Pass dependency proxy credentials to runners

When it's available

Pass dependency proxy credentials to runners
When it's available
0ee59d62 · Lin Jen-Shin · 30cf2c96 · 0ee59d62 · 0ee59d62 · 0ee59d62
Commit 0ee59d62 authored Jan 19, 2021 by Lin Jen-Shin
7 changed files
--- a/changelogs/unreleased/automatically-authenticate-with-the-dependency-proxy.yml
+++ b/changelogs/unreleased/automatically-authenticate-with-the-dependency-proxy.yml
+---
+title: Pass dependency proxy credentials to runners to log in automatically
+merge_request: 51927
+author:
+type: added
--- a/doc/user/packages/dependency_proxy/index.md
+++ b/doc/user/packages/dependency_proxy/index.md
@@ -91,33 +91,29 @@ You can authenticate using:

 #### Authenticate within CI/CD

-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/280582) in GitLab 13.7.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/280582) in GitLab 13.7.
+> - Automatic runner authentication [added](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27302) in GitLab 13.9

-To work with the Dependency Proxy in [GitLab CI/CD](../../../ci/README.md), you can use:
+Runners will log into the Dependency Proxy automatically. We can pull through
+the dependency proxy using the `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX`
+environment variable:
+
+```yaml
+# .gitlab-ci.yml
+image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/node:latest
+```
+
+There are other additional predefined environment variables we can also use:

 - `CI_DEPENDENCY_PROXY_USER`: A CI user for logging in to the Dependency Proxy.
 - `CI_DEPENDENCY_PROXY_PASSWORD`: A CI password for logging in to the Dependency Proxy.
 - `CI_DEPENDENCY_PROXY_SERVER`: The server for logging in to the Dependency Proxy.
 - `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX`: The image prefix for pulling images through the Dependency Proxy.

