Pass all additional auth to builder #18615
Conversation
There was a problem hiding this comment.
Thank you very much for that PR.
The move of the authentication into common-go is a bit too far, especially because registry-facade does not necessarily need that functionality (more details in the comment).
In addition to a few changes that's outlined in the comments below, this work goes definitely in the right direction.
| var additionalAuth []byte | ||
| if err == nil { | ||
| res := make(auth.ImageBuildAuth) | ||
| res[reference.Domain(wsref)] = registry.AuthConfig(*wsrefAuth) | ||
| workspaceAuth, err = json.Marshal(map[string]auth.ImageBuildAuth{"auths": res}) |
There was a problem hiding this comment.
By passing workspace auth explicitly here, the additional auth no longer becomes necessary, i.e. we can just merge the two. The only reason they were separate before was because the workspace author originally came through with the secret.
There was a problem hiding this comment.
I did wonder about simplifying the whole thing into a single combined auth file, however I felt that was a lot for what I was trying to achieve and I didn't know if that was an appropriate tactic given the importance of the image-builder. Are you suggesting that we pass through a single Auth variable that is used by the Bob for everything, and which includes a combination of all the docker config the builder knows about? That would definitely simplify a lot of the confusion here.
There was a problem hiding this comment.
So as per my other PR #18604 It looks like the strategy I've settled on is to still pass through an amalgamated auth in the additionalAuth field where it can be used by the proxy and builder, whilst the workspaceAuth contains just the auth needed for pulling the wsref directly. I'm happy to still combine them into a single var, but it actually works out more elegant keeping them separate.
ChevronTango
force-pushed
the
gitpod-ecr-backing
branch
from
b125e20 to
aba3e2c
Compare
|
Simplified this MR to aid with pushing the auth through to the Bob. This will be in support of the changes in #18604 |
ChevronTango
changed the title
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Description
Adds the ability for Gitpod to pass all additional authenticated through to the builder. Right now the additional auth is only passing through some user defined auth which neglects some of the additional auth found in the docker pull secrets. In order for the builder to eventually proxy and mirror upstream registries it needs to know about both the user defined credentials, and the system defined credentials.
This also makes sure that only the auth needed to actually pull the base image is passed through.
Summary generated by Copilot
🤖 Generated by Copilot at a39718e
This pull request adds support for all auth to be passed through to the builder
Related Issue(s)
How to test
Documentation
Preview status
gitpod:summary
Build Options
Build
Run the build with werft instead of GHA
Run Leeway with
--dont-testPublish
Installer
Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh. If enabled,with-previewandwith-large-vmwill be enabled./hold