From b6bb07acdcb9ca5989529ff98bebb570d98c90b4 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 21 Apr 2022 17:26:47 +0200
Subject: [PATCH 1/8] ci-automation: Initial test script for Digital Ocean
---
 ci-automation/ci-config.env | 10 +++
 ci-automation/vendor-testing/digitalocean.sh | 71 ++++++++++++++++++++
 2 files changed, 81 insertions(+)
 create mode 100755 ci-automation/vendor-testing/digitalocean.sh
diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index 20e2bf4f01..cfb4af96dd 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -82,3 +82,13 @@ GCE_IMAGE_NAME="flatcar_production_gce.tar.gz"
 GCE_GCS_IMAGE_UPLOAD="gs://flatcar-jenkins/developer/gce-ci"
 GCE_MACHINE_TYPE="${GCE_MACHINE_TYPE:-n1-standard-2}"
 GCE_PARALLEL="${PARALLEL_TESTS:-4}"
+
+# -- Digital Ocean --
+
+# Use the "@ARCH@", "@CHANNEL@" and "@VERNUM@" placeholders. They will
+# be replaced.
+DO_IMAGE_URL="https://${BUILDCACHE_SERVER}/images/@ARCH@/@VERNUM@/flatcar_production_digitalocean_image.bin.bz2"
+DO_CONFIG_FILE='do-token.json'
+DO_REGION='sfo3'
+DO_MACHINE_SIZE='s-2vcpu-2gb'
+DO_PARALLEL='8'
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
new file mode 100755
index 0000000000..5de9120d0b
--- /dev/null
+++ b/ci-automation/vendor-testing/digitalocean.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+# Copyright (c) 2022 The Flatcar Maintainers.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set -euo pipefail
+
+# Test execution script for the Digital Ocean vendor image.
+# This script is supposed to run in the mantle container.
+
+work_dir="$1"; shift
+arch="$1"; shift
+vernum="$1"; shift
+tapfile="$1"; shift
+
+# $@ now contains tests / test patterns to run
+
+source ci-automation/ci_automation_common.sh
+source sdk_lib/sdk_container_common.sh
+
+mkdir -p "${work_dir}"
+cd "${work_dir}"
+
+# We never ran Digital Ocean on arm64, so for now fail it as an
+# unsupported option.
+if [[ "${arch}" == "arm64" ]]; then
+ echo "1..1" > "${tapfile}"
+ echo "not ok - all digital ocean tests" >> "${tapfile}"
+ echo " ---" >> "${tapfile}"
+ echo " ERROR: ARM64 tests not supported on Digital Ocean." | tee -a "${tapfile}"
+ echo " ..." >> "${tapfile}"
+ exit 1
+fi
+
+channel="$(get_git_channel)"
+if [[ "${channel}" = 'developer' ]]; then
+ channel='alpha'
+fi
+image_name="ci-${vernum//+/-}"
+testscript="$(basename "$0")"
+image_url="${DO_IMAGE_URL//@ARCH@/${arch}}"
+image_url="${image_url//@CHANNEL@/${channel}}"
+image_url="${image_url//@VERNUM@/${vernum}}"
+
+ore do create-image \
+ --config-file="${DO_CONFIG_FILE}" \
+ --region="${DO_REGION}" \
+ --name="${image_name}" \
+ --url="${image_url}"
+
+trap 'ore do delete-image \
+ --name="${image_name}" \
+ --config-file="${DO_CONFIG_FILE}"' EXIT
+
+set -x
+
+timeout --signal=SIGQUIT 4h\
+ kola run \
+ --do-size="${DO_MACHINE_SIZE}" \
+ --do-region="${DO_REGION}" \
+ --basename="${image_name}" \
+ --do-config-file="${DO_CONFIG_FILE}" \
+ --do-image="${image_name}" \
+ --parallel="${DO_PARALLEL}" \
+ --platform=do \
+ --channel="${channel}" \
+ --tapfile="${tapfile}" \
+ --torcx-manifest='../torcx_manifest.json' \
+ "${@}"
+
+set +x
From 9650650e4b1988fc2f3c3072542d0e3937d1dd71 Mon Sep 17 00:00:00 2001
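Review bot: `timeout --signal=SIGQUIT 4h\` has no space before the continuation backslash, so `4h` and `kola` only end up as separate words because the next line happens to begin with whitespace; `timeout --signal=SIGQUIT 4h \` makes the command independent of the following line's indentation. The same `4h\` line is carried unchanged through every later hunk of this series that touches the kola call. The EXIT trap that removes the image is installed only after `ore do create-image` returns, so if the script is killed while that call is still running the image is never deleted; if that matters for cost or quota, register the trap before the create call and make the delete step tolerate a missing image.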
From: Krzesimir Nowak
Date: Thu, 5 May 2022 16:51:46 +0200
Subject: [PATCH 2/8] ci-automation: Add URL template handling
---
 ci-automation/ci-config.env | 6 ++++--
 ci-automation/ci_automation_common.sh | 21 ++++++++++++++++++++
 ci-automation/vendor-testing/digitalocean.sh | 4 +---
 3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index cfb4af96dd..0913f61746 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -17,6 +17,8 @@ CONTAINER_REGISTRY="ghcr.io/flatcar-linux"
 GC_BUCKET="flatcar-linux"
+DEFAULT_HTTP_IMAGE_URL_TEMPLATE="@PROTO@://${BUILDCACHE_SERVER}/images/@ARCH@/@VERNUM@"
+
 if ! command -v pigz > /dev/null; then
 # No PIGZ on Flatcar
 PIGZ="docker run --rm -i ghcr.io/flatcar-linux/pigz --fast"
@@ -85,9 +87,9 @@ GCE_PARALLEL="${PARALLEL_TESTS:-4}"
 # -- Digital Ocean --
-# Use the "@ARCH@", "@CHANNEL@" and "@VERNUM@" placeholders. They will
+# Use the "@PROTO@" "@ARCH@", "@CHANNEL@" and "@VERNUM@" placeholders. They will
 # be replaced.
-DO_IMAGE_URL="https://${BUILDCACHE_SERVER}/images/@ARCH@/@VERNUM@/flatcar_production_digitalocean_image.bin.bz2"
+DO_IMAGE_URL="${DEFAULT_HTTP_IMAGE_URL_TEMPLATE}/flatcar_production_digitalocean_image.bin.bz2"
 DO_CONFIG_FILE='do-token.json'
 DO_REGION='sfo3'
 DO_MACHINE_SIZE='s-2vcpu-2gb'
diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index 82cf997d2f..f7d4039a74 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
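Review bot: The reworded comment in the second hunk, `# Use the "@PROTO@" "@ARCH@", "@CHANNEL@" and "@VERNUM@" placeholders.`, is missing the comma after `"@PROTO@"`; `"@PROTO@", "@ARCH@", "@CHANNEL@" and "@VERNUM@"` reads as the list it is meant to be. The new `DEFAULT_HTTP_IMAGE_URL_TEMPLATE` line in the first hunk carries no comment at all, so a reader of ci-config.env cannot tell where the `@...@` fields get filled in; a one-liner such as `# Expanded by url_from_template in ci_automation_common.sh` above it would close that gap.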
@@ -224,3 +224,24 @@ function docker_image_from_registry_or_buildcache() {
 docker_image_from_buildcache "${image}" "${version}"
 }
 # --
+
+# Substitutes fields in the passed template and prints the
+# result. Followed by the template, the parameters used for
+# replacement are in alphabetical order: arch, channel, proto and
+# vernum.
+function url_from_template() {
+ local template="${1}"; shift
+ local arch="${1}"; shift
+ local channel="${1}"; shift
+ local proto="${1}"; shift
+ local vernum="${1}"; shift
+ local url="${template}"
+
+ url="${url//@ARCH@/${arch}}"
+ url="${url//@CHANNEL@/${channel}}"
+ url="${url//@PROTO@/${proto}}"
+ url="${url//@VERNUM@/${vernum}}"
+
+ echo "${url}"
+}
+# --
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
index 5de9120d0b..000172a47c 100755
--- a/ci-automation/vendor-testing/digitalocean.sh
+++ b/ci-automation/vendor-testing/digitalocean.sh
@@ -38,9 +38,7 @@ if [[ "${channel}" = 'developer' ]]; then
 fi
 image_name="ci-${vernum//+/-}"
 testscript="$(basename "$0")"
-image_url="${DO_IMAGE_URL//@ARCH@/${arch}}"
-image_url="${image_url//@CHANNEL@/${channel}}"
-image_url="${image_url//@VERNUM@/${vernum}}"
+image_url="$(url_from_template "${DO_IMAGE_URL}" "${arch}" "${channel}" 'https' "${vernum}")"
 ore do create-image \
 --config-file="${DO_CONFIG_FILE}" \
From 2fe896b558a83d4119214c7e23ae722819e6cd8b Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 5 May 2022 16:53:37 +0200
Subject: [PATCH 3/8] ci-automation: Add retest cycle breaking functionality
---
 ci-automation/ci_automation_common.sh | 28 ++++++++++++++++++++
 ci-automation/test.sh | 12 ++++++++-
 ci-automation/vendor-testing/digitalocean.sh | 1 +
 3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index f7d4039a74..c6a1a90f35 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
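Review bot: `url_from_template` inserts the values unquoted, as in `url="${url//@ARCH@/${arch}}"`; on bash 5.2, where the `patsub_replacement` option is on by default, an `&` inside a value is rewritten to the matched placeholder text, so quoting the replacement, `url="${url//@ARCH@/"${arch}"}"`, keeps the result literal on every bash version. `echo "${url}"` would also misread a result that happened to start with `-n` or `-e`; `printf '%s\n' "${url}"` is the safer idiom. A placeholder that none of the four arguments covers is left in the URL and only surfaces later as a failed download, so the header comment should say that callers must supply every field their template uses.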
@@ -10,6 +10,8 @@ source ci-automation/ci-config.env
 : ${PIGZ:=pigz}
 : ${docker:=docker}
+: ${TEST_WORK_DIR:='__TESTS__'}
+
 function init_submodules() {
 git submodule init
 git submodule update
@@ -225,6 +227,32 @@ function docker_image_from_registry_or_buildcache() {
 }
 # --
+# Called by vendor test in case of complete failure not eligible for
+# reruns (like trying to run tests on unsupported architecture).
+function break_retest_cycle() {
+ local work_dir=$(dirname "${PWD}")
+ local dir=$(basename "${work_dir}")
+
+ if [[ "${dir}" != "${TEST_WORK_DIR}" ]]; then
+ echo "Not breaking retest cycle, expected test work dir to be a parent directory" >&2
+ return
+ fi
+ touch "${work_dir}/break_retests"
+}
+# --
+
+# Called by test runner to see if the retest cycle should be broken.
+function retest_cycle_broken() {
+ # Using the reverse boolean logic here!
+ local broken=1
+ if [[ -f "${TEST_WORK_DIR}/break_retests" ]]; then
+ broken=0
+ rm -f "${TEST_WORK_DIR}/break_retests"
+ fi
+ return ${broken}
+}
+# --
+
 # Substitutes fields in the passed template and prints the
 # result. Followed by the template, the parameters used for
 # replacement are in alphabetical order: arch, channel, proto and
diff --git a/ci-automation/test.sh b/ci-automation/test.sh
index fa7c6c3720..c66fffeb09 100644
--- a/ci-automation/test.sh
+++ b/ci-automation/test.sh
@@ -122,7 +122,7 @@ function test_run() {
 local docker_vernum
 docker_vernum="$(vernum_to_docker_image_version "${vernum}")"
-local work_dir="__TESTS__"
+local work_dir="${TEST_WORK_DIR}"
 local tests_dir="${work_dir}/${image}"
 mkdir -p "${tests_dir}"
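Review bot: `local work_dir=$(dirname "${PWD}")` and `local dir=$(basename "${work_dir}")` in `break_retest_cycle` hide the command's exit status behind `local`, so `set -e` never notices a failing `dirname`/`basename`; declare first and assign on its own line, `local work_dir; work_dir=$(dirname "${PWD}")`. The marker `${work_dir}/break_retests` is a single file in the shared `TEST_WORK_DIR` rather than in the per-image `tests_dir` that `test_run` creates, so if several images are ever tested from the same tree concurrently one vendor script can cut short another's rerun loop; a comment on `retest_cycle_broken` stating that it assumes one active test run per work dir would make that limitation explicit. The two helpers also resolve the path differently — `retest_cycle_broken` uses `${TEST_WORK_DIR}` relative to the runner's cwd while `break_retest_cycle` inspects the parent of its own cwd — which only lines up when the vendor script is executed inside `${TEST_WORK_DIR}/<image>`; that contract belongs in the header comment too.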
@@ -182,6 +182,16 @@ function test_run() {
 break
 fi
+ if retest_cycle_broken; then
+ echo "########### Test cycle requested to break ###########"
+ echo "Failed tests: $failed_tests"
+ echo "-----------"
+ # not really a success, but don't print a message about
+ # exhaused reruns and giving up
+ success=true
+ break
+ fi
+
 echo "########### Some tests failed and will be re-run (${retry} / ${retries}). ###########"
 echo "Failed tests: $failed_tests"
 echo "-----------"
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
index 000172a47c..a0f82d0cb8 100755
--- a/ci-automation/vendor-testing/digitalocean.sh
+++ b/ci-automation/vendor-testing/digitalocean.sh
@@ -29,6 +29,7 @@ if [[ "${arch}" == "arm64" ]]; then
 echo " ---" >> "${tapfile}"
 echo " ERROR: ARM64 tests not supported on Digital Ocean." | tee -a "${tapfile}"
 echo " ..." >> "${tapfile}"
+ break_retest_cycle
 exit 1
 fi
From cd2f3f0d6c41e5d360f6c7f8900bdcd16a093b85 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 5 May 2022 16:55:35 +0200
Subject: [PATCH 4/8] ci-automation: Drop boilerplate code from digital ocean test
---
 ci-automation/vendor-testing/digitalocean.sh | 40 ++++++-------------
 1 file changed, 12 insertions(+), 28 deletions(-)
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
index a0f82d0cb8..f15377ac0f 100755
--- a/ci-automation/vendor-testing/digitalocean.sh
+++ b/ci-automation/vendor-testing/digitalocean.sh
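Review bot: The new branch sets `success=true` although `failed_tests` is non-empty; if `success` is what the rest of `test_run` (which continues outside this hunk) turns into its return status, a run that the vendor script deliberately aborted as unsupported will be reported as passing even though the TAP file records `not ok`. A separate flag such as `cycle_broken=true`, checked after the loop, would keep the runner's verdict and the TAP result consistent; at minimum the inline comment should state that callers are expected to read the outcome from the tap file rather than from `success`. The comment also has a typo: `exhaused` → `exhausted`.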
@@ -8,38 +8,22 @@ set -euo pipefail
 # Test execution script for the Digital Ocean vendor image.
 # This script is supposed to run in the mantle container.
-work_dir="$1"; shift
-arch="$1"; shift
-vernum="$1"; shift
-tapfile="$1"; shift
-
-# $@ now contains tests / test patterns to run
-
-source ci-automation/ci_automation_common.sh
-source sdk_lib/sdk_container_common.sh
-
-mkdir -p "${work_dir}"
-cd "${work_dir}"
+source ci-automation/vendor_test.sh
 # We never ran Digital Ocean on arm64, so for now fail it as an
 # unsupported option.
-if [[ "${arch}" == "arm64" ]]; then
- echo "1..1" > "${tapfile}"
- echo "not ok - all digital ocean tests" >> "${tapfile}"
- echo " ---" >> "${tapfile}"
- echo " ERROR: ARM64 tests not supported on Digital Ocean." | tee -a "${tapfile}"
- echo " ..." >> "${tapfile}"
+if [[ "${CIA_ARCH}" == "arm64" ]]; then
+ echo "1..1" > "${CIA_TAPFILE}"
+ echo "not ok - all Digital Ocean tests" >> "${CIA_TAPFILE}"
+ echo " ---" >> "${CIA_TAPFILE}"
+ echo " ERROR: ARM64 tests not supported on Digital Ocean." | tee -a "${CIA_TAPFILE}"
+ echo " ..." >> "${CIA_TAPFILE}"
 break_retest_cycle
 exit 1
 fi
-channel="$(get_git_channel)"
-if [[ "${channel}" = 'developer' ]]; then
- channel='alpha'
-fi
-image_name="ci-${vernum//+/-}"
-testscript="$(basename "$0")"
-image_url="$(url_from_template "${DO_IMAGE_URL}" "${arch}" "${channel}" 'https' "${vernum}")"
+image_name="ci-${CIA_VERNUM//+/-}"
+image_url="$(url_from_template "${DO_IMAGE_URL}" "${CIA_ARCH}" "${CIA_CHANNEL}" 'https' "${CIA_VERNUM}")"
 ore do create-image \
 --config-file="${DO_CONFIG_FILE}" \
@@ -62,9 +46,9 @@ timeout --signal=SIGQUIT 4h\
 --do-image="${image_name}" \
 --parallel="${DO_PARALLEL}" \
 --platform=do \
- --channel="${channel}" \
- --tapfile="${tapfile}" \
- --torcx-manifest='../torcx_manifest.json' \
+ --channel="${CIA_CHANNEL}" \
+ --tapfile="${CIA_TAPFILE}" \
+ --torcx-manifest="${CIA_TORCX_MANIFEST}" \
 "${@}"
 set +x
From 197e9a334fca6615e669b3ad34b69394f6596bc4 Mon Sep 17 00:00:00 2001
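Review bot: After `source ci-automation/vendor_test.sh` the script reads `CIA_ARCH`, `CIA_TAPFILE`, `CIA_VERNUM`, `CIA_CHANNEL` and `CIA_TORCX_MANIFEST` and still hands `"${@}"` to kola, so it now depends on `vendor_test.sh` (not part of this series) both to export those names and to shift off the four leading positionals that the removed `work_dir="$1"; shift` lines used to consume; nothing in the file states that contract. A one-line comment next to the source line, e.g. `# vendor_test.sh consumes work_dir/arch/vernum/tapfile, exports CIA_* and leaves the test patterns in "$@"`, makes it visible. Under `set -u` any CIA_ name the helper fails to set aborts the script with only the shell's unbound-variable message, so that comment is also where a reader will look when that happens.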
From: Krzesimir Nowak
Date: Thu, 5 May 2022 16:57:06 +0200
Subject: [PATCH 5/8] ci-automation: Add secrets handling
---
 ci-automation/ci-config.env | 3 ++-
 ci-automation/ci_automation_common.sh | 16 ++++++++++++++++
 ci-automation/vendor-testing/digitalocean.sh | 8 +++++---
 3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index 0913f61746..fe821f22b7 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -90,7 +90,8 @@ GCE_PARALLEL="${PARALLEL_TESTS:-4}"
 # Use the "@PROTO@" "@ARCH@", "@CHANNEL@" and "@VERNUM@" placeholders. They will
 # be replaced.
 DO_IMAGE_URL="${DEFAULT_HTTP_IMAGE_URL_TEMPLATE}/flatcar_production_digitalocean_image.bin.bz2"
-DO_CONFIG_FILE='do-token.json'
 DO_REGION='sfo3'
 DO_MACHINE_SIZE='s-2vcpu-2gb'
 DO_PARALLEL='8'
+# DIGITALOCEAN_TOKEN_JSON env var is used for credentials, and should
+# come from sdk_container/.env
diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index c6a1a90f35..35a9c93bc5 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
@@ -273,3 +273,19 @@ function url_from_template() {
 echo "${url}"
 }
 # --
+
+# Puts a secret into a file, while trying for the secret to not end up
+# on a filesystem at all. Prints a path to a file with the secret in
+# /proc.
+function secret_to_file() {
+ local secret="${1}"; shift
+ local tmpfile=$(mktemp)
+ local fd
+
+ exec {fd}<>"${tmpfile}"
+ rm -f "${tmpfile}"
+ echo "${secret}" >&${fd}
+
+ echo "/proc/${$}/fd/${fd}"
+}
+# --
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
index f15377ac0f..bbfa8ac344 100755
--- a/ci-automation/vendor-testing/digitalocean.sh
+++ b/ci-automation/vendor-testing/digitalocean.sh
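Review bot: The header comment on `secret_to_file` promises that the secret does not end up on a filesystem at all, but `mktemp` creates the file under `TMPDIR` (or /tmp) and the write after `rm -f` still lands on that filesystem's blocks unless the directory is RAM-backed; either soften the comment or point `mktemp` at a tmpfs, e.g. `mktemp -p /dev/shm`, when one is available. `local tmpfile=$(mktemp)` also hides a failing `mktemp` from `set -e`; split it into `local tmpfile; tmpfile=$(mktemp)`. Writing with `echo "${secret}"` interprets a leading `-n`/`-e`, so `printf '%s\n' "${secret}" >&"${fd}"` is the robust form. The descriptor stays open for the rest of the script and is inherited by every child process, which is exactly what makes the `/proc/$$/fd/N` path usable by ore and kola, and the comment should say so because it is also what a reader must know before closing or `exec`-ing over that fd.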
@@ -25,15 +25,17 @@ fi
 image_name="ci-${CIA_VERNUM//+/-}"
 image_url="$(url_from_template "${DO_IMAGE_URL}" "${CIA_ARCH}" "${CIA_CHANNEL}" 'https' "${CIA_VERNUM}")"
+config_file="$(secret_to_file "${DIGITALOCEAN_TOKEN_JSON}")"
+
 ore do create-image \
- --config-file="${DO_CONFIG_FILE}" \
+ --config-file="${config_file}" \
 --region="${DO_REGION}" \
 --name="${image_name}" \
 --url="${image_url}"
 trap 'ore do delete-image \
 --name="${image_name}" \
- --config-file="${DO_CONFIG_FILE}"' EXIT
+ --config-file="${config_file}"' EXIT
 set -x
@@ -42,7 +44,7 @@ timeout --signal=SIGQUIT 4h\
 --do-size="${DO_MACHINE_SIZE}" \
 --do-region="${DO_REGION}" \
 --basename="${image_name}" \
- --do-config-file="${DO_CONFIG_FILE}" \
+ --do-config-file="${config_file}" \
 --do-image="${image_name}" \
 --parallel="${DO_PARALLEL}" \
 --platform=do \
From 413689c7796b4ee7fe822008c04b7743fcebb24e Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 5 May 2022 16:59:07 +0200
Subject: [PATCH 6/8] ci-automation: Rename some variables and make them overridable
---
 ci-automation/ci-config.env | 8 ++++----
 ci-automation/vendor-testing/digitalocean.sh | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index fe821f22b7..3fa6d63290 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
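Review bot: `config_file="$(secret_to_file "${DIGITALOCEAN_TOKEN_JSON}")"` expands the token onto a command line, so its position above the `set -x` a few lines below is what keeps the credential out of the build log; with xtrace on, that line would print the token to stderr. Nothing marks that ordering as deliberate, so a comment is warranted, e.g. `# Keep above 'set -x': the token value is expanded on this command line.` Once the call is done, the EXIT trap and the kola invocation only ever see the `/proc/<pid>/fd/N` path, which is safe to trace.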
@@ -89,9 +89,9 @@ GCE_PARALLEL="${PARALLEL_TESTS:-4}"
 # Use the "@PROTO@" "@ARCH@", "@CHANNEL@" and "@VERNUM@" placeholders. They will
 # be replaced.
-DO_IMAGE_URL="${DEFAULT_HTTP_IMAGE_URL_TEMPLATE}/flatcar_production_digitalocean_image.bin.bz2"
-DO_REGION='sfo3'
-DO_MACHINE_SIZE='s-2vcpu-2gb'
-DO_PARALLEL='8'
+: ${DIGITALOCEAN_IMAGE_URL_TEMPLATE:="${DEFAULT_HTTP_IMAGE_URL_TEMPLATE}/flatcar_production_digitalocean_image.bin.bz2"}
+: ${DIGITALOCEAN_REGION:='sfo3'}
+: ${DIGITALOCEAN_MACHINE_SIZE:='s-2vcpu-2gb'}
+DIGITALOCEAN_PARALLEL="${PARALLEL_TESTS:-8}"
 # DIGITALOCEAN_TOKEN_JSON env var is used for credentials, and should
 # come from sdk_container/.env
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
index bbfa8ac344..a8d870bd14 100755
--- a/ci-automation/vendor-testing/digitalocean.sh
+++ b/ci-automation/vendor-testing/digitalocean.sh
@@ -23,13 +23,13 @@ if [[ "${CIA_ARCH}" == "arm64" ]]; then
 fi
 image_name="ci-${CIA_VERNUM//+/-}"
-image_url="$(url_from_template "${DO_IMAGE_URL}" "${CIA_ARCH}" "${CIA_CHANNEL}" 'https' "${CIA_VERNUM}")"
+image_url="$(url_from_template "${DIGITALOCEAN_IMAGE_URL_TEMPLATE}" "${CIA_ARCH}" "${CIA_CHANNEL}" 'https' "${CIA_VERNUM}")"
 config_file="$(secret_to_file "${DIGITALOCEAN_TOKEN_JSON}")"
 ore do create-image \
 --config-file="${config_file}" \
- --region="${DO_REGION}" \
+ --region="${DIGITALOCEAN_REGION}" \
 --name="${image_name}" \
 --url="${image_url}"
@@ -41,12 +41,12 @@ set -x
 timeout --signal=SIGQUIT 4h\
 kola run \
- --do-size="${DO_MACHINE_SIZE}" \
- --do-region="${DO_REGION}" \
+ --do-size="${DIGITALOCEAN_MACHINE_SIZE}" \
+ --do-region="${DIGITALOCEAN_REGION}" \
 --basename="${image_name}" \
 --do-config-file="${config_file}" \
 --do-image="${image_name}" \
- --parallel="${DO_PARALLEL}" \
+ --parallel="${DIGITALOCEAN_PARALLEL}" \
 --platform=do \
 --channel="${CIA_CHANNEL}" \
 --tapfile="${CIA_TAPFILE}" \
From 3c119f14b22c7b6ec7bade0438e78186946da6e2 Mon Sep 17 00:00:00 2001
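Review bot: `DIGITALOCEAN_PARALLEL="${PARALLEL_TESTS:-8}"` is the one Digital Ocean setting in this hunk that a pre-set environment value cannot override, unlike the `: ${DIGITALOCEAN_REGION:=...}` form used on the three lines above it, which sits oddly under a commit titled "make them overridable". If mirroring `GCE_PARALLEL` is the intent, a comment such as `# Derived from PARALLEL_TESTS like the other vendors; not overridable on its own` will stop the next reader from "fixing" it. The `: ${VAR:=...}` lines are unquoted, so a value containing whitespace or glob characters is word-split and globbed before `:` discards it — harmless for these defaults, but `: "${DIGITALOCEAN_IMAGE_URL_TEMPLATE:=...}"` is the quoted form ShellCheck expects and costs nothing.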
From: Krzesimir Nowak
Date: Thu, 5 May 2022 17:53:33 +0200
Subject: [PATCH 7/8] ci-automation: Fix secret file handling
It can't be done in a subshell, because the file will be gone after subshell quits.
---
 ci-automation/ci_automation_common.sh | 17 +++++++++++++----
 ci-automation/vendor-testing/digitalocean.sh | 3 ++-
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index 35a9c93bc5..3a21f177da 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
@@ -275,17 +275,26 @@ function url_from_template() {
 # --
 # Puts a secret into a file, while trying for the secret to not end up
-# on a filesystem at all. Prints a path to a file with the secret in
-# /proc.
+# on a filesystem at all. A path to the file with the secret in
+# /proc in put into the chosen variable.
+#
+# Typical use:
+# secret_file=''
+# secret_to_file secret_file "${some_secret}"
+#
+# Parameters:
+# 1 - name of the variable where the path is stored
+# 2 - the secret to store in the file
 function secret_to_file() {
+ local config_var_name="${1}"; shift
 local secret="${1}"; shift
 local tmpfile=$(mktemp)
+ local -n config_ref="${config_var_name}"
 local fd
 exec {fd}<>"${tmpfile}"
 rm -f "${tmpfile}"
 echo "${secret}" >&${fd}
-
- echo "/proc/${$}/fd/${fd}"
+ config_ref="/proc/${$}/fd/${fd}"
 }
 # --
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
index a8d870bd14..3ca82ac2e4 100755
--- a/ci-automation/vendor-testing/digitalocean.sh
+++ b/ci-automation/vendor-testing/digitalocean.sh
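Review bot: `local -n config_ref="${config_var_name}"` resolves the caller-supplied name in the function's own scope first, so a caller that passes `secret`, `tmpfile`, `fd` or `config_var_name` as the target silently binds the function's local instead and its own variable is never set (and `config_ref` itself is rejected as a circular reference). The usual mitigations are to state that restriction in the new `Parameters:` block and to give the locals an unlikely prefix; the block should also note that `local -n` needs bash 4.3 or newer. `local tmpfile=$(mktemp)`, unchanged in this hunk, still hides a failing `mktemp` from `set -e`; `local tmpfile; tmpfile=$(mktemp)` fixes that.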
@@ -25,7 +25,8 @@ fi
 image_name="ci-${CIA_VERNUM//+/-}"
 image_url="$(url_from_template "${DIGITALOCEAN_IMAGE_URL_TEMPLATE}" "${CIA_ARCH}" "${CIA_CHANNEL}" 'https' "${CIA_VERNUM}")"
-config_file="$(secret_to_file "${DIGITALOCEAN_TOKEN_JSON}")"
+config_file=''
+secret_to_file config_file "${DIGITALOCEAN_TOKEN_JSON}"
 ore do create-image \
 --config-file="${config_file}" \
From 3b3cffabc84f86b39960ef2e67e1998df3e6018f Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Fri, 6 May 2022 09:16:04 +0200
Subject: [PATCH 8/8] ci-automation: Fix credentials handling in digital ocean
---
 ci-automation/ci-config.env | 2 +-
 ci-automation/ci_automation_common.sh | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index 3fa6d63290..2c2672758f 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -94,4 +94,4 @@ GCE_PARALLEL="${PARALLEL_TESTS:-4}"
 : ${DIGITALOCEAN_MACHINE_SIZE:='s-2vcpu-2gb'}
 DIGITALOCEAN_PARALLEL="${PARALLEL_TESTS:-8}"
 # DIGITALOCEAN_TOKEN_JSON env var is used for credentials, and should
-# come from sdk_container/.env
+# come from sdk_container/.env. It must be base64-encoded.
diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index 3a21f177da..ce01d55765 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
@@ -275,8 +275,9 @@ function url_from_template() {
 # --
 # Puts a secret into a file, while trying for the secret to not end up
-# on a filesystem at all. A path to the file with the secret in
-# /proc in put into the chosen variable.
+# on a filesystem at all. A path to the file with the secret in /proc
+# in put into the chosen variable. The secret is assumed to be
+# base64-encoded.
 #
 # Typical use:
 # secret_file=''
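Review bot: The reworded header in the last hunk still reads `# in put into the chosen variable.`; it should be `# is put into the chosen variable.`. That hunk adds "The secret is assumed to be base64-encoded", which matches the ci-config.env comment in the same patch, but the `Parameters:` list just below the hunk still describes argument 2 as `the secret to store in the file`; changing it to `the base64-encoded secret to store in the file` keeps the two statements in step.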
@@ -294,7 +295,7 @@ function secret_to_file() {
 exec {fd}<>"${tmpfile}"
 rm -f "${tmpfile}"
- echo "${secret}" >&${fd}
+ echo "${secret}" | base64 --decode >&${fd}
 config_ref="/proc/${$}/fd/${fd}"
 }
 # --
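Review bot: `echo "${secret}" | base64 --decode >&${fd}` expands the encoded token on a command line inside the function, so any caller that has `set -x` enabled when it invokes `secret_to_file` writes the credential to its trace output; the digitalocean.sh caller happens to sit above its own `set -x`, but the helper should not rely on that. A `local -` followed by `set +x` at the top of the function (bash 4.4+) scopes xtrace off for the body, or at minimum the header comment should say that callers must not trace this call. `printf '%s' "${secret}" | base64 -d` also sidesteps echo's `-n`/`-e` handling and uses the short decode flag that both GNU and busybox accept, where `--decode` is GNU-only. With `set -o pipefail` a malformed value fails the pipeline and, under the caller's `set -e`, aborts the script with only base64's own message; appending `|| { echo 'secret_to_file: base64 decode failed' >&2; return 1; }` makes the failure attributable in the CI log.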