From 54eafe8709cbf79d15acc00b3293a57abab9d4f1 Mon Sep 17 00:00:00 2001
From: 0x1def <0x1def@flakybit.net>
Date: Wed, 27 Nov 2024 18:48:12 +0300
Subject: [PATCH] CI: reworked using creds helper
---
 .ci/image.sh | 10 +++++-----
 .ci/lib.sh | 10 ++++++++++
 .ci/login-ecr.sh | 12 ------------
 .ci/publish-external.sh | 12 ++++++++----
 .ci/set-env.sh | 7 ++-----
 .woodpecker.yaml | 17 ++++++-----------
 6 files changed, 31 insertions(+), 37 deletions(-)
 delete mode 100755 .ci/login-ecr.sh
diff --git a/.ci/image.sh b/.ci/image.sh
index 23828a8..07e5c4f 100755
--- a/.ci/image.sh
+++ b/.ci/image.sh
@@ -5,14 +5,14 @@ set -a
 . .ci/lib.sh
 set +a
-echo "Setting authentication for $HARBOR_REGISTRY"
-setRegistryAuth "$KANIKO_AUTH_FILE" "$HARBOR_REGISTRY" "$HARBOR_CREDS"
+echo && echo "Setting authentication for $HARBOR_REGISTRY"
+authfile='/kaniko/.docker/config.json'
+setRegistryAuth "$authfile" "$HARBOR_REGISTRY" "$HARBOR_CREDS"
 image="$APP_NAME/$APP_COMPONENT:$APP_VERSION"
 dockerfile="./Dockerfile"
-echo "Building $image image"
+echo && echo "Building $image image"
 executor -c ./ -f "$dockerfile" -d "$HARBOR_REGISTRY/$image"
-echo 'Done'
-
+echo && echo 'Done'
diff --git a/.ci/lib.sh b/.ci/lib.sh
index 894cc35..888e6b2 100755
--- a/.ci/lib.sh
+++ b/.ci/lib.sh
@@ -66,6 +66,16 @@ setRegistryAuth () {
 unset auth auths
 }
+# $1 - configuration file
+# $2 - registry
+# $3 - creds helper
+setRegistryCredHelper () {
+ helpers=$(printf '{"credHelpers":{"%s":"%s"}}' "$2" "$3")
+ printf '%s' "$helpers" > "$1"
+
+ unset helpers
+}
+
 # AWS_ACCESS_KEY_ID - login
 # AWS_SECRET_ACCESS_KEY - password
 # $1 - file with token
diff --git a/.ci/login-ecr.sh b/.ci/login-ecr.sh
deleted file mode 100755
index f96af09..0000000
--- a/.ci/login-ecr.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-set -eu
-
-set -a
-. .ci/lib.sh
-set +a
-
-echo Obtaining AWS Public ECR credentials
-
-setAwsEcrCreds "$AWS_CREDS_FILE"
-
-echo Done
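Review bot: In `setRegistryCredHelper` (.ci/lib.sh), `$2` and `$3` are pasted into the JSON template without escaping and the target file is replaced with `>`, so a value containing `"` or `\` yields a malformed or altered config, and any `auths` entry that an earlier `setRegistryAuth` call wrote to the same path would be lost. In the callers visible in this patch both values come from pipeline configuration and the two functions are used in separate branches, so this is a robustness point rather than an exposure. The header comment should state the contract, for example `# Overwrites $1; $2 and $3 must not contain '"' or '\'`. The function also assumes the parent directory of `$1` already exists; `mkdir -p "$(dirname "$1")"` before the write would make that explicit.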
diff --git a/.ci/publish-external.sh b/.ci/publish-external.sh
index d66d48f..6e4fcd6 100755
--- a/.ci/publish-external.sh
+++ b/.ci/publish-external.sh
@@ -7,13 +7,17 @@ set +a
 src_image="$HARBOR_REGISTRY/$APP_NAME/$APP_COMPONENT:$APP_VERSION"
 dst_image="$DEST_REGISTRY/$EXTERNAL_REGISTRY_NAMESPACE/$APP_NAME-$APP_COMPONENT:$APP_VERSION"
+dst_authfile="$HOME/auth.json"
+echo && echo "Setting authentication for $DEST_REGISTRY"
 if printf '%s' "$DEST_REGISTRY" | grep -q "ecr.aws"; then
+ setRegistryCredHelper "$dst_authfile" "$DEST_REGISTRY" 'ecr-login'
 dst_image="$DEST_REGISTRY/$EXTERNAL_REGISTRY_NAMESPACE/$APP_NAME/$APP_COMPONENT:$APP_VERSION"
- DEST_CREDS=$(cat "$AWS_CREDS_FILE")
+else
+ setRegistryAuth "$dst_authfile" "$DEST_REGISTRY" "$DEST_CREDS"
 fi
-echo "Pushing $dst_image"
-retry 2 skopeo copy --dest-creds="$DEST_CREDS" "docker://$src_image" "docker://$dst_image"
+echo && echo "Pushing $dst_image"
+retry 2 skopeo copy "docker://$src_image" "docker://$dst_image" --dest-authfile="$dst_authfile"
-echo 'Done'
+echo && echo 'Done'
diff --git a/.ci/set-env.sh b/.ci/set-env.sh
index ec397fa..31dd23f 100755
--- a/.ci/set-env.sh
+++ b/.ci/set-env.sh
@@ -5,7 +5,7 @@ set -a
 . .ci/lib.sh
 set +a
-echo Setting up environment
+echo && echo 'Setting up environment'
 app_name='mongodb'
 printf 'APP_NAME=%s\n' "$app_name" >> "$CI_ENV_FILE"
@@ -18,9 +18,6 @@ printf 'APP_VERSION=%s\n' "$(getAppVersion)" >> "$CI_ENV_FILE"
 printf 'HARBOR_REGISTRY=%s\n' 'harbor.flakybit.net' >> "$CI_ENV_FILE"
 printf 'EXTERNAL_REGISTRY_NAMESPACE=%s\n' 'flakybitnet' >> "$CI_ENV_FILE"
-printf 'KANIKO_AUTH_FILE=%s\n' '/kaniko/.docker/config.json' >> "$CI_ENV_FILE"
-printf 'AWS_CREDS_FILE=%s\n' '.ci/aws-ecr-creds' >> "$CI_ENV_FILE"
-
 cat "$CI_ENV_FILE"
-echo Done
+echo && echo 'Done'
diff --git a/.woodpecker.yaml b/.woodpecker.yaml
index 46a5aeb..c306c9c 100644
--- a/.woodpecker.yaml
+++ b/.woodpecker.yaml
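Review bot: In .ci/publish-external.sh the non-ECR branch writes `DEST_CREDS` into `$HOME/auth.json` through `setRegistryAuth`, and nothing in this hunk restricts the file's mode or removes it once the copy has finished. Taking the secret off the `skopeo` command line is a real improvement, but the file now outlives the push, and whether other users on the runner can read it depends on the umask and on `setRegistryAuth`, whose body is outside this patch. I would add `umask 077` before the auth file is written and `trap 'rm -f -- "$dst_authfile"' EXIT` right after `dst_authfile` is assigned. Separately, the branch is still chosen by `grep -q "ecr.aws"`, an unanchored regex in which `.` matches any character; because that test now decides which credential mechanism is configured, a `case "$DEST_REGISTRY" in *.ecr.aws) ... ;; esac` match would be stricter.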
@@ -5,8 +5,7 @@ variables: - &debian_image 'public.ecr.aws/docker/library/debian:bookworm-slim' - &kaniko_image "gcr.io/kaniko-project/executor:v1.23.2-debug" - - &skopeo_image "quay.io/containers/skopeo:v1.15.2" - - &awscli_image "public.ecr.aws/aws-cli/aws-cli:2.17.42" + - &skopeo_image "public.ecr.aws/flakybitnet/skopeo:1.16.1-fb1" when: - branch: main @@ -40,6 +39,7 @@ steps: publish-quay: when: evaluate: '(RUN_PHASES == "" || "publish-quay" in split(RUN_PHASES, ",")) && (CI_COMMIT_TAG != "" || CI_MANUAL_TAG != "")' + failure: ignore image: *skopeo_image environment: DEST_REGISTRY: quay.io @@ -50,6 +50,7 @@ steps: publish-ghcr: when: evaluate: '(RUN_PHASES == "" || "publish-ghcr" in split(RUN_PHASES, ",")) && (CI_COMMIT_TAG != "" || CI_MANUAL_TAG != "")' + failure: ignore image: *skopeo_image environment: DEST_REGISTRY: ghcr.io @@ -57,22 +58,16 @@ steps: from_secret: fb_ghcr_creds commands: - .ci/publish-external.sh - login-ecr: + publish-ecr: when: evaluate: '(RUN_PHASES == "" || "publish-ecr" in split(RUN_PHASES, ",")) && (CI_COMMIT_TAG != "" || CI_MANUAL_TAG != "")' - image: *awscli_image + failure: ignore environment: + DEST_REGISTRY: public.ecr.aws AWS_ACCESS_KEY_ID: from_secret: fb_ecr_key_id AWS_SECRET_ACCESS_KEY: from_secret: fb_ecr_key - commands: - - .ci/login-ecr.sh - publish-ecr: - environment: - DEST_REGISTRY: public.ecr.aws - when: - evaluate: '(RUN_PHASES == "" || "publish-ecr" in split(RUN_PHASES, ",")) && (CI_COMMIT_TAG != "" || CI_MANUAL_TAG != "")' image: *skopeo_image commands: - .ci/publish-external.sh
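Review bot: The new `skopeo_image` anchor refers to `public.ecr.aws/flakybitnet/skopeo:1.16.1-fb1` by tag only, and that image runs every publish step with the registry push credentials and, for `publish-ecr`, the AWS key pair in its environment. A tag can be re-pointed, so the content that runs with those secrets is not fixed by this file; pinning by digest, e.g. `public.ecr.aws/flakybitnet/skopeo:1.16.1-fb1@sha256:<digest-placeholder>`, makes it so. Presumably the custom build exists to ship the `ecr-login` helper that .ci/publish-external.sh now configures; a one-line comment beside the anchor saying so would explain why the upstream image was replaced.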
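Review bot: `failure: ignore` on `publish-quay`, and likewise on `publish-ghcr` and `publish-ecr` in the following hunks, means a rejected login or failed push no longer fails the pipeline, so a tagged release can finish green while the image is missing from one or more external registries. If the intent is to keep one registry outage from blocking the others, say so next to the setting, e.g. `# best effort: external mirrors must not block the release`. The failure should then be surfaced some other way, such as a notification step or a final check that the tag exists in each registry; otherwise expired or revoked credentials go unnoticed until someone tries to pull.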