kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
f9cbaaf6c7e192ab7a0c5a8444cc17ef99ddd853
nomad/e2e/docker/input/registry-auths.hcl
Piotr Kazmierczak f9cbaaf6c7 docker: fix a bug where auth for private registries wasn't parsed correctly (#24215) 
In #23966 we introduced an official Docker client and did not notice that in
contrast to our previous 3rd party client, the official SDK PullOptions object
expects a base64 encoded JSON with username and password, instead of username/
password pair.
2024-10-16 22:04:54 +02:00

171 lines
3.8 KiB
HCL
Raw Blame History

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
# This job runs after the private registry is up and running, when we know
# address and port provided by the bridge network. It is a sysbatch job
# that writes these files on every linux client.
# - /usr/local/bin/docker-credential-test.sh
# - /etc/docker-registry-auth.json
variable "registry_address" {
type = string
description = "The HTTP address of the local registry"
}
variable "auth_dir" {
type = string
description = "The destination directory of the auth.json file."
default = "/tmp"
}
variable "helper_dir" {
type = string
description = "The directory in which test.sh will be written."
default = "/tmp"
}
variable "docker_conf_dir" {
type = string
description = "The directory in which daemon.json will be written."
default = "/tmp"
}
variable "user" {
type = string
description = "The user to create files as. Should be root in e2e."
# no default because dealing with root files is annoying locally
# try -var=user=$USER for local development
}
job "registry-auths" {
type = "sysbatch"
constraint {
attribute = "${attr.kernel.name}"
value = "linux"
}
group "create-files" {
reschedule {
attempts = 0
unlimited = false
}
# write out the test.sh file into var.helper_dir
task "create-helper-file" {
driver = "pledge"
user = "${var.user}"
config {
command = "cp"
args = ["${NOMAD_TASK_DIR}/test.sh", "${var.helper_dir}/docker-credential-test.sh"]
promises = "stdio rpath wpath cpath"
unveil = ["r:${NOMAD_TASK_DIR}/test.sh", "rwc:${var.helper_dir}"]
}
template {
destination = "local/test.sh"
perms = "755"
data = <<EOH
#!/usr/bin/env bash
set -euo pipefail
value=$(cat /dev/stdin)
username="auth_helper_user"
password="auth_helper_pass"
case "${value}" in
${var.registry_address}*)
echo "{\"Username\": \"$username\", \"Secret\": \"$password\"}"
exit 0
;;
*)
echo "must use local registry"
exit 3
;;
esac
EOH
}
resources {
cpu = 100
memory = 32
}
}
# write out the auth.json file into var.auth_dir
task "create-auth-file" {
driver = "pledge"
user = "${var.user}"
config {
command = "cp"
args = ["${NOMAD_TASK_DIR}/auth.json", "${var.auth_dir}/auth.json"]
promises = "stdio rpath wpath cpath"
unveil = ["r:${NOMAD_TASK_DIR}/auth.json", "rwc:${var.auth_dir}"]
}
template {
perms = "644"
destination = "local/auth.json"
data = <<EOH
{
"auths": {
"${var.registry_address}:/docker.io/library/bash_auth_static": {
"auth": "YXV0aF9zdGF0aWNfdXNlcjphdXRoX3N0YXRpY19wYXNz"
}
}
}
EOH
}
resources {
cpu = 100
memory = 32
}
}
}
group "create-conf" {
task "create-daemon-file" {
driver = "pledge"
user = "${var.user}"
config {
command = "cp"
args = ["${NOMAD_TASK_DIR}/daemon.json", "${var.docker_conf_dir}/daemon.json"]
promises = "stdio rpath wpath cpath"
unveil = ["r:${NOMAD_TASK_DIR}/daemon.json", "rwc:${var.docker_conf_dir}"]
}
template {
destination = "local/daemon.json"
perms = "644"
data = <<EOH
{
"insecure-registries": [
"${var.registry_address}"
]
}
EOH
}
resources {
cpu = 100
memory = 32
}
}
task "restart-docker" {
driver = "raw_exec" # TODO: see if this could be done with pledge?
config {
command = "service"
args = ["docker", "restart"]
}
resources {
cpu = 100
memory = 32
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink