[kots] load dockerConfigJson reigstry names into privateBaseImageAllowList

Pothulapati · Simon Emms · nandajavarma · roboquat · commit 22e9253abe11 · 2022-08-26T13:00:11.000+02:00
Follow upto #12174 This PR updates the installer logic to also load the auth's reigstry URL's into `.containerRegistry.privateBaseImageAllowList`. Signed-off-by: Tarun Pothulapati <tarun@gitpod.io> Co-authored-by: Simon Emms <simon@gitpod.io> Co-authored-by: Nandaja Varma <nandaja.varma@gmail.com>
diff --git a/install/kots/manifests/gitpod-installer-job.yaml b/install/kots/manifests/gitpod-installer-job.yaml
@@ -178,6 +178,15 @@ spec:
                 yq e -i ".containerRegistry.privateBaseImageAllowList += \"docker.io\"" "${CONFIG_FILE}"
               fi
 
+              if [ '{{repl ConfigOptionNotEquals "reg_docker_config" "" }}' = "true" ];
+              then
+                DOCKER_CONFIG='{{repl ConfigOptionData "reg_docker_config" | Base64Encode }}'
+                echo "${DOCKER_CONFIG}" | base64 -d  > /tmp/userconfig.json
+                # Add the registries to the server allowlist
+                yq e -i ".containerRegistry.privateBaseImageAllowList += $(cat /tmp/userconfig.json | jq '.auths' | jq -rc 'keys')" "${CONFIG_FILE}"
+                yq e -i ".containerRegistry.privateBaseImageAllowList += \"docker.io\"" "${CONFIG_FILE}"
+              fi
+
               # Output the local registry secret - this is proxy.replicated.com if user hasn't set their own
               echo "{{repl LocalRegistryImagePullSecret }}" | base64 -d > /tmp/kotsregistry.json
 
@@ -356,9 +365,6 @@ spec:
                   | base64 -d \
                   > /tmp/currentconfig.json
 
-                DOCKER_CONFIG='{{repl ConfigOptionData "reg_docker_config" | Base64Encode }}'
-                echo "${DOCKER_CONFIG}" | base64 -d  > /tmp/userconfig.json
-
                 export REGISTRY_SECRET=$(jq -s '.[0] * .[1]' /tmp/userconfig.json /tmp/currentconfig.json | base64 -w 0)
 
                 echo "Gitpod: update the in-cluster registry secret"
diff --git a/install/kots/manifests/kots-config.yaml b/install/kots/manifests/kots-config.yaml
@@ -119,7 +119,7 @@ spec:
           when: '{{repl ConfigOptionEquals "reg_docker_config_enable" "1" }}'
           type: file
           required: true
-          help_text: Docker [config JSON file](https://docs.docker.com/engine/reference/commandline/cli/#sample-configuration-file) with auth credentials used to access private registries, for workspace images.
+          help_text: "Docker [config JSON file](https://docs.docker.com/engine/reference/commandline/cli/#sample-configuration-file) with auth credentials used to access private registries, for workspace images. **NB.** All of the registries in the config will be automatically added to the [`privateBaseImageAllowList`](http://gitpod.io/docs/self-hosted/latest/advanced/private-registries)."
 
     - name: database
       title: Database
