realgenekim/jib-build.clj Secret

## jib-build.clj
(ns jib
  (:import
    (com.google.cloud.tools.jib.api Jib
                                    DockerDaemonImage
                                    Containerizer
                                    TarImage
                                    RegistryImage
                                    ImageReference CredentialRetriever Credential)
    (com.google.cloud.tools.jib.api.buildplan AbsoluteUnixPath)
    (com.google.cloud.tools.jib.frontend
      CredentialRetrieverFactory)
    (java.nio.file Paths)
    (java.io File)
    (java.util List ArrayList Optional)))

(defn- get-path [filename]
  (Paths/get (.toURI (File. ^String filename))))

(defn- into-list
  [& args]
  (ArrayList. ^List args))

(defn- to-imgref [image-config]
  (ImageReference/parse image-config))

(comment

  (Jib/from "gcr.io/distroless/java")

  (def standalone-jar "/Users/genekim/src.local/book-pubsub-components-rf/pubsub-web/pubsub-web-standalone.jar")

  (def app-layer [(into-list (get-path standalone-jar))
                  (AbsoluteUnixPath/get "/")])

  (def entrypoint ["/app/target/pubsub-web-standalone.jar"])

  (def registry (RegistryImage/from "us.gcr.io/booktracker-1208/pubsub-web:latest"))

  (-> (RegistryImage/named (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")))

  (def arguments standalone-jar)

  ; 1. unauthorized!

  (-> (Jib/from "gcr.io/distroless/java")
    (.addLayer (first app-layer) (second app-layer))
    (.setEntrypoint (apply into-list entrypoint))
    (.setProgramArguments (into-list arguments))
    (.containerize (Containerizer/to
                     (RegistryImage/named
                       (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")))))

  ; Execution error (HttpResponseException) at com.google.api.client.http.HttpRequest/execute (HttpRequest.java:1113).
  ;401 Unauthorized
  ;GET https://us.gcr.io/v2/token?service=us.gcr.io&scope=repository:booktracker-1208/pubsub-web:pull,push
  ;{"errors":[{"code":"UNAUTHORIZED","message":"You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"}]}

  (-> (Jib/from "gcr.io/distroless/java")
    (.addLayer (first app-layer) (second app-layer))
    (.setEntrypoint (apply into-list entrypoint))
    (.setProgramArguments (into-list arguments))
    (.containerize (Containerizer/to
                     (RegistryImage/named
                       (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest"))))
    (.addCredentialRetriever
      (-> (CredentialRetrieverFactory/forImage
            (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
            nil)
        (.googleApplicationDefaultCredentials))))

  ; same error

  (-> (Jib/from "gcr.io/distroless/java")
    (.addLayer (first app-layer) (second app-layer))
    (.setEntrypoint (apply into-list entrypoint))
    (.setProgramArguments (into-list arguments))
    (.containerize (Containerizer/to
                     (RegistryImage/named
                       (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest"))))
    (.addCredentialRetriever
      (-> (CredentialRetrieverFactory/forImage
            (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
            nil)
        ;(.dockerCredentialHelper "/Users/genekim/software/google-cloud-sdk/bin/docker-credential-gcloud")
          (.dockerConfig))))

  (def creds (-> (CredentialRetrieverFactory/forImage
                   (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
                   nil)
               (.wellKnownCredentialHelpers)))

  (def creds (-> (CredentialRetrieverFactory/forImage
                   (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
                   nil)
               (.dockerConfig)))

  (def creds (-> (CredentialRetrieverFactory/forImage
                   (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
                   nil)
               (.dockerConfig (get-path "/Users/genekim/.docker/config.json"))))

  (def creds (-> (CredentialRetrieverFactory/forImage
                   (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
                   nil)
               (.googleApplicationDefaultCredentials)))

  (def creds (-> (CredentialRetrieverFactory/forImage
                   (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
                   nil)
               (.dockerCredentialHelper "/Users/genekim/software/google-cloud-sdk/bin/docker-credential-gcloud")))

  (def creds (-> (CredentialRetrieverFactory/forImage
                   (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
                   nil)
               (.known "")))

  (.isPresent creds)
  (bean creds)
  (.retrieve creds)
  (clojure.pprint/pprint (clojure.reflect/reflect creds))

  ; from Jib CLI
  ;
  ; genekim@Genes-2020-M1-MacBook-Pro datomic-cloudrun % time make jibcli
  ;bin/jib-0.5.0/bin/jib jar --target=us.gcr.io/booktracker-1208/datomic-test-jib \
  ;		target/datomic-test-standalone.jar
  ;[WARN] Base image 'adoptopenjdk:8-jre' does not use a specific image digest - build may not be reproducible
  ;Using credentials from Docker config (/Users/genekim/.docker/config.json) for us.gcr.io/booktracker-1208/datomic-test-jib
  ;The base image requires auth. Trying again for adoptopenjdk:8-jre...
  ;Using base image with digest: sha256:bf736024c65942ab045c497e408706f9e599651bf8c01a75ecb3d6971d66700d

