From ce1de8cbd9cb6f8888dff49de7f78b2f585554b0 Mon Sep 17 00:00:00 2001
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch>
Date: Mon, 26 Aug 2024 15:42:38 +0200
Subject: [PATCH 1/9] Update scripts

---
 .../ci_helpers/list_images.sh                 | 67 ++++++++++++----
 .../ci_helpers/rename_tag.sh                  | 78 ++++++++++++++-----
 2 files changed, 109 insertions(+), 36 deletions(-)

diff --git a/continuousintegration/ci_helpers/list_images.sh b/continuousintegration/ci_helpers/list_images.sh
index 06fe5ccb72..34f562b0db 100755
--- a/continuousintegration/ci_helpers/list_images.sh
+++ b/continuousintegration/ci_helpers/list_images.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # @project      The CERN Tape Archive (CTA)
-# @copyright    Copyright © 2022 CERN
+# @copyright    Copyright © 2024 CERN
 # @license      This program is free software, distributed under the terms of the GNU General Public
 #               Licence version 3 (GPL Version 3), copied verbatim in the file "COPYING". You can
 #               redistribute it and/or modify it under the terms of the GPL Version 3, or (at your
@@ -15,22 +15,59 @@
 #               granted to it by virtue of its status as an Intergovernmental Organization or
 #               submit itself to any jurisdiction.
 
-# env variables used:
-# DOCKER_LOGIN_USERNAME
-# DOCKER_LOGIN_PASSWORD
-#
-# set in /etc/gitlab/gitlabregistry.txt managed by Puppet
-. /etc/gitlab/gitlabregistry.txt
+list_images() {
+  # The Kubernetes secret stores a base64 encoded .dockerconfigjson. This json has the following format:
+  # {
+  #   "auths": {
+  #     "gitlab-registry.cern.ch": {
+  #       "auth": "base64 encoded string of 'username:password'"
+  #     }
+  #   }
+  # }
+
+  local secret_name="ctaregsecret"
+  local registry_name="cta/ctageneric"
+  local gitlab_server="gitlab.cern.ch"
+
+  local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths')
+
+  local docker_registry=$(echo $auth_json | jq -r 'keys[0]')
+  local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
+  local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
+
+  if [[ -z "$docker_registry" ]]; then
+    echo "ERROR: Missing required variable: docker_registry"
+    return 1
+  fi
+  if [[ -z "$docker_login_username" ]]; then
+    echo "ERROR: Missing required variable: docker_login_username"
+    return 1
+  fi
+  if [[ -z "$docker_login_password" ]]; then
+    echo "ERROR: Missing required variable: docker_login_password"
+    return 1
+  fi
+
+  # Retrieve JWT pull token from GitLab
+  local jwt_pull_token=$(curl -s -u "${docker_login_username}:${docker_login_password}" \
+    "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token')
 
-TO=gitlab-registry.cern.ch/cta/ctageneric
+  if [[ -z "$jwt_pull_token" ]]; then
+    echo "Error: Failed to retrieve JWT pull token."
+    return 1
+  fi
 
-CI_REGISTRY=$(echo ${TO} | sed -e 's%/.*%%')
-REPOSITORY=$(echo ${TO} | sed -e 's%[^/]\+/%%')
+  # List the tags in the Docker registry repository
+  local list_response=$(curl -s "https://${docker_registry}/v2/${registry_name}/tags/list" -H "Authorization: Bearer ${jwt_pull_token}")
+  local tags=$(echo "$list_response" | jq -c ".tags[]" | sed -e 's/^"//;s/"$//')
 
-GITLAB_HOST=gitlab.cern.ch
+  if [[ -z "$tags" ]]; then
+    echo "Error: Failed to retrieve tags from repository:"
+    echo "$list_response"
+    return 1
+  fi
 
-JWT_PULL_PUSH_TOKEN=$(curl -q -u ${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD} \
-  "https://${GITLAB_HOST}/jwt/auth?service=container_registry&scope=repository:${REPOSITORY}:pull,push" | cut -d\" -f4 )
+  echo "$tags"
+}
 
-# echo "List of tags in registry"
-curl "https://${CI_REGISTRY}/v2/${REPOSITORY}/tags/list" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}" | jq -c ".tags[]" | sed -e 's/^"//;s/"$//'
+list_images
\ No newline at end of file
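Review bot: The `-z "$jwt_pull_token"` guard cannot catch a rejected login, because `jq -r '.token'` prints the literal string `null` when the JSON response carries no `token` field, and that string is then sent as the bearer token. Using `jq -r '.token // empty'` and adding `--fail` to the curl call makes an HTTP error yield an empty result as well. The same pattern is in the rename_tag.sh hunk of this patch and in check_registry_credentials.sh in patch 4/9, where it presumably lets the credential check report success on bad credentials. The token request also asks for `pull,push` although this script only lists tags; `pull` would be the narrower scope.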
diff --git a/continuousintegration/ci_helpers/rename_tag.sh b/continuousintegration/ci_helpers/rename_tag.sh
index c014ae0a0d..52350288ef 100755
--- a/continuousintegration/ci_helpers/rename_tag.sh
+++ b/continuousintegration/ci_helpers/rename_tag.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # @project      The CERN Tape Archive (CTA)
-# @copyright    Copyright © 2022 CERN
+# @copyright    Copyright © 2022-2024 CERN
 # @license      This program is free software, distributed under the terms of the GNU General Public
 #               Licence version 3 (GPL Version 3), copied verbatim in the file "COPYING". You can
 #               redistribute it and/or modify it under the terms of the GPL Version 3, or (at your
@@ -16,35 +16,71 @@
 #               submit itself to any jurisdiction.
 
 # env variables used:
-# DOCKER_LOGIN_USERNAME
-# DOCKER_LOGIN_PASSWORD
 # OLDTAG
 # NEWTAG
 
-# TO=gitlab-registry.cern.ch/cta/cta-orchestration
+rename_tag() {
+  # Usage: rename_tag <old_tag> <new_tag>
+  local old_tag=$1
+  local new_tag=$2
 
-CI_REGISTRY=$(echo ${TO} | sed -e 's%/.*%%')
-REPOSITORY=$(echo ${TO} | sed -e 's%[^/]\+/%%')
+  if [[ "-${old_tag}-" == "-${new_tag}-" ]]; then
+    echo "The 2 tags are identical: ${old_tag}/${new_tag} no need to rename"
+    exit 0
+  fi
 
-GITLAB_HOST=gitlab.cern.ch
+  local secret_name="ctaregsecret"
+  local registry_name="cta/cta-orchestration"
+  local gitlab_server="gitlab.cern.ch"
 
-if [[ "-${OLDTAG}-" == "-${NEWTAG}-" ]]; then
-  echo "The 2 tags are identical: ${OLDTAG}/${NEWTAG} no need to rename"
-  exit 0
-fi
+  local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths')
 
-JWT_PULL_PUSH_TOKEN=$(curl -q -u ${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD} \
-  "https://${GITLAB_HOST}/jwt/auth?service=container_registry&scope=repository:${REPOSITORY}:pull,push" | cut -d\" -f4 )
+  local docker_registry=$(echo $auth_json | jq -r 'keys[0]')
+  local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
+  local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
 
-echo "List of tags in registry"
-curl "https://${CI_REGISTRY}/v2/${REPOSITORY}/tags/list" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}"
+  if [[ -z "$docker_registry" ]]; then
+    echo "ERROR: Missing required variable: docker_registry"
+    return 1
+  fi
+  if [[ -z "$docker_login_username" ]]; then
+    echo "ERROR: Missing required variable: docker_login_username"
+    return 1
+  fi
+  if [[ -z "$docker_login_password" ]]; then
+    echo "ERROR: Missing required variable: docker_login_password"
+    return 1
+  fi
 
+  local jwt_push_pull_token=$(curl -s -u ${docker_login_username}:${docker_login_password} \
+    "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token')
 
-echo "Pulling the manifest of tag:${OLDTAG}"
-curl "https://${CI_REGISTRY}/v2/${REPOSITORY}/manifests/${OLDTAG}" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}" -H 'accept: application/vnd.docker.distribution.manifest.v2+json' > manifest.json
+  if [[ -z "$jwt_push_pull_token" ]]; then
+    echo "Error: Failed to retrieve JWT pull token."
+    return 1
+  fi
 
-echo "Pushing new tag: ${NEWTAG}"
-curl -XPUT "https://${CI_REGISTRY}/v2/${REPOSITORY}/manifests/${NEWTAG}" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}" -H 'content-type: application/vnd.docker.distribution.manifest.v2+json' -d '@manifest.json' -v
+  echo "List of tags in registry"
+  curl -H "Authorization: Bearer ${jwt_push_pull_token}" \
+       "https://${docker_registry}/v2/${registry_name}/tags/list"
 
-echo "List of tags in registry"
-curl "https://${CI_REGISTRY}/v2/${REPOSITORY}/tags/list" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}"
+
+  echo "Pulling the manifest of tag:${old_tag}"
+  curl -H "Authorization: Bearer ${jwt_push_pull_token}" \
+       -H 'accept: application/vnd.docker.distribution.manifest.v2+json' \
+       "https://${docker_registry}/v2/${registry_name}/manifests/${old_tag}" > manifest.json
+
+  echo "Pushing new tag: ${new_tag}"
+  curl -XPUT \
+       -H "Authorization: Bearer ${jwt_push_pull_token}" \
+       -H 'content-type: application/vnd.docker.distribution.manifest.v2+json' \
+       -d '@manifest.json' \
+       "https://${docker_registry}/v2/${registry_name}/manifests/${new_tag}" \
+       -v
+
+  echo "List of tags in registry"
+  curl -H "Authorization: Bearer ${jwt_push_pull_token}" \
+       "https://${docker_registry}/v2/${registry_name}/tags/list"
+}
+
+rename_tag $OLDTAG $NEWTAG
\ No newline at end of file
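Review bot: The manifest PUT runs curl with `-v`, and curl's verbose output includes the request headers, so the `Authorization: Bearer …` value ends up in the CI job log; drop `-v`, or use `-w '%{http_code}\n'` if only the status is wanted. The manifest GET above it has no `--fail`, so an error body would be written to `manifest.json` and then pushed as the new tag's manifest. `-u ${docker_login_username}:${docker_login_password}` is unquoted here although list_images.sh quotes it, and the call should be `rename_tag "$OLDTAG" "$NEWTAG"`. `manifest.json` is written to the current directory; a `mktemp` file removed on exit would avoid clobbering an existing file.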
-- 
GitLab


From 24f530c2982f471ad7d3606c1651b11358f67f84 Mon Sep 17 00:00:00 2001
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch>
Date: Mon, 26 Aug 2024 15:43:45 +0200
Subject: [PATCH 2/9] Update release notes

---
 ReleaseNotes.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ReleaseNotes.md b/ReleaseNotes.md
index 25db00fc1a..c5227df87b 100644
--- a/ReleaseNotes.md
+++ b/ReleaseNotes.md
@@ -53,6 +53,7 @@
 - cta/CTA#847 - Introduced version-lock for Oracle instant client
 - cta/CTA#821 - Improved pipeline logic for faster performance and correct cancel propagation
 - cta/CTA#708 - Added a basic test for the archive metadata to the CI
+- cta/CTA#835 - Refactor scripts that made use of /etc/gitlab/gitlabregistry.txt to use kubernetes secret instead
 
 ### Catalogue Schema
 - cta/CTA#801 - Update CTA catalogue schema to version 15.0
-- 
GitLab


From 48c2f6c18c4fd2aa8903fb8f0f5c50eb3ca24021 Mon Sep 17 00:00:00 2001
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch>
Date: Tue, 27 Aug 2024 09:28:06 +0200
Subject: [PATCH 3/9] Added newline at end of file

---
 continuousintegration/ci_helpers/list_images.sh | 2 +-
 continuousintegration/ci_helpers/rename_tag.sh  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/continuousintegration/ci_helpers/list_images.sh b/continuousintegration/ci_helpers/list_images.sh
index 34f562b0db..5d38d62ae0 100755
--- a/continuousintegration/ci_helpers/list_images.sh
+++ b/continuousintegration/ci_helpers/list_images.sh
@@ -70,4 +70,4 @@ list_images() {
   echo "$tags"
 }
 
-list_images
\ No newline at end of file
+list_images
diff --git a/continuousintegration/ci_helpers/rename_tag.sh b/continuousintegration/ci_helpers/rename_tag.sh
index 52350288ef..703ad125da 100755
--- a/continuousintegration/ci_helpers/rename_tag.sh
+++ b/continuousintegration/ci_helpers/rename_tag.sh
@@ -83,4 +83,4 @@ rename_tag() {
        "https://${docker_registry}/v2/${registry_name}/tags/list"
 }
 
-rename_tag $OLDTAG $NEWTAG
\ No newline at end of file
+rename_tag $OLDTAG $NEWTAG
-- 
GitLab


From 07644dac0a1c98dd67a2932d1f6c814254f09889 Mon Sep 17 00:00:00 2001
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch>
Date: Mon, 2 Sep 2024 17:47:34 +0200
Subject: [PATCH 4/9] Added script to verify credentials

---
 .../ci_helpers/check_registry_credentials.sh  | 66 +++++++++++++++++++
 .../orchestration/create_instance.sh          |  5 ++
 2 files changed, 71 insertions(+)
 create mode 100755 continuousintegration/ci_helpers/check_registry_credentials.sh

diff --git a/continuousintegration/ci_helpers/check_registry_credentials.sh b/continuousintegration/ci_helpers/check_registry_credentials.sh
new file mode 100755
index 0000000000..401edcecfb
--- /dev/null
+++ b/continuousintegration/ci_helpers/check_registry_credentials.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# @project      The CERN Tape Archive (CTA)
+# @copyright    Copyright © 2024 CERN
+# @license      This program is free software, distributed under the terms of the GNU General Public
+#               Licence version 3 (GPL Version 3), copied verbatim in the file "COPYING". You can
+#               redistribute it and/or modify it under the terms of the GPL Version 3, or (at your
+#               option) any later version.
+#
+#               This program is distributed in the hope that it will be useful, but WITHOUT ANY
+#               WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+#               PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+#               In applying this licence, CERN does not waive the privileges and immunities
+#               granted to it by virtue of its status as an Intergovernmental Organization or
+#               submit itself to any jurisdiction.
+
+check_credentials() {
+  # The Kubernetes secret stores a base64 encoded .dockerconfigjson. This json has the following format:
+  # {
+  #   "auths": {
+  #     "gitlab-registry.cern.ch": {
+  #       "auth": "base64 encoded string of 'username:password'"
+  #     }
+  #   }
+  # }
+
+  local secret_name="ctaregsecret"
+  local registry_name="cta/ctageneric"
+  local gitlab_server="gitlab.cern.ch"
+
+  local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths')
+
+  local docker_registry=$(echo $auth_json | jq -r 'keys[0]')
+  local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
+  local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
+
+  if [[ -z "$docker_registry" ]]; then
+    echo "ERROR: Missing required variable: docker_registry"
+    return 1
+  fi
+  if [[ -z "$docker_login_username" ]]; then
+    echo "ERROR: Missing required variable: docker_login_username"
+    return 1
+  fi
+  if [[ -z "$docker_login_password" ]]; then
+    echo "ERROR: Missing required variable: docker_login_password"
+    return 1
+  fi
+
+  # Retrieve JWT pull token from GitLab
+  local jwt_pull_token=$(curl -s -u "${docker_login_username}:${docker_login_password}" \
+    "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token')
+
+  if [[ -z "$jwt_pull_token" ]]; then
+    echo "Error: Failed to retrieve JWT pull token."
+    echo "\tRegistry: $docker_registry"
+    echo "\tUsername: $docker_login_username"
+    return 1
+  fi
+
+  echo "Credentials verified"
+  return 0
+}
+
+check_credentials
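Review bot: The password is parsed with `cut -d: -f2`, which keeps only the text between the first and second colon, so a password or access token containing `:` is silently truncated; `cut -d: -f2-` keeps the remainder. The registry is chosen with `keys[0]` while the credential comes from `.[].auth`, which emits one line per entry, so a secret with more than one registry feeds several values into `base64 --decode`; indexing the same entry for both would keep them paired. Both points also apply to list_images.sh and rename_tag.sh in patch 1/9. In the failure branch, `echo "\tRegistry: …"` prints a literal `\t` under bash's builtin echo; `printf '\tRegistry: %s\n' "$docker_registry" >&2` gives the tab and keeps diagnostics off stdout.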
diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh
index e6e4e6f7c9..ce15571c5d 100755
--- a/continuousintegration/orchestration/create_instance.sh
+++ b/continuousintegration/orchestration/create_instance.sh
@@ -166,6 +166,11 @@ if [ "$updatedatabasetest" == "1" ] ; then
 fi
 
 # We are going to run with repository based images (they have rpms embedded)
+../ci_helpers/check_registry_credentials.sh
+if [ $? -ne 0 ]; then
+  echo "Error: Credential check failed"
+  exit 1
+fi
 if [[ ${systest_only} -eq 1 ]]; then
   COMMITID=$(curl --url "https://gitlab.cern.ch/api/v4/projects/139306/repository/commits" | jq -cr '.[0] | .short_id' | sed -e 's/\(........\).*/\1/')
 else
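Review bot: `../ci_helpers/check_registry_credentials.sh` is resolved against the caller's working directory, so the check only runs when create_instance.sh is started from its own directory; otherwise the call fails as "not found" and the job aborts with a misleading "Credential check failed". Resolving it from the script location, e.g. `"$(dirname "${BASH_SOURCE[0]}")/../ci_helpers/check_registry_credentials.sh"`, removes that dependency. The surrounding script starts and ends outside this hunk, so whether it already changes into its own directory is not visible here.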
-- 
GitLab


From 3fb8f1f982f80f76970643746db31992b74b97a3 Mon Sep 17 00:00:00 2001
From: Niels <bugel.niels@gmail.com>
Date: Tue, 3 Sep 2024 10:54:45 +0200
Subject: [PATCH 5/9] Changed error capitalization

---
 .../ci_helpers/check_registry_credentials.sh                | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/continuousintegration/ci_helpers/check_registry_credentials.sh b/continuousintegration/ci_helpers/check_registry_credentials.sh
index 401edcecfb..2161a27d66 100755
--- a/continuousintegration/ci_helpers/check_registry_credentials.sh
+++ b/continuousintegration/ci_helpers/check_registry_credentials.sh
@@ -36,15 +36,15 @@ check_credentials() {
   local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
 
   if [[ -z "$docker_registry" ]]; then
-    echo "ERROR: Missing required variable: docker_registry"
+    echo "Error: Missing required variable: docker_registry"
     return 1
   fi
   if [[ -z "$docker_login_username" ]]; then
-    echo "ERROR: Missing required variable: docker_login_username"
+    echo "Error: Missing required variable: docker_login_username"
     return 1
   fi
   if [[ -z "$docker_login_password" ]]; then
-    echo "ERROR: Missing required variable: docker_login_password"
+    echo "Error: Missing required variable: docker_login_password"
     return 1
   fi
 
-- 
GitLab


From d86626e2de69aa978db00a67b33dceef8f8fd41a Mon Sep 17 00:00:00 2001
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch>
Date: Tue, 3 Sep 2024 17:11:19 +0200
Subject: [PATCH 6/9] Added fallback for registry credentials

---
 .../ci_helpers/check_registry_credentials.sh  | 38 ++++++++++++-------
 1 file changed, 25 insertions(+), 13 deletions(-)

diff --git a/continuousintegration/ci_helpers/check_registry_credentials.sh b/continuousintegration/ci_helpers/check_registry_credentials.sh
index 2161a27d66..56dd060cca 100755
--- a/continuousintegration/ci_helpers/check_registry_credentials.sh
+++ b/continuousintegration/ci_helpers/check_registry_credentials.sh
@@ -15,6 +15,10 @@
 #               granted to it by virtue of its status as an Intergovernmental Organization or
 #               submit itself to any jurisdiction.
 
+secret_is_dockerconfigjson() {
+  test $(kubectl get secret $1 -o jsonpath='{.type}') == "kubernetes.io/dockerconfigjson" 
+}
+
 check_credentials() {
   # The Kubernetes secret stores a base64 encoded .dockerconfigjson. This json has the following format:
   # {
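Review bot: In `secret_is_dockerconfigjson` the command substitution and `$1` are unquoted, so when kubectl prints nothing (secret missing, no cluster access) `test` is invoked as `test == "kubernetes.io/dockerconfigjson"` and fails with a syntax error rather than a clean false. The function still returns non-zero, so the fallback is taken, but only by accident and with noise on stderr. `[[ "$(kubectl get secret "$1" -o jsonpath='{.type}')" == "kubernetes.io/dockerconfigjson" ]]` is well defined for an empty result. A one-line comment stating that any kubectl failure is treated as "not a dockerconfigjson secret" would make the fallback semantics explicit.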
@@ -29,33 +33,41 @@ check_credentials() {
   local registry_name="cta/ctageneric"
   local gitlab_server="gitlab.cern.ch"
 
-  local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths')
+  # These variable are capatalised to match the variable in gitlabregistry.txt
+  local DOCKER_REGISTRY=$(echo $auth_json | jq -r 'keys[0]')
+  local DOCKER_LOGIN_USERNAME=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
+  local DOCKER_LOGIN_PASSWORD=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
+  if secret_is_dockerconfigjson $secret_name ; then
+    local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths')
 
-  local docker_registry=$(echo $auth_json | jq -r 'keys[0]')
-  local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
-  local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
+    DOCKER_REGISTRY=$(echo $auth_json | jq -r 'keys[0]')
+    DOCKER_LOGIN_USERNAME=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
+    DOCKER_LOGIN_PASSWORD=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
+  else
+    source /etc/gitlab/gitlabregistry.txt
+  fi
 
-  if [[ -z "$docker_registry" ]]; then
-    echo "Error: Missing required variable: docker_registry"
+  if [[ -z "$DOCKER_REGISTRY" ]]; then
+    echo "Error: Missing required variable: DOCKER_REGISTRY"
     return 1
   fi
-  if [[ -z "$docker_login_username" ]]; then
-    echo "Error: Missing required variable: docker_login_username"
+  if [[ -z "$DOCKER_LOGIN_USERNAME" ]]; then
+    echo "Error: Missing required variable: DOCKER_LOGIN_USERNAME"
     return 1
   fi
-  if [[ -z "$docker_login_password" ]]; then
-    echo "Error: Missing required variable: docker_login_password"
+  if [[ -z "$DOCKER_LOGIN_PASSWORD" ]]; then
+    echo "Error: Missing required variable: DOCKER_LOGIN_PASSWORD"
     return 1
   fi
 
   # Retrieve JWT pull token from GitLab
-  local jwt_pull_token=$(curl -s -u "${docker_login_username}:${docker_login_password}" \
+  local jwt_pull_token=$(curl -s -u "${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD}" \
     "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token')
 
   if [[ -z "$jwt_pull_token" ]]; then
     echo "Error: Failed to retrieve JWT pull token."
-    echo "\tRegistry: $docker_registry"
-    echo "\tUsername: $docker_login_username"
+    echo "\tRegistry: $DOCKER_REGISTRY"
+    echo "\tUsername: $DOCKER_LOGIN_USERNAME"
     return 1
   fi
 
-- 
GitLab


From 96d6eb4acdc013fbe787f2c9c4f3618630408e7e Mon Sep 17 00:00:00 2001
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch>
Date: Tue, 3 Sep 2024 17:48:39 +0200
Subject: [PATCH 7/9] Reduced code duplication with credential extraction

---
 ...entials.sh => get_registry_credentials.sh} | 29 +++++++++++-----
 .../ci_helpers/list_images.sh                 | 34 ++++---------------
 .../ci_helpers/rename_tag.sh                  | 30 +++-------------
 .../orchestration/create_instance.sh          |  6 +---
 4 files changed, 34 insertions(+), 65 deletions(-)
 rename continuousintegration/ci_helpers/{check_registry_credentials.sh => get_registry_credentials.sh} (83%)

diff --git a/continuousintegration/ci_helpers/check_registry_credentials.sh b/continuousintegration/ci_helpers/get_registry_credentials.sh
similarity index 83%
rename from continuousintegration/ci_helpers/check_registry_credentials.sh
rename to continuousintegration/ci_helpers/get_registry_credentials.sh
index 56dd060cca..dbe2c0438c 100755
--- a/continuousintegration/ci_helpers/check_registry_credentials.sh
+++ b/continuousintegration/ci_helpers/get_registry_credentials.sh
@@ -19,7 +19,7 @@ secret_is_dockerconfigjson() {
   test $(kubectl get secret $1 -o jsonpath='{.type}') == "kubernetes.io/dockerconfigjson" 
 }
 
-check_credentials() {
+get_credentials() {
   # The Kubernetes secret stores a base64 encoded .dockerconfigjson. This json has the following format:
   # {
   #   "auths": {
@@ -29,14 +29,23 @@ check_credentials() {
   #   }
   # }
 
+  local check_mode=false
+  while [[ "$#" -gt 0 ]]; do
+      case $1 in
+          --check) check_mode=true ;;
+          *) echo "Unknown option: $1" ;;
+      esac
+      shift
+  done
+
   local secret_name="ctaregsecret"
   local registry_name="cta/ctageneric"
   local gitlab_server="gitlab.cern.ch"
 
   # These variable are capatalised to match the variable in gitlabregistry.txt
-  local DOCKER_REGISTRY=$(echo $auth_json | jq -r 'keys[0]')
-  local DOCKER_LOGIN_USERNAME=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
-  local DOCKER_LOGIN_PASSWORD=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
+  local DOCKER_REGISTRY=""
+  local DOCKER_LOGIN_USERNAME=""
+  local DOCKER_LOGIN_PASSWORD=""
   if secret_is_dockerconfigjson $secret_name ; then
     local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths')
 
@@ -61,18 +70,22 @@ check_credentials() {
   fi
 
   # Retrieve JWT pull token from GitLab
-  local jwt_pull_token=$(curl -s -u "${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD}" \
+  local jwt_token=$(curl -s -u "${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD}" \
     "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token')
 
-  if [[ -z "$jwt_pull_token" ]]; then
+  if [[ -z "$jwt_token" ]]; then
     echo "Error: Failed to retrieve JWT pull token."
     echo "\tRegistry: $DOCKER_REGISTRY"
     echo "\tUsername: $DOCKER_LOGIN_USERNAME"
     return 1
   fi
 
-  echo "Credentials verified"
+  if [[ $check_only == true ]]; then
+    echo "Credentials verified"
+  else
+    echo $jwt_token
+  fi
   return 0
 }
 
-check_credentials
+get_credentials "$@"
\ No newline at end of file
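Review bot: The option loop stores the flag in `check_mode`, but this hunk tests `$check_only`, which is never set, so the `else` branch always runs and `--check` prints the JWT instead of "Credentials verified". create_instance.sh calls the script with `--check` without capturing stdout (last hunk of this patch), so the registry token would land in the job log. The test should read `if [[ "$check_mode" == true ]]; then`, and `echo $jwt_token` should be `printf '%s\n' "$jwt_token"`. Patch 8/9 adds another `$check_only` test with the same problem, so its fallback message is never printed.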
diff --git a/continuousintegration/ci_helpers/list_images.sh b/continuousintegration/ci_helpers/list_images.sh
index 5d38d62ae0..0d86c6645e 100755
--- a/continuousintegration/ci_helpers/list_images.sh
+++ b/continuousintegration/ci_helpers/list_images.sh
@@ -25,40 +25,20 @@ list_images() {
   #   }
   # }
 
-  local secret_name="ctaregsecret"
   local registry_name="cta/ctageneric"
-  local gitlab_server="gitlab.cern.ch"
+  local docker_registry="gitlab-registry.cern.ch"
 
-  local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths')
+  
+  local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+  local jwt_token=$(bash ${script_dir}/get_registry_credentials.sh)
 
-  local docker_registry=$(echo $auth_json | jq -r 'keys[0]')
-  local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
-  local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
-
-  if [[ -z "$docker_registry" ]]; then
-    echo "ERROR: Missing required variable: docker_registry"
-    return 1
-  fi
-  if [[ -z "$docker_login_username" ]]; then
-    echo "ERROR: Missing required variable: docker_login_username"
-    return 1
-  fi
-  if [[ -z "$docker_login_password" ]]; then
-    echo "ERROR: Missing required variable: docker_login_password"
-    return 1
-  fi
-
-  # Retrieve JWT pull token from GitLab
-  local jwt_pull_token=$(curl -s -u "${docker_login_username}:${docker_login_password}" \
-    "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token')
-
-  if [[ -z "$jwt_pull_token" ]]; then
-    echo "Error: Failed to retrieve JWT pull token."
+  if [[ -z "$jwt_token" ]]; then
+    echo "Error: Failed to retrieve JWT token."
     return 1
   fi
 
   # List the tags in the Docker registry repository
-  local list_response=$(curl -s "https://${docker_registry}/v2/${registry_name}/tags/list" -H "Authorization: Bearer ${jwt_pull_token}")
+  local list_response=$(curl -s "https://${docker_registry}/v2/${registry_name}/tags/list" -H "Authorization: Bearer ${jwt_token}")
   local tags=$(echo "$list_response" | jq -c ".tags[]" | sed -e 's/^"//;s/"$//')
 
   if [[ -z "$tags" ]]; then
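Review bot: `jwt_token=$(bash ${script_dir}/get_registry_credentials.sh)` captures everything the helper writes to stdout, and the helper prints its error messages ("Error: Missing required variable…", "Unknown option…") to stdout as well, so on failure `jwt_token` holds the error text, the `-z` check passes and that text is sent as the bearer token. `local jwt_token=$(…)` also discards the helper's exit status. Declaring first and checking the status fixes both: `local jwt_token` followed by `jwt_token=$(bash "${script_dir}/get_registry_credentials.sh") || return 1`, with the helper's diagnostics moved to stderr. The same call is added to rename_tag.sh in this patch. The block comment describing the .dockerconfigjson layout at the top of `list_images` (it starts outside this hunk) looks stale now that the secret is no longer read here.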
diff --git a/continuousintegration/ci_helpers/rename_tag.sh b/continuousintegration/ci_helpers/rename_tag.sh
index 703ad125da..f254f20551 100755
--- a/continuousintegration/ci_helpers/rename_tag.sh
+++ b/continuousintegration/ci_helpers/rename_tag.sh
@@ -29,34 +29,14 @@ rename_tag() {
     exit 0
   fi
 
-  local secret_name="ctaregsecret"
   local registry_name="cta/cta-orchestration"
-  local gitlab_server="gitlab.cern.ch"
+  local docker_registry="gitlab-registry.cern.ch"
 
-  local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths')
+  local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+  local jwt_token=$(bash ${script_dir}/get_registry_credentials.sh)
 
-  local docker_registry=$(echo $auth_json | jq -r 'keys[0]')
-  local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
-  local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
-
-  if [[ -z "$docker_registry" ]]; then
-    echo "ERROR: Missing required variable: docker_registry"
-    return 1
-  fi
-  if [[ -z "$docker_login_username" ]]; then
-    echo "ERROR: Missing required variable: docker_login_username"
-    return 1
-  fi
-  if [[ -z "$docker_login_password" ]]; then
-    echo "ERROR: Missing required variable: docker_login_password"
-    return 1
-  fi
-
-  local jwt_push_pull_token=$(curl -s -u ${docker_login_username}:${docker_login_password} \
-    "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token')
-
-  if [[ -z "$jwt_push_pull_token" ]]; then
-    echo "Error: Failed to retrieve JWT pull token."
+  if [[ -z "$jwt_token" ]]; then
+    echo "Error: Failed to retrieve JWT token."
     return 1
   fi
 
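Review bot: The token variable is renamed to `jwt_token` here, but the curl calls further down in `rename_tag` (outside this hunk; visible in patch 1/9) still expand `${jwt_push_pull_token}`, which is now unset, so every registry request would go out with an empty bearer token. Those four `Authorization: Bearer ${jwt_push_pull_token}` headers need to become `${jwt_token}`; `set -u` at the top of the script would have turned this into an immediate error. The helper also requests its token for `registry_name="cta/ctageneric"`, while this script operates on `cta/cta-orchestration`, so the token may not cover this repository — worth confirming.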
diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh
index ce15571c5d..6c8222d18e 100755
--- a/continuousintegration/orchestration/create_instance.sh
+++ b/continuousintegration/orchestration/create_instance.sh
@@ -166,11 +166,7 @@ if [ "$updatedatabasetest" == "1" ] ; then
 fi
 
 # We are going to run with repository based images (they have rpms embedded)
-../ci_helpers/check_registry_credentials.sh
-if [ $? -ne 0 ]; then
-  echo "Error: Credential check failed"
-  exit 1
-fi
+../ci_helpers/get_registry_credentials.sh --check || { echo "Error: Credential check failed"; exit 1; }
 if [[ ${systest_only} -eq 1 ]]; then
   COMMITID=$(curl --url "https://gitlab.cern.ch/api/v4/projects/139306/repository/commits" | jq -cr '.[0] | .short_id' | sed -e 's/\(........\).*/\1/')
 else
-- 
GitLab


From 198ff2db0e51e218302fd55eb71ef2e0963fa24d Mon Sep 17 00:00:00 2001
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch>
Date: Wed, 4 Sep 2024 13:28:35 +0200
Subject: [PATCH 8/9] Added extra log statement

---
 continuousintegration/ci_helpers/get_registry_credentials.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/continuousintegration/ci_helpers/get_registry_credentials.sh b/continuousintegration/ci_helpers/get_registry_credentials.sh
index dbe2c0438c..d26cbb3a54 100755
--- a/continuousintegration/ci_helpers/get_registry_credentials.sh
+++ b/continuousintegration/ci_helpers/get_registry_credentials.sh
@@ -53,6 +53,9 @@ get_credentials() {
     DOCKER_LOGIN_USERNAME=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1)
     DOCKER_LOGIN_PASSWORD=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2)
   else
+    if [[ $check_only == true ]]; then
+      echo "No secret with name $secret_name of type \"kubernetes.io/dockerconfigjson\" was found. Falling back to /etc/gitlab/gitlabregistry.txt..."
+    fi
     source /etc/gitlab/gitlabregistry.txt
   fi
 
-- 
GitLab


From 9d57321981bdd16e1dbec259e7afa3fa64e94111 Mon Sep 17 00:00:00 2001
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch>
Date: Wed, 4 Sep 2024 17:06:44 +0200
Subject: [PATCH 9/9] Removed rename_tag

---
 .../ci_helpers/rename_tag.sh                  | 66 -------------------
 1 file changed, 66 deletions(-)
 delete mode 100755 continuousintegration/ci_helpers/rename_tag.sh

diff --git a/continuousintegration/ci_helpers/rename_tag.sh b/continuousintegration/ci_helpers/rename_tag.sh
deleted file mode 100755
index f254f20551..0000000000
--- a/continuousintegration/ci_helpers/rename_tag.sh
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# @project      The CERN Tape Archive (CTA)
-# @copyright    Copyright © 2022-2024 CERN
-# @license      This program is free software, distributed under the terms of the GNU General Public
-#               Licence version 3 (GPL Version 3), copied verbatim in the file "COPYING". You can
-#               redistribute it and/or modify it under the terms of the GPL Version 3, or (at your
-#               option) any later version.
-#
-#               This program is distributed in the hope that it will be useful, but WITHOUT ANY
-#               WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-#               PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-#               In applying this licence, CERN does not waive the privileges and immunities
-#               granted to it by virtue of its status as an Intergovernmental Organization or
-#               submit itself to any jurisdiction.
-
-# env variables used:
-# OLDTAG
-# NEWTAG
-
-rename_tag() {
-  # Usage: rename_tag <old_tag> <new_tag>
-  local old_tag=$1
-  local new_tag=$2
-
-  if [[ "-${old_tag}-" == "-${new_tag}-" ]]; then
-    echo "The 2 tags are identical: ${old_tag}/${new_tag} no need to rename"
-    exit 0
-  fi
-
-  local registry_name="cta/cta-orchestration"
-  local docker_registry="gitlab-registry.cern.ch"
-
-  local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-  local jwt_token=$(bash ${script_dir}/get_registry_credentials.sh)
-
-  if [[ -z "$jwt_token" ]]; then
-    echo "Error: Failed to retrieve JWT token."
-    return 1
-  fi
-
-  echo "List of tags in registry"
-  curl -H "Authorization: Bearer ${jwt_push_pull_token}" \
-       "https://${docker_registry}/v2/${registry_name}/tags/list"
-
-
-  echo "Pulling the manifest of tag:${old_tag}"
-  curl -H "Authorization: Bearer ${jwt_push_pull_token}" \
-       -H 'accept: application/vnd.docker.distribution.manifest.v2+json' \
-       "https://${docker_registry}/v2/${registry_name}/manifests/${old_tag}" > manifest.json
-
-  echo "Pushing new tag: ${new_tag}"
-  curl -XPUT \
-       -H "Authorization: Bearer ${jwt_push_pull_token}" \
-       -H 'content-type: application/vnd.docker.distribution.manifest.v2+json' \
-       -d '@manifest.json' \
-       "https://${docker_registry}/v2/${registry_name}/manifests/${new_tag}" \
-       -v
-
-  echo "List of tags in registry"
-  curl -H "Authorization: Bearer ${jwt_push_pull_token}" \
-       "https://${docker_registry}/v2/${registry_name}/tags/list"
-}
-
-rename_tag $OLDTAG $NEWTAG
-- 
GitLab