auth support for tls endpoint

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

src/auth.ts

@@ -0,0 +1,51 @@
+import * as fs from 'fs';
+
+export const envPrefix = 'BUILDER_NODE';
+
+export function setCredentials(credsdir: string, index: number, driver: string, endpoint: string): Array<string> {
+  let url: URL;
+  try {
+    url = new URL(endpoint);
+  } catch (e) {
+    return [];
+  }
+  switch (url.protocol) {
+    case 'tcp:': {
+      return setBuildKitClientCerts(credsdir, index, driver, url);
+    }
+  }
+  return [];
+}
+
+function setBuildKitClientCerts(credsdir: string, index: number, driver: string, endpoint: URL): Array<string> {
+  const driverOpts: Array<string> = [];
+  const buildkitCacert = process.env[`${envPrefix}_${index}_AUTH_TLS_CACERT`] || '';
+  const buildkitCert = process.env[`${envPrefix}_${index}_AUTH_TLS_CERT`] || '';
+  const buildkitKey = process.env[`${envPrefix}_${index}_AUTH_TLS_KEY`] || '';
+  if (buildkitCacert.length == 0 && buildkitCert.length == 0 && buildkitKey.length == 0) {
+    return driverOpts;
+  }
+  let host = endpoint.hostname;
+  if (endpoint.port.length > 0) {
+    host += `-${endpoint.port}`;
+  }
+  if (buildkitCacert.length > 0) {
+    const cacertpath = `${credsdir}/cacert_${host}.pem`;
+    fs.writeFileSync(cacertpath, buildkitCacert);
+    driverOpts.push(`cacert=${cacertpath}`);
+  }
+  if (buildkitCert.length > 0) {
+    const certpath = `${credsdir}/cert_${host}.pem`;
+    fs.writeFileSync(certpath, buildkitCert);
+    driverOpts.push(`cert=${certpath}`);
+  }
+  if (buildkitKey.length > 0) {
+    const keypath = `${credsdir}/key_${host}.pem`;
+    fs.writeFileSync(keypath, buildkitKey);
+    driverOpts.push(`key=${keypath}`);
+  }
+  if (driver != 'remote') {
+    return [];
+  }
+  return driverOpts;
+}

src/main.ts

@@ -1,6 +1,8 @@
+import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 import * as uuid from 'uuid';
+import * as auth from './auth';
 import * as buildx from './buildx';
 import * as context from './context';
 import * as docker from './docker';
@@ -56,8 +58,16 @@ async function run(): Promise<void> {
     context.setOutput('name', builderName);
     stateHelper.setBuilderName(builderName);
 
+    const credsdir = path.join(dockerConfigHome, 'buildx', 'creds', builderName);
+    fs.mkdirSync(credsdir, {recursive: true});
+    stateHelper.setCredsDir(credsdir);
+
     if (inputs.driver !== 'docker') {
       core.startGroup(`Creating a new builder instance`);
+      const authOpts = auth.setCredentials(credsdir, 0, inputs.driver, inputs.endpoint);
+      if (authOpts.length > 0) {
+        inputs.driverOpts = [...inputs.driverOpts, ...authOpts];
+      }
       const createArgs: Array<string> = ['create', '--name', builderName, '--driver', inputs.driver];
       if (buildx.satisfies(buildxVersion, '>=0.3.0')) {
         await context.asyncForEach(inputs.driverOpts, async driverOpt => {
@@ -156,6 +166,11 @@ async function cleanup(): Promise<void> {
       });
     core.endGroup();
   }
+
+  if (stateHelper.credsDir.length > 0 && fs.existsSync(stateHelper.credsDir)) {
+    core.info(`Cleaning up credentials`);
+    fs.rmdirSync(stateHelper.credsDir, {recursive: true});
+  }
 }
 
 if (!stateHelper.IsPost) {

src/state-helper.ts

@@ -5,6 +5,7 @@ export const IsDebug = !!process.env['STATE_isDebug'];
 export const standalone = process.env['STATE_standalone'] || '';
 export const builderName = process.env['STATE_builderName'] || '';
 export const containerName = process.env['STATE_containerName'] || '';
+export const credsDir = process.env['STATE_credsDir'] || '';
 
 export function setDebug(debug: string) {
   core.saveState('isDebug', debug);
@@ -22,6 +23,10 @@ export function setContainerName(containerName: string) {
   core.saveState('containerName', containerName);
 }
 
+export function setCredsDir(credsDir: string) {
+  core.saveState('credsDir', credsDir);
+}
+
 if (!IsPost) {
   core.saveState('isPost', 'true');
 }