From cae97711e94c53e9b2cdbaeb0dee20586eadc6ac Mon Sep 17 00:00:00 2001
From: rahulguptajss
Date: Wed, 14 Aug 2024 19:30:46 +0530
Subject: [PATCH] feat: use docker buildx secret for token

---
 container/onePollerPerContainer/Dockerfile | 17 +--
 jenkins/artifacts/jenkinsfile | 115 ++++++++++++---------
 2 files changed, 75 insertions(+), 57 deletions(-)

diff --git a/container/onePollerPerContainer/Dockerfile b/container/onePollerPerContainer/Dockerfile
index 6f8121cfb..0de92dd1f 100644
--- a/container/onePollerPerContainer/Dockerfile
+++ b/container/onePollerPerContainer/Dockerfile
@@ -1,6 +1,6 @@
 # GO_VERSION should be overridden by the build script via --build-arg GO_VERSION=$value
 ARG GO_VERSION
-FROM golang:${GO_VERSION} as builder
+FROM golang:${GO_VERSION} AS builder
 
 SHELL ["/bin/bash", "-c"]
 
@@ -8,7 +8,6 @@ ARG INSTALL_DIR=/opt/harvest
 ARG BUILD_DIR=/opt/home
 ARG VERSION=2.0
 ARG RELEASE=nightly
-ARG GIT_TOKEN
 ARG ASUP_MAKE_TARGET=build
 
 # Set the Current Working Directory inside the container
@@ -18,11 +17,13 @@ RUN mkdir -p $INSTALL_DIR $INSTALL_DIR/container/onePollerPerContainer $INSTALL_
 
 COPY . .
 
-RUN if [[ -n "$ASUP_MAKE_TARGET" && -n "$GIT_TOKEN" ]]; then \
-make build asup VERSION=$VERSION RELEASE=$RELEASE ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET GIT_TOKEN=$GIT_TOKEN ; \
-else \
-make build VERSION=$VERSION RELEASE=$RELEASE BIN_PLATFORM=linux ;\
-fi
+RUN --mount=type=secret,id=git_token \
+ if [[ -n "$ASUP_MAKE_TARGET" && -f "/run/secrets/git_token" ]]; then \
+ GIT_TOKEN=$(cat /run/secrets/git_token) && \
+ make build asup VERSION=$VERSION RELEASE=$RELEASE ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET GIT_TOKEN=$GIT_TOKEN ; \
+ else \
+ make build VERSION=$VERSION RELEASE=$RELEASE BIN_PLATFORM=linux ;\
+ fi
 
 RUN cp -a $BUILD_DIR/harvest.yml $INSTALL_DIR/harvest.yml.example
 
@@ -39,4 +40,4 @@ ENV HARVEST_DOCKER=yes
 COPY --from=builder $INSTALL_DIR $INSTALL_DIR
 
 WORKDIR $INSTALL_DIR
-ENTRYPOINT ["bin/poller"]
+ENTRYPOINT ["bin/poller"]
\ No newline at end of file
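Review bot: The new `RUN --mount=type=secret,id=git_token` in the third hunk is a BuildKit-only flag, and the first hunk shows the file still opens with the GO_VERSION comment rather than a `# syntax=docker/dockerfile:1` parser directive; adding that directive as line 1 pins a frontend that understands `--mount` instead of failing with an unknown-flag error on a legacy builder. When the secret is not mounted, the `else` branch silently produces a non-asup build, which also hides a CI misconfiguration such as an empty or missing `--secret` on the docker build command; an `echo "git_token secret not mounted, building without asup" >&2 && \` as the first line of the else branch keeps that visible in the build log. The token is then handed to make as the command-line argument `GIT_TOKEN=$GIT_TOKEN`, which places it in the process arguments inside the build container and in the build log if any recipe echoes that variable; the Makefile is not part of this patch, so confirm its asup recipes are `@`-silenced before relying on the secret mount alone.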
diff --git a/jenkins/artifacts/jenkinsfile b/jenkins/artifacts/jenkinsfile
index 47a232850..47926a70c 100644
--- a/jenkins/artifacts/jenkinsfile
+++ b/jenkins/artifacts/jenkinsfile
@@ -140,18 +140,26 @@ pipeline {
 }
 }
 
- stage('Build Docker Image ') {
- steps {
- withDockerRegistry([credentialsId: "DockerHub", url: ""]) {
- sh '''
- targetLocation=$targetParentLocation$VERSION-$RELEASE-$BRANCH
- docker login
- docker build -f container/onePollerPerContainer/Dockerfile --build-arg GO_VERSION=${GO_VERSION} --build-arg VERSION=$VERSION --build-arg RELEASE=$RELEASE --build-arg ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET --build-arg GIT_TOKEN=$GIT_TOKEN -t ${imageName}:latest -t ${imageName}:$VERSION-$RELEASE -t ${jfrogImagePrefix}:latest -t ${jfrogImagePrefix}:$VERSION-$RELEASE -t ${ghcrImage}:latest -t ${ghcrImage}:$VERSION-$RELEASE . --no-cache
- docker save -o ${targetLocation}/docker_harvest.tar ${ghcrImage}:latest
- '''
- }
+ stage('Build Docker Image') {
+ steps {
+ withCredentials([string(credentialsId: 'GIT_TOKEN', variable: 'GIT_TOKEN')]) {
+ script {
+ // Write the GIT_TOKEN to a temporary file
+ def gitTokenFile = "${env.WORKSPACE}/git_token"
+ writeFile file: gitTokenFile, text: env.GIT_TOKEN
+
+ withDockerRegistry([credentialsId: "DockerHub", url: ""]) {
+ sh '''
+ targetLocation=$targetParentLocation$VERSION-$RELEASE-$BRANCH
+ docker login
+ docker build --secret id=git_token,src=${gitTokenFile} -f container/onePollerPerContainer/Dockerfile --build-arg GO_VERSION=${GO_VERSION} --build-arg VERSION=$VERSION --build-arg RELEASE=$RELEASE --build-arg ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET -t ${imageName}:latest -t ${imageName}:$VERSION-$RELEASE -t ${jfrogImagePrefix}:latest -t ${jfrogImagePrefix}:$VERSION-$RELEASE -t ${ghcrImage}:latest -t ${ghcrImage}:$VERSION-$RELEASE . --no-cache
+ docker save -o ${targetLocation}/docker_harvest.tar ${ghcrImage}:latest
+ '''
+ }
+ }
 }
- }
+ }
+ }
 
 stage('Publish builds locally'){
 steps {
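Review bot: `--secret id=git_token,src=${gitTokenFile}` in the new `sh '''…'''` block never sees the Groovy local: triple-single-quoted strings are not interpolated, so the shell receives the literal `${gitTokenFile}`, expands an unset variable and runs `docker build --secret id=git_token,src= …`; with no file mounted, the Dockerfile's `-f /run/secrets/git_token` test fails and it silently falls back to the non-asup build. The same construct appears in the Publish Nightly hunk below. Since `withCredentials` already exports `GIT_TOKEN` to the shell, the simplest fix drops the `writeFile` step entirely and mounts the variable directly, `docker build --secret id=git_token,env=GIT_TOKEN -f container/onePollerPerContainer/Dockerfile …`; that also removes the plaintext `${env.WORKSPACE}/git_token` file, which the commit never deletes and which sits inside the `.` build context where the builder stage's `COPY . .` picks it up unless a `.dockerignore` rule excludes it. If a file is kept, write it under `pwd(tmp: true)` (outside the context) and remove it in a `finally`.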
@@ -219,46 +227,55 @@ pipeline {
 }
 stage('Publish Nightly Build to GitHub') {
- when {
- expression {
- return params.RELEASE == 'nightly' && env.BRANCH == 'main' && params.ASUP_MAKE_TARGET == 'production'
- }
- }
- steps {
- sh '''
- targetLocation=$targetParentLocation$VERSION-$RELEASE-$BRANCH
- wget -q -O /opt/home/gh.tar.gz "https://github.com/cli/cli/releases/download/v2.8.0/gh_2.8.0_linux_386.tar.gz"
- tar -C /opt/home -xzf /opt/home/gh.tar.gz
- echo $GIT_TOKEN > mytoken.txt
- /opt/home/gh_2.8.0_linux_386/bin/gh auth login --with-token < mytoken.txt
- /opt/home/gh_2.8.0_linux_386/bin/gh release view nightly && /opt/home/gh_2.8.0_linux_386/bin/gh release delete nightly || true
- if [ $(git tag -l nightly) ]; then
- git push https://$GIT_TOKEN@github.com/NetApp/harvest.git --delete nightly
- fi
- /opt/home/gh_2.8.0_linux_386/bin/gh release create nightly $targetLocation/*.rpm $targetLocation/*.deb $targetLocation/*.gz --notes "Nightly builds may include bugs and other issues. You might want to use the stable releases instead." --title "Harvest Nightly Release" --prerelease --target main
- docker build -f container/onePollerPerContainer/Dockerfile --build-arg GO_VERSION=${GO_VERSION} --build-arg VERSION=$VERSION --build-arg RELEASE=$RELEASE --build-arg ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET --build-arg GIT_TOKEN=$GIT_TOKEN -t ${imageName}:latest -t ${imageName}:nightly -t ${jfrogImagePrefix}:latest -t ${jfrogImagePrefix}:nightly -t ${ghcrImage}:latest -t ${ghcrImage}:nightly .
--no-cache
- echo $GIT_TOKEN | docker login ghcr.io -u $DOCKERHUB_USERNAME --password-stdin
- docker push ${ghcrImage}:nightly
- # Add a dummy user/email for mike deploy to work
- git config user.name harvest
- git config user.email harvest
- git fetch origin gh-pages:gh-pages
- mike deploy -r https://$GIT_TOKEN@github.com/NetApp/harvest.git --push --update-aliases nightly
- '''
- withDockerRegistry([credentialsId: "DockerHub", url: ""]) {
- sh '''
- docker login
- docker push ${imageName}:nightly
- '''
+ when {
+ expression {
+ return params.RELEASE == 'nightly' && env.BRANCH == 'main' && params.ASUP_MAKE_TARGET == 'production'
+ }
 }
- withCredentials([usernamePassword(credentialsId: 'Jfrog', passwordVariable: 'password', usernameVariable: 'username')]) {
- sh '''
- docker login --username=$username --password=$password ${jfrogRepo}
- docker push ${jfrogImagePrefix}:nightly
- '''
+ steps {
+ withCredentials([string(credentialsId: 'GIT_TOKEN', variable: 'GIT_TOKEN')]) {
+ script {
+ // Write the GIT_TOKEN to a temporary file
+ def gitTokenFile = "${env.WORKSPACE}/git_token"
+ writeFile file: gitTokenFile, text: env.GIT_TOKEN
+
+ sh '''
+ targetLocation=$targetParentLocation$VERSION-$RELEASE-$BRANCH
+ wget -q -O /opt/home/gh.tar.gz "https://github.com/cli/cli/releases/download/v2.8.0/gh_2.8.0_linux_386.tar.gz"
+ tar -C /opt/home -xzf /opt/home/gh.tar.gz
+ echo $GIT_TOKEN > mytoken.txt
+ /opt/home/gh_2.8.0_linux_386/bin/gh auth login --with-token < mytoken.txt
+ /opt/home/gh_2.8.0_linux_386/bin/gh release view nightly && /opt/home/gh_2.8.0_linux_386/bin/gh release delete nightly || true
+ if [ $(git tag -l nightly) ]; then
+ git push https://$GIT_TOKEN@github.com/NetApp/harvest.git --delete nightly
+ fi
+ /opt/home/gh_2.8.0_linux_386/bin/gh release create nightly $targetLocation/*.rpm $targetLocation/*.deb $targetLocation/*.gz --notes "Nightly builds may include bugs and other issues. You might want to use the stable releases instead."
--title "Harvest Nightly Release" --prerelease --target main
+ docker build --secret id=git_token,src=${gitTokenFile} -f container/onePollerPerContainer/Dockerfile --build-arg GO_VERSION=${GO_VERSION} --build-arg VERSION=$VERSION --build-arg RELEASE=$RELEASE --build-arg ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET -t ${imageName}:latest -t ${imageName}:nightly -t ${jfrogImagePrefix}:latest -t ${jfrogImagePrefix}:nightly -t ${ghcrImage}:latest -t ${ghcrImage}:nightly . --no-cache
+ echo $GIT_TOKEN | docker login ghcr.io -u $DOCKERHUB_USERNAME --password-stdin
+ docker push ${ghcrImage}:nightly
+ # Add a dummy user/email for mike deploy to work
+ git config user.name harvest
+ git config user.email harvest
+ git fetch origin gh-pages:gh-pages
+ mike deploy -r https://$GIT_TOKEN@github.com/NetApp/harvest.git --push --update-aliases nightly
+ '''
+ withDockerRegistry([credentialsId: "DockerHub", url: ""]) {
+ sh '''
+ docker login
+ docker push ${imageName}:nightly
+ '''
+ }
+ withCredentials([usernamePassword(credentialsId: 'Jfrog', passwordVariable: 'password', usernameVariable: 'username')]) {
+ sh '''
+ docker login --username=$username --password=$password ${jfrogRepo}
+ docker push ${jfrogImagePrefix}:nightly
+ '''
+ }
+ }
+ }
 }
- }
- }
+ }
+ }