Add support for private Docker registries in Dockerfile #18315

Closed
R0Wi opened this issue Jul 20, 2023 · 2 comments
Labels: feature: prebuilds, feature: workspace-base-image, meta: stale, team: team-engine, team: workspace

R0Wi commented Jul 20, 2023

Is your feature request related to a problem? Please describe

Thanks to #8550, we're already able to use private Docker registries to pull images from in our .gitpod.yml:

image: my.private-registry/my/image:latest

Unfortunately, as stated in the caveats of the current implementation, there's no support for using private registries in Dockerfiles:

with this implementation, private images can only be used directly, not as part of a Dockerfile (i.e. FROM my-private-repo.com/secret-sauce:latest)

Since dev environments are often built with custom Dockerfiles, it would be great to have support for this, too:

.gitpod.Dockerfile

FROM my.private-registry/my/image:latest
RUN apt-get install mypackage
# ...

.gitpod.yml

image:
    file: .gitpod.Dockerfile

Describe the behaviour you'd like

Add support for using private registries in Dockerfiles which are used to build the Gitpod container.

Describe alternatives you've considered

Current alternative would be to prebuild the gitpod image and push it to a private registry. This can be quite cumbersome especially when trying new things.

Additional context

If interested in this feature, I'd really like to participate in any way!

gitpod-community bot added the team: workspace label Jul 20, 2023
ChevronTango commented Aug 18, 2023

I'm also keen to see this implemented. My current research suggests it wouldn't take much. There are two schools of thought here depending on your setup:

User Specified creds

A user can specify an environment variable of GITPOD_IMAGE_AUTH which allows them to pass through a .dockerconfig json file that can be used to authenticate with a private registry. This can be done right now so no changes needed.

Instance wide creds

This is where a tweak would need to be made to the image-builder-mk3, but not a big one. If we assume that the .dockerconfig PullSecret contains the creds we want to pass through, then all we need to do is add in the registry domain to the orchestrator, for example:

		ath := reqauth.GetImageBuildAuthFor(ctx, o.Auth, []string{reference.Domain(pbaseref), config.additionalRegistryDomain}, []string{
			reference.Domain(wsref),
		})

Obviously you'd need to do the config changes to allow this to work, but the logic looks mostly there to allow your dockerconfig to be passed through on all builds, and nicely limited to only the registries you would like. I'm almost certainly missing something so doubtless it's more complicated in practice.

With all of this, I am very keen to see this implemented at an Instance wide level and not just per user, as this relieves the burden on teams and users having to specify creds that an admin could and should do on their behalf.
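The registry scoping discussed in the comment above, as an added example that is not part of the issue thread or Gitpod's code: given a Docker config, only credentials for registries that the build references and that an admin has allowlisted are passed through. `registryDomain`, `scopedAuth` and the sample config are hypothetical; `registryDomain` is a simplified stand-in for `reference.Domain`, and config keys are assumed to be bare hostnames.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig mirrors the "auths" section of a Docker config.json.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// registryDomain (hypothetical helper): the first path component names a
// registry only if it contains '.' or ':' or is "localhost"; else Docker Hub.
func registryDomain(image string) string {
	host, _, found := strings.Cut(image, "/")
	if !found || (!strings.ContainsAny(host, ".:") && host != "localhost") {
		return "docker.io"
	}
	return host
}

// scopedAuth returns only the credentials whose registry is both referenced
// by a base image of the build and present on the admin allowlist.
func scopedAuth(configJSON []byte, baseImages []string, allow map[string]bool) (map[string]string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse docker config: %w", err)
	}
	out := map[string]string{}
	for _, img := range baseImages {
		d := registryDomain(img)
		if entry, ok := cfg.Auths[d]; ok && allow[d] {
			out[d] = entry.Auth
		}
	}
	return out, nil
}

func main() {
	// Constructed sample config with placeholder credentials, not real secrets.
	cfg := []byte(`{"auths":{"my.private-registry":{"auth":"dXNlcjpwYXNz"},"other.example":{"auth":"b3RoZXI6cHc="}}}`)
	allow := map[string]bool{"my.private-registry": true}
	got, err := scopedAuth(cfg, []string{"my.private-registry/my/image:latest", "ubuntu:22.04"}, allow)
	fmt.Println(got, err)
}
```

Docker Hub entries are often keyed by a URL such as `https://index.docker.io/v1/` rather than a bare hostname, so keys would need normalising before matching in practice.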

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions bot added the meta: stale label May 22, 2024
github-actions bot closed this as not planned Jun 2, 2024