# -------------------------------------------------------------------------------------
#
# Copyright (c) 2021, WSO2 Inc. (http://www.wso2.com). All Rights Reserved.
#
# This software is the property of WSO2 Inc. and its suppliers, if any.
# Dissemination of any information or reproduction of any material contained
# herein in any form is strictly forbidden, unless permitted by WSO2 expressly.
# You may not alter or remove any copyright or other notice from copies of this content.
#
# --------------------------------------------------------------------------------------
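# Step template: locks the ACR image identified by DIGEST against deletion,
# records it in a state file, and unlocks images recorded there that are
# older than the retention period.
parameters:
  # Azure service connection the AzureCLI task authenticates with.
  - name: "SERVICE_CONNECTION"
    type: string
  # Name of the Azure Container Registry.
  - name: "REGISTRY"
    type: string
  # Repository inside the registry.
  - name: "REPOSITORY"
    type: string
  # Manifest digest of the image to lock.
  - name: "DIGEST"
    type: string
  # Path of the state file; one "<lastUpdateTime> <tag>" line per locked image.
  - name: "STATE_FILE"
    type: string
  # Retention period in months (1-12).
  - name: "RETENTION_PERIOD"
    type: string
steps:
  - task: AzureCLI@2
    inputs:
      azureSubscription: ${{ parameters.SERVICE_CONNECTION }}
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        # Fail script when a subsequent command or pipe redirection fails
        set -e
        set -o pipefail

        # Inputs are read from the environment (see "env:" on this task) instead
        # of being expanded into the script text, so a parameter value that
        # contains quotes or shell syntax is handled as data, never as code.
        PRESENT_TAGS=()
        FILE="${STATE_FILE}"
        IS_LOCKED="false"

        # NOTE(review): the state file decides which tags get unlocked
        # (delete-enabled) below, so it should live where only this pipeline
        # can write to it.
        # Create state file if it does not exist
        if [ ! -f "${FILE}" ]; then
          touch "${FILE}"
        fi

        # Check retention period: whole months 1-12. Matching with a regex only
        # (no arithmetic test on the raw value) avoids bash reading "08"/"09" as
        # invalid octal and avoids overflow on very long digit strings.
        rg='^0*([1-9]|1[0-2])$'
        if [[ "${RETENTION_PERIOD}" =~ ${rg} ]]; then
          RETENTION_PERIOD="$((10#${RETENTION_PERIOD})) months ago"
        else
          echo "Error: invalid retention period, enter months 1-12!" >&2
          exit 1
        fi

        # The digest is embedded in a JMESPath string literal below; accept only
        # the "<algorithm>:<encoded>" digest shape so it cannot alter the query.
        digest_rg='^[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$'
        if [[ ! "${DIGEST}" =~ ${digest_rg} ]]; then
          echo "Error: invalid digest format!" >&2
          exit 1
        fi

        # Get image tag (first tag of the manifest with this digest)
        image_tag=$(az acr repository show-manifests --name "${REGISTRY}" --repository "${REPOSITORY}" \
          -o tsv --query "[?digest == '${DIGEST}'].[tags[0]]")
        # Exit with error if digest not found in the ACR
        if [ -z "${image_tag}" ]; then
          echo "Error: image tag not found for Digest: ${REPOSITORY}@${DIGEST}" >&2
          exit 1
        fi

        # Read state file to an array
        readarray -t PRESENT_TAGS <"${FILE}"

        # Check if image tag is already available in the state file.
        # Compare the tag field exactly: a substring test would treat "1.0" as
        # present when only "1.0.1" is recorded and skip locking the new image.
        for entry in "${PRESENT_TAGS[@]}"; do
          if [[ "${entry#* }" == "${image_tag}" ]]; then
            IS_LOCKED="true"
            # Report if image already in the state file
            echo "Image Digest: ${REPOSITORY}:${DIGEST} haven't changed!!!"
            break
          fi
        done

        if (( ${#PRESENT_TAGS[@]} )); then
          # Set retention period and convert it to seconds (Epoch time) once;
          # it is the same for every entry.
          timeago="${RETENTION_PERIOD}"
          taSec=$(date --date "${timeago}" +'%s')
          for tag in "${PRESENT_TAGS[@]}"; do
            # Split image last update date and tag into separate variables
            last_updated_on="${tag%% *}"
            image_tag_to_remove="${tag#* }"
            # Check if image tag matches with current image tag to support rollback scenario
            if [[ "${image_tag_to_remove}" != "${image_tag}" ]]; then
              # Convert to seconds (Epoch time)
              dtSec=$(date --date "${last_updated_on}" +'%s')
              # Check if image date is less than retention period
              if [ "${dtSec}" -lt "${taSec}" ]; then
                # Unlock oldest image before removing from state file
                echo "----------------------------------------------------------------------------------"
                echo "Image tag: ${REPOSITORY}:${image_tag_to_remove} older than ${timeago}"
                echo "Unlocking image tag: ${REPOSITORY}:${image_tag_to_remove}"
                az acr repository update \
                  --name "${REGISTRY}" --image "${REPOSITORY}:${image_tag_to_remove}" \
                  --delete-enabled true --write-enabled true
                echo "Unlocking image COMPLETED for tag: ${REPOSITORY}:${image_tag_to_remove}"
                echo "----------------------------------------------------------------------------------"
                # Remove oldest image from the state file. The tag is compared
                # as a literal string against the tag field: used as a sed
                # pattern, "." would match any character and "1.0" would also
                # delete the "1.0.1" entry, leaving that image locked but
                # untracked. Appending "" forces a string comparison in awk.
                tmp_file=$(mktemp)
                awk -v tag="${image_tag_to_remove}" '($2 "") != (tag "")' "${FILE}" >"${tmp_file}"
                cat "${tmp_file}" >"${FILE}"
                rm -f -- "${tmp_file}"
                echo "Removed image tag: ${REPOSITORY}:${image_tag_to_remove} from state file!"
              else
                echo "Image tag: ${REPOSITORY}:${image_tag_to_remove} not unlocked as it's not older than ${timeago}"
                # Stops at the first entry inside the retention window;
                # assumes the state file is in chronological order.
                break
              fi
            else
              # NOTE(review): this branch is reached whenever the entry is the
              # current image, whatever its age; the entry is kept locked.
              echo "Latest image tag ${REPOSITORY}:${image_tag_to_remove} is older than ${timeago}"
            fi
          done
        else
          echo "State file doesn't have any images!"
        fi

        # Check and skip locking image if the image tag is already available in the state file
        if [[ "${IS_LOCKED}" != "true" ]]; then
          # Lock new image tag
          echo "----------------------------------------------------------------------------------"
          echo "Locking image tag: ${REPOSITORY}:${image_tag}"
          az acr repository update \
            --name "${REGISTRY}" --image "${REPOSITORY}:${image_tag}" \
            --delete-enabled false --write-enabled true
          echo "Locking image COMPLETED for tag: ${REPOSITORY}:${image_tag}"
          echo "----------------------------------------------------------------------------------"
          # Get image last update date
          last_updated_on=$(az acr repository show -n "${REGISTRY}" --image "${REPOSITORY}:${image_tag}" \
            -o tsv --query "[lastUpdateTime]")
          # Add new image tag to state file
          printf '%s %s\n' "${last_updated_on}" "${image_tag}" >>"${FILE}"
          echo "Updated state file with image tag: ${REPOSITORY}:${image_tag}"
        else
          echo "Skipped image lock for image tag: ${REPOSITORY}@${image_tag} as it's found in the state file!"
        fi
    env:
      REGISTRY: "${{ parameters.REGISTRY }}"
      REPOSITORY: "${{ parameters.REPOSITORY }}"
      DIGEST: "${{ parameters.DIGEST }}"
      STATE_FILE: "${{ parameters.STATE_FILE }}"
      RETENTION_PERIOD: "${{ parameters.RETENTION_PERIOD }}"
    displayName: "Lock ACR images"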