Add baseref as additional image build auth (#18510)

csweichel · web-flow · commit 3dc5b4aac1a4 · 2023-08-14T15:19:40.000+02:00
diff --git a/components/image-builder-mk3/pkg/auth/auth.go b/components/image-builder-mk3/pkg/auth/auth.go
@@ -367,7 +367,7 @@ func (a AllowedAuthFor) additionalAuth(domain string) *Authentication {
 type ImageBuildAuth map[string]types.AuthConfig
 
 // GetImageBuildAuthFor produces authentication in the format an image builds needs
-func (a AllowedAuthFor) GetImageBuildAuthFor(blocklist []string) (res ImageBuildAuth) {
+func (a AllowedAuthFor) GetImageBuildAuthFor(ctx context.Context, auth RegistryAuthenticator, additionalRegistries []string, blocklist []string) (res ImageBuildAuth) {
 	res = make(ImageBuildAuth)
 	for reg := range a.Additional {
 		var blocked bool
@@ -383,6 +383,17 @@ func (a AllowedAuthFor) GetImageBuildAuthFor(blocklist []string) (res ImageBuild
 		ath := a.additionalAuth(reg)
 		res[reg] = types.AuthConfig(*ath)
 	}
+	for _, reg := range additionalRegistries {
+		ath, err := auth.Authenticate(ctx, reg)
+		if err != nil {
+			log.WithError(err).WithField("registry", reg).Warn("cannot get authentication for additioanl registry for image build")
+			continue
+		}
+		if ath.Empty() {
+			continue
+		}
+		res[reg] = types.AuthConfig(*ath)
+	}
 
 	return
 }
diff --git a/components/image-builder-mk3/pkg/orchestrator/orchestrator.go b/components/image-builder-mk3/pkg/orchestrator/orchestrator.go
@@ -323,7 +323,7 @@ func (o *Orchestrator) Build(req *protocol.BuildRequest, resp protocol.ImageBuil
 		return false
 	}
 
-	pbaseref, err := reference.Parse(baseref)
+	pbaseref, err := reference.ParseNormalizedNamed(baseref)
 	if err != nil {
 		return xerrors.Errorf("cannot parse baseref: %v", err)
 	}
@@ -336,9 +336,10 @@ func (o *Orchestrator) Build(req *protocol.BuildRequest, resp protocol.ImageBuil
 	wsref, err := reference.ParseNamed(wsrefstr)
 	var additionalAuth []byte
 	if err == nil {
-		additionalAuth, err = json.Marshal(reqauth.GetImageBuildAuthFor([]string{
+		ath := reqauth.GetImageBuildAuthFor(ctx, o.Auth, []string{reference.Domain(pbaseref)}, []string{
 			reference.Domain(wsref),
-		}))
+		})
+		additionalAuth, err = json.Marshal(ath)
 		if err != nil {
 			return xerrors.Errorf("cannot marshal additional auth: %w", err)
 		}
