Merge pull request #12 from ruby-no-kai/skopeo-copy

skopeo-copy

Author: sorah

.github/workflows/docker-dnsdist.yml

@@ -0,0 +1,21 @@
+(import './docker-build-simple.libsonnet')('skopeo-copy') {
+  jobs+: {
+    merge+: {
+      steps+: [
+        {
+          name: 'Push arm64 tag for Lambda',  // doesnt support manifest
+          run: |||
+            dgst="$(docker buildx imagetools inspect --raw "${REPO}:${SHA}" | jq -r '.manifests[] | select(.platform.architecture == "arm64" and .platform.os == "linux") | .digest')"
+            docker pull "${REPO}@${dgst}"
+            docker tag  "${REPO}@${dgst}" "${REPO}:${SHA}-arm64"
+            docker push "${REPO}:${SHA}-arm64"
+          |||,
+          env: {
+            REPO: std.format('${{ steps.login-ecr.outputs.registry }}/%s', 'skopeo-copy'),
+            SHA: '${{ github.sha }}',
+          },
+        },
+      ],
+    },
+  },
+}

.github/workflows/docker-skopeo-copy.jsonnet

@@ -0,0 +1,27 @@
+FROM public.ecr.aws/sorah/ruby:4.0-dev AS builder
+
+RUN  --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt/lists,sharing=locked apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y libssl-dev
+
+WORKDIR /var/task
+COPY Gemfile* /var/task/
+
+RUN bundle config set path '/var/task/vendor/bundle' \
+ && bundle config set deployment 'true' \
+ && bundle install --jobs 30
+RUN bundle config set bin /usr/local/bin \
+ && bundle binstubs aws_lambda_ric --force
+
+FROM public.ecr.aws/sorah/ruby:4.0
+
+RUN  --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt/lists,sharing=locked apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y skopeo
+
+WORKDIR /var/task
+COPY --from=builder /var/task/vendor /var/task/vendor
+COPY --from=builder /var/task/.bundle /var/task/.bundle
+COPY --from=builder /usr/local/bin/aws_lambda_ric /usr/local/bin/
+COPY . /var/task/
+
+ENTRYPOINT ["/usr/local/bin/aws_lambda_ric"]
+CMD ["app.handler"]

.github/workflows/docker-skopeo-copy.yml

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+gem 'aws_lambda_ric'
+gem 'aws-sdk-ecr'
+gem 'aws-sdk-ecrpublic'
+gem 'openssl'

skopeo-copy/Dockerfile

@@ -0,0 +1,53 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1213.0)
+    aws-sdk-core (3.242.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
+      jmespath (~> 1, >= 1.6.1)
+      logger
+    aws-sdk-ecr (1.119.0)
+      aws-sdk-core (~> 3, >= 3.241.4)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-ecrpublic (1.62.0)
+      aws-sdk-core (~> 3, >= 3.241.4)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.12.1)
+      aws-eventstream (~> 1, >= 1.0.2)
+    aws_lambda_ric (3.1.3)
+    base64 (0.3.0)
+    bigdecimal (4.0.1)
+    jmespath (1.6.2)
+    logger (1.7.0)
+    openssl (4.0.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  aws-sdk-ecr
+  aws-sdk-ecrpublic
+  aws_lambda_ric
+  openssl
+
+CHECKSUMS
+  aws-eventstream (1.4.0) sha256=116bf85c436200d1060811e6f5d2d40c88f65448f2125bc77ffce5121e6e183b
+  aws-partitions (1.1213.0) sha256=5ec132d91d44ef2702125b8f71f0e4fc2cd7de040e02c5d0aefb87219fd2e05e
+  aws-sdk-core (3.242.0) sha256=c17b3003acc78d80c1a8437b285a1cfc5e4d7749ce7821cf3071e847535a29a0
+  aws-sdk-ecr (1.119.0) sha256=4e2d47c6f0f02d8e15c8abe7e2d5c99aa03502820db6409ed1a0a6063ca20e86
+  aws-sdk-ecrpublic (1.62.0) sha256=c8c0101a3e99105b750ed775fe13ac8256b58f2752a0a4b8f8992a5e7aef2c36
+  aws-sigv4 (1.12.1) sha256=6973ff95cb0fd0dc58ba26e90e9510a2219525d07620c8babeb70ef831826c00
+  aws_lambda_ric (3.1.3) sha256=7d7551c91d2070bb1427cd05d7b0b94076d42084f743b117522659a76935dfbc
+  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
+  bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
+  jmespath (1.6.2) sha256=238d774a58723d6c090494c8879b5e9918c19485f7e840f2c1c7532cf84ebcb1
+  logger (1.7.0) sha256=196edec7cc44b66cfb40f9755ce11b392f21f7967696af15d274dde7edff0203
+  openssl (4.0.0) sha256=185711ed93d4e9c9a9db6efea7edb202dfe04f7d3692fbab988e3d84e498ee91
+
+BUNDLED WITH
+  4.0.3

