Add Container Registry credential extension

cmd/server/flags.go

@@ -278,6 +278,11 @@ var flags = append([]cli.Flag{
 		Name:    "config-service-endpoint",
 		Usage:   "url used for calling configuration service endpoint",
 	},
+	&cli.StringFlag{
+		Sources: cli.EnvVars("WOODPECKER_REGISTRY_SERVICE_ENDPOINT"),
+		Name:    "registry-service-endpoint",
+		Usage:   "url used for calling registry service endpoint",
+	},
 	&cli.StringFlag{
 		Sources: cli.EnvVars("WOODPECKER_EXTENSIONS_ALLOWED_HOSTS"),
 		Name:    "extensions-allowed-hosts",

cmd/server/openapi/docs.go

@@ -5233,6 +5233,9 @@ const docTemplate = `{
                 "private": {
                     "type": "boolean"
                 },
+                "registry_extension_endpoint": {
+                    "type": "string"
+                },
                 "require_approval": {
                     "$ref": "#/definitions/model.ApprovalMode"
                 },
@@ -5329,6 +5332,9 @@ const docTemplate = `{
                 "private": {
                     "type": "boolean"
                 },
+                "registry_extension_endpoint": {
+                    "type": "string"
+                },
                 "require_approval": {
                     "$ref": "#/definitions/model.ApprovalMode"
                 },
@@ -5376,6 +5382,9 @@ const docTemplate = `{
                         "type": "string"
                     }
                 },
+                "registry_extension_endpoint": {
+                    "type": "string"
+                },
                 "require_approval": {
                     "type": "string"
                 },

server/api/hook_test.go

@@ -85,7 +85,7 @@ func TestHook(t *testing.T) {
 	_manager.On("SecretServiceFromRepo", repo).Return(_secretService)
 	_secretService.On("SecretListPipeline", repo, mock.Anything, mock.Anything).Return(nil, nil)
 	_manager.On("RegistryServiceFromRepo", repo).Return(_registryService)
-	_registryService.On("RegistryListPipeline", repo, mock.Anything).Return(nil, nil)
+	_registryService.On("RegistryListPipeline", mock.Anything, repo, mock.Anything).Return(nil, nil)
 	_manager.On("EnvironmentService").Return(nil)
 	_store.On("DeletePipeline", mock.Anything).Return(nil)
 

server/api/repo.go

@@ -287,6 +287,9 @@ func PatchRepo(c *gin.Context) {
 	if in.ConfigExtensionEndpoint != nil {
 		repo.ConfigExtensionEndpoint = *in.ConfigExtensionEndpoint
 	}
+	if in.RegistryExtensionEndpoint != nil {
+		repo.RegistryExtensionEndpoint = *in.RegistryExtensionEndpoint
+	}
 
 	err := _store.UpdateRepo(repo)
 	if err != nil {

server/model/repo.go

@@ -73,6 +73,7 @@ type Repo struct {
 	CancelPreviousPipelineEvents []WebhookEvent       `json:"cancel_previous_pipeline_events" xorm:"json 'cancel_previous_pipeline_events'"`
 	NetrcTrustedPlugins          []string             `json:"netrc_trusted"                   xorm:"json 'netrc_trusted'"`
 	ConfigExtensionEndpoint      string               `json:"config_extension_endpoint"       xorm:"varchar(500) 'config_extension_endpoint'"`
+	RegistryExtensionEndpoint    string               `json:"registry_extension_endpoint"     xorm:"varchar(500) 'registry_extension_endpoint'"`
 } //	@name	Repo
 
 // TableName return database table name for xorm.
@@ -144,6 +145,7 @@ type RepoPatch struct {
 	NetrcTrusted                 *[]string                  `json:"netrc_trusted"`
 	Trusted                      *TrustedConfigurationPatch `json:"trusted"`
 	ConfigExtensionEndpoint      *string                    `json:"config_extension_endpoint,omitempty"`
+	RegistryExtensionEndpoint    *string                    `json:"registry_extension_endpoint,omitempty"`
 } //	@name	RepoPatch
 
 type ForgeRemoteID string

server/pipeline/create.go

@@ -91,7 +91,7 @@ func Create(ctx context.Context, _store store.Store, repo *model.Repo, pipeline
 		return nil, updatePipelineWithErr(ctx, _forge, _store, pipeline, repo, repoUser, fmt.Errorf("could not load config from forge: %w", configFetchErr))
 	}
 
