Image builder does not support private container registry when gitpod uses same registry #10089

Closed
princerachit opened this issue May 18, 2022 · 3 comments · Fixed by #10094
Labels
component: image-builder meta: stale This issue/PR is stale and will be closed soon type: bug Something isn't working

Comments

@princerachit
Contributor

Bug description

If a gitpod installation contains an image pull secret for a registry, say myreg.com, and a user tries to configure the same registry provider to pull private images, then gitpod fails to pull the image.
This happens because gitpod tries to use the existing credentials of the image pull secrets rather than the credential provided by the user.

E.g., we have europe-docker.pkg.dev access credentials configured in the preview env as part of the image pull secret. When I create a project in the preview env and use europe-docker.pkg.dev for my private images, gitpod does not use my credentials.

Steps to reproduce

This can be reproduced easily in preview env.

  • Create a private Google Artifact Registry in the europe region such that the host is europe-docker.pkg.dev.
  • Create a service account and give it registry writer permission to your repo.
  • Upload an image to your registry.
  • Configure your repo with a .gitpod.yml which uses this image.
  • Follow the steps in the description of Support private registries #8550.

The image build will fail.

NOTE: The image build will fail early if the changes of this PR are not included in your preview env.

Workspace affected

No response

Expected behavior

Image build should have worked and correct credentials should have been used.

Example repository

No response

Anything else?

No response

@princerachit
Contributor Author

princerachit commented May 18, 2022

There are a few ways we can solve this problem.

  • Maintain a list of auths for a registry combining both WORKSPACEKIT_BOBPROXY_AUTH and WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH
      • Try the next auth in the list if the first one fails. -> This is expensive as there would be multiple calls (as we need to retry)

  • Modify the bob proxy code to maintain two maps
      • One for Target ref which will use WORKSPACEKIT_BOBPROXY_AUTH and would use WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH only if the former doesn't have an entry.
      • Another for Base ref which will use WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH and will fall back to WORKSPACEKIT_BOBPROXY_AUTH only if the former does not have an entry.

  • Accept per repo/image auths from user
      • Fall back to registry-level credentials if the repo-level credential is missing, i.e. do a maximum prefix match against all the keys.
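
A sketch of the second and third proposals above combined (per-ref preference between the two sources, plus longest-prefix fallback inside each), as an added Go example that is not part of the issue thread or Gitpod's code. It assumes WORKSPACEKIT_BOBPROXY_AUTH and WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH decode to maps keyed by registry host or host/repository prefix, and that `repo` is the repository name without tag or digest; `Cred`, `Auths`, `RefKind` and `Resolve` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Cred and Auths are constructed stand-ins: Auths maps a registry host or a
// host/repository prefix to a credential (assumed shape, not Gitpod's types).
type Cred struct{ User, Pass string }
type Auths map[string]Cred
type RefKind int

const (
	BaseRef   RefKind = iota // private image the user wants pulled
	TargetRef                // image built and pushed by the installation
)

// longestMatch returns the entry whose key is the longest prefix of repo.
// Keys match only on "/" boundaries, so a credential for "myreg.com/team" is
// never offered to "myreg.com/team-other" or "myreg.com.example.net".
func longestMatch(a Auths, repo string) (Cred, bool) {
	best, found := "", false
	for key := range a {
		if (repo == key || strings.HasPrefix(repo, key+"/")) && len(key) > len(best) {
			best, found = key, true
		}
	}
	return a[best], found
}

// Resolve prefers the user's auths for base refs and the installation's for
// target refs, using the other source only when the preferred one has no entry.
func Resolve(installation, user Auths, kind RefKind, repo string) (Cred, bool) {
	first, second := installation, user
	if kind == BaseRef {
		first, second = user, installation
	}
	if c, ok := longestMatch(first, repo); ok {
		return c, true
	}
	return longestMatch(second, repo)
}

func main() {
	inst := Auths{"europe-docker.pkg.dev": {User: "install-sa"}} // constructed
	user := Auths{"europe-docker.pkg.dev": {User: "user-sa"}}    // constructed
	c, _ := Resolve(inst, user, BaseRef, "europe-docker.pkg.dev/proj/repo/img")
	fmt.Println(c.User)
}
```

With both sources holding an entry for the same host, the base ref resolves to the user's credential and the target ref to the installation's, which is the case the bug description reports as failing.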

@princerachit
Contributor Author

Reopening this as we reverted the PR.

@stale

stale bot commented Nov 26, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the meta: stale This issue/PR is stale and will be closed soon label Nov 26, 2022
@stale stale bot closed this as completed Dec 24, 2022
@stale stale bot moved this to Awaiting Deployment in 🌌 Workspace Team Dec 24, 2022