Implement drone-docker-ecr #155
Conversation
|
ping |
cmd/drone-docker-ecr/main.go
Outdated
| os.Exit(1) | ||
| } | ||
|
|
||
| // always attempt to create the repo if createBool is true, eat exists error |
There was a problem hiding this comment.
I like that we're documenting that we're eating the exists error, but that's more of an implementation detail for createRepo. I was initially confused to see us exiting on err on line 46, since this comment seems to contradict that.
I'd suggest either removing eat exists error here, or doing the same and adding something on the createRepo call in 44 that is a little more clear:
"already exists" errors are not returned here, since we want to ensure the repo's existence
Another option would be to rename createRepo to ensureRepoExists or ensureRepo to make this more immediately obvious.
There was a problem hiding this comment.
This flagged in my head when I was looking it over before submission as well as possibly confusing so I totally understand. I'll rename the function and drop the comment.
|
Thanks! I pulled down changes locally and pushed e4bc243. I do this only as a security precaution since we have no way to validate large vendor updates with govendor. I also switched to dep (a newer, official Go vendor solution) so that in the future validation will no longer be required. |
|
@danielkrainas hearing reports of issues (without details) here. Is this plugin working for you as merged and published to Docker Hub today? |
|
@gtaylor sorry to hear that, I'll be happy to help address anything that comes up. From the link, it looks like they are talking about the old/legacy ecr plugin. The plugin is functioning for us and we have a cluster suite of apps building and publishing with it. |
|
@danielkrainas are there any breaking changes (legacy vs new) we need to document in this thread? |
|
@bradrydzewski point 3 related to drone-plugins/drone-ecr#34 is the only thing that would count as "breaking" from the legacy version but that's more correctly a fix |
|
For some reason plugins/ecr isn't working on my 17.09 docker + drone 7.3 and also it's not working on 17.09 + drone 8.1. I'm not sure what changed, but both my servers stopped building ecr stuff. To fix I stubbed in the wrapper script and pushed my own plugin and its now working with my fix. |
|
|
I have an ECR role on the box I'm using. So I'm not exposing the secrets. Should I be?
|
|
I'm not sure about the old ecr plugin but the current plugin runs with DIND so the docker daemon that is running and building the image is not the host's. Because of this, my guess is the DIND daemon doesn't have access to the instance's ECR role and so remains unauthenticated to ECR. You could expose the AWS secrets, that should work. Otherwise if you insist on using the host's ECR authentication, for the build step - you could try disabling the DIND daemon, set the repo in drone as "Trusted", and mount the host's docker socket as a volume in the step. pipeline:
ecr_publish:
image: plugins/drone-ecr:latest
repo: my-service-repo
daemon_off: true
tags:
- latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock |
|
No, you can get creds from the EC2metadata service on 169.254 if your host has it avail. Just add a conditional for the creds here: https://github.com/drone-plugins/drone-docker/blob/master/cmd/drone-docker-ecr/main.go#L34 Unless you want to be opinionated about having users provide them. If so, let me know because I need to rethink some things. |
|
The primary difference between the old plugin and the new plugin is that the script that generates the username and password is written in Go instead of bash. Both plugin use dind and use the official plugins/docker image as base. I believe the issue is related to how this implementation loads the credentials. Instead of using Note that I am out of office for the next few days with limited internet and will not be able to test this patch, but can merge a verified PR via the GitHub user interface. I would therefore ask that interested parties create and test a patch and submit a PR once they verify it is working. I will then be happy to merge. Thanks! |
|
@bradrydzewski not familiar with the aws sdk's behavior when passed nil creds, but if it tries to procure them from the typical places, then that would make sense. |
|
Looks like #159 will solve this problem. |
|
I'll admit to being a bit disappointed that this regression has been in place for six days now. This one is pretty major, in that anyone using the plugins/ecr without static credentials will experience complete breakage. In the future I hope we'll revert sooner in the face of severe breakage like this. |
|
The pull request is merged and the image is updated in Docekrhub. If you continue to experience issues with this newer version of the plugin you can fallback to the older version with the If you are using |
|
Confirmed that |
Addresses a couple issues from the drone-ecr repository:
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYenvironment variables.I tried taking a look at a couple other plugins for examples how to handle/report errors (drone-docker and drone-helm specifically) but nothing that fit my usage so not quite sure what the preferred way is but they're stubbed with
os.Exit(1)for now. Let me know and I'd be glad to change them.