-	pipelineItems, parseErr := parsePipeline(_forge, _store, pipeline, repoUser, repo, forgeYamlConfigs, nil)
+	pipelineItems, parseErr := parsePipeline(ctx, _forge, _store, pipeline, repoUser, repo, forgeYamlConfigs, nil)
 	if pipeline_errors.HasBlockingErrors(parseErr) {
 		log.Debug().Str("repo", repo.FullName).Err(parseErr).Msg("failed to parse yaml")
 		return pipeline, updatePipelineWithErr(ctx, _forge, _store, pipeline, repo, repoUser, parseErr)

server/pipeline/items.go

@@ -33,7 +33,7 @@ import (
 	"go.woodpecker-ci.org/woodpecker/v3/server/store"
 )
 
-func parsePipeline(forge forge.Forge, store store.Store, currentPipeline *model.Pipeline, user *model.User, repo *model.Repo, yamls []*forge_types.FileMeta, envs map[string]string) ([]*stepbuilder.Item, error) {
+func parsePipeline(ctx context.Context, forge forge.Forge, store store.Store, currentPipeline *model.Pipeline, user *model.User, repo *model.Repo, yamls []*forge_types.FileMeta, envs map[string]string) ([]*stepbuilder.Item, error) {
 	netrc, err := forge.Netrc(user, repo)
 	if err != nil {
 		log.Error().Err(err).Msg("failed to generate netrc file")
@@ -67,7 +67,7 @@ func parsePipeline(forge forge.Forge, store store.Store, currentPipeline *model.
 	}
 
 	registryService := server.Config.Services.Manager.RegistryServiceFromRepo(repo)
-	regs, err := registryService.RegistryListPipeline(repo, currentPipeline)
+	regs, err := registryService.RegistryListPipeline(ctx, repo, currentPipeline)
 	if err != nil {
 		log.Error().Err(err).Msgf("error getting registry credentials for %s#%d", repo.FullName, currentPipeline.Number)
 	}
@@ -141,7 +141,7 @@ func createPipelineItems(c context.Context, forge forge.Forge, store store.Store
 	currentPipeline *model.Pipeline, user *model.User, repo *model.Repo,
 	yamls []*forge_types.FileMeta, envs map[string]string,
 ) (*model.Pipeline, []*stepbuilder.Item, error) {
-	pipelineItems, err := parsePipeline(forge, store, currentPipeline, user, repo, yamls, envs)
+	pipelineItems, err := parsePipeline(c, forge, store, currentPipeline, user, repo, yamls, envs)
 	if pipeline_errors.HasBlockingErrors(err) {
 		currentPipeline, uErr := UpdateToStatusError(store, *currentPipeline, err)
 		if uErr != nil {

server/pipeline/items_test.go

@@ -1,6 +1,7 @@
 package pipeline
 
 import (
+	"context"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -127,7 +128,7 @@ steps:
 	mockManager.On("SecretServiceFromRepo", mock.Anything).Return(secretService, nil)
 
 	registryService := registry_service_mocks.NewMockService(t)
-	registryService.On("RegistryListPipeline", mock.Anything, mock.Anything).Return([]*model.Registry{
+	registryService.On("RegistryListPipeline", mock.Anything, mock.Anything, mock.Anything).Return([]*model.Registry{
 		{
 			Address:  "docker.io",
 			Username: "user",
@@ -138,7 +139,7 @@ steps:
 
 	mockManager.On("EnvironmentService").Return(nil, nil)
 
-	pipelineItems, err := parsePipeline(forge, store, pipeline, user, repo, yamls, envs)
+	pipelineItems, err := parsePipeline(context.Background(), forge, store, pipeline, user, repo, yamls, envs)
 	assert.NoError(t, err)
 
 	assert.Len(t, pipelineItems, 1)

server/services/manager.go

@@ -88,7 +88,7 @@ func NewManager(c *cli.Command, store store.Store, setupForge SetupForge) (Manag
 		signaturePublicKey:  signaturePublicKey,
 		store:               store,
 		secret:              setupSecretService(store),
-		registry:            setupRegistryService(store, c.String("docker-config")),
+		registry:            setupRegistryService(store, c.String("docker-config"), c.String("registry-service-endpoint"), client),
 		config:              configService,
 		environment:         environment.Parse(c.StringSlice("environment")),
 		forgeCache:          ttlcache.New(ttlcache.WithDisableTouchOnHit[int64, forge.Forge]()),
@@ -109,7 +109,10 @@ func (m *manager) SecretService() secret.Service {
 	return m.secret
 }
 
-func (m *manager) RegistryServiceFromRepo(_ *model.Repo) registry.Service {
+func (m *manager) RegistryServiceFromRepo(repo *model.Repo) registry.Service {
+	if repo.RegistryExtensionEndpoint != "" {
+		return registry.NewWithExtension(m.registry, registry.NewHTTP(strings.TrimRight(repo.RegistryExtensionEndpoint, "/"), m.client))
+	}
 	return m.RegistryService()
 }
 

server/services/registry/combined.go

@@ -15,6 +15,7 @@
 package registry
 
 import (
+	"context"
 	"errors"
 
