Push, Pull, Build, Bop Images

manifest.yml

@@ -21,6 +21,8 @@ applications:
       # See gitlab-runner register --help for available vars
       CI_SERVER_TOKEN: ((ci_server_token))
       CI_SERVER_URL: ((ci_server_url))
+      DOCKER_HUB_USER: ((docker_hub_user))
+      DOCKER_HUB_TOKEN: ((docker_hub_token))
       RUNNER_EXECUTOR: ((runner_executor))
       RUNNER_NAME: ((runner_name))
       # Remaining runner configuration is generally static. In order to surface

runner/cf-driver/base.sh

@@ -13,5 +13,10 @@ if [ -z "$DEFAULT_JOB_IMAGE" ]; then
     echo "WARNING: DEFAULT_JOB_IMAGE not set! Falling back to ${DEFAULT_JOB_IMAGE}"
 fi
 
+# Complain if no Docker Hub credentials so we aren't bad neighbors
+if [ -z "$DOCKER_HUB_USER" ] || [ -z "$DOCKER_HUB_TOKEN" ]; then
+    echo "WARNING: Docker Hub credentials not set! Falling back to public access which could result in rate limiting."
+fi
+
 # Use a custom image if provided, else fallback to configured default
 CUSTOM_ENV_CI_JOB_IMAGE="${CUSTOM_ENV_CI_JOB_IMAGE:=$DEFAULT_JOB_IMAGE}"

runner/cf-driver/prepare.sh

@@ -12,6 +12,7 @@ trap 'rm -f "$TMPVARFILE"' EXIT
 currentDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 source "${currentDir}/base.sh" # Get variables from base.
 if [ -z "${WORKER_MEMORY-}" ]; then
+    # Some jobs may fail with less than 512M, e.g., `npm i`
     WORKER_MEMORY="512M"
 fi
 
@@ -27,16 +28,55 @@ create_temporary_varfile () {
     echo "[cf-driver] [DEBUG] Added $(wc -l "$TMPVARFILE") lines to $TMPVARFILE"
 }
 
+get_registry_credentials () {
+    image_name="$1"
+
+    # Note: the regex for non-docker image locations is not air-tight--
+    #       the definition for the format is a little loose, for one thing,
+    #       but this should work for most cases and can be revisited when
+    #       we're working with more a more robust set of language features
+    #       and can better parse the image name.
+
+    if echo "$image_name" | grep -q "registry.gitlab.com"; then
+        # Detect GitLab CR and use provided environment to authenticate
+        echo "$CUSTOM_ENV_CI_REGISTRY_USER" "$CUSTOM_ENV_CI_REGISTRY_PASSWORD"
+
+    elif echo "$image_name" | grep -q -P '^(?!registry-\d+.docker.io)[\w-]+(?:\.[\w-]+)+'; then
+        # Detect non-Docker registry that we aren't supporting auth for yet
+        return 0
+
+    elif [ -n "$DOCKER_HUB_TOKEN" ] && [ -n "$DOCKER_HUB_USER" ]; then
+        # Default to Docker Hub credentials when available
+        echo "$DOCKER_HUB_USER" "$DOCKER_HUB_TOKEN"
+    fi
+}
+
 start_container () {
     container_id="$1"
+    image_name="$CUSTOM_ENV_CI_JOB_IMAGE"
+
     if cf app --guid "$container_id" >/dev/null 2>/dev/null ; then
         echo '[cf-driver] Found old instance of runner executor, deleting'
         cf delete -f "$container_id"
     fi
 
