From ce1de8cbd9cb6f8888dff49de7f78b2f585554b0 Mon Sep 17 00:00:00 2001 From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch> Date: Mon, 26 Aug 2024 15:42:38 +0200 Subject: [PATCH 1/9] Update scripts --- .../ci_helpers/list_images.sh | 67 ++++++++++++---- .../ci_helpers/rename_tag.sh | 78 ++++++++++++++----- 2 files changed, 109 insertions(+), 36 deletions(-) diff --git a/continuousintegration/ci_helpers/list_images.sh b/continuousintegration/ci_helpers/list_images.sh index 06fe5ccb72..34f562b0db 100755 --- a/continuousintegration/ci_helpers/list_images.sh +++ b/continuousintegration/ci_helpers/list_images.sh @@ -1,7 +1,7 @@ #!/bin/bash # @project The CERN Tape Archive (CTA) -# @copyright Copyright © 2022 CERN +# @copyright Copyright © 2024 CERN # @license This program is free software, distributed under the terms of the GNU General Public # Licence version 3 (GPL Version 3), copied verbatim in the file "COPYING". You can # redistribute it and/or modify it under the terms of the GPL Version 3, or (at your 
@@ -15,22 +15,59 @@ # granted to it by virtue of its status as an Intergovernmental Organization or # submit itself to any jurisdiction. -# env variables used: -# DOCKER_LOGIN_USERNAME -# DOCKER_LOGIN_PASSWORD -# -# set in /etc/gitlab/gitlabregistry.txt managed by Puppet -. /etc/gitlab/gitlabregistry.txt +list_images() { + # The Kubernetes secret stores a base64 encoded .dockerconfigjson. This json has the following format: + # { + # "auths": { + # "gitlab-registry.cern.ch": { + # "auth": "base64 encoded string of 'username:password'" + # } + # } + # } + + local secret_name="ctaregsecret" + local registry_name="cta/ctageneric" + local gitlab_server="gitlab.cern.ch" + + local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths') + + local docker_registry=$(echo $auth_json | jq -r 'keys[0]') + local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) + local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) + + if [[ -z "$docker_registry" ]]; then + echo "ERROR: Missing required variable: docker_registry" + return 1 + fi + if [[ -z "$docker_login_username" ]]; then + echo "ERROR: Missing required variable: docker_login_username" + return 1 + fi + if [[ -z "$docker_login_password" ]]; then + echo "ERROR: Missing required variable: docker_login_password" + return 1 + fi + + # Retrieve JWT pull token from GitLab + local jwt_pull_token=$(curl -s -u "${docker_login_username}:${docker_login_password}" \ + "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token') -TO=gitlab-registry.cern.ch/cta/ctageneric + if [[ -z "$jwt_pull_token" ]]; then + echo "Error: Failed to retrieve JWT pull token." 
+ return 1 + fi -CI_REGISTRY=$(echo ${TO} | sed -e 's%/.*%%') -REPOSITORY=$(echo ${TO} | sed -e 's%[^/]\+/%%') + # List the tags in the Docker registry repository + local list_response=$(curl -s "https://${docker_registry}/v2/${registry_name}/tags/list" -H "Authorization: Bearer ${jwt_pull_token}") + local tags=$(echo "$list_response" | jq -c ".tags[]" | sed -e 's/^"//;s/"$//') -GITLAB_HOST=gitlab.cern.ch + if [[ -z "$tags" ]]; then + echo "Error: Failed to retrieve tags from repository:" + echo "$list_response" + return 1 + fi -JWT_PULL_PUSH_TOKEN=$(curl -q -u ${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD} \ - "https://${GITLAB_HOST}/jwt/auth?service=container_registry&scope=repository:${REPOSITORY}:pull,push" | cut -d\" -f4 ) + echo "$tags" +} -# echo "List of tags in registry" -curl "https://${CI_REGISTRY}/v2/${REPOSITORY}/tags/list" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}" | jq -c ".tags[]" | sed -e 's/^"//;s/"$//' +list_images \ No newline at end of file diff --git a/continuousintegration/ci_helpers/rename_tag.sh b/continuousintegration/ci_helpers/rename_tag.sh index c014ae0a0d..52350288ef 100755 --- a/continuousintegration/ci_helpers/rename_tag.sh +++ b/continuousintegration/ci_helpers/rename_tag.sh @@ -1,7 +1,7 @@ #!/bin/bash # @project The CERN Tape Archive (CTA) -# @copyright Copyright © 2022 CERN +# @copyright Copyright © 2022-2024 CERN # @license This program is free software, distributed under the terms of the GNU General Public # Licence version 3 (GPL Version 3), copied verbatim in the file "COPYING". You can # redistribute it and/or modify it under the terms of the GPL Version 3, or (at your 
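Review bot: The `-z "$jwt_pull_token"` guard does not catch an authentication failure, because `jq -r '.token'` prints the literal string `null` when the response carries no `token` field, so the function continues to the tags request with `Bearer null`; the guard should read `if [[ -z "$jwt_pull_token" || "$jwt_pull_token" == "null" ]]; then`. The same guard appears in the rename_tag.sh hunk of this commit and in check_registry_credentials.sh in patch 4/9. In the credential extraction, `cut -d: -f2` drops everything after a second colon in the password (use `-f2-`), and `.[].auth` emits one line per registry entry while `keys[0]` takes only the first, so a `.dockerconfigjson` with several registries yields a multi-line username. Listing tags needs only `pull`, so the requested scope `pull,push` is wider than this script uses, and the `ERROR:`/`Error:` lines are written to stdout, the stream callers read the tag list from, where `>&2` would keep them apart. `curl -u "user:password"` also exposes the password in the process list for the lifetime of the request; `curl -K -` with a `user = "..."` line fed on stdin avoids that.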
@@ -16,35 +16,71 @@ # submit itself to any jurisdiction. # env variables used: -# DOCKER_LOGIN_USERNAME -# DOCKER_LOGIN_PASSWORD # OLDTAG # NEWTAG -# TO=gitlab-registry.cern.ch/cta/cta-orchestration +rename_tag() { + # Usage: rename_tag <old_tag> <new_tag> + local old_tag=$1 + local new_tag=$2 -CI_REGISTRY=$(echo ${TO} | sed -e 's%/.*%%') -REPOSITORY=$(echo ${TO} | sed -e 's%[^/]\+/%%') + if [[ "-${old_tag}-" == "-${new_tag}-" ]]; then + echo "The 2 tags are identical: ${old_tag}/${new_tag} no need to rename" + exit 0 + fi -GITLAB_HOST=gitlab.cern.ch + local secret_name="ctaregsecret" + local registry_name="cta/cta-orchestration" + local gitlab_server="gitlab.cern.ch" -if [[ "-${OLDTAG}-" == "-${NEWTAG}-" ]]; then - echo "The 2 tags are identical: ${OLDTAG}/${NEWTAG} no need to rename" - exit 0 -fi + local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths') -JWT_PULL_PUSH_TOKEN=$(curl -q -u ${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD} \ - "https://${GITLAB_HOST}/jwt/auth?service=container_registry&scope=repository:${REPOSITORY}:pull,push" | cut -d\" -f4 ) + local docker_registry=$(echo $auth_json | jq -r 'keys[0]') + local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) + local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) -echo "List of tags in registry" -curl "https://${CI_REGISTRY}/v2/${REPOSITORY}/tags/list" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}" + if [[ -z "$docker_registry" ]]; then + echo "ERROR: Missing required variable: docker_registry" + return 1 + fi + if [[ -z "$docker_login_username" ]]; then + echo "ERROR: Missing required variable: docker_login_username" + return 1 + fi + if [[ -z "$docker_login_password" ]]; then + echo "ERROR: Missing required variable: docker_login_password" + return 1 + fi + local jwt_push_pull_token=$(curl -s -u 
${docker_login_username}:${docker_login_password} \ + "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token') -echo "Pulling the manifest of tag:${OLDTAG}" -curl "https://${CI_REGISTRY}/v2/${REPOSITORY}/manifests/${OLDTAG}" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}" -H 'accept: application/vnd.docker.distribution.manifest.v2+json' > manifest.json + if [[ -z "$jwt_push_pull_token" ]]; then + echo "Error: Failed to retrieve JWT pull token." + return 1 + fi -echo "Pushing new tag: ${NEWTAG}" -curl -XPUT "https://${CI_REGISTRY}/v2/${REPOSITORY}/manifests/${NEWTAG}" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}" -H 'content-type: application/vnd.docker.distribution.manifest.v2+json' -d '@manifest.json' -v + echo "List of tags in registry" + curl -H "Authorization: Bearer ${jwt_push_pull_token}" \ + "https://${docker_registry}/v2/${registry_name}/tags/list" -echo "List of tags in registry" -curl "https://${CI_REGISTRY}/v2/${REPOSITORY}/tags/list" -H "Authorization: Bearer ${JWT_PULL_PUSH_TOKEN}" + + echo "Pulling the manifest of tag:${old_tag}" + curl -H "Authorization: Bearer ${jwt_push_pull_token}" \ + -H 'accept: application/vnd.docker.distribution.manifest.v2+json' \ + "https://${docker_registry}/v2/${registry_name}/manifests/${old_tag}" > manifest.json + + echo "Pushing new tag: ${new_tag}" + curl -XPUT \ + -H "Authorization: Bearer ${jwt_push_pull_token}" \ + -H 'content-type: application/vnd.docker.distribution.manifest.v2+json' \ + -d '@manifest.json' \ + "https://${docker_registry}/v2/${registry_name}/manifests/${new_tag}" \ + -v + + echo "List of tags in registry" + curl -H "Authorization: Bearer ${jwt_push_pull_token}" \ + "https://${docker_registry}/v2/${registry_name}/tags/list" +} + +rename_tag $OLDTAG $NEWTAG \ No newline at end of file -- GitLab From 24f530c2982f471ad7d3606c1651b11358f67f84 Mon Sep 17 00:00:00 2001 
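Review bot: The `-v` on the `curl -XPUT` manifest push writes the outgoing request headers, including `Authorization: Bearer ${jwt_push_pull_token}`, to stderr, so the registry token lands in the CI job log; drop `-v` (or use `-sS --fail`) now that the token is obtained from a cluster secret. The `-u ${docker_login_username}:${docker_login_password}` on the token request is unquoted here while list_images.sh quotes it; write `-u "${docker_login_username}:${docker_login_password}"`. The manifest redirected into `manifest.json` is pushed without checking that the pull succeeded, so a registry error body would be PUT as the new tag; `curl --fail ... -o manifest.json || return 1` would stop that. The entry call `rename_tag $OLDTAG $NEWTAG` should quote its arguments, since an unset OLDTAG silently shifts NEWTAG into `$1`.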
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch> Date: Mon, 26 Aug 2024 15:43:45 +0200 Subject: [PATCH 2/9] Update release notes --- ReleaseNotes.md | 1 + 1 file changed, 1 insertion(+) diff --git a/ReleaseNotes.md b/ReleaseNotes.md index 25db00fc1a..c5227df87b 100644 --- a/ReleaseNotes.md +++ b/ReleaseNotes.md @@ -53,6 +53,7 @@ - cta/CTA#847 - Introduced version-lock for Oracle instant client - cta/CTA#821 - Improved pipeline logic for faster performance and correct cancel propagation - cta/CTA#708 - Added a basic test for the archive metadata to the CI +- cta/CTA#835 - Refactor scripts that made use of /etc/gitlab/gitlabregistry.txt to use kubernetes secret instead ### Catalogue Schema - cta/CTA#801 - Update CTA catalogue schema to version 15.0 -- GitLab From 48c2f6c18c4fd2aa8903fb8f0f5c50eb3ca24021 Mon Sep 17 00:00:00 2001 From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch> Date: Tue, 27 Aug 2024 09:28:06 +0200 Subject: [PATCH 3/9] Added newline at end of file --- continuousintegration/ci_helpers/list_images.sh | 2 +- continuousintegration/ci_helpers/rename_tag.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/continuousintegration/ci_helpers/list_images.sh b/continuousintegration/ci_helpers/list_images.sh index 34f562b0db..5d38d62ae0 100755 --- a/continuousintegration/ci_helpers/list_images.sh +++ b/continuousintegration/ci_helpers/list_images.sh @@ -70,4 +70,4 @@ list_images() { echo "$tags" } -list_images \ No newline at end of file +list_images diff --git a/continuousintegration/ci_helpers/rename_tag.sh b/continuousintegration/ci_helpers/rename_tag.sh index 52350288ef..703ad125da 100755 --- a/continuousintegration/ci_helpers/rename_tag.sh +++ b/continuousintegration/ci_helpers/rename_tag.sh @@ -83,4 +83,4 @@ rename_tag() { "https://${docker_registry}/v2/${registry_name}/tags/list" } -rename_tag $OLDTAG $NEWTAG \ No newline at end of file +rename_tag $OLDTAG $NEWTAG -- GitLab 
From 07644dac0a1c98dd67a2932d1f6c814254f09889 Mon Sep 17 00:00:00 2001 From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch> Date: Mon, 2 Sep 2024 17:47:34 +0200 Subject: [PATCH 4/9] Added script to verify credentials --- .../ci_helpers/check_registry_credentials.sh | 66 +++++++++++++++++++ .../orchestration/create_instance.sh | 5 ++ 2 files changed, 71 insertions(+) create mode 100755 continuousintegration/ci_helpers/check_registry_credentials.sh diff --git a/continuousintegration/ci_helpers/check_registry_credentials.sh b/continuousintegration/ci_helpers/check_registry_credentials.sh new file mode 100755 index 0000000000..401edcecfb --- /dev/null +++ b/continuousintegration/ci_helpers/check_registry_credentials.sh 
@@ -0,0 +1,66 @@ +#!/bin/bash + +# @project The CERN Tape Archive (CTA) +# @copyright Copyright © 2024 CERN +# @license This program is free software, distributed under the terms of the GNU General Public +# Licence version 3 (GPL Version 3), copied verbatim in the file "COPYING". You can +# redistribute it and/or modify it under the terms of the GPL Version 3, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more details. +# +# In applying this licence, CERN does not waive the privileges and immunities +# granted to it by virtue of its status as an Intergovernmental Organization or +# submit itself to any jurisdiction. + +check_credentials() { + # The Kubernetes secret stores a base64 encoded .dockerconfigjson. This json has the following format: + # { + # "auths": { + # "gitlab-registry.cern.ch": { + # "auth": "base64 encoded string of 'username:password'" + # } + # } + # } + + local secret_name="ctaregsecret" + local registry_name="cta/ctageneric" + local gitlab_server="gitlab.cern.ch" + + local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths') + + local docker_registry=$(echo $auth_json | jq -r 'keys[0]') + local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) + local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) + + if [[ -z "$docker_registry" ]]; then + echo "ERROR: Missing required variable: docker_registry" + return 1 + fi + if [[ -z "$docker_login_username" ]]; then + echo "ERROR: Missing required variable: docker_login_username" + return 1 + fi + if [[ -z "$docker_login_password" ]]; then + echo "ERROR: Missing required variable: docker_login_password" + return 1 + fi + + # 
Retrieve JWT pull token from GitLab + local jwt_pull_token=$(curl -s -u "${docker_login_username}:${docker_login_password}" \ + "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token') + + if [[ -z "$jwt_pull_token" ]]; then + echo "Error: Failed to retrieve JWT pull token." + echo "\tRegistry: $docker_registry" + echo "\tUsername: $docker_login_username" + return 1 + fi + + echo "Credentials verified" + return 0 +} + +check_credentials diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh index e6e4e6f7c9..ce15571c5d 100755 --- a/continuousintegration/orchestration/create_instance.sh +++ b/continuousintegration/orchestration/create_instance.sh @@ -166,6 +166,11 @@ if [ "$updatedatabasetest" == "1" ] ; then fi # We are going to run with repository based images (they have rpms embedded) +../ci_helpers/check_registry_credentials.sh +if [ $? -ne 0 ]; then + echo "Error: Credential check failed" + exit 1 +fi if [[ ${systest_only} -eq 1 ]]; then COMMITID=$(curl --url "https://gitlab.cern.ch/api/v4/projects/139306/repository/commits" | jq -cr '.[0] | .short_id' | sed -e 's/\(........\).*/\1/') else -- GitLab From 3fb8f1f982f80f76970643746db31992b74b97a3 Mon Sep 17 00:00:00 2001 From: Niels <bugel.niels@gmail.com> Date: Tue, 3 Sep 2024 10:54:45 +0200 Subject: [PATCH 5/9] Changed error capitalization --- .../ci_helpers/check_registry_credentials.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/continuousintegration/ci_helpers/check_registry_credentials.sh b/continuousintegration/ci_helpers/check_registry_credentials.sh index 401edcecfb..2161a27d66 100755 --- a/continuousintegration/ci_helpers/check_registry_credentials.sh +++ b/continuousintegration/ci_helpers/check_registry_credentials.sh 
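Review bot: `echo "\tRegistry: $docker_registry"` prints a literal backslash-t, because bash's `echo` does not interpret escapes without `-e`; use `printf '\tRegistry: %s\n' "$docker_registry"` and the same for the username line. Since this script only verifies that the credentials work, the scope `repository:${registry_name}:pull,push` is broader than the check needs; `pull` suffices. The `Error:` lines go to stdout; create_instance.sh only inspects the exit status today, but `>&2` keeps them out of any captured output should the script later be used in a command substitution. A one-line header such as `# Verifies that the registry credentials in the ctaregsecret secret can obtain a GitLab registry JWT; exit 0 on success` would document the contract.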
@@ -36,15 +36,15 @@ check_credentials() { local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) if [[ -z "$docker_registry" ]]; then - echo "ERROR: Missing required variable: docker_registry" + echo "Error: Missing required variable: docker_registry" return 1 fi if [[ -z "$docker_login_username" ]]; then - echo "ERROR: Missing required variable: docker_login_username" + echo "Error: Missing required variable: docker_login_username" return 1 fi if [[ -z "$docker_login_password" ]]; then - echo "ERROR: Missing required variable: docker_login_password" + echo "Error: Missing required variable: docker_login_password" return 1 fi -- GitLab From d86626e2de69aa978db00a67b33dceef8f8fd41a Mon Sep 17 00:00:00 2001 From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch> Date: Tue, 3 Sep 2024 17:11:19 +0200 Subject: [PATCH 6/9] Added fallback for registry credentials --- .../ci_helpers/check_registry_credentials.sh | 38 ++++++++++++------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/continuousintegration/ci_helpers/check_registry_credentials.sh b/continuousintegration/ci_helpers/check_registry_credentials.sh index 2161a27d66..56dd060cca 100755 --- a/continuousintegration/ci_helpers/check_registry_credentials.sh +++ b/continuousintegration/ci_helpers/check_registry_credentials.sh @@ -15,6 +15,10 @@ # granted to it by virtue of its status as an Intergovernmental Organization or # submit itself to any jurisdiction. +secret_is_dockerconfigjson() { + test $(kubectl get secret $1 -o jsonpath='{.type}') == "kubernetes.io/dockerconfigjson" +} + check_credentials() { # The Kubernetes secret stores a base64 encoded .dockerconfigjson. This json has the following format: # { 
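Review bot: In `secret_is_dockerconfigjson`, the unquoted `$(kubectl get secret $1 -o jsonpath='{.type}')` expands to nothing when the secret does not exist or kubectl fails, so `test` sees only `== "kubernetes.io/dockerconfigjson"` and prints a unary-operator error on stderr before the caller falls back, and the kubectl error is printed as well. Quote the substitution and use the bash test, `[[ "$(kubectl get secret "$1" -o jsonpath='{.type}' 2>/dev/null)" == "kubernetes.io/dockerconfigjson" ]]`, which makes a missing secret a clean false. A header such as `# Returns 0 if secret $1 is of type kubernetes.io/dockerconfigjson, non-zero otherwise` would document the contract.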
@@ -29,33 +33,41 @@ check_credentials() { local registry_name="cta/ctageneric" local gitlab_server="gitlab.cern.ch" - local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths') + # These variable are capatalised to match the variable in gitlabregistry.txt + local DOCKER_REGISTRY=$(echo $auth_json | jq -r 'keys[0]') + local DOCKER_LOGIN_USERNAME=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) + local DOCKER_LOGIN_PASSWORD=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) + if secret_is_dockerconfigjson $secret_name ; then + local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths') - local docker_registry=$(echo $auth_json | jq -r 'keys[0]') - local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) - local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) + DOCKER_REGISTRY=$(echo $auth_json | jq -r 'keys[0]') + DOCKER_LOGIN_USERNAME=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) + DOCKER_LOGIN_PASSWORD=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) + else + source /etc/gitlab/gitlabregistry.txt + fi - if [[ -z "$docker_registry" ]]; then - echo "Error: Missing required variable: docker_registry" + if [[ -z "$DOCKER_REGISTRY" ]]; then + echo "Error: Missing required variable: DOCKER_REGISTRY" return 1 fi - if [[ -z "$docker_login_username" ]]; then - echo "Error: Missing required variable: docker_login_username" + if [[ -z "$DOCKER_LOGIN_USERNAME" ]]; then + echo "Error: Missing required variable: DOCKER_LOGIN_USERNAME" return 1 fi - if [[ -z "$docker_login_password" ]]; then - echo "Error: Missing required variable: docker_login_password" + if [[ -z "$DOCKER_LOGIN_PASSWORD" ]]; then + echo "Error: Missing required variable: DOCKER_LOGIN_PASSWORD" return 1 fi # 
Retrieve JWT pull token from GitLab - local jwt_pull_token=$(curl -s -u "${docker_login_username}:${docker_login_password}" \ + local jwt_pull_token=$(curl -s -u "${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD}" \ "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token') if [[ -z "$jwt_pull_token" ]]; then echo "Error: Failed to retrieve JWT pull token." - echo "\tRegistry: $docker_registry" - echo "\tUsername: $docker_login_username" + echo "\tRegistry: $DOCKER_REGISTRY" + echo "\tUsername: $DOCKER_LOGIN_USERNAME" return 1 fi -- GitLab From 96d6eb4acdc013fbe787f2c9c4f3618630408e7e Mon Sep 17 00:00:00 2001 From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch> Date: Tue, 3 Sep 2024 17:48:39 +0200 Subject: [PATCH 7/9] Reduced code duplication with credential extraction --- ...entials.sh => get_registry_credentials.sh} | 29 +++++++++++----- .../ci_helpers/list_images.sh | 34 ++++--------------- .../ci_helpers/rename_tag.sh | 30 +++------------- .../orchestration/create_instance.sh | 6 +--- 4 files changed, 34 insertions(+), 65 deletions(-) rename continuousintegration/ci_helpers/{check_registry_credentials.sh => get_registry_credentials.sh} (83%) diff --git a/continuousintegration/ci_helpers/check_registry_credentials.sh b/continuousintegration/ci_helpers/get_registry_credentials.sh similarity index 83% rename from continuousintegration/ci_helpers/check_registry_credentials.sh rename to continuousintegration/ci_helpers/get_registry_credentials.sh index 56dd060cca..dbe2c0438c 100755 --- a/continuousintegration/ci_helpers/check_registry_credentials.sh +++ b/continuousintegration/ci_helpers/get_registry_credentials.sh 
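Review bot: The fallback `source /etc/gitlab/gitlabregistry.txt` runs with no check that the file exists or is readable, so on a node without it the function prints a shell error and continues into the `-z` checks; guard it with `[[ -r /etc/gitlab/gitlabregistry.txt ]] || { echo "Error: no dockerconfigjson secret and no /etc/gitlab/gitlabregistry.txt" >&2; return 1; }`. Sourcing executes the file as shell, so the comment above the fallback should state which variables the file is expected to define (the three `-z` checks below require all of them) and that it must contain nothing else. The comment `# These variable are capatalised to match the variable in gitlabregistry.txt` has two typos: `# These variables are capitalised to match the variables in gitlabregistry.txt`. check_credentials continues past the end of this hunk.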
@@ -19,7 +19,7 @@ secret_is_dockerconfigjson() { test $(kubectl get secret $1 -o jsonpath='{.type}') == "kubernetes.io/dockerconfigjson" } -check_credentials() { +get_credentials() { # The Kubernetes secret stores a base64 encoded .dockerconfigjson. This json has the following format: # { # "auths": { @@ -29,14 +29,23 @@ check_credentials() { # } # } + local check_mode=false + while [[ "$#" -gt 0 ]]; do + case $1 in + --check) check_mode=true ;; + *) echo "Unknown option: $1" ;; + esac + shift + done + local secret_name="ctaregsecret" local registry_name="cta/ctageneric" local gitlab_server="gitlab.cern.ch" # These variable are capatalised to match the variable in gitlabregistry.txt - local DOCKER_REGISTRY=$(echo $auth_json | jq -r 'keys[0]') - local DOCKER_LOGIN_USERNAME=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) - local DOCKER_LOGIN_PASSWORD=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) + local DOCKER_REGISTRY="" + local DOCKER_LOGIN_USERNAME="" + local DOCKER_LOGIN_PASSWORD="" if secret_is_dockerconfigjson $secret_name ; then local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths') 
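Review bot: In the option loop of the second hunk, `*) echo "Unknown option: $1" ;;` writes to stdout and keeps going, and stdout is the channel through which list_images.sh and rename_tag.sh capture the token, so a mistyped option would be handed to the caller as the bearer token; make it `*) echo "Unknown option: $1" >&2; return 2 ;;`. The function's calling convention is not documented; a header such as `# Usage: get_credentials [--check]  — prints the registry JWT on stdout, or with --check only verifies the credentials` would help. get_credentials continues outside this hunk.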
@@ -61,18 +70,22 @@ check_credentials() { fi # Retrieve JWT pull token from GitLab - local jwt_pull_token=$(curl -s -u "${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD}" \ + local jwt_token=$(curl -s -u "${DOCKER_LOGIN_USERNAME}:${DOCKER_LOGIN_PASSWORD}" \ "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token') - if [[ -z "$jwt_pull_token" ]]; then + if [[ -z "$jwt_token" ]]; then echo "Error: Failed to retrieve JWT pull token." echo "\tRegistry: $DOCKER_REGISTRY" echo "\tUsername: $DOCKER_LOGIN_USERNAME" return 1 fi - echo "Credentials verified" + if [[ $check_only == true ]]; then + echo "Credentials verified" + else + echo $jwt_token + fi return 0 } -check_credentials +get_credentials "$@" \ No newline at end of file diff --git a/continuousintegration/ci_helpers/list_images.sh b/continuousintegration/ci_helpers/list_images.sh index 5d38d62ae0..0d86c6645e 100755 --- a/continuousintegration/ci_helpers/list_images.sh +++ b/continuousintegration/ci_helpers/list_images.sh 
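Review bot: The branch `if [[ $check_only == true ]]` tests a variable that is never assigned; the option loop earlier in this file sets `check_mode`, so `--check` has no effect and the script always reaches `echo $jwt_token`, which means the `--check` call added to create_instance.sh in this commit prints the registry JWT into the CI job log instead of `Credentials verified`. Change the condition to `if [[ "$check_mode" == true ]]; then` here and in the `if [[ $check_only == true ]]` added to the fallback branch in patch 8/9, and quote the output as `echo "$jwt_token"`. get_credentials starts outside this hunk.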
@@ -25,40 +25,20 @@ list_images() { # } # } - local secret_name="ctaregsecret" local registry_name="cta/ctageneric" - local gitlab_server="gitlab.cern.ch" + local docker_registry="gitlab-registry.cern.ch" - local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths') + + local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + local jwt_token=$(bash ${script_dir}/get_registry_credentials.sh) - local docker_registry=$(echo $auth_json | jq -r 'keys[0]') - local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) - local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) - - if [[ -z "$docker_registry" ]]; then - echo "ERROR: Missing required variable: docker_registry" - return 1 - fi - if [[ -z "$docker_login_username" ]]; then - echo "ERROR: Missing required variable: docker_login_username" - return 1 - fi - if [[ -z "$docker_login_password" ]]; then - echo "ERROR: Missing required variable: docker_login_password" - return 1 - fi - - # Retrieve JWT pull token from GitLab - local jwt_pull_token=$(curl -s -u "${docker_login_username}:${docker_login_password}" \ - "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token') - - if [[ -z "$jwt_pull_token" ]]; then - echo "Error: Failed to retrieve JWT pull token." + if [[ -z "$jwt_token" ]]; then + echo "Error: Failed to retrieve JWT token." return 1 fi # List the tags in the Docker registry repository - local list_response=$(curl -s "https://${docker_registry}/v2/${registry_name}/tags/list" -H "Authorization: Bearer ${jwt_pull_token}") + local list_response=$(curl -s "https://${docker_registry}/v2/${registry_name}/tags/list" -H "Authorization: Bearer ${jwt_token}") local tags=$(echo "$list_response" | jq -c ".tags[]" | sed -e 's/^"//;s/"$//') if [[ -z "$tags" ]]; then 
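Review bot: `local jwt_token=$(bash ${script_dir}/get_registry_credentials.sh)` captures whatever the child prints on stdout, and get_registry_credentials.sh prints its `Error: ...` lines there, so on a credential failure `jwt_token` holds an error message, the `-z` guard passes, and the tags request is sent with that text as the bearer; split the declaration and use the exit status instead: `local jwt_token` then `jwt_token=$(bash "${script_dir}/get_registry_credentials.sh") || return 1`. The `${script_dir}` expansion is unquoted as well. The registry host is now hard-coded as `gitlab-registry.cern.ch` while the credentials come from whichever registry key the secret holds; if those can diverge the script would authenticate against one host and query another, which a comment on the `docker_registry` line should acknowledge. The same capture pattern appears in the rename_tag.sh hunk of this commit.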
diff --git a/continuousintegration/ci_helpers/rename_tag.sh b/continuousintegration/ci_helpers/rename_tag.sh index 703ad125da..f254f20551 100755 --- a/continuousintegration/ci_helpers/rename_tag.sh +++ b/continuousintegration/ci_helpers/rename_tag.sh @@ -29,34 +29,14 @@ rename_tag() { exit 0 fi - local secret_name="ctaregsecret" local registry_name="cta/cta-orchestration" - local gitlab_server="gitlab.cern.ch" + local docker_registry="gitlab-registry.cern.ch" - local auth_json=$(kubectl get secret $secret_name -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | jq -r '.auths') + local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + local jwt_token=$(bash ${script_dir}/get_registry_credentials.sh) - local docker_registry=$(echo $auth_json | jq -r 'keys[0]') - local docker_login_username=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) - local docker_login_password=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) - - if [[ -z "$docker_registry" ]]; then - echo "ERROR: Missing required variable: docker_registry" - return 1 - fi - if [[ -z "$docker_login_username" ]]; then - echo "ERROR: Missing required variable: docker_login_username" - return 1 - fi - if [[ -z "$docker_login_password" ]]; then - echo "ERROR: Missing required variable: docker_login_password" - return 1 - fi - - local jwt_push_pull_token=$(curl -s -u ${docker_login_username}:${docker_login_password} \ - "https://${gitlab_server}/jwt/auth?service=container_registry&scope=repository:${registry_name}:pull,push" | jq -r '.token') - - if [[ -z "$jwt_push_pull_token" ]]; then - echo "Error: Failed to retrieve JWT pull token." + if [[ -z "$jwt_token" ]]; then + echo "Error: Failed to retrieve JWT token." return 1 fi diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh index ce15571c5d..6c8222d18e 100755 --- a/continuousintegration/orchestration/create_instance.sh 
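Review bot: After this hunk the token is stored in `jwt_token`, but the curl calls further down in rename_tag (outside the hunk) still read `${jwt_push_pull_token}`, as the deletion in patch 9/9 shows, so every registry request after this commit is sent with an empty `Authorization: Bearer` header; rename those references to `${jwt_token}` or keep the old variable name here. The `$(bash ${script_dir}/get_registry_credentials.sh)` capture has the same stdout/exit-status problem described for list_images.sh. rename_tag continues past the end of this hunk.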
+++ b/continuousintegration/orchestration/create_instance.sh @@ -166,11 +166,7 @@ if [ "$updatedatabasetest" == "1" ] ; then fi # We are going to run with repository based images (they have rpms embedded) -../ci_helpers/check_registry_credentials.sh -if [ $? -ne 0 ]; then - echo "Error: Credential check failed" - exit 1 -fi +../ci_helpers/get_registry_credentials.sh --check || { echo "Error: Credential check failed"; exit 1; } if [[ ${systest_only} -eq 1 ]]; then COMMITID=$(curl --url "https://gitlab.cern.ch/api/v4/projects/139306/repository/commits" | jq -cr '.[0] | .short_id' | sed -e 's/\(........\).*/\1/') else -- GitLab From 198ff2db0e51e218302fd55eb71ef2e0963fa24d Mon Sep 17 00:00:00 2001 From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch> Date: Wed, 4 Sep 2024 13:28:35 +0200 Subject: [PATCH 8/9] Added extra log statement --- continuousintegration/ci_helpers/get_registry_credentials.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/continuousintegration/ci_helpers/get_registry_credentials.sh b/continuousintegration/ci_helpers/get_registry_credentials.sh index dbe2c0438c..d26cbb3a54 100755 --- a/continuousintegration/ci_helpers/get_registry_credentials.sh +++ b/continuousintegration/ci_helpers/get_registry_credentials.sh @@ -53,6 +53,9 @@ get_credentials() { DOCKER_LOGIN_USERNAME=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f1) DOCKER_LOGIN_PASSWORD=$(echo $auth_json | jq -r '.[].auth' | base64 --decode | cut -d: -f2) else + if [[ $check_only == true ]]; then + echo "No secret with name $secret_name of type \"kubernetes.io/dockerconfigjson\" was found. Falling back to /etc/gitlab/gitlabregistry.txt..." + fi source /etc/gitlab/gitlabregistry.txt fi -- GitLab From 9d57321981bdd16e1dbec259e7afa3fa64e94111 Mon Sep 17 00:00:00 2001 
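Review bot: `../ci_helpers/get_registry_credentials.sh --check` is resolved against the caller's current directory rather than the location of create_instance.sh, so the check only works when the script is run from its own directory; unless an earlier `cd` in this file (not visible here) guarantees that, `"$(dirname "${BASH_SOURCE[0]}")/../ci_helpers/get_registry_credentials.sh" --check` is the safer form. The failure message in `|| { echo "Error: Credential check failed"; exit 1; }` is a diagnostic and belongs on stderr: `echo "Error: Credential check failed" >&2`.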
From: Niels Alexander Buegel <niels.alexander.bugel@cern.ch> Date: Wed, 4 Sep 2024 17:06:44 +0200 Subject: [PATCH 9/9] Removed rename_tag --- .../ci_helpers/rename_tag.sh | 66 ------------------- 1 file changed, 66 deletions(-) delete mode 100755 continuousintegration/ci_helpers/rename_tag.sh diff --git a/continuousintegration/ci_helpers/rename_tag.sh b/continuousintegration/ci_helpers/rename_tag.sh deleted file mode 100755 index f254f20551..0000000000 --- a/continuousintegration/ci_helpers/rename_tag.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash - -# @project The CERN Tape Archive (CTA) -# @copyright Copyright © 2022-2024 CERN -# @license This program is free software, distributed under the terms of the GNU General Public -# Licence version 3 (GPL Version 3), copied verbatim in the file "COPYING". You can -# redistribute it and/or modify it under the terms of the GPL Version 3, or (at your -# option) any later version. -# -# This program is distributed in the hope that it will be useful, but WITHOUT ANY -# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# In applying this licence, CERN does not waive the privileges and immunities -# granted to it by virtue of its status as an Intergovernmental Organization or -# submit itself to any jurisdiction. - -# env variables used: -# OLDTAG -# NEWTAG - -rename_tag() { - # Usage: rename_tag <old_tag> <new_tag> - local old_tag=$1 - local new_tag=$2 - - if [[ "-${old_tag}-" == "-${new_tag}-" ]]; then - echo "The 2 tags are identical: ${old_tag}/${new_tag} no need to rename" - exit 0 - fi - - local registry_name="cta/cta-orchestration" - local docker_registry="gitlab-registry.cern.ch" - - local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - local jwt_token=$(bash ${script_dir}/get_registry_credentials.sh) - - if [[ -z "$jwt_token" ]]; then - echo "Error: Failed to retrieve JWT token." 
- return 1 - fi - - echo "List of tags in registry" - curl -H "Authorization: Bearer ${jwt_push_pull_token}" \ - "https://${docker_registry}/v2/${registry_name}/tags/list" - - - echo "Pulling the manifest of tag:${old_tag}" - curl -H "Authorization: Bearer ${jwt_push_pull_token}" \ - -H 'accept: application/vnd.docker.distribution.manifest.v2+json' \ - "https://${docker_registry}/v2/${registry_name}/manifests/${old_tag}" > manifest.json - - echo "Pushing new tag: ${new_tag}" - curl -XPUT \ - -H "Authorization: Bearer ${jwt_push_pull_token}" \ - -H 'content-type: application/vnd.docker.distribution.manifest.v2+json' \ - -d '@manifest.json' \ - "https://${docker_registry}/v2/${registry_name}/manifests/${new_tag}" \ - -v - - echo "List of tags in registry" - curl -H "Authorization: Bearer ${jwt_push_pull_token}" \ - "https://${docker_registry}/v2/${registry_name}/tags/list" -} - -rename_tag $OLDTAG $NEWTAG -- GitLab