  ;==== original

  (-> (Jib/from (configure-image base-image project))
    (.addLayer (first app-layer) (second app-layer))
    (.setEntrypoint (apply into-list entrypoint))
    (.setProgramArguments (into-list arguments))
    (.containerize (Containerizer/to (configure-image (:target-image config) project))))


  ,)

;
; copied from: https://github.com/vehvis/lein-jib-build/blob/master/src/leiningen/jib_build.clj
;

(comment
  (ns leiningen.jib-build
    (:import [com.google.cloud.tools.jib.api Jib
                                             DockerDaemonImage
                                             Containerizer
                                             TarImage
                                             RegistryImage
                                             AbsoluteUnixPath
                                             ImageReference CredentialRetriever Credential]
             [java.io File]
             [java.util List ArrayList Optional]
             [java.nio.file Paths])
    (:require [leiningen.core.main :as lein]
              [leiningen.core.classpath :as lein-cp]
              [leiningen.uberjar :as uberjar]
              [leiningen.jar :as jar]
              [clojure.pprint :as pprint]
              [leiningen.core.project :as project]))

  (def default-base-image {:type :registry
                           :image-name "gcr.io/distroless/java"})
  (def default-entrypoint ["java" "-jar"])


  (defn- into-list
    [& args]
    (ArrayList. ^List args))

  (defn- get-path [filename]
    (Paths/get (.toURI (File. ^String filename))))

  (defn- to-imgref [image-config]
    (ImageReference/parse (:image-name image-config)))

  (defn add-registry-credentials [rimg registry-config]
    (cond
      (:username registry-config)
      (do (lein/debug "Using username/password authentication, user:" (:username registry-config))
          (.addCredential rimg (:username registry-config) (:password registry-config)))

      (:authorizer registry-config)
      (let [auth (:authorizer registry-config)]
        (lein/debug "Using custom registry authentication:" (:authorizer registry-config))
        (.addCredentialRetriever rimg (reify CredentialRetriever
                                        (retrieve [_]
                                          (require [(symbol (namespace (:fn auth)))])
                                          (let [creds (eval `(~(:fn auth) ~(:args auth)))]
                                            (Optional/of (Credential/from (:username creds) (:password creds))))))))

      :default rimg))


  (defmulti configure-image (fn [image-config project] (:type image-config)))

  (defmethod configure-image :tar [{:keys [image-name]} project]
    (let [image-name (or image-name (str "target/" (:name project) ".tar"))]
      (lein/debug "Tar image:" image-name)
      (.named (TarImage/at (-> (File. ^String image-name)
                             .toURI
                             Paths/get))
        ^String image-name)))

  (defmethod configure-image :registry [{:keys [image-name] :as image-config} project]
    (let [image-name (or image-name (:name project))]
      (lein/debug "Registry image:" image-name)
      (-> (RegistryImage/named ^ImageReference (to-imgref image-config))
        (add-registry-credentials image-config))))

  (defmethod configure-image :docker [{:keys [image-name] :as image-config} project]
    (let [image-name (or image-name (:name project))]
      (lein/debug "Local docker:" image-name)
      (DockerDaemonImage/named ^ImageReference (to-imgref image-config))))

  (defmethod configure-image :default [image-config _]
    (throw (Exception. ^String (str "Unknown image type: " (:image-name image-config)))))

  (defn jib-build
    "It places the jar in the container (or else it gets the hose again)."
    [project & args]
    #_(pprint/pprint (lein-cp/ext-classpath project))
    #_(pprint/pprint args)
    (let [project (project/merge-profiles project [:uberjar])
          config (:jib-build/build-config project)
          standalone-jar (jar/get-jar-filename project :standalone)
          base-image (get config :base-image default-base-image)
          entrypoint (get config :entrypoint default-entrypoint)
          arguments (get config :arguments (.toString (.getFileName (get-path standalone-jar))))
          app-layer [(into-list (get-path standalone-jar))
                     (AbsoluteUnixPath/get "/")]]
      (lein/info "Building container upon" (:image-name base-image) "with" standalone-jar)
      (-> (Jib/from (configure-image base-image project))
        (.addLayer (first app-layer) (second app-layer))
        (.setEntrypoint (apply into-list entrypoint))
        (.setProgramArguments (into-list arguments))
        (.containerize (Containerizer/to (configure-image (:target-image config) project)))))))
	(ns jib
	(:import
	(com.google.cloud.tools.jib.api Jib
	DockerDaemonImage
	Containerizer
	TarImage
	RegistryImage
	ImageReference CredentialRetriever Credential)
	(com.google.cloud.tools.jib.api.buildplan AbsoluteUnixPath)
	(com.google.cloud.tools.jib.frontend
	CredentialRetrieverFactory)
	(java.nio.file Paths)
	(java.io File)
	(java.util List ArrayList Optional)))

