aboutsummaryrefslogtreecommitdiff
path: root/hooks
diff options
context:
space:
mode:
authorJeremy Lin <[email protected]>2020-06-14 00:00:05 -0700
committerJeremy Lin <[email protected]>2020-07-15 20:03:34 -0700
commit73f0841f17cfa4a1b8f4cc2cf9a2509c517355e4 (patch)
tree7dee1896cd8ff5817bafbdcc8cfc0caa0d1421ac /hooks
parent4559e85daa31afb5120c5320760a708f2e5ea862 (diff)
downloadvaultwarden-73f0841f17cfa4a1b8f4cc2cf9a2509c517355e4.tar.gz
vaultwarden-73f0841f17cfa4a1b8f4cc2cf9a2509c517355e4.zip
Clean up arch-specific tags if Docker Hub credentials are provided
Diffstat (limited to 'hooks')
-rw-r--r--hooks/README.md1
-rwxr-xr-xhooks/push41
2 files changed, 42 insertions, 0 deletions
diff --git a/hooks/README.md b/hooks/README.md
index 0932987a..402f4bad 100644
--- a/hooks/README.md
+++ b/hooks/README.md
@@ -17,3 +17,4 @@ The current multi-arch image build relies on the original bitwarden_rs Dockerfil
* https://docs.docker.com/docker-hub/builds/advanced/
* https://docs.docker.com/engine/reference/commandline/manifest/
* https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/
+* https://success.docker.com/article/how-do-i-authenticate-with-the-v2-api
diff --git a/hooks/push b/hooks/push
index 5fd96079..aedd0f04 100755
--- a/hooks/push
+++ b/hooks/push
@@ -53,3 +53,44 @@ for manifest_list in "${manifest_lists[@]}"; do
# Push the manifest list.
docker manifest push --purge ${manifest_list}
done
+
+# Avoid logging credentials and tokens.
+set +ex
+
+# Delete the arch-specific tags, if credentials for doing so are available.
+# Note that `DOCKER_PASSWORD` must be the actual user password. Passing a JWT
+# obtained using a personal access token results in a 403 error with
+# {"detail": "access to the resource is forbidden with personal access token"}
+if [[ -z "${DOCKER_USERNAME}" || -z "${DOCKER_PASSWORD}" ]]; then
+ exit 0
+fi
+
+# Given a JSON input on stdin, extract the string value associated with the
+# specified key. This avoids an extra dependency on a tool like `jq`.
+extract() {
+ local key="$1"
+ # Extract "<key>":"<val>" (assumes key/val won't contain double quotes).
+ # The colon may have whitespace on either side.
+ grep -o "\"${key}\"[[:space:]]*:[[:space:]]*\"[^\"]\+\"" |
+ # Extract just <val> by deleting the last '"', and then greedily deleting
+ # everything up to '"'.
+ sed -e 's/"$//' -e 's/.*"//'
+}
+
+echo ">>> Getting API token..."
+jwt=$(curl -sS -X POST \
+ -H "Content-Type: application/json" \
+ -d "{\"username\":\"${DOCKER_USERNAME}\",\"password\": \"${DOCKER_PASSWORD}\"}" \
+ "https://hub.docker.com/v2/users/login" |
+ extract 'token')
+
+# Strip the registry portion from `index.docker.io/user/repo`.
+repo="${DOCKER_REPO#*/}"
+
+for arch in ${arches[@]}; do
+ tag="${DOCKER_TAG}-${arch}"
+ echo ">>> Deleting '${repo}:${tag}'..."
+ curl -sS -X DELETE \
+ -H "Authorization: Bearer ${jwt}" \
+ "https://hub.docker.com/v2/repositories/${repo}/tags/${tag}/"
+done