Add a script to update registry credentials

We have a script in https://docs.starlingx.io/dist_cloud/kubernetes/\ updating-docker-registry-credentials-on-a-subcloud.html to update the docker registry credentials on a subcloud. As this script is expected to use in multiple scenarios, this commit adds this script in the /usr/local/bin directory, so it can be called to update the registry credentials. Changes against the original script: 1. Add ghcr-registry as it is newly introduced. 2. Add "source /etc/platform/openrc", so the OpenStack environmental variables can be included. 3. Prompt for input username and password if not provided. Test: 1. Create a patch with the "platform-util-controller" and apply it on an AIOSX controller. 2. Call the script with the sysinv username and password, check the OpenStack secrets payload that the username and password are updated. And the secrets' UUIDs are updated to service parameters. 3. Call the script without username and password, prompt for username and password. 4. Call the script with 3 arguments, exit with an error message and the usage. Partial-Bug: 1947014 Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com> Change-Id: I4d930b06992a22addb15f4d4edcfac31af5d440b
2021-10-19 16:03:10 -04:00 · 2021-10-19 16:03:10 -04:00 · 5bc220bc2b
commit 5bc220bc2b
parent 297a22a401
5 changed files with 96 additions and 2 deletions
--- a/utilities/platform-util/centos/platform-util.spec
+++ b/utilities/platform-util/centos/platform-util.spec
@ -65,6 +65,7 @@ install -m 555 %{_buildsubdir}/scripts/update-iso.sh %{buildroot}%{local_bindir}
 install -m 555 %{_buildsubdir}/scripts/gen-bootloader-iso.sh %{buildroot}%{local_bindir}
 install -m 555 %{_buildsubdir}/scripts/stx-iso-utils.sh %{buildroot}%{local_bindir}
 install -m 555 %{_buildsubdir}/scripts/show-certs.sh %{buildroot}%{local_bindir}
+install -m 555 %{_buildsubdir}/scripts/update_docker_registry_auth.sh %{buildroot}%{local_bindir}

 install -d %{buildroot}%{local_etc_initd}
 install %{_buildsubdir}/scripts/log_functions.sh %{buildroot}%{local_etc_initd}
@ -115,6 +116,7 @@ systemctl enable opt-platform.service
 %{local_bindir}/gen-bootloader-iso.sh
 %{local_bindir}/stx-iso-utils.sh
 %{local_bindir}/show-certs.sh
+%{local_bindir}/update_docker_registry_auth.sh

 %files noncontroller
 %defattr(-,root,root,-)
--- a/utilities/platform-util/debian/deb_folder/controller.install
+++ b/utilities/platform-util/debian/deb_folder/controller.install
@ -2,3 +2,4 @@ scripts/gen-bootloader-iso.sh usr/local/bin
 scripts/show-certs.sh usr/local/bin
 scripts/stx-iso-utils.sh usr/local/bin
 scripts/update-iso.sh usr/local/bin
+scripts/update_docker_registry_auth.sh usr/local/bin
--- a/utilities/platform-util/debian/deb_folder/platform-util-controller.install
+++ b/utilities/platform-util/debian/deb_folder/platform-util-controller.install
@ -2,3 +2,4 @@
 /usr/local/bin/show-certs.sh
 /usr/local/bin/stx-iso-utils.sh
 /usr/local/bin/update-iso.sh
+/usr/local/bin/update_docker_registry_auth.sh
--- a/utilities/platform-util/debian/deb_folder/rules
+++ b/utilities/platform-util/debian/deb_folder/rules
@ -33,6 +33,7 @@ override_dh_auto_install:
 	install -m 555 scripts/gen-bootloader-iso.sh $(DEBIAN_BUILDDIR)/usr/local/bin/
 	install -m 555 scripts/stx-iso-utils.sh $(DEBIAN_BUILDDIR)/usr/local/bin/
 	install -m 555 scripts/show-certs.sh $(DEBIAN_BUILDDIR)/usr/local/bin/
+	install -m 555 scripts/update_docker_registry_auth.sh $(DEBIAN_BUILDDIR)/usr/local/bin/
 	install -m 555 scripts/is-rootdisk-device.sh $(DEBIAN_BUILDDIR)/usr/local/bin/
 	install -m 755 scripts/connectivity_test $(DEBIAN_BUILDDIR)/usr/local/bin/
 	install -m 750 scripts/set_keystone_user_option.sh $(DEBIAN_BUILDDIR)/usr/local/bin/
@ -46,5 +47,5 @@ override_dh_auto_install:

