
Adds support for additional auth in docker build

Open Edward13ruf opened this issue 2 years ago • 5 comments

Description

Adds support for additional auth in Docker builds.

Currently users wishing to reference private docker registries in their Dockerfiles have been unable to do so, since the auth isn't passed through to the WSLayer. The auth is however passed through to the BOB, but only for the purpose of pulling a whole image from the Private Registry, not for building a Dockerfile from it.

This MR adds support by passing that same Auth through to the WSLayer so that Private Registries can be used by users in their Dockerfiles.

Summary generated by Copilot

🤖 Generated by Copilot at 274bde6

Refactored the authentication mechanism for the image builder workspace layer to use a shared secret and a nonce. Added the BOB_WSLAYER_AUTH environment variable to the buildkitd container spec in orchestrator.go. Removed unused code from the builder package.

Related Issue(s)

Fixes #18315

How to test

Launch a workspace that contains a .gitpod.Dockerfile as its image, and have that be based on an image hosted in a private Docker registry. Specify the correct credentials in your GITPOD_IMAGE_AUTH env as per normal.

Documentation

Preview status

gitpod:summary

Build Options

Build
  • [ ] /werft with-werft Run the build with werft instead of GHA
  • [ ] leeway-no-cache
  • [ ] /werft no-test Run Leeway with --dont-test
Publish
  • [ ] /werft publish-to-npm
  • [ ] /werft publish-to-jb-marketplace
Installer
  • [ ] analytics=segment
  • [ ] with-dedicated-emulation
  • [ ] workspace-feature-flags Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • [ ] /werft with-local-preview If enabled this will build install/preview
  • [ ] /werft with-preview
  • [ ] /werft with-large-vm
  • [x] /werft with-gce-vm If enabled this will create the environment on GCE infra
  • [ ] with-integration-tests=all Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • [ ] with-monitoring

/hold

Edward13ruf avatar Aug 25 '23 13:08 Edward13ruf

BOB_WSLAYER_AUTH is a deprecated mechanism by which authentication can be shipped to Bob the Builder. The issue with this mechanism is that the credentials essentially become available to the workspace itself. And because image builds do little in the way of a security boundary, that essentially makes those credentials available to the build itself. And hence puts those credentials at risk.

I had a sneaking suspicion that might be the case. Part of me was hoping that was why there were two Env vars, an Auth and AdditionalAuth. I suppose this MR might just be removing that logic as a refactor.

In order to support private ECR images as part of a Dockerfile build, i.e. from private registry, we'd rather change or add to Bob Proxy the ability to act as registry mirror. And in the building workspace, we would configure buildkit to reuse that registry. Hence we would replace the current URL rewriting mechanism with what's essentially an HTTP proxy that adds authentication.

The mirror config should be easy enough if the proxy is able to support it. We'd need to iterate over all the registries in the config that we have auth for and add a mirror for them to the proxy. I don't know if the bob proxy will need to do any path logic to distinguish one registry from another, and if the buildkit supports that, else it might need different ports to differentiate it.

Edward13ruf avatar Aug 29 '23 14:08 Edward13ruf

I don't know if the bob proxy will need to do any path logic to distinguish one registry from another, and if the buildkit supports that, else it might need different ports to differentiate it.

Buildkit sends a URL query indicating the original registry.

csweichel avatar Aug 30 '23 11:08 csweichel

I don't know if the bob proxy will need to do any path logic to distinguish one registry from another, and if the buildkit supports that, else it might need different ports to differentiate it.

Buildkit sends a URL query indicating the original registry.

@csweichel I've spent a while on this one, but think I have a working proxy auth layer and the bob using it as a mirror. I've not done any work on passing through additional auth from the orchestrator, as I figured that would sit best in the work ongoing in #18615

Edward13ruf avatar Sep 13 '23 15:09 Edward13ruf

We recently merged the PR https://github.com/gitpod-io/gitpod/pull/18760 which seems to solve the problem. See also https://github.com/gitpod-io/gitpod/pull/18760#issuecomment-1736800772.

corneliusludmann avatar Sep 27 '23 06:09 corneliusludmann

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 15 '23 10:10 stale[bot]