Don't send a certificate for non-blob-storage image downloads

Non-blob-storage images don't require a certificate. This caused problems in the E2E tests where `ubicloud_images_blob_storage_certs` wasn't set.
ubicloud · May 13, 2024 · 4036b69 · 4036b69
1 parent 10df77f
commit 4036b69
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 18 deletions.
diff --git a/prog/download_boot_image.rb b/prog/download_boot_image.rb
@@ -13,6 +13,10 @@ def version
     @version ||= frame.fetch("version")
   end
 
+  def download_from_blob_storage?
+    image_name.start_with?("github", "postgres")
+  end
+
   def url
     # YYY: Should we get ubuntu & almalinux urls here? Since we might start
     # putting all images into the blob storage in future, we're postponing the
@@ -21,7 +25,7 @@ def url
     @url ||=
       if frame["custom_url"]
         frame["custom_url"]
-      elsif image_name.start_with?("github", "postgres")
+      elsif download_from_blob_storage?
         blob_storage_client.get_presigned_url("GET", Config.ubicloud_images_bucket_name, "#{image_name}-#{vm_host.arch}.raw", 60 * 60).to_s
       end
   end
@@ -70,9 +74,10 @@ def blob_storage_client
         image_name: image_name,
         url: url,
         version: version,
-        sha256sum: sha256_sum
+        sha256sum: sha256_sum,
+        certs: download_from_blob_storage? ? Config.ubicloud_images_blob_storage_certs : nil
       }.to_json
-      sshable.cmd("common/bin/daemonizer 'host/bin/download-boot-image #{params_json.shellescape}' #{q_daemon_name}", stdin: Config.ubicloud_images_blob_storage_certs)
+      sshable.cmd("common/bin/daemonizer 'host/bin/download-boot-image' #{q_daemon_name}", stdin: params_json)
     when "Failed"
       BootImage.where(vm_host_id: vm_host.id, name: image_name, version: version).destroy
       fail "Failed to download '#{image_name}' image on #{vm_host}"

diff --git a/rhizome/host/bin/download-boot-image b/rhizome/host/bin/download-boot-image
@@ -5,11 +5,7 @@ require "json"
 require_relative "../../common/lib/util"
 require_relative "../lib/boot_image"
 
-unless (params = ARGV.shift)
-  puts "need params as argument"
-  exit 1
-end
-
+params = $stdin.read
 params_json = JSON.parse(params)
 
 unless (boot_image = params_json["image_name"])
@@ -21,10 +17,15 @@ end
 version = params_json["version"]
 url = params_json["url"]
 sha256sum = params_json["sha256sum"]
+certs = params_json["certs"]
 
-certs = $stdin.read
-ca_path = "/usr/lib/ssl/certs/ubicloud_images_blob_storage_certs.crt"
-safe_write_to_file(ca_path, certs)
+# Not all image downloads require a certificate
+if certs.nil?
+  ca_path = nil
+else
+  ca_path = "/usr/lib/ssl/certs/ubicloud_images_blob_storage_certs.crt"
+  safe_write_to_file(ca_path, certs)
+end
 
 BootImage.new(boot_image, version).download(
   url: url, ca_path: ca_path, sha256sum: sha256sum

diff --git a/spec/prog/download_boot_image_spec.rb b/spec/prog/download_boot_image_spec.rb
@@ -30,10 +30,11 @@
         "image_name" => "my-image",
         "url" => "https://example.com/my-image.raw",
         "version" => "20230303",
-        "sha256sum" => nil
+        "sha256sum" => nil,
+        "certs" => nil
       }.to_json
       expect(sshable).to receive(:cmd).with("common/bin/daemonizer --check download_my-image_20230303").and_return("NotStarted")
-      expect(sshable).to receive(:cmd).with("common/bin/daemonizer 'host/bin/download-boot-image #{params_json.shellescape}' download_my-image_20230303", stdin: nil)
+      expect(sshable).to receive(:cmd).with("common/bin/daemonizer 'host/bin/download-boot-image' download_my-image_20230303", stdin: params_json)
       expect { dbi.download }.to nap(15)
     end
 
@@ -42,26 +43,29 @@
         "image_name" => "github-runners-image",
         "url" => "https://minio.example.com/my-image.raw",
         "version" => "20230303",
-        "sha256sum" => nil
+        "sha256sum" => nil,
+        "certs" => "certs"
       }.to_json
       expect(dbi).to receive(:frame).and_return({"image_name" => "github-runners-image", "version" => "20230303"}).at_least(:once)
       expect(Minio::Client).to receive(:new).and_return(instance_double(Minio::Client, get_presigned_url: "https://minio.example.com/my-image.raw"))
       expect(Config).to receive(:ubicloud_images_blob_storage_certs).and_return("certs").at_least(:once)
       expect(sshable).to receive(:cmd).with("common/bin/daemonizer --check download_github-runners-image_20230303").and_return("NotStarted")
-      expect(sshable).to receive(:cmd).with("common/bin/daemonizer 'host/bin/download-boot-image #{params_json.shellescape}' download_github-runners-image_20230303", stdin: "certs")
+      expect(sshable).to receive(:cmd).with("common/bin/daemonizer 'host/bin/download-boot-image' download_github-runners-image_20230303", stdin: params_json)
       expect { dbi.download }.to nap(15)
     end
 
-    it "doesn't send a url for non-github-runners images by default" do
+    it "doesn't send a url or a certificate for non-blob-storage images by default" do
       params_json = {
         "image_name" => "my-image",
         "url" => nil,
         "version" => "20230303",
-        "sha256sum" => nil
+        "sha256sum" => nil,
+        "certs" => nil
       }.to_json
+      expect(Config).not_to receive(:ubicloud_images_blob_storage_certs)
       expect(dbi).to receive(:frame).and_return({"image_name" => "my-image", "version" => "20230303"}).at_least(:once)
       expect(sshable).to receive(:cmd).with("common/bin/daemonizer --check download_my-image_20230303").and_return("NotStarted")
-      expect(sshable).to receive(:cmd).with("common/bin/daemonizer 'host/bin/download-boot-image #{params_json.shellescape}' download_my-image_20230303", stdin: nil)
+      expect(sshable).to receive(:cmd).with("common/bin/daemonizer 'host/bin/download-boot-image' download_my-image_20230303", stdin: params_json)
       expect { dbi.download }.to nap(15)
     end