feat: add private registry support (#6)

sreya · web-flow · commit b7cc89cbfb5d · 2023-03-19T20:08:26.000-05:00
diff --git a/cli/docker.go b/cli/docker.go
@@ -100,24 +100,7 @@ var envboxPrivateMounts = map[string]struct{}{
 }
 
 func dockerCmd() *cobra.Command {
-	var (
-		// Required flags.
-		innerImage         string
-		innerUsername      string
-		innerContainerName string
-		agentToken         string
-
-		// Optional flags.
-		innerEnvs         string
-		innerWorkDir      string
-		innerHostname     string
-		addTUN            bool
-		addFUSE           bool
-		dockerdBridgeCIDR string
-		boostrapScript    string
-		ethlink           string
-		containerMounts   string
-	)
+	var flag flags
 
 	cmd := &cobra.Command{
 		Use:   "docker",
@@ -144,12 +127,12 @@ func dockerCmd() *cobra.Command {
 			}()
 
 			cidr := dockerutil.DefaultBridgeCIDR
-			if dockerdBridgeCIDR != "" {
-				cidr = dockerdBridgeCIDR
+			if flag.dockerdBridgeCIDR != "" {
+				cidr = flag.dockerdBridgeCIDR
 				log.Debug(ctx, "using custom docker bridge CIDR", slog.F("cidr", cidr))
 			}
 
-			dargs, err := dockerdArgs(ctx, log, ethlink, cidr, false)
+			dargs, err := dockerdArgs(ctx, log, flag.ethlink, cidr, false)
 			if err != nil {
 				return xerrors.Errorf("dockerd args: %w", err)
 			}
@@ -182,7 +165,7 @@ func dockerCmd() *cobra.Command {
 				// directory is going to be on top of an overlayfs filesystem
 				// we have to use the vfs storage driver.
 				if xunix.IsNoSpaceErr(err) {
-					args, err = dockerdArgs(ctx, log, ethlink, cidr, true)
+					args, err = dockerdArgs(ctx, log, flag.ethlink, cidr, true)
 					if err != nil {
 						_ = envboxlog.YieldAndFailBuild("Failed to create Container-based Virtual Machine: " + err.Error())
 						//nolint
@@ -219,26 +202,7 @@ func dockerCmd() *cobra.Command {
 				return xerrors.Errorf("wait for dockerd: %w", err)
 			}
 
-			flags := flags{
-				// Required flags.
-				innerImage:         innerImage,
-				innerUsername:      innerUsername,
-				innerContainerName: innerContainerName,
-				agentToken:         agentToken,
-
-				// Optional flags.
-				innerEnvs:         innerEnvs,
-				innerWorkDir:      innerWorkDir,
-				innerHostname:     innerHostname,
-				addTUN:            addTUN,
-				addFUSE:           addFUSE,
-				dockerdBridgeCIDR: dockerdBridgeCIDR,
-				boostrapScript:    boostrapScript,
-				ethlink:           ethlink,
-				containerMounts:   containerMounts,
-			}
-
-			err = runDockerCVM(ctx, log, client, flags)
+			err = runDockerCVM(ctx, log, client, flag)
 			if err != nil {
 				// It's possible we failed because we ran out of disk while
 				// pulling the image. We should restart the daemon and use
@@ -247,7 +211,7 @@ func dockerCmd() *cobra.Command {
 				// is causing their disk to fill up.
 				if xunix.IsNoSpaceErr(err) {
 					log.Debug(ctx, "encountered 'no space left on device' error while starting workspace", slog.Error(err))
-					args, err := dockerdArgs(ctx, log, ethlink, cidr, true)
+					args, err := dockerdArgs(ctx, log, flag.ethlink, cidr, true)
 					if err != nil {
 						return xerrors.Errorf("dockerd args for restart: %w", err)
 					}
@@ -265,7 +229,7 @@ func dockerCmd() *cobra.Command {
 					}()
 
 					log.Debug(ctx, "reattempting container creation")
-					err = runDockerCVM(ctx, log, client, flags)
+					err = runDockerCVM(ctx, log, client, flag)
 				}
 				if err != nil {
 					return xerrors.Errorf("run: %w", err)
@@ -280,21 +244,22 @@ func dockerCmd() *cobra.Command {
 	}
 
