From 8a0424c7a5150a35b9a73a7d6bdceecf0e3420d4 Mon Sep 17 00:00:00 2001
From: Lauris BH
Date: Tue, 27 Sep 2022 22:33:05 +0200
Subject: [PATCH] Automatically generate buildkit config with registry CA file (#17)

Fixes #14

Buildkit config is actually TOML file not JSON - https://docs.docker.com/engine/reference/commandline/buildx_create/#config

Tested using `lafriks/plugin-docker-buildx:latest` image built with these changes

Co-authored-by: Lauris BH
Reviewed-on: https://codeberg.org/woodpecker-plugins/plugin-docker-buildx/pulls/17
Reviewed-by: 6543 <6543@obermui.de>
Co-authored-by: Lauris BH
Co-committed-by: Lauris BH
---
 docs.md | 12 ++++++++++--
 plugin/daemon.go | 11 +++++++----
 plugin/impl.go | 34 +++++++++++++++++++++++++++++-----
 3 files changed, 46 insertions(+), 11 deletions(-)

diff --git a/docs.md b/docs.md
index 1d03d4e..93fcd7d 100644
--- a/docs.md
+++ b/docs.md
@@ -15,7 +15,15 @@ Woodpecker CI plugin to build multiarch Docker images with buildx. This plugin i
 - Build without push
 - Use custom registries
-- Build based on existing tags when needed.
+- Build based on existing tags when needed
+
+It will automatically generate buildkit configuration to use custom CA certificate if following conditions are met:
+
+- Setting `buildkit_config` is not set
+- Custom `registry` value is provided
+- File exists `/etc/docker/certs.d//ca.crt`
+
+> NB! To mount custom CA you can use Woodpecker CI runner configuration environment `WOODPECKER_BACKEND_DOCKER_VOLUMES` with value `/etc/ssl/certs:/etc/ssl/certs:ro,/etc/docker/certs.d:/etc/docker/certs.d:ro`. And have created file `/etc/docker/certs.d//ca.crt` with CA certificate on runner server host.
 
 ## Settings
@@ -86,7 +94,7 @@ Woodpecker CI plugin to build multiarch Docker images with buildx. This plugin i
 | `experimental` | `false` | enables docker daemon experimental mode
 | `debug` | `false` | enables verbose debug mode for the docker daemon
 | `daemon_off` | `false` | disables the startup of the docker daemon
-| `buildkit_config` | *none* | sets content of the docker buildkit json config
+| `buildkit_config` | *none* | sets content of the docker [buildkit TOML config](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md)
 | `context` | `.` | sets the path of the build context to use
 | `default_tags`/`auto_tag` | `false` | generates tag names automatically based on git branch and git tag
 | `default_suffix"`/`auto_tag_suffix`| *none* | generates tag names with the given suffix
diff --git a/plugin/daemon.go b/plugin/daemon.go
index d851e5e..8906b0c 100644
--- a/plugin/daemon.go
+++ b/plugin/daemon.go
@@ -5,10 +5,13 @@ import (
 	"os"
 )
 
-const dockerExe = "/usr/local/bin/docker"
-const dockerdExe = "/usr/local/bin/dockerd"
-const dockerHome = "/root/.docker/"
-const buildkitConfig = "/tmp/buildkit.json"
+const (
+	dockerExe = "/usr/local/bin/docker"
+	dockerdExe = "/usr/local/bin/dockerd"
+	dockerHome = "/root/.docker/"
+	buildkitConfig = "/tmp/buildkit.toml"
+	buildkitConfigTemplate = "[registry.\"%s\"]\n ca=[\"%s\"]\n"
+)
 
 func (p Plugin) startDaemon() {
 	cmd := commandDaemon(p.settings.Daemon)
diff --git a/plugin/impl.go b/plugin/impl.go
index 55d6583..db8887c 100644
--- a/plugin/impl.go
+++ b/plugin/impl.go
@@ -2,6 +2,7 @@ package plugin
 
 import (
 	"fmt"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
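Review bot: `buildkitConfigTemplate` is a format string whose two `%s` placeholders are filled verbatim, yet nothing at the definition says what goes where or that the first one lands inside a quoted TOML key (`[registry."%s"]`), where a `"` or `\` in the value yields a file buildkitd will reject. A comment would pin the contract for callers, e.g. `// buildkitConfigTemplate is a buildkitd.toml fragment trusting a CA file for one registry; args: registry host[:port] (must contain no " or \), then the CA file path.` The single caller in impl.go (writeBuildkitConfig, later in this patch) does not escape or validate the host before formatting, so that invariant is currently enforced nowhere.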
@@ -101,6 +102,32 @@ func (p *Plugin) Validate() error {
 	return nil
 }
 
+func (p *Plugin) writeBuildkitConfig() error {
+	if p.settings.Daemon.BuildkitConfig == "" && p.settings.Daemon.Registry != "" {
+		registry := p.settings.Daemon.Registry
+		u, err := url.Parse(registry)
+		if err == nil && u.Host != "" {
+			registry = u.Host
+		}
+
+		caPath := fmt.Sprintf("/etc/docker/certs.d/%s/ca.crt", registry)
+		ca, err := os.Open(caPath)
+		if err != nil && !os.IsNotExist(err) {
+			logrus.Warnf("error reading %s: %w", caPath, err)
+		} else if err == nil {
+			ca.Close()
+			p.settings.Daemon.BuildkitConfig = fmt.Sprintf(buildkitConfigTemplate, registry, caPath)
+		}
+	}
+	if p.settings.Daemon.BuildkitConfig != "" {
+		err := os.WriteFile(buildkitConfig, []byte(p.settings.Daemon.BuildkitConfig), 0o600)
+		if err != nil {
+			return fmt.Errorf("error writing buildkit.toml: %s", err)
+		}
+	}
+	return nil
+}
+
 // Execute provides the implementation of the plugin.
 func (p *Plugin) Execute() error {
 	// start the Docker daemon server
@@ -139,11 +166,8 @@ func (p *Plugin) Execute() error {
 		}
 	}
 
-	if p.settings.Daemon.BuildkitConfig != "" {
-		err := os.WriteFile(buildkitConfig, []byte(p.settings.Daemon.BuildkitConfig), 0o600)
-		if err != nil {
-			return fmt.Errorf("error writing buildkit.json: %s", err)
-		}
+	if err := p.writeBuildkitConfig(); err != nil {
+		return err
 	}
 
 	switch {
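Review bot: `logrus.Warnf("error reading %s: %w", caPath, err)` uses `%w`, which only fmt.Errorf understands; logrus formats through fmt.Sprintf, so the message will carry `%!w(...)` and go vet reports it — use `%v`. The existence probe opens the file just to close it and ignores the Close error; `if _, err := os.Stat(caPath); err != nil && !os.IsNotExist(err) {` makes the same decision without holding a handle. Since `registry` falls back to the raw setting when url.Parse finds no host, a value containing a path separator would send the probe outside `/etc/docker/certs.d/<registry>/`; checking `strings.ContainsAny(registry, "/\\")` (or requiring a bare host[:port]) before building `caPath` keeps the lookup where the docs say it is. The new function has no doc comment; e.g. `// writeBuildkitConfig writes the buildkit config to buildkitConfig; when none is set explicitly and /etc/docker/certs.d/<registry>/ca.crt exists, it synthesizes one trusting that CA for the registry.` Wrapping the WriteFile failure with `%w` rather than `%s` would also let Execute's caller inspect it with errors.Is/As.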