 override_dh_fixperms:
 	dh_fixperms -Xupdate-iso.sh -Xgen-bootloader-iso.sh -Xstx-iso-utils.sh \
-	-Xshow-certs.sh -Xis-rootdisk-device.sh -Xpatch-restart-* -Xconnectivity_test \
-	-Xset_keystone_user_option.sh
+	-Xshow-certs.sh -Xupdate_docker_registry_auth.sh -Xis-rootdisk-device.sh \
+	-Xpatch-restart-* -Xconnectivity_test -Xset_keystone_user_option.sh
--- a/utilities/platform-util/scripts/update_docker_registry_auth.sh
+++ b/utilities/platform-util/scripts/update_docker_registry_auth.sh
@ -0,0 +1,89 @@
+#!/bin/bash -e
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This script is to update the docker registry credentials
+#
+
+USAGE="Usage: ${0##*/} <username> <password>"
+
+get_password()
+{
+    read -s -p "Password of ${usr}: " pw
+    echo
+    read -s -p "Password of ${usr} (again): " pw2
+    while [ "${pw}" != "${pw2}" ]; do
+        echo
+        echo "Incorrect input of password, please try again."
+        read -s -p "Password of ${usr}: " pw
+        echo
+        read -s -p "Password of ${usr} (again): " pw2
+    done
+}
+
+if [ $# -eq 0 ]; then
+    read -p "Username: " usr
+    get_password
+elif [ $# -eq 1 ]; then
+    usr=${1}
+    get_password
+elif [ $# -eq 2 ]; then
+    usr=${1}
+    pw=${2}
+else
+    echo Too many arguments.
+    echo $USAGE
+    echo
+    exit
+fi
+
+NEW_CREDS="username:${usr} password:${pw}"
+
+echo
+
+source /etc/platform/openrc
+
+for REGISTRY in docker-registry quay-registry elastic-registry gcr-registry \
+    k8s-registry ghcr-registry; do
+    echo -n "Updating" $REGISTRY "credentials ."
+    SECRET_UUID=$(system service-parameter-list | fgrep $REGISTRY |\
+        fgrep auth-secret | awk '{print $10}')
+    if [ -z "$SECRET_UUID" ]; then
+        echo "No $REGISTRY entry in service-parameters"
+        echo
+        continue
+    fi
+
+    SECRET_REF=$(openstack secret list | fgrep ${SECRET_UUID} |\
+        awk '{print $2}')
+    echo -n "."
+    SECRET_VALUE=$(openstack secret get ${SECRET_REF} --payload -f value)
+    echo -n "."
+    openstack secret delete ${SECRET_REF} > /dev/null
+    echo -n "."
+    NEW_SECRET_VALUE=$NEW_CREDS
+    openstack secret store -n ${REGISTRY}-secret -p "${NEW_SECRET_VALUE}" \
+        >/dev/null
+    echo -n "."
+    NEW_SECRET_REF=$(openstack secret list | fgrep ${REGISTRY}-secret |\
+        awk '{print $2}')
+    NEW_SECRET_UUID=$(echo "${NEW_SECRET_REF}" | awk -F/ '{print $6}')
+    system service-parameter-modify docker $REGISTRY \
+        auth-secret="${NEW_SECRET_UUID}" > /dev/null
+    echo -n "."
+    echo " done."
+
+    echo -n "Validating $REGISTRY credentials updated to:  "
+    SECRET_UUID=$(system service-parameter-list | fgrep $REGISTRY |\
+        fgrep auth-secret | awk '{print $10}')
+    if [ -z "$SECRET_UUID" ]; then
+        continue
+    fi
+    SECRET_REF=$(openstack secret list | fgrep ${SECRET_UUID} | awk '{print $2}')
+    SECRET_VALUE=$(openstack secret get ${SECRET_REF} --payload -f value)
+    echo $SECRET_VALUE
+
+    echo
+done