author | Jeremy Lin <[email protected]> | 2020-06-14 00:00:05 -0700 |
---|---|---|
committer | Jeremy Lin <[email protected]> | 2020-07-15 20:03:34 -0700 |
commit | 73f0841f17cfa4a1b8f4cc2cf9a2509c517355e4 (patch) | |
tree | 7dee1896cd8ff5817bafbdcc8cfc0caa0d1421ac /hooks | |
parent | 4559e85daa31afb5120c5320760a708f2e5ea862 (diff) | |
download | vaultwarden-73f0841f17cfa4a1b8f4cc2cf9a2509c517355e4.tar.gz vaultwarden-73f0841f17cfa4a1b8f4cc2cf9a2509c517355e4.zip |
Clean up arch-specific tags if Docker Hub credentials are provided
Diffstat (limited to 'hooks')
-rw-r--r-- | hooks/README.md | 1 | ||||
-rwxr-xr-x | hooks/push | 41 |
2 files changed, 42 insertions, 0 deletions
diff --git a/hooks/README.md b/hooks/README.md
index 0932987a..402f4bad 100644
--- a/hooks/README.md
+++ b/hooks/README.md
@@ -17,3 +17,4 @@ The current multi-arch image build relies on the original bitwarden_rs Dockerfil
 * https://docs.docker.com/docker-hub/builds/advanced/
 * https://docs.docker.com/engine/reference/commandline/manifest/
 * https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/
+* https://success.docker.com/article/how-do-i-authenticate-with-the-v2-api
@@ -53,3 +53,44 @@ for manifest_list in "${manifest_lists[@]}"; do
 # Push the manifest list.
 docker manifest push --purge ${manifest_list}
 done
+
+# Avoid logging credentials and tokens.
+set +ex
+
+# Delete the arch-specific tags, if credentials for doing so are available.
+# Note that `DOCKER_PASSWORD` must be the actual user password. Passing a JWT
+# obtained using a personal access token results in a 403 error with
+# {"detail": "access to the resource is forbidden with personal access token"}
+if [[ -z "${DOCKER_USERNAME}" || -z "${DOCKER_PASSWORD}" ]]; then
+ exit 0
+fi
+
+# Given a JSON input on stdin, extract the string value associated with the
+# specified key. This avoids an extra dependency on a tool like `jq`.
+extract() {
+ local key="$1"
+ # Extract "<key>":"<val>" (assumes key/val won't contain double quotes).
+ # The colon may have whitespace on either side.
+ grep -o "\"${key}\"[[:space:]]*:[[:space:]]*\"[^\"]\+\"" |
+ # Extract just <val> by deleting the last '"', and then greedily deleting
+ # everything up to '"'.
+ sed -e 's/"$//' -e 's/.*"//'
+}
+
+echo ">>> Getting API token..."
+jwt=$(curl -sS -X POST \
+ -H "Content-Type: application/json" \
+ -d "{\"username\":\"${DOCKER_USERNAME}\",\"password\": \"${DOCKER_PASSWORD}\"}" \
+ "https://hub.docker.com/v2/users/login" |
+ extract 'token')
+
+# Strip the registry portion from `index.docker.io/user/repo`.
+repo="${DOCKER_REPO#*/}"
+
+for arch in ${arches[@]}; do
+ tag="${DOCKER_TAG}-${arch}"
+ echo ">>> Deleting '${repo}:${tag}'..."
+ curl -sS -X DELETE \
+ -H "Authorization: Bearer ${jwt}" \
+ "https://hub.docker.com/v2/repositories/${repo}/tags/${tag}/"
+done |
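Review bot: The login result is never checked before the delete loop: `set +ex` turns off errexit along with tracing and neither curl call uses `--fail`, so a rejected login leaves `jwt` empty, every DELETE is sent with an empty bearer token, and the hook still reports success. After the login call I would add `[[ -n "${jwt}" ]] || { echo ">>> Docker Hub login failed; skipping tag cleanup" >&2; exit 1; }` (or `exit 0` if cleanup is meant to be best-effort) and put `--fail` on the DELETE so an HTTP error is visible. The login body is also built by pasting `DOCKER_USERNAME` and `DOCKER_PASSWORD` into a JSON string on curl's command line, so a password containing a double quote or backslash yields a malformed or altered request, and the secret sits in the process list while curl runs; supplying the body on stdin with `-d @-` would cover the second part. `arches` and the earlier `set -ex` are defined above this hunk, so how they interact with this code is inferred rather than seen.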