 	"go.woodpecker-ci.org/woodpecker/v3/server/model"
@@ -42,8 +43,8 @@ func (c *combined) RegistryList(repo *model.Repo, p *model.ListOptions) ([]*mode
 	return c.dbRegistry.RegistryList(repo, p)
 }
 
-func (c *combined) RegistryListPipeline(repo *model.Repo, pipeline *model.Pipeline) ([]*model.Registry, error) {
-	dbRegistries, err := c.dbRegistry.RegistryListPipeline(repo, pipeline)
+func (c *combined) RegistryListPipeline(ctx context.Context, repo *model.Repo, pipeline *model.Pipeline) ([]*model.Registry, error) {
+	dbRegistries, err := c.dbRegistry.RegistryListPipeline(ctx, repo, pipeline)
 	if err != nil {
 		return nil, err
 	}

server/services/registry/db.go

@@ -15,6 +15,8 @@
 package registry
 
 import (
+	"context"
+
 	"go.woodpecker-ci.org/woodpecker/v3/server/model"
 	"go.woodpecker-ci.org/woodpecker/v3/server/store"
 )
@@ -36,7 +38,7 @@ func (d *db) RegistryList(repo *model.Repo, p *model.ListOptions) ([]*model.Regi
 	return d.store.RegistryList(repo, false, p)
 }
 
-func (d *db) RegistryListPipeline(repo *model.Repo, _ *model.Pipeline) ([]*model.Registry, error) {
+func (d *db) RegistryListPipeline(_ context.Context, repo *model.Repo, _ *model.Pipeline) ([]*model.Registry, error) {
 	r, err := d.store.RegistryList(repo, true, &model.ListOptions{All: true})
 	if err != nil {
 		return nil, err

server/services/registry/http.go

@@ -0,0 +1,79 @@
+// Copyright 2025 Woodpecker Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package registry
+
+import (
+	"context"
+	"fmt"
+	net_http "net/http"
+
+	"go.woodpecker-ci.org/woodpecker/v3/server/model"
+	"go.woodpecker-ci.org/woodpecker/v3/server/services/utils"
+)
+
+type httpExtension struct {
+	endpoint string
+	client   *utils.Client
+}
+
+type requestStructure struct {
+	Repo     *model.Repo     `json:"repo"`
+	Pipeline *model.Pipeline `json:"pipeline"`
+}
+
+type responseStructure struct {
+	Registries []*registryData `json:"registries"`
+}
+
+type registryData struct {
+	Address  string `json:"address"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+// NewHTTP returns a new HTTP registry extension client.
+func NewHTTP(endpoint string, client *utils.Client) *httpExtension {
+	return &httpExtension{endpoint, client}
+}
+
+// RegistryListPipeline fetches registry credentials from an external HTTP extension.
+func (h *httpExtension) RegistryListPipeline(ctx context.Context, repo *model.Repo, pipeline *model.Pipeline) ([]*model.Registry, error) {
+	response := new(responseStructure)
+	body := requestStructure{
+		Repo:     repo,
+		Pipeline: pipeline,
+	}
+
+	status, err := h.client.Send(ctx, net_http.MethodPost, h.endpoint, body, response)
+	if err != nil && status != net_http.StatusNoContent {
+		return nil, fmt.Errorf("failed to fetch registries via http (%d) %w", status, err)
+	}
+
+	if status != net_http.StatusOK {
+		// 204 No Content means no additional registries
+		return nil, nil
+	}
+
+	registries := make([]*model.Registry, len(response.Registries))
+	for i, reg := range response.Registries {
+		registries[i] = &model.Registry{
+			Address:  reg.Address,
+			Username: reg.Username,
+			Password: reg.Password,
+		}
+	}
+
+	return registries, nil
+}

server/services/registry/service.go

@@ -14,11 +14,15 @@
 
 package registry
 
-import "go.woodpecker-ci.org/woodpecker/v3/server/model"
+import (
+	"context"
+
+	"go.woodpecker-ci.org/woodpecker/v3/server/model"
+)
 
 // Service defines a service for managing registries.
 type Service interface {
-	RegistryListPipeline(*model.Repo, *model.Pipeline) ([]*model.Registry, error)
+	RegistryListPipeline(context.Context, *model.Repo, *model.Pipeline) ([]*model.Registry, error)
 	// Repository registries
 	RegistryFind(*model.Repo, string) (*model.Registry, error)
 	RegistryList(*model.Repo, *model.ListOptions) ([]*model.Registry, error)