Merge pull request #865 from pivotal/mount-image-pull-secrets

Mount all ServiceAccount imagePullSecrets to allow builds to read the run image
buildpacks-community · Oct 22, 2021 · 65ce71d · 65ce71d
2 parents 7eff976 + d2816c9
commit 65ce71d
Show file tree

Hide file tree

Showing 7 changed files with 786 additions and 533 deletions.
diff --git a/cmd/build-init/main.go b/cmd/build-init/main.go
@@ -43,6 +43,7 @@ var (
 	dockerCredentials       flaghelpers.CredentialsFlags
 	dockerCfgCredentials    flaghelpers.CredentialsFlags
 	dockerConfigCredentials flaghelpers.CredentialsFlags
+	imagePullSecrets        flaghelpers.CredentialsFlags
 )
 
 func init() {
@@ -51,18 +52,18 @@ func init() {
 	flag.Var(&dockerCredentials, "basic-docker", "Basic authentication for docker of the form 'secretname=git.domain.com'")
 	flag.Var(&dockerCfgCredentials, "dockercfg", "Docker Cfg credentials in the form of the path to the credential")
 	flag.Var(&dockerConfigCredentials, "dockerconfig", "Docker Config JSON credentials in the form of the path to the credential")
+	flag.Var(&imagePullSecrets, "imagepull", "Builder Image pull credentials in the form of the path to the credential")
 }
 
 const (
-	secretsHome               = "/builder/home"
-	appDir                    = "/workspace"
-	platformDir               = "/platform"
-	buildSecretsDir           = "/var/build-secrets"
-	imagePullSecretsDir       = "/imagePullSecrets"
-	builderPullSecretsDir     = "/builderPullSecrets"
-	projectMetadataDir        = "/projectMetadata"
-	networkWaitLauncherDir    = "/networkWait"
-	networkWaitLauncherBinary = "network-wait-launcher.exe"
+	secretsHome                  = "/builder/home"
+	appDir                       = "/workspace"
+	platformDir                  = "/platform"
+	buildSecretsDir              = "/var/build-secrets"
+	registrySourcePullSecretsDir = "/registrySourcePullSecrets"
+	projectMetadataDir           = "/projectMetadata"
+	networkWaitLauncherDir       = "/networkWait"
+	networkWaitLauncherBinary    = "network-wait-launcher.exe"
 )
 
 func main() {
@@ -108,6 +109,20 @@ func main() {
 		logger.Fatal(errors.Wrapf(err, "Error verifying write access to %q", *imageTag))
 	}
 
+	for _, c := range imagePullSecrets {
+		credPath := filepath.Join(buildSecretsDir, c)
+
+		imagePullCreds, err := dockercreds.ParseDockerPullSecrets(credPath)
+		if err != nil {
+			logger.Fatal(err)
+		}
+
+		creds, err = creds.Append(imagePullCreds)
+		if err != nil {
+			logger.Fatalf("error appending image pull creds %s", err)
+		}
+	}
+
 	err = dockercreds.VerifyReadAccess(creds, *runImage)
 	if err != nil {
 		logger.Fatal(errors.Wrapf(err, "Error verifying read access to run image %q", *runImage))
@@ -128,17 +143,7 @@ func main() {
 		logger.Fatalf("error setting up platform env vars %s", err)
 	}
 
-	builderCreds, err := dockercreds.ParseDockerPullSecrets(builderPullSecretsDir)
-	if err != nil {
-		logger.Fatal(err)
-	}
-
-	dockerCreds, err := creds.Append(builderCreds)
-	if err != nil {
-		logger.Fatalf("error appending builder creds %s", err)
-	}
-
-	err = dockerCreds.Save(path.Join(secretsHome, ".docker", "config.json"))
+	err = creds.Save(path.Join(secretsHome, ".docker", "config.json"))
 	if err != nil {
 		logger.Fatalf("error writing docker creds %s", err)
 	}
@@ -185,15 +190,15 @@ func fetchSource(logger *log.Logger, serviceAccountCreds dockercreds.DockerCreds
 		}
 		return fetcher.Fetch(appDir, *blobURL)
 	case *registryImage != "":
-		imagePullSecrets, err := dockercreds.ParseDockerPullSecrets(imagePullSecretsDir)
+		registrySourcePullSecrets, err := dockercreds.ParseDockerPullSecrets(registrySourcePullSecretsDir)
 		if err != nil {
 			return err
 		}
 