 	// Required flags.
-	cliflag.StringVarP(cmd.Flags(), &innerImage, "image", "", EnvInnerImage, "", "The image for the inner container. Required.")
-	cliflag.StringVarP(cmd.Flags(), &innerUsername, "username", "", EnvInnerUsername, "", "The username to use for the inner container. Required.")
-	cliflag.StringVarP(cmd.Flags(), &innerContainerName, "container-name", "", EnvInnerContainerName, "", "The name of the inner container. Required.")
-	cliflag.StringVarP(cmd.Flags(), &agentToken, "agent-token", "", EnvAgentToken, "", "The token to be used by the workspace agent to estabish a connection with the control plane. Required.")
+	cliflag.StringVarP(cmd.Flags(), &flag.innerImage, "image", "", EnvInnerImage, "", "The image for the inner container. Required.")
+	cliflag.StringVarP(cmd.Flags(), &flag.innerUsername, "username", "", EnvInnerUsername, "", "The username to use for the inner container. Required.")
+	cliflag.StringVarP(cmd.Flags(), &flag.innerContainerName, "container-name", "", EnvInnerContainerName, "", "The name of the inner container. Required.")
+	cliflag.StringVarP(cmd.Flags(), &flag.agentToken, "agent-token", "", EnvAgentToken, "", "The token to be used by the workspace agent to estabish a connection with the control plane. Required.")
 
 	// Optional flags.
-	cliflag.StringVarP(cmd.Flags(), &innerEnvs, "envs", "", EnvInnerEnvs, "", "Comma separated list of envs to add to the inner container.")
-	cliflag.StringVarP(cmd.Flags(), &innerWorkDir, "work-dir", "", EnvInnerWorkDir, "", "The working directory of the inner container.")
-	cliflag.StringVarP(cmd.Flags(), &innerHostname, "hostname", "", EnvInnerHostname, "", "The hostname to use for the inner container.")
-	cliflag.StringVarP(cmd.Flags(), &dockerdBridgeCIDR, "bridge-cidr", "", EnvBridgeCIDR, "", "The CIDR to use for the docker bridge.")
-	cliflag.StringVarP(cmd.Flags(), &boostrapScript, "boostrap-script", "", EnvBootstrap, "", "The script to use to bootstrap the container. This should typically install and start the agent.")
-	cliflag.StringVarP(cmd.Flags(), &containerMounts, "mounts", "", EnvMounts, "", "Comma separated list of mounts in the form of '<source>:<target>[:options]' (e.g. /var/lib/docker:/var/lib/docker:ro,/usr/src:/usr/src).")
-	cliflag.StringVarP(cmd.Flags(), &ethlink, "ethlink", "", "", defaultNetLink, "The ethernet link to query for the MTU that is passed to docerd. Used for tests.")
-	cliflag.BoolVarP(cmd.Flags(), &addTUN, "add-tun", "", EnvAddTun, false, "Add a TUN device to the inner container.")
-	cliflag.BoolVarP(cmd.Flags(), &addFUSE, "add-fuse", "", EnvAddFuse, false, "Add a FUSE device to the inner container.")
+	cliflag.StringVarP(cmd.Flags(), &flag.innerEnvs, "envs", "", EnvInnerEnvs, "", "Comma separated list of envs to add to the inner container.")
+	cliflag.StringVarP(cmd.Flags(), &flag.innerWorkDir, "work-dir", "", EnvInnerWorkDir, "", "The working directory of the inner container.")
+	cliflag.StringVarP(cmd.Flags(), &flag.innerHostname, "hostname", "", EnvInnerHostname, "", "The hostname to use for the inner container.")
+	cliflag.StringVarP(cmd.Flags(), &flag.imagePullSecret, "image-secret", "", EnvBoxPullImageSecretEnvVar, "", fmt.Sprintf("The secret to use to pull the image. It is highly encouraged to provide this via the %s environment variable.", EnvBoxPullImageSecretEnvVar))
+	cliflag.StringVarP(cmd.Flags(), &flag.dockerdBridgeCIDR, "bridge-cidr", "", EnvBridgeCIDR, "", "The CIDR to use for the docker bridge.")
+	cliflag.StringVarP(cmd.Flags(), &flag.boostrapScript, "boostrap-script", "", EnvBootstrap, "", "The script to use to bootstrap the container. This should typically install and start the agent.")
+	cliflag.StringVarP(cmd.Flags(), &flag.containerMounts, "mounts", "", EnvMounts, "", "Comma separated list of mounts in the form of '<source>:<target>[:options]' (e.g. /var/lib/docker:/var/lib/docker:ro,/usr/src:/usr/src).")
+	cliflag.StringVarP(cmd.Flags(), &flag.ethlink, "ethlink", "", "", defaultNetLink, "The ethernet link to query for the MTU that is passed to docerd. Used for tests.")
+	cliflag.BoolVarP(cmd.Flags(), &flag.addTUN, "add-tun", "", EnvAddTun, false, "Add a TUN device to the inner container.")
+	cliflag.BoolVarP(cmd.Flags(), &flag.addFUSE, "add-fuse", "", EnvAddFuse, false, "Add a FUSE device to the inner container.")
 
