✨ Implement private registries for Docker

cmd/rig/cmd/project/get_settings.go

@@ -25,12 +25,12 @@ func ProjectGetSettings(ctx context.Context, cmd *cobra.Command, args []string,
 	}
 
 	dockerRegistries := []table.Row{}
-	for i, r := range set.GetDockerRegistries().GetHosts() {
+	for i, r := range set.GetDockerRegistries() {
 		if i == 0 {
 			dockerRegistries = append(dockerRegistries, table.Row{"Docker Registries", r})
 			continue
 		}
-		dockerRegistries = append(dockerRegistries, table.Row{"", r})
+		dockerRegistries = append(dockerRegistries, table.Row{"", r.GetHost()})
 	}
 
 	t := table.NewWriter()

cmd/rig/cmd/project/update_settings.go

@@ -251,11 +251,16 @@ func promptEmailProvider(s *settings.Settings) (*settings.Update, error) {
 }
 
 func promptDeleteDockerRegistry(s *settings.Settings) (*settings.Update, error) {
-	if len(s.GetDockerRegistries().GetHosts()) == 0 {
+	if len(s.GetDockerRegistries()) == 0 {
 		return nil, nil
 	}
 
-	_, res, err := utils.PromptSelect("Choose a registry to delete:", s.GetDockerRegistries().GetHosts(), false)
+	var hosts []string
+	for _, r := range s.GetDockerRegistries() {
+		hosts = append(hosts, r.GetHost())
+	}
+
+	_, res, err := utils.PromptSelect("Choose a registry to delete:", hosts, false)
 	if err != nil {
 		return nil, err
 	}
@@ -288,9 +293,9 @@ func promptAddDockerRegistry(s *settings.Settings) (*settings.Update, error) {
 		return nil, err
 	}
 
-	reg := &settings.DockerRegistry{
+	reg := &settings.AddDockerRegistry{
 		Host: host,
-		Field: &settings.DockerRegistry_Credentials{
+		Field: &settings.AddDockerRegistry_Credentials{
 			Credentials: &settings.DockerRegistryCredentials{
 				Username: username,
 				Password: password,
@@ -430,7 +435,7 @@ func parseSettingsUpdate() (*settings.Update, error) {
 		}, nil
 	case utils.FormatField(settingsAddDockerRegistry.String()):
 		jsonValue := []byte(value)
-		reg := settings.DockerRegistry{}
+		reg := settings.AddDockerRegistry{}
 		if err := protojson.Unmarshal(jsonValue, &reg); err != nil {
 			return nil, err
 		}

deploy/docker-compose/docker-compose.yaml

@@ -7,8 +7,6 @@ services:
       MONGO_INITDB_ROOT_USERNAME: mongodb
       MONGO_INITDB_ROOT_PASSWORD: mongodb
       MONGO_INITDB_DATABASE: rig
-    networks:
-      - rig
     ports:
       - 27017:27017
     volumes:
@@ -18,8 +16,6 @@ services:
   minio:
     image: quay.io/minio/minio:latest
     command: server --console-address ":9001" /data
-    networks:
-      - rig
     ports:
       - "9000:9000"
       - "9001:9001"
@@ -66,13 +62,10 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - ../../configs/server-config.yaml:/etc/rig/server-config.yaml
 
-    networks:
-      - rig
-      - default
-
 networks:
-  rig:
-    external: true
+  default:
+    name: rig
+
 volumes:
   mongodb-data:
   minio-data:

internal/client/docker/capsule.go

@@ -36,7 +36,7 @@ func (c *Client) UpsertCapsule(ctx context.Context, capsuleName string, cc *clus
 		return err
 	}
 
-	image, err := c.ensureImage(ctx, cc.Image)
+	image, err := c.ensureImage(ctx, cc.Image, cc.RegistryAuth)
 	if err != nil {
 		return err
 	}

internal/client/docker/client.go

@@ -3,6 +3,8 @@ package docker
 import (
 	"bytes"
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io"
 	"strings"
@@ -12,14 +14,16 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/stdcopy"
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/rigdev/rig-go-api/api/v1/capsule"
 	"github.com/rigdev/rig/internal/config"
+	"github.com/rigdev/rig/internal/gateway/cluster"
 	"github.com/rigdev/rig/pkg/auth"
 	"github.com/rigdev/rig/pkg/errors"
 	"github.com/rigdev/rig/pkg/iterator"
-	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"go.uber.org/zap"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
@@ -177,7 +181,7 @@ func (c *Client) ensureNetwork(ctx context.Context) (string, error) {
 	return projectID.String(), nil
 }
 
