[Feature Request] Only use custom credentials for certain labels #1502

Open
LostOnTheLine opened this issue Dec 16, 2022 · 6 comments
@LostOnTheLine

Is your feature request related to a problem? Please describe.

When running watchtower I have the option of using custom credentials

REPO_USER=username
REPO_PASS=password

But I, like I assume most users, don't pull all my images from my private repo, most are pulled from Docker Hub.

As it stands, if I set custom Repo credentials all the Docker ones give an error.
If I don't set it all the private ones do.

So as of now I have to set up 2 Towers, & set them each with a label to monitor on on one & off on the other. But then you can't have some that actually get ignored.

Describe the solution you'd like

It would be nice to have a com.centurylinklabs.watchtower.custom or com.centurylinklabs.watchtower.credentials label to make it so that those labeled will use the custom credentials while those not labeled will not.
Either that or let us use user-defined labels so I could have something like watchtower.credentials.johnny for ones that update using the custom credentials argument or watchtower.credentials.docker to act as though no custom arguments are set.

I'm sure this is less of an issue if using the Docker config.json but running under Docker Desktop that isn't an option.

Ideally it'd be nice to be able to specify credentials for multiple custom repos, though not something I personally would use I'm sure there are those who would.

Perhaps

version: "3"
services:
  portainer_agent:
    image: portainer/agent:latest
    network_mode: "host"
    ports:
      - 9001:9001
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.michelangelo=true"

  mosquitto:
    image: eclipse-mosquitto
    container_name: buzzbuzz
    ports:
      - 1883:1883
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.salvador=true"

  registry: # Custom Docker Repo Container
    container_name: putstuffhere
    image: registry:latest
    ports:
      - 5000:5000
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.steve=true"

  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_STOPPED=true
      - WATCHTOWER_POLL_INTERVAL=43200
      - CUSTOM_REPOS=michelangelo, salvador, picasso, steve
      - REPO_michelangelo_USER=Madonna
      - REPO_michelangelo_PASS=OfBurge$$
      - REPO_salvador_USER=Persistence
      - REPO_salvador_PASS=NoClocks!
      - REPO_picasso_USER=Pablo
      - REPO_picasso_PASS=WeepingW0man
      - REPO_steve_USER=steve
      - REPO_steve_PASS=ilikefootball
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always

I'm not exactly sure how it would need to be for watchtower to use the arguments, I just gave an example of something I know I could make work in python.

Describe alternatives you've considered

The only alternative is having 2 watchtowers & using 1 with WATCHTOWER_LABEL_ENABLE set to true & the other with WATCHTOWER_LABEL_ENABLE set to false & I'm not even sure that would work properly, plus it leaves no way to have ones ignored completely.

Additional context

No response

@github-actions

Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏

@piksel
Member

piksel commented Dec 16, 2022

> but running under Docker Desktop that isn't an option.

Why wouldn't that be an option?
docker.config does exactly what you want.

Just use docker login your-repo.com and log in. The ~/.docker/config.json will contain your credentials after a successful login. Mount that file (or copy the relevant content to a new one) in watchtower and it will use the appropriate credentials for the listed repositories.

@LostOnTheLine
Author

> > but running under Docker Desktop that isn't an option.
>
> Why wouldn't that be an option? docker.config does exactly what you want.

The reason is exactly as I stated UNDER DOCKER DESKTOP that isn't an option because the config.json file doesn't exist. I've searched for it, found places that it is said to exist (C:\ProgramData\Docker\config\daemon.json, //wsl.localhost/docker-desktop/etc/docker/, //wsl.localhost/docker-desktop-data/etc/docker/, //wsl.localhost/ubuntu/etc/docker/, C:/Users/Username/.docker/machine/default/config.json). The ones that do exist don't have any of the credentials in them (C:\Users\USERNAME\.docker\config.json, C:\Users\USERNAME.docker\daemon.json, C:\Users\LostO\AppData\Roaming\Docker\settings.json).

The only thing that seems potentially related is C:\Users\USERNAME\.docker\config.json which contains this single line

{
  "credsStore": "desktop"
}

but when mapped still fails, assumedly because the "desktop" isn't something accessible to the container.


> Just use docker login your-repo.com and log in. The ~/.docker/config.json will contain your credentials after a successful login. Mount that file (or copy the relevant content to a new one) in watchtower and it will use the appropriate credentials for the listed repositories.

I've been logged in since before I ever used Watchtower. I've tried re-logging in, restarted after logging in, both the machine & just Docker Desktop, but it just doesn't work. My credentials are definitely there, I can browse & pull from & push to my Repo, but the config.json file just isn't anywhere I can find & so I assume the credentials are located somewhere else.

@piksel
Member

piksel commented Dec 24, 2022

Just remove the "credsStore" line in the config and do the login again. You can then move your config.json somewhere else and revert "credsStore" to keep using docker desktop creds store if you want.

Then point watchtower to your copied config.json

@LostOnTheLine
Author

LostOnTheLine commented Dec 24, 2022

> Just remove the "credsStore" line in the config and do the login again. You can then move your config.json somewhere else and revert "credsStore" to keep using docker desktop creds store if you want.
>
> Then point watchtower to your copied config.json

I tried that, well I tried removing the file & that didn't do anything, a restart just recreated it. I just tried with editing out the line & did a login

$ docker login https://MYDOMAIN.EXT
Authenticating with existing credentials...
Login Succeeded

After which the file still had the blank lines.

Since I logged in before, it added nothing to the file, logged in again with it gone, it added nothing, removed the line & logged in again, &, big surprise, no change. I'm fairly confident that that file is not going to be able to give me the needed credentials.

> Just remove the "credsStore" line

&, FYI, in case it wasn't clear, that wasn't part of the config.json file, I shared the entirety of it

@piksel
Member

piksel commented Dec 24, 2022

If you are currently logged in, run docker logout to remove the credentials from the file and run docker login again.

Seems like you have to use docker logout after removing the creds store.

> &, FYI, in case it wasn't clear, that wasn't part of the config.json file, I shared the entirety of it.

Yes, the "credsStore" setting means "don't store credentials in here, use the program docker-credentials-XXXX instead"
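
Added example (not part of the thread and not watchtower's code): a small check that reads a Docker client config.json and reports, for one registry, whether its credentials sit inline in the file or are delegated to an external `docker-credential-*` helper, which is the distinction the comments above turn on. The registry name, user name and sample files are constructed placeholders, and the `registry` argument is assumed to match the key in the file exactly.

```python
import base64
import json


def _decodes_to_user_pass(auth):
    """True if an "auth" value is base64 of "user:secret" (the secret is never returned)."""
    try:
        user, sep, _ = base64.b64decode(auth, validate=True).decode("utf-8").partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    return bool(user and sep)


def credential_source(config_text, registry):
    """Say where the Docker CLI would look for `registry`'s credentials.

    `registry` must be the exact key used in the file (assumption of this sketch).
    """
    cfg = json.loads(config_text)
    # Docker CLI lookup order: per-registry credHelpers, then the global credsStore,
    # and only then the entries stored in the file itself.
    helper = (cfg.get("credHelpers") or {}).get(registry) or cfg.get("credsStore")
    if helper:
        return "helper:docker-credential-" + helper
    entry = (cfg.get("auths") or {}).get(registry) or {}
    if entry.get("identitytoken") or _decodes_to_user_pass(entry.get("auth") or ""):
        return "inline"
    return "missing"


# Constructed samples; registry.example.test and demo-user are placeholders.
REG = "registry.example.test"
DESKTOP_ONLY = '{"credsStore": "desktop"}'  # the file quoted in the thread
INLINE = json.dumps(
    {"auths": {REG: {"auth": base64.b64encode(b"demo-user:demo-pass").decode()}}}
)
EMPTY_ENTRY = json.dumps({"auths": {REG: {}}})

if __name__ == "__main__":
    for name, text in [("desktop", DESKTOP_ONLY), ("inline", INLINE), ("empty", EMPTY_ENTRY)]:
        print(name, "->", credential_source(text, REG))
```

A result of `helper:...` means the file holds no secret for that registry, so a copy of it mounted into a container carries nothing the container can use; a file that reports `inline` does contain the credential and should be mounted read-only with tight file permissions.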
