-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(evergreen): authenticate with docker so that we don't make unauthenticated pulls #6498
Conversation
@@ -113,6 +115,8 @@ function printCompassEnv() { | |||
|
|||
// https://jira.mongodb.org/browse/NODE-6320 | |||
printVar('GYP_DEFINES', `kerberos_use_rtld=${process.platform === 'linux'}`); | |||
|
|||
printVar('DOCKER_CONFIG', `${originalPWD}/.evergreen/docker-config`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not exactly a secret but we already have this code running everywhere and we need to build an abs path somehow 🤷
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should not be everywhere, but just where we use docker without arifactory, which we use for signatures
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's gonna be tricky. I'll try and refactor it - let's see if it works first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems to have logged in to artifactory using the existing username/password vars we have for that and worked just fine.
We currently have most of our env vars together and this way it makes use of our existing code to that makes sure we don't accidentally leak secrets in logs. This way it should also be impossible to forget to log in and get all of evergreen rate limited if we ever start using docker in more places.
So I think we should just keep an eye on it for now and we can make more PRs to isolate that var if we have to. Worst case we just temporarily revert this PR.
.evergreen/print-compass-env.js
Outdated
@@ -74,6 +74,8 @@ function printCompassEnv() { | |||
pathsToPrepend.unshift('/opt/mongodbtoolchain/v4/bin'); | |||
} | |||
|
|||
pathsToPrepend(`${originalPWD}/.evergreen/docker-config/bin`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No idea if this should use /cygdrive/c or /cygdrive/z.. we'll see.
@@ -113,6 +115,8 @@ function printCompassEnv() { | |||
|
|||
// https://jira.mongodb.org/browse/NODE-6320 | |||
printVar('GYP_DEFINES', `kerberos_use_rtld=${process.platform === 'linux'}`); | |||
|
|||
printVar('DOCKER_CONFIG', `${originalPWD}/.evergreen/docker-config`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should not be everywhere, but just where we use docker without arifactory, which we use for signatures
This should help with the rate limiting.