[supervisor, ws-manager] Write docker credentials into client config file if passed into workspace

Tool: gitpod/catfood.gitpod.cloud

Author: geropl

Diff for: components/supervisor/pkg/supervisor/config.go

@@ -350,6 +350,9 @@ type WorkspaceConfig struct {
 	ConfigcatEnabled bool `env:"GITPOD_CONFIGCAT_ENABLED"`
 
 	SSHGatewayCAPublicKey string `env:"GITPOD_SSH_CA_PUBLIC_KEY"`
+
+	// Comma-separated list of host:<base64ed user:password> pairs to authenticate against docker registries
+	GitpodImageAuth string `env:"GITPOD_IMAGE_AUTH"`
 }
 
 // WorkspaceGitpodToken is a list of tokens that should be added to supervisor's token service.

Diff for: components/supervisor/pkg/supervisor/docker.go

@@ -6,12 +6,14 @@ package supervisor
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"sync"
 	"syscall"
@@ -38,6 +40,9 @@ const (
 
 	logsDir             = "/workspace/.gitpod/logs"
 	dockerUpLogFilePath = logsDir + "/docker-up.log"
+
+	gitpodUserId  = 33333
+	gitpodGroupId = 33333
 )
 
 var (
@@ -57,6 +62,17 @@ func socketActivationForDocker(parentCtx context.Context, wg *sync.WaitGroup, te
 		return
 	}
 
+	// insert credentials into docker config
+	credentialsWritten, err := insertCredentialsIntoConfig(cfg.GitpodImageAuth)
+	if err != nil {
+		log.WithError(err).Warn("authentication: cannot write credentials to config")
+	}
+	if credentialsWritten > 0 {
+		log.Info("authentication: successfully wrote credentials")
+	} else {
+		log.Info("authentication: no credentials provided")
+	}
+
 	logFile, err := openDockerUpLogFile()
 	if err != nil {
 		log.WithError(err).Error("docker-up: cannot open log file")
@@ -285,3 +301,115 @@ func openDockerUpLogFile() (*os.File, error) {
 	}
 	return logFile, nil
 }
+
+func insertCredentialsIntoConfig(imageAuth string) (int, error) {
+	imageAuth = strings.TrimSpace(imageAuth)
+	if imageAuth == "" {
+		return 0, nil
+	}
+
+	authConfig := DockerConfig{
+		Auths: make(map[string]RegistryAuth),
+	}
+	authenticationPerHost := strings.Split(imageAuth, ",")
+	for _, hostCredentials := range authenticationPerHost {
+		parts := strings.SplitN(hostCredentials, ":", 2)
+		if len(parts) < 2 {
+			continue
+		}
+		host := parts[0]
+		if strings.Contains(host, "docker.io") {
+			host = "https://index.docker.io/v1/"
+		}
+
+		authConfig.Auths[host] = RegistryAuth{
+			Auth: parts[1],
+		}
+	}
+	if len(authConfig.Auths) == 0 {
+		return 0, nil
+	}
+
+	err := insertDockerRegistryAuthentication(authConfig, gitpodUserId, gitpodGroupId)
+	if err != nil {
+		return 0, xerrors.Errorf("cannot append registry auth: %w", err)
+	}
+
+	return len(authConfig.Auths), nil
+}
+
+type RegistryAuth struct {
+	Auth string `json:"auth"`
+}
+
+type DockerConfig struct {
+	Auths map[string]RegistryAuth `json:"auths"`
+}
+
+// insertDockerRegistryAuthentication inserts the provided registry credentials to the existing Docker config file
+func insertDockerRegistryAuthentication(newConfig DockerConfig, uid, pid int) error {
+	userHome, err := os.UserHomeDir()
+	if err != nil {
+		return fmt.Errorf("failed to determine user home directory: %w", err)
+	}
+
+	dockerDir := filepath.Join(userHome, ".docker")
+	if err := os.MkdirAll(dockerDir, 0744); err != nil {
+		return fmt.Errorf("failed to create docker config directory: %w", err)
+	}
+	if err := os.Chown(dockerDir, uid, pid); err != nil {
+		return fmt.Errorf("failed to change ownership of docker config directory: %w", err)
+	}
+	configPath := filepath.Join(dockerDir, "config.json")
+
+	// Read existing config if it exists
+	var rawConfig map[string]interface{}
+	existingBytes, err := os.ReadFile(configPath)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to read existing docker config: %w", err)
+	}
+
+	var configCreated bool
+	if len(existingBytes) > 0 {
+		if err := json.Unmarshal(existingBytes, &rawConfig); err != nil {
+			return fmt.Errorf("failed to parse existing docker config: %w", err)
+		}
+	} else {
+		configCreated = true
+		rawConfig = make(map[string]interface{})
+	}
+
+	// Get existing auths or create new
+	existingAuths := make(map[string]interface{})
+	if authsRaw, ok := rawConfig["auths"]; ok {
+		if authsMap, ok := authsRaw.(map[string]interface{}); ok {
+			existingAuths = authsMap
+		}
+	}
+
+	// Merge new auth entries
+	for registry, auth := range newConfig.Auths {
+		// We overwrite existing registry entries
+		existingAuths[registry] = auth
+	}
+
+	// Update auths in raw config while preserving other fields
+	rawConfig["auths"] = existingAuths
+
+	// Write merged config back to file
+	bytes, err := json.MarshalIndent(rawConfig, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal docker config: %w", err)
+	}
+
+	if err := os.WriteFile(configPath, bytes, 0644); err != nil {
+		return fmt.Errorf("failed to write docker config file: %w", err)
+	}
+	if configCreated {
+		if err := os.Chown(configPath, uid, pid); err != nil {
+			return fmt.Errorf("failed to change ownership of docker config file: %w", err)
+		}
+	}
+
+	return nil
+}

