Add support for public build repo

Signed-off-by: Paolo Di Tommaso <[email protected]>

config.yml

@@ -9,6 +9,9 @@ wave:
     quay.io:
       username: "${QUAY_USER:}"
       password: "${QUAY_PAT:}"
+    quay.io/seqera/wave/containers:
+      username: "${WAVE_PUBLIC_USER}"
+      password: "${WAVE_PUBLIC_PAT}"
     195996028523.dkr.ecr.eu-west-1.amazonaws.com:
       username : "${AWS_ACCESS_KEY_ID:}"
       password : "${AWS_SECRET_ACCESS_KEY:}"

src/main/groovy/io/seqera/wave/auth/RegistryCredentialsProvider.groovy

@@ -39,9 +39,7 @@ interface RegistryCredentialsProvider {
      */
     RegistryCredentials getDefaultCredentials(String registry)
 
-    default RegistryCredentials getDefaultCredentials(ContainerPath container) {
-        return getDefaultCredentials((String)(container?.registry))
-    }
+    RegistryCredentials getDefaultCredentials(ContainerPath container)
 
     /**
      * Provides the credentials for the specified container associated with the user and tower

src/main/groovy/io/seqera/wave/auth/RegistryCredentialsProviderImpl.groovy

@@ -18,6 +18,8 @@
 
 package io.seqera.wave.auth
 
+import javax.annotation.Nullable
+
 import groovy.transform.CompileStatic
 import groovy.util.logging.Slf4j
 import io.micronaut.context.annotation.Value
@@ -51,6 +53,10 @@ class RegistryCredentialsProviderImpl implements RegistryCredentialsProvider {
     @Value('${wave.build.cache}')
     private String defaultCacheRepository
 
+    @Nullable
+    @Value('${wave.build.public}')
+    private String defaultPublicRepository
+
     /**
      * Find the corresponding credentials for the specified registry
      *
@@ -65,16 +71,31 @@ class RegistryCredentialsProviderImpl implements RegistryCredentialsProvider {
         return getDefaultCredentials0(registry)
     }
 
-    protected RegistryCredentials getDefaultCredentials0(String registry) {
+    @Override
+    RegistryCredentials getDefaultCredentials(ContainerPath container) {
+        return container && container.repository==defaultPublicRepository
+                ? getDefaultRepoCredentials0(container)
+                : getDefaultCredentials0(container?.registry)
+    }
 
+    protected RegistryCredentials getDefaultCredentials0(String registry) {
         final config = registryConfigurationFactory.getRegistryKeys(registry)
         if( !config ){
-            log.debug "Unable to find credentials for registry '$registry'"
+            log.debug "Unable to find default credentials for registry '$registry'"
             return null
         }
         return credentialsFactory.create(registry, config.username, config.password)
     }
 
+    protected RegistryCredentials getDefaultRepoCredentials0(ContainerPath container) {
+        final config = registryConfigurationFactory.getRegistryKeys(container.repository)
+        if( !config ){
+            log.debug "Unable to find default credentials for repository '$container.repository'"
+            return null
+        }
+        return credentialsFactory.create(container.registry, config.username, config.password)
+    }
+
     /**
      * Provides the credentials for the specified container associated with the user and tower
      * workspace specified.
@@ -99,8 +120,9 @@ class RegistryCredentialsProviderImpl implements RegistryCredentialsProvider {
             throw new IllegalArgumentException("Missing required parameter userId -- Unable to retrieve credentials for container repository '$container'")
 
         // use default credentials for default repositories
-        if( container.repository==defaultBuildRepository || container.repository==defaultCacheRepository )
-            return getDefaultCredentials(container.registry)
+        final repo = container.repository
+        if( repo==defaultBuildRepository || repo==defaultCacheRepository || repo==defaultPublicRepository)
+            return getDefaultCredentials(container)
 
         return getUserCredentials0(container.registry, userId, workspaceId, towerToken, towerEndpoint)
     }

src/main/groovy/io/seqera/wave/controller/ContainerTokenController.groovy

@@ -20,6 +20,7 @@ package io.seqera.wave.controller
 
 import java.nio.file.Path
 import java.util.concurrent.CompletableFuture
+import javax.annotation.Nullable
 import javax.annotation.PostConstruct
 
 import groovy.transform.CompileStatic
@@ -102,6 +103,10 @@ class ContainerTokenController {
     @Value('${wave.build.cache}')
     String defaultCacheRepo
 
+    @Nullable
+    @Value('${wave.build.public}')
+    String defaultPublicRepo
+
     @Value('${wave.scan.enabled:false}')
     boolean scanEnabled
 
@@ -136,7 +141,7 @@ class ContainerTokenController {
 
     @PostConstruct
     private void init() {
-        log.info "Wave server url: $serverUrl; allowAnonymous: $allowAnonymous; tower-endpoint-url: $towerEndpointUrl"
+        log.info "Wave server url: $serverUrl; allowAnonymous: $allowAnonymous; tower-endpoint-url: $towerEndpointUrl; default-builld-repo: $defaultBuildRepo; default-cache-repo: $defaultCacheRepo; default-public-repo: $defaultPublicRepo"
     }
 
     @Post('/container-token')
@@ -204,7 +209,7 @@ class ContainerTokenController {
         final spackContent = req.spackFile ? new String(req.spackFile.decodeBase64()) : null as String
         final format = req.formatSingularity() ? SINGULARITY : DOCKER
         final platform = ContainerPlatform.of(req.containerPlatform)
-        final build = req.buildRepository ?: defaultBuildRepo
+        final build = req.buildRepository ?: (req.freeze && defaultPublicRepo ? defaultPublicRepo : defaultBuildRepo)
         final cache = req.cacheRepository ?: defaultCacheRepo
         final configJson = dockerAuthService.credentialsConfigJson(containerSpec, build, cache, user?.id, req.towerWorkspaceId, req.towerAccessToken, req.towerEndpoint)
         final containerConfig = req.freeze ? req.containerConfig : null
@@ -251,7 +256,7 @@ class ContainerTokenController {
             throw new BadRequestException("Attributes 'containerImage' and 'containerFile' cannot be used in the same request")
         if( req.containerImage?.contains('@sha256:') && req.containerConfig && !req.freeze )
             throw new BadRequestException("Container requests made using a SHA256 as tag does not support the 'containerConfig' attribute")
-        if( req.freeze && !req.buildRepository )
+        if( req.freeze && !req.buildRepository && !defaultPublicRepo )
             throw new BadRequestException("When freeze mode is enabled the target build repository must be specified - see 'wave.build.repository' setting")
         if( req.formatSingularity() && !req.freeze )
             throw new BadRequestException("Singularity build is only allowed enabling freeze mode - see 'wave.freeze' setting")

src/main/resources/application-dev.yml

@@ -3,6 +3,7 @@ wave:
   scan:
     enabled: true
   build:
+    public: 'quay.io/seqera/wave/containers'
     workspace: 'build-workspace'
     spack:
       cacheDirectory: 'spack-cache'

src/test/resources/application-test.yml

@@ -41,6 +41,9 @@ wave:
       password: ${AZURECR_PAT:test}
     europe-southwest1-docker.pkg.dev:
       credentials : ${GOOGLECR_KEYS:test}
+    quay.io/test/public/repo:
+      username: 'foo'
+      password: 'bar'
   build:
     workspace: 'build-workspace'
     spack: