Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(evergreen): authenticate with docker so that we don't make unauthenticated pulls #6498

Merged
merged 12 commits into from
Nov 19, 2024

Conversation

lerouxb
Copy link
Contributor

@lerouxb lerouxb commented Nov 14, 2024

This should help with the rate limiting.

@lerouxb lerouxb added no release notes Fix or feature not for release notes no-title-validation Skips validation of PR titles (conventional commit adherence + JIRA ticket inclusion) labels Nov 14, 2024
@@ -113,6 +115,8 @@ function printCompassEnv() {

// https://jira.mongodb.org/browse/NODE-6320
printVar('GYP_DEFINES', `kerberos_use_rtld=${process.platform === 'linux'}`);

printVar('DOCKER_CONFIG', `${originalPWD}/.evergreen/docker-config`);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not exactly a secret but we already have this code running everywhere and we need to build an abs path somehow 🤷

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should not be everywhere, but just where we use docker without arifactory, which we use for signatures

Copy link
Contributor Author

@lerouxb lerouxb Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's gonna be tricky. I'll try and refactor it - let's see if it works first.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to have logged in to artifactory using the existing username/password vars we have for that and worked just fine.

We currently have most of our env vars together and this way it makes use of our existing code to that makes sure we don't accidentally leak secrets in logs. This way it should also be impossible to forget to log in and get all of evergreen rate limited if we ever start using docker in more places.

So I think we should just keep an eye on it for now and we can make more PRs to isolate that var if we have to. Worst case we just temporarily revert this PR.

@@ -74,6 +74,8 @@ function printCompassEnv() {
pathsToPrepend.unshift('/opt/mongodbtoolchain/v4/bin');
}

pathsToPrepend(`${originalPWD}/.evergreen/docker-config/bin`);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No idea if this should use /cygdrive/c or /cygdrive/z.. we'll see.

@lerouxb lerouxb changed the title chore(evergreen): docker login so that we do authenticated pulls chore(evergreen): authenticate with docker so that we do authenticated pulls Nov 15, 2024
@lerouxb lerouxb changed the title chore(evergreen): authenticate with docker so that we do authenticated pulls chore(evergreen): authenticate with docker so that we don't make unauthenticated pulls Nov 15, 2024
@@ -113,6 +115,8 @@ function printCompassEnv() {

// https://jira.mongodb.org/browse/NODE-6320
printVar('GYP_DEFINES', `kerberos_use_rtld=${process.platform === 'linux'}`);

printVar('DOCKER_CONFIG', `${originalPWD}/.evergreen/docker-config`);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should not be everywhere, but just where we use docker without arifactory, which we use for signatures

@lerouxb lerouxb merged commit 52098dd into main Nov 19, 2024
30 checks passed
@lerouxb lerouxb deleted the docker-login branch November 19, 2024 13:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
no release notes Fix or feature not for release notes no-title-validation Skips validation of PR titles (conventional commit adherence + JIRA ticket inclusion)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants