refactor: remote curl fallback
thesayyn committed May 10, 2024
1 parent cbff154 commit d787152
Showing 4 changed files with 18 additions and 170 deletions.
14 changes: 8 additions & 6 deletions fetch.bzl
Expand Up @@ -31,18 +31,19 @@ def fetch_images():
],
)

# Pull an image from public ECR.
# Pull an image from public ECR.
# When --credential_helper is provided, see .bazelrc at workspace root, it will take precende over
# auth from oci_pull. However, pulling from public ECR works out of the box so this will never fail
# auth from oci_pull. However, pulling from public ECR works out of the box so this will never fail
# unless oci_pull's authentication mechanism breaks and --credential_helper is absent.
oci_pull(
name = "ecr_lambda_python",
image = "public.ecr.aws/lambda/python",
tag = "3.11.2024.01.25.10",
# digest = "sha256:9499013bebe91a97ad3925269d1097408c092d85a1f6b96f91c7bb3a100e2c18",
platforms = [
"linux/amd64",
"linux/arm64/v8"
]
"linux/arm64/v8",
],
)

# Show that the digest is optional.
Expand Down Expand Up @@ -141,6 +142,7 @@ def fetch_images():
oci_pull(
name = "fluxcd_flux",
image = "docker.io/fluxcd/flux:1.25.4",
# digest = "sha256:c18e0c96fbb510fffa27ca0fb2561c2124e74f975a8a826d1f33cd4c82552db1"
)

oci_pull(
Expand Down Expand Up @@ -172,7 +174,7 @@ def fetch_images():
digest = "sha256:9a83bce5d337e7e19d789ee7f952d36d0d514c80987c3d76d90fd1afd2411a9a",
platforms = [
"linux/amd64",
"linux/arm64"
"linux/arm64",
],
)

Expand All @@ -183,7 +185,7 @@ def fetch_images():
digest = "sha256:8d38ffa8fad72f4bc2647644284c16491cc2d375602519a1f963f96ccc916276",
platforms = [
"linux/amd64",
"linux/arm64"
"linux/arm64",
],
)

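Review bot: The two `# digest = "sha256:…"` lines added under `ecr_lambda_python` and `fluxcd_flux` record a digest but leave it commented out, so both images are still resolved by tag alone and the fetched manifest is not checked against a pinned hash (pull.bzl in this same commit warns "without an integrity hash" on that path). If the tag-only pull is deliberate, as the neighbouring "Show that the digest is optional" example suggests, say so beside the commented line, e.g. `# digest deliberately left out to exercise the tag-only path; pin it in real use`; otherwise uncomment the digest. The `fluxcd_flux` digest line would also need a trailing comma once uncommented, to match the commas this commit adds elsewhere. `fetch_images` starts and ends outside the hunks shown.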
8 changes: 0 additions & 8 deletions oci/private/BUILD.bazel
Expand Up @@ -51,7 +51,6 @@ bzl_library(
],
deps = [
"//oci/private:authn",
"//oci/private:download",
"//oci/private:util",
"@bazel_skylib//lib:dicts",
],
Expand Down Expand Up @@ -84,13 +83,6 @@ bzl_library(
visibility = ["//oci:__subpackages__"],
)

bzl_library(
name = "download",
srcs = ["download.bzl"],
visibility = ["//oci:__subpackages__"],
deps = ["@bazel_skylib//lib:versions"],
)

bzl_library(
name = "authn",
srcs = ["authn.bzl"],
125 changes: 0 additions & 125 deletions oci/private/download.bzl

This file was deleted.

41 changes: 10 additions & 31 deletions oci/private/pull.bzl
@@ -1,8 +1,8 @@
"Implementation details for oci_pull repository rules"

load("@bazel_skylib//lib:dicts.bzl", "dicts")
load("@bazel_skylib//lib:versions.bzl", "versions")
load("//oci/private:authn.bzl", "authn")
load("//oci/private:download.bzl", "download")
load("//oci/private:util.bzl", "util")

# attributes that are specific to image reference url. shared between multiple targets
Expand Down Expand Up @@ -44,11 +44,6 @@ OCI_MEDIA_TYPE_OR_AUTHN_ERROR = """\
Unable to retrieve the manifest. This could be due to authentication problems or an attempt to fetch an image with OCI image media types.
"""

CURL_FALLBACK_WARNING = """\
The use of Curl fallback is deprecated and is set to be removed in version 2.0.
For more details, refer to: https://github.com/bazel-contrib/rules_oci/issues/456
"""

# Supported media types
# * OCI spec: https://github.com/opencontainers/image-spec/blob/main/media-types.md
# * Docker spec: https://github.com/distribution/distribution/blob/main/docs/spec/manifest-v2-2.md#media-types
Expand Down Expand Up @@ -85,7 +80,7 @@ def _digest_into_blob_path(digest):
digest_path = digest.replace(":", "/", 1)
return "blobs/{}".format(digest_path)

def _download(rctx, authn, identifier, output, resource, download_fn = download.bazel, headers = {}, allow_fail = False):
def _download(rctx, authn, identifier, output, resource, headers = {}, allow_fail = False):
"Use the Bazel Downloader to fetch from the remote registry"

if resource != "blobs" and resource != "manifests":
Expand All @@ -108,17 +103,19 @@ def _download(rctx, authn, identifier, output, resource, download_fn = download.
if identifier.startswith("sha256:"):
sha256 = identifier[len("sha256:"):]
else:
util.warning(rctx, "Fetching from {}@{} without an integrity hash. The result will not be cached.".format(rctx.attr.repository, identifier))
util.warning(rctx, "Fetching from {}@{} without an integrity hash, result will not be cached.".format(rctx.attr.repository, identifier))

return download_fn(
rctx,
kwargs = dict(
output = output,
sha256 = sha256,
url = registry_url,
auth = {registry_url: auth},
headers = headers,
allow_fail = allow_fail,
)
if versions.is_at_least("7.1.0", versions.get()):
return rctx.download(headers = headers, **kwargs)
else:
return rctx.download(**kwargs)

def _download_manifest(rctx, authn, identifier, output):
bytes = None
Expand All @@ -135,35 +132,17 @@ def _download_manifest(rctx, authn, identifier, output):
headers = _DOWNLOAD_HEADERS,
)

fallback_to_curl = False
if result.success:
bytes = rctx.read(output)
manifest = json.decode(bytes)
digest = "sha256:{}".format(result.sha256)
if manifest["schemaVersion"] == 1:
fallback_to_curl = True
util.warning(rctx, SCHEMA1_ERROR)
fail(SCHEMA1_ERROR)
else:
fallback_to_curl = True
util.warning(rctx, OCI_MEDIA_TYPE_OR_AUTHN_ERROR)
explanation = authn.explain()
if explanation:
util.warning(rctx, explanation)

if fallback_to_curl:
util.warning(rctx, CURL_FALLBACK_WARNING)
_download(
rctx,
authn,
identifier,
output,
"manifests",
download.curl,
headers = _DOWNLOAD_HEADERS,
)
bytes = rctx.read(output)
manifest = json.decode(bytes)
digest = "sha256:{}".format(util.sha256(rctx, output))
fail(OCI_MEDIA_TYPE_OR_AUTHN_ERROR)

return manifest, len(bytes), digest

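Review bot: In `_download`, the `else:` branch for Bazel older than 7.1.0 calls `rctx.download(**kwargs)` and drops `headers` with no signal, and with the curl fallback removed `_download_manifest` now ends that path in `fail(OCI_MEDIA_TYPE_OR_AUTHN_ERROR)`. If `_DOWNLOAD_HEADERS` carries the manifest Accept types (its definition is outside the hunks shown), users on older Bazel get a hard failure that blames authentication or media types and never names the Bazel version. I would emit a hint just before that `fail`, e.g. `if not versions.is_at_least("7.1.0", versions.get()): util.warning(rctx, "Request headers need Bazel 7.1.0 or newer and were not sent.")`. The same branch also reports any unsuccessful download, whatever its cause, with that one message, so naming `rctx.attr.repository` and the identifier in it would help triage. Both functions continue outside the hunks.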
