Using watchtower with private registries and config.json from docker secret.

[rafalkk]

Is your feature request related to a problem? Please describe.

I'm not sure where to post this so please forgive me. I want to use watchtower with private registries and config.json from docker secret. As stated in the documentation, to change the config.json location, DOCKER_CONFIG must be used.

My config looks like this:

services:
  watchtower:
    image: containrrr/watchtower
    environment:
       DOCKER_CONFIG: /run/secrets
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    container_name: watchtower
    secrets:
      - source: dockerhub_auth
        target: config.json

secrets:
   dockerhub_auth:
     file: /path_to/config.json

DOCKER_CONFIG: /run/secrets points to folder where secrets are mounted and

secrets:
      - source: dockerhub_auth
        target: config.json

change the name of secret to be config.json

This solution seemed a bit hacky to me and also makes other environment variables unusable.

environment:
      - DOCKER_CONFIG: /run/secrets
      - WATCHTOWER_POLL_INTERVAL=5

gives

docker compose up
services.watchtower.environment.0 must be a string

Describe the solution you'd like

Something like:

services:
  watchtower:
    image: containrrr/watchtower
    environment:
      - **PATH_TO_AUTH.JSON: /run/secrets/dockerhub_auth**
      - WATCHTOWER_POLL_INTERVAL=5
      - ...
    secrets:
      - dockerhub_auth


secrets:
   dockerhub_auth:
     **file: /path_to/auth.json**  

Maybe auth.json could store only auth part of docker config.json file and be merged with config.json while running?
Or just:

environment:
       REGISTRY_NAME=https://index.docker.io/v1/
       AUTH_STRING=dockerhub_auth

Describe alternatives you've considered

Described above.

Additional context

I am not a docker expert, so please let me know if there is a better way to do this correctly. Thanks.

[piksel]

change the name of secret to be config.json
This solution seemed a bit hacky to me 

You could argue that DOCKER_CONFIG should point to the full file path for the config, but this convention was adopted from the docker client which uses the same environment variable in that way. The intention was to make the transition from docker to watchtower as seamless as possible.

and also makes other environment variables unusable.

You are mixing docker compose yaml syntaxes.
You can either use - KEY=VALUE or KEY: VALUE for the environment variables, but you cannot mix them.

So, either:

environment: 
    DOCKER_CONFIG: /run/secrets 
    WATCHTOWER_POLL_INTERVAL: 5

Or

environment: 
    - DOCKER_CONFIG=/run/secrets 
    - WATCHTOWER_POLL_INTERVAL=5

[rafalkk]

Thanks for clarification!
Do you think maybe to introduce more env variables to make it easier to use private registries (authstrings and access tokens) with secrets?