Support pulling images from different registries with authentication #24547

Open
WqyJh opened this issue Dec 17, 2020 · 7 comments
Labels
status: pending-design-work Needs design work before any code can be developed type: enhancement A general enhancement

WqyJh commented Dec 17, 2020

This is my base image built upon paketobuildpacks/run:base named docker.example.com/run:base which has been pushed to my private registry with basic auth.

FROM paketobuildpacks/run:base

# Install packages (ffmpeg)
RUN echo "debconf debconf/frontend select noninteractive" | debconf-set-selections && \
  export DEBIAN_FRONTEND=noninteractive && \
  apt-get -y update && \
  apt-get -y upgrade && \
  apt-get -y --no-install-recommends install ffmpeg && \
  find /usr/share/doc/*/* ! -name copyright | xargs rm -rf && \
  rm -rf \
    /usr/share/man/* /usr/share/info/* \
    /usr/share/groff/* /usr/share/lintian/* /usr/share/linda/* \
    /var/lib/apt/lists/* /tmp/*

ARG cnb_uid=1000
ARG cnb_gid=1000
ARG distro_name="Ubuntu"
ARG distro_version="18.04"
ARG homepage="https://github.com/paketo-buildpacks/stacks"
ARG maintainer="Paketo Buildpacks"
ARG stack_id="io.buildpacks.stacks.bionic"
ARG description="ubuntu:bionic + openssl + CA certs + ffmpeg"
ARG released

RUN groupadd cnb --gid ${cnb_gid} && \
  useradd --uid ${cnb_uid} --gid ${cnb_gid} -m -s /bin/bash cnb

USER ${cnb_uid}:${cnb_gid}
LABEL io.buildpacks.stack.description=${description}
LABEL io.buildpacks.stack.distro.name=${distro_name}
LABEL io.buildpacks.stack.distro.version=${distro_version}
LABEL io.buildpacks.stack.homepage=${homepage}
LABEL io.buildpacks.stack.id=${stack_id}
LABEL io.buildpacks.stack.maintainer=${maintainer}
LABEL io.buildpacks.stack.metadata=${fully_qualified_base_image}
LABEL io.buildpacks.stack.mixins=${mixins}
LABEL io.buildpacks.stack.released=${released}

This is how I configure bootBuildImage.

bootBuildImage {
    docker {
        builderRegistry {
            username = "username"
            password = "password"
            url = "https://docker.example.com/v1/"
        }
    }
    imageName = "docker.example.com/app"
    runImage = "docker.example.com/run:base"
}

But I've got the following problem when executing the bootBuildImage task.

* What went wrong:
Execution failed for task ':app:bootBuildImage'.
> Docker API call to 'localhost/v1.24/images/create?fromImage=docker.io%2Fpaketobuildpacks%2Fbuilder%3Abase' failed with status code 500 "Internal Server Error" and message "Head https://registry-1.docker.io/v2/paketobuildpacks/builder/manifests/base: unauthorized: incorrect username or password"

This is because basic auth was applied to docker.io when pulling paketobuildpacks/builder:base, which is a public registry with no authentication required.

I've dived into the source code and found the following code, which applies the configured basic auth to images from all registries. I think it should only be applied when the image matches the configured registry.

@scottfrederick
Contributor

@WqyJh The Spring Boot image-building Maven goal and Gradle task apply the builderRegistry credentials to both the builder and run image by design.

We can discuss enhancing this so that different authentication can be supplied for the builder and run images. Your suggested fix solves your use case of one image in a private repository and one image in a public repository, but does not support the use case of each of the two images being in different private repositories. Because of this, I don't think your suggestion is the right fix.

You'll need to re-tag and push the builder image to the same repository as the run image if you need the run image to be in a private repository. I'll tag the issue for team attention so we can discuss an approach to addressing additional use cases.

@scottfrederick scottfrederick added the for: team-attention An issue we'd like other members of the team to review label Dec 17, 2020
@scottfrederick
Contributor

scottfrederick commented Dec 17, 2020

I've opened a new issue (#24552) to enforce that both the builder and run images are in the same registry when an authenticated registry is configured. For the use case raised in this issue, that would require the builder image to be copied to the private registry with something like:

$ docker pull paketobuildpacks/builder:base
$ docker tag paketobuildpacks/builder:base docker.example.com/builder:base
$ docker push docker.example.com/builder:base

We'll leave this issue open to consider enhancing the plugin configuration to allow the builder and run images to be pulled from different registries - either one public and one private registry, or different private registries.

@scottfrederick scottfrederick added status: pending-design-work Needs design work before any code can be developed and removed for: team-attention An issue we'd like other members of the team to review labels Dec 17, 2020
@scottfrederick scottfrederick added this to the 2.x milestone Dec 17, 2020
@scottfrederick scottfrederick changed the title from "Not work for both private registry and public registry" to "Support builder and run images in different registries with authentication" Dec 17, 2020
@wilkinsona wilkinsona added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 13, 2021
@scottfrederick
Contributor

> We'll leave this issue open to consider enhancing the plugin configuration to allow the builder and run images to be pulled from different registries - either one public and one private registry, or different private registries.

This should now include pulling buildpack images from different authenticated registries in addition to builder and run images (see #21722).

@scottfrederick scottfrederick changed the title from "Support builder and run images in different registries with authentication" to "Support pulling images from different registries with authentication" Feb 23, 2021
@pgalache

pgalache commented Jun 4, 2021

I had opened #26759 but closed it as I saw this one opened.

We faced the same problem and think that allowing different authentication parameters for builder and runImage (docker.runImageRegistry) would solve this problem and give developers more flexibility.

@philwebb philwebb modified the milestones: 2.x, 3.x Aug 19, 2022
@tukez

tukez commented Nov 2, 2022

I think a more generic solution would be better than just separate builderRegistry and runImageRegistry. Same problem occurs if you define your own buildpacks (for example changing the JVM to Adoptium).
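
The registry-scoped credential selection discussed in this thread, as an added example that is not Spring Boot code and not from any participant: credentials are keyed by registry host, so the builder, run and buildpack images each get only the credentials configured for their own registry and a public image is pulled anonymously. The class and method names, the second registry and its credentials are hypothetical; it assumes Java 17.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added illustration; not Spring Boot code. Class and method names are hypothetical.
public class RegistryScopedCredentials {

    record Credentials(String username, String password) {}

    // Simplified form of Docker's reference rule: the part before the first '/'
    // is a registry host only if it contains '.' or ':' or equals "localhost";
    // anything else is a Docker Hub repository path.
    static String registryHost(String imageReference) {
        int slash = imageReference.indexOf('/');
        if (slash > 0) {
            String first = imageReference.substring(0, slash);
            if (first.contains(".") || first.contains(":") || first.equals("localhost")) {
                return first;
            }
        }
        return "docker.io";
    }

    // Credentials are returned only for a registry that was explicitly configured;
    // pulls from any other registry stay anonymous, so no secret leaves its registry.
    static Optional<Credentials> credentialsFor(String imageReference, Map<String, Credentials> byHost) {
        return Optional.ofNullable(byHost.get(registryHost(imageReference)));
    }

    public static void main(String[] args) {
        // Constructed sample configuration: two private registries, Docker Hub not listed.
        Map<String, Credentials> byHost = new LinkedHashMap<>();
        byHost.put("docker.example.com", new Credentials("username", "password"));
        byHost.put("registry.example.org:5000", new Credentials("ci-bot", "constructed-secret"));

        List<String> images = List.of(
                "paketobuildpacks/builder:base",               // public builder from the issue
                "docker.example.com/run:base",                 // private run image from the issue
                "registry.example.org:5000/buildpacks/jvm:1"); // constructed buildpack image
        for (String image : images) {
            String decision = credentialsFor(image, byHost)
                    .map(c -> "authenticate as " + c.username())
                    .orElse("anonymous pull");
            System.out.println(image + " @ " + registryHost(image) + " -> " + decision);
        }
    }
}
```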

@Mobe91

Mobe91 commented Jul 7, 2023

This is still an issue and I couldn't figure out how #24547 (comment) would help. I ended up using the workaround described in #24547 (comment).

@piercemar

Hello.
I just faced the same issue when starting to fiddle with runImage.
Wouldn't a solution based on Maven's elements be both more flexible and more secure (supporting encryption and so on)?
