
[installer] Support adding image pull secrets even when the internal (in-cluster) registry is used

Open corneliusludmann opened this issue 3 years ago • 3 comments

Currently, we can add image pull secrets only when an external registry is used like this:

containerRegistry:
  inCluster: false
  external:
    url: my-registry.example.com
    certificate:
      kind: secret
      name: my-registry-credentials

However, when we use an in-cluster registry, customers would probably still want to add pull secrets for workspace base images.

I would suggest deprecating the certificate block under external and moving it directly under containerRegistry. Like this:

containerRegistry:
  inCluster: false
  external:
    url: my-registry.example.com
  certificate:
    kind: secret
    name: my-registry-credentials

(probably rename “certificate” to “credentials”; however, we probably want to keep this consistent with other occurrences of “credentials”, e.g. for the object storage)

That would also allow adding workspace pull secrets when the in-cluster registry is used like this (see also https://github.com/gitpod-io/gitpod/issues/10791):

containerRegistry:
  inCluster: true
  certificate:
    kind: secret
    name: my-registry-credentials
  privateBaseImageRegistries:
    - my-registry.example.com
    - my-other-registry.example.com

In this case, we need to merge the in-cluster container secret with the secret given here to allow accessing both registries.

corneliusludmann avatar Jun 21 '22 09:06 corneliusludmann

We should do this soon - we created tech debt to solve a customer problem, but should solve this properly via this issue.

lucasvaltl avatar Jun 24 '22 08:06 lucasvaltl

Internal mention of this here

lucasvaltl avatar Jun 29 '22 13:06 lucasvaltl

Allow certificate or a dockerconfig, since uploading a dockerconfig directly from a file means they can validate that they've set the correct credentials with a docker push/pull, before uploading the file.

Allow for multiple secrets and we merge them for one dockerconfig

mrzarquon avatar Aug 02 '22 17:08 mrzarquon
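The merge step asked for above (the issue body's "merge the in-cluster container secret with the secret given here", and the request just above to "allow for multiple secrets and we merge them for one dockerconfig") is straightforward but has two sharp edges: two secrets naming the same registry with different credentials, and a pull secret that is syntactically valid JSON but carries an unusable auth entry. The Go program below is an added example written for this page, not Gitpod installer code. It merges several kubernetes.io/dockerconfigjson payloads into one, fails loudly on conflicting credentials for the same host, validates each auth entry, and reports which entries of a privateBaseImageRegistries list still have no credentials. All host names and credentials in it are constructed; the in-cluster registry host name in main() is an assumption, not the name Gitpod actually uses.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// dockerConfig models the "auths" section of a docker config.json, which is
// also the payload of a kubernetes.io/dockerconfigjson secret.
type dockerConfig struct {
	Auths map[string]authEntry `json:"auths"`
}

type authEntry struct {
	Auth     string `json:"auth,omitempty"` // base64("user:password")
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
}

// validate rejects entries a registry client could not use, so a typo in the
// secret fails at install time rather than when a workspace tries to pull.
func (e authEntry) validate(host string) error {
	if e.Auth == "" {
		if e.Username == "" || e.Password == "" {
			return fmt.Errorf("%s: entry has neither auth nor username/password", host)
		}
		return nil
	}
	dec, err := base64.StdEncoding.DecodeString(e.Auth)
	if err != nil {
		return fmt.Errorf("%s: auth is not valid base64: %w", host, err)
	}
	if !strings.Contains(string(dec), ":") {
		return fmt.Errorf("%s: auth does not decode to user:password", host)
	}
	return nil
}

// MergeDockerConfigs combines several dockerconfig JSON documents (for example
// the generated secret for the in-cluster registry plus one or more
// user-supplied pull secrets) into a single document. The same host appearing
// in two inputs with different credentials is an error rather than a silent
// "last one wins", so a misconfigured secret cannot quietly replace the
// credentials the cluster actually needs.
func MergeDockerConfigs(configs ...[]byte) ([]byte, error) {
	merged := dockerConfig{Auths: map[string]authEntry{}}
	for i, raw := range configs {
		var c dockerConfig
		if err := json.Unmarshal(raw, &c); err != nil {
			return nil, fmt.Errorf("config %d: %w", i, err)
		}
		for host, entry := range c.Auths {
			if err := entry.validate(host); err != nil {
				return nil, fmt.Errorf("config %d: %w", i, err)
			}
			if prev, ok := merged.Auths[host]; ok && prev != entry {
				return nil, fmt.Errorf("config %d: conflicting credentials for %s", i, host)
			}
			merged.Auths[host] = entry
		}
	}
	return json.Marshal(merged)
}

// MissingRegistries returns the registries from a privateBaseImageRegistries
// list for which the merged config has no credentials, sorted for stable output.
func MissingRegistries(merged []byte, registries []string) ([]string, error) {
	var c dockerConfig
	if err := json.Unmarshal(merged, &c); err != nil {
		return nil, err
	}
	var missing []string
	for _, r := range registries {
		if _, ok := c.Auths[r]; !ok {
			missing = append(missing, r)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	// Constructed sample inputs: the in-cluster registry host is an assumed
	// name and none of the credentials are real.
	inCluster := []byte(`{"auths":{"registry.gitpod.svc.cluster.local":{"auth":"` +
		base64.StdEncoding.EncodeToString([]byte("registry:s3cret")) + `"}}}`)
	user := []byte(`{"auths":{"my-registry.example.com":{"username":"ci","password":"pull-only"}}}`)

	merged, err := MergeDockerConfigs(inCluster, user)
	if err != nil {
		panic(err)
	}
	missing, _ := MissingRegistries(merged, []string{"my-registry.example.com", "my-other-registry.example.com"})
	fmt.Println("registries without credentials:", missing)
}
```

Entries are matched by the exact host string, which is how a kubelet looks up pull secrets; a secret written for "https://index.docker.io/v1/" will not satisfy a list entry of "docker.io", so the missing-registry check is also a cheap way to catch that mismatch before rollout.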

Started working on this. The planned resolution is to move credentials to be under containerRegistry so that it can be specified irrespective of the type of container registry, i.e. internal or external.

Coming to the requirements that @mrzarquon specified,

Allow certificate or a dockerconfig, since uploading a dockerconfig directly from a file means they can validate that they've set the correct credentials with a docker push/pull, before uploading the file.

We can only specify setting a certificate (aka secret), as taking a dockerconfig directly means that we might be storing auth credentials in the config (which has complexities, even if we mask them). But, as the certificate is created by the user using the .dockerconfig itself, they can always try doing the push/pull before creating the secret itself.

Pothulapati avatar Aug 10 '22 12:08 Pothulapati

Created https://github.com/gitpod-io/gitpod/issues/12060

Pothulapati avatar Aug 11 '22 05:08 Pothulapati

@Pothulapati does #12060 replace this one in that case, let's close this one and prioritise the other one :)

lucasvaltl avatar Aug 11 '22 14:08 lucasvaltl

@lucasvaltl This is still needed, as #12060 only tackles the components side of things, but we still need to move this config in the installer (but only after that is done)

Pothulapati avatar Aug 11 '22 14:08 Pothulapati

After we merged https://github.com/gitpod-io/gitpod/pull/12174, this is now supported through kots!

There is https://github.com/gitpod-io/gitpod/issues/12060 that helps us to also add this option to the installer but not too important. Closing this hence.

Pothulapati avatar Sep 13 '22 14:09 Pothulapati