Support private registries

gitpod-io · Mar 7, 2022 · 3ea8f6d · 3ea8f6d
1 parent 863bb02
commit 3ea8f6d
Show file tree

Hide file tree

Showing 12 changed files with 391 additions and 261 deletions.
diff --git a/components/image-builder-api/go/imgbuilder.pb.go b/components/image-builder-api/go/imgbuilder.pb.go
diff --git a/components/image-builder-api/imgbuilder.proto b/components/image-builder-api/imgbuilder.proto
@@ -64,14 +64,15 @@ message ResolveWorkspaceImageResponse {
 message BuildRequest {
     BuildSource source = 1;
     BuildRegistryAuth auth = 2;
-    bool forceRebuild = 3;
+    bool force_rebuild = 3;
 }
 
 message BuildRegistryAuth {
     oneof mode {
         BuildRegistryAuthTotal total = 1;
         BuildRegistryAuthSelective selective = 2;
     }
+    map<string, string> additional = 3;
 }
 
 message BuildRegistryAuthTotal {

diff --git a/components/image-builder-api/typescript/src/imgbuilder_pb.d.ts b/components/image-builder-api/typescript/src/imgbuilder_pb.d.ts
@@ -215,8 +215,8 @@ export class BuildRequest extends jspb.Message {
     clearAuth(): void;
     getAuth(): BuildRegistryAuth | undefined;
     setAuth(value?: BuildRegistryAuth): BuildRequest;
-    getForcerebuild(): boolean;
-    setForcerebuild(value: boolean): BuildRequest;
+    getForceRebuild(): boolean;
+    setForceRebuild(value: boolean): BuildRequest;
 
     serializeBinary(): Uint8Array;
     toObject(includeInstance?: boolean): BuildRequest.AsObject;
@@ -232,7 +232,7 @@ export namespace BuildRequest {
     export type AsObject = {
         source?: BuildSource.AsObject,
         auth?: BuildRegistryAuth.AsObject,
-        forcerebuild: boolean,
+        forceRebuild: boolean,
     }
 }
 
@@ -248,6 +248,9 @@ export class BuildRegistryAuth extends jspb.Message {
     getSelective(): BuildRegistryAuthSelective | undefined;
     setSelective(value?: BuildRegistryAuthSelective): BuildRegistryAuth;
 
+    getAdditionalMap(): jspb.Map<string, string>;
+    clearAdditionalMap(): void;
+
     getModeCase(): BuildRegistryAuth.ModeCase;
 
     serializeBinary(): Uint8Array;
@@ -264,6 +267,8 @@ export namespace BuildRegistryAuth {
     export type AsObject = {
         total?: BuildRegistryAuthTotal.AsObject,
         selective?: BuildRegistryAuthSelective.AsObject,
+
+        additionalMap: Array<[string, string]>,
     }
 
     export enum ModeCase {

diff --git a/components/image-builder-api/typescript/src/imgbuilder_pb.js b/components/image-builder-api/typescript/src/imgbuilder_pb.js
@@ -1764,7 +1764,7 @@ proto.builder.BuildRequest.toObject = function(includeInstance, msg) {
   var f, obj = {
     source: (f = msg.getSource()) && proto.builder.BuildSource.toObject(includeInstance, f),
     auth: (f = msg.getAuth()) && proto.builder.BuildRegistryAuth.toObject(includeInstance, f),
-    forcerebuild: jspb.Message.getBooleanFieldWithDefault(msg, 3, false)
+    forceRebuild: jspb.Message.getBooleanFieldWithDefault(msg, 3, false)
   };
 
   if (includeInstance) {
@@ -1813,7 +1813,7 @@ proto.builder.BuildRequest.deserializeBinaryFromReader = function(msg, reader) {
       break;
     case 3:
       var value = /** @type {boolean} */ (reader.readBool());
-      msg.setForcerebuild(value);
+      msg.setForceRebuild(value);
       break;
     default:
       reader.skipField();
@@ -1860,7 +1860,7 @@ proto.builder.BuildRequest.serializeBinaryToWriter = function(message, writer) {
       proto.builder.BuildRegistryAuth.serializeBinaryToWriter
     );
   }
-  f = message.getForcerebuild();
+  f = message.getForceRebuild();
   if (f) {
     writer.writeBool(
       3,
@@ -1945,10 +1945,10 @@ proto.builder.BuildRequest.prototype.hasAuth = function() {
 
 
 /**
- * optional bool forceRebuild = 3;
+ * optional bool force_rebuild = 3;
  * @return {boolean}
  */
-proto.builder.BuildRequest.prototype.getForcerebuild = function() {
+proto.builder.BuildRequest.prototype.getForceRebuild = function() {
   return /** @type {boolean} */ (jspb.Message.getBooleanFieldWithDefault(this, 3, false));
 };
 
