[image-builder] Fix ignoring of user-passed authentication #19745

Merged
merged 1 commit into from
May 16, 2024

geropl
Member

@geropl geropl commented May 15, 2024

Description

With #19474 a bug was introduced that ignores two registry authentication special cases:

  1. installation defined registry auth (code)
    • this is an old self-hosted feature, and we don't seem to be using it anymore ✔️
  2. user-defined registry auth (the GITPOD_IMAGE_AUTH variable)
    • this one is fixed with this PR 👇

Related Issue(s)

Fixes ENT-72

How to test

  • start an image build referencing a base image in a private repository (via GITPOD_IMAGE_AUTH)

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • /werft preemptible
    Saves cost. Untick this only if you're really sure you need a non-preemptible machine.
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

@geropl
Member Author

geropl commented May 15, 2024

@iQQBot Could you review this PR, and see if it makes sense?

Contributor

@kylos101 kylos101 left a comment

Works well!

I tested the following:

  1. Previously built workspace images that are dependent on private registries in a custom dockerfile are able to start workspaces w/o building or being dependent on having GITPOD_IMAGE_AUTH set on the repo.
  2. A change to the private image in a custom dockerfile dependent on a private registry fails the build with a 502 if the GITPOD_IMAGE_AUTH is not set (image-builder-bob needs a credential).
  3. Building on the previous test, once the GITPOD_IMAGE_AUTH is set in the repo, a workspace image is built, and a workspace started. It can also be restarted.
  4. I can also use the same private image directly (so no custom docker file). It restarts fine, and if I delete the workspace-image it gets rebuilt.

I did not test private ECR. Let's plan to do against dogfood Thursday, and follow-up if needed? It's easier to land main-gha changes in Dedicated.

Before removing the hold, let's assert the problem can be recreated in a gen113 preview. That'll help us increase confidence that this resolves the issue. I'll do that now.

@kylos101
Contributor

Made a preview from:
image

Got the following on workspace start for this context, an image ref:
image

This was regardless of whether GITPOD_IMAGE_AUTH was defined for the repo (even when defined we got the error).

Interestingly, starting from this context, a docker file (a customer dockerfile) worked w/o issue. This other docker file also worked fine.

@geropl
Member Author

geropl commented May 16, 2024

> Before removing the hold, let's assert the problem can be recreated in a gen113 preview. That'll help us increase confidence that this resolves the issue. I'll do that now.

Awesome, thank you for your thorough testing 🧡

@geropl
Member Author

geropl commented May 16, 2024

/unhold

@geropl
Member Author

geropl commented May 16, 2024

Whoa, blocked by needing ✔️ from an old EXP team member... 😬

@geropl
Member Author

geropl commented May 16, 2024

Thx @AlexTugarev for the unblock 🙇

@roboquat roboquat merged commit ec41fce into main May 16, 2024
15 checks passed
@roboquat roboquat deleted the gpl/72-fix-image-auth branch May 16, 2024 07:04