WIP: use registry mirror for image builds

Author: csweichel

components/image-builder-bob/cmd/mirror.go

@@ -0,0 +1,56 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"net/http"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	log "github.com/gitpod-io/gitpod/common-go/log"
+	"github.com/gitpod-io/gitpod/image-builder/bob/pkg/proxy"
+)
+
+var mirrorOpts struct {
+	Auth           string
+	AdditionalAuth string
+}
+
+// mirrorCmd represents the build command
+var mirrorCmd = &cobra.Command{
+	Use:   "mirror",
+	Short: "Runs an authenticating mirror",
+	Run: func(cmd *cobra.Command, args []string) {
+		log.Init("bob", "", true, os.Getenv("SUPERVISOR_DEBUG_ENABLE") == "true")
+		log := log.WithField("command", "mirror")
+
+		authP, err := proxy.NewAuthorizerFromDockerEnvVar(mirrorOpts.Auth)
+		if err != nil {
+			log.WithError(err).WithField("auth", mirrorOpts.Auth).Fatal("cannot unmarshal auth")
+		}
+		authA, err := proxy.NewAuthorizerFromEnvVar(mirrorOpts.AdditionalAuth)
+		if err != nil {
+			log.WithError(err).WithField("auth", mirrorOpts.Auth).Fatal("cannot unmarshal auth")
+		}
+		authP = authP.AddIfNotExists(authA)
+
+		prx := proxy.NewRegistryMirror(authP)
+		http.Handle("/", prx)
+		log.Info("starting bob mirror on :5000")
+		err = http.ListenAndServe(":5000", nil)
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(mirrorCmd)
+
+	// These env vars start with `WORKSPACEKIT_` so that they aren't passed on to ring2
+	mirrorCmd.Flags().StringVar(&mirrorOpts.Auth, "auth", os.Getenv("WORKSPACEKIT_BOBmirror_AUTH"), "authentication to use")
+	mirrorCmd.Flags().StringVar(&mirrorOpts.AdditionalAuth, "additional-auth", os.Getenv("WORKSPACEKIT_BOBmirror_ADDITIONALAUTH"), "additional authentication to use")
+}

components/image-builder-bob/go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/docker/distribution v2.8.1+incompatible
 	github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000
 	github.com/gofrs/flock v0.8.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.1
+	github.com/hashicorp/go-retryablehttp v0.7.4
 	github.com/moby/buildkit v0.11.6
 	github.com/opencontainers/runtime-spec v1.1.0
 	github.com/sirupsen/logrus v1.9.3
@@ -32,7 +32,7 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/klauspost/compress v1.15.12 // indirect
 	github.com/kr/text v0.2.0 // indirect

components/image-builder-bob/go.sum

@@ -0,0 +1,119 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package proxy
+
+import (
+	"context"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"sync"
+
+	"github.com/containerd/containerd/remotes/docker"
+	"github.com/gitpod-io/gitpod/common-go/log"
+	"github.com/hashicorp/go-retryablehttp"
+)
+
+func NewRegistryMirror(auth Authorizer) *RegistryMirror {
+	return &RegistryMirror{
+		Auth:    auth,
+		proxies: make(map[string]*httputil.ReverseProxy),
+	}
+}
+
+type RegistryMirror struct {
+	Auth Authorizer
+
+	mu      sync.Mutex
+	proxies map[string]*httputil.ReverseProxy
+}
+
+// ServeHTTP serves the proxy
+func (mirror *RegistryMirror) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ns := r.URL.Query().Get("ns")
+	if ns == "" {
+		http.Error(w, "no namespace (ns query parameter) present", http.StatusBadRequest)
+	}
+
+	auth := docker.NewDockerAuthorizer(docker.WithAuthCreds(mirror.Auth.Authorize))
+	r = r.WithContext(context.WithValue(r.Context(), authKey, auth))
+
+	r.RequestURI = ""
+
+	mirror.reverse(ns).ServeHTTP(w, r)
+}
+
+// reverse produces an authentication-adding reverse proxy for a given repo alias
+func (mirror *RegistryMirror) reverse(host string) *httputil.ReverseProxy {
+	mirror.mu.Lock()
+	defer mirror.mu.Unlock()
+
+	if rp, ok := mirror.proxies[host]; ok {
+		return rp
+	}
+
+	rp := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "https", Host: host})
+
+	client := retryablehttp.NewClient()
+	client.RetryMax = 3
+	client.CheckRetry = func(ctx context.Context, resp *http.Response, err error) (bool, error) {
+		if err != nil {
+			log.WithError(err).Warn("saw error during CheckRetry")
+			return false, err
+		}
+		auth, ok := ctx.Value(authKey).(docker.Authorizer)
+		if !ok || auth == nil {
+			return false, nil
+		}
+		if resp.StatusCode == http.StatusUnauthorized {
+			err := auth.AddResponses(context.Background(), []*http.Response{resp})
+			if err != nil {
+				log.WithError(err).WithField("URL", resp.Request.URL.String()).Warn("cannot add responses although response was Unauthorized")
+				return false, nil
+			}
+			return true, nil
+		}
+
+		return false, nil
+	}
+	client.RequestLogHook = func(l retryablehttp.Logger, r *http.Request, i int) {
+		// Total hack: we need a place to modify the request before retrying, and this log
+		//             hook seems to be the only place. We need to modify the request, because
+		//             maybe we just added the host authorizer in the previous CheckRetry call.
+		//
+		//			   The ReverseProxy sets the X-Forwarded-For header with the host machine
+		//			   address. If on a cluster with IPV6 enabled, this will be "::1" (IPV6 equivalent
+		//			   of "127.0.0.1"). This can have the knock-on effect of receiving an IPV6
+		//			   URL, e.g. auth.ipv6.docker.com instead of auth.docker.com which may not
+		//			   exist. By forcing the value to be "127.0.0.1", we ensure consistency
+		//			   across clusters.
+		//
+		// 			   @link https://golang.org/src/net/http/httputil/reversemirror.go
+		r.Header.Set("X-Forwarded-For", "127.0.0.1")
+
+		auth, ok := r.Context().Value(authKey).(docker.Authorizer)
+		if !ok || auth == nil {
+			return
+		}
+		_ = auth.Authorize(r.Context(), r)
+	}
+	client.ResponseLogHook = func(l retryablehttp.Logger, r *http.Response) {}
+
+	rp.Transport = &retryablehttp.RoundTripper{
+		Client: client,
+	}
+	rp.ModifyResponse = func(r *http.Response) error {
+		if r.StatusCode == http.StatusBadGateway {
+			// BadGateway makes containerd retry - we don't want that because we retry the upstream
+			// requests internally.
+			r.StatusCode = http.StatusInternalServerError
+			r.Status = http.StatusText(http.StatusInternalServerError)
+		}
+
+		return nil
+	}
+	mirror.proxies[host] = rp
+	return rp
+}

