-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add quay support #2783
Add quay support #2783
Conversation
Thanks @Ashmita152 . To my taste, there's too much repetition. What if we encapsulate the docker vs quay only within the scripts/travis/upload-to-docker.sh script? I don't think anything above it needs to know about where the images are being uploaded. And ideally we would even move the logging in steps into the same script, as there's no reason to do it before the actual upload decision is made. I assume we can pass the login/password via env and it won't be leaked to the logs (we should verify that). |
Codecov Report
@@ Coverage Diff @@
## master #2783 +/- ##
==========================================
+ Coverage 95.88% 95.92% +0.03%
==========================================
Files 218 218
Lines 9606 9620 +14
==========================================
+ Hits 9211 9228 +17
+ Misses 327 323 -4
- Partials 68 69 +1
Continue to review full report at Codecov.
|
Hi @yurishkuro Thank you for the feedback. I see your point. Let me think about it. |
Hi @yurishkuro I have updated the PR with your suggestion. I hope this time, I took the expected approach. Two things we need to do before merging:
Regards. |
did you try pushing the login steps into |
@Ashmita152 see my test PR #2797. This is the GH run: https://github.com/jaegertracing/jaeger/runs/1846319012?check_suite_focus=true The env var is never printed in the logs when logging into docker. We can remove all the login steps from the workflows.
The error is because I used a fake token, it should work with the real one. |
Sure Yuri, sounds good. I will update it. |
Hi @yurishkuro I just realised that the DOCKERHUB_TOKEN is exposed in the above GitHub Action run you shared. I agree with you that we need to cleanup this login. I am trying to find a way to move dockerhub login and quay login as a separate GitHub Action if possible. |
Oh I misunderstood your point. You are right, it will never show up in logs. |
Hi Yuri, I decided to keep the dockerhub+quay login part as a separate github action mainly because of two reasons:
Let me know in case you feel otherwise. |
if [[ ("$BRANCH" == "master" || $BRANCH =~ ^v[0-9]+\.[0-9]+\.[0-9]+$) && "$DOCKERHUB_LOGIN" == "true" ]]; then | ||
echo "upload $1 to Docker Hub" | ||
# Only push the docker image to dockerhub/quay.io for master/release branch and when dockerhub or quay.io login is done | ||
if [[ ("$BRANCH" == "master" || $BRANCH =~ ^v[0-9]+\.[0-9]+\.[0-9]+$) && ("$DOCKERHUB_LOGIN" == "true" || "$QUAY_LOGIN" == "true") ]]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still think we need to push to upload script the login-related checks. If in the future we need to add one more registry, I only want to have to change the upload script. The var checks are not essential here, and we didn't have them before GHA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I remember correctly, those DOCKERHUB_LOGIN var check wasn't there in Travis days because we used to set DOCKERHUB_TOKEN from Travis UI. After moving to GHA, we set them Github org secrets which aren't accessible in case of PRs that's why we added it. My understanding is if we remove those checks and if someone raises a PR from their fork's master branch, it will try to push images to dockerhub and fail.
scripts/travis/upload-to-docker.sh
Outdated
if [[ -n ${minor:-} ]]; then | ||
docker tag $IMAGE $REPO:${major}.${minor} | ||
docker tag $IMAGE ${QUAY_PREFIX}/$REPO:${major}.${minor} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't look quite right - this tagging will apply to Docker as well? Maybe we can simply prefix the REPO at the beginning once if quay login is in effect, and run the same set of commands otherwise. Let's separate the logic of the script from the destination registry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I get it correctly, we should make the script upload-to-docker.sh to accept a parameter with acceptable values as "dockerhub" or "quay" and should remove all if dockerhub/quay conditions and make the script agnostic of the upstream registry ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is what I am suggesting:
- In the workflows, we call
upload-to-docker.sh
and pass secrets as env vars (instead of having a dedicated login action) upload-to-docker.sh
looks like this:
function do_upload() {
registry = $1
prefix = $2
token_var = $3
marker=.$registry.login
if [ ! -f $marker && -v $token_var ]; then
printenv $token_var | docker login ...
touch marker
fi
if [ ! -f $marker ]; then
echo "skipping upload to $registry, not logged in:
return
fi
# current content of upload-to-docker.sh before this PR
}
do_upload "docker.io" "" "DOCKERHUB_TOKEN"
do_upload "quay.io" "quay prefix" "QUAY_TOKEN"
This way, the only thing that individual actions need to do about logging in is pass the token as env. The login logic is encapsulated into the upload script, the fact that it does docker and quay is also encapsulated, and the login is efficient by using a cache "marker" file
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds great Yuri.