-    cf push "$container_id" -f "${currentDir}/worker-manifest.yml" \
-       --docker-image "$CUSTOM_ENV_CI_JOB_IMAGE" -m "$WORKER_MEMORY" \
+    push_args=(
+       "$container_id"
+       -f "${currentDir}/worker-manifest.yml"
+       -m "$WORKER_MEMORY"
        --vars-file "$TMPVARFILE"
+       --docker-image "$image_name"
+    )
+
+    local docker_user docker_pass
+    read -r docker_user docker_pass <<< "$(get_registry_credentials "$image_name")"
+
+    if [ -n "$docker_user" ] && [ -n "$docker_pass" ]; then
+        push_args+=('--docker-username' "${docker_user}")
+        local -x CF_DOCKER_PASSWORD="${docker_pass}"
+    fi
+
+    cf push "${push_args[@]}"
 }
 
 start_service () {
@@ -50,23 +90,34 @@ start_service () {
        echo 'Usage: start_service CONTAINER_ID IMAGE_NAME CONTAINER_ENTRYPOINT CONTAINER_COMMAND'
        exit 1
     fi
-    if [ -n "$container_entrypoint" ] || [ -n "$container_command" ]; then
-        # TODO - cf push allows use of -c or --start-command but not a separate
-        # entrypoint. May need to add logic to gracefully convert entrypoint to
-        # a command.
-        echo '[cf-driver] container_entrypoint and container_command are not yet supported in services - Sorry!'
-        exit 1
-    fi
 
     if cf app --guid "$container_id" >/dev/null 2>/dev/null ; then
         echo '[cf-driver] Found old instance of runner service, deleting'
         cf delete -f "$container_id"
     fi
 
-    # TODO - Figure out how to handle command and non-global memory definition
-    cf push "$container_id" --docker-image "$image_name" -m "$WORKER_MEMORY" \
-        --no-route --health-check-type process
+    push_args=(
+        "$container_id"
+        '-m' "$WORKER_MEMORY"
+        '--docker-image' "$image_name"
+        '--health-check-type' 'process'
+        '--no-route'
+    )
+
+    if [ -n "$container_entrypoint" ] || [ -n "$container_command" ]; then
+        push_args+=('-c' "${container_entrypoint[@]}" "${container_command[@]}")
+    fi
+
+    local docker_user docker_pass
+    read -r docker_user docker_pass <<< "$(get_registry_credentials "$image_name")"
+
+    if [ -n "$docker_user" ] && [ -n "$docker_pass" ]; then
+        push_args+=('--docker-username' "${docker_user}")
+        local -x CF_DOCKER_PASSWORD="${docker_pass}"
+    fi
 
+    # TODO - Figure out how to handle non-global memory definition
+    cf push "${push_args[@]}"
     cf map-route "$container_id" apps.internal --hostname "$container_id"
 }
 

runner/cf-driver/run.sh

@@ -7,6 +7,9 @@ source "${currentDir}/base.sh"
 
 printf "[cf-driver] Using SSH to connect to %s and run steps\n" "$CONTAINER_ID"
 
+# Add line below script shebang to source the /etc/profile
+sed -i '2isource /etc/profile \n' $1
+
 if [ -n "${RUNNER_DEBUG-}" ] && [ "$RUNNER_DEBUG" == "true" ]; then
     # DANGER: There may be sensitive information in this output.
     # Generated job logs should be removed after this is used.
@@ -15,7 +18,7 @@ if [ -n "${RUNNER_DEBUG-}" ] && [ "$RUNNER_DEBUG" == "true" ]; then
     printf "\n=========\n[cf-driver] RUNNER_DEBUG: End command display\n"
 fi
 
-if ! cf ssh "$CONTAINER_ID" -c "source /etc/profile" < "${1}"; then
+if ! cf ssh "$CONTAINER_ID" < "${1}"; then
     # Exit using the variable, to make the build as failure in GitLab
     # CI.
     exit "$BUILD_FAILURE_EXIT_CODE"

vars.yml-example

@@ -10,3 +10,5 @@ runner_memory: 512M
 worker_memory: 512M
 service_account_instance: my-service-account
 object_store_instance: my-brokered-bucket
+docker_hub_user: my-docker-user
+docker_hub_token: my-docker-token