3 days of debugging, hoping that others do not run in the same thing...

Shorter nestings are okay.

I opened a bug report here: fnproject/fn#764