components/image-builder-bob/pkg/proxy/mirror.go

@@ -18,7 +18,9 @@ import (
 	"github.com/hashicorp/go-retryablehttp"
 )
 
-const authKey = "authKey"
+const authKey authKeyType = "authKey"
+
+type authKeyType string
 
 func NewProxy(host *url.URL, aliases map[string]Repo) (*Proxy, error) {
 	if host.Host == "" || host.Scheme == "" {

components/image-builder-bob/pkg/proxy/proxy.go

@@ -20,6 +20,7 @@ import (
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/xerrors"
 
 	"github.com/gitpod-io/gitpod/common-go/log"
@@ -349,7 +350,7 @@ func (a AllowedAuthFor) additionalAuth(domain string) *Authentication {
 type ImageBuildAuth map[string]types.AuthConfig
 
 // GetImageBuildAuthFor produces authentication in the format an image builds needs
-func (a AllowedAuthFor) GetImageBuildAuthFor(blocklist []string) (res ImageBuildAuth) {
+func (a AllowedAuthFor) GetImageBuildAuthFor(ctx context.Context, auth RegistryAuthenticator, blocklist []string) (res ImageBuildAuth) {
 	res = make(ImageBuildAuth)
 	for reg := range a.Additional {
 		var blocked bool
@@ -363,8 +364,36 @@ func (a AllowedAuthFor) GetImageBuildAuthFor(blocklist []string) (res ImageBuild
 			continue
 		}
 		ath := a.additionalAuth(reg)
+		if ath.Empty() {
+			continue
+		}
+		res[reg] = types.AuthConfig(*ath)
+	}
+	for _, reg := range a.Explicit {
+		ath, err := auth.Authenticate(ctx, reg)
+		if err != nil {
+			// TODO(cw): swalloing this error is not the obvious choice. We have to weigh failing all workspace image builds because of
+			// a single misconfiguration, vs essentially silently ignoring that misconfig.
+			log.WithError(err).WithField("registry", reg).Warn("cannot add image build auth for explicit registry - image build might fail")
+			continue
+		}
+		if ath.Empty() {
+			continue
+		}
 		res[reg] = types.AuthConfig(*ath)
 	}
 
-	return
+	if log.Log.Logger.IsLevelEnabled(logrus.DebugLevel) {
+		keys := make([]string, 0, len(res))
+		for k := range res {
+			keys = append(keys, k)
+		}
+		log.WithField("registries", trustedStrings(keys)).Debug("providing additional auth for image build")
+	}
+
+	return res
 }
+
+type trustedStrings []string
+
+func (trustedStrings) IsTrustedValue() {}

components/image-builder-mk3/pkg/auth/auth.go

@@ -336,9 +336,10 @@ func (o *Orchestrator) Build(req *protocol.BuildRequest, resp protocol.ImageBuil
 	wsref, err := reference.ParseNamed(wsrefstr)
 	var additionalAuth []byte
 	if err == nil {
-		additionalAuth, err = json.Marshal(reqauth.GetImageBuildAuthFor([]string{
+		imgbldAuth := reqauth.GetImageBuildAuthFor(ctx, o.Auth, []string{
 			reference.Domain(wsref),
-		}))
+		})
+		additionalAuth, err = json.Marshal(imgbldAuth)
 		if err != nil {
 			return xerrors.Errorf("cannot marshal additional auth: %w", err)
 		}