Skip to content

chore(evergreen): authenticate with docker so that we don't make unauthenticated pulls #6498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Nov 19, 2024
Merged

chore(evergreen): authenticate with docker so that we don't make unauthenticated pulls #6498

merged 12 commits into from
Nov 19, 2024

Conversation

@lerouxb
Copy link
Contributor

@lerouxb lerouxb commented Nov 14, 2024
edited
Loading

This should help with the rate limiting.

@lerouxb lerouxb added no release notes Fix or feature not for release notes no-title-validation Skips validation of PR titles (conventional commit adherence + JIRA ticket inclusion) labels Nov 14, 2024
gribnoysup
gribnoysup reviewed Nov 15, 2024
View reviewed changes
lerouxb
lerouxb commented Nov 15, 2024
View reviewed changes
.evergreen/print-compass-env.js
// https://jira.mongodb.org/browse/NODE-6320
printVar('GYP_DEFINES', `kerberos_use_rtld=${process.platform === 'linux'}`);

printVar('DOCKER_CONFIG', `${originalPWD}/.evergreen/docker-config`);
Copy link
Contributor Author

@lerouxb lerouxb Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not exactly a secret but we already have this code running everywhere and we need to build an abs path somehow 🤷

Copy link
Collaborator

@mcasimir mcasimir Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should not be everywhere, but just where we use docker without arifactory, which we use for signatures

Copy link
Contributor Author

@lerouxb lerouxb Nov 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's gonna be tricky. I'll try and refactor it - let's see if it works first.

Copy link
Contributor Author

@lerouxb lerouxb Nov 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to have logged in to artifactory using the existing username/password vars we have for that and worked just fine.

We currently have most of our env vars together and this way it makes use of our existing code to that makes sure we don't accidentally leak secrets in logs. This way it should also be impossible to forget to log in and get all of evergreen rate limited if we ever start using docker in more places.

So I think we should just keep an eye on it for now and we can make more PRs to isolate that var if we have to. Worst case we just temporarily revert this PR.

lerouxb
lerouxb commented Nov 15, 2024
View reviewed changes
.evergreen/print-compass-env.js Outdated
pathsToPrepend.unshift('/opt/mongodbtoolchain/v4/bin');
}

pathsToPrepend(`${originalPWD}/.evergreen/docker-config/bin`);
Copy link
Contributor Author

@lerouxb lerouxb Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No idea if this should use /cygdrive/c or /cygdrive/z.. we'll see.

@lerouxb lerouxb changed the title chore(evergreen): docker login so that we do authenticated pulls chore(evergreen): authenticate with docker so that we do authenticated pulls Nov 15, 2024
@lerouxb lerouxb changed the title chore(evergreen): authenticate with docker so that we do authenticated pulls chore(evergreen): authenticate with docker so that we don't make unauthenticated pulls Nov 15, 2024
mcasimir
mcasimir approved these changes Nov 15, 2024
View reviewed changes
.evergreen/print-compass-env.js
// https://jira.mongodb.org/browse/NODE-6320
printVar('GYP_DEFINES', `kerberos_use_rtld=${process.platform === 'linux'}`);

printVar('DOCKER_CONFIG', `${originalPWD}/.evergreen/docker-config`);
Copy link
Collaborator

@mcasimir mcasimir Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should not be everywhere, but just where we use docker without arifactory, which we use for signatures

@lerouxb lerouxb merged commit 52098dd into main Nov 19, 2024
30 checks passed
@lerouxb lerouxb deleted the docker-login branch November 19, 2024 13:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gribnoysup gribnoysup gribnoysup left review comments

@mcasimir mcasimir mcasimir approved these changes

@Anemy Anemy Anemy approved these changes

Assignees

No one assigned

Labels

no release notes Fix or feature not for release notes no-title-validation Skips validation of PR titles (conventional commit adherence + JIRA ticket inclusion)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lerouxb @mcasimir @Anemy @gribnoysup