	(defn- get-path [filename]
	(Paths/get (.toURI (File. ^String filename))))

	(defn- into-list
	[& args]
	(ArrayList. ^List args))

	(defn- to-imgref [image-config]
	(ImageReference/parse image-config))

	(comment

	(Jib/from "gcr.io/distroless/java")

	(def standalone-jar "/Users/genekim/src.local/book-pubsub-components-rf/pubsub-web/pubsub-web-standalone.jar")

	(def app-layer [(into-list (get-path standalone-jar))
	(AbsoluteUnixPath/get "/")])

	(def entrypoint ["/app/target/pubsub-web-standalone.jar"])

	(def registry (RegistryImage/from "us.gcr.io/booktracker-1208/pubsub-web:latest"))

	(-> (RegistryImage/named (to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")))

	(def arguments standalone-jar)

	; 1. unauthorized!

	(-> (Jib/from "gcr.io/distroless/java")
	(.addLayer (first app-layer) (second app-layer))
	(.setEntrypoint (apply into-list entrypoint))
	(.setProgramArguments (into-list arguments))
	(.containerize (Containerizer/to
	(RegistryImage/named
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")))))

	; Execution error (HttpResponseException) at com.google.api.client.http.HttpRequest/execute (HttpRequest.java:1113).
	;401 Unauthorized
	;GET https://us.gcr.io/v2/token?service=us.gcr.io&scope=repository:booktracker-1208/pubsub-web:pull,push
	;{"errors":[{"code":"UNAUTHORIZED","message":"You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"}]}

	(-> (Jib/from "gcr.io/distroless/java")
	(.addLayer (first app-layer) (second app-layer))
	(.setEntrypoint (apply into-list entrypoint))
	(.setProgramArguments (into-list arguments))
	(.containerize (Containerizer/to
	(RegistryImage/named
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest"))))
	(.addCredentialRetriever
	(-> (CredentialRetrieverFactory/forImage
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
	nil)
	(.googleApplicationDefaultCredentials))))

	; same error

	(-> (Jib/from "gcr.io/distroless/java")
	(.addLayer (first app-layer) (second app-layer))
	(.setEntrypoint (apply into-list entrypoint))
	(.setProgramArguments (into-list arguments))
	(.containerize (Containerizer/to
	(RegistryImage/named
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest"))))
	(.addCredentialRetriever
	(-> (CredentialRetrieverFactory/forImage
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
	nil)
	;(.dockerCredentialHelper "/Users/genekim/software/google-cloud-sdk/bin/docker-credential-gcloud")
	(.dockerConfig))))

	(def creds (-> (CredentialRetrieverFactory/forImage
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
	nil)
	(.wellKnownCredentialHelpers)))

	(def creds (-> (CredentialRetrieverFactory/forImage
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
	nil)
	(.dockerConfig)))

	(def creds (-> (CredentialRetrieverFactory/forImage
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
	nil)
	(.dockerConfig (get-path "/Users/genekim/.docker/config.json"))))

	(def creds (-> (CredentialRetrieverFactory/forImage
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
	nil)
	(.googleApplicationDefaultCredentials)))

	(def creds (-> (CredentialRetrieverFactory/forImage
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
	nil)
	(.dockerCredentialHelper "/Users/genekim/software/google-cloud-sdk/bin/docker-credential-gcloud")))

	(def creds (-> (CredentialRetrieverFactory/forImage
	(to-imgref "us.gcr.io/booktracker-1208/pubsub-web:latest")
	nil)
	(.known "")))

	(.isPresent creds)
	(bean creds)
	(.retrieve creds)
	(clojure.pprint/pprint (clojure.reflect/reflect creds))

	; from Jib CLI
	;
	; genekim@Genes-2020-M1-MacBook-Pro datomic-cloudrun % time make jibcli
	;bin/jib-0.5.0/bin/jib jar --target=us.gcr.io/booktracker-1208/datomic-test-jib \
	; target/datomic-test-standalone.jar
	;[WARN] Base image 'adoptopenjdk:8-jre' does not use a specific image digest - build may not be reproducible
	;Using credentials from Docker config (/Users/genekim/.docker/config.json) for us.gcr.io/booktracker-1208/datomic-test-jib
	;The base image requires auth. Trying again for adoptopenjdk:8-jre...
	;Using base image with digest: sha256:bf736024c65942ab045c497e408706f9e599651bf8c01a75ecb3d6971d66700d