Diff for: components/supervisor/pkg/supervisor/docker_test.go

@@ -0,0 +1,175 @@
+// Copyright (c) 2025 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package supervisor
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestInsertRegistryAuth(t *testing.T) {
+	type expectation struct {
+		json string
+		err  string
+	}
+	tests := []struct {
+		name           string
+		existingConfig string // JSON string of existing config.json
+		inputConfig    DockerConfig
+		expect         expectation
+	}{
+		{
+			name:           "append to empty config",
+			existingConfig: "",
+			inputConfig: DockerConfig{
+				Auths: map[string]RegistryAuth{
+					"reg1.example.com": {Auth: "dXNlcjE6cGFzczE="}, // user1:pass1
+				},
+			},
+			expect: expectation{
+				json: `{
+                    "auths": {
+                        "reg1.example.com": {"auth": "dXNlcjE6cGFzczE="}
+                    }
+                }`,
+			},
+		},
+		{
+			name: "merge with existing config preserving other fields",
+			existingConfig: `{
+                "auths": {
+                    "reg1.example.com": {"auth": "existing=="}
+                },
+                "credsStore": "desktop",
+                "experimental": "enabled",
+                "stackOrchestrator": "swarm"
+            }`,
+			inputConfig: DockerConfig{
+				Auths: map[string]RegistryAuth{
+					"reg2.example.com": {Auth: "bmV3QXV0aA=="}, // newAuth
+				},
+			},
+			expect: expectation{
+				json: `{
+                    "auths": {
+                        "reg1.example.com": {"auth": "existing=="},
+                        "reg2.example.com": {"auth": "bmV3QXV0aA=="}
+                    },
+                    "credsStore": "desktop",
+                    "experimental": "enabled",
+                    "stackOrchestrator": "swarm"
+                }`,
+			},
+		},
+		{
+			name: "override existing registry auth preserving structure",
+			existingConfig: `{
+                "auths": {
+                    "reg1.example.com": {"auth": "old=="}
+                },
+                "credHelpers": {
+                    "registry.example.com": "ecr-login"
+                }
+            }`,
+			inputConfig: DockerConfig{
+				Auths: map[string]RegistryAuth{
+					"reg1.example.com": {Auth: "updated=="},
+				},
+			},
+			expect: expectation{
+				json: `{
+                    "auths": {
+                        "reg1.example.com": {"auth": "updated=="}
+                    },
+                    "credHelpers": {
+                        "registry.example.com": "ecr-login"
+                    }
+                }`,
+			},
+		},
+		{
+			name:           "invalid existing config json",
+			existingConfig: `{invalid json`,
+			inputConfig: DockerConfig{
+				Auths: map[string]RegistryAuth{
+					"reg1.example.com": {Auth: "dXNlcjE6cGFzczE="},
+				},
+			},
+			expect: expectation{
+				err: "failed to parse existing docker config: invalid character 'i' looking for beginning of object key string",
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create temp dir for test
+			tmpDir, err := os.MkdirTemp("", "docker-test-*")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer os.RemoveAll(tmpDir)
+
+			// Set up mock home dir
+			oldHome := os.Getenv("HOME")
+			defer os.Setenv("HOME", oldHome)
+			os.Setenv("HOME", tmpDir)
+
+			// Write existing config if any
+			if tc.existingConfig != "" {
+				configDir := filepath.Join(tmpDir, ".docker")
+				if err := os.MkdirAll(configDir, 0700); err != nil {
+					t.Fatal(err)
+				}
+				if err := os.WriteFile(
+					filepath.Join(configDir, "config.json"),
+					[]byte(tc.existingConfig),
+					0600,
+				); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			// Run test
+			err = insertDockerRegistryAuthentication(tc.inputConfig, 33333, 33333)
+			if tc.expect.err != "" {
+				if err == nil {
+					t.Error("expected error but got none")
+				}
+
+				if diff := cmp.Diff(tc.expect.err, err.Error()); diff != "" {
+					t.Errorf("unexpected error (-want +got):\n%s", diff)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			// Read resulting config
+			configBytes, err := os.ReadFile(filepath.Join(tmpDir, ".docker", "config.json"))
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// Compare JSON structural equality
+			var got, want interface{}
+			if err := json.Unmarshal(configBytes, &got); err != nil {
+				t.Fatal(err)
+			}
+			if err := json.Unmarshal([]byte(tc.expect.json), &want); err != nil {
+				t.Fatal(err)
+			}
+
+			if diff := cmp.Diff(want, got); diff != "" {
+				t.Errorf("unexpected config (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

Diff for: components/ws-manager-mk2/controllers/create.go

@@ -596,7 +596,8 @@ func createWorkspaceEnvironment(sctx *startWorkspaceContext) ([]corev1.EnvVar, e
 			"GITPOD_EXTERNAL_EXTENSIONS",
 			"GITPOD_WORKSPACE_CLASS_INFO",
 			"GITPOD_IDE_ALIAS",
-			"GITPOD_RLIMIT_CORE":
+			"GITPOD_RLIMIT_CORE",
+			"GITPOD_IMAGE_AUTH":
 			// these variables are allowed - don't skip them
 		default:
 			if strings.HasPrefix(e.Name, "GITPOD_") {