Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / fdd5ceecf9d64038414d04bd1f89c62911959a4a / . / build / pin-images.py
blob: 361db9c897c1c152dc07f3a21699a16bd49a3ea8 [file] [log] [blame]
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]1#!/usr/bin/env python3
2
3import argparse
4import functools
5
Mohammed Naser12207172024-02-05 18:49:35 -0500[diff] [blame]6import requests
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]7from docker_image import reference
8from oslo_config import cfg
9from oslo_log import log as logging
10from ruyaml import YAML
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]11
12LOG = logging.getLogger(__name__)
13CONF = cfg.CONF
14
Oleksandr Kd4e5b232024-01-18 17:20:16 +0100[diff] [blame]15SKIP_IMAGE_LIST = ["secretgen_controller"]
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]16
Mohammed Naser891a2902024-01-23 09:47:47 -0500[diff] [blame]17
Mohammed Naser21066a12024-01-02 11:14:53 -0500[diff] [blame]18def get_digest(image_ref, token=None):
19 headers = {}
20 if token:
21 headers["Authorization"] = f"Bearer {token}"
22
23 try:
24 headers["Accept"] = "application/vnd.docker.distribution.manifest.v2+json"
25
26 r = requests.get(
27 f"https://{image_ref.domain()}/v2/{image_ref.path()}/manifests/{image_ref['tag']}",
28 timeout=5,
29 headers=headers,
30 )
31 r.raise_for_status()
32 return r.headers["Docker-Content-Digest"]
33 except requests.exceptions.HTTPError:
34 headers["Accept"] = "application/vnd.oci.image.index.v1+json"
35
36 r = requests.get(
37 f"https://{image_ref.domain()}/v2/{image_ref.path()}/manifests/{image_ref['tag']}",
38 timeout=5,
39 headers=headers,
40 )
41 r.raise_for_status()
42 return r.headers["Docker-Content-Digest"]
43
44
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]45@functools.cache
46def get_pinned_image(image_src):
47 image_ref = reference.Reference.parse(image_src)
48
Mohammed Naser12207172024-02-05 18:49:35 -0500[diff] [blame]49 if image_ref.domain() in (
50 "registry.k8s.io",
51 "us-docker.pkg.dev",
52 "registry.atmosphere.dev",
53 ):
Mohammed Naser21066a12024-01-02 11:14:53 -0500[diff] [blame]54 digest = get_digest(image_ref)
55
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]56 if image_ref.domain() == "quay.io":
57 r = requests.get(
58 f"https://quay.io/api/v1/repository/{image_ref.path()}/tag/",
Mohammed Naser21066a12024-01-02 11:14:53 -0500[diff] [blame]59 timeout=5,
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]60 params={"specificTag": image_ref["tag"]},
61 )
62 r.raise_for_status()
63 digest = r.json()["tags"][0]["manifest_digest"]
64
Mohammed Naser49e66372023-07-10 14:57:00 -0400[diff] [blame]65 if image_ref.domain() == "docker.io":
66 # Get token for docker.io
67 r = requests.get(
68 "https://auth.docker.io/token",
Mohammed Naser21066a12024-01-02 11:14:53 -0500[diff] [blame]69 timeout=5,
Mohammed Naser16baaab2023-07-10 15:07:11 -0400[diff] [blame]70 params={
71 "service": "registry.docker.io",
72 "scope": f"repository:{image_ref.path()}:pull",
73 },
Mohammed Naser49e66372023-07-10 14:57:00 -0400[diff] [blame]74 )
75 r.raise_for_status()
76 token = r.json()["token"]
77
78 r = requests.get(
79 f"https://registry-1.docker.io/v2/{image_ref.path()}/manifests/{image_ref['tag']}",
Mohammed Naser21066a12024-01-02 11:14:53 -0500[diff] [blame]80 timeout=5,
Mohammed Naser16baaab2023-07-10 15:07:11 -0400[diff] [blame]81 headers={
82 "Accept": "application/vnd.docker.distribution.manifest.v2+json",
83 "Authorization": f"Bearer {token}",
84 },
Mohammed Naser49e66372023-07-10 14:57:00 -0400[diff] [blame]85 )
86 r.raise_for_status()
87 digest = r.headers["Docker-Content-Digest"]
88
Mohammed Naser21066a12024-01-02 11:14:53 -0500[diff] [blame]89 if image_ref.domain() == "ghcr.io":
90 # Get token for docker.io
91 r = requests.get(
92 "https://ghcr.io/token",
93 timeout=5,
94 params={
95 "service": "ghcr.io",
96 "scope": f"repository:{image_ref.path()}:pull",
97 },
98 )
99 r.raise_for_status()
100 token = r.json()["token"]
101
102 digest = get_digest(image_ref, token=token)
103
104 return f"{image_ref.domain()}/{image_ref.path()}:{image_ref['tag']}@{digest}"
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]105
106
107def main():
108 logging.register_options(CONF)
109 logging.setup(CONF, "atmosphere-bump-images")
110
111 parser = argparse.ArgumentParser("bump-images")
112 parser.add_argument(
113 "src", help="Path for default values file", type=argparse.FileType("r")
114 )
115 parser.add_argument("dst", help="Path for output file", type=argparse.FileType("w"))
Mohammed Naser12207172024-02-05 18:49:35 -0500[diff] [blame]116 parser.add_argument(
117 "-r",
118 "--registry",
119 default="ghcr.io/vexxhost/atmosphere",
120 help="Registry containing Atmosphere images",
121 )
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]122
123 args = parser.parse_args()
124
Mohammed Naser12207172024-02-05 18:49:35 -0500[diff] [blame]125 registry = args.registry
126 if "registry.atmosphere.dev:5000" in registry:
127 registry = registry.replace(
128 "registry.atmosphere.dev:5000", "registry.atmosphere.dev"
129 )
130
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]131 yaml = YAML(typ="rt")
132 data = yaml.load(args.src)
133
Mohammed Naser21066a12024-01-02 11:14:53 -0500[diff] [blame]134 for image in data["_atmosphere_images"]:
Oleksandr Kd4e5b232024-01-18 17:20:16 +0100[diff] [blame]135 if image in SKIP_IMAGE_LIST:
136 continue
Mohammed Naserfdd5cee2024-02-07 23:45:52 -0500[diff] [blame^]137
138 # NOTE(mnaser): If we're in CI, only pin the Atmosphere images
139 if (
140 "registry.atmosphere.dev" in registry
141 and "ghcr.io/vexxhost/atmosphere" not in data["_atmosphere_images"][image]
142 ):
143 continue
144
Mohammed Naser12207172024-02-05 18:49:35 -0500[diff] [blame]145 image_src = data["_atmosphere_images"][image].replace(
146 "ghcr.io/vexxhost/atmosphere", registry
147 )
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]148 pinned_image = get_pinned_image(image_src)
149
150 LOG.info("Pinning image %s from %s to %s", image, image_src, pinned_image)
ricolinb8ab0172023-06-01 15:41:02 +0800[diff] [blame]151 data["_atmosphere_images"][image] = pinned_image
Mohammed Naser8613c862023-04-24 17:26:51 -0400[diff] [blame]152
153 yaml.dump(data, args.dst)
154
155
156if __name__ == "__main__":
157 main()