Allow private registry connections with the dependency proxy
🍌 Proposal
In previous issues we added the ability for users to configure and prioritize external container registries for use with the Dependency Proxy. However, thus far, all of these registries have had to be public. Here we add the ability to use private registries.
We do not control how external container registries handle authentication, so we are at the mercy of each provider. This means we have no choice but to store users' credentials for these external registries ourselves so that we can present them on every image pull.
This will require a detailed security review. We may want to consult with AppSec about the general strategy before beginning to work on it.
We should ensure that our documentation is clear about how we store these third-party credentials, and that it recommends users use easily revocable credentials and, where possible, credentials that are not their personal or admin-level credentials.
☑ Implementation plan
- Add `username` and `password` columns to the `namespace_dependency_proxy_settings` table and model. These should be optional; when the values are NULL, the registry is assumed to be public and not to need authentication. The password must be stored encrypted at rest and must never be written to logs. These settings should be accessible in the UI/API.
- Update `DependencyProxy::RequestTokenService` to use the stored credentials, if present, as a Basic Auth header when requesting the JWT access token. We should have a way to notify the user when they save these values if they are not valid. Perhaps we can use a `before/after_save` event/callback that simply attempts to request a token: if successful, the credentials are stored; if unsuccessful, the credentials are not stored, or we could display an error indicator if we don't want to block saving the settings.
- Add any private-registry-specific plan limits on how many private registries a given group can connect to, and update the logic to enforce these limits.
- Add metrics for the number of private vs public registries being connected to by groups using this feature. Once #238056 is implemented, add a metric for the number of images pulled from public vs private registries.
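The token request and the on-save credential check described in the plan above, as an added example that is not GitLab's own code. It assumes a `RegistrySettings` struct standing in for a `namespace_dependency_proxy_settings` row, a hypothetical `parse_bearer_challenge`/`request_token`/`credentials_valid?` set of helpers, and a constructed fake token endpoint in place of a real external registry, so it runs offline:

```ruby
require 'base64'
require 'json'
require 'uri'

# Hypothetical stand-in for a namespace_dependency_proxy_settings row (constructed, not GitLab code).
RegistrySettings = Struct.new(:url, :username, :password, keyword_init: true) do
  # NULL username/password means the registry is public and needs no authentication.
  def private?
    !username.nil? && !password.nil?
  end
end

# Parse a registry's `WWW-Authenticate: Bearer realm="...",service="...",scope="..."` challenge.
# We do not control the provider's auth flow, so the realm/service/scope must be taken from
# the challenge as issued rather than guessed.
def parse_bearer_challenge(header)
  m = header.match(/\ABearer\s+(.*)\z/i)
  raise ArgumentError, 'not a Bearer challenge' unless m

  m[1].scan(/(\w+)="([^"]*)"/).to_h
end

# Build the token request: the realm URL with service/scope as query parameters, and a
# Basic Auth header only when credentials are stored. Public registries get no header.
def build_token_request(settings, challenge)
  uri = URI(challenge.fetch('realm'))
  params = { 'service' => challenge['service'], 'scope' => challenge['scope'] }.compact
  uri.query = URI.encode_www_form(params)
  headers = {}
  if settings.private?
    # Never log this header: it carries the user's third-party credentials.
    headers['Authorization'] = 'Basic ' + Base64.strict_encode64("#{settings.username}:#{settings.password}")
  end
  [uri, headers]
end

# Perform the token request through an injectable client (a lambda returning [status, body]),
# so the same path serves both image pulls and the before_save credential probe.
# Returns [:ok, token] or [:error, message]; rejected credentials are a result, not an exception.
def request_token(settings, challenge, client:)
  uri, headers = build_token_request(settings, challenge)
  status, body = client.call(uri, headers)
  return [:error, "registry returned #{status}"] unless status == 200

  json = JSON.parse(body)
  token = json['token'] || json['access_token']
  return [:error, 'no token in response'] if token.nil? || token.empty?

  [:ok, token]
rescue JSON::ParserError
  [:error, 'malformed token response']
end

# The before_save check from the plan: a private registry whose credentials do not yield a
# token is rejected; a public registry (NULL credentials) is accepted without a probe.
def credentials_valid?(settings, challenge, client:)
  return true unless settings.private?

  request_token(settings, challenge, client: client).first == :ok
end

# Constructed fake token endpoint standing in for an external registry: it accepts exactly one
# Basic credential pair ("ci-bot" / "s3cr3t") and answers 401 for anything else.
FAKE_CHALLENGE = 'Bearer realm="https://auth.example.test/token",' \
                 'service="registry.example.test",scope="repository:library/alpine:pull"'.freeze
FAKE_CLIENT = lambda do |_uri, headers|
  expected = 'Basic ' + Base64.strict_encode64('ci-bot:s3cr3t')
  if headers['Authorization'] == expected
    [200, JSON.generate('token' => 'eyJhbGciOi.fake.jwt')]
  else
    [401, JSON.generate('errors' => [{ 'code' => 'UNAUTHORIZED' }])]
  end
end

if __FILE__ == $PROGRAM_NAME
  challenge = parse_bearer_challenge(FAKE_CHALLENGE)
  good = RegistrySettings.new(url: 'https://registry.example.test', username: 'ci-bot', password: 's3cr3t')
  bad  = RegistrySettings.new(url: 'https://registry.example.test', username: 'ci-bot', password: 'wrong')
  puts "good credentials: #{request_token(good, challenge, client: FAKE_CLIENT).inspect}"
  puts "bad credentials:  #{request_token(bad, challenge, client: FAKE_CLIENT).inspect}"
  puts "save allowed?     #{credentials_valid?(bad, challenge, client: FAKE_CLIENT)}"
end
```

The injectable client is the point of the design: the same `request_token` path that serves a pull is what the save-time probe calls, so a credential pair that passes the probe is one that will actually work at pull time, and a public registry is never probed with a Basic header it does not expect.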