Commit
1 parent
46ae9df
commit 3e22629
Showing
5 changed files
with
176 additions
and
91 deletions.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,170 @@ | ||
# Copyright (c) HashiCorp, Inc. | ||
# SPDX-License-Identifier: BUSL-1.1 | ||
|
||
# This job runs after the private registry is up and running, when we know | ||
# address and port provided by the bridge network. It is a sysbatch job | ||
# that writes these files on every linux client. | ||
# - /usr/local/bin/docker-credential-test.sh | ||
# - /etc/docker-registry-auth.json | ||
|
||
variable "registry_address" { | ||
type = string | ||
description = "The HTTP address of the local registry" | ||
} | ||
|
||
variable "auth_dir" { | ||
type = string | ||
description = "The destination directory of the auth.json file." | ||
default = "/tmp" | ||
} | ||
|
||
variable "helper_dir" { | ||
type = string | ||
description = "The directory in which test.sh will be written." | ||
default = "/tmp" | ||
} | ||
|
||
variable "docker_conf_dir" { | ||
type = string | ||
description = "The directory in which daemon.json will be written." | ||
default = "/tmp" | ||
} | ||
|
||
variable "user" { | ||
type = string | ||
description = "The user to create files as. Should be root in e2e." | ||
# no default because dealing with root files is annoying locally | ||
# try -var=user=$USER for local development | ||
} | ||
|
||
job "registry-auths" { | ||
type = "sysbatch" | ||
|
||
constraint { | ||
attribute = "${attr.kernel.name}" | ||
value = "linux" | ||
} | ||
|
||
group "create-files" { | ||
reschedule { | ||
attempts = 0 | ||
unlimited = false | ||
} | ||
|
||
# write out the test.sh file into var.helper_dir | ||
task "create-helper-file" { | ||
driver = "pledge" | ||
user = "${var.user}" | ||
|
||
config { | ||
command = "cp" | ||
args = ["${NOMAD_TASK_DIR}/test.sh", "${var.helper_dir}/docker-credential-test.sh"] | ||
promises = "stdio rpath wpath cpath" | ||
unveil = ["r:${NOMAD_TASK_DIR}/test.sh", "rwc:${var.helper_dir}"] | ||
} | ||
|
||
template { | ||
destination = "local/test.sh" | ||
perms = "755" | ||
data = <<EOH | ||
#!/usr/bin/env bash | ||
set -euo pipefail | ||
value=$(cat /dev/stdin) | ||
username="auth_helper_user" | ||
password="auth_helper_pass" | ||
case "${value}" in | ||
${var.registry_address}*) | ||
echo "{\"Username\": \"$username\", \"Secret\": \"$password\"}" | ||
exit 0 | ||
;; | ||
*) | ||
echo "must use local registry" | ||
exit 3 | ||
;; | ||
esac | ||
EOH | ||
} | ||
resources { | ||
cpu = 100 | ||
memory = 32 | ||
} | ||
} | ||
|
||
# write out the auth.json file into var.auth_dir | ||
task "create-auth-file" { | ||
driver = "pledge" | ||
user = "${var.user}" | ||
|
||
config { | ||
command = "cp" | ||
args = ["${NOMAD_TASK_DIR}/auth.json", "${var.auth_dir}/auth.json"] | ||
promises = "stdio rpath wpath cpath" | ||
unveil = ["r:${NOMAD_TASK_DIR}/auth.json", "rwc:${var.auth_dir}"] | ||
} | ||
template { | ||
perms = "644" | ||
destination = "local/auth.json" | ||
data = <<EOH | ||
{ | ||
"auths": { | ||
"${var.registry_address}:/docker.io/library/bash_auth_static": { | ||
"auth": "YXV0aF9zdGF0aWNfdXNlcjphdXRoX3N0YXRpY19wYXNz" | ||
} | ||
} | ||
} | ||
EOH | ||
} | ||
resources { | ||
cpu = 100 | ||
memory = 32 | ||
} | ||
} | ||
} | ||
|
||
group "create-conf" { | ||
task "create-daemon-file" { | ||
driver = "pledge" | ||
user = "${var.user}" | ||
|
||
config { | ||
command = "cp" | ||
args = ["${NOMAD_TASK_DIR}/daemon.json", "${var.docker_conf_dir}/daemon.json"] | ||
promises = "stdio rpath wpath cpath" | ||
unveil = ["r:${NOMAD_TASK_DIR}/daemon.json", "rwc:${var.docker_conf_dir}"] | ||
} | ||
|
||
template { | ||
destination = "local/daemon.json" | ||
perms = "644" | ||
data = <<EOH | ||
{ | ||
"insecure-registries": [ | ||
"${var.registry_address}" | ||
] | ||
} | ||
EOH | ||
} | ||
resources { | ||
cpu = 100 | ||
memory = 32 | ||
} | ||
} | ||
|
||
task "restart-docker" { | ||
driver = "raw_exec" # TODO: see if this could be done with pledge? | ||
|
||
config { | ||
command = "service" | ||
args = ["docker", "restart"] | ||
} | ||
resources { | ||
cpu = 100 | ||
memory = 32 | ||
} | ||
} | ||
} | ||
} |
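Review bot: The credential helper's `${var.registry_address}*)` arm in the `test.sh` template is an unquoted prefix glob, so any server string that merely begins with the registry address is handed the username and secret, and glob characters in the variable would be read as pattern syntax. The values here are test fixtures, but helpers like this get copied; quoting and anchoring the match, e.g. `"${var.registry_address}"|"${var.registry_address}"/*)`, limits it to the intended registry (adjust the suffix if the driver passes something else on stdin). Separately, in group `create-conf` nothing orders `restart-docker` after `create-daemon-file`, so Docker may be restarted before `daemon.json` is copied; adding `lifecycle { hook = "prestart" }` to `create-daemon-file` should, as far as I can tell, make the restart wait for the copy. The header comment also names `/etc/docker-registry-auth.json` while the task writes `${var.auth_dir}/auth.json`, and it does not mention `daemon.json` or the Docker restart.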
File renamed without changes.