feat: add password protection to internal Docker registry
Fixes MODELIX-1058
odzhychko committed Dec 17, 2024
1 parent a6096f8 commit ff74610
Showing 2 changed files with 38 additions and 14 deletions.
Expand Up @@ -392,12 +392,6 @@ class DeploymentManager {
return deployment
}

fun getDockerRegistryPort(): Int {
val api = CoreV1Api()
var service: V1Service? = api.readNamespacedService(System.getenv("DOCKER_REGISTRY_SERVICE_NAME"), KUBERNETES_NAMESPACE).execute()
return service?.spec?.ports?.firstNotNullOfOrNull { it.nodePort } ?: throw IllegalStateException("Registry port unknown")
}

fun getPod(deploymentName: InstanceName): V1Pod? {
try {
val coreApi = CoreV1Api()
Expand Down Expand Up @@ -576,7 +570,7 @@ class DeploymentManager {

// The image registry is made available to the container runtime via a NodePort
// localhost in this case is the kubernetes node, not the instances-manager
container.image = "localhost:${getDockerRegistryPort()}/modelix-workspaces/ws${workspace.id}:${workspace.hash().toValidImageTag()}"
container.image = "${INTERNAL_DOCKER_REGISTRY_AUTHORITY}/modelix-workspaces/ws${workspace.id}:${workspace.hash().toValidImageTag()}"

val resources = container.resources ?: return
val memoryLimit = Quantity.fromString(workspace.memoryLimit)
Expand Down Expand Up @@ -686,6 +680,7 @@ class DeploymentManager {
val INSTANCE_PREFIX = System.getenv("WORKSPACE_CLIENT_PREFIX") ?: "wsclt-"
val WORKSPACE_CLIENT_DEPLOYMENT_NAME = System.getenv("WORKSPACE_CLIENT_DEPLOYMENT_NAME") ?: "workspace-client"
val WORKSPACE_PATTERN = Pattern.compile("workspace-([a-f0-9]+)-([a-zA-Z0-9\\-_\\*]+)")
val INTERNAL_DOCKER_REGISTRY_AUTHORITY = requireNotNull(System.getenv("INTERNAL_DOCKER_REGISTRY_AUTHORITY"))
val INSTANCE = DeploymentManager()
}
}
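Review bot: The new companion-object line `requireNotNull(System.getenv("INTERNAL_DOCKER_REGISTRY_AUTHORITY"))` fails during class initialisation with a bare IllegalArgumentException that names no variable, which makes a mis-deployed instances-manager hard to diagnose; give it a message, `requireNotNull(System.getenv("INTERNAL_DOCKER_REGISTRY_AUTHORITY")) { "INTERNAL_DOCKER_REGISTRY_AUTHORITY must be set" }`. The two comment lines above the changed `container.image` assignment still describe the old localhost/NodePort scheme that the removed `getDockerRegistryPort()` implemented, so they should be rewritten to say that the registry authority is taken from INTERNAL_DOCKER_REGISTRY_AUTHORITY and must be resolvable from the node's container runtime, not from the instances-manager. Because the registry is now password-protected, the workspace pod presumably also needs an `imagePullSecrets` entry for the kubelet to pull this image; nothing in this section adds one, so confirm the pull side is handled elsewhere. Both the enclosing method and the companion object begin outside the hunks shown.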
Expand Up @@ -158,6 +158,7 @@ class WorkspaceJobQueue(val tokenGenerator: (Workspace) -> String) {
private val LOG = mu.KotlinLogging.logger { }
val KUBERNETES_NAMESPACE = System.getenv("KUBERNETES_NAMESPACE") ?: "default"
val IMAGE_NAME = System.getenv("WORKSPACE_JOB_IMAGE_NAME") ?: "modelix/workspace-job"
val JQ_HELPER_IMAGE_NAME = System.getenv("JQ_HELPER_IMAGE_NAME")!!
// XXX The name WORKSPACE_JOB_IMAGE_VERSION is misleading as it is only the prefix.
// e.g. `latest` becomes `latest-2020.3`
val IMAGE_VERSION = System.getenv("WORKSPACE_JOB_IMAGE_VERSION") ?: "latest"
Expand Down Expand Up @@ -193,6 +194,7 @@ class WorkspaceJobQueue(val tokenGenerator: (Workspace) -> String) {
val memoryLimit = workspace.memoryLimit
val jwtToken = tokenGenerator(workspace.workspace)
val dockerConfigSecretName = System.getenv("DOCKER_CONFIG_SECRET_NAME")
val dockerConfigInternalRegistrySecretName = System.getenv("DOCKER_CONFIG_INTERN_REGISTRY_SECRET_NAME")

return """
apiVersion: batch/v1
Expand All @@ -208,7 +210,26 @@ class WorkspaceJobQueue(val tokenGenerator: (Workspace) -> String) {
tolerations:
- key: "workspace-client"
operator: "Exists"
effect: "NoExecute"
effect: "NoExecute"
initContainers:
- name: init-merge-configs
image: $JQ_HELPER_IMAGE_NAME
# Join Docker secretes with `jq`, if both are specified.
# Else copy over the only script to the required config directory.
command: ["/bin/sh", "-c", "if [ -f /secrets/config-external-registry.json ]; then jq -s '.[0] * .[1]' /secrets/config-external-registry.json /secrets/config-internal-registry.json > /kaniko/.docker/config.json;else cp /secrets/config-internal-registry.json /kaniko/.docker/config.json; fi"]
volumeMounts:
- name: "config-volume"
mountPath: /kaniko/.docker
- name: "docker-config-internal-registry"
mountPath: /secrets/config-internal-registry.json
subPath: config.json
readOnly: true
${if (dockerConfigSecretName != null) """
- name: "docker-config"
mountPath: /secrets/config-external-registry.json
subPath: config.json
readOnly: true
""" else ""}
containers:
- name: wsjob
image: $IMAGE_NAME:$IMAGE_VERSION
Expand Down Expand Up @@ -240,20 +261,28 @@ class WorkspaceJobQueue(val tokenGenerator: (Workspace) -> String) {
limits:
memory: $memoryLimit
cpu: "1.0"
${if (dockerConfigSecretName != null) """
volumeMounts:
- name: "docker-config"
mountPath: /kaniko/.docker/config.json
subPath: config.json
readOnly: true
${if (dockerConfigSecretName != null) """
- name: "docker-proxy-ca"
mountPath: /kaniko/ssl/certs/docker-proxy-ca.crt
subPath: docker-proxy-ca.crt
readOnly: true
""" else ""}
- name: "config-volume"
mountPath: /kaniko/.docker/config.json
subPath: config.json
restartPolicy: Never
${if (dockerConfigSecretName != null) """
volumes:
- name: config-volume
emptyDir:
medium: Memory
- name: "docker-config-internal-registry"
secret:
secretName: "$dockerConfigInternalRegistrySecretName"
items:
- key: .dockerconfigjsonUsingServiceName
path: config.json
${if (dockerConfigSecretName != null) """
- name: "docker-config"
secret:
secretName: "$dockerConfigSecretName"
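Review bot: `dockerConfigInternalRegistrySecretName` is read with a plain `System.getenv` and interpolated unchecked into `secretName: "$dockerConfigInternalRegistrySecretName"`, so a missing DOCKER_CONFIG_INTERN_REGISTRY_SECRET_NAME renders `secretName: "null"` and the job only fails at pod start with an unrelated mount error, unlike `JQ_HELPER_IMAGE_NAME!!` which at least fails fast; use `val dockerConfigInternalRegistrySecretName = requireNotNull(System.getenv("DOCKER_CONFIG_INTERN_REGISTRY_SECRET_NAME")) { "DOCKER_CONFIG_INTERN_REGISTRY_SECRET_NAME must be set" }` and the same message form in place of `!!` for the helper image. The merged credentials file in `config-volume` is mounted into wsjob without `readOnly: true`, whereas every secret mount in this file carries it, so add `readOnly: true` under that mount. The init container that handles the credentials of both registries runs whatever `JQ_HELPER_IMAGE_NAME` resolves to, so the deployment should pin that image by digest rather than a mutable tag. The `jq -s '.[0] * .[1]'` merge lets the internal config win on any overlapping `auths` key, which is presumably intended but deserves a comment next to the existing one. The enclosing function begins and ends outside the hunks shown.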

0 comments on commit ff74610

Please sign in to comment.