container/{Containerfile,build.sh}: use a secret to pass secrets 60961/head
authorDan Mick <dan.mick@redhat.com>
Thu, 21 Nov 2024 03:11:24 +0000 (19:11 -0800)
committerDan Mick <dan.mick@redhat.com>
Thu, 5 Dec 2024 08:10:12 +0000 (00:10 -0800)
Use podman's build --secret mechanism to pass credentials for
download.ceph.com

Signed-off-by: Dan Mick <dan.mick@redhat.com>
(cherry picked from commit 4b3c0cb8f3f130563d9e1309beb7a8e0b59ea83e)

container/Containerfile
container/build.sh

index 8a0e90dcf1a67b65721cf0b4e555cd42bb0091f8..c954ebed1be81841ba8bfaa3460f59f0e37aed69 100644 (file)
@@ -22,9 +22,6 @@ ARG OSD_FLAVOR="default"
 # (optional) Should be 'true' for CI builds (pull from shaman, etc.)
 ARG CI_CONTAINER="true"
 
-# creds for accessing prerelease packages on download.ceph.com for release builds
-ARG PRERELEASE_USERNAME ""
-ARG PRERELEASE_PASSWORD ""
 
 RUN /bin/echo -e "\
 FROM_IMAGE: ${FROM_IMAGE}\n\
@@ -77,7 +74,7 @@ RUN set -ex && \
     esac
 
 # Ceph repo
-RUN set -ex && \
+RUN --mount=type=secret,id=prerelease_creds set -ex && \
     rpm --import 'https://download.ceph.com/keys/release.asc' && \
     ARCH=$(arch); if [ "${ARCH}" == "aarch64" ]; then ARCH="arm64"; fi ;\
     IS_RELEASE=0 ;\
@@ -86,12 +83,13 @@ RUN set -ex && \
         REPO_URL=$(curl -fs "https://shaman.ceph.com/api/search/?project=ceph&distros=centos/9/${ARCH}&flavor=${OSD_FLAVOR}&ref=${CEPH_REF}&sha1=latest" | jq -r .[0].url) ;\
     else \
         IS_RELEASE=1 ;\
+        source /run/secrets/prerelease_creds; \
         REPO_URL="https://${PRERELEASE_USERNAME}:${PRERELEASE_PASSWORD}@download.ceph.com/prerelease/ceph/rpm-${CEPH_REF}/el9/" ;\
     fi && \
     rpm -Uvh "$REPO_URL/noarch/ceph-release-1-${IS_RELEASE}.el9.noarch.rpm" ; \
     if [[ "$IS_RELEASE" == 1 ]] ; then \
-       sed -i "s;http://download.ceph.com/;https://${PRERELEASE_USERNAME}:${PRERELEASE_PASSWORD}@download.ceph.com/prerelease/ceph/;" /etc/yum.repos.d/ceph.repo ; \
-       dnf clean expire-cache ; \
+        sed -i "s;http://download.ceph.com/;https://${PRERELEASE_USERNAME}:${PRERELEASE_PASSWORD}@download.ceph.com/prerelease/ceph/;" /etc/yum.repos.d/ceph.repo ; \
+        dnf clean expire-cache ; \
     fi
 
 
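Review bot: The added `source /run/secrets/prerelease_creds` runs while the `set -x` from the `RUN ... set -ex` line is still active, so bash traces the sourced `PRERELEASE_PASSWORD=…` assignment, the expanded `REPO_URL=https://user:pass@…` assignment, the `rpm -Uvh` URL and the `sed -i` command into the build output, which build.sh captures with `2>&1` — the credentials the secret mount is meant to hide still land in cleartext in the build log. The ARG-based version leaked the same way, but this change is the natural place to close it: put `set +x` immediately before the `source` line and `set -x` after the `fi` that closes the `IS_RELEASE` block, so no command in the credentialed section is echoed. Separately, the `sed -i` still writes the username and password into /etc/yum.repos.d/ceph.repo, which persists in the squashed image; a secret mount does not address that unless the repo file is rewritten or removed at the end of the same RUN. The RUN instruction begins in the previous hunk.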
index bf538fb72b8b5fd76d78c0df9a4d27631f407862..b3044ff9cfb0f05c0ad07b04837dbc871ba43d74 100755 (executable)
@@ -94,6 +94,14 @@ fi
 # BRANCH will be, say, origin/main.  remove <remote>/
 BRANCH=${BRANCH##*/}
 
+# podman build only supports secret files.
+# This must be removed after podman build
+touch prerelease.secret.txt
+chmod 600 prerelease.secret.txt
+echo -e "\
+    PRERELEASE_USERNAME=${PRERELEASE_USERNAME}\n
+    PRERELEASE_PASSWORD=${PRERELEASE_PASSWORD}\n " > prerelease.secret.txt
+
 podman build --pull=newer --squash -f $CFILE -t build.sh.output \
     --build-arg FROM_IMAGE=${FROM_IMAGE:-quay.io/centos/centos:stream9} \
     --build-arg CEPH_SHA1=${CEPH_SHA1} \
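Review bot: The secret file is written with unquoted `PRERELEASE_USERNAME=${PRERELEASE_USERNAME}` / `PRERELEASE_PASSWORD=${PRERELEASE_PASSWORD}` lines, so a password containing whitespace, `$`, `;` or quotes is misparsed — or executed — when the Containerfile `source`s it, and `touch` followed by `chmod 600` leaves a window in which the file exists with the default umask. The `rm ./prerelease.secret.txt` in the next hunk only runs on the success path, so a failed `podman build` (fatal if the script runs under `set -e`, which is outside these hunks) leaves the credentials on disk in the working directory. Creating the file with `mktemp` (0600 from the start), deleting it from an `EXIT` trap and emitting the values with `printf '%q'` addresses all three; the `--secret=id=prerelease_creds,src=…` argument in the next hunk then points at `"$secret_file"` and the trailing `rm` goes away.
```shell
# podman build only supports secret files; create it 0600 from the start
# and remove it on every exit path, including a failed build.
secret_file=$(mktemp) || exit 1
trap 'rm -f -- "$secret_file"' EXIT
printf 'PRERELEASE_USERNAME=%q\nPRERELEASE_PASSWORD=%q\n' \
    "${PRERELEASE_USERNAME}" "${PRERELEASE_PASSWORD}" > "$secret_file"

# … unchanged: podman build invocation, with --secret=id=prerelease_creds,src="$secret_file" …
```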
@@ -101,10 +109,11 @@ podman build --pull=newer --squash -f $CFILE -t build.sh.output \
     --build-arg CEPH_REF=${BRANCH:-main} \
     --build-arg OSD_FLAVOR=${FLAVOR:-default} \
     --build-arg CI_CONTAINER=${CI_CONTAINER:-default} \
-    --build-arg PRERELEASE_USERNAME=${PRERELEASE_USERNAME} \
-    --build-arg PRERELEASE_PASSWORD=${PRERELEASE_PASSWORD} \
+    --secret=id=prerelease_creds,src=./prerelease.secret.txt \
     2>&1 
 
+rm ./prerelease.secret.txt
+
 image_id=$(podman image ls localhost/build.sh.output --format '{{.ID}}')
 
 # grab useful image attributes for building the tag