WX-927 Demo KMS Docker token issues in GCP Batch

broadinstitute · Sep 19, 2024 · 62d86f6 · 62d86f6
1 parent dde735a
commit 62d86f6
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 2 deletions.
diff --git a/...ndardTestCases/docker_hash/gcpbatch_docker_hash_dockerhub_private_no_dockerhub_config.wdl b/...ndardTestCases/docker_hash/gcpbatch_docker_hash_dockerhub_private_no_dockerhub_config.wdl
@@ -0,0 +1,13 @@
+task dockerhub {
+    command {
+        echo "hello"
+    }
+    runtime {
+        docker: "broadinstitute/cloud-cromwell:dev"
+        backend: "GCPBATCHNoDockerHubConfig"
+    }
+}
+
+workflow docker_hash_dockerhub_private {
+    call dockerhub
+}
diff --git a/centaur/src/main/resources/standardTestCases/docker_hash_dockerhub_private_wf_options.test b/centaur/src/main/resources/standardTestCases/docker_hash_dockerhub_private_wf_options.test
@@ -1,7 +1,6 @@
 name: docker_hash_dockerhub_private_wf_options
 testFormat: workflowsuccess
-# see https://github.com/broadinstitute/cromwell/pull/7515
-backends: [Papiv2NoDockerHubConfig, GCPBATCH_FAIL]
+backends: [Papiv2NoDockerHubConfig, GCPBATCH_ALT]
 
 files {
   workflow: docker_hash/docker_hash_dockerhub_private_no_dockerhub_config.wdl

diff --git a/...c/main/resources/standardTestCases/gcpbatch_docker_hash_dockerhub_private_wf_options.test b/...c/main/resources/standardTestCases/gcpbatch_docker_hash_dockerhub_private_wf_options.test
@@ -0,0 +1,17 @@
+name: gcpbatch_docker_hash_dockerhub_private_wf_options
+testFormat: workflowsuccess
+backends: [GCPBATCHNoDockerHubConfig]
+
+files {
+  workflow: docker_hash/gcpbatch_docker_hash_dockerhub_private_no_dockerhub_config.wdl
+  # Updated the options to read_from_cache: false for
+  # https://github.com/broadinstitute/cromwell/issues/3998
+  options-dir: "Error: BA-6546 The environment variable CROMWELL_BUILD_RESOURCES_DIRECTORY must be set/export pointing to a valid path such as '${YOUR_CROMWELL_DIR}/target/ci/resources'"
+  options-dir: ${?CROMWELL_BUILD_RESOURCES_DIRECTORY}
+  options: ${files.options-dir}/private_docker_papi_v2_usa.options
+}
+
+metadata {
+  "calls.docker_hash_dockerhub_private.dockerhub.runtimeAttributes.docker": "broadinstitute/cloud-cromwell:dev",
+  "calls.docker_hash_dockerhub_private.dockerhub.dockerImageUsed": "broadinstitute/cloud-cromwell@sha256:0d51f90e1dd6a449d4587004c945e43f2a7bbf615151308cff40c15998cc3ad4"
+}
diff --git a/src/ci/resources/gcp_batch_application.conf b/src/ci/resources/gcp_batch_application.conf
@@ -23,5 +23,11 @@ backend {
         filesystems.gcs.auth = "requester_pays_service_account"
       }
     }
+    GCPBATCHNoDockerHubConfig {
+      actor-factory = "cromwell.backend.google.batch.GcpBatchBackendLifecycleActorFactory"
+      config {