support registry auth

HACK: the way buildkit works, we can only supply an Auth Provider for the entirety of the build session (`dagger up`). Therefore, we start by scanning all auth in the entire Cue tree and supply an auth provider for all of them. Drawbacks: - As soon as you add `auth` in a Pipeline for a registry, all other Pipelines have access to the same registry - You can't use different credentials for the same registry Fixes #301 Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2021-04-19 18:04:18 -07:00
parent 5e90c1a11e
commit 692bd72095
9 changed files with 204 additions and 18 deletions
--- a/stdlib/dagger/op/op.cue
+++ b/stdlib/dagger/op/op.cue
@@ -32,7 +32,8 @@ package op
 // FIXME: bring back load (more efficient than copy)

 #Load: {
-	do:   "load"
+	do: "load"
+	// FIXME: this should be a `dagger.#Artifact`
 	from: _
 }

@@ -48,17 +49,32 @@ package op
 	// `true` means also ignoring the mount cache volumes
 	always?: true | *false
 	dir:     string | *"/"
+	// FIXME: this should be `from: dagger.#Artifact`
 	mount: [string]: "tmpfs" | "cache" | {from: _, path: string | *"/"}
 }

+// RegistryCredentials encodes Container Registry credentials
+#RegistryCredentials: {
+	username: string
+	// FIXME: this should `dagger.#Secret`
+	secret: string
+}
+
+// RegistryAuth maps registry hosts to credentials
+#RegistryAuth: {
+	[host=string]: #RegistryCredentials
+}
+
 #FetchContainer: {
-	do:  "fetch-container"
-	ref: string
+	do:   "fetch-container"
+	ref:  string
+	auth: #RegistryAuth
 }

 #PushContainer: {
-	do:  "push-container"
-	ref: string
+	do:   "push-container"
+	ref:  string
+	auth: #RegistryAuth
 }

 #FetchGit: {
@@ -68,7 +84,8 @@ package op
 }

 #Copy: {
-	do:   "copy"
+	do: "copy"
+	// FIXME: this should `dagger.#Artifact`
 	from: _
 	src:  string | *"/"
 	dest: string | *"/"
@@ -77,6 +94,7 @@ package op
 #DockerBuild: {
 	do: "docker-build"
 	// We accept either a context, a Dockerfile or both together
+	// FIXME: this should `dagger.#Artifact`
 	context?:        _
 	dockerfilePath?: string // path to the Dockerfile (defaults to "Dockerfile")
 	dockerfile?:     string
@@ -84,6 +102,10 @@ package op
 	platforms?: [...string]
 	buildArg?: [string]: string
 	label?: [string]:    string
+
+	// credentials for the registry (optional)
+	// used to pull images in `FROM` statements
+	auth: #RegistryAuth
 }

 #WriteFile: {