Support json keys as credentials to access private registries

[princerachit]

Is your feature request related to a problem? Please describe

As a gitpod user who wants to use private registries to pull images, I want to use my json key instead of plain username:password to configure registry access. i.e. my password could be a json e.g. service account key of google cloud.

With #8550 a support for using username:password was added but it fails when the auth config passed is built using a json key e.g.

echo $key | docker login -u _json_key --password-stdin

Describe alternatives you've considered

NA

Additional context

Failure

Private image

europe-docker.pkg.dev/prince-tf-experiments/dazzle/workspace-images:base

[cooperbenson-qz]

I noticed that there's a new feature in GAR that allows you to pass the JSON SA key as a base64 encoded string when using the username _json_key_base64 (according to the docs).

[kylos101]

@princerachit can you add this to our inbox too?

[princerachit]

The issue is due to the way we decode and split the auth string in our code. In the image-builder-mk3 we split by colon which results the json to get split into multiple strings.

gitpod/components/image-builder-mk3/pkg/auth/auth.go

Lines 210 to 215 in 6913b4f

	segs := strings.Split(string(dec), ":")
	if len(segs) == 2 {
	res.Username = segs[0]
	res.Password = segs[1]
	}
	}

Due to the check at line 211 the password is never set. This result in the auth string being used for bearer token authentication method instead of basic authentication which results in a 401 error.

When I change above lines to the following to check if this string can be split into at least two string and then treat segs[1] as password. image-builder-mk3 succeeds in creation of imagebuild pods.

	if err == nil {
		segs := strings.SplitN(string(dec), ":", 2)
		if len(segs) == 2 {
			res.Username = segs[0]
			res.Password = segs[1]
		}
	}

While creating the imagebuild pods mk3 sets the WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH env variable which contains both user passs as well as the auth string.

gitpod/components/image-builder-mk3/pkg/orchestrator/orchestrator.go

Lines 384 to 385 in 6913b4f

	Name: "WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH",
	Value: string(additionalAuth),

I suspect our credentials setting login involving above env var is causing an issue where it does not use the user and password but instead tries to use auth string for bearer token authentication.

I will debug this further. The telepresence script is broken for image builder. Maybe fixing it then debugging is the right way to proceed

[princerachit]

I have created configuration to debug this issue locally: https://github.com/gitpod-io/gitpod/tree/prs/json-key/components/image-builder-bob#how-to-try-locally

[princerachit]

I found another bug with this implementation and have created a separate issue #10089