	;==== original

	(-> (Jib/from (configure-image base-image project))
	(.addLayer (first app-layer) (second app-layer))
	(.setEntrypoint (apply into-list entrypoint))
	(.setProgramArguments (into-list arguments))
	(.containerize (Containerizer/to (configure-image (:target-image config) project))))


	,)

	;
	; copied from: https://github.com/vehvis/lein-jib-build/blob/master/src/leiningen/jib_build.clj
	;

	(comment
	(ns leiningen.jib-build
	(:import [com.google.cloud.tools.jib.api Jib
	DockerDaemonImage
	Containerizer
	TarImage
	RegistryImage
	AbsoluteUnixPath
	ImageReference CredentialRetriever Credential]
	[java.io File]
	[java.util List ArrayList Optional]
	[java.nio.file Paths])
	(:require [leiningen.core.main :as lein]
	[leiningen.core.classpath :as lein-cp]
	[leiningen.uberjar :as uberjar]
	[leiningen.jar :as jar]
	[clojure.pprint :as pprint]
	[leiningen.core.project :as project]))

	(def default-base-image {:type :registry
	:image-name "gcr.io/distroless/java"})
	(def default-entrypoint ["java" "-jar"])


	(defn- into-list
	[& args]
	(ArrayList. ^List args))

	(defn- get-path [filename]
	(Paths/get (.toURI (File. ^String filename))))

	(defn- to-imgref [image-config]
	(ImageReference/parse (:image-name image-config)))

	(defn add-registry-credentials [rimg registry-config]
	(cond
	(:username registry-config)
	(do (lein/debug "Using username/password authentication, user:" (:username registry-config))
	(.addCredential rimg (:username registry-config) (:password registry-config)))

	(:authorizer registry-config)
	(let [auth (:authorizer registry-config)]
	(lein/debug "Using custom registry authentication:" (:authorizer registry-config))
	(.addCredentialRetriever rimg (reify CredentialRetriever
	(retrieve [_]
	(require [(symbol (namespace (:fn auth)))])
	(let [creds (eval `(~(:fn auth) ~(:args auth)))]
	(Optional/of (Credential/from (:username creds) (:password creds))))))))

	:default rimg))



	(defmulti configure-image (fn [image-config project] (:type image-config)))

	(defmethod configure-image :tar [{:keys [image-name]} project]
	(let [image-name (or image-name (str "target/" (:name project) ".tar"))]
	(lein/debug "Tar image:" image-name)
	(.named (TarImage/at (-> (File. ^String image-name)
	.toURI
	Paths/get))
	^String image-name)))

	(defmethod configure-image :registry [{:keys [image-name] :as image-config} project]
	(let [image-name (or image-name (:name project))]
	(lein/debug "Registry image:" image-name)
	(-> (RegistryImage/named ^ImageReference (to-imgref image-config))
	(add-registry-credentials image-config))))

	(defmethod configure-image :docker [{:keys [image-name] :as image-config} project]
	(let [image-name (or image-name (:name project))]
	(lein/debug "Local docker:" image-name)
	(DockerDaemonImage/named ^ImageReference (to-imgref image-config))))

	(defmethod configure-image :default [image-config _]
	(throw (Exception. ^String (str "Unknown image type: " (:image-name image-config)))))

	(defn jib-build
	"It places the jar in the container (or else it gets the hose again)."
	[project & args]
	#_(pprint/pprint (lein-cp/ext-classpath project))
	#_(pprint/pprint args)
	(let [project (project/merge-profiles project [:uberjar])
	config (:jib-build/build-config project)
	standalone-jar (jar/get-jar-filename project :standalone)
	base-image (get config :base-image default-base-image)
	entrypoint (get config :entrypoint default-entrypoint)
	arguments (get config :arguments (.toString (.getFileName (get-path standalone-jar))))
	app-layer [(into-list (get-path standalone-jar))
	(AbsoluteUnixPath/get "/")]]
	(lein/info "Building container upon" (:image-name base-image) "with" standalone-jar)
	(-> (Jib/from (configure-image base-image project))
	(.addLayer (first app-layer) (second app-layer))
	(.setEntrypoint (apply into-list entrypoint))
	(.setProgramArguments (into-list arguments))
	(.containerize (Containerizer/to (configure-image (:target-image config) project)))))))