[image-builder-bob] Prioritize using additional auth #10235
Conversation
github-actions
bot
added
team: workspace
|
/hold Prefer merging #9337 first |
|
Hi @princerachit If I remember correctly, |
|
The FROM defined by the user in the Dockerfile do not go through the bob_proxy, because they do not start with localhost |
Let me correct the naming |
|
it not about naming... as you can see, base and target both out registry... If you want to download a private registry image, this is not the place to change |
|
I think this one is real gitpod/components/image-builder-bob/pkg/builder/builder.go Lines 118 to 119 in 20ae141 |
princerachit
force-pushed
the
prs/use-dedicated-auth
branch
from
fc2f633 to
7d75592
Compare
princerachit
changed the title
|
In fact, we're using lcoalhost:8080 as the push registry, so anything we do on bob_proxy is unlikely to affect the pull image authentication |
👍🏾 |
|
I mean it is useless to make any changes on the bob_proxy... gitpod/components/image-builder-bob/pkg/builder/builder.go Lines 118 to 119 in 20ae141 If you want to support pulling images from the user's private registry, then you have to make changes in this location |
|
Another thing is that I was under the impression that we don't have a place to pass user auth, so if users want to use a private registry, how do they configure it? |
|
This is the PR which configures using a private registry to pull image. The caveat is, you can not use it in dockerfile. If you look at the PR the additional auth supplied should be used to pull the image. But in a special case when such config already exist in the pull secret then this causes a conflict of credential selection. I think the changes I just pushed cannot really address it and would rather cause other issues when trying to push to container registry. We probably need to separate out the variables to distinguish user provided auth for image pulling vs auth for container registry used by gitpod. |
|
OK, now I get it |
|
/hold |
|
If it is based on this premise, the original PR is indeed available 🙏 |
|
But prefer don't change the ENV name 😂 |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
not stale |
|
Closing as this is not the right approach to fix the issue. |
Description
This implements the PR #10094 in a different way. Instead of changing the names of env vars, override existing vars with additional auth. I am not sure how this will impact gitpod installations. AFAIK additional auth is only used in the context of user supplied auth, so using it instead of existing configured auth should make sense.Prefer merging #9337 first as that will give us more control in testing and debugging issues related to this PR or any changes related to image-builder in general without impacting production env.
Related Issue(s)
The initial revert was done due to an incident see: INC-150
#10089
How to test
Refer to original PR #10094
Release Notes
Documentation