 	return cmd
 }
@@ -309,6 +274,7 @@ type flags struct {
 	innerEnvs         string
 	innerWorkDir      string
 	innerHostname     string
+	imagePullSecret   string
 	addTUN            bool
 	addFUSE           bool
 	dockerdBridgeCIDR string
@@ -327,6 +293,14 @@ func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.Docker
 		return xerrors.Errorf("set oom score: %w", err)
 	}
 
+	var dockerAuth dockerutil.AuthConfig
+	if flags.imagePullSecret != "" {
+		dockerAuth, err = dockerutil.ParseAuthConfig(flags.imagePullSecret)
+		if err != nil {
+			return xerrors.Errorf("parse auth config: %w", err)
+		}
+	}
+
 	envs := defaultContainerEnvs(flags.agentToken)
 
 	innerEnvsTokens := strings.Split(flags.innerEnvs, ",")
@@ -392,8 +366,8 @@ func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.Docker
 	err = dockerutil.PullImage(ctx, &dockerutil.PullImageConfig{
 		Client:     client,
 		Image:      flags.innerImage,
-		Auth:       dockerutil.DockerAuth{},                                // TODO
-		ProgressFn: func(e dockerutil.ImagePullEvent) error { return nil }, // TODO
+		Auth:       dockerAuth,
+		ProgressFn: func(e dockerutil.ImagePullEvent) error { return nil },
 	})
 	if err != nil {
 		return xerrors.Errorf("pull image: %w", err)
diff --git a/cli/docker_test.go b/cli/docker_test.go
@@ -1,9 +1,15 @@
+//go:build !integration
+// +build !integration
+
 package cli_test
 
