From e4e34b712e7868db000fe52ed01f713b1d96c31b Mon Sep 17 00:00:00 2001 From: Daniel Salazar Date: Mon, 12 Aug 2024 15:21:45 -0500 Subject: [PATCH] refac(back): #1364 simplify deploy container - Make it simpler and consistent with deployContainerManifest - Remove `images` option in favor of a flat approach - Remove attempts logic for simplicity - Update documentation Signed-off-by: Daniel Salazar --- docs/src/api/builtins/deploy.md | 117 +++++------------- makes.nix | 36 +++--- src/args/deploy-container/default.nix | 9 +- src/args/deploy-container/entrypoint.sh | 62 ++++------ .../modules/deploy-container/default.nix | 55 ++++---- 5 files changed, 89 insertions(+), 190 deletions(-) diff --git a/docs/src/api/builtins/deploy.md b/docs/src/api/builtins/deploy.md index 65b8b723..99a4fcb5 100644 --- a/docs/src/api/builtins/deploy.md +++ b/docs/src/api/builtins/deploy.md @@ -134,24 +134,16 @@ before sending the job to Batch. ## deployContainer -Deploy a set of container images -in [OCI Format](https://github.com/opencontainers/image-spec) -to the specified container registries. +Deploy a container image +in [OCI Format](https://github.com/opencontainers/image-spec). -For details on how to build container images in OCI Format -please read the `makeContainerImage` reference. +For details on how to build container images in OCI format, +please see [makeContainerImage](/api/extensions/containers#makecontainerimage). Types: -- deployContainer: - - images (`attrsOf imageType`): Optional. - Definitions of container images to deploy. - Defaults to `{ }`. -- imageType (`submodule`): - - attempts (`ints.positive`): Optional. - If the value of attempts is greater than one, - the job is retried on failure the same number of attempts as the value. - Defaults to `1`. +- deployContainer (`attrsOf targetType`): +- targetType (`submodule`): - credentials: - token (`str`): Name of the environment variable 
@@ -159,8 +151,8 @@ Types: - user (`str`): Name of the environment variable that stores the value of the registry user. - - registry (`str`): - Registry in which the image will be copied to. + - image (`str`): + Container registry path to which the image will be copied to. - setup (`listOf package`): Optional. [Makes Environment][makes_environment] or [Makes Secrets][makes_secrets] 
@@ -175,58 +167,31 @@ Types: Defaults to `false`. - src (`package`): Derivation that contains the container image in OCI Format. - - tag (`str`): - The tag under which the image will be stored in the registry. Example: === "makes.nix" ```nix - { - inputs, - outputs, - ... - }: { - inputs = { - nixpkgs = fetchNixpkgs { - rev = "f88fc7a04249cf230377dd11e04bf125d45e9abe"; - sha256 = "1dkwcsgwyi76s1dqbrxll83a232h9ljwn4cps88w9fam68rf8qv3"; - }; - }; - + { outputs, ... }: { deployContainer = { - images = { - nginxDockerHub = { - credentials = { - token = "DOCKER_HUB_PASS"; - user = "DOCKER_HUB_USER"; - }; - src = inputs.nixpkgs.dockerTools.examples.nginx; - sign = false; - registry = "docker.io"; - tag = "fluidattacks/nginx:latest"; - }; - redisGitHub = { - credentials = { - token = "GITHUB_TOKEN"; - user = "GITHUB_ACTOR"; - }; - src = inputs.nixpkgs.dockerTools.examples.redis; - sign = true; - registry = "ghcr.io"; - tag = "fluidattacks/redis:$(date +%Y.%m)"; # Tag from command + makesAmd64 = { + credentials = { + token = "GITHUB_TOKEN"; + user = "GITHUB_ACTOR"; }; - makesGitLab = { - credentials = { - token = "CI_REGISTRY_PASSWORD"; - user = "CI_REGISTRY_USER"; - }; - src = outputs."/containerImage"; - sign = false; - registry = "registry.gitlab.com"; - tag = "fluidattacks/product/makes:$MY_VAR"; # Tag from env var + image = "ghcr.io/fluidattacks/makes:amd64"; + src = outputs."/container-image"; + sign = true; + }; + makesArm64 = { + credentials = { + token = "GITHUB_TOKEN"; + user = "GITHUB_ACTOR"; }; + image = "ghcr.io/fluidattacks/makes:arm64"; + src = outputs."/container-image"; + sign = true; }; }; } 
@@ -235,19 +200,19 @@ Example: === "Invocation DockerHub" ```bash - DOCKER_HUB_USER=user DOCKER_HUB_PASS=123 m . /deployContainer/nginxDockerHub + DOCKER_HUB_USER=user DOCKER_HUB_PASS=123 m . /deployContainer/makesAmd64 ``` === "Invocation GitHub" ```bash - GITHUB_ACTOR=user GITHUB_TOKEN=123 m . /deployContainer/makesLatest + GITHUB_ACTOR=user GITHUB_TOKEN=123 m . /deployContainer/makesAmd64 ``` === "Invocation GitLab" ```bash - CI_REGISTRY_USER=user CI_REGISTRY_PASSWORD=123 m . /deployContainer/makesGitLab + CI_REGISTRY_USER=user CI_REGISTRY_PASSWORD=123 m . /deployContainer/makesAmd64 ``` ## deployContainerManifest @@ -302,33 +267,7 @@ Example: === "makes.nix" ```nix - { - deployContainer = { - images = { - makesAmd64 = { - attempts = 3; - credentials = { - token = "GITHUB_TOKEN"; - user = "GITHUB_ACTOR"; - }; - registry = "ghcr.io"; - src = outputs."/container-image"; - sign = true; - tag = "fluidattacks/makes:amd64"; - }; - makesArm64 = { - attempts = 3; - credentials = { - token = "GITHUB_TOKEN"; - user = "GITHUB_ACTOR"; - }; - registry = "ghcr.io"; - src = outputs."/container-image"; - sign = true; - tag = "fluidattacks/makes:arm64"; - }; - }; - }; + { outputs, ... }: { deployContainerManifest = { makes = { credentials = { diff --git a/makes.nix b/makes.nix index 7cb6eae5..f734c5c6 100644 --- a/makes.nix +++ b/makes.nix 
@@ -19,29 +19,23 @@ target = "github.com/fluidattacks/makes"; }; deployContainer = { - images = { - makesAmd64 = { - attempts = 3; - credentials = { - token = "GITHUB_TOKEN"; - user = "GITHUB_ACTOR"; - }; - registry = "ghcr.io"; - src = outputs."/container-image"; - sign = true; - tag = "fluidattacks/makes:amd64"; + makesAmd64 = { + credentials = { + token = "GITHUB_TOKEN"; + user = "GITHUB_ACTOR"; }; - makesArm64 = { - attempts = 3; - credentials = { - token = "GITHUB_TOKEN"; - user = "GITHUB_ACTOR"; - }; - registry = "ghcr.io"; - src = outputs."/container-image"; - sign = true; - tag = "fluidattacks/makes:arm64"; + image = "ghcr.io/fluidattacks/makes:amd64"; + src = outputs."/container-image"; + sign = true; + }; + makesArm64 = { + credentials = { + token = "GITHUB_TOKEN"; + user = "GITHUB_ACTOR"; }; + image = "ghcr.io/fluidattacks/makes:arm64"; + src = outputs."/container-image"; + sign = true; }; }; deployContainerManifest = { diff --git a/src/args/deploy-container/default.nix b/src/args/deploy-container/default.nix index a5e1514a..c426c6f2 100644 --- a/src/args/deploy-container/default.nix +++ b/src/args/deploy-container/default.nix @@ -1,15 +1,12 @@ { __nixpkgs__, makeScript, ... }: -{ attempts ? 1, containerImage, credentials, name, registry, setup, sign, tag, -}: +{ credentials, image, name, setup, sign, src }: makeScript { replace = { - __argAttempts__ = attempts; - __argContainerImage__ = containerImage; __argCredentialsToken__ = credentials.token; __argCredentialsUser__ = credentials.user; - __argRegistry__ = registry; + __argImage__ = image; __argSign__ = sign; - __argTag__ = "${registry}/${tag}"; + __argSrc__ = src; }; entrypoint = ./entrypoint.sh; inherit name; diff --git a/src/args/deploy-container/entrypoint.sh b/src/args/deploy-container/entrypoint.sh index 57e7348c..71e4d8cc 100644 --- a/src/args/deploy-container/entrypoint.sh +++ b/src/args/deploy-container/entrypoint.sh 
@@ -1,75 +1,55 @@ # shellcheck shell=bash function deploy { - local attempts="${1}" - local container_image="${2}" - local credentials_token="${3}" - local credentials_user="${4}" - local tag="${5}" + local credentials_token="${1}" + local credentials_user="${2}" + local image="${3}" + local src="${4}" - : && info Syncing container image: "${tag}" \ - && command=( - skopeo - --insecure-policy - copy - --dest-creds "${credentials_user}:${credentials_token}" - "docker-archive://${container_image}" - "docker://${tag}" - ) \ - && temp="$(mktemp)" \ - && seq 1 "${attempts}" > "${temp}" \ - && mapfile -t nums < "${temp}" \ - && for num in "${nums[@]}"; do - if "${command[@]}"; then - return 0 - else - info Retrying number "${num}" ... - fi - done \ - && return 1 \ - || return 1 + : && info Syncing container image: "${image}" \ + && skopeo \ + --insecure-policy \ + copy \ + --dest-creds "${credentials_user}:${credentials_token}" \ + "docker-archive://${src}" \ + "docker://${image}" } function sign { local credentials_token="${1}" local credentials_user="${2}" - local registry="${3}" + local image="${3}" local sign="${4}" - local tag="${5}" if [ "${sign}" = "1" ]; then - : && info "Signing container image: ${tag}" \ + : && info "Signing container image: ${image}" \ && cosign sign \ --yes=true \ --registry-username="${credentials_user}" \ --registry-password="${credentials_token}" \ - "${tag}" + "${image}" else - : && info "Skipping signing container ${tag}" + : && info "Skipping signing container ${image}" fi } function main { - local attempts="__argAttempts__" - local container_image="__argContainerImage__" local credentials_token="${__argCredentialsToken__}" local credentials_user="${__argCredentialsUser__}" - local registry="__argRegistry__" + local image="__argImage__" local sign="__argSign__" - local tag="__argTag__" + local src="__argSrc__" : && deploy \ - "${attempts}" \ - "${container_image}" \ "${credentials_token}" \ "${credentials_user}" \ - "${tag}" \ + 
"${image}" \
+ "${src}" \
 && sign \
 "${credentials_token}" \
 "${credentials_user}" \
- "${registry}" \
- "${sign}" \
- "${tag}"
+ "${image}" \
+ "${sign}"
 }
 main "${@}"
diff --git a/src/evaluator/modules/deploy-container/default.nix b/src/evaluator/modules/deploy-container/default.nix
index 7552dfb1..c750ad73 100644
--- a/src/evaluator/modules/deploy-container/default.nix
+++ b/src/evaluator/modules/deploy-container/default.nix
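Review bot: The rewritten skopeo call in `deploy` still passes the registry token on the command line (`--dest-creds "${credentials_user}:${credentials_token}"`), and `sign` does the same through `--registry-password=`; argv is readable by other processes on the runner via `ps` or `/proc/<pid>/cmdline` and is echoed verbatim if the script is ever traced with `set -x`. Since the commit is already reshaping this invocation, it could authenticate once with `skopeo login --password-stdin` (token fed on stdin) and let `copy` resolve credentials from the auth file; whether cosign can reuse that credential store rather than `--registry-password=` needs confirming. Separately, `main` reads `"${__argCredentialsToken__}"` without checking it is set, so a missing variable yields an empty password and an opaque authentication failure from the registry; `local credentials_token="${__argCredentialsToken__:?credentials token variable is not set}"` would fail early with a clear message. `deploy`, `sign` and `main` are fully inside the hunk.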
@@ -4,48 +4,37 @@ let makeOutput = name: args: { name = "/deployContainer/${name}"; value = deployContainer { - inherit (args) attempts; inherit (args) credentials; - containerImage = args.src; + inherit (args) image; inherit name; - inherit (args) registry; inherit (args) setup; inherit (args) sign; - inherit (args) tag; + inherit (args) src; }; }; in { options = { - deployContainer = { - images = lib.mkOption { - default = { }; - type = lib.types.attrsOf (lib.types.submodule (_: { - options = { - attempts = lib.mkOption { - default = 1; - type = lib.types.ints.positive; - }; - credentials = { - token = lib.mkOption { type = lib.types.str; }; - user = lib.mkOption { type = lib.types.str; }; - }; - registry = lib.mkOption { type = lib.types.str; }; - setup = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.package; - }; - sign = lib.mkOption { - default = false; - type = lib.types.bool; - }; - src = lib.mkOption { type = lib.types.package; }; - tag = lib.mkOption { type = lib.types.str; }; + deployContainer = lib.mkOption { + default = { }; + type = lib.types.attrsOf (lib.types.submodule (_: { + options = { + credentials = { + token = lib.mkOption { type = lib.types.str; }; + user = lib.mkOption { type = lib.types.str; }; }; - })); - }; + image = lib.mkOption { type = lib.types.str; }; + setup = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.package; + }; + sign = lib.mkOption { + default = false; + type = lib.types.bool; + }; + src = lib.mkOption { type = lib.types.package; }; + }; + })); }; }; - config = { - outputs = __toModuleOutputs__ makeOutput config.deployContainer.images; - }; + config = { outputs = __toModuleOutputs__ makeOutput config.deployContainer; }; }
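Review bot: The new `image` option is declared as a bare `lib.types.str` with no `description`, yet its value is not an opaque string downstream: `src/args/deploy-container` substitutes it into `local image="__argImage__"` in the entrypoint, so, judging by how the previous docs used `$(date ...)` and `$MY_VAR` in `tag`, bash expands `$VAR` and `$(...)` inside it when the job runs. That behaviour is now undocumented on both the option and the Markdown page; a `description` stating that the value is the full registry path including the tag and that it is shell-expanded at run time would make it visible to module users. The other new options (`credentials.token`, `credentials.user`, `setup`, `sign`, `src`) would benefit from one-line descriptions as well. The enclosing `let` starts before the hunk; the `options` and `config` blocks are fully within it.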