do not leak eic-spack rw credentials

69884f72 · Wouter Deconinck · 4987a738 · 69884f72 · 69884f72
Commit 69884f72 authored 2 years ago by Wouter Deconinck
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -254,8 +254,10 @@ jug_dev:default:
                   --build-arg EICSPACK_ORGREPO="${EICSPACK_ORGREPO}"
                   --build-arg EICSPACK_VERSION="${EICSPACK_VERSION}"
                   --build-arg EICSPACK_CHERRYPICKS="${EICSPACK_CHERRYPICKS}"
-                   --build-arg S3_ACCESS_KEY="${S3RW_ACCESS_KEY}"
-                   --build-arg S3_SECRET_KEY="${S3RW_SECRET_KEY}"
+                   --build-arg S3_ACCESS_KEY="${S3_ACCESS_KEY}"
+                   --build-arg S3_SECRET_KEY="${S3_SECRET_KEY}"
+                   --build-arg S3RW_ACCESS_KEY="${S3RW_ACCESS_KEY}"
+                   --build-arg S3RW_SECRET_KEY="${S3RW_SECRET_KEY}"
                   --build-arg CACHE_BUST=${PACKAGE_HASH}
                   --build-arg INTERNAL_TAG=${INTERNAL_TAG}
                   --build-arg JUG_VERSION=${INTERNAL_TAG}-$(git rev-parse HEAD)
@@ -270,8 +272,10 @@ jug_dev:default:
                   --build-arg EICSPACK_ORGREPO="${EICSPACK_ORGREPO}"
                   --build-arg EICSPACK_VERSION="${EICSPACK_VERSION}"
                   --build-arg EICSPACK_CHERRYPICKS="${EICSPACK_CHERRYPICKS}"
-                   --build-arg S3_ACCESS_KEY="${S3RW_ACCESS_KEY}"
-                   --build-arg S3_SECRET_KEY="${S3RW_SECRET_KEY}"
+                   --build-arg S3_ACCESS_KEY="${S3_ACCESS_KEY}"
+                   --build-arg S3_SECRET_KEY="${S3_SECRET_KEY}"
+                   --build-arg S3RW_ACCESS_KEY="${S3RW_ACCESS_KEY}"
+                   --build-arg S3RW_SECRET_KEY="${S3RW_SECRET_KEY}"
                   --build-arg CACHE_BUST=${PACKAGE_HASH}
                   --build-arg INTERNAL_TAG=${INTERNAL_TAG}
                   --build-arg JUG_VERSION=${INTERNAL_TAG}-$(git rev-parse HEAD)

--- a/containers/jug/dev.Dockerfile
+++ b/containers/jug/dev.Dockerfile
@@ -105,7 +105,7 @@ RUN rm -r /usr/local                                                    \
 ## or intermittently to keep the buildcache step from taking too much time
 ##
 ## Update the local build cache if needed. Consists of 3 steps:
-## 1. Remove the B010 network buildcache (silicon)
+## 1. Remove the eic-spack buildcache on S3
 ## 2. Get a list of all packages, and compare with what is already on
 ##    the buildcache (using package hash)
 ## 3. Add packages that need to be added to buildcache if any
@@ -118,15 +118,16 @@ RUN --mount=type=cache,target=/var/cache/spack-mirror                   \
    || spack install -j64 --no-check-signature                          \
    || spack install -j64 --no-check-signature                          \
    || status=$?                                                        \
+ && spack mirror rm eic-spack                                           \
 && [ -z "${CACHE_NUKE}" ]                                              \
    || rm -rf /var/cache/spack-mirror/build_cache/*                     \
 && mkdir -p /var/cache/spack-mirror/build_cache                        \
 && spack buildcache update-index -d /var/cache/spack-mirror            \
 && spack buildcache list --allarch --very-long                         \
    | sed '/^$/d;/^--/d;s/@.\+//;s/\([a-z0-9]*\) \(.*\)/\2\/\1/'        \
-    | sort > buildcache.local.txt                                         \
+    | sort > buildcache.local.txt                                       \
 && spack find --format {name}/{hash} | sort                            \
-    | comm -23 - buildcache.local.txt                                     \
+    | comm -23 - buildcache.local.txt                                   \
    | xargs --no-run-if-empty                                           \
      spack buildcache create --allow-root --only package --unsigned    \
                              --directory /var/cache/spack-mirror       \
@@ -135,8 +136,16 @@ RUN --mount=type=cache,target=/var/cache/spack-mirror                   \
 && exit $status

 ## Update the S3 build cache (without local cache mount)
+ARG S3RW_ACCESS_KEY=""
+ARG S3RW_SECRET_KEY=""
 RUN cd /opt/spack-environment                                           \
- && ls /var/cache/spack-mirror                                          \
+ && if [ -n ${S3RW_ACCESS_KEY} ] ; then                                 \
+    spack mirror add --scope site                                       \
+      --s3-endpoint-url https://eics3.sdcc.bnl.gov:9000                 \
+      --s3-access-key-id ${S3RW_ACCESS_KEY}                             \
+      --s3-access-key-secret ${S3RW_SECRET_KEY}                         \
+      eic-spack s3://eictest/EPIC/spack                                 \
+ && spack mirror list                                                   \
 && spack buildcache update-index -mirror-name eic-spack                \
 && spack buildcache list --allarch --very-long                         \
    | sed '/^$/d;/^--/d;s/@.\+//;s/\([a-z0-9]*\) \(.*\)/\2\/\1/'        \
@@ -146,7 +155,10 @@ RUN cd /opt/spack-environment                                           \
    | xargs --no-run-if-empty                                           \
      spack buildcache create --allow-root --only package --unsigned    \
                              --mirror-name eic-spack                   \
-                              --rebuild-index
+                              --rebuild-index                           \
+ && spack mirror rm eic-spack                                           \
+    ; fi                                                                \
+ && spack mirror list

 ## Extra post-spack steps:
 ##   - Python packages