Support private registries

[csweichel]

Description

This PR adds rudimentary support for images from private registries. It does that by virtue of project-level environment variables.

To use it, add an environment variable named GITPOD_IMAGE_AUTH to your project. The content of that environment variable looks like:
domain.com:<base64(username:password)>, anotherdomain.com:...

This format is akin to dockerconfig.json files, where the auth section contains the same base64 encoded string. For example, logging into to the GitHub registry (ghcr.io) using:

echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin

produces an entry akin to:

"auths": {
	"ghcr.io": {
		"auth": "WW91IGNoZWNrZWQgOikgTmVlZCBhIGpvYj8gRW1haWwgbWUgYXQgY2hyaXNAZ2l0cG9kLmlvCg=="
	}
},

That very base64 encoded string can be used. It would turn into:

Once this variable is present, private images can be used directly, e.g.

image: my-private-repo.com/super-secret-sauce:latest

Caveats

• the Docker image is copied over to Gitpod's registry. There currently is no means to delete that image.
• with this implementation, private images can only be used directly, not as part of a Dockerfile (i.e. FROM my-private-repo.com/secret-sauce:latest)
• right now the project level environment variable must NOT be "hidden". I'm looking to change that.
• the failure modes aren't great. There are a lot of things which might not work, e.g. using the wrong format. Users don't get a good error message, it's just that their image pull fails with a "cannot resolve base image: hostname required" error.
• this PR removes the base image resolution as part of the workspace config creation. Consequently, if the image referred to in the .gitpod.yml refers to a "moving tag" (think docker.io/somthing:latest), and we need to rebuild the "gitpod workspace image", we'd re-resolve that tag, which might lead to changing workspace images across restarts for the very same workspace.
• I've been a bit coarse with the project level environment variables - we can probably clean some of that up.

Related Issue(s)

Fixes #1699

How to test

See PR description. I tested with ghcr.io

Release Notes

Add support for private registries

Documentation

https://github.com/gitpod-io/website/issues/1704

[codecov]

Codecov Report

Merging #8550 (468e51f) into main (d030750) will increase coverage by 3.05%.
The diff coverage is 37.03%.

@@            Coverage Diff             @@
##             main    #8550      +/-   ##
==========================================
+ Coverage   12.31%   15.37%   +3.05%     
==========================================
  Files          20       35      +15     
  Lines        1161     3122    +1961     
==========================================
+ Hits          143      480     +337     
- Misses       1014     2608    +1594     
- Partials        4       34      +30     

Flag	Coverage Δ
components-gitpod-cli-app	11.17% <ø> (ø)
components-image-builder-api-go-lib	∅ <ø> (?)
components-image-builder-bob-app	∅ <ø> (?)
components-image-builder-mk3-app	35.58% <37.03%> (?)
components-local-app-app-darwin-amd64	?
components-local-app-app-darwin-arm64	?
components-local-app-app-linux-amd64	?
components-local-app-app-linux-arm64	?
components-local-app-app-windows-386	?
components-local-app-app-windows-amd64	?
components-local-app-app-windows-arm64	?
install-installer-raw-app	4.27% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...image-builder-mk3/pkg/orchestrator/orchestrator.go	40.81% <37.03%> (ø)
components/local-app/pkg/auth/auth.go
components/local-app/pkg/auth/pkce.go
...ents/image-builder-mk3/pkg/orchestrator/metrics.go	48.14% <0.00%> (ø)
...l/installer/pkg/components/ws-manager/tlssecret.go	0.00% <0.00%> (ø)
install/installer/pkg/common/display.go	0.00% <0.00%> (ø)
install/installer/pkg/common/ca.go	0.00% <0.00%> (ø)
...l/installer/pkg/components/ws-manager/configmap.go	23.75% <0.00%> (ø)
install/installer/pkg/common/render.go	0.00% <0.00%> (ø)
install/installer/pkg/common/networkpolicies.go	0.00% <0.00%> (ø)
... and 10 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d030750...468e51f. Read the comment docs.

[jankeromnes]

Many thanks for implementing this super valuable feature! 🙏 💯

Briefly reviewed the environment variable code, and left a few suggestions in-line. TL;DR -- please only "hydrate" values just when they're actually needed, in order to not pass them around clear-text too much.

[csweichel]

@jankeromnes Thank you for your feedback. I've reverted the early "hydration" of the project-level environment variables and pushed it back to the actual point of use. PTAL.

[jankeromnes]

Awesome, many thanks for the quick fix!

I've reviewed the environment variables handling code, and it looks good to me. 👍

I haven't looked too closely at the Go code or the image-source-provider.ts changes.

Please let me know if you'd like me to test this PR.

To use it, add an environment variable named GITPOD_IMAGE_AUTH to your project. The content of that environment variable looks like:
domain.com:<base64(username:password)> anotherdomain.com:...

Two minor thoughts:

• The code seems to split on , instead of -- I assume it's a typo here
• Why base64-encode the username:password part? (As a user, I'd find it more convenient to specify domain.com:username:password directly) EDIT: Nevermind, I just noticed that the response is literally the next sentence 😅

[sagor999]

reviewed go related changes. only one minor comment.

[sagor999]

the Docker image is copied over to Gitpod's registry. There currently is no means to delete that image.

is that a local cluster level registry? or registry at eu.gcr.io?
and can someone else download that image from local registry somehow later on?

