[image-builder] Support whitelisted registries in GP layer build

components/image-builder-mk3/pkg/auth/auth.go

@@ -115,6 +115,15 @@ func (a AllowedAuthFor) Elevate(ref string) AllowedAuthFor {
 	return AllowedAuthFor{a.All, append(a.Explicit, reference.Domain(pref))}
 }
 
+// ExplicitlyAll produces an AllowedAuthFor that allows authentication for all
+// registries, yet carries the original Explicit list which affects GetAuthForImageBuild
+func (a AllowedAuthFor) ExplicitlyAll() AllowedAuthFor {
+	return AllowedAuthFor{
+		All:      true,
+		Explicit: a.Explicit,
+	}
+}
+
 // Resolver resolves an auth request determining which authentication is actually allowed
 type Resolver struct {
 	BaseImageRepository      string

components/image-builder-mk3/pkg/orchestrator/orchestrator.go

@@ -383,7 +383,7 @@ func (o *Orchestrator) Build(req *protocol.BuildRequest, resp protocol.ImageBuil
 	if err != nil {
 		return
 	}
-	gplayerAuth, err := o.getAuthFor(auth.AllowedAuthForAll, wsrefstr, baseref)
+	gplayerAuth, err := o.getAuthFor(reqauth.ExplicitlyAll(), wsrefstr, baseref)
 	if err != nil {
 		return
 	}