rebased on master + applied the previous changes commit b96d5245e363b8e465c95fde3dd7d3a00078da07 Author: surtur <a_mirre@utb.cz> Date: Fri Oct 22 14:28:24 2021 +0200 chore: bump dind to 20.10.9 commit ca9cfe9733edef3df9ecae19d51976ea6371baf5 Author: surtur <a_mirre@utb.cz> Date: Tue Jun 8 22:32:45 2021 +0200 chore: bump docker to 20.10.7-dind commit 5dc2b561ae0cc0e75cf7f8ec78daeb0f1b2eafcd Author: surtur <a_mirre@utb.cz> Date: Tue Apr 13 10:00:07 2021 +0200 chore: bump docker to 20.10.6-dind commit 6dc63b2b1d7ec133ae2b4a210f625364faa973b1 Author: surtur <a_mirre@utb.cz> Date: Wed Mar 17 02:35:29 2021 +0100 chore: bump docker to 20.10.5-dind commit 1ae4536a1e38d54e3d29812b70e52fabd25530b7 Author: surtur <a_mirre@utb.cz> Date: Wed Mar 17 01:11:36 2021 +0100 docker: add multiple different image tags rolling: * latest * edge-dind fixed to a commit: * ${DRONE_COMMIT_SHA:0:8} * ${DRONE_COMMIT_SHA:0:8}-edge-dind * ${DRONE_COMMIT_SHA:0:8}-linux-amd64 commit 6b86978633e0b5ba039bb5139a4f9d83ce5b0e35 Author: surtur <a_mirre@utb.cz> Date: Wed Mar 17 02:22:36 2021 +0100 ci: use plugins/docker:linux-amd64 * bump from :18 * add repo tag for dry_run commit 2a52c7ee365d4e05d6657fe0481af4c073c59d62 Author: surtur <a_mirre@utb.cz> Date: Tue Mar 16 22:26:30 2021 +0100 chore: bump docker to 19.03.15-dind commit e5693c332a0e81366085ce9508590242f5e79f5a Author: surtur <a_mirre@utb.cz> Date: Tue Mar 16 21:53:51 2021 +0100 ci: dry-run on push+publish to immawanderer commit 07c40b46a61421b1c3a6aa6bc4edaf089631c360 Author: surtur <a_mirre@utb.cz> Date: Tue Mar 16 19:59:34 2021 +0100 jsonnet: thow out {arm,gcr,acr,heroku} stuff commit f0056159bf98e9130d1af882f08fdde2e382629c Author: surtur <a_mirre@utb.cz> Date: Tue Mar 16 19:26:12 2021 +0100 ci: edit .drone.yml to only build for linux-amd64 * rm windows pipelines as I don't have any windows runners * rm arm/arm64 pipelines as I don't have any arm runners * rm {ecr,acr,whatever} publish steps as we're not publishing anything just yet * tag 
the image under immawanderer, not the official plugins repo * run as a dry_run (cause we're not really publishing, right?) commit 6ec5e7141117e1489faa378b1c00e459d789642d Merge: 88f8bf1 0911e6a Author: TP Honey <tp@harness.io> Date: Wed Oct 13 17:19:30 2021 +0100 Merge pull request #338 from tphoney/bump-go-1.13 (maint) bump git to 1.13 for build and test commit 0911e6a922663d52e1d9e4dfdee51a383d2b95fa Author: TP Honey <tp@harness.io> Date: Wed Oct 13 14:49:29 2021 +0100 (maint) bump git to 1.13 for build and test commit 88f8bf1cb0c41297dbe8f5bb5ff1006b51a9f718 Merge: 607b04a 2d70a1f Author: TP Honey <tp@harness.io> Date: Wed Oct 13 14:32:03 2021 +0100 Merge pull request #337 from tphoney/prep_v19.03.9 (maint) v19.03.9 release prep commit 2d70a1fa7cb4a8f2afe38cad3a1984804f1df464 Author: TP Honey <tp@harness.io> Date: Wed Oct 13 14:24:58 2021 +0100 (maint) v19.03.9 release prep commit 607b04a8719332e8bbef6ff76ac26e30715df060 Merge: 72ef7b1 e44c2d4 Author: Eoin McAfee <83226740+eoinmcafee00@users.noreply.github.com> Date: Thu Sep 23 15:52:24 2021 +0100 Merge pull request #333 from jimsheldon/ecr-externalid adding support for externalId commit e44c2d46eafd5f223ac246eb003bc6b3427b3374 Author: Jim Sheldon <jim.sheldon@meltwater.com> Date: Fri Sep 17 15:33:05 2021 -0400 adding support for externalId commit 72ef7b1f3fa6c47c58f33ca312bdc8c484b6c5a4 Author: Brad Rydzewski <bradley.rydzewski@harness.io> Date: Mon Aug 2 22:15:39 2021 -0400 log available credentials before login commit fbbeec5a2e5845e488100da3885dc630fa3468fe Author: Brad Rydzewski <bradley.rydzewski@harness.io> Date: Mon Aug 2 21:42:22 2021 -0400 use Replace instead of ReplaceAll commit b1d8698d1c5eb834b0703939e1001d23152300d2 Author: Brad Rydzewski <bradley.rydzewski@harness.io> Date: Mon Aug 2 21:28:37 2021 -0400 print login failure reason to output commit d4cf9f20f175ae550b11e0eeb44604c6d71bee20 Author: Brad Rydzewski <brad.rydzewski@gmail.com> Date: Sun Jul 11 15:50:43 2021 -0400 remove pull always commit 
f75380013d16585f4e4038483d6b948f0c025ff4 Merge: dd359df c10d367 Author: Brad Rydzewski <brad.rydzewski@gmail.com> Date: Sun Jul 11 15:39:35 2021 -0400 Merge pull request #325 from drone-plugins/revert-322-update-seccomp Revert "Update seccomp to 20.10 docker" commit c10d36754ccf53341f462a2e9f703315cc31f0cf Author: Brad Rydzewski <brad.rydzewski@gmail.com> Date: Sun Jul 11 15:38:04 2021 -0400 Revert "Update seccomp to 20.10 docker (#322)" This reverts commit dd359dfc7242b257f0f2078f1ef9027391d0bd0a. commit dd359dfc7242b257f0f2078f1ef9027391d0bd0a Author: techknowlogick <matti@mdranta.net> Date: Wed Jul 7 15:03:54 2021 -0400 Update seccomp to 20.10 docker (#322) * Update seccomp to 20.10 docker commit 729aa5d300a4085cfa6e0e8776368710a7fa96be Merge: f08821b db5c216 Author: TP Honey <tp@harness.io> Date: Wed Jul 7 19:52:19 2021 +0100 Merge pull request #323 from tphoney/docker_rate_limit (maint) CI, remove the dry run steps, due to rate limiting commit db5c2161febe6292386d9dc7dd8e20047219d15e Author: TP Honey <tp@harness.io> Date: Wed Jul 7 19:37:30 2021 +0100 (maint) CI, remove the dry run steps, due to rate limiting commit f08821b02496bfa8814d688523e170156050128f Merge: 0f6bd8a 5760e7b Author: Brad Rydzewski <brad.rydzewski@gmail.com> Date: Tue Apr 6 15:55:56 2021 -0400 Merge pull request #300 from rvoitenko/ecr_scan_on_push ECR: adding setting to enable image scanning while repo creation commit 5760e7b4e821a89805454f614cf2635f7ff7dc96 Merge: 3501d9a 7ade37a Author: Roman Voitenko <r00mka@gmail.com> Date: Sat Feb 20 13:32:16 2021 +0100 Merge branch 'master' into ecr_scan_on_push commit 3501d9a65d0f773b01cf2c1a50d13a7726bca166 Author: Roman Voitenko <roman.voitenko@konsult.atg.se> Date: Thu Oct 1 10:43:25 2020 +0200 add possibility to turn on/off image scanning not only during repo creation, but when repo already created commit d8b6b48fa34561c16680cc5787ab97b3f18b2141 Author: Roman Voitenko <roman.voitenko@konsult.atg.se> Date: Wed Sep 30 23:32:23 2020 +0200 add 
possibility to turn on ECR image scanning for repos created by ecr plugin
package main
import (
|
|
"encoding/base64"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"log"
|
|
"os"
|
|
"os/exec"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/joho/godotenv"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
|
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
|
|
"github.com/aws/aws-sdk-go/aws/session"
|
|
"github.com/aws/aws-sdk-go/service/ecr"
|
|
)
// defaultRegion is the AWS region used when none is configured through
// PLUGIN_REGION, ECR_REGION or AWS_REGION.
const defaultRegion = "us-east-1"
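// main is the entry point of the drone-ecr plugin. It resolves ECR login
// credentials (optionally through an assumed IAM role), creates the
// repository and applies its policies when configured to, exports the
// resolved settings through the environment and then runs the base
// drone-docker plugin, which performs the actual build and push.
func main() {
	// Load env-file if it exists first. The file is optional configuration,
	// so a load failure is reported but does not abort the plugin.
	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
		if err := godotenv.Load(env); err != nil {
			log.Printf("warning: could not load env file %q: %v", env, err)
		}
	}

	var (
		repo             = getenv("PLUGIN_REPO")
		registry         = getenv("PLUGIN_REGISTRY")
		region           = getenv("PLUGIN_REGION", "ECR_REGION", "AWS_REGION")
		key              = getenv("PLUGIN_ACCESS_KEY", "ECR_ACCESS_KEY", "AWS_ACCESS_KEY_ID")
		secret           = getenv("PLUGIN_SECRET_KEY", "ECR_SECRET_KEY", "AWS_SECRET_ACCESS_KEY")
		create           = parseBoolOrDefault(false, getenv("PLUGIN_CREATE_REPOSITORY", "ECR_CREATE_REPOSITORY"))
		lifecyclePolicy  = getenv("PLUGIN_LIFECYCLE_POLICY")
		repositoryPolicy = getenv("PLUGIN_REPOSITORY_POLICY")
		assumeRole       = getenv("PLUGIN_ASSUME_ROLE")
		externalId       = getenv("PLUGIN_EXTERNAL_ID")
		scanOnPush       = parseBoolOrDefault(false, getenv("PLUGIN_SCAN_ON_PUSH"))
	)

	// set the region, falling back to the default when none was configured
	if region == "" {
		region = defaultRegion
	}
	os.Setenv("AWS_REGION", region)

	// Static credentials are only exported when both halves are present;
	// otherwise the SDK's own credential lookup is left to do its work.
	if key != "" && secret != "" {
		os.Setenv("AWS_ACCESS_KEY_ID", key)
		os.Setenv("AWS_SECRET_ACCESS_KEY", secret)
	}

	sess, err := session.NewSession(&aws.Config{Region: &region})
	if err != nil {
		log.Fatalf("error creating aws session: %v", err)
	}

	svc := getECRClient(sess, assumeRole, externalId)
	username, password, defaultRegistry, err := getAuthInfo(svc)
	if err != nil {
		log.Fatalf("error getting ECR auth: %v", err)
	}
	if registry == "" {
		registry = defaultRegistry
	}

	if !strings.HasPrefix(repo, registry) {
		repo = fmt.Sprintf("%s/%s", registry, repo)
	}
	// The ECR API takes the bare repository name, without the registry host.
	name := trimHostname(repo, registry)

	if create {
		if err := ensureRepoExists(svc, name, scanOnPush); err != nil {
			log.Fatalf("error creating ECR repo: %v", err)
		}
		// Apply the scan setting even when the repository already existed,
		// since creation only sets it for new repositories.
		if err := updateImageScannningConfig(svc, name, scanOnPush); err != nil {
			log.Fatalf("error updating scan on push for ECR repo: %v", err)
		}
	}

	if lifecyclePolicy != "" {
		p, err := ioutil.ReadFile(lifecyclePolicy)
		if err != nil {
			log.Fatal(err)
		}
		if err := uploadLifeCyclePolicy(svc, string(p), name); err != nil {
			log.Fatalf("error uploading ECR lifecycle policy: %v", err)
		}
	}

	if repositoryPolicy != "" {
		p, err := ioutil.ReadFile(repositoryPolicy)
		if err != nil {
			log.Fatal(err)
		}
		if err := uploadRepositoryPolicy(svc, string(p), name); err != nil {
			log.Fatalf("error uploading ECR repository policy: %v", err)
		}
	}

	// Hand the resolved settings to the base plugin through its environment.
	// DOCKER_PASSWORD carries the decoded ECR authorization token, so it is
	// deliberately never written to the log.
	os.Setenv("PLUGIN_REPO", repo)
	os.Setenv("PLUGIN_REGISTRY", registry)
	os.Setenv("DOCKER_USERNAME", username)
	os.Setenv("DOCKER_PASSWORD", password)

	// invoke the base docker plugin binary
	cmd := exec.Command("drone-docker")
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	if err := cmd.Run(); err != nil {
		// The child already wrote its own diagnostics to stderr; only record
		// why this wrapper exits non-zero.
		log.Printf("drone-docker failed: %v", err)
		os.Exit(1)
	}
}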
// trimHostname strips the registry host, and any slashes that follow it,
// from repo, yielding the bare repository name that is passed to the ECR API.
func trimHostname(repo, registry string) string {
	name := strings.TrimPrefix(repo, registry)
	return strings.TrimLeft(name, "/")
}
// ensureRepoExists creates the ECR repository name with the given scan-on-push
// setting. A RepositoryAlreadyExists error from the API is treated as success;
// every other error is returned unchanged.
func ensureRepoExists(svc *ecr.ECR, name string, scanOnPush bool) (err error) {
	input := &ecr.CreateRepositoryInput{
		RepositoryName: aws.String(name),
		ImageScanningConfiguration: &ecr.ImageScanningConfiguration{
			ScanOnPush: aws.Bool(scanOnPush),
		},
	}

	if _, err = svc.CreateRepository(input); err == nil {
		return nil
	}
	// Creating blindly and tolerating "already exists" saves the describe
	// round-trips an existence check would cost.
	if aerr, ok := err.(awserr.Error); ok && aerr.Code() == ecr.ErrCodeRepositoryAlreadyExistsException {
		return nil
	}
	return err
}
// updateImageScannningConfig sets the scan-on-push flag of the repository
// name. ensureRepoExists only applies the flag when it creates the
// repository, so this call is what changes it for repositories that
// already existed.
func updateImageScannningConfig(svc *ecr.ECR, name string, scanOnPush bool) (err error) {
	input := &ecr.PutImageScanningConfigurationInput{
		RepositoryName: aws.String(name),
		ImageScanningConfiguration: &ecr.ImageScanningConfiguration{
			ScanOnPush: aws.Bool(scanOnPush),
		},
	}
	_, err = svc.PutImageScanningConfiguration(input)
	return err
}
// uploadLifeCyclePolicy installs lifecyclePolicy (the policy document text)
// on the repository name, returning the API error if the call fails.
func uploadLifeCyclePolicy(svc *ecr.ECR, lifecyclePolicy string, name string) (err error) {
	input := &ecr.PutLifecyclePolicyInput{
		LifecyclePolicyText: aws.String(lifecyclePolicy),
		RepositoryName:      aws.String(name),
	}
	_, err = svc.PutLifecyclePolicy(input)
	return err
}
// uploadRepositoryPolicy installs repositoryPolicy (the policy document
// text) as the access policy of the repository name, returning the API
// error if the call fails.
func uploadRepositoryPolicy(svc *ecr.ECR, repositoryPolicy string, name string) (err error) {
	input := &ecr.SetRepositoryPolicyInput{
		PolicyText:     aws.String(repositoryPolicy),
		RepositoryName: aws.String(name),
	}
	_, err = svc.SetRepositoryPolicy(input)
	return err
}
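// getAuthInfo requests an ECR authorization token and splits it into the
// docker login username and password, together with the registry host
// (the proxy endpoint with its https:// scheme removed).
//
// The token is base64("user:password"); the decoded credentials are secrets
// and callers must not log them.
func getAuthInfo(svc *ecr.ECR) (username, password, registry string, err error) {
	result, err := svc.GetAuthorizationToken(&ecr.GetAuthorizationTokenInput{})
	if err != nil {
		return "", "", "", err
	}
	// The response may carry no authorization data or nil fields; check
	// instead of dereferencing and panicking with an unhelpful trace.
	if len(result.AuthorizationData) == 0 {
		return "", "", "", fmt.Errorf("ecr returned no authorization data")
	}
	auth := result.AuthorizationData[0]
	if auth.AuthorizationToken == nil || auth.ProxyEndpoint == nil {
		return "", "", "", fmt.Errorf("ecr authorization data is missing token or proxy endpoint")
	}

	decoded, err := base64.StdEncoding.DecodeString(*auth.AuthorizationToken)
	if err != nil {
		return "", "", "", err
	}
	// Split on the first ':' only, so a password containing ':' stays intact.
	creds := strings.SplitN(string(decoded), ":", 2)
	if len(creds) != 2 {
		return "", "", "", fmt.Errorf("ecr authorization token is not in user:password form")
	}

	registry = strings.TrimPrefix(*auth.ProxyEndpoint, "https://")
	return creds[0], creds[1], registry, nil
}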
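// parseBoolOrDefault parses s with strconv.ParseBool and returns defaultValue
// when s is empty or not one of the boolean spellings ParseBool accepts.
func parseBoolOrDefault(defaultValue bool, s string) bool {
	result, err := strconv.ParseBool(s)
	if err != nil {
		// Fall back to the caller's default rather than a hard-coded false;
		// that is what the defaultValue parameter exists for.
		return defaultValue
	}
	return result
}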
// getenv returns the value of the first variable in key that is set to a
// non-empty string, or "" when none of them is.
func getenv(key ...string) (s string) {
	for _, name := range key {
		if v := os.Getenv(name); v != "" {
			return v
		}
	}
	return ""
}
// getECRClient builds the ECR client on sess. When role is non-empty the
// client's credentials come from assuming that role through STS, with
// externalId attached to the AssumeRole call whenever it is non-empty.
func getECRClient(sess *session.Session, role string, externalId string) *ecr.ECR {
	if role == "" {
		return ecr.New(sess)
	}

	var opts []func(*stscreds.AssumeRoleProvider)
	if externalId != "" {
		opts = append(opts, func(p *stscreds.AssumeRoleProvider) {
			p.ExternalID = &externalId
		})
	}
	return ecr.New(sess, &aws.Config{
		Credentials: stscreds.NewCredentials(sess, role, opts...),
	})
}