[image-builder] Fix error when secret is a json #10031

Merged
merged 1 commit into from
May 18, 2022
Conversation

princerachit
Contributor

@princerachit princerachit commented May 16, 2022

Description

The credentials from the decoded auth string should be split in such a way that the first substring is treated as the username and the rest of the string as the password/secret. This is in conformance with what we have in image-builder-bob.

Related Issue(s)

Fixes #8938

How to test

Prefer testing in workspace-preview due to known issues (see the Known Caveats section below).
The json key secret is used in GAR/GCR. It allows you to use your service account key as a json key secret for docker login. Read more here.
I am not aware of any other such registry services which accept a json key as a secret. In any case this PR should solve any issues whether a registry service accepts a json key, a yaml or a plain string.

  1. Create a Google Artifact Registry in the us region (there is a conflict of keys in the preview env with the europe region, to be fixed by a follow-up PR)
  2. Create a service account with registry writer permission
  3. Create a key for above service account
  4. Rename the key to key.json
  5. Run the following command: cat key.json | docker login us-docker.pkg.dev -u _json_key --password-stdin
  6. Push an image to the registry (prefer retagging a workspace image e.g. gitpod/workspace-go:latest)
  7. Configure your repo to use above image in .gitpod.yml
  8. Open docker config (~/.docker/config) and copy the auth base64encoded string and use it as per instructions of this PR. Your workspace should start now.

Working example


Known Caveats

  • The default behaviour of image-build is to use an existing auth if it exists, e.g. in the preview env we configure europe-docker.pkg.dev and eu.gcr.io in our pull secrets. If you create a private registry in any of these registries then your image build will fail due to an incorrect key.
  • I will raise a follow-up PR to solve this issue. While we can always ignore the existing creds and use the additional auth supplied by the user, this will not work well with eu.gcr.io because that is where we push the built images.

Release Notes

Fix credential errors when json key is used as secret in image-builder-mk3 

Documentation
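The splitting rule from the PR description, shown as an added example (not Gitpod's image-builder code): a docker config.json "auth" value is base64("user:password"), and a GCP service-account JSON key used as the password contains colons, so splitting on every colon truncates it while splitting on the first colon keeps it intact. The sample key below is constructed and the function names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Credentials is the pair decoded from a docker config.json "auth" entry, base64("user:password").
type Credentials struct{ Username, Password string }

// splitNaive splits on every colon, so a password that itself contains colons
// (a GCP service-account JSON key, for example) is cut off at its first field.
func splitNaive(decoded string) (Credentials, error) {
	parts := strings.Split(decoded, ":")
	if len(parts) < 2 {
		return Credentials{}, fmt.Errorf("auth is not user:password")
	}
	return Credentials{parts[0], parts[1]}, nil
}

// splitFirstColon splits only on the first colon: everything before it is the
// username, everything after it (further colons included) is the password.
func splitFirstColon(decoded string) (Credentials, error) {
	user, pass, ok := strings.Cut(decoded, ":")
	if !ok || user == "" {
		return Credentials{}, fmt.Errorf("auth is not user:password")
	}
	return Credentials{user, pass}, nil
}

// parseAuth decodes the base64 "auth" value and splits it on the first colon.
func parseAuth(auth string) (Credentials, error) {
	raw, err := base64.StdEncoding.DecodeString(auth)
	if err != nil {
		return Credentials{}, fmt.Errorf("decode auth: %w", err)
	}
	return splitFirstColon(string(raw))
}

func main() {
	// Constructed sample: a _json_key login whose password is a small JSON
	// document (a real service-account key has many more fields).
	key := `{"type":"service_account","project_id":"example-project"}`
	decoded := "_json_key:" + key
	auth := base64.StdEncoding.EncodeToString([]byte(decoded))
	bad, _ := splitNaive(decoded)
	good, _ := parseAuth(auth)
	fmt.Printf("naive: %q\nfixed: %q\n", bad.Password, good.Password)
}
```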

@princerachit
Contributor Author

princerachit commented May 16, 2022

/werft run

👍 started the job as gitpod-build-prs-json-key.2
(with .werft/ from main)

@princerachit
Contributor Author

princerachit commented May 16, 2022

/werft run

👍 started the job as gitpod-build-prs-json-key.5
(with .werft/ from main)

@princerachit princerachit changed the title [image-builder] Support json keys [image-builder] Fix error when secret is a json May 18, 2022
@princerachit princerachit marked this pull request as ready for review May 18, 2022 06:27
@princerachit princerachit requested a review from a team May 18, 2022 06:27
@github-actions github-actions bot added the team: workspace Issue belongs to the Workspace team label May 18, 2022
Contributor

@jenting jenting left a comment

Did not test but code LGTM

@roboquat roboquat merged commit e54dbfd into main May 18, 2022
@roboquat roboquat deleted the prs/json-key branch May 18, 2022 12:39
@roboquat roboquat added deployed: workspace Workspace team change is running in production deployed Change is completely running in production labels May 25, 2022
Labels
deployed: workspace Workspace team change is running in production deployed Change is completely running in production release-note size/XS team: workspace Issue belongs to the Workspace team
Successfully merging this pull request may close these issues.

Support json keys as credentials to access private registries
3 participants