-func (c *Client) ensureImage(ctx context.Context, image string) (string, error) {
+func (c *Client) ensureImage(ctx context.Context, image string, auth *cluster.RegistryAuth) (string, error) {
 	if strings.IndexByte(image, ':') < 0 {
 		image += ":latest"
 	}
@@ -195,7 +199,30 @@ func (c *Client) ensureImage(ctx context.Context, image string) (string, error)
 	if len(is) == 0 {
 		c.logger.Debug("pulling image", zap.String("image", image))
 
-		r, err := c.dc.ImagePull(ctx, image, types.ImagePullOptions{})
+		opts := types.ImagePullOptions{}
+
+		if auth != nil {
+			ac := registry.AuthConfig{
+				ServerAddress: auth.Host,
+				Username:      auth.RegistrySecret.GetUsername(),
+				Password:      auth.RegistrySecret.GetPassword(),
+				Auth: base64.StdEncoding.EncodeToString(
+					[]byte(fmt.Sprint(
+						auth.RegistrySecret.GetUsername(),
+						":",
+						auth.RegistrySecret.GetPassword()),
+					),
+				),
+			}
+			secret, err := json.Marshal(ac)
+			if err != nil {
+				return "", err
+			}
+
+			opts.RegistryAuth = base64.StdEncoding.EncodeToString(secret)
+		}
+
+		r, err := c.dc.ImagePull(ctx, image, opts)
 		if err != nil {
 			return "", err
 		}

internal/client/docker/service.go

@@ -25,7 +25,7 @@ func (c *Client) upsertService(ctx context.Context, capsuleName string, pc *prox
 
 	cfg := strconv.QuoteToASCII(string(bs))
 
-	image, err := c.ensureImage(ctx, fmt.Sprint("ghcr.io/rigdev/rig:", build.Version()))
+	image, err := c.ensureImage(ctx, fmt.Sprint("ghcr.io/rigdev/rig:", build.Version()), nil)
 	if err != nil {
 		return err
 	}

internal/client/k8s/k8s.go

@@ -7,7 +7,6 @@ import (
 	"path"
 
 	"github.com/rigdev/rig/internal/gateway/cluster"
-	"github.com/rigdev/rig/internal/service/project"
 	"go.uber.org/zap"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -18,13 +17,12 @@ import (
 type Client struct {
 	logger *zap.Logger
 	cs     *kubernetes.Clientset
-	ps     project.Service
 	mcs    *metricsclient.Clientset
 }
 
 var _ cluster.Gateway = &Client{}
 
-func New(logger *zap.Logger, ps project.Service) (*Client, error) {
+func New(logger *zap.Logger) (*Client, error) {
 	var (
 		restCfg *rest.Config
 		err     error
@@ -52,7 +50,6 @@ func New(logger *zap.Logger, ps project.Service) (*Client, error) {
 		logger: logger,
 		cs:     cs,
 		mcs:    mcs,
-		ps:     ps,
 	}, nil
 }
 

internal/client/k8s/upsert_capsule.go

@@ -3,6 +3,8 @@ package k8s
 import (
 	"context"
 	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"strconv"
 
@@ -36,11 +38,7 @@ func (c *Client) UpsertCapsule(ctx context.Context, capsuleName string, cc *clus
 		return err
 	}
 
-	bs, err := c.ps.GetProjectDockerSecret(ctx)
-	if err != nil {
-		return err
-	}
-	if err := c.reconcilePullSecret(ctx, ns, bs); err != nil {
+	if err := c.reconcilePullSecret(ctx, ns, cc.RegistryAuth); err != nil {
 		return err
 	}
 
@@ -59,7 +57,7 @@ func (c *Client) UpsertCapsule(ctx context.Context, capsuleName string, cc *clus
 	if err := c.reconcileEnvSecret(ctx, capsuleName, ns, cc); err != nil {
 		return err
 	}
-	if err := c.reconcileDeployment(ctx, capsuleName, ns, len(bs) > 0, cc); err != nil {
+	if err := c.reconcileDeployment(ctx, capsuleName, ns, cc.RegistryAuth != nil, cc); err != nil {
 		return err
 	}
 
@@ -76,21 +74,38 @@ func (c *Client) reconcileProjectNamespace(ctx context.Context, namespace string
 	return nil
 }
 
-func (c *Client) reconcilePullSecret(ctx context.Context, namespace string, data []byte) error {
-	if len(data) == 0 {
+func (c *Client) reconcilePullSecret(ctx context.Context, namespace string, auth *cluster.RegistryAuth) error {
+	if auth == nil {
 		if err := c.deletePullSecret(ctx, namespace); err != nil {
 			return err
 		}
 		return nil
 	}
 
