[image-builds] Dynamically reload auth config

components/image-builder-mk3/go.mod

@@ -35,6 +35,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.3 // indirect

components/image-builder-mk3/pkg/auth/auth.go

@@ -5,16 +5,22 @@
 package auth
 
 import (
+	"bytes"
+	"context"
+	"crypto/sha256"
 	"encoding/base64"
+	"fmt"
 	"os"
 	"strings"
+	"sync"
 
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
 	"golang.org/x/xerrors"
 
 	"github.com/gitpod-io/gitpod/common-go/log"
+	"github.com/gitpod-io/gitpod/common-go/watch"
 	"github.com/gitpod-io/gitpod/image-builder/api"
 )
 
@@ -26,24 +32,62 @@ type RegistryAuthenticator interface {
 
 // NewDockerConfigFileAuth reads a docker config file to provide authentication
 func NewDockerConfigFileAuth(fn string) (*DockerConfigFileAuth, error) {
-	fp, err := os.OpenFile(fn, os.O_RDONLY, 0600)
+	res := &DockerConfigFileAuth{}
+	err := res.loadFromFile(fn)
 	if err != nil {
 		return nil, err
 	}
-	defer fp.Close()
 
-	cfg := configfile.New(fn)
-	err = cfg.LoadFromReader(fp)
+	err = watch.File(context.Background(), fn, func() {
+		res.loadFromFile(fn)
+	})
 	if err != nil {
 		return nil, err
 	}
 
-	return &DockerConfigFileAuth{cfg}, nil
+	return res, nil
 }
 
 // DockerConfigFileAuth uses a Docker config file to provide authentication
 type DockerConfigFileAuth struct {
 	C *configfile.ConfigFile
+
+	hash string
+	mu   sync.RWMutex
+}
+
+func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("error loading Docker config from %s: %w", fn, err)
+		}
+	}()
+
+	cntnt, err := os.ReadFile(fn)
+	if err != nil {
+		return err
+	}
+	hash := sha256.New()
+	_, _ = hash.Write(cntnt)
+	newHash := fmt.Sprintf("%x", hash.Sum(nil))
+	if a.hash == newHash {
+		return nil
+	}
+
+	log.WithField("path", fn).Info("reloading auth from Docker config")
+
+	cfg := configfile.New(fn)
+	err = cfg.LoadFromReader(bytes.NewReader(cntnt))
+	if err != nil {
+		return err
+	}
+
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.C = cfg
+	a.hash = newHash
+
+	return nil
 }
 
 // Authenticate attempts to provide an encoded authentication string for Docker registry access

components/registry-facade/cmd/run.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
+	"sync"
 	"syscall"
 	"time"
 
@@ -77,24 +78,12 @@ var runCmd = &cobra.Command{
 			go pprof.Serve(cfg.PProfAddr)
 		}
 
-		var dockerCfg *configfile.ConfigFile
+		var (
+			dockerCfg   *configfile.ConfigFile
+			dockerCfgMu sync.RWMutex
+		)
 		if cfg.AuthCfg != "" {
-			authCfg := cfg.AuthCfg
-			if tproot := os.Getenv("TELEPRESENCE_ROOT"); tproot != "" {
-				authCfg = filepath.Join(tproot, authCfg)
-			}
-			fr, err := os.OpenFile(authCfg, os.O_RDONLY, 0)
-			if err != nil {
-				log.WithError(err).Fatal("cannot read docker auth config")
-			}
-
-			dockerCfg = configfile.New(authCfg)
-			err = dockerCfg.LoadFromReader(fr)
-			fr.Close()
-			if err != nil {
-				log.WithError(err).Fatal("cannot read docker config")
-			}
-			log.WithField("fn", authCfg).Info("using authentication for backing registries")
+			dockerCfg = loadDockerCfg(cfg.AuthCfg)
 		}
 
 		resolverProvider := func() remotes.Resolver {
@@ -105,6 +94,8 @@ var runCmd = &cobra.Command{
 				Client: client,
 			}
 
+			dockerCfgMu.RLock()
+			defer dockerCfgMu.RUnlock()
 			if dockerCfg != nil {
 				resolverOpts.Hosts = docker.ConfigureDefaultRegistries(
 					docker.WithAuthorizer(authorizerFromDockerConfig(dockerCfg)),
@@ -174,6 +165,16 @@ var runCmd = &cobra.Command{
 			log.WithError(err).Fatal("cannot start watch of configuration file")
 		}
 
+		err = watch.File(ctx, cfg.AuthCfg, func() {
+			dockerCfgMu.Lock()
+			defer dockerCfgMu.Unlock()
+
+			dockerCfg = loadDockerCfg(cfg.AuthCfg)
+		})
+		if err != nil {
+			log.WithError(err).Fatal("cannot start watch of Docker auth configuration file")
+		}
+
 		go func() {
 			defer close(registryDoneChan)
 			reg.MustServe()
@@ -189,6 +190,26 @@ var runCmd = &cobra.Command{
 	},
 }
 
+func loadDockerCfg(fn string) *configfile.ConfigFile {
+	if tproot := os.Getenv("TELEPRESENCE_ROOT"); tproot != "" {
+		fn = filepath.Join(tproot, fn)
+	}
+	fr, err := os.OpenFile(fn, os.O_RDONLY, 0)
+	if err != nil {
+		log.WithError(err).Fatal("cannot read docker auth config")
+	}
+
+	dockerCfg := configfile.New(fn)
+	err = dockerCfg.LoadFromReader(fr)
+	fr.Close()
+	if err != nil {
+		log.WithError(err).Fatal("cannot read docker config")
+	}
+	log.WithField("fn", fn).Info("using authentication for backing registries")
+
+	return dockerCfg
+}
+
 func newDefaultTransport() *http.Transport {
 	return &http.Transport{
 		Proxy: http.ProxyFromEnvironment,