From a3b28afc70c3f5e7e887cad509aa6fcbdf74e1f9 Mon Sep 17 00:00:00 2001 
From: Dan Mick 
Date: Wed, 20 Nov 2024 19:11:24 -0800 
Subject: [PATCH] container/{Containerfile,build.sh}: use a secret to pass secrets 
Use podman's build --secret mechanism to pass credentials for download.ceph.com 
Signed-off-by: Dan Mick 
(cherry picked from commit 4b3c0cb8f3f130563d9e1309beb7a8e0b59ea83e) 
---
 container/Containerfile | 10 ++++------
 container/build.sh | 13 +++++++++++--
 2 files changed, 15 insertions(+), 8 deletions(-) 
diff --git a/container/Containerfile b/container/Containerfile 
index 8a0e90dcf1a67..c954ebed1be81 100644 
--- a/container/Containerfile 
+++ b/container/Containerfile 
@@ -22,9 +22,6 @@ ARG OSD_FLAVOR="default"
 # (optional) Should be 'true' for CI builds (pull from shaman, etc.)
 ARG CI_CONTAINER="true"
 
-# creds for accessing prerelease packages on download.ceph.com for release builds
-ARG PRERELEASE_USERNAME ""
-ARG PRERELEASE_PASSWORD ""
 RUN /bin/echo -e "\
 FROM_IMAGE: ${FROM_IMAGE}\n\ 
@@ -77,7 +74,7 @@ RUN set -ex && \
 esac
 # Ceph repo
-RUN set -ex && \
+RUN --mount=type=secret,id=prerelease_creds set -ex && \
 rpm --import 'https://download.ceph.com/keys/release.asc' && \
 ARCH=$(arch); if [ "${ARCH}" == "aarch64" ]; then ARCH="arm64"; fi ;\
 IS_RELEASE=0 ;\ 
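Review bot: Keeping `-x` in `RUN --mount=type=secret,id=prerelease_creds set -ex && \` means the xtrace of this step still prints the credentials: in the next hunk (`@@ -86,12 +83,13 @@`) both `source /run/secrets/prerelease_creds` and the `REPO_URL="https://${PRERELEASE_USERNAME}:${PRERELEASE_PASSWORD}@..."` assignment are traced with their values expanded into the build output, which undoes most of the gain from moving the credentials out of build args. Either drop `-x` for this step (`set -e && \`) or switch it off before the credential lines with `set +x; \`. The `sed -i` in that hunk also writes the same user:password pair into `/etc/yum.repos.d/ceph.repo`, so unless a later step outside these hunks rewrites that file the credentials persist in the final image layer; a comment stating where they are scrubbed, or a trailing `sed` restoring the public URL once the install is done, would make that explicit. The RUN block continues past the end of both hunks.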
@@ -86,12 +83,13 @@ RUN set -ex && \
 REPO_URL=$(curl -fs "https://shaman.ceph.com/api/search/?project=ceph&distros=centos/9/${ARCH}&flavor=${OSD_FLAVOR}&ref=${CEPH_REF}&sha1=latest" | jq -r .[0].url) ;\
 else \
 IS_RELEASE=1 ;\
+ source /run/secrets/prerelease_creds; \
 REPO_URL="https://${PRERELEASE_USERNAME}:${PRERELEASE_PASSWORD}@download.ceph.com/prerelease/ceph/rpm-${CEPH_REF}/el9/" ;\
 fi && \
 rpm -Uvh "$REPO_URL/noarch/ceph-release-1-${IS_RELEASE}.el9.noarch.rpm" ; \
 if [[ "$IS_RELEASE" == 1 ]] ; then \
- sed -i "s;http://download.ceph.com/;https://${PRERELEASE_USERNAME}:${PRERELEASE_PASSWORD}@download.ceph.com/prerelease/ceph/;" /etc/yum.repos.d/ceph.repo ; \
- dnf clean expire-cache ; \
+ sed -i "s;http://download.ceph.com/;https://${PRERELEASE_USERNAME}:${PRERELEASE_PASSWORD}@download.ceph.com/prerelease/ceph/;" /etc/yum.repos.d/ceph.repo ; \
+ dnf clean expire-cache ; \
 fi 
diff --git a/container/build.sh b/container/build.sh 
index bf538fb72b8b5..b3044ff9cfb0f 100755 
--- a/container/build.sh 
+++ b/container/build.sh 
@@ -94,6 +94,14 @@ fi
 # BRANCH will be, say, origin/main. remove /
 BRANCH=${BRANCH##*/}
 
+# podman build only supports secret files.
+# This must be removed after podman build
+touch prerelease.secret.txt
+chmod 600 prerelease.secret.txt
+echo -e "\ PRERELEASE_USERNAME=${PRERELEASE_USERNAME}\n PRERELEASE_PASSWORD=${PRERELEASE_PASSWORD}\n " > prerelease.secret.txt 
+
 podman build --pull=newer --squash -f $CFILE -t build.sh.output \
 --build-arg FROM_IMAGE=${FROM_IMAGE:-quay.io/centos/centos:stream9} \
 --build-arg CEPH_SHA1=${CEPH_SHA1} \ 
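Review bot: The secret file written by the `echo -e "\ PRERELEASE_USERNAME=${PRERELEASE_USERNAME}\n ..."` statement is later `source`d inside the build, but the values are interpolated unquoted, so a password containing whitespace, `$`, `;`, quotes or a backslash (which `echo -e` additionally interprets) is either truncated or executed as shell at build time. Writing it as `printf 'PRERELEASE_USERNAME=%q\nPRERELEASE_PASSWORD=%q\n' "$PRERELEASE_USERNAME" "$PRERELEASE_PASSWORD" > prerelease.secret.txt` yields a file that sources back to the exact original values (the Containerfile's `[[` test already assumes the image shell is bash, which `%q` output needs). The `touch`/`chmod 600` pair also creates the file with the default umask for an instant; wrapping the write in `(umask 077; printf ... > prerelease.secret.txt)` removes that window and the two extra commands. The run of top-level statements continues outside the hunk.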
@@ -101,10 +109,11 @@ podman build --pull=newer --squash -f $CFILE -t build.sh.output \
 --build-arg CEPH_REF=${BRANCH:-main} \
 --build-arg OSD_FLAVOR=${FLAVOR:-default} \
 --build-arg CI_CONTAINER=${CI_CONTAINER:-default} \
- --build-arg PRERELEASE_USERNAME=${PRERELEASE_USERNAME} \
- --build-arg PRERELEASE_PASSWORD=${PRERELEASE_PASSWORD} \
+ --secret=id=prerelease_creds,src=./prerelease.secret.txt \
 2>&1 
+rm ./prerelease.secret.txt 
+
 image_id=$(podman image ls localhost/build.sh.output --format '{{.ID}}')
 # grab useful image attributes for building the tag 
-- 
2.39.5
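Review bot: `rm ./prerelease.secret.txt` only runs on the success path: if `podman build` fails while the script runs under `set -e` (not visible in this hunk), or the build is interrupted, the plaintext credential file stays in the working tree. Registering the cleanup before the file is written, `trap 'rm -f -- ./prerelease.secret.txt' EXIT`, covers every exit path, and the unconditional `rm` can then go. If the build context given to `podman build` (its final argument is outside this hunk) is this directory, the file is also part of the context sent to the build; creating it with `mktemp` outside the tree and passing that path as `src=` avoids that.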