 		fetcher := registry.Fetcher{
 			Logger:   logger,
 			Client:   &registry.Client{},
-			Keychain: authn.NewMultiKeychain(imagePullSecrets, serviceAccountCreds),
+			Keychain: authn.NewMultiKeychain(registrySourcePullSecrets, serviceAccountCreds),
 		}
 		return fetcher.Fetch(appDir, *registryImage)
 	default:

diff --git a/cmd/completion/main.go b/cmd/completion/main.go
@@ -34,6 +34,8 @@ var (
 	cosignAnnotations       flaghelpers.CredentialsFlags
 	cosignRepositories      flaghelpers.CredentialsFlags
 	cosignDockerMediaTypes  flaghelpers.CredentialsFlags
+	basicGitCredentials     flaghelpers.CredentialsFlags
+	sshGitCredentials       flaghelpers.CredentialsFlags
 	logger                  *log.Logger
 )
 
@@ -42,6 +44,9 @@ func init() {
 	flag.Var(&dockerCredentials, "basic-docker", "Basic authentication for docker of the form 'secretname=git.domain.com'")
 	flag.Var(&dockerCfgCredentials, "dockercfg", "Docker Cfg credentials in the form of the path to the credential")
 	flag.Var(&dockerConfigCredentials, "dockerconfig", "Docker Config JSON credentials in the form of the path to the credential")
+	flag.Var(&basicGitCredentials, "basic-git", "Basic authentication for git of the form 'secretname=git.domain.com'")
+	flag.Var(&sshGitCredentials, "ssh-git", "SSH authentication for git of the form 'secretname=git.domain.com'")
+
 	flag.Var(&cosignAnnotations, "cosign-annotations", "Cosign custom signing annotations")
 	flag.Var(&cosignRepositories, "cosign-repositories", "Cosign signing repository of the form 'secretname=registry.example.com/project'")
 	flag.Var(&cosignDockerMediaTypes, "cosign-docker-media-types", "Cosign signing with legacy docker media types of the form 'secretname=1'")

diff --git a/cmd/rebase/main.go b/cmd/rebase/main.go
@@ -32,12 +32,14 @@ var (
 	dockerCredentials       flaghelpers.CredentialsFlags
 	dockerCfgCredentials    flaghelpers.CredentialsFlags
 	dockerConfigCredentials flaghelpers.CredentialsFlags
+	imagePullSecrets        flaghelpers.CredentialsFlags
 )
 
 func init() {
 	flag.Var(&dockerCredentials, "basic-docker", "Basic authentication for docker of the form 'secretname=git.domain.com'")
 	flag.Var(&dockerCfgCredentials, "dockercfg", "Docker Cfg credentials in the form of the path to the credential")
 	flag.Var(&dockerConfigCredentials, "dockerconfig", "Docker Config JSON credentials in the form of the path to the credential")
+	flag.Var(&imagePullSecrets, "imagepull", "Builder Image pull credentials in the form of the path to the credential")
 }
 
 func main() {
@@ -62,7 +64,7 @@ func rebase(tags []string, logger *log.Logger) error {
 		return cmd.FailErrCode(err, cmd.CodeInvalidArgs)
 	}
 
-	for _, c := range append(dockerCfgCredentials, dockerConfigCredentials...) {
+	for _, c := range combine(dockerCfgCredentials, dockerConfigCredentials, imagePullSecrets) {
 		credPath := filepath.Join(buildSecretsDir, c)
 
 		dockerCfgCreds, err := dockercreds.ParseDockerPullSecrets(credPath)
@@ -118,3 +120,11 @@ func rebase(tags []string, logger *log.Logger) error {
 
 	return ioutil.WriteFile(*reportFilePath, buf.Bytes(), 0777)
 }
+
+func combine(credentials ...[]string) []string {
+	var combinded []string
+	for _, creds := range credentials {
+		combinded = append(combinded, creds...)
+	}
+	return combinded
+}