skopeo-copy/Gemfile

@@ -0,0 +1,86 @@
+$stdout.sync = true
+
+require 'json'
+require 'base64'
+require 'logger'
+require 'open3'
+require 'aws-sdk-ecr'
+require 'aws-sdk-ecrpublic'
+
+module SkopeoCopy
+  ECR_PRIVATE_PATTERN = /\A(\d+)\.dkr\.ecr\.([^.]+)\.amazonaws\.com\z/
+  ECR_PUBLIC_HOST = 'public.ecr.aws'
+  AUTHFILE = '/tmp/containers-auth.json'
+
+  Registry = Data.define(:host, :kind, :account_id, :region)
+
+  def self.detect_registry(image_ref)
+    host = image_ref.sub(%r{\A[a-z0-9+-]+://}, '').split('/').first
+    case host
+    when ECR_PRIVATE_PATTERN
+      Registry.new(host:, kind: :ecr_private, account_id: $1, region: $2)
+    when ECR_PUBLIC_HOST
+      Registry.new(host:, kind: :ecr_public, account_id: nil, region: nil)
+    end
+  end
+
+  def self.ecr_login_password(account_id:, region:)
+    client = Aws::ECR::Client.new(region:, logger:)
+    resp = client.get_authorization_token(registry_ids: [account_id])
+    token = Base64.decode64(resp.authorization_data[0].authorization_token)
+    _user, password = token.split(':', 2)
+    password
+  end
+
+  # ECR Public endpoint is only available in us-east-1
+  def self.ecr_public_login_password
+    client = Aws::ECRPublic::Client.new(region: 'us-east-1', logger:)
+    resp = client.get_authorization_token
+    token = Base64.decode64(resp.authorization_data.authorization_token)
+    _user, password = token.split(':', 2)
+    password
+  end
+
+  def self.skopeo_login(registry:, password:)
+    out, status = Open3.capture2e('skopeo', 'login', '--authfile', AUTHFILE, '--username', 'AWS', '--password-stdin', registry, stdin_data: password)
+    logger.info("skopeo login #{registry}: #{out}")
+    raise "skopeo login #{registry} failed (status=#{status.exitstatus}): #{out}" unless status.success?
+  end
+
+  def self.skopeo_copy(src:, dst:)
+    logger.info("skopeo copy #{src} #{dst}")
+    out, status = Open3.capture2e('skopeo', 'copy', '--authfile', AUTHFILE, src, dst)
+    logger.info("skopeo copy: #{out}")
+    raise "skopeo copy failed (status=#{status.exitstatus}): #{out}" unless status.success?
+  end
+
+  def self.logger
+    @logger ||= Logger.new($stdout)
+  end
+
+  def self.perform(event)
+    params = event.fetch('skopeo_copy')
+    src = params.fetch('src')
+    dst = params.fetch('dst')
+
+    registries = [detect_registry(src), detect_registry(dst)].compact.uniq
+    registries.each do |reg|
+      case reg.kind
+      when :ecr_private
+        password = ecr_login_password(account_id: reg.account_id, region: reg.region)
+        skopeo_login(registry: reg.host, password:)
+      when :ecr_public
+        password = ecr_public_login_password
+        skopeo_login(registry: reg.host, password:)
+      end
+    end
+
+    skopeo_copy(src:, dst:)
+
+    {status: 'ok', src:, dst:}
+  end
+end
+
+def handler(event:, context:)
+  SkopeoCopy.perform(event)
+end