@@ -1957,7 +1957,7 @@ proto.builder.BuildRequest.prototype.getForcerebuild = function() {
  * @param {boolean} value
  * @return {!proto.builder.BuildRequest} returns this
  */
-proto.builder.BuildRequest.prototype.setForcerebuild = function(value) {
+proto.builder.BuildRequest.prototype.setForceRebuild = function(value) {
   return jspb.Message.setProto3BooleanField(this, 3, value);
 };
 
@@ -2021,7 +2021,8 @@ proto.builder.BuildRegistryAuth.prototype.toObject = function(opt_includeInstanc
 proto.builder.BuildRegistryAuth.toObject = function(includeInstance, msg) {
   var f, obj = {
     total: (f = msg.getTotal()) && proto.builder.BuildRegistryAuthTotal.toObject(includeInstance, f),
-    selective: (f = msg.getSelective()) && proto.builder.BuildRegistryAuthSelective.toObject(includeInstance, f)
+    selective: (f = msg.getSelective()) && proto.builder.BuildRegistryAuthSelective.toObject(includeInstance, f),
+    additionalMap: (f = msg.getAdditionalMap()) ? f.toObject(includeInstance, undefined) : []
   };
 
   if (includeInstance) {
@@ -2068,6 +2069,12 @@ proto.builder.BuildRegistryAuth.deserializeBinaryFromReader = function(msg, read
       reader.readMessage(value,proto.builder.BuildRegistryAuthSelective.deserializeBinaryFromReader);
       msg.setSelective(value);
       break;
+    case 3:
+      var value = msg.getAdditionalMap();
+      reader.readMessage(value, function(message, reader) {
+        jspb.Map.deserializeBinary(message, reader, jspb.BinaryReader.prototype.readString, jspb.BinaryReader.prototype.readString, null, "", "");
+         });
+      break;
     default:
       reader.skipField();
       break;
@@ -2113,6 +2120,10 @@ proto.builder.BuildRegistryAuth.serializeBinaryToWriter = function(message, writ
       proto.builder.BuildRegistryAuthSelective.serializeBinaryToWriter
     );
   }
+  f = message.getAdditionalMap(true);
+  if (f && f.getLength() > 0) {
+    f.serializeBinary(3, writer, jspb.BinaryWriter.prototype.writeString, jspb.BinaryWriter.prototype.writeString);
+  }
 };
 
 
@@ -2190,6 +2201,28 @@ proto.builder.BuildRegistryAuth.prototype.hasSelective = function() {
 };
 
 
+/**
+ * map<string, string> additional = 3;
+ * @param {boolean=} opt_noLazyCreate Do not create the map if
+ * empty, instead returning `undefined`
+ * @return {!jspb.Map<string,string>}
+ */
+proto.builder.BuildRegistryAuth.prototype.getAdditionalMap = function(opt_noLazyCreate) {
+  return /** @type {!jspb.Map<string,string>} */ (
+      jspb.Message.getMapField(this, 3, opt_noLazyCreate,
+      null));
+};
+
+
+/**
+ * Clears values from the map. The map will be non-null.
+ * @return {!proto.builder.BuildRegistryAuth} returns this
+ */
+proto.builder.BuildRegistryAuth.prototype.clearAdditionalMap = function() {
+  this.getAdditionalMap().clear();
+  return this;};
+
+
 
 
 

diff --git a/components/image-builder-bob/cmd/proxy.go b/components/image-builder-bob/cmd/proxy.go
@@ -20,6 +20,7 @@ import (
 var proxyOpts struct {
 	BaseRef, TargetRef string
 	Auth               string
+	AdditionalAuth     string
 }
 
 // proxyCmd represents the build command
@@ -30,10 +31,15 @@ var proxyCmd = &cobra.Command{
 		log.Init("bob", "", true, os.Getenv("SUPERVISOR_DEBUG_ENABLE") == "true")
 		log := log.WithField("command", "proxy")
 
