Replace gerrit-github-sync with newer gitsync container.
diff --git a/gerrit-github-sync/BUILD b/gerrit-github-sync/BUILD
deleted file mode 100644
index 0992c67..0000000
--- a/gerrit-github-sync/BUILD
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 2015 The Bazel Authors. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# A slave for polling and syncing gerrit and github
-load("@io_bazel_rules_docker//docker:docker.bzl", "docker_build")
-
-docker_build(
-    name = "gerrit-github-sync",
-    base = "//base:ubuntu-xenial-amd64-ssh",
-    entrypoint = [
-        "/bin/bash",
-        "/gerrit-github-sync.sh",
-    ],
-    files = ["gerrit-github-sync.sh"],
-    visibility = ["//visibility:public"],
-    volumes = ["/opt/secrets"],
-)
diff --git a/gitsync/Dockerfile b/gitsync/Dockerfile
new file mode 100644
index 0000000..dc9a386
--- /dev/null
+++ b/gitsync/Dockerfile
@@ -0,0 +1,37 @@
+FROM ubuntu:latest
+
+# https://cloud.google.com/sdk/docs/quickstart-debian-ubuntu
+RUN apt-get update \
+ && apt-get install -y \
+        curl \
+        git \
+        lsb-release \
+        openssh-client \
+ && export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)" \
+ && echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" > /etc/apt/sources.list.d/google-cloud-sdk.list \
+ && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - \
+ && apt-get update \
+ && apt-get install -y google-cloud-sdk \
+ && gcloud config set core/disable_usage_reporting true \
+ && gcloud config set component_manager/disable_update_check true \
+ && gcloud --version \
+ && rm -rf /var/lib/apt/lists/*
+
+# TODO(philwo) is this still needed?
+# RUN (cd /usr/share/ca-certificates && find . -type f -name '*.crt' \
+#     | sed -e 's|^\./||') > /etc/ca-certificates.conf \
+#  && update-ca-certificates
+
+RUN useradd --create-home --user-group --shell /bin/bash gitsync
+
+RUN mkdir -p /home/gitsync/.ssh
+COPY ssh_config /home/gitsync/.ssh/config
+COPY known_hosts /home/gitsync/.ssh/known_hosts
+COPY gitsync.sh /home/gitsync/gitsync.sh
+RUN chown -R gitsync:gitsync /home/gitsync
+
+USER gitsync
+RUN git config --global http.cookiefile /home/gitsync/.gitcookies
+
+WORKDIR /home/gitsync
+ENTRYPOINT [ "/home/gitsync/gitsync.sh" ]
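Review bot: `FROM ubuntu:latest` on the first line of the file makes the image non-reproducible, and because the Cloud SDK suite is derived from `lsb_release -c -s`, a base-image bump to a release with no matching `cloud-sdk-<codename>` suite would surface only as a failed `apt-get install -y google-cloud-sdk`; pin the tag (e.g. `FROM ubuntu:<release-tag>`). The `curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -` line runs under `/bin/sh -c` with neither pipefail nor `-f`, so a curl failure or an HTTP error body may be fed to apt-key while the layer still succeeds; use `curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -` and put `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the RUN. The `RUN mkdir -p` / three `COPY`s / `RUN chown -R gitsync:gitsync /home/gitsync` sequence can be collapsed to `COPY --chown=gitsync:gitsync ...`, which avoids re-writing the copied files in a second layer; `--no-install-recommends` on both `apt-get install` calls would also keep the image smaller.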
diff --git a/gitsync/README.md b/gitsync/README.md
new file mode 100644
index 0000000..4d3aa87
--- /dev/null
+++ b/gitsync/README.md
@@ -0,0 +1,23 @@
+# Building the Docker container
+
+```
+$ docker build -t gcr.io/bazel-public/gitsync .
+$ docker push gcr.io/bazel-public/gitsync
+```
+
+# Starting the VM that hosts the Docker container
+
+```
+$ gcloud beta compute instances create-with-container \
+    --boot-disk-size 200GB \
+    --container-image gcr.io/bazel-public/gitsync:latest \
+    --machine-type n1-standard-1 \
+    --network buildkite \
+    --zone europe-west1-d \
+    --image-project cos-cloud \
+    --image-family cos-stable \
+    --metadata cos-metrics-enabled=true \
+    --scopes cloud-platform \
+    --service-account gitsync@bazel-public.iam.gserviceaccount.com \
+    gitsync
+```
diff --git a/gerrit-github-sync/gerrit-github-sync.sh b/gitsync/gitsync.sh
old mode 100644
new mode 100755
similarity index 67%
rename from gerrit-github-sync/gerrit-github-sync.sh
rename to gitsync/gitsync.sh
index 55ed4fc..ddb8281
--- a/gerrit-github-sync/gerrit-github-sync.sh
+++ b/gitsync/gitsync.sh
@@ -27,72 +27,60 @@
     "https://bazel.googlesource.com/bazel-toolchains git@github.com:bazelbuild/bazel-toolchains.git bazel-toolchains true master"
 )
 
-# Install certificates
-(cd /usr/share/ca-certificates && find . -type f -name '*.crt' \
-    | sed -e 's|^\./||') > /etc/ca-certificates.conf
-update-ca-certificates
+set -euxo pipefail
 
-# Set-up deploy keys
-mkdir -p ~/.ssh
-cat >~/.ssh/config <<'EOF'
-Host               github.com
-    Hostname       github.com
-    User           git
-    IdentityFile   /opt/secrets/github_id_rsa
-    IdentitiesOnly yes
-    StrictHostKeyChecking no
-EOF
+# Download & decrypt gitcookies.
+gsutil cat "gs://bazel-encrypted-secrets/gitsync-cookies.enc" | \
+    gcloud kms decrypt --location "global" --keyring "buildkite" --key "gitsync-cookies-key" --plaintext-file "-" --ciphertext-file "-" \
+    > /home/gitsync/.gitcookies
+chmod 0600 /home/gitsync/.gitcookies
 
-git config --global http.cookiefile /opt/secrets/gerritcookies
-
-set -eu
-
-cd /tmp
-
-function log() {
-  echo "[$(date -u '+%Y-%m-%d %H:%M:%S')] $*"
-}
+# Download & decrypt GitHub SSH key.
+gsutil cat "gs://bazel-encrypted-secrets/gitsync-ssh.enc" | \
+    gcloud kms decrypt --location "global" --keyring "buildkite" --key "gitsync-ssh-key" --plaintext-file "-" --ciphertext-file "-" \
+    > /home/gitsync/.ssh/id_rsa
+chmod 0600 /home/gitsync/.ssh/id_rsa
 
 function clone() {
-  git clone $1 $3
-  pushd $3
-  git remote add destination $2
+  git clone "$1" "$3"
+  pushd "$3"
+  git remote add destination "$2"
   popd
 }
 
 function sync_branch() {
-  log "sync_branch $*"
+  echo "sync_branch $*"
   local branch="$1"
   local bidirectional="$2"
-  git checkout origin/${branch} -B ${branch} || {
+  git checkout "origin/${branch}" -B "${branch}" || {
     echo "Failed to checkout ${branch}, aborting sync..."
     return 1
   }
 
-  log "Origin branch is $(git rev-parse origin/master), destination is $(git rev-parse destination/master)"
+  echo "Origin branch is $(git rev-parse origin/master), destination is $(git rev-parse destination/master)"
   if $bidirectional; then
-    git rebase destination/${branch} || {
+    git rebase "destination/${branch}" || {
       echo "Failed to rebase ${branch} from destination, aborting sync..."
       git rebase --abort &>/dev/null || true
       return 1
     }
-    git push -f origin ${branch} || {
+    git push -f origin "${branch}" || {
       echo "Failed to force pushed to origin, aborting sync..."
       return 1
     }
   fi
 
-  log "New head for destination is $(git rev-parse HEAD)"
-  git push destination ${branch} || {
+  echo "New head for destination is $(git rev-parse HEAD)"
+  git push destination "${branch}" || {
     echo "Failed to push to destination..."
     return 1
   }
 }
 
 function sync() {
-  log "sync $*"
+  echo "sync $*"
   local bidirectional="$4"
-  pushd $3
+  pushd "$3"
   shift 4
   git fetch origin
   git fetch destination
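Review bot: Both decrypted secrets are materialized by shell redirection before their `chmod 0600` runs, so `/home/gitsync/.gitcookies` and `/home/gitsync/.ssh/id_rsa` briefly exist with whatever the process umask allows (commonly 0644); add `umask 077` directly after `set -euxo pipefail` so the files are private from creation and the chmod lines become a secondary guard. Replacing the removed `log` helper with bare `echo` drops the UTC timestamps from every sync message, which makes the container log harder to correlate with push times on Gerrit and GitHub; keeping a two-line `log()` wrapper costs nothing. With `-x` enabled, the `gsutil cat` and `gcloud kms decrypt` command lines are traced but the decrypted content only flows through stdout, so nothing sensitive should appear in the trace — worth confirming once against a real run. The `sync` function at the end of the hunk continues past the hunk.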
diff --git a/gitsync/known_hosts b/gitsync/known_hosts
new file mode 100644
index 0000000..31cdb7d
--- /dev/null
+++ b/gitsync/known_hosts
@@ -0,0 +1 @@
+github.com,192.30.253.112,192.30.253.113 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
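Review bot: The entry pins the host key to `github.com,192.30.253.112,192.30.253.113`, but the IP addresses add no verification value since the accompanying ssh_config connects by `Hostname github.com`, and they will go stale as GitHub's address ranges change, which on OpenSSH versions where `CheckHostIP` defaults to yes produces a warning on every connection. Consider trimming the line to `github.com ssh-rsa ...` and recording, in the README or a leading `#` comment line in this file, the fingerprint and the source used to verify it, so a future key rotation can be checked rather than trusted.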
diff --git a/gitsync/ssh_config b/gitsync/ssh_config
new file mode 100644
index 0000000..4db8851
--- /dev/null
+++ b/gitsync/ssh_config
@@ -0,0 +1,5 @@
+Host github.com
+    Hostname github.com
+    User git
+    IdentityFile /home/gitsync/.ssh/id_rsa
+    IdentitiesOnly yes
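Review bot: The block relies on the default `StrictHostKeyChecking ask` to reject a GitHub key that does not match the shipped known_hosts, which in a non-interactive container does fail the connection but leaves the intent implicit; add `StrictHostKeyChecking yes` and `UserKnownHostsFile /home/gitsync/.ssh/known_hosts` under `Host github.com` so the pinned key is the only one accepted and ssh never attempts to write new entries. The `IdentityFile /home/gitsync/.ssh/id_rsa` path matches what gitsync.sh writes, so no change is needed there.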