[utam0k]

Suggested change

	gpctl debug logs image-builder-mk3
	gpctl debug logs image-builder-mk3

[csweichel]

I'm not sure I understand the comment :)

[utam0k]

This is the fix that the github warns about because there is no new line. There is no specific problem, so it is a minor nits.
https://thoughtbot.com/blog/no-newline-at-end-of-file

[csweichel]

is that a local cluster level registry? or registry at eu.gcr.io?
and can someone else download that image from local registry somehow later on?

I just used ghcr.io and a GitHub access token.
You could also use a Gitpod workspace with a proxy which requires basic auth.

[csweichel]

/werft run

👍 started the job as gitpod-build-cw-fix-1699.7

[csweichel]

build is green again.

@geropl this needs your approval due to API changes.

[ccll]

Does this suppose to work with Gitlab Registry?
I got an error trying to use image from my self-hosted Gitlab Registry from a self-hosted Gitpod.

Might be related with #8938 and #8795.

Request createWorkspace failed with message: 13 INTERNAL: cannot resolve base image: hostname required

Unknown Error: { "code": -32603 }

Due to issue #8536 I could not setup variable per project, so I added the variable to global settings.

[jhulance]

I believe this doesn't work for self-hosted (yet?) because it makes use of Project vars, and the global Variables are ignored?

In order to get this working in the FROM line of a Dockerfile for a workspace, I believe the BOB_WSLAYER_AUTH env var needs to be set up by Image Builder MK3 when it starts a Image Build. This is the whole of the "auths" var from a standard Docker config.json with auth/creds for private registries. Not sure how that will get passed over to the Image Builder MK3 -- use ImagePullSecrets somewhere?

[Keith-Hon]

I am unable to use a private image from hub.docker.com even after I added GITPOD_IMAGE_AUTH accordingly. Any help?

[csweichel]

I am unable to use a private image from hub.docker.com even after I added GITPOD_IMAGE_AUTH accordingly. Any help?

What do you see when you open the workspace?
Do you use the private image directly, or as part of a Dockerfile?

[Keith-Hon]

These are the steps I took.

1. I logged in docker hub via cli and printed the token

2. Add a variable named GITPOD_IMAGE_AUTH in gitpod settings

3. Here is the result I get

[jmls]

you need to add the repo to a gitpod project , then add the variable to the project, not personal

[Keith-Hon]

I just tried create a project at https://gitpod.io/projects, and added the variable GITPOD_IMAGE_AUTH to the project's Settings

and then create a new workspace from that project

still no luck...

[jmls]

double and triple check the value of the token - I know this works because we're using this for every single one of our repos across dozens of developers every day

Getting the value of the token right was our biggest hurdle ;)

[jmls]

The value is domain:<base64 encoded value>

echo -n "<domain>:"; echo <username>:<password> | base64 -w0

are you sure the domain is index.docker.io ?

[Keith-Hon]

@jmls I am not sure if the domain is index.docker.io. But that's what I get from the docker login command. I found that the token is not the same with "echo : | base64 -w0" and the one from .json.

[csweichel]

@Keith-Hon

Do you use the private image directly, or as part of a Dockerfile?
How do you refer to the image: dockerhub-user/imagename:latest or index.docker.io/dockerhub-user/imagename:latest?

[jmls]

oh, I forgot that a custom image on the dockerfile is not supported atm

You have to specify a custom image in the gitpod.yml

[Keith-Hon]

@csweichel

dockerhub-user/imagename:latest

[Keith-Hon]

I have a .gitpod.yml file at the root of the repo, which declare the custom workspace image:

[csweichel]

Please try using docker.io as host, i.e.

echo -n "docker.io:"; echo <username>:<password> | base64 -w0

Reasoning: reference.ParseNormalizedName results in docker.io. Verified using oci-tool:

$ oci-tool resolve --familiar name csweichel/werft:latest
docker.io/csweichel/werft:latest@sha256:332fd69ac3784ac57580eb61f48176e95da0f1183b826c3d732b51508c1436d2

[Keith-Hon]

@csweichel, @jmls it's working now. Thanks a lot!

However, this line of command didn't work

echo -n "docker.io:"; echo <username>:<password> | base64 -w0

I succeeded by using the token obtained from

docker login
cat /home/gitpod/.docker/config.json

and added GITPOD_IMAGE_AUTH to the project's Variables by

docker.io:TOKEN_OBTAINED

[Keith-Hon]

Btw, it is a bit confusing that "Projects" tab resides inside user's Setting. I didn't notice there was a "project" specific scope setting and environment variables....

[Keith-Hon]

@csweichel, @jmls it's working now. Thanks a lot!

However, this line of command didn't work

echo -n "docker.io:"; echo <username>:<password> | base64 -w0

I succeeded by using the token obtained from

docker login cat /home/gitpod/.docker/config.json

and added GITPOD_IMAGE_AUTH to the project's Variables by

docker.io:TOKEN_OBTAINED

I tried again with this approach today. It only works if

1. the targeted docker image was public when the workspace was prebuilt, and then set to private in dockerhub
2. the tag in the .gitpod.yml must match that once-public-then-private image's tag

It doesn't work if the docker image was never public @csweichel

[utam0k]

@Keith-Hon @jmls Thanks for your report! Can I ask you to create a new issue to prioritize to address?

[Keith-Hon]

Ok created

@Keith-Hon @jmls Thanks for your report! Can I ask you to create a new issue to prioritize to address?

[utam0k]

@Keith-Hon Thanks!

[mrzarquon]

As a note here until docs are live - this snippet needs the second echo to have -n also, it's throwing a carriage return onto the string. Using the below example you don't need to extract the credential from config.json.

echo -n "docker.io:"; echo -n <username>:<password> | base64 -w0