
feat(codebuild): allow specifying principals and credentials for pulling build images #3049

Merged: 1 commit merged on Jul 7, 2019

Conversation

@Kaixiang-AWS (Contributor) commented Jun 25, 2019

When using an image that is hosted in a private Docker registry,
you have to pass the appropriate credentials in order to authenticate against that registry.
This change allows passing those credentials when creating a custom build image.

It also introduces the concept of the principal that CodeBuild will use to pull the image -
previously, CodeBuild would always use its own identity when pulling images,
which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal.
Now, the default is to use the project's role when doing the pull of the image.

Fixes #2175

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()

  • codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()

Pull Request Checklist

  • Testing
    • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
    • CLI change?: coordinate update of integration tests with team
    • cdk-init template change?: coordinated update of integration tests with team
  • Docs
    • jsdocs: All public APIs documented
    • README: README and/or documentation topic updated
    • Design: For significant features, design document added to design folder
  • Title and Description
    • Change type: title prefixed with fix, feat and module name in parens, which will appear in changelog
    • Title: use lower-case and doesn't end with a period
    • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
    • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
  • Sensitive Modules (requires 2 PR approvers)
    • IAM Policy Document (in @aws-cdk/aws-iam)
    • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
    • Grant APIs (only if not based on official documentation with a reference)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

@skinny85 (Contributor) left a comment


I have some minor comments after the initial pass, but one big concern.

I see the implementation of LinuxBuildImage/WindowsBuildImage's fromAsset methods changed significantly. This is also reflected in the changes to the integ.ecr.lit.expect.json file (which should be rare). Can you post a rationale for doing these changes? Is this a difference in the behavior of CodeBuild's backend, that makes the current implementation possible? Or was just the "old" behavior always incorrect, in your mind? I would love to hear some details about this.

@Kaixiang-AWS (Contributor, author) replied, quoting the review above:

I have some minor comments after the initial pass, but one big concern.

I see the implementation of LinuxBuildImage/WindowsBuildImage's fromAsset methods changed significantly. This is also reflected in the changes to the integ.ecr.lit.expect.json file (which should be rare). Can you post a rationale for doing these changes? Is this a difference in the behavior of CodeBuild's backend, that makes the current implementation possible? Or was just the "old" behavior always incorrect, in your mind? I would love to hear some details about this.

We want customers to use their own service role to pull ECR images instead of using CodeBuild's service role. Therefore, we need to move the role policy from the customer's ECR repo to their service role. Looks like I did make a mistake: the policy was not added to the customer's service role correctly. I will update this PR later to fix it.
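The trust placement discussed in the PR description and in the review exchange above (a repository resource policy that trusts CodeBuild's shared service principal, versus an ECR pull policy on the project's own role, plus Secrets Manager credentials for a private registry) written out as an added example. This is not aws-cdk code; it is a stand-alone TypeScript model of the CloudFormation `Environment` block a CodeBuild project ends up with for each choice of pull principal. `ImagePullCredentialsType` and its `CODEBUILD` / `SERVICE_ROLE` values are the CloudFormation property named in the linked issue; the `RegistryCredential` shape, the ECR action names and the rule that registry credentials require `SERVICE_ROLE` are taken from the CodeBuild API documentation; the `BuildImageSpec`/`Statement` types, the `synthesizeBuildImage` function and the sample ARNs are hypothetical, constructed for this example.

```typescript
// Added example, not aws-cdk code: a stand-alone model of the CloudFormation
// Environment block a CodeBuild project ends up with, and of where the pull
// permission has to live for each choice of pull principal.

// Values of Environment.ImagePullCredentialsType on AWS::CodeBuild::Project.
type PullPrincipal = 'CODEBUILD' | 'SERVICE_ROLE';

// Hypothetical input shape for this example.
interface BuildImageSpec {
  image: string;               // image URI the build runs in
  pullPrincipal: PullPrincipal;
  ecrRepositoryArn?: string;   // set when the image is hosted in ECR
  registrySecretArn?: string;  // Secrets Manager secret with private-registry credentials
}

// Minimal IAM statement shape used by both role and repository policies.
interface Statement {
  Effect: 'Allow';
  Principal?: { Service: string };
  Action: string[];
  Resource?: string;
}

interface Synthesized {
  environment: {
    Image: string;
    ImagePullCredentialsType: PullPrincipal;
    RegistryCredential?: { Credential: string; CredentialProvider: 'SECRETS_MANAGER' };
  };
  projectRoleStatements: Statement[];      // attach to the project's own service role
  repositoryPolicyStatements: Statement[]; // attach to the ECR repository resource policy
}

// Actions a puller needs on a specific repository.
const ECR_PULL_ACTIONS = [
  'ecr:BatchCheckLayerAvailability',
  'ecr:GetDownloadUrlForLayer',
  'ecr:BatchGetImage',
];

function synthesizeBuildImage(spec: BuildImageSpec): Synthesized {
  const out: Synthesized = {
    environment: { Image: spec.image, ImagePullCredentialsType: spec.pullPrincipal },
    projectRoleStatements: [],
    repositoryPolicyStatements: [],
  };

  if (spec.registrySecretArn !== undefined) {
    // CodeBuild's CreateProject API only accepts private-registry credentials
    // together with SERVICE_ROLE, so refuse the other combination up front.
    if (spec.pullPrincipal !== 'SERVICE_ROLE') {
      throw new Error('private registry credentials require pullPrincipal SERVICE_ROLE');
    }
    out.environment.RegistryCredential = {
      Credential: spec.registrySecretArn,
      CredentialProvider: 'SECRETS_MANAGER',
    };
    // The role must be able to read exactly that secret, nothing broader.
    out.projectRoleStatements.push({
      Effect: 'Allow', Action: ['secretsmanager:GetSecretValue'], Resource: spec.registrySecretArn,
    });
  }

  if (spec.ecrRepositoryArn !== undefined) {
    if (spec.pullPrincipal === 'SERVICE_ROLE') {
      // Trust lives on the project's role. GetAuthorizationToken is not
      // resource-scoped; the layer/image reads are limited to one repository.
      out.projectRoleStatements.push({ Effect: 'Allow', Action: ['ecr:GetAuthorizationToken'], Resource: '*' });
      out.projectRoleStatements.push({ Effect: 'Allow', Action: ECR_PULL_ACTIONS, Resource: spec.ecrRepositoryArn });
    } else {
      // Trust lives on the repository, granted to the shared CodeBuild service
      // principal rather than to this one project's identity.
      out.repositoryPolicyStatements.push({
        Effect: 'Allow', Principal: { Service: 'codebuild.amazonaws.com' }, Action: ECR_PULL_ACTIONS,
      });
    }
  }
  return out;
}

// Constructed sample values; not taken from the PR.
const SAMPLE_IMAGE = '111122223333.dkr.ecr.us-east-1.amazonaws.com/build-image:latest';
const SAMPLE_REPO_ARN = 'arn:aws:ecr:us-east-1:111122223333:repository/build-image';
const SAMPLE_SECRET_ARN = 'arn:aws:secretsmanager:us-east-1:111122223333:secret:registry-creds-AbCdEf';

const byRole = synthesizeBuildImage({ image: SAMPLE_IMAGE, pullPrincipal: 'SERVICE_ROLE', ecrRepositoryArn: SAMPLE_REPO_ARN });
const byService = synthesizeBuildImage({ image: SAMPLE_IMAGE, pullPrincipal: 'CODEBUILD', ecrRepositoryArn: SAMPLE_REPO_ARN });
const privateRegistry = synthesizeBuildImage({
  image: 'registry.example.com/build-image:1', pullPrincipal: 'SERVICE_ROLE', registrySecretArn: SAMPLE_SECRET_ARN,
});
console.log(JSON.stringify({ byRole, byService, privateRegistry }, null, 2));
```

The point the model makes visible is the one the review thread circles around: with `SERVICE_ROLE`, the grant is scoped to one repository on one project's role, so revoking or auditing access is a per-project matter; with `CODEBUILD`, the repository trusts the service principal that every CodeBuild project shares, so the repository policy has to carry any narrowing itself.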

@eladb (Contributor) left a comment


Looks good.

Can you please fix the PR title and follow the contribution guidelines with a clear description of what this PR is doing (not just a reference to an issue, but description of how you solved it)?

Also, would it make sense to also update the ECS module to use the same terminology (@rix0rrr)?

@Kaixiang-AWS force-pushed the private-registry-2 branch 2 times, most recently from a6cc355 to ee51df2 (July 3, 2019 21:51)
@skinny85 force-pushed the private-registry-2 branch 2 times, most recently from ce6c01f to c85f204 (July 5, 2019 02:35)
@skinny85 force-pushed the private-registry-2 branch 2 times, most recently from e182467 to cad83dc (July 6, 2019 23:53)
@skinny85 (Contributor) commented Jul 6, 2019

@eladb submitted a new revision which (I believe) addresses all your comments. Please re-review when you have a second. Thanks!

@skinny85 changed the title from "feat(codebuild): add functionality to allow using private registry an…" to "feat(codebuild): allow specifying principals and credentials for pulling build images" on Jul 7, 2019
Successfully merging this pull request may close these issues.

CodeBuild project environment should support ImagePullCredentialsType