-		authP, err := proxy.NewAuthorizerFromEnvVar(proxyOpts.Auth)
+		authP, err := proxy.NewAuthorizerFromDockerEnvVar(proxyOpts.Auth)
 		if err != nil {
 			log.WithError(err).WithField("auth", proxyOpts.Auth).Fatal("cannot unmarshal auth")
 		}
+		authA, err := proxy.NewAuthorizerFromEnvVar(proxyOpts.AdditionalAuth)
+		if err != nil {
+			log.WithError(err).WithField("auth", proxyOpts.Auth).Fatal("cannot unmarshal auth")
+		}
+		authP = authP.AddIfNotExists(authA)
 
 		baseref, err := reference.ParseNormalizedNamed(proxyOpts.BaseRef)
 		if err != nil {
@@ -87,4 +93,5 @@ func init() {
 	proxyCmd.Flags().StringVar(&proxyOpts.BaseRef, "base-ref", os.Getenv("WORKSPACEKIT_BOBPROXY_BASEREF"), "ref of the base image")
 	proxyCmd.Flags().StringVar(&proxyOpts.TargetRef, "target-ref", os.Getenv("WORKSPACEKIT_BOBPROXY_TARGETREF"), "ref of the target image")
 	proxyCmd.Flags().StringVar(&proxyOpts.Auth, "auth", os.Getenv("WORKSPACEKIT_BOBPROXY_AUTH"), "authentication to use")
+	proxyCmd.Flags().StringVar(&proxyOpts.AdditionalAuth, "additional-auth", os.Getenv("WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH"), "additional authentication to use")
 }
diff --git a/components/image-builder-bob/pkg/proxy/auth.go b/components/image-builder-bob/pkg/proxy/auth.go
@@ -20,9 +20,9 @@ type authConfig struct {
 	Auth     string `json:"auth"`
 }
 
-type authorizerImpl map[string]authConfig
+type MapAuthorizer map[string]authConfig
 
-func (a authorizerImpl) Authorize(host string) (user, pass string, err error) {
+func (a MapAuthorizer) Authorize(host string) (user, pass string, err error) {
 	defer func() {
 		log.WithFields(logrus.Fields{
 			"host": host,
@@ -54,17 +54,44 @@ func (a authorizerImpl) Authorize(host string) (user, pass string, err error) {
 	return
 }
 
+func (a MapAuthorizer) AddIfNotExists(other MapAuthorizer) MapAuthorizer {
+	res := make(map[string]authConfig)
+	for k, v := range a {
+		res[k] = v
+	}
+	for k, v := range other {
+		if _, ok := a[k]; ok {
+			continue
+		}
+		res[k] = v
+	}
+	return MapAuthorizer(res)
+}
+
 type Authorizer interface {
 	Authorize(host string) (user, pass string, err error)
 }
 
-func NewAuthorizerFromEnvVar(content string) (auth Authorizer, err error) {
+func NewAuthorizerFromDockerEnvVar(content string) (auth MapAuthorizer, err error) {
 	var res struct {
 		Auths map[string]authConfig `json:"auths"`
 	}
 	err = json.Unmarshal([]byte(content), &res)
 	if err != nil {
 		return
 	}
-	return authorizerImpl(res.Auths), nil
+	return MapAuthorizer(res.Auths), nil
+}
+
+func NewAuthorizerFromEnvVar(content string) (auth MapAuthorizer, err error) {
+	if content == "" {
+		return nil, nil
+	}
+
+	var res map[string]authConfig
+	err = json.Unmarshal([]byte(content), &res)
+	if err != nil {
+		return nil, err
+	}
+	return MapAuthorizer(res), nil
 }
diff --git a/components/image-builder-mk3/debug.sh b/components/image-builder-mk3/debug.sh
@@ -5,8 +5,15 @@
 docker ps &> /dev/null || (echo "You need a working Docker daemon. Maybe set DOCKER_HOST?"; exit 1)
 gcloud auth list | grep typefox &>/dev/null || (echo "Login using 'gcloud auth login' for the docker push to work"; exit 1)
 
-leeway build .:docker -Dversion=dev
-devImage=eu.gcr.io/gitpod-dev/image-builder:dev
 
-kubectl patch deployment image-builder --patch '{"spec": {"template": {"spec": {"containers": [{"name": "service","image": "'$devImage'"}]}}}}'
-kubectl get pods --no-headers -o=custom-columns=:metadata.name | grep image-builder | xargs kubectl delete pod
+readonly tag
+tag="dev-$(date +%s)"
+leeway build -v .:docker -Dversion="${tag}" -DimageRepoBase=eu.gcr.io/gitpod-core-dev/build
+devImage="eu.gcr.io/gitpod-core-dev/build/image-builder-mk3:${tag}"
+
+kubectl patch deployment image-builder-mk3 --patch '{"spec": {"template": {"spec": {"containers": [{"name": "image-builder-mk3","imagePullPolicy":"Always","image": "'"$devImage"'"}]}}}}'
+kubectl rollout restart deployment/image-builder-mk3
+kubectl rollout status -w deployment/image-builder-mk3
+# give the old pod time to disappear
+sleep 20
+gpctl debug logs image-builder-mk3