diff --git a/.evergreen/config_generator/components/earthly.py b/.evergreen/config_generator/components/earthly.py index 4dac11f31d..debf6dd39a 100644 --- a/.evergreen/config_generator/components/earthly.py +++ b/.evergreen/config_generator/components/earthly.py @@ -5,9 +5,18 @@ from typing import Iterable, Literal, Mapping, NamedTuple, TypeVar from shrub.v3.evg_build_variant import BuildVariant -from shrub.v3.evg_command import BuiltInCommand, EvgCommandType, subprocess_exec +from shrub.v3.evg_command import ( + BuiltInCommand, + EvgCommandType, + KeyValueParam, + ec2_assume_role, + expansions_update, + subprocess_exec, +) from shrub.v3.evg_task import EvgTask, EvgTaskRef +from config_generator.etc.function import Function + from ..etc.utils import all_possible T = TypeVar("T") @@ -38,7 +47,7 @@ "Valid options for the SASL configuration parameter" TLSOption = Literal["OpenSSL", "off"] "Options for the TLS backend configuration parameter (AKA 'ENABLE_SSL')" -CxxVersion = Literal["none"] # TODO: Once CXX-3103 is released, add latest C++ release tag. +CxxVersion = Literal["none"] # TODO: Once CXX-3103 is released, add latest C++ release tag. "C++ driver refs that are under CI test" # A separator character, since we cannot use whitespace 
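Review bot: The new `from config_generator.etc.function import Function` line uses an absolute package path while the neighbouring `from ..etc.utils import all_possible` uses an explicit relative import, so the same package is now spelled two ways inside one import block. Pick one form for both; matching the file's existing style that would be `from ..etc.function import Function`. The second hunk in this file only reflows a comment and needs nothing.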
@@ -136,6 +145,34 @@ def suffix(self) -> str: return _SEPARATOR.join(f"{k}={v}" for k, v in self._asdict().items()) +# Authenticate with DevProd-provided Amazon ECR instance to use as pull-through cache for DockerHub. +class DockerLoginAmazonECR(Function): + name = 'docker-login-amazon-ecr' + commands = [ + # Avoid inadvertently using a pre-existing and potentially conflicting Docker config. + expansions_update(updates=[KeyValueParam(key='DOCKER_CONFIG', value='${workdir}/.docker')]), + ec2_assume_role(role_arn="arn:aws:iam::901841024863:role/ecr-role-evergreen-ro"), + subprocess_exec( + binary="bash", + command_type=EvgCommandType.SETUP, + include_expansions_in_env=[ + "AWS_ACCESS_KEY_ID", + "AWS_SECRET_ACCESS_KEY", + "AWS_SESSION_TOKEN", + "DOCKER_CONFIG", + ], + args=[ + "-c", + 'aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com', + ], + ), + ] + + @classmethod + def call(cls, **kwargs): + return cls.default_call(**kwargs) + + def task_filter(env: EarthlyVariant, conf: Configuration) -> bool: """ Control which tasks are actually defined by matching on the platform and @@ -170,11 +207,16 @@ def earthly_exec( return subprocess_exec( "./tools/earthly.sh", args=[ + # Use Amazon ECR as pull-through cache for DockerHub to avoid rate limits. + "--buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3", *(f"--secret={k}" for k in (secrets or ())), f"+{target}", + # Use Amazon ECR as pull-through cache for DockerHub to avoid rate limits. + "--default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub", *(f"--{arg}={val}" for arg, val in (args or {}).items()), ], command_type=EvgCommandType(kind), + include_expansions_in_env=["DOCKER_CONFIG"], env=env if env else None, working_dir="mongoc", ) 
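Review bot: In `DockerLoginAmazonECR.commands` the `ec2_assume_role(...)` call carries no `command_type`, while the `subprocess_exec` right below it and the Kondukto `ec2_assume_role` in sbom.py are both `EvgCommandType.SETUP`, so a failed role assumption would be reported as a test failure rather than a setup failure; passing `command_type=EvgCommandType.SETUP` here (and in the matching ECR block in sbom.py) keeps the classification consistent. The host `901841024863.dkr.ecr.us-east-1.amazonaws.com` and the role ARN are also repeated verbatim here, in `earthly_exec` and in sbom.py, so a module-level constant would keep the account and region in one place. One point worth a comment on the `DOCKER_CONFIG` line: `docker login --password-stdin` stores the ECR token in `${workdir}/.docker/config.json` in plain form, so if `${workdir}` is ever captured as an artifact (not visible here) that file should be excluded or removed in a teardown step; the token is short-lived, but it is still a credential on disk.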
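Review bot: The new `--buildkit-image=...buildkitd:v0.8.3` argument in `earthly_exec` pins a buildkitd tag that presumably has to match the Earthly CLI version installed by `./tools/earthly.sh` (that script is not in this diff), and nothing records that coupling. A comment such as `# buildkitd tag must track the Earthly CLI version pinned in tools/earthly.sh` next to the argument, or reading the version from one shared constant, would keep the two from drifting on the next bump. The `--default_search_registry=` value is placed after `+{target}` so it reaches the Earthfile as a build ARG, whereas `--buildkit-image` is a CLI flag before it; the two identical "pull-through cache" comments make them read as the same kind of option, so the second could instead say `# Build ARG consumed by the Earthfile's global default_search_registry.`.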
@@ -209,15 +251,7 @@ def earthly_task( return EvgTask( name=name, commands=[ - # Ensure subsequent Docker commands are authenticated. - subprocess_exec( - binary="bash", - command_type=EvgCommandType.SETUP, - args=[ - "-c", - r'docker login -u "${artifactory_username}" --password-stdin artifactory.corp.mongodb.com <<<"${artifactory_password}"', - ], - ), + DockerLoginAmazonECR.call(), # First, just build the "env-warmup" which will prepare the build environment. # This won't generate any output, but allows EVG to track it as a separate build step # for timing and logging purposes. The subequent build step will cache-hit the @@ -249,6 +283,10 @@ def earthly_task( ] +def functions(): + return DockerLoginAmazonECR.defn() + + def tasks() -> Iterable[EvgTask]: for conf in all_possible(Configuration): # test-example is a target in all configurations diff --git a/.evergreen/config_generator/components/sbom.py b/.evergreen/config_generator/components/sbom.py index dca242148d..67fcff9a9a 100644 --- a/.evergreen/config_generator/components/sbom.py +++ b/.evergreen/config_generator/components/sbom.py @@ -3,11 +3,17 @@ from config_generator.etc.utils import bash_exec from shrub.v3.evg_build_variant import BuildVariant -from shrub.v3.evg_command import BuiltInCommand, EvgCommandType, expansions_update, s3_put +from shrub.v3.evg_command import ( + BuiltInCommand, + EvgCommandType, + KeyValueParam, + ec2_assume_role, + expansions_update, + s3_put, +) from shrub.v3.evg_task import EvgTask, EvgTaskRef from pydantic import ConfigDict -from typing import Optional TAG = 'sbom' 
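Review bot: The explanatory `# Ensure subsequent Docker commands are authenticated.` comment disappears together with the replaced step, so the first entry of `earthly_task`'s command list is now a bare `DockerLoginAmazonECR.call(),` with no indication of why it must precede the two earthly steps. Keep a one-line comment on the new line, e.g. `# Authenticate with Amazon ECR first so the earthly steps below can pull through the DockerHub cache.`. The enclosing `earthly_task` starts and ends outside this hunk.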
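Review bot: The new `functions()` has neither a docstring nor a return annotation, while `tasks() -> Iterable[EvgTask]` directly below it is annotated. A one-line docstring such as `"""Return the Evergreen function definitions contributed by this component."""` keeps the two module entry points consistent; the return type of `Function.defn()` is not visible here, so I would not guess an annotation.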
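Review bot: Nothing in this diff raises the pinned `shrub` version, yet the new import list in sbom.py requires a release of `shrub.v3.evg_command` that exports `ec2_assume_role` and `KeyValueParam`, which the local shim removed in the following hunk previously made unnecessary. Wherever that dependency is pinned (not part of this diff) the pin should be checked so the generator does not fail at import time. The removed local helper also accepted `policy` and `duration_seconds`; no caller on this page passes them, so the switch is otherwise drop-in.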
@@ -18,56 +24,58 @@ class CustomCommand(BuiltInCommand): model_config = ConfigDict(arbitrary_types_allowed=True) -def ec2_assume_role( - role_arn: Optional[str] = None, - policy: Optional[str] = None, - duration_seconds: Optional[int] = None, - command_type: Optional[EvgCommandType] = None, -) -> CustomCommand: - return CustomCommand( - command="ec2.assume_role", - params={ - "role_arn": role_arn, - "policy": policy, - "duration_seconds": duration_seconds, - }, - type=command_type, - ) - - class SBOM(Function): name = 'sbom' commands = [ - ec2_assume_role( - command_type=EvgCommandType.SETUP, - role_arn='${kondukto_role_arn}', - ), - bash_exec( - command_type=EvgCommandType.SETUP, - include_expansions_in_env=[ - 'AWS_ACCESS_KEY_ID', - 'AWS_SECRET_ACCESS_KEY', - 'AWS_SESSION_TOKEN', - ], - script='''\ + # Authenticate with Kondukto. + *[ + ec2_assume_role( + command_type=EvgCommandType.SETUP, + role_arn='${kondukto_role_arn}', + ), + bash_exec( + command_type=EvgCommandType.SETUP, + include_expansions_in_env=[ + 'AWS_ACCESS_KEY_ID', + 'AWS_SECRET_ACCESS_KEY', + 'AWS_SESSION_TOKEN', + ], + script='''\ set -o errexit set -o pipefail kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" printf "KONDUKTO_TOKEN: %s\\n" "$kondukto_token" >|expansions.kondukto.yml ''', - ), - expansions_update( - command_type=EvgCommandType.SETUP, - file='expansions.kondukto.yml', - ), + ), + expansions_update( + command_type=EvgCommandType.SETUP, + file='expansions.kondukto.yml', + ), + ], + # Authenticate with Amazon ECR. + *[ + # Avoid inadvertently using a pre-existing and potentially conflicting Podman config. + # Note: podman understands and uses DOCKER_CONFIG despite the name. 
+ expansions_update(updates=[KeyValueParam(key='DOCKER_CONFIG', value='${workdir}/.docker')]), + ec2_assume_role(role_arn="arn:aws:iam::901841024863:role/ecr-role-evergreen-ro"), + bash_exec( + command_type=EvgCommandType.SETUP, + include_expansions_in_env=[ + "AWS_ACCESS_KEY_ID", + "AWS_SECRET_ACCESS_KEY", + "AWS_SESSION_TOKEN", + "DOCKER_CONFIG", + ], + script='aws ecr get-login-password --region us-east-1 | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com', + ), + ], bash_exec( command_type=EvgCommandType.TEST, working_dir='mongoc', include_expansions_in_env=[ - 'artifactory_password', - 'artifactory_username', 'branch_name', - 'KONDUKTO_TOKEN', + 'DOCKER_CONFIG', + "KONDUKTO_TOKEN", ], script='.evergreen/scripts/sbom.sh', ), diff --git a/.evergreen/generated_configs/functions.yml b/.evergreen/generated_configs/functions.yml index b6ff4f67d3..ec2f3b7683 100644 --- a/.evergreen/generated_configs/functions.yml +++ b/.evergreen/generated_configs/functions.yml @@ -175,6 +175,26 @@ functions: args: - -c - EXTRA_CONFIGURE_FLAGS="-DENABLE_PIC=ON ${EXTRA_CONFIGURE_FLAGS}" .evergreen/scripts/compile.sh + docker-login-amazon-ecr: + - command: expansions.update + params: + updates: + - { key: DOCKER_CONFIG, value: "${workdir}/.docker" } + - command: ec2.assume_role + params: + role_arn: arn:aws:iam::901841024863:role/ecr-role-evergreen-ro + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + - DOCKER_CONFIG + args: + - -c + - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com fetch-build: - command: subprocess.exec type: setup 
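Review bot: The two `*[ ... ]` list splats in `SBOM.commands` exist only to attach the `# Authenticate with Kondukto.` and `# Authenticate with Amazon ECR.` comments to groups of commands; a plain comment line before each group gives the same grouping without the extra nesting and the re-indentation of the whole Kondukto block. The ECR `ec2_assume_role(...)` here also lacks the `command_type=EvgCommandType.SETUP` that the Kondukto `ec2_assume_role` a few lines above passes, so the two assume-role steps in one function are classified differently. The ECR block is otherwise a copy of `DockerLoginAmazonECR.commands` in earthly.py with `podman` in place of `docker`, so a shared helper taking the client binary name would keep the host, role ARN and env-var list in one place. Finally, `'DOCKER_CONFIG'` and `"KONDUKTO_TOKEN"` in the `include_expansions_in_env` list mix quote styles within a single literal.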
@@ -506,15 +526,33 @@ functions: type: setup params: file: expansions.kondukto.yml + - command: expansions.update + params: + updates: + - { key: DOCKER_CONFIG, value: "${workdir}/.docker" } + - command: ec2.assume_role + params: + role_arn: arn:aws:iam::901841024863:role/ecr-role-evergreen-ro + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + - DOCKER_CONFIG + args: + - -c + - aws ecr get-login-password --region us-east-1 | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com - command: subprocess.exec type: test params: binary: bash working_dir: mongoc include_expansions_in_env: - - artifactory_password - - artifactory_username - branch_name + - DOCKER_CONFIG - KONDUKTO_TOKEN args: - -c diff --git a/.evergreen/generated_configs/tasks.yml b/.evergreen/generated_configs/tasks.yml index b5abdbc7d7..8188744a0b 100644 --- a/.evergreen/generated_configs/tasks.yml +++ b/.evergreen/generated_configs/tasks.yml 
@@ -1133,20 +1133,18 @@ tasks: - ubuntu2404-large tags: [earthly, pr-merge-gate, alpine3.16-clang, alpine3.16-gcc, alpine3.17-clang, alpine3.17-gcc, alpine3.18-clang, alpine3.18-gcc, alpine3.19-clang, alpine3.19-gcc, archlinux-clang, archlinux-gcc, centos7-clang, centos7-gcc, u16-clang, u16-gcc, u18-clang, u18-gcc, u20-clang, u20-gcc, u22-clang, u22-gcc] commands: - - command: subprocess.exec - type: setup - params: - binary: bash - args: - - -c - - docker login -u "${artifactory_username}" --password-stdin artifactory.corp.mongodb.com <<<"${artifactory_password}" + - func: docker-login-amazon-ecr - command: subprocess.exec type: setup params: binary: ./tools/earthly.sh working_dir: mongoc + include_expansions_in_env: + - DOCKER_CONFIG args: + - --buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3 - +env-warmup + - --default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub - --sasl=Cyrus - --tls=OpenSSL - --test_mongocxx_ref=none @@ -1157,8 +1155,12 @@ tasks: params: binary: ./tools/earthly.sh working_dir: mongoc + include_expansions_in_env: + - DOCKER_CONFIG args: + - --buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3 - +run + - --default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub - --targets=test-example - --sasl=Cyrus - --tls=OpenSSL 
@@ -1174,20 +1176,18 @@ tasks: - ubuntu2404-large tags: [earthly, pr-merge-gate, alpine3.16-clang, alpine3.16-gcc, alpine3.17-clang, alpine3.17-gcc, alpine3.18-clang, alpine3.18-gcc, alpine3.19-clang, alpine3.19-gcc, archlinux-clang, archlinux-gcc, centos7-clang, centos7-gcc, u16-clang, u16-gcc, u18-clang, u18-gcc, u20-clang, u20-gcc, u22-clang, u22-gcc] commands: - - command: subprocess.exec - type: setup - params: - binary: bash - args: - - -c - - docker login -u "${artifactory_username}" --password-stdin artifactory.corp.mongodb.com <<<"${artifactory_password}" + - func: docker-login-amazon-ecr - command: subprocess.exec type: setup params: binary: ./tools/earthly.sh working_dir: mongoc + include_expansions_in_env: + - DOCKER_CONFIG args: + - --buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3 - +env-warmup + - --default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub - --sasl=Cyrus - --tls=off - --test_mongocxx_ref=none @@ -1198,8 +1198,12 @@ tasks: params: binary: ./tools/earthly.sh working_dir: mongoc + include_expansions_in_env: + - DOCKER_CONFIG args: + - --buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3 - +run + - --default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub - --targets=test-example - --sasl=Cyrus - --tls=off 
@@ -1215,20 +1219,18 @@ tasks: - ubuntu2404-large tags: [earthly, pr-merge-gate, alpine3.16-clang, alpine3.16-gcc, alpine3.17-clang, alpine3.17-gcc, alpine3.18-clang, alpine3.18-gcc, alpine3.19-clang, alpine3.19-gcc, archlinux-clang, archlinux-gcc, centos7-clang, centos7-gcc, u16-clang, u16-gcc, u18-clang, u18-gcc, u20-clang, u20-gcc, u22-clang, u22-gcc] commands: - - command: subprocess.exec - type: setup - params: - binary: bash - args: - - -c - - docker login -u "${artifactory_username}" --password-stdin artifactory.corp.mongodb.com <<<"${artifactory_password}" + - func: docker-login-amazon-ecr - command: subprocess.exec type: setup params: binary: ./tools/earthly.sh working_dir: mongoc + include_expansions_in_env: + - DOCKER_CONFIG args: + - --buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3 - +env-warmup + - --default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub - --sasl=off - --tls=OpenSSL - --test_mongocxx_ref=none @@ -1239,8 +1241,12 @@ tasks: params: binary: ./tools/earthly.sh working_dir: mongoc + include_expansions_in_env: + - DOCKER_CONFIG args: + - --buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3 - +run + - --default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub - --targets=test-example - --sasl=off - --tls=OpenSSL 
@@ -1256,20 +1262,18 @@ tasks: - ubuntu2404-large tags: [earthly, pr-merge-gate, alpine3.16-clang, alpine3.16-gcc, alpine3.17-clang, alpine3.17-gcc, alpine3.18-clang, alpine3.18-gcc, alpine3.19-clang, alpine3.19-gcc, archlinux-clang, archlinux-gcc, centos7-clang, centos7-gcc, u16-clang, u16-gcc, u18-clang, u18-gcc, u20-clang, u20-gcc, u22-clang, u22-gcc] commands: - - command: subprocess.exec - type: setup - params: - binary: bash - args: - - -c - - docker login -u "${artifactory_username}" --password-stdin artifactory.corp.mongodb.com <<<"${artifactory_password}" + - func: docker-login-amazon-ecr - command: subprocess.exec type: setup params: binary: ./tools/earthly.sh working_dir: mongoc + include_expansions_in_env: + - DOCKER_CONFIG args: + - --buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3 - +env-warmup + - --default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub - --sasl=off - --tls=off - --test_mongocxx_ref=none @@ -1280,8 +1284,12 @@ tasks: params: binary: ./tools/earthly.sh working_dir: mongoc + include_expansions_in_env: + - DOCKER_CONFIG args: + - --buildkit-image=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub/earthly/buildkitd:v0.8.3 - +run + - --default_search_registry=901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub - --targets=test-example - --sasl=off - --tls=off diff --git a/.evergreen/scripts/sbom.sh b/.evergreen/scripts/sbom.sh index b683b73787..4a2a01dff3 100755 --- a/.evergreen/scripts/sbom.sh +++ b/.evergreen/scripts/sbom.sh @@ -3,9 +3,8 @@ set -o errexit set -o pipefail -: "${artifactory_username:?}" -: "${artifactory_password:?}" : "${branch_name:?}" +: "${DOCKER_CONFIG:?}" : "${KONDUKTO_TOKEN:?}" command -v podman >/dev/null || { 
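Review bot: `: "${DOCKER_CONFIG:?}"` is added as a required variable, but the script never references `DOCKER_CONFIG` itself; it is consumed implicitly by `podman pull` (and presumably the `podman login` that now lives in sbom.py), which is not obvious from the check alone. A short comment on that line, e.g. `# Read by podman for registry credentials; set by the ECR login step in sbom.py.`, would explain why an unused-looking variable is mandatory.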
@@ -13,9 +12,7 @@ command -v podman >/dev/null || { exit 1 } -podman login --password-stdin --username "${artifactory_username:?}" artifactory.corp.mongodb.com <<<"${artifactory_password:?}" - -silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0" +silkbomb="901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0" # Ensure latest version of SilkBomb is being used. podman pull "${silkbomb:?}" diff --git a/Earthfile b/Earthfile index 6d668088f7..032b07942f 100644 --- a/Earthfile +++ b/Earthfile @@ -1,6 +1,9 @@ -VERSION --arg-scope-and-set --pass-args 0.7 +VERSION --arg-scope-and-set --pass-args --use-function-keyword 0.7 LOCALLY +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG --global default_search_registry=docker.io + IMPORT ./tools/ AS tools # For target names, descriptions, and build parameters, run the "doc" Earthly subcommand. @@ -114,7 +117,7 @@ test-cxx-driver: # PREP_CMAKE "warms up" the CMake installation cache for the current environment PREP_CMAKE: - COMMAND + FUNCTION LET scratch=/opt/mongoc-cmake # Copy the minimal amount that we need, as to avoid cache invalidation COPY tools/use.sh tools/platform.sh tools/paths.sh tools/base.sh tools/download.sh \ @@ -148,7 +151,7 @@ multibuild: # release-archive : # Create a release archive of the source tree. (Refer to dev docs) release-archive: - FROM alpine:3.20 + FROM $default_search_registry/library/alpine:3.20 RUN apk add git bash ARG --required prefix ARG --required ref @@ -193,7 +196,7 @@ release-archive: # Obtain the signing public key. Exported as an artifact /c-driver.pub signing-pubkey: - FROM alpine:3.20 + FROM $default_search_registry/library/alpine:3.20 RUN apk add curl RUN curl --location --silent --fail "https://pgp.mongodb.com/c-driver.pub" -o /c-driver.pub SAVE ARTIFACT /c-driver.pub 
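Review bot: `ARG --global default_search_registry=docker.io` is described only as "the default container image registry", but the `FROM` lines that consume it append `/library/<image>` and the CI caller in earthly.py passes `901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub`, so the expected value is a registry host plus the DockerHub mirror path with no trailing slash. Extending the comment, e.g. `# Registry prefix for DockerHub short names; a pull-through mirror must expose the same <prefix>/library/<image> layout. No trailing slash.`, would prevent a bare host or a value ending in `/` from producing a broken image reference. The COMMAND to FUNCTION renames in this file follow from `--use-function-keyword` and need nothing.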
@@ -203,7 +206,7 @@ signing-pubkey: # to be used to access them. (Refer to dev docs) sign-file: # Pull from Garasign: - FROM artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg + FROM 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/garasign-gpg # Copy the file to be signed ARG --required file COPY $file /s/file @@ -223,7 +226,7 @@ sign-file: # Generate a signed release artifact. Refer to the "Earthly" page of our dev docs for more information. # (Refer to dev docs) signed-release: - FROM alpine:3.20 + FROM $default_search_registry/library/alpine:3.20 RUN apk add git # The version of the release. This affects the filepaths of the output and is the default for --ref ARG --required version @@ -253,7 +256,7 @@ signed-release: # This target is simply an environment in which the SilkBomb executable is available. silkbomb: - FROM artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 + FROM 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 # Alias the silkbomb executable to a simpler name: RUN ln -s /python/src/sbom/silkbomb/bin /usr/local/bin/silkbomb @@ -312,7 +315,7 @@ sbom-validate: --exclude jira snyk: - FROM --platform=linux/amd64 ubuntu:24.04 + FROM --platform=linux/amd64 $default_search_registry/library/ubuntu:24.04 RUN apt-get update && apt-get -y install curl RUN curl --location https://github.com/snyk/cli/releases/download/v1.1291.1/snyk-linux -o /usr/local/bin/snyk RUN chmod a+x /usr/local/bin/snyk @@ -384,7 +387,7 @@ test-vcpkg-manifest-mode: make test-manifest-mode vcpkg-base: - FROM alpine:3.18 + FROM $default_search_registry/library/alpine:3.18 RUN apk add cmake curl gcc g++ musl-dev ninja-is-really-ninja zip unzip tar \ build-base git pkgconf perl bash linux-headers ENV VCPKG_ROOT=/opt/vcpkg-git 
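Review bot: The new `FROM 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/garasign-gpg` in `sign-file` carries no tag or digest, so it resolves to `latest` on every build, as the Artifactory reference it replaces did; for the image that produces release signatures this is worth tightening now that the source has moved anyway. Pinning a tag, as the `silkbomb` target does with `:2.0`, or better a `@sha256:` digest, makes the signing environment reproducible and turns any image change into an explicit diff. The other `FROM` updates in this span only swap the registry prefix.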
@@ -443,7 +446,7 @@ env.alpine3.19: DO --pass-args +ALPINE_ENV --version=3.19 env.archlinux: - FROM --pass-args tools+init-env --from archlinux + FROM --pass-args tools+init-env --from $default_search_registry/library/archlinux RUN pacman-key --init ARG --required purpose @@ -462,9 +465,9 @@ env.centos7: DO --pass-args +CENTOS_ENV --version=7 ALPINE_ENV: - COMMAND + FUNCTION ARG --required version - FROM --pass-args tools+init-env --from alpine:$version + FROM --pass-args tools+init-env --from $default_search_registry/library/alpine:$version # XXX: On Alpine, we just use the system's CMake. At time of writing, it is # very up-to-date and much faster than building our own from source (since # Kitware does not (yet) provide libmuslc builds of CMake) @@ -484,9 +487,9 @@ ALPINE_ENV: DO --pass-args tools+ADD_C_COMPILER --clang_pkg="gcc clang compiler-rt" UBUNTU_ENV: - COMMAND + FUNCTION ARG --required version - FROM --pass-args tools+init-env --from ubuntu:$version + FROM --pass-args tools+init-env --from $default_search_registry/library/ubuntu:$version RUN __install curl build-essential ARG --required purpose @@ -502,13 +505,13 @@ UBUNTU_ENV: DO +PREP_CMAKE CENTOS_ENV: - COMMAND + FUNCTION ARG --required version - FROM --pass-args tools+init-env --from centos:$version + FROM --pass-args tools+init-env --from $default_search_registry/library/centos:$version # Update repositories to use vault.centos.org RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && \ sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-* - RUN yum -y install epel-release && yum -y update + RUN yum -y --enablerepo=extras install epel-release && yum -y update RUN yum -y install curl gcc gcc-c++ make ARG --required purpose diff --git a/docs/dev/earthly.rst b/docs/dev/earthly.rst index d216fc81c4..9a9a45b863 100644 --- a/docs/dev/earthly.rst +++ b/docs/dev/earthly.rst 
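Review bot: `RUN yum -y --enablerepo=extras install epel-release` in `CENTOS_ENV` has no comment explaining why `extras` must be enabled explicitly, and it is the one line in this diff unrelated to the registry move. Presumably the repo ends up disabled after the vault.centos.org rewrite on the lines above; a comment such as `# epel-release lives in the extras repo, which is not enabled by default after the vault rewrite above.` would record that so the flag is not dropped as redundant later.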
@@ -149,8 +149,8 @@ enumerated using ``earthly ls`` or ``earthly doc`` in the root of the repository .. earthly-target:: +sign-file Signs a file using Garasign. Use of this target requires authenticating - against the MongoDB Artifactory installation! (Refer to: - `earthly.artifactory-auth`) + against the DevProd-provided Amazon ECR instance! (Refer to: + `earthly.amazon-ecr`) .. earthly-artifact:: +sign-file/signature.asc 
@@ -175,23 +175,36 @@ enumerated using ``earthly ls`` or ``earthly doc`` in the root of the repository .. seealso:: `earthly.secrets` - .. _earthly.artifactory-auth: + .. _earthly.amazon-ecr: - Authenticating with Artifactory - =============================== + Authenticating with Amazon ECR + ============================== In order to run `+sign-file` or any target that depends upon it, the container engine client\ [#oci]_ will need to be authenticated with the - MongoDB Artifactory instance. + DevProd-provided Amazon ECR instance using AWS CLI v2:: - Authenticating can be done using the container engine's command-line - interface. For example, with Podman:: + # Forward the short-term AWS credentials to the container engine client. + $ aws ecr get-login-password --profile | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com - $ podman login "artifactory.corp.mongodb.com" + Configure the AWS profile using ``aws configure sso`` or modifying the + ``$HOME/.aws/config`` file such that: - Which will prompt you for a username and password if you are not already - authenticated with the host.\ [#creds]_ If you are already authenticated, this - command will have no effect. + - The SSO start URL is ``https://d-9067613a84.awsapps.com/start#/``. + - The SSO and client region are ``us-east-1``. + - The SSO registration scope is ``sso:account:access`` (default). + - The SSO account ID is ``901841024863`` (aka ``devprod-platforms-ecr``). + - The SSO role name is ``ECRScopedAccess`` (default). + + To refresh short-term credentials when they have expired, run + ``aws sso login --profile `` followed by the same + ``aws ecr get-login-password ... | podman login ...`` command described + above. + + .. seealso:: `"DevProd Platforms Container Registry" + `_ and + `"Configuring IAM Identity Center authentication with the AWS CLI" + `_. .. earthly-target:: +sbom-generate 
diff --git a/docs/dev/releasing.rst b/docs/dev/releasing.rst index be177eef93..d41460c9b4 100644 --- a/docs/dev/releasing.rst +++ b/docs/dev/releasing.rst @@ -396,7 +396,7 @@ Specifically, it is generated using the :any:`+signed-release` target. Before running :any:`+signed-release`, one will need to set up some environment that is required for it to succeed: -1. :ref:`Authenticate with Artifactory ` +1. :ref:`Authenticate with the DevProd-provided Amazon ECR instance ` 2. Set the Earthly secrets required for the :any:`+sign-file` target. 3. Download an augmented SBOM from a recent execution of the ``sbom`` task in an Evergreen patch or commit build and save it to ``etc/augmented-sbom.json``.