 import (
 	"bufio"
+	"bytes"
 	"context"
+	"encoding/base64"
 	"fmt"
+	"io"
 	"net"
 	"os"
 	"strings"
@@ -377,4 +383,34 @@ func TestDocker(t *testing.T) {
 		require.NoError(t, err)
 		require.True(t, called, "container create fn not called")
 	})
+
+	t.Run("DockerAuth", func(t *testing.T) {
+		t.Parallel()
+
+		name := namesgenerator.GetRandomName(1)
+		ctx, cmd := clitest.New(t, "docker",
+			"--image=ubuntu",
+			"--username=root",
+			fmt.Sprintf("--container-name=%s", name),
+			"--agent-token=hi",
+			fmt.Sprintf("--image-secret=%s", rawDockerAuth),
+		)
+
+		raw := []byte(`{"username":"_json_key","password":"{\"type\": \"service_account\", \"project_id\": \"some-test\", \"private_key_id\": \"blahblah\", \"private_key\": \"-----BEGIN PRIVATE KEY-----mykey-----END PRIVATE KEY-----\", \"client_email\": \"test@test.iam.gserviceaccount.com\", \"client_id\": \"123\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/test.iam.gserviceaccount.com\" }","auth":"X2pzb25fa2V5OnsKCgkidHlwZSI6ICJzZXJ2aWNlX2FjY291bnQiLAoJInByb2plY3RfaWQiOiAic29tZS10ZXN0IiwKCSJwcml2YXRlX2tleV9pZCI6ICJibGFoYmxhaCIsCgkicHJpdmF0ZV9rZXkiOiAiLS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCm15a2V5LS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQoiLAoJImNsaWVudF9lbWFpbCI6ICJ0ZXN0QHRlc3QuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iLAoJImNsaWVudF9pZCI6ICIxMjMiLAoJImF1dGhfdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi9hdXRoIiwKCSJ0b2tlbl91cmkiOiAiaHR0cHM6Ly9vYXV0aDIuZ29vZ2xlYXBpcy5jb20vdG9rZW4iLAoJImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAoJImNsaWVudF94NTA5X2NlcnRfdXJsIjogImh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL3JvYm90L3YxL21ldGFkYXRhL3g1MDkvdGVzdC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIKfQo=","email":"test@test.iam.gserviceaccount.com"}`)
+		authB64 := base64.StdEncoding.EncodeToString(raw)
+
+		client := clitest.DockerClient(t, ctx)
+		client.ImagePullFn = func(_ context.Context, ref string, options dockertypes.ImagePullOptions) (io.ReadCloser, error) {
+			// Assert that we call the image pull function with the credentials.
+			require.Equal(t, authB64, options.RegistryAuth)
+			return io.NopCloser(bytes.NewReader(nil)), nil
+		}
+
+		err := cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+	})
 }
+
+// rawDockerAuth is sample input for a kubernetes secret to a gcr.io private
+// registry.
+const rawDockerAuth = `{"auths":{"us.gcr.io":{"username":"_json_key","password":"{\"type\": \"service_account\", \"project_id\": \"some-test\", \"private_key_id\": \"blahblah\", \"private_key\": \"-----BEGIN PRIVATE KEY-----mykey-----END PRIVATE KEY-----\", \"client_email\": \"test@test.iam.gserviceaccount.com\", \"client_id\": \"123\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/test.iam.gserviceaccount.com\" }","email":"test@test.iam.gserviceaccount.com","auth":"X2pzb25fa2V5OnsKCgkidHlwZSI6ICJzZXJ2aWNlX2FjY291bnQiLAoJInByb2plY3RfaWQiOiAic29tZS10ZXN0IiwKCSJwcml2YXRlX2tleV9pZCI6ICJibGFoYmxhaCIsCgkicHJpdmF0ZV9rZXkiOiAiLS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCm15a2V5LS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQoiLAoJImNsaWVudF9lbWFpbCI6ICJ0ZXN0QHRlc3QuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iLAoJImNsaWVudF9pZCI6ICIxMjMiLAoJImF1dGhfdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi9hdXRoIiwKCSJ0b2tlbl91cmkiOiAiaHR0cHM6Ly9vYXV0aDIuZ29vZ2xlYXBpcy5jb20vdG9rZW4iLAoJImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAoJImNsaWVudF94NTA5X2NlcnRfdXJsIjogImh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL3JvYm90L3YxL21ldGFkYXRhL3g1MDkvdGVzdC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIKfQo="}}}`
diff --git a/dockerutil/client.go b/dockerutil/client.go
@@ -2,7 +2,10 @@ package dockerutil
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 
+	dockertypes "github.com/docker/docker/api/types"
 	dockerclient "github.com/docker/docker/client"
 	"golang.org/x/xerrors"
 )
@@ -31,3 +34,32 @@ func Client(ctx context.Context) (DockerClient, error) {
 	//nolint we should panic if this isn't the case.
 	return client.(DockerClient), nil
 }
+
+type AuthConfig dockertypes.AuthConfig
+
+func (a AuthConfig) Base64() (string, error) {
+	authStr, err := json.Marshal(a)
+	if err != nil {
+		return "", xerrors.Errorf("json marshal: %w", err)
+	}
+	return base64.StdEncoding.EncodeToString(authStr), nil
+}
+
+func ParseAuthConfig(raw string) (AuthConfig, error) {
+	type dockerConfig struct {
+		AuthConfigs map[string]dockertypes.AuthConfig `json:"auths"`
+	}
+
+	var conf dockerConfig
+	if err := json.Unmarshal([]byte(raw), &conf); err != nil {
+		return AuthConfig{}, xerrors.Errorf("parse docker auth config secret: %w", err)
+	}
+	if len(conf.AuthConfigs) != 1 {
+		return AuthConfig{}, xerrors.Errorf("number of image pull auth configs not equal to 1 (%d)", len(conf.AuthConfigs))
+	}
+	for _, regConfig := range conf.AuthConfigs {
+		return AuthConfig(regConfig), nil
+	}
+
+	return AuthConfig{}, xerrors.New("no auth configs parsed.")
+}
diff --git a/dockerutil/image.go b/dockerutil/image.go
@@ -3,7 +3,6 @@ package dockerutil
 import (
 	"bytes"
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"io"
 	"time"
@@ -22,7 +21,7 @@ const diskFullStorageDriver = "vfs"
 type PullImageConfig struct {
 	Client     DockerClient
 	Image      string
-	Auth       DockerAuth
+	Auth       AuthConfig
 	ProgressFn ImagePullProgressFn
 }
 
@@ -40,21 +39,6 @@ type ImagePullEvent struct {
 // image pull progress.
 type ImagePullProgressFn func(e ImagePullEvent) error
 
-type DockerAuth dockertypes.AuthConfig
-
-func (d DockerAuth) Base64() (string, error) {
-	if d == (DockerAuth{}) {
-		return "", nil
-	}
-
-	authStr, err := json.Marshal(d)
-	if err != nil {
-		return "", xerrors.Errorf("marshal auth: %w", err)
-	}
-
-	return base64.StdEncoding.EncodeToString(authStr), nil
-}
-
 // PullImage pulls the provided image.
 func PullImage(ctx context.Context, config *PullImageConfig) error {
 	authStr, err := config.Auth.Base64()
