From cf893499d9f7c0e9ef864ab2a20ee488655c6970 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Thu, 11 Jul 2024 19:01:41 +0400 Subject: [PATCH] Fix CI: Update SSRC repo + use ARTIFACTORY_CLOUD_TOKEN in apt+squid --- .github/workflows/main.yaml | 8 +++++--- .github/workflows/tii-mesh-com.yaml | 2 ++ build.sh | 3 +++ common/tools/squid/squid.conf | 27 +++++++++++++++++++++++++++ modules/mesh_com/Dockerfile | 8 +++++++- modules/mesh_com/Dockerfile.build_env | 10 +++++++++- 6 files changed, 53 insertions(+), 5 deletions(-) create mode 100644 common/tools/squid/squid.conf diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index eab737334..24765affe 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -24,6 +24,7 @@ jobs: ROS: 1 ROS_DISTRO: ${{ matrix.ros2_distro }} PACKAGE_NAME: mesh_com + ARTIFACTORY_CLOUD_TOKEN: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }} run: | set -eux mkdir bin @@ -31,13 +32,14 @@ jobs: ./build.sh ../bin/ popd - - uses: jfrog/setup-jfrog-cli@v2 + - uses: jfrog/setup-jfrog-cli@v4 env: - JF_ARTIFACTORY_1: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }} + JF_URL: https://artifactory.ssrcdevops.tii.ae + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }} - name: Upload to Artifactory env: - ARTIFACTORY_REPO: ssrc-deb-public-local + ARTIFACTORY_REPO: debian-public-local DISTRIBUTION: focal COMPONENT: fog-sw ARCHITECTURE: amd64 diff --git a/.github/workflows/tii-mesh-com.yaml b/.github/workflows/tii-mesh-com.yaml index 856317d41..9d77adc33 100644 --- a/.github/workflows/tii-mesh-com.yaml +++ b/.github/workflows/tii-mesh-com.yaml @@ -56,6 +56,8 @@ jobs: uses: docker/build-push-action@v5 with: context: . + build-args: | + "ARTIFACTORY_CLOUD_TOKEN=${{ secrets.ARTIFACTORY_CLOUD_TOKEN }}" platforms: linux/amd64,linux/arm64,linux/riscv64 file: ./modules/mesh_com/Dockerfile push: true diff --git a/build.sh b/build.sh index 526aa45cb..ca0cbcd44 100755 
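Review bot: `jfrog/setup-jfrog-cli@v4` in the second main.yaml hunk is referenced by a movable tag while the step is handed `JF_ACCESS_TOKEN`, so whatever commit that tag points to at run time executes with the Artifactory token. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: jfrog/setup-jfrog-cli@<FULL_COMMIT_SHA> # v4` (placeholder; take the SHA from the release that was reviewed). The same applies to `docker/build-push-action@v5` in tii-mesh-com.yaml, which this commit also starts feeding the secret.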
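Review bot: Passing `ARTIFACTORY_CLOUD_TOKEN` through `build-args` in tii-mesh-com.yaml exposes the token in build metadata, because build arguments are recorded in the history of the stage that consumes them and can also end up in exported cache or provenance records. The first modules/mesh_com/Dockerfile hunk adds to this by copying the argument into `ENV ARTIFACTORY_CLOUD_TOKEN=${ARTIFACTORY_CLOUD_TOKEN}`, which writes the value into that stage's image config. Use the action's `secrets:` input instead (`secrets: |` followed by `"artifactory_token=${{ secrets.ARTIFACTORY_CLOUD_TOKEN }}"`) and read it with `RUN --mount=type=secret,id=artifactory_token ...` on the steps that need apt access, dropping the `ARG`/`ENV` pair. As far as the hunks show the pair sits in the builder stage, so the pushed image may not carry it, but that should be checked with `docker history` before relying on it.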
--- a/build.sh +++ b/build.sh @@ -16,6 +16,8 @@ iname=${PACKAGE_NAME:=mesh_com} iversion=${PACKAGE_VERSION:=latest} +artifactory_cloud_token=${ARTIFACTORY_CLOUD_TOKEN:?ARTIFACTORY_CLOUD_TOKEN is not set} + docker build \ --build-arg UID=$(id -u) \ --build-arg GID=$(id -g) \ @@ -26,6 +28,7 @@ docker build \ docker run \ --rm \ + -e ARTIFACTORY_CLOUD_TOKEN="$artifactory_cloud_token" \ -v $(pwd):/${iname}/sources \ ${iname}_build:${iversion} \ modules/mesh_com/package.sh \ diff --git a/common/tools/squid/squid.conf b/common/tools/squid/squid.conf new file mode 100644 index 000000000..07d357dbe --- /dev/null +++ b/common/tools/squid/squid.conf @@ -0,0 +1,27 @@ +http_port 127.0.0.1:3128 ssl-bump \ + cert=/etc/squid/ssl_cert/myCA.pem \ + generate-host-certificates=on dynamic_cert_mem_cache_size=4MB + +http_access allow all +cache allow all + +sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB + +acl step1 at_step SslBump1 + +ssl_bump peek step1 +ssl_bump bump all + +acl artifactory dstdomain artifactory.ssrcdevops.tii.ae + +request_header_add Authorization "Bearer " artifactory + +pid_filename none +logfile_rotate 0 + +# Debug +# access_log stdio:/dev/fd/1 +# cache_log stdio:/dev/fd/2 + +# Needed to prevent bug in docker +max_filedescriptors 1048576 diff --git a/modules/mesh_com/Dockerfile b/modules/mesh_com/Dockerfile index 4b11fd4f8..6009441a5 100644 --- a/modules/mesh_com/Dockerfile +++ b/modules/mesh_com/Dockerfile @@ -4,6 +4,10 @@ FROM --platform=${BUILDPLATFORM:-linux/amd64} ghcr.io/tiiuae/fog-ros-sdk:v3.2.0- # Must be defined another time after "FROM" keyword. ARG TARGETARCH +# Needed for apt to authenticate with the custom private repo +ARG ARTIFACTORY_CLOUD_TOKEN +ENV ARTIFACTORY_CLOUD_TOKEN=${ARTIFACTORY_CLOUD_TOKEN} + # SRC_DIR environment variable is defined in the fog-ros-sdk image. # The same workspace path is used by all ROS2 components. # See: https://github.com/tiiuae/fog-ros-baseimage/blob/main/Dockerfile.sdk_builder 
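Review bot: `-e ARTIFACTORY_CLOUD_TOKEN="$artifactory_cloud_token"` in the `docker run` call of the second build.sh hunk places the token value on the docker client's command line, where it is readable in the build host's process list and in any `set -x` trace of this script. Pass the variable by name so docker copies it from the environment: `-e ARTIFACTORY_CLOUD_TOKEN \`. The `${ARTIFACTORY_CLOUD_TOKEN:?...}` guard from the first hunk can stay as the presence check; the variable then has to be exported by the caller, which the workflow `env:` block already does.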
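Review bot: `ssl_bump bump all` combined with `http_access allow all` makes the proxy decrypt TLS to every destination, although only requests matching the `artifactory` ACL need the added `Authorization` header. Limit interception to that host and tunnel the rest, e.g. `ssl_bump bump artifactory` followed by `ssl_bump splice all` (an `ssl::server_name` ACL may be needed if matching should be on SNI), and narrow `http_access` to the destinations the build actually uses. Binding the listener to 127.0.0.1 limits who can reach it, but every process in the container still has its HTTPS traffic re-signed by the local CA. The `request_header_add` line carries an empty bearer value here; if a script fills it in at run time, the resulting file holds the token in clear text and should get restrictive permissions and never be copied into an image layer.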
@@ -21,8 +25,9 @@ FROM ghcr.io/tiiuae/fog-ros-baseimage:v3.2.0 ENTRYPOINT [ "/entrypoint.sh" ] +# Squid proxy needed to add Authorization: Bearer header for apt to authenticate with priv repo RUN apt update \ - && apt install -y --no-install-recommends \ + apt install -y --no-install-recommends \ alfred \ batctl \ iproute2 \ @@ -33,6 +38,7 @@ RUN apt update \ rfkill \ wpa-supplicant=2.9-r0 \ && apt clean \ + && rm -f /etc/squid/squid.conf \ && rm -rf /var/lib/apt/lists/* COPY modules/mesh_com/entrypoint.sh /entrypoint.sh diff --git a/modules/mesh_com/Dockerfile.build_env b/modules/mesh_com/Dockerfile.build_env index 51ec466bc..b1025543c 100644 --- a/modules/mesh_com/Dockerfile.build_env +++ b/modules/mesh_com/Dockerfile.build_env @@ -20,14 +20,22 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \ ros-${ROS_DISTRO}-ament-pep257 \ batctl \ alfred \ + squid-openssl \ && rm -rf /var/lib/apt/lists/* +RUN mkdir -p /etc/squid/ssl_cert \ + && openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout /etc/squid/ssl_cert/myCA.pem -out /etc/squid/ssl_cert/myCA.pem -batch \ + && openssl x509 -in /etc/squid/ssl_cert/myCA.pem -outform PEM -out /usr/local/share/ca-certificates/squid.crt \ + && update-ca-certificates \ + && mkdir -p /var/lib/squid \ + && /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB + RUN groupadd -g $GID builder && \ useradd -m -u $UID -g $GID -g builder builder && \ usermod -aG sudo builder && \ echo 'builder ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers -RUN echo "deb [trusted=yes] https://ssrc.jfrog.io/artifactory/ssrc-deb-public-local focal fog-sw" >> /etc/apt/sources.list +RUN echo "deb [trusted=yes] https://artifactory.ssrcdevops.tii.ae/artifactory/debian-public-local focal fog-sw" >> /etc/apt/sources.list WORKDIR /$PACKAGE_NAME
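Review bot: The new `apt install -y --no-install-recommends \` line lost its leading `&&`, so after line continuation the shell runs one `apt update apt install -y ...` command; the package names become arguments to `apt update` instead of a separate install step, and the build is expected to fail or skip the install. Restore the operator: `&& apt install -y --no-install-recommends \`. The added comment says a Squid proxy is needed for apt to authenticate, but no visible line in this stage installs, configures or starts one, so confirm the private repository is actually reachable from this RUN. The RUN instruction continues into the next hunk.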
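Review bot: `rm -f /etc/squid/squid.conf` keeps that file out of the image only if it was written earlier in this same RUN; a file placed by a previous `COPY` or `RUN` stays readable in its own layer after this deletion. Nothing visible in this stage creates the file, so the line is either a no-op or the file arrives in an earlier layer. If it is meant to hold the bearer token, supply it through a BuildKit secret mount (`RUN --mount=type=secret,...`) so it never lands in a layer. The RUN instruction starts outside this hunk.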
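Review bot: The added RUN in Dockerfile.build_env creates an unencrypted CA private key (`-nodes`) at image build time and installs its certificate in the system trust store, so the key is stored in an image layer and anyone who can pull or export `${iname}_build` can sign certificates that containers from this image accept for any host. Generate the CA when the container starts, in the script that launches squid, so each run gets a throwaway key; failing that, constrain it with `-addext "nameConstraints=critical,permitted;DNS:artifactory.ssrcdevops.tii.ae"` and make `myCA.pem` readable only by the account squid runs as. Separately, the updated sources line keeps `[trusted=yes]`, which turns off apt signature verification for the private repository; with TLS interception in the path, package integrity then rests on the proxy alone, so prefer `[signed-by=<PATH_TO_REPO_KEYRING>]` (placeholder) once the repository publishes a signing key.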