feat: add password protection to internal Docker registry

Fixes MODELIX-1058
modelix · Dec 18, 2024 · 709e378 · 709e378
1 parent a6096f8
commit 709e378
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 14 deletions.
diff --git a/instances-manager/src/main/kotlin/org/modelix/instancesmanager/DeploymentManager.kt b/instances-manager/src/main/kotlin/org/modelix/instancesmanager/DeploymentManager.kt
@@ -392,12 +392,6 @@ class DeploymentManager {
         return deployment
     }
 
-    fun getDockerRegistryPort(): Int {
-        val api = CoreV1Api()
-        var service: V1Service? = api.readNamespacedService(System.getenv("DOCKER_REGISTRY_SERVICE_NAME"), KUBERNETES_NAMESPACE).execute()
-        return service?.spec?.ports?.firstNotNullOfOrNull { it.nodePort } ?: throw IllegalStateException("Registry port unknown")
-    }
-
     fun getPod(deploymentName: InstanceName): V1Pod? {
         try {
             val coreApi = CoreV1Api()
@@ -576,7 +570,7 @@ class DeploymentManager {
 
             // The image registry is made available to the container runtime via a NodePort
             // localhost in this case is the kubernetes node, not the instances-manager
-            container.image = "localhost:${getDockerRegistryPort()}/modelix-workspaces/ws${workspace.id}:${workspace.hash().toValidImageTag()}"
+            container.image = "${INTERNAL_DOCKER_REGISTRY_AUTHORITY}/modelix-workspaces/ws${workspace.id}:${workspace.hash().toValidImageTag()}"
 
             val resources = container.resources ?: return
             val memoryLimit = Quantity.fromString(workspace.memoryLimit)
@@ -686,6 +680,7 @@ class DeploymentManager {
         val INSTANCE_PREFIX = System.getenv("WORKSPACE_CLIENT_PREFIX") ?: "wsclt-"
         val WORKSPACE_CLIENT_DEPLOYMENT_NAME = System.getenv("WORKSPACE_CLIENT_DEPLOYMENT_NAME") ?: "workspace-client"
         val WORKSPACE_PATTERN = Pattern.compile("workspace-([a-f0-9]+)-([a-zA-Z0-9\\-_\\*]+)")
+        val INTERNAL_DOCKER_REGISTRY_AUTHORITY = requireNotNull(System.getenv("INTERNAL_DOCKER_REGISTRY_AUTHORITY"))
         val INSTANCE = DeploymentManager()
     }
 }

diff --git a/workspace-job/Dockerfile b/workspace-job/Dockerfile
@@ -1,5 +1,9 @@
+FROM ghcr.io/jqlang/jq@sha256:096b83865ad59b5b02841f103f83f45c51318394331bf1995e187ea3be937432
+
 FROM gcr.io/kaniko-project/executor:debug@sha256:c3109d5926a997b100c4343944e06c6b30a6804b2f9abe0994d3de6ef92b028e
 
+# `jq` will be used in the workspace-job.sh
+COPY --from=0 /jq /busybox/jq
 COPY workspace-job.sh /workspace-job.sh
 
 ENTRYPOINT ["/bin/sh", "-c"]

diff --git a/workspace-job/workspace-job.sh b/workspace-job/workspace-job.sh
@@ -4,6 +4,16 @@ set -e
 
 echo "### DONE build-startKubernetesJob ###"
 
+ls /secrets
+
+if [ -f /secrets/config-external-registry.json ]; then
+  jq -s '.[0] * .[1]' /secrets/config-external-registry.json /secrets/config-internal-registry.json > /kaniko/.docker/config.json
+else
+  cp /secrets/config-internal-registry.json /kaniko/.docker/config.json
+fi
+
+cat /kaniko/.docker/config.json
+
 (
   # apply custom CA certificate
   cd /kaniko/ssl/certs

diff --git a/workspace-manager/src/main/kotlin/org/modelix/workspace/manager/WorkspaceJobQueue.kt b/workspace-manager/src/main/kotlin/org/modelix/workspace/manager/WorkspaceJobQueue.kt
@@ -193,6 +193,7 @@ class WorkspaceJobQueue(val tokenGenerator: (Workspace) -> String) {
             val memoryLimit = workspace.memoryLimit
             val jwtToken = tokenGenerator(workspace.workspace)
             val dockerConfigSecretName = System.getenv("DOCKER_CONFIG_SECRET_NAME")
+            val dockerConfigInternalRegistrySecretName = System.getenv("DOCKER_CONFIG_INTERN_REGISTRY_SECRET_NAME")
 
             return """
                 apiVersion: batch/v1
@@ -208,7 +209,7 @@ class WorkspaceJobQueue(val tokenGenerator: (Workspace) -> String) {
                       tolerations:
                       - key: "workspace-client"
                         operator: "Exists"
-                        effect: "NoExecute"                    
+                        effect: "NoExecute"
                       containers:
                       - name: wsjob
                         image: $IMAGE_NAME:$IMAGE_VERSION
@@ -240,20 +241,30 @@ class WorkspaceJobQueue(val tokenGenerator: (Workspace) -> String) {
                           limits:
                             memory: $memoryLimit
                             cpu: "1.0" 
-                        ${if (dockerConfigSecretName != null) """
                         volumeMounts:
-                        - name: "docker-config"
-                          mountPath: /kaniko/.docker/config.json
-                          subPath: config.json
-                          readOnly: true
+                        ${if (dockerConfigSecretName != null) """
                         - name: "docker-proxy-ca"
                           mountPath: /kaniko/ssl/certs/docker-proxy-ca.crt
                           subPath: docker-proxy-ca.crt
                           readOnly: true
+                        - name: "docker-config"
+                          mountPath: /secrets/config-external-registry.json
+                          subPath: config.json
+                          readOnly: true
                         """ else ""}
+                        - name: "docker-config-internal-registry"
+                          mountPath: /secrets/config-internal-registry.json
+                          subPath: config.json
+                          readOnly: true
                       restartPolicy: Never
-                      ${if (dockerConfigSecretName != null) """
                       volumes:
+                      - name: "docker-config-internal-registry"
+                        secret:
+                          secretName: "$dockerConfigInternalRegistrySecretName"
+                          items:
+                            - key: .dockerconfigjsonUsingServiceName
+                              path: config.json
+                      ${if (dockerConfigSecretName != null) """
                       - name: "docker-config"
                         secret:
                           secretName: "$dockerConfigSecretName"