worker: support for configuring the containers auth file

Add a new configuration section for containers and an option
to configure the authfile in it.

cmd/osbuild-worker/config.go

@@ -50,6 +50,10 @@ type authenticationConfig struct {
 	ClientSecretPath string `toml:"client_secret"`
 }
 
+type containersConfig struct {
+	AuthFilePath string `toml:"auth_file_path"`
+}
+
 type workerConfig struct {
 	Composer       *composerConfig             `toml:"composer"`
 	Koji           map[string]kojiServerConfig `toml:"koji"`
@@ -58,6 +62,7 @@ type workerConfig struct {
 	AWS            *awsConfig                  `toml:"aws"`
 	GenericS3      *genericS3Config            `toml:"generic_s3"`
 	Authentication *authenticationConfig       `toml:"authentication"`
+	Containers     *containersConfig           `toml:"containers"`
 	// default value: /api/worker/v1
 	BasePath string `toml:"base_path"`
 	DNFJson  string `toml:"dnf-json"`

cmd/osbuild-worker/jobimpl-container-resolve.go

@@ -29,6 +29,7 @@ func (impl *ContainerResolveJobImpl) Run(job worker.Job) error {
 	logWithId.Infof("Resolving containers (%d)", len(args.Specs))
 
 	resolver := container.NewResolver(args.Arch)
+	resolver.AuthFilePath = impl.AuthFilePath
 
 	for _, s := range args.Specs {
 		resolver.Add(s.Source, s.Name, s.TLSVerify)

cmd/osbuild-worker/jobimpl-osbuild.go

@@ -41,14 +41,15 @@ type S3Configuration struct {
 }
 
 type OSBuildJobImpl struct {
-	Store       string
-	Output      string
-	KojiServers map[string]kojiServer
-	GCPCreds    string
-	AzureCreds  *azure.Credentials
-	AWSCreds    string
-	AWSBucket   string
-	S3Config    S3Configuration
+	Store             string
+	Output            string
+	KojiServers       map[string]kojiServer
+	GCPCreds          string
+	AzureCreds        *azure.Credentials
+	AWSCreds          string
+	AWSBucket         string
+	S3Config          S3Configuration
+	ContainerAuthFile string
 }
 
 // Returns an *awscloud.AWS object with the credentials of the request. If they
@@ -306,8 +307,15 @@ func (impl *OSBuildJobImpl) Run(job worker.Job) error {
 		return nil
 	}
 
+	var extraEnv []string
+	if impl.ContainerAuthFile != "" {
+		extraEnv = []string{
+			fmt.Sprintf("REGISTRY_AUTH_FILE=%s", impl.ContainerAuthFile),
+		}
+	}
+
 	// Run osbuild and handle two kinds of errors
-	osbuildJobResult.OSBuildOutput, err = osbuild.RunOSBuild(jobArgs.Manifest, impl.Store, outputDirectory, exports, nil, nil, true, os.Stderr)
+	osbuildJobResult.OSBuildOutput, err = osbuild.RunOSBuild(jobArgs.Manifest, impl.Store, outputDirectory, exports, nil, extraEnv, true, os.Stderr)
 	// First handle the case when "running" osbuild failed
 	if err != nil {
 		osbuildJobResult.JobError = clienterrors.WorkerClientError(clienterrors.ErrorBuildJob, "osbuild build failed")

cmd/osbuild-worker/main.go

@@ -377,6 +377,11 @@ func main() {
 		genericS3SkipSSLVerification = config.GenericS3.SkipSSLVerification
 	}
 
+	var containersAuthFilePath string
+	if config.Containers != nil {
+		containersAuthFilePath = config.Containers.AuthFilePath
+	}
+
 	// depsolve jobs can be done during other jobs
 	depsolveCtx, depsolveCtxCancel := context.WithCancel(context.Background())
 	solver := dnfjson.NewBaseSolver(rpmmd_cache)
@@ -430,11 +435,17 @@ func main() {
 				CABundle:            genericS3CABundle,
 				SkipSSLVerification: genericS3SkipSSLVerification,
 			},
+			ContainerAuthFile: containersAuthFilePath,
 		},
 		worker.JobTypeKojiInit: &KojiInitJobImpl{
 			KojiServers: kojiServers,
 		},
-		worker.JobTypeKojiFinalize: &KojiFinalizeJobImpl{},
+		worker.JobTypeKojiFinalize: &KojiFinalizeJobImpl{
+			KojiServers: kojiServers,
+		},
+		worker.JobTypeContainerResolve: &ContainerResolveJobImpl{
+			AuthFilePath: containersAuthFilePath,
+		},
 	}
 
 	acceptedJobTypes := []string{}