From 5ff2ecd4e357d371fab28cb21dce1d3cbdee967a Mon Sep 17 00:00:00 2001
From: Jasper Clark
Date: Fri, 1 Nov 2024 16:21:35 +0000
Subject: [PATCH] Resolve KASM-6454 "Feature/ workspace core images pipelines not longer push to private registry reducing visibility on vulnerabilities/workspaces core images"
---
 .gitlab-ci.yml | 2 +-
 ci-scripts/gitlab-ci.template | 2 +-
 ci-scripts/manifest.sh | 82 ++++++++++++++++++++++++-----------
 3 files changed, 58 insertions(+), 28 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index dd69c7e..eedbda6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -19,7 +19,7 @@ variables:
 TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.a1d5b7.tar.gz"
 SCAN_CONTAINERS: "true"
 before_script:
- - export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
+ - export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
 #######################
 # Build from template #
diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template
index 6f36328..e391a54 100644
--- a/ci-scripts/gitlab-ci.template
+++ b/ci-scripts/gitlab-ci.template
@@ -18,7 +18,7 @@ variables:
 DOCKER_TLS_CERTDIR: ""
 before_script:
 - docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
- - export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
+ - export SANITIZED_BRANCH="$(echo ${CI_COMMIT_REF_NAME:0:64} | sed -r 's#^release/##' | sed 's/\//_/g')"
 ###############################################
 # Build Containers and push to cache endpoint #
diff --git a/ci-scripts/manifest.sh b/ci-scripts/manifest.sh
index b56a821..a742070 100755
--- a/ci-scripts/manifest.sh
+++ b/ci-scripts/manifest.sh
@@ -2,6 +2,7 @@
 # Globals
 FAILED="false"
+PUBLIC_BUILD="false"
 # Ingest cli variables
 ## Parse input ##
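Review bot: Truncating `CI_COMMIT_REF_NAME` to its first 64 characters before the `release/` prefix is stripped means that any two refs sharing a 64-character prefix collapse to the same `SANITIZED_BRANCH`, so their `image-cache-private` and endpoint tags silently overwrite each other across pipelines; the identical line in ci-scripts/gitlab-ci.template has the same property. If the cap exists to keep the composed image tag within Docker's 128-character limit, it is safer to truncate only when the name is actually over-long and, in that case, append a short digest of the full ref name (for example the first seven hex characters of its sha256) so distinct branches stay distinct while `develop` and `release/*` names are unaffected. Quoting the expansion, `echo "${CI_COMMIT_REF_NAME:0:64}"`, also removes the last bit of word-splitting exposure in the pipeline, although git already forbids whitespace in ref names.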
@@ -12,19 +13,15 @@ REVERT_PIPELINE_ID=$4
 IS_ROLLING=$5
 PULL_BRANCH=${SANITIZED_BRANCH}
-# Determine if this is a private or public build
+# Determine if this is a public build
 if [[ "${CI_COMMIT_REF_NAME}" == release/* ]] || [[ "${CI_COMMIT_REF_NAME}" == "develop" ]]; then
- if [[ "${NAME1}" == "${NAME2}" ]]; then
- ENDPOINT="core-${NAME1}"
- else
- ENDPOINT="core-${NAME1}-${NAME2}"
- fi
+ PUBLIC_BUILD="true"
+fi
+
+if [[ "${NAME1}" == "${NAME2}" ]]; then
+ ENDPOINT="core-${NAME1}"
 else
- if [[ "${NAME1}" == "${NAME2}" ]]; then
- ENDPOINT="core-${NAME1}-private"
- else
- ENDPOINT="core-${NAME1}-${NAME2}-private"
- fi
+ ENDPOINT="core-${NAME1}-${NAME2}"
 fi
 # Determine if this is a rolling build
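Review bot: `ENDPOINT` no longer carries the `-private` suffix for non-public branches; the suffix is now appended only at the tag/push sites in the later hunks, so any other use of `${ENDPOINT}` between this hunk and the multi-arch block (the rolling and revert handling that `IS_ROLLING` and `REVERT_PIPELINE_ID` suggest, which is outside what is shown) would now resolve to the public repository name for every branch. Those lines, if they exist, need the same `PUBLIC_BUILD` gate or the `-private` form. A comment on the new flag would also help the next reader, e.g. `# PUBLIC_BUILD gates the extra push to the public ${ENDPOINT} repo; every build still lands in ${ENDPOINT}-private`. The surrounding script continues outside the hunk on both sides.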
@@ -81,28 +78,50 @@ fi
 # Manifest for multi pull and push for single arch
 if [[ "${TYPE}" == "multi" ]]; then
+ docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
 # Pull images from cache repo
 docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
 docker pull ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
- # Tag images to live repo
+ # Conditionally Process Public Build
+ if [[ "${PUBLIC_BUILD}" == "true" ]]; then
+ # Tag images to live repo
+ docker tag \
+ ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
+ ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
+ docker tag \
+ ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
+ ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
+
+ # Push arches to live repo
+ docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
+ docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
+
+ # Manifest to meta tag on live repo
+ docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || :
+ docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
+ docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
+ docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
+ fi
+
+ # Tag images to private repo
 docker tag \
 ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
- ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
+ ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
 docker tag \
 ${ORG_NAME}/image-cache-private:aarch64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
- ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
+ ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
- # Push arches to live repo
- docker push ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH}
- docker push ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
+ # Push arches to private repo
+ docker push ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH}
+ docker push ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
- # Manifest to meta tag
- docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} || :
- docker manifest create ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH}
- docker manifest annotate ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
- docker manifest push --purge ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
+ # Manifest to meta tag on private repo
+ docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} || :
+ docker manifest create ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:x86_64-${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH}
+ docker manifest annotate ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH} ${ORG_NAME}/${ENDPOINT}-private:aarch64-${SANITIZED_BRANCH} --os linux --arch arm64 --variant v8
+ docker manifest push --purge ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
 # Single arch image just pull and push
 else
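Review bot: The added `docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD` passes the registry secret as a command-line argument, where it is visible to any process listing on the runner and would be echoed into the job log if the script is ever run with `set -x`; `docker login` itself warns about this. Prefer `echo "${DOCKER_HUB_PASSWORD}" | docker login --username "${DOCKER_HUB_USERNAME}" --password-stdin`. Because the same credential pushes both `${ENDPOINT}` and `${ENDPOINT}-private`, the `PUBLIC_BUILD` branch-name check is the only thing keeping a non-release build out of the public repository, so these variables are worth keeping protected-branch-scoped on the GitLab side. The public and private blocks are otherwise identical apart from the repository name and could be a single loop over the target repositories, which would keep the two copies from drifting.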
@@ -110,12 +129,23 @@ else
 # Pull image
 docker pull ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID}
- # Tage image
+ # Conditionally Process Public Build
+ if [[ "${PUBLIC_BUILD}" == "true" ]]; then
+ # Tage image to live repo
+ docker tag \
+ ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
+ ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
+
+ # Push image to live repo
+ docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
+ fi
+
+ # Tage image to private repo
 docker tag \
 ${ORG_NAME}/image-cache-private:x86_64-core-${NAME1}-${NAME2}-${PULL_BRANCH}-${CI_PIPELINE_ID} \
- ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
+ ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
- # Push image
- docker push ${ORG_NAME}/${ENDPOINT}:${SANITIZED_BRANCH}
+ # Push image to private repo
+ docker push ${ORG_NAME}/${ENDPOINT}-private:${SANITIZED_BRANCH}
 fi
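Review bot: The two new comments carry the pre-existing typo forward, `# Tage image to live repo` and `# Tage image to private repo`; since these lines are new they should read `# Tag image to live repo` and `# Tag image to private repo`. This single-arch branch has the same shape as the multi-arch block above, a public block gated on `PUBLIC_BUILD` followed by an unconditional private push, so whatever login handling and loop structure is settled on there is worth mirroring here so the two paths do not drift. The enclosing `if`/`else` on `TYPE` starts outside the hunk.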