-This script shows how to use these variables to log in and pull an image from the Dependency Proxy:
-
-```yaml
-# .gitlab-ci.yml
-
-dependency-proxy-pull-master:
-  # Official docker image.
-  image: docker:latest
-  stage: build
-  services:
-    - docker:dind
-  before_script:
-    - docker login -u "$CI_DEPENDENCY_PROXY_USER" -p "$CI_DEPENDENCY_PROXY_PASSWORD" "$CI_DEPENDENCY_PROXY_SERVER"
-  script:
-    - docker pull "$CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX"/alpine:latest
-```
-
-`CI_DEPENDENCY_PROXY_SERVER` and `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX` include the server port. So if you use `CI_DEPENDENCY_PROXY_SERVER` to log in, for example, you must explicitly include the port in your pull command and vice-versa:
+`CI_DEPENDENCY_PROXY_SERVER` and `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX`
+include the server port. So if you explicitly include the Dependency Proxy
+path, the port must be included unless you have logged into the dependency
+proxy manually without including the port:

 ```shell
 docker pull gitlab.example.com:443/my-group/dependency_proxy/containers/alpine:latest
@@ -125,61 +121,6 @@ docker pull gitlab.example.com:443/my-group/dependency_proxy/containers/alpine:l

 You can also use [custom environment variables](../../../ci/variables/README.md#custom-environment-variables) to store and access your personal access token or other valid credentials.

-##### Authenticate with `DOCKER_AUTH_CONFIG`
-
-You can use the Dependency Proxy to pull your base image.
-
-1. [Create a `DOCKER_AUTH_CONFIG` environment variable](../../../ci/docker/using_docker_images.md#define-an-image-from-a-private-container-registry).
-1. Get credentials that allow you to log into the Dependency Proxy.
-1. Generate the version of these credentials that will be used by Docker:
-
-   ```shell
-   # The use of "-n" - prevents encoding a newline in the password.
-   echo -n "my_username:my_password" | base64
-
-   # Example output to copy
-   bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=
-   ```
-
-   This can also be a [personal access token](../../../user/profile/personal_access_tokens.md) such as:
-
-   ```shell
-   echo -n "my_username:personal_access_token" | base64
-   ```
-
-1. Create a [custom environment variables](../../../ci/variables/README.md#custom-environment-variables)
-named `DOCKER_AUTH_CONFIG` with a value of:
-
-   ```json
-   {
-       "auths": {
-           "https://gitlab.example.com": {
-               "auth": "(Base64 content from above)"
-           }
-       }
-   }
-   ```
-
-   To use `$CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX` when referencing images, you must explicitly include the port in your `DOCKER_AUTH_CONFIG` value:
-
-   ```json
-   {
-       "auths": {
-           "https://gitlab.example.com:443": {
-               "auth": "(Base64 content from above)"
-           }
-       }
-   }
-   ```
-
-1. Now reference the Dependency Proxy in your base image:
-
-   ```yaml
-   # .gitlab-ci.yml
-   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/node:latest
-   ...
-   ```
-
 ### Store a Docker image in Dependency Proxy cache

 To store a Docker image in Dependency Proxy storage:

--- a/lib/gitlab/ci/build/credentials/base.rb
+++ b/lib/gitlab/ci/build/credentials/base.rb
@@ -6,7 +6,7 @@ module Gitlab
      module Credentials
        class Base
          def type
-            self.class.name.demodulize.underscore
+            raise NotImplementedError
          end
        end
      end

--- a/lib/gitlab/ci/build/credentials/dependency_proxy.rb
+++ b/lib/gitlab/ci/build/credentials/dependency_proxy.rb
+# frozen_string_literal: true
+
+module Gitlab
+  module Ci
+    module Build
+      module Credentials
+        class DependencyProxy < Registry
+          def url
+            "#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}"
+          end
+
+          def valid?
+            Gitlab.config.dependency_proxy.enabled
+          end
+        end
+      end
+    end
+  end
+end
--- a/lib/gitlab/ci/build/credentials/factory.rb
+++ b/lib/gitlab/ci/build/credentials/factory.rb
@@ -20,7 +20,7 @@ module Gitlab
          end

          def providers
-            [Registry]
+            [Registry, DependencyProxy]
          end
        end
      end

--- a/lib/gitlab/ci/build/credentials/registry.rb
+++ b/lib/gitlab/ci/build/credentials/registry.rb
@@ -8,7 +8,7 @@ module Gitlab
          attr_reader :username, :password

          def initialize(build)
-            @username = 'gitlab-ci-token'
+            @username = ::Gitlab::Auth::CI_JOB_USER
            @password = build.token
          end

@@ -19,6 +19,10 @@ module Gitlab
          def valid?
            Gitlab.config.registry.enabled
          end
+
+          def type
+            'registry'
+          end
        end
      end
    end

--- a/spec/lib/gitlab/ci/build/credentials/dependency_proxy_spec.rb
+++ b/spec/lib/gitlab/ci/build/credentials/dependency_proxy_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Ci::Build::Credentials::DependencyProxy do
+  let(:build) { create(:ci_build, name: 'spinach', stage: 'test', stage_idx: 0) }
+  let(:gitlab_url) { 'gitlab.example.com:443' }
+
+  subject { described_class.new(build) }
+
+  before do
+    stub_config_setting(host: 'gitlab.example.com', port: 443)
+  end
+
+  it 'contains valid dependency proxy credentials' do
+    expect(subject).to be_kind_of(described_class)
+
+    expect(subject.username).to eq 'gitlab-ci-token'
+    expect(subject.password).to eq build.token
+    expect(subject.url).to eq gitlab_url
+    expect(subject.type).to eq 'registry'
+  end
+
+  describe '.valid?' do
+    subject { described_class.new(build).valid? }
+
+    context 'when dependency proxy is enabled' do
+      before do
+        stub_config(dependency_proxy: { enabled: true })
+      end
+
+      it { is_expected.to be_truthy }
+    end
+
+    context 'when dependency proxy is disabled' do
+      before do
+        stub_config(dependency_proxy: { enabled: false })
+      end
+
+      it { is_expected.to be_falsey }
+    end
+  end
+end