A couple of comments:
|
Signed-off-by: Ashmita Bohara <[email protected]>
Signed-off-by: Ashmita Bohara <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great! Almost all redundancy is eliminated, should be much easier to maintain going forward.
Signed-off-by: Ashmita Bohara <[email protected]>
Signed-off-by: Ashmita Bohara <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good if you try running the upload script manually (you can build one of the images locally and try to push it to your personal account at quay/dockerhub) and include a paste of the execution logs.
Thank you for the feedbacks. Sure Yuri, I will test this PR from my fork properly both from merge to master + release perspective and share with the links. |
Signed-off-by: Ashmita Bohara <[email protected]>
Nice! |
I think this is almost ready to merge (just one tiny fix), but it would be nice to see a test run logs. Of course, we could merge and see if the publishing succeeds and fix forward. |
Signed-off-by: Ashmita Bohara <[email protected]>
Pull request has been modified.
Right, I am still testing with my fork. I will share the result once I am done testing. |
Signed-off-by: Ashmita Bohara <[email protected]>
Signed-off-by: Ashmita Bohara <[email protected]>
scripts/travis/upload-to-registry.sh
Outdated
|
||
try_login ${registry} ${user} ${token} ${marker} | ||
|
||
if [ ! -f ${marker} ] && [ -z ${token} ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no need to check for token here, it is in fact harmful since if it is not set you fall through to the else-clause and try to upload
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
another way to refactor this is to do something like this:
if [ try_login ${registry} ${user} ${token} ] ; then
# do upload
else
# echo no upload
fi
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This way the marker can be hidden inside try_login
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trying it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am little confused about this change. If we use this way, let's say we don't specify token for one of the registries, won't it will still try to upload to that registry since we no longer checking for marker file and deciding based on the return value of try_login function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this specific location, if the marker file does not exist, it means we did not log in, so no point in trying to upload. That's why the extra && -v $token
condition was wrong.
Otherwise, if you're asking about the if [ try_login ]
version, then the function should return true only if it successfully logged in, i.e. it needs to be modified slightly to return false when token is not defined.
I wouldn't worry about it, lets leave it as it is now.
Signed-off-by: Ashmita Bohara <[email protected]>
Hi @yurishkuro I can confirm that this PR works as expected. I tested by merging my branch in my fork. I wasn't able to make the quay's robot user work for pushing to quay image and keep getting this error while pushing from robot account.
Then I used the main quay user account. I found one bug and fixed it here: 3b2ea2e Otherwise for quay.io,
This will fail because image will be missing because we was never labelling the latest tag for quay. All the GH actions completed successfully: https://github.com/Ashmita152/jaeger/runs/1873169008 Regards. |
Given the positive test evidence, I think it's time to merge, and see if it works with real credentials / repos. |
@jpkrohling any thoughts?
|
Oops, it should be |
|
||
DOCKERHUB_USERNAME=${DOCKERHUB_USERNAME:-"jaegertracingbot"} | ||
DOCKERHUB_TOKEN=${DOCKERHUB_TOKEN:-} | ||
QUAY_USERNAME=${QUAY_USERNAME:-"jaegertracingbot+github_workflows"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this isn't being take from the env var set as secret in the project. The right username for this is jaegertracing+github_workflows
Signed-off-by: Ashmita Bohara [email protected]
I am still trying to figure out ways to test it properly before merging. Looking for feedback to validate the approach.
Which problem is this PR solving?
Solves #2498
Short description of the changes