+	bs, err := json.Marshal(map[string]interface{}{
+		"auths": map[string]interface{}{
+			auth.Host: map[string]interface{}{
+				"auth": base64.StdEncoding.EncodeToString(
+					[]byte(fmt.Sprint(
+						auth.RegistrySecret.GetUsername(),
+						":",
+						auth.RegistrySecret.GetPassword()),
+					),
+				),
+			},
+		},
+	})
+	if err != nil {
+		return err
+	}
+
 	s := acsv1.Secret(fmt.Sprintf("%s-pull", namespace), namespace).
 		WithType(v1.SecretTypeDockerConfigJson).
-		WithData(map[string][]byte{".dockerconfigjson": data})
-	_, err := c.cs.CoreV1().Secrets(namespace).Apply(ctx, s, applyOpts())
-	if err != nil {
+		WithData(map[string][]byte{".dockerconfigjson": bs})
+	if _, err := c.cs.CoreV1().Secrets(namespace).Apply(ctx, s, applyOpts()); err != nil {
 		return fmt.Errorf("could not apply pull secret: %w", err)
 	}
+
 	return nil
 }
 

internal/gateway/cluster/gateway.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/rigdev/rig-go-api/api/v1/capsule"
 	"github.com/rigdev/rig/gen/go/proxy"
+	"github.com/rigdev/rig/gen/go/registry"
 	"github.com/rigdev/rig/pkg/auth"
 	"github.com/rigdev/rig/pkg/iterator"
 )
@@ -21,6 +22,12 @@ type Capsule struct {
 	Metadata          map[string]string
 	BuildID           string
 	JWTMethod         *proxy.JWTMethod
+	RegistryAuth      *RegistryAuth
+}
+
+type RegistryAuth struct {
+	Host           string
+	RegistrySecret *registry.Secret
 }
 
 type Gateway interface {

internal/service/capsule/rollout.go

@@ -7,6 +7,7 @@ import (
 	"reflect"
 	"time"
 
+	"github.com/distribution/distribution/v3/reference"
 	"github.com/golang-jwt/jwt"
 	"github.com/rigdev/rig-go-api/api/v1/capsule"
 	"github.com/rigdev/rig-go-api/model"
@@ -239,6 +240,9 @@ func (j *rolloutJob) Run(ctx context.Context) error {
 	rs := proto.Clone(oldRS).(*rollout.Status)
 
 	err = j.run(ctx, c, rc, rs, version, logger)
+	if err != nil {
+		rs.Status.Message = errors.MessageOf(err)
+	}
 
 	if proto.Equal(rs, oldRS) {
 		rs.ScheduledAt = timestamppb.New(time.Now().Add(3 * time.Second))
@@ -425,6 +429,22 @@ func (j *rolloutJob) run(
 			Network:           rc.GetNetwork(),
 		}
 
+		ref, err := reference.ParseDockerRef(b.GetBuildId())
+		if err != nil {
+			return errors.InvalidArgumentErrorf("%v", err)
+		}
+
+		host := reference.Domain(ref)
+		if ds, err := j.s.ps.GetProjectDockerSecret(ctx, host); errors.IsNotFound(err) {
+		} else if err != nil {
+			return err
+		} else {
+			cc.RegistryAuth = &cluster.RegistryAuth{
+				Host:           host,
+				RegistrySecret: ds,
+			}
+		}
+
 		if cc.ContainerSettings == nil {
 			cc.ContainerSettings = &capsule.ContainerSettings{}
 		}

internal/service/capsule/service.go

@@ -8,6 +8,7 @@ import (
 	"github.com/rigdev/rig/internal/gateway/cluster"
 	"github.com/rigdev/rig/internal/repository"
 	"github.com/rigdev/rig/internal/service/auth"
+	"github.com/rigdev/rig/internal/service/project"
 	"github.com/rigdev/rig/pkg/errors"
 	"github.com/rigdev/rig/pkg/iterator"
 	"github.com/rigdev/rig/pkg/uuid"
@@ -21,15 +22,17 @@ type Service struct {
 	sr     repository.Secret
 	cg     cluster.Gateway
 	as     *auth.Service
+	ps     project.Service
 	q      *Queue[Job]
 }
 
-func NewService(cr repository.Capsule, sr repository.Secret, cg cluster.Gateway, as *auth.Service, logger *zap.Logger) *Service {
+func NewService(cr repository.Capsule, sr repository.Secret, cg cluster.Gateway, as *auth.Service, ps project.Service, logger *zap.Logger) *Service {
 	s := &Service{
 		cr:     cr,
 		sr:     sr,
 		cg:     cg,
 		as:     as,
+		ps:     ps,
 		q:      NewQueue[Job](),
 		logger: logger,
 	}