
Adds support for additional auth in docker build #18604

Closed
wants to merge 3 commits into from

Conversation

@ChevronTango ChevronTango commented Aug 25, 2023

Description

Adds support for additional auth in Docker builds.

Currently users wishing to reference private docker registries in their Dockerfiles have been unable to do so, since the auth isn't passed through to the WSLayer. The auth is however passed through to the BOB, but only for the purpose of pulling a whole image from the Private Registry, not for building a Dockerfile from it.

This MR adds support by passing that same Auth through to the WSLayer so that Private Registries can be used by users in their Dockerfiles.

Summary generated by Copilot

🤖 Generated by Copilot at 274bde6

Refactored the authentication mechanism for the image builder workspace layer to use a shared secret and a nonce. Added the BOB_WSLAYER_AUTH environment variable to the buildkitd container spec in orchestrator.go. Removed unused code from the builder package.

Related Issue(s)

Fixes #18315

How to test

Launch a workspace that contains a .gitpod.Dockerfile as its image, and have that be based on an image hosted in a private Docker registry. Specify the correct credentials in your GITPOD_IMAGE_AUTH env as per normal.

Documentation

Preview status

gitpod:summary

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

Contributor

@csweichel csweichel left a comment

BOB_WSLAYER_AUTH is a deprecated mechanism by which authentication can be shipped to Bob the Builder. The issue with this mechanism is that the credentials essentially become available to the workspace itself. And because image builds do little in the way of a security boundary, that essentially makes those credentials available to the build itself. And hence puts those credentials at risk.

Instead of using BOB_WSLAYER_AUTH, we should actually just remove it.

In order to support private ECR images as part of a Dockerfile build, i.e. from private registry, we'd rather change or add to Bob Proxy the ability to act as registry mirror. And in the building workspace, we would configure buildkit to reuse that registry. Hence we would replace the current URL rewriting mechanism with what's essentially an HTTP proxy that adds authentication.

@ChevronTango
Author

BOB_WSLAYER_AUTH is a deprecated mechanism by which authentication can be shipped to Bob the Builder. The issue with this mechanism is that the credentials essentially become available to the workspace itself. And because image builds do little in the way of a security boundary, that essentially makes those credentials available to the build itself. And hence puts those credentials at risk.

I had a sneaking suspicion that might be the case. Part of me was hoping that was why there were two Env vars, an Auth and AdditionalAuth. I suppose this MR might just be removing that logic as a refactor.

In order to support private ECR images as part of a Dockerfile build, i.e. from private registry, we'd rather change or add to Bob Proxy the ability to act as registry mirror. And in the building workspace, we would configure buildkit to reuse that registry. Hence we would replace the current URL rewriting mechanism with what's essentially an HTTP proxy that adds authentication.

The mirror config should be easy enough if the proxy is able to support it. We'd need to iterate over all the registries in the config that we have auth for and add a mirror for them to the proxy. I don't know if the bob proxy will need to do any path logic to distinguish one registry from another, and if the buildkit supports that, else it might need different ports to differentiate it.

@csweichel
Contributor

I don't know if the bob proxy will need to do any path logic to distinguish one registry from another, and if the buildkit supports that, else it might need different ports to differentiate it.

Buildkit sends a URL query indicating the original registry.
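The mirror design sketched in this thread (Bob Proxy acting as a registry mirror that adds authentication on the way out, with the query parameter buildkit sends identifying the original registry) as an added example in Go. This is not code from this PR or from Gitpod's bob proxy. It assumes containerd-style mirror requests carry `?ns=<original registry host>` and that the upstream registry accepts HTTP Basic credentials; the registry name and credentials in `main` are constructed placeholders, and the `Mirror`, `Route`, `RewriteUpstream` and `BasicAuthHeader` names are the example's own.

```go
package main

import (
	"encoding/base64"
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Credential is held by the mirror on behalf of the workspace; the build
// running inside the workspace only ever sees the mirror's address, never
// the secret itself.
type Credential struct {
	User string
	Pass string
}

// Mirror is an authenticating registry mirror. buildkit is pointed at it as
// the mirror for each private registry, and it attaches credentials for the
// upstream registry named in the request before forwarding.
type Mirror struct {
	creds   map[string]Credential      // keyed by upstream registry host
	resolve func(host string) *url.URL // maps a registry host to its base URL
}

// NewMirror builds a Mirror; resolve may be nil, in which case each registry
// host is reached over HTTPS under its own name.
func NewMirror(creds map[string]Credential, resolve func(string) *url.URL) *Mirror {
	if resolve == nil {
		resolve = func(host string) *url.URL {
			return &url.URL{Scheme: "https", Host: host}
		}
	}
	return &Mirror{creds: creds, resolve: resolve}
}

// Route decides where a mirror request goes. containerd-style clients (and so
// buildkit) append `?ns=<original registry host>` when talking to a mirror,
// which is all that is needed to pick the credential. Requests for registries
// without configured credentials are refused rather than forwarded
// anonymously, so a misconfiguration cannot quietly hit the wrong host.
func (m *Mirror) Route(r *http.Request) (*url.URL, Credential, int, error) {
	ns := r.URL.Query().Get("ns")
	if ns == "" {
		return nil, Credential{}, http.StatusBadRequest, errors.New("missing ns query parameter")
	}
	cred, ok := m.creds[ns]
	if !ok {
		return nil, Credential{}, http.StatusForbidden, errors.New("no credentials configured for registry " + ns)
	}
	return m.resolve(ns), cred, http.StatusOK, nil
}

// BasicAuthHeader renders a Credential as an HTTP Basic Authorization value.
func BasicAuthHeader(c Credential) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(c.User+":"+c.Pass))
}

// RewriteUpstream turns the mirror request into the upstream request: new
// scheme and host, the ns parameter stripped (the upstream expects a plain
// registry API path), and the Authorization header set.
func RewriteUpstream(req *http.Request, target *url.URL, cred Credential) {
	req.URL.Scheme = target.Scheme
	req.URL.Host = target.Host
	req.Host = target.Host
	q := req.URL.Query()
	q.Del("ns")
	req.URL.RawQuery = q.Encode()
	req.Header.Set("Authorization", BasicAuthHeader(cred))
}

// ServeHTTP glues Route and RewriteUpstream into a reverse proxy.
func (m *Mirror) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	target, cred, status, err := m.Route(r)
	if err != nil {
		http.Error(w, err.Error(), status)
		return
	}
	proxy := &httputil.ReverseProxy{
		Director: func(req *http.Request) { RewriteUpstream(req, target, cred) },
	}
	proxy.ServeHTTP(w, r)
}

func main() {
	// Constructed sample credentials. In a real deployment they would be
	// handed to the proxy by the orchestrator, not placed in the workspace
	// environment, which is the whole point of the mirror approach.
	creds := map[string]Credential{
		"registry.example.com": {User: "build", Pass: "example-password"},
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:5000", NewMirror(creds, nil)))
}
```

With this in place, buildkitd in the workspace is configured with the proxy as the mirror for each private registry (a `mirrors` entry under `[registry."<host>"]` in buildkitd.toml) and the workspace environment carries no registry secret at all. Two caveats: registries that answer `/v2/` with a bearer-token challenge instead of accepting Basic directly would need the proxy to perform that token exchange as well, and the mirror should only listen on an address reachable from the build sandbox, since anyone who can reach it can pull whatever the configured credentials allow.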

@roboquat roboquat added size/L and removed size/M labels Sep 13, 2023
@ChevronTango
Author

I don't know if the bob proxy will need to do any path logic to distinguish one registry from another, and if the buildkit supports that, else it might need different ports to differentiate it.

Buildkit sends a URL query indicating the original registry.

@csweichel I've spent a while on this one, but think I have a working proxy auth layer and the bob using it as a mirror. I've not done any work on passing through additional auth from the orchestrator, as I figured that would sit best in the work ongoing in #18615

@corneliusludmann
Contributor

We recently merged the PR #18760 which seems to solve the problem. See also #18760 (comment).

@stale

stale bot commented Oct 15, 2023

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the meta: stale This issue/PR is stale and will be closed soon label Oct 15, 2023
@stale stale bot closed this Mar 13, 2024
Labels
do-not-merge/hold meta: stale This issue/PR is stale and will be closed soon size/L
Development

Successfully merging this pull request may close these issues.

Add support for private Docker registries in Dockerfile
4 participants