From c85b21dc85801801846d257f8601bd9be06c00cd Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 15:56:55 +0200 Subject: [PATCH 01/29] Support for Bearer token to access the Docker registry --- docs/usage/docker.md | 43 +++++++++++++++++++++++++ lib/datasource/docker/common.spec.ts | 48 ++++++++++++++++++++++++++++ lib/datasource/docker/common.ts | 10 +++++- 3 files changed, 100 insertions(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 38a6cec386e3c0..5b504cf6b293d6 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -206,6 +206,49 @@ module.exports = { }; ``` +#### Google Container Registry + +Assume you are running Google cloud a personal Gitlab CI and storing the Docker images in the Google Container Registry (GCR). +In this scenario the GCR requires token based authentication for everything and thus you must make two additional things happen: + +1. Get access to your token +2. Make sure renovate gets the token to read the docker registry. + +_This documentation only gives **a few hints** on **a possible way** to achieve this in this scenario_ + +You need a renovate docker image that includes the google cloud SDK which you have to build yourself. +A rough sketch of what the Dockerfile to build such a custom renovate image can look like. + +```Dockerfile +FROM renovate/renovate:12.34.56 +# Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install +# under "Installation" for "Debian/Ubuntu" +RUN ... +``` + +In the `renovate.json` you can instruct Renovate to use a secret as the token to use when connecting the specified docker registry: + +```js +{ + "hostRules": [ + { + "matchHost": "eu.gcr.io", + "token": "{{ secrets.GOOGLE_ACCESS_TOKEN }}", + "authType": "Bearer" + } + ] +} +``` + +You do not want to persist this token anywhere. +One way to provide this token to Renovate is by creating a temporary file with the token from within the .gitlab-ci.yml using something like this: + +```yaml +script: + - 'echo "module.exports = { secrets: { GOOGLE_ACCESS_TOKEN: ''"$(gcloud auth print-access-token)"'' } };" > config.js' + - renovate $RENOVATE_EXTRA_FLAGS +``` + #### ChartMuseum Maybe you're running your own ChartMuseum server to host your private Helm Charts. diff --git a/lib/datasource/docker/common.spec.ts b/lib/datasource/docker/common.spec.ts index 7bc9b260cae97b..38cc0f85ab848f 100644 --- a/lib/datasource/docker/common.spec.ts +++ b/lib/datasource/docker/common.spec.ts 
@@ -1,3 +1,4 @@ +import nock from 'nock'; import { getName, mocked } from '../../../test/util'; import * as _hostRules from '../../util/host-rules'; import * as dockerCommon from './common'; @@ -70,4 +71,51 @@ describe(getName(), () => { `); }); }); + describe('getAuthHeaders', () => { + beforeEach(() => { + nock('https://my.local.registry') + .get('/v2/') + .reply(401, '', { 'www-authenticate': 'Authenticate you must' }); + hostRules.hosts.mockReturnValue([]); + }); + + afterEach(() => { + nock.cleanAll(); + }); + + it('returns "authType token" if both provided', async () => { + hostRules.find.mockReturnValue({ + authType: 'some-authType', + token: 'some-token', + }); + + const headers = await dockerCommon.getAuthHeaders( + 'https://my.local.registry', + 'https://my.local.registry/prefix' + ); + + expect(headers).toMatchInlineSnapshot(` + Object { + "authorization": "some-authType some-token", + } + `); + }); + + it('returns "Bearer token" if only token provided', async () => { + hostRules.find.mockReturnValue({ + token: 'some-token', + }); + + const headers = await dockerCommon.getAuthHeaders( + 'https://my.local.registry', + 'https://my.local.registry/prefix' + ); + + expect(headers).toMatchInlineSnapshot(` + Object { + "authorization": "Bearer some-token", + } + `); + }); + }); }); diff --git a/lib/datasource/docker/common.ts b/lib/datasource/docker/common.ts index 14d9d1468e95e7..f42fbf1722507a 100644 --- a/lib/datasource/docker/common.ts +++ b/lib/datasource/docker/common.ts 
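Review bot: Both new tests only pin the `authorization` string and never touch the `401 /v2/` reply registered in `beforeEach`, because the token branch in `getAuthHeaders` returns before any request is made, so that mock is dead setup here and (if the project's http mock reports unconsumed scopes, which is not visible in this hunk) could fail once the spec moves to `httpMock`. The precedence case is also untested: a host rule with `username`, `password` and `token` together currently takes the Basic path silently. Adding a third case, `hostRules.find.mockReturnValue({ username: 'u', password: 'p', token: 'some-token' })`, with a snapshot of the resulting `Basic …` header would document that choice rather than leave it implicit.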
@@ -81,12 +81,20 @@ export async function getAuthHeaders( 'base64' ); opts.headers = { authorization: `Basic ${auth}` }; + } else if (opts.token) { + const authType = opts.authType ? opts.authType : 'Bearer'; + logger.debug( + `Using ${authType} token for docker registry ${registryHost}` + ); + opts.headers = { authorization: `${authType} ${opts.token}` }; + return opts.headers; } delete opts.username; delete opts.password; + delete opts.token; if (authenticateHeader.scheme.toUpperCase() === 'BASIC') { - logger.debug(`Using Basic auth for docker registry ${dockerRepository}`); + logger.debug(`Using Basic auth for docker registry ${registryHost}`); await http.get(apiCheckUrl, opts); return opts.headers; } From 8a6fe844858a67ba2304aa5d9972a9fb5af05f3a Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 19:39:55 +0200 Subject: [PATCH 02/29] Update docs/usage/docker.md Co-authored-by: Michael Kriese --- docs/usage/docker.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 5b504cf6b293d6..a4047e983044fd 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md @@ -234,7 +234,6 @@ In the `renovate.json` you can instruct Renovate to use a secret as the token to { "matchHost": "eu.gcr.io", "token": "{{ secrets.GOOGLE_ACCESS_TOKEN }}", - "authType": "Bearer" } ] } From a4cf412a42dfb8ccc44c8eadd52f396477d7acc9 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 19:52:55 +0200 Subject: [PATCH 03/29] Fix typo in documentation --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index a4047e983044fd..65d60fa310fdc9 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md @@ -233,7 +233,7 @@ In the `renovate.json` you can instruct Renovate to use a secret as the token to "hostRules": [ { "matchHost": "eu.gcr.io", - "token": "{{ secrets.GOOGLE_ACCESS_TOKEN }}", + "token": "{{ secrets.GOOGLE_ACCESS_TOKEN }}" } ] } 
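Review bot: The new `else if (opts.token)` branch returns the static header without the `await http.get(apiCheckUrl, opts)` round-trip the Basic branch below performs, so an expired or mis-scoped token (the docs hunk itself notes GCR tokens expire after 60 minutes) is not caught here and surfaces later as an opaque registry failure; adding `await http.get(apiCheckUrl, opts);` before `return opts.headers;` keeps the two credential paths consistent. It also ignores the `authenticateHeader` challenge already fetched for this host, so the token is sent regardless of the scheme the registry advertised. `authType` is interpolated verbatim from the host rule into the `authorization` header; restricting it to the known schemes (`Bearer`, `Basic`) or at least rejecting values containing whitespace would stop a malformed rule from producing a malformed header. The enclosing `getAuthHeaders` begins before this hunk and continues after it.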
From 7c46429d3a624a3442d604bb1fa41b777c7505b9 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 21:28:54 +0200 Subject: [PATCH 04/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 65d60fa310fdc9..8d0b0bcd653288 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md @@ -216,7 +216,7 @@ In this scenario the GCR requires token based authentication for everything and _This documentation only gives **a few hints** on **a possible way** to achieve this in this scenario_ -You need a renovate docker image that includes the google cloud SDK which you have to build yourself. +You need a Renovate Docker image that includes the Google Cloud SDK which you have to build yourself. A rough sketch of what the Dockerfile to build such a custom renovate image can look like. ```Dockerfile From 9772c93d09567aa94a7d0c81cdd236fe5773d498 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 21:29:02 +0200 Subject: [PATCH 05/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 8d0b0bcd653288..8d98441d6b5953 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -217,7 +217,7 @@ In this scenario the GCR requires token based authentication for everything and _This documentation only gives **a few hints** on **a possible way** to achieve this in this scenario_ You need a Renovate Docker image that includes the Google Cloud SDK which you have to build yourself. -A rough sketch of what the Dockerfile to build such a custom renovate image can look like. +A rough sketch of what the Dockerfile to build such a custom Renovate image can look like. ```Dockerfile FROM renovate/renovate:12.34.56 From b14d469e14d762d77b701db8e57c50a7be6e9c66 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 21:29:11 +0200 Subject: [PATCH 06/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 8d98441d6b5953..b2cf983695d509 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md @@ -240,7 +240,7 @@ In the `renovate.json` you can instruct Renovate to use a secret as the token to ``` You do not want to persist this token anywhere. -One way to provide this token to Renovate is by creating a temporary file with the token from within the .gitlab-ci.yml using something like this: +One way to provide this token to Renovate is by creating a temporary file with the token from within the `.gitlab-ci.yml` using something like this: ```yaml script: From a988c7f60bd22e6d0405f97b7af15b764ae8be6a Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 21:29:23 +0200 Subject: [PATCH 07/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index b2cf983695d509..206fdf4c4c9e28 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -208,7 +208,7 @@ module.exports = { #### Google Container Registry -Assume you are running Google cloud a personal Gitlab CI and storing the Docker images in the Google Container Registry (GCR). +Assume you are running Google Cloud a personal GitLab CI and storing the Docker images in the Google Container Registry (GCR). In this scenario the GCR requires token based authentication for everything and thus you must make two additional things happen: 1. Get access to your token From b66dbed2e777a4d8e52171eb946be91647192970 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 21:29:35 +0200 Subject: [PATCH 08/29] Update lib/datasource/docker/common.ts Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- lib/datasource/docker/common.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/datasource/docker/common.ts b/lib/datasource/docker/common.ts index f42fbf1722507a..1e57b2c7a4100f 100644 --- a/lib/datasource/docker/common.ts +++ b/lib/datasource/docker/common.ts @@ -84,7 +84,7 @@ export async function getAuthHeaders( } else if (opts.token) { const authType = opts.authType ? opts.authType : 'Bearer'; logger.debug( - `Using ${authType} token for docker registry ${registryHost}` + `Using ${authType} token for Docker registry ${registryHost}` ); opts.headers = { authorization: `${authType} ${opts.token}` }; return opts.headers; From 8351398474427fa708c25c384176fb40558108d8 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Fri, 11 Jun 2021 21:29:46 +0200 Subject: [PATCH 09/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 206fdf4c4c9e28..7728597e4295c1 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -212,7 +212,7 @@ Assume you are running Google Cloud a personal GitLab CI and storing the Docker In this scenario the GCR requires token based authentication for everything and thus you must make two additional things happen: 1. Get access to your token -2. Make sure renovate gets the token to read the docker registry. +1. Make sure Renovate gets the token to read the Docker registry. _This documentation only gives **a few hints** on **a possible way** to achieve this in this scenario_ From b64cb2d9760c36c5e0d99ef02572c6f0e9eb8475 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 14:26:38 +0200 Subject: [PATCH 10/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 7728597e4295c1..4001530af1cc94 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md @@ -226,7 +226,7 @@ FROM renovate/renovate:12.34.56 RUN ... ``` -In the `renovate.json` you can instruct Renovate to use a secret as the token to use when connecting the specified docker registry: +In your `renovate.json` file, tell Renovate which secret to use as the token when connecting to the specified Docker registry: ```js { From 786a648e62cc43e62d8672cc64c375212c4e9af5 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 14:26:50 +0200 Subject: [PATCH 11/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 4001530af1cc94..b382455e7508f7 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -208,7 +208,7 @@ module.exports = { #### Google Container Registry -Assume you are running Google Cloud a personal GitLab CI and storing the Docker images in the Google Container Registry (GCR). +Assume you are running Google Cloud plus GitLab CI and are storing the Docker images in the Google Container Registry (GCR). In this scenario the GCR requires token based authentication for everything and thus you must make two additional things happen: 1. Get access to your token From 21d38f6048fdee71905ab9af0dff38f865ddaaf5 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 14:27:34 +0200 Subject: [PATCH 12/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index b382455e7508f7..2f99a31bcfb889 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md @@ -216,8 +216,8 @@ In this scenario the GCR requires token based authentication for everything and _This documentation only gives **a few hints** on **a possible way** to achieve this in this scenario_ -You need a Renovate Docker image that includes the Google Cloud SDK which you have to build yourself. -A rough sketch of what the Dockerfile to build such a custom Renovate image can look like. +You need a custom Renovate Docker image that includes the Google Cloud SDK. +The Dockerfile can look like this: ```Dockerfile FROM renovate/renovate:12.34.56 From 3cdcc886691caa0e26f688bcca80af703f233358 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 14:28:25 +0200 Subject: [PATCH 13/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 2f99a31bcfb889..a840940009a16a 100644 --- a/docs/usage/docker.md 
+++ b/docs/usage/docker.md @@ -220,7 +220,7 @@ You need a custom Renovate Docker image that includes the Google Cloud SDK. The Dockerfile can look like this: ```Dockerfile -FROM renovate/renovate:12.34.56 +FROM renovate/renovate:25.40.1 # Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install # under "Installation" for "Debian/Ubuntu" RUN ... From 397755bd3218341b1be71a278f4e08aa86326226 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 14:22:27 +0200 Subject: [PATCH 14/29] Add debug log of the step to applySecrets --- lib/config/secrets.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/config/secrets.ts b/lib/config/secrets.ts index bb1bfd2481d7bf..cb0c6c909a9698 100644 --- a/lib/config/secrets.ts +++ b/lib/config/secrets.ts @@ -114,6 +114,7 @@ function replaceSecretsinObject( } export function applySecretsToConfig(config: RenovateConfig): RenovateConfig { + logger.debug({ config }, 'applySecretsToConfig()'); // Add all secrets to be sanitized if (is.plainObject(config.secrets)) { for (const secret of Object.values(config.secrets)) { From 0997200d2a5d5d6f4c3453de302a8799ed24fb58 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 14:51:23 +0200 Subject: [PATCH 15/29] Improve documentation. --- docs/usage/docker.md | 31 ++++++++++--------------------- 1 file changed, 10 insertions(+), 21 deletions(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index a840940009a16a..05e4b8d0148cdb 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
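Review bot: `logger.debug({ config }, 'applySecretsToConfig()')` serialises the whole config, including `config.secrets`, before the loop beneath it registers those values for sanitisation, so the first debug line of this function will carry the raw secret values unless the logger already redacts a top-level `secrets` key (not visible in this hunk). Debug output is routinely captured in CI logs and pasted into bug reports, which is exactly where a registry token must not end up. Log a redacted view instead, e.g. `logger.debug({ config: { ...config, secrets: undefined } }, 'applySecretsToConfig()');`, or move the statement after the sanitisation loop. The remainder of `applySecretsToConfig` lies outside this hunk.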
@@ -208,15 +208,17 @@ module.exports = { #### Google Container Registry -Assume you are running Google Cloud plus GitLab CI and are storing the Docker images in the Google Container Registry (GCR). -In this scenario the GCR requires token based authentication for everything and thus you must make two additional things happen: +Assume you are running GitLab CI in the Google Cloud and are storing the Docker images in the Google Container Registry (GCR). +Access to the GCR uses a Bearer token based authentication. +The token for the build can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed. -1. Get access to your token -1. Make sure Renovate gets the token to read the Docker registry. +It is also very important to note that this is a short-lived token ([60 minutes](https://stackoverflow.com/questions/50370714/google-cloud-bearer-token-expiry)) and thus storing it repeated builds is useless. + +When applying this to Renovate this all means the access token must be injected into the `hostRules` configuration just before Renovate is started. _This documentation only gives **a few hints** on **a possible way** to achieve this in this scenario_ -You need a custom Renovate Docker image that includes the Google Cloud SDK. +To get access to the token a custom Renovate Docker image is needed that includes the Google Cloud SDK. The Dockerfile can look like this: ```Dockerfile 
@@ -226,25 +228,12 @@ FROM renovate/renovate:25.40.1 RUN ... ``` -In your `renovate.json` file, tell Renovate which secret to use as the token when connecting to the specified Docker registry: - -```js -{ - "hostRules": [ - { - "matchHost": "eu.gcr.io", - "token": "{{ secrets.GOOGLE_ACCESS_TOKEN }}" - } - ] -} -``` - -You do not want to persist this token anywhere. -One way to provide this token to Renovate is by creating a temporary file with the token from within the `.gitlab-ci.yml` using something like this: +One way to provide this token to Renovate is by generating a `config.js` file from within the `.gitlab-ci.yml`: ```yaml script: - - 'echo "module.exports = { secrets: { GOOGLE_ACCESS_TOKEN: ''"$(gcloud auth print-access-token)"'' } };" > config.js' + - gcloud auth list + - 'echo "module.exports = { hostRules: [ { matchHost: ''eu.gcr.io'', token: ''"$(gcloud auth print-access-token)"'' }] };" > config.js' - renovate $RENOVATE_EXTRA_FLAGS ``` From d87a86b2e6558fb65ec63c6e358c940bc5b0d41c Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 20:27:08 +0200 Subject: [PATCH 16/29] Improve documentation. --- docs/usage/docker.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 05e4b8d0148cdb..3a3e0e730a2ee5 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -208,18 +208,20 @@ module.exports = { #### Google Container Registry -Assume you are running GitLab CI in the Google Cloud and are storing the Docker images in the Google Container Registry (GCR). -Access to the GCR uses a Bearer token based authentication. -The token for the build can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed. +Assume you are running GitLab CI in the Google Cloud, and you are storing your Docker images in the Google Container Registry (GCR). -It is also very important to note that this is a short-lived token ([60 minutes](https://stackoverflow.com/questions/50370714/google-cloud-bearer-token-expiry)) and thus storing it repeated builds is useless. +Access to the GCR uses a Bearer token based authentication. This token can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed. -When applying this to Renovate this all means the access token must be injected into the `hostRules` configuration just before Renovate is started. +It is also very important to note that this is a short-lived token ([60 minutes](https://stackoverflow.com/questions/50370714/google-cloud-bearer-token-expiry)) and thus storing it for subsequent builds in a variable (like you can do with the `RENOVATE_TOKEN`) is not an option. -_This documentation only gives **a few hints** on **a possible way** to achieve this in this scenario_ +When running Renovate in this context the Google access token must be retrieved and injected into the `hostRules` configuration just before Renovate is started. + +_This documentation gives **a few hints** on **a possible way** to achieve this end result._ + +The basic approach documented here is that you create a custom image and then run Renovate as one of the stages of your project. 
To make this run independent of any user you should use a `Project Access Token` for the project and use this as the `RENOVATE_TOKEN` variable for Gitlab CI. See also: https://gitlab.com/renovate-bot/renovate-runner To get access to the token a custom Renovate Docker image is needed that includes the Google Cloud SDK. -The Dockerfile can look like this: +The Dockerfile to create such an image can look like this: ```Dockerfile FROM renovate/renovate:25.40.1 @@ -228,12 +230,11 @@ FROM renovate/renovate:25.40.1 RUN ... ``` -One way to provide this token to Renovate is by generating a `config.js` file from within the `.gitlab-ci.yml`: +One way to provide this token using the `hostRules` to Renovate is by generating a `config.js` file from within the `.gitlab-ci.yml`: ```yaml script: - - gcloud auth list - - 'echo "module.exports = { hostRules: [ { matchHost: ''eu.gcr.io'', token: ''"$(gcloud auth print-access-token)"'' }] };" > config.js' + - 'echo "module.exports = { hostRules: [ { matchHost: ''eu.gcr.io'', token: ''"$(gcloud auth print-access-token)"'' } ] };" > config.js' - renovate $RENOVATE_EXTRA_FLAGS ``` From ec9a340fc8c4de3cd210a53437804d7860efe745 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 22:39:28 +0200 Subject: [PATCH 17/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 3a3e0e730a2ee5..e61c9dc3bd4089 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -210,7 +210,8 @@ module.exports = { Assume you are running GitLab CI in the Google Cloud, and you are storing your Docker images in the Google Container Registry (GCR). -Access to the GCR uses a Bearer token based authentication. This token can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed. +Access to the GCR uses Bearer token based authentication. +This token can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed. It is also very important to note that this is a short-lived token ([60 minutes](https://stackoverflow.com/questions/50370714/google-cloud-bearer-token-expiry)) and thus storing it for subsequent builds in a variable (like you can do with the `RENOVATE_TOKEN`) is not an option. From 862c955eabf82fdf72f280eb6cff1817bd193003 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 22:48:02 +0200 Subject: [PATCH 18/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index e61c9dc3bd4089..52883ef59ff5e6 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -213,7 +213,7 @@ Assume you are running GitLab CI in the Google Cloud, and you are storing your D Access to the GCR uses Bearer token based authentication. This token can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed. -It is also very important to note that this is a short-lived token ([60 minutes](https://stackoverflow.com/questions/50370714/google-cloud-bearer-token-expiry)) and thus storing it for subsequent builds in a variable (like you can do with the `RENOVATE_TOKEN`) is not an option. +Storing the bearer token for subsequent builds in a variable (like you can do with the `RENOVATE_TOKEN`) is not an option because the token expires after 60 minutes. When running Renovate in this context the Google access token must be retrieved and injected into the `hostRules` configuration just before Renovate is started. From a82ba91c0b7402a43019fa5b96aaf2dbcfe7de9f Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Sat, 12 Jun 2021 22:48:32 +0200 Subject: [PATCH 19/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 52883ef59ff5e6..4638d56081e9c5 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -219,7 +219,9 @@ When running Renovate in this context the Google access token must be retrieved _This documentation gives **a few hints** on **a possible way** to achieve this end result._ -The basic approach documented here is that you create a custom image and then run Renovate as one of the stages of your project. To make this run independent of any user you should use a `Project Access Token` for the project and use this as the `RENOVATE_TOKEN` variable for Gitlab CI. See also: https://gitlab.com/renovate-bot/renovate-runner +The basic approach documented here is that you create a custom image and then run Renovate as one of the stages of your project. +To make this run independent of any user you should use a `Project Access Token` for the project and use this as the `RENOVATE_TOKEN` variable for Gitlab CI. +See also the [renovate-runner repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner). To get access to the token a custom Renovate Docker image is needed that includes the Google Cloud SDK. The Dockerfile to create such an image can look like this: From 6954f50d54a4f393b07276624ac9b7a5266a6935 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Wed, 16 Jun 2021 08:27:41 +0200 Subject: [PATCH 20/29] Update lib/config/secrets.ts Co-authored-by: Michael Kriese --- lib/config/secrets.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/config/secrets.ts b/lib/config/secrets.ts index cb0c6c909a9698..17f126ffa85e37 100644 --- a/lib/config/secrets.ts +++ b/lib/config/secrets.ts @@ -114,7 +114,7 @@ function replaceSecretsinObject( } export function applySecretsToConfig(config: RenovateConfig): RenovateConfig { - logger.debug({ config }, 'applySecretsToConfig()'); + logger.trace({ config }, 'applySecretsToConfig()'); // Add all secrets to be sanitized if (is.plainObject(config.secrets)) { for (const secret of Object.values(config.secrets)) { From 4f6280a22ba33bc78e785a8117a6e61ccfacfee3 Mon Sep 17 00:00:00 2001 
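Review bot: Lowering the level to `trace` does not change that the logged `config` still contains `config.secrets` in clear text, because the loop that registers those values for sanitisation runs only after this statement; anyone running with trace logging to debug a host-rule problem will get the registry token in their output. Either strip the key before logging, `logger.trace({ config: { ...config, secrets: undefined } }, 'applySecretsToConfig()');`, or place the log after the loop. Whether the logger's built-in field redaction already covers a `secrets` key cannot be determined from this hunk. The function body continues past the hunk.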
From: Niels Basjes Date: Wed, 16 Jun 2021 08:28:04 +0200 Subject: [PATCH 21/29] Update lib/datasource/docker/common.spec.ts Co-authored-by: Michael Kriese --- lib/datasource/docker/common.spec.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/datasource/docker/common.spec.ts b/lib/datasource/docker/common.spec.ts index 38cc0f85ab848f..a3a640c0078466 100644 --- a/lib/datasource/docker/common.spec.ts +++ b/lib/datasource/docker/common.spec.ts @@ -1,4 +1,4 @@ -import nock from 'nock'; +import * as httpMock from '../../../test/http-mock'; import { getName, mocked } from '../../../test/util'; import * as _hostRules from '../../util/host-rules'; import * as dockerCommon from './common'; From c85915fbaac99e99e2196897879ec46f398ced77 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Wed, 16 Jun 2021 08:28:37 +0200 Subject: [PATCH 22/29] Update lib/datasource/docker/common.spec.ts Co-authored-by: Michael Kriese --- lib/datasource/docker/common.spec.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/datasource/docker/common.spec.ts b/lib/datasource/docker/common.spec.ts index a3a640c0078466..14bfadb426d5af 100644 --- a/lib/datasource/docker/common.spec.ts +++ b/lib/datasource/docker/common.spec.ts @@ -73,7 +73,7 @@ describe(getName(), () => { }); describe('getAuthHeaders', () => { beforeEach(() => { - nock('https://my.local.registry') + httpMock.scope('https://my.local.registry') .get('/v2/') .reply(401, '', { 'www-authenticate': 'Authenticate you must' }); hostRules.hosts.mockReturnValue([]); From 10b523ffc2b491b7b55bca6dcd5fb2c817b8f0c8 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Wed, 16 Jun 2021 08:28:48 +0200 Subject: [PATCH 23/29] Update lib/datasource/docker/common.spec.ts Co-authored-by: Michael Kriese --- lib/datasource/docker/common.spec.ts | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lib/datasource/docker/common.spec.ts b/lib/datasource/docker/common.spec.ts index 14bfadb426d5af..3b5264c1153db8 100644 
--- a/lib/datasource/docker/common.spec.ts +++ b/lib/datasource/docker/common.spec.ts @@ -79,10 +79,6 @@ describe(getName(), () => { hostRules.hosts.mockReturnValue([]); }); - afterEach(() => { - nock.cleanAll(); - }); - it('returns "authType token" if both provided', async () => { hostRules.find.mockReturnValue({ authType: 'some-authType', From a0370ec597f56930c90e0f3ac1f64a64d477c4eb Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Wed, 16 Jun 2021 08:29:04 +0200 Subject: [PATCH 24/29] Update lib/datasource/docker/common.ts Co-authored-by: Michael Kriese --- lib/datasource/docker/common.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/datasource/docker/common.ts b/lib/datasource/docker/common.ts index 1e57b2c7a4100f..48abffd5c91491 100644 --- a/lib/datasource/docker/common.ts +++ b/lib/datasource/docker/common.ts @@ -82,7 +82,7 @@ export async function getAuthHeaders( ); opts.headers = { authorization: `Basic ${auth}` }; } else if (opts.token) { - const authType = opts.authType ? opts.authType : 'Bearer'; + const authType = opts.authType ?? 'Bearer'; logger.debug( `Using ${authType} token for Docker registry ${registryHost}` ); From d6e77f262aa896c8496aa541aa2a3f6eb58ece1e Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Wed, 16 Jun 2021 10:36:21 +0200 Subject: [PATCH 25/29] Log authentication as trace instead of debug. --- lib/datasource/docker/common.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/datasource/docker/common.ts b/lib/datasource/docker/common.ts index 48abffd5c91491..b90cf21ea0892a 100644 --- a/lib/datasource/docker/common.ts +++ b/lib/datasource/docker/common.ts @@ -83,7 +83,7 @@ export async function getAuthHeaders( opts.headers = { authorization: `Basic ${auth}` }; } else if (opts.token) { const authType = opts.authType ?? 'Bearer'; - logger.debug( + logger.trace( `Using ${authType} token for Docker registry ${registryHost}` ); opts.headers = { authorization: `${authType} ${opts.token}` }; 
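Review bot: `opts.authType ?? 'Bearer'` falls back only for `null`/`undefined`, whereas the replaced ternary also fell back for an empty string, so a host rule with `authType: ''` now yields an `authorization` header of `' some-token'` with no scheme. If that difference is unintended, keep the truthiness check with `const authType = opts.authType || 'Bearer';`, or better, validate `authType` against the accepted schemes before it is used. The enclosing `getAuthHeaders` starts and ends outside this hunk.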
@@ -94,7 +94,7 @@ export async function getAuthHeaders( delete opts.token; if (authenticateHeader.scheme.toUpperCase() === 'BASIC') { - logger.debug(`Using Basic auth for docker registry ${registryHost}`); + logger.trace(`Using Basic auth for docker registry ${registryHost}`); await http.get(apiCheckUrl, opts); return opts.headers; } From 959d91218256d86d0ef29edfcbb27f80dcc31106 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Wed, 16 Jun 2021 10:41:42 +0200 Subject: [PATCH 26/29] Fix prettier --- lib/datasource/docker/common.spec.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/datasource/docker/common.spec.ts b/lib/datasource/docker/common.spec.ts index 3b5264c1153db8..6c652b798a2846 100644 --- a/lib/datasource/docker/common.spec.ts +++ b/lib/datasource/docker/common.spec.ts @@ -73,7 +73,8 @@ describe(getName(), () => { }); describe('getAuthHeaders', () => { beforeEach(() => { - httpMock.scope('https://my.local.registry') + httpMock + .scope('https://my.local.registry') .get('/v2/') .reply(401, '', { 'www-authenticate': 'Authenticate you must' }); hostRules.hosts.mockReturnValue([]); From a8c76d179b1752f7af805eb234beafb4bee12115 Mon Sep 17 00:00:00 2001 From: Niels Basjes Date: Wed, 16 Jun 2021 13:48:02 +0200 Subject: [PATCH 27/29] Update docs/usage/docker.md Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- docs/usage/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 4638d56081e9c5..a87c8e68d63b1d 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -213,7 +213,7 @@ Assume you are running GitLab CI in the Google Cloud, and you are storing your D
 Access to the GCR uses Bearer token based authentication.
 This token can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed.
 
-Storing the bearer token for subsequent builds in a variable (like you can do with the `RENOVATE_TOKEN`) is not an option because the token expires after 60 minutes.
+The token expires after 60 minutes so you cannot store it in a variable for subsequent builds (like you can with `RENOVATE_TOKEN`).
 
 When running Renovate in this context the Google access token must be retrieved and injected into the `hostRules` configuration just before Renovate is started.
 

From ead8c9c340f95ef5619e5bc237941fde1a0ececc Mon Sep 17 00:00:00 2001
From: Niels Basjes
Date: Wed, 16 Jun 2021 13:49:29 +0200
Subject: [PATCH 28/29] Update docs/usage/docker.md

Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
---
 docs/usage/docker.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/usage/docker.md b/docs/usage/docker.md
index a87c8e68d63b1d..53d5a2d46a97b1 100644
--- a/docs/usage/docker.md
+++ b/docs/usage/docker.md
@@ -219,7 +219,7 @@ When running Renovate in this context the Google access token must be retrieved
 
 _This documentation gives **a few hints** on **a possible way** to achieve this end result._
 
-The basic approach documented here is that you create a custom image and then run Renovate as one of the stages of your project.
+The basic approach is that you create a custom image and then run Renovate as one of the stages of your project.
 To make this run independent of any user you should use a `Project Access Token` for the project and use this as the `RENOVATE_TOKEN` variable for Gitlab CI.
 See also the [renovate-runner repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner).
 
From 9a2d13ab6bfb862c13e3feb599ef95d12217b1b6 Mon Sep 17 00:00:00 2001
From: Niels Basjes
Date: Wed, 16 Jun 2021 14:26:37 +0200
Subject: [PATCH 29/29] Improve documentation

---
 docs/usage/docker.md | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/docs/usage/docker.md b/docs/usage/docker.md
index 53d5a2d46a97b1..5146194127eac7 100644
--- a/docs/usage/docker.md
+++ b/docs/usage/docker.md
@@ -220,8 +220,8 @@ When running Renovate in this context the Google access token must be retrieved
 _This documentation gives **a few hints** on **a possible way** to achieve this end result._
 
 The basic approach is that you create a custom image and then run Renovate as one of the stages of your project.
-To make this run independent of any user you should use a `Project Access Token` for the project and use this as the `RENOVATE_TOKEN` variable for Gitlab CI.
-See also the [renovate-runner repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner).
+To make this run independent of any user you should use a [`Project Access Token`](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) (with Scopes: `api`, `read_api` and `write_repository`) for the project and use this as the `RENOVATE_TOKEN` variable for Gitlab CI.
+See also the [renovate-runner repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner) where `.gitlab-ci.yml` configuration examples can be found.
 
 To get access to the token a custom Renovate Docker image is needed that includes the Google Cloud SDK.
 The Dockerfile to create such an image can look like this:
@@ -233,7 +233,19 @@ FROM renovate/renovate:25.40.1
 RUN ...
 ```
 
-One way to provide this token using the `hostRules` to Renovate is by generating a `config.js` file from within the `.gitlab-ci.yml`:
+For Renovate to access the Google Container Registry (GCR) it needs the current Google Access Token.
+The configuration fragment to do that looks something like this:
+
+```js
+hostRules: [
+ {
+ matchHost: 'eu.gcr.io',
+ token: 'MyReallySecretTokenThatExpiresAfter60Minutes',
+ },
+];
+```
+
+One way to provide the short-lived Google Access Token to Renovate is by generating these settings into a `config.js` file from within the `.gitlab-ci.yml` right before starting Renovate:
 
 ```yaml
 script: