From f4db0f097927f606364069f9123332240b24c28e Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Mon, 18 Mar 2019 08:09:27 -0700
Subject: [PATCH] buildset registry: don't put skopeo creds on command line

Use the docker user config file rather than the skopeo command line when performing skopeo push/pull operations. This should allow us to log the command.

Change-Id: If6b1f3ab34461d77e619b188f48c5d209df7afce
---
 .../tasks/main.yaml | 76 ++++++++++++++++---
 .../tasks/push-image.yaml | 3 -
 .../tasks/push.yaml | 68 +++++++++++++++--
 3 files changed, 129 insertions(+), 18 deletions(-)
diff --git a/roles/pull-from-intermediate-registry/tasks/main.yaml b/roles/pull-from-intermediate-registry/tasks/main.yaml
index 985020a2d..4f9078284 100644
--- a/roles/pull-from-intermediate-registry/tasks/main.yaml
+++ b/roles/pull-from-intermediate-registry/tasks/main.yaml
@@ -11,13 +11,69 @@ copy: content: "{{ buildset_registry.cert }}" dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt" -- name: Pull artifact from intermediate registry - command: >- - skopeo --insecure-policy copy - --src-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }} - --dest-creds={{ buildset_registry.username }}:{{ buildset_registry.password }} - {{ item.url }} - docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }} - when: "item.metadata.type | default('') == 'container_image'" - loop: "{{ zuul.artifacts | default([]) }}" - no_log: true + + +# Update user config for intermediate and buildset registries +- name: Ensure docker user directory exists + file: + state: directory + path: "~/.docker" + mode: 0700 +- name: Check if docker user configuration exists + stat: + path: "~/.docker/config.json" + register: docker_config_stat +- name: Load docker user configuration + when: docker_config_stat.stat.exists + slurp: + path: "~/.docker/config.json" + register: docker_config +- name: Parse docker user configuration + when: docker_config_stat.stat.exists + set_fact: + docker_config: "{{ docker_config.content | b64decode | from_json }}" +- name: Set default docker user configuration + when: not docker_config_stat.stat.exists + set_fact: + docker_config: + auths: {} +- name: Add registry to docker user configuration + vars: + new_config: + auths: | + { + "{{ intermediate_registry.host }}:{{ intermediate_registry.port }}": + {"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"}, + "{{ intermediate_registry.host }}:{{ intermediate_registry.proxy_port }}": + {"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"} + "{{ buildset_registry.host }}:{{ buildset_registry.port }}": + {"auth": "{{ (buildset_registry.username + ":" + 
buildset_registry.password) | b64encode }}"}, + "{{ buildset_registry.host }}:{{ buildset_registry.proxy_port }}": + {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"} + } + set_fact: + new_docker_config: "{{ docker_config | combine(new_config, recursive=True) }}" +- name: Save docker user configuration + copy: + content: "{{ new_docker_config | to_nice_json }}" + dest: "~/.docker/config.json" + mode: 0600 + +# Pull the images +- name: Pull artifacts from intermediate registry + block: + - name: Pull artifacts from intermediate registry + command: >- + skopeo --insecure-policy copy + {{ item.url }} + docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }} + when: "item.metadata.type | default('') == 'container_image'" + loop: "{{ zuul.artifacts | default([]) }}" + always: + - name: Remove docker user config + command: "shred ~/.docker/config.json" + - name: Replace docker user configuration + copy: + content: "{{ docker_config | to_nice_json }}" + dest: "~/.docker/config.json" + mode: 0600
diff --git a/roles/push-to-intermediate-registry/tasks/push-image.yaml b/roles/push-to-intermediate-registry/tasks/push-image.yaml
index 155681155..0721a771a 100644
--- a/roles/push-to-intermediate-registry/tasks/push-image.yaml
+++ b/roles/push-to-intermediate-registry/tasks/push-image.yaml
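Review bot: The JSON literal under `new_config.auths` is missing a comma after the `intermediate_registry.proxy_port` entry, directly before the `"{{ buildset_registry.host }}:{{ buildset_registry.port }}":` key, so it is not valid JSON; the push.yaml hunk has the identical omission. The line should end `{"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"},`, and since the value only becomes a mapping if Ansible's implicit string-to-dict conversion accepts it, a parse failure would presumably leave `auths` as a string that `combine` writes into config.json verbatim, so skopeo would then find no credentials at all. The `set_fact` that builds `new_docker_config` and the `copy` that writes it hold the base64-encoded registry passwords but carry no `no_log: true`; their results may be echoed at higher verbosity, in `--diff` output, or by a result-recording callback, so mark those two tasks `no_log: true` (here and in push.yaml) while the skopeo command itself stays loggable as the commit intends. The `copy:` task at the top of the hunk begins outside it.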
@@ -1,14 +1,11 @@ - name: Push tag to intermediate registry command: >- skopeo --insecure-policy copy - --src-creds={{ buildset_registry.username }}:{{ buildset_registry.password }} - --dest-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }} docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }} docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }} loop: "{{ image.tags | default(['latest']) }}" loop_control: loop_var: image_tag - no_log: true - name: Return artifact to Zuul zuul_return:
diff --git a/roles/push-to-intermediate-registry/tasks/push.yaml b/roles/push-to-intermediate-registry/tasks/push.yaml
index cd6d5e387..bfb08f958 100644
--- a/roles/push-to-intermediate-registry/tasks/push.yaml
+++ b/roles/push-to-intermediate-registry/tasks/push.yaml
@@ -11,8 +11,66 @@ copy: content: "{{ buildset_registry.cert }}" dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt" -- name: Push image to intermediate registry - include_tasks: push-image.yaml - loop: "{{ docker_images }}" - loop_control: - loop_var: image + +# Update user config for intermediate and buildset registries +- name: Ensure docker user directory exists + file: + state: directory + path: "~/.docker" + mode: 0700 +- name: Check if docker user configuration exists + stat: + path: "~/.docker/config.json" + register: docker_config_stat +- name: Load docker user configuration + when: docker_config_stat.stat.exists + slurp: + path: "~/.docker/config.json" + register: docker_config +- name: Parse docker user configuration + when: docker_config_stat.stat.exists + set_fact: + docker_config: "{{ docker_config.content | b64decode | from_json }}" +- name: Set default docker user configuration + when: not docker_config_stat.stat.exists + set_fact: + docker_config: + auths: {} +- name: Add registry to docker user configuration + vars: + new_config: + auths: | + { + "{{ intermediate_registry.host }}:{{ intermediate_registry.port }}": + {"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"}, + "{{ intermediate_registry.host }}:{{ intermediate_registry.proxy_port }}": + {"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"} + "{{ buildset_registry.host }}:{{ buildset_registry.port }}": + {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}, + "{{ buildset_registry.host }}:{{ buildset_registry.proxy_port }}": + {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"} + } + set_fact: + new_docker_config: "{{ docker_config | combine(new_config, recursive=True) }}" +- name: Save docker user configuration + copy: + content: "{{ new_docker_config | to_nice_json }}" 
+ dest: "~/.docker/config.json" + mode: 0600 + +# Push the images +- name: Push images to intermediate registry + block: + - name: Push image to intermediate registry + include_tasks: push-image.yaml + loop: "{{ docker_images }}" + loop_control: + loop_var: image + always: + - name: Remove docker user config + command: "shred ~/.docker/config.json" + - name: Replace docker user configuration + copy: + content: "{{ docker_config | to_nice_json }}" + dest: "~/.docker/config.json" + mode: 0600
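Review bot: The docker-config preparation (directory, stat, slurp, parse, default, combine, save) and the shred/restore `always:` block are a verbatim copy of the same tasks in roles/pull-from-intermediate-registry/tasks/main.yaml, so any fix to them, such as the missing comma before the `"{{ buildset_registry.host }}:{{ buildset_registry.port }}":` key in the `auths` literal, has to be made twice; factoring them into a shared role or an `include_tasks` file used by both roles would keep them in one place. The restore step also leaves a different state from the one it started in when no config.json existed: `docker_config` is then `{"auths": {}}` and the `always:` block writes that file instead of removing it; guarding the replace `copy` with `when: docker_config_stat.stat.exists` and adding a `file: {path: "~/.docker/config.json", state: absent}` task for the `when: not docker_config_stat.stat.exists` case would restore the original state. The `copy:` task at the top of the hunk belongs to a task whose `- name:` line is outside it.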