[kots] load dockerConfigJson reigstry names into `privateBaseImageAll…

…owList` Follow upto #12174 This PR updates the installer logic to also load the auth's reigstry URL's into `.containerRegistry.privateBaseImageAllowList`. Signed-off-by: Tarun Pothulapati <[email protected]> Co-authored-by: Simon Emms <[email protected]> Co-authored-by: Simon Emms <[email protected]>
gitpod-io · Aug 26, 2022 · 9eeeab0 · 9eeeab0
1 parent 50623fb
commit 9eeeab0
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/install/kots/manifests/gitpod-installer-job.yaml b/install/kots/manifests/gitpod-installer-job.yaml
@@ -178,6 +178,15 @@ spec:
                 yq e -i ".containerRegistry.privateBaseImageAllowList += \"docker.io\"" "${CONFIG_FILE}"
               fi
 
+              if [ '{{repl ConfigOptionNotEquals "reg_docker_config" "" }}' = "true" ];
+              then
+                DOCKER_CONFIG='{{repl ConfigOptionData "reg_docker_config" | Base64Encode }}'
+                echo "${DOCKER_CONFIG}" | base64 -d  > /tmp/userconfig.json
+                # Add the registries to the server allowlist
+                yq e -i ".containerRegistry.privateBaseImageAllowList += $(cat /tmp/userconfig.json | jq '.auths' | jq -rc 'keys')" "${CONFIG_FILE}"
+                yq e -i ".containerRegistry.privateBaseImageAllowList += \"docker.io\"" "${CONFIG_FILE}"
+              fi
+
               # Output the local registry secret - this is proxy.replicated.com if user hasn't set their own
               echo "{{repl LocalRegistryImagePullSecret }}" | base64 -d > /tmp/kotsregistry.json
 
@@ -360,9 +369,6 @@ spec:
                   | base64 -d \
                   > /tmp/currentconfig.json
 
-                DOCKER_CONFIG='{{repl ConfigOptionData "reg_docker_config" | Base64Encode }}'
-                echo "${DOCKER_CONFIG}" | base64 -d  > /tmp/userconfig.json
-
                 export REGISTRY_SECRET=$(jq -s '.[0] * .[1]' /tmp/userconfig.json /tmp/currentconfig.json | base64 -w 0)
 
                 echo "Gitpod: update the in-cluster registry secret"

diff --git a/install/kots/manifests/kots-config.yaml b/install/kots/manifests/kots-config.yaml
@@ -119,7 +119,7 @@ spec:
           when: '{{repl ConfigOptionEquals "reg_docker_config_enable" "1" }}'
           type: file
           required: true
-          help_text: Docker [config JSON file](https://docs.docker.com/engine/reference/commandline/cli/#sample-configuration-file) with auth credentials used to access private registries, for workspace images.
+          help_text: "Docker [config JSON file](https://docs.docker.com/engine/reference/commandline/cli/#sample-configuration-file) with auth credentials used to access private registries, for workspace images. **NB.** All of the registries in the config with be automatically added to the [`privateBaseImageAllowList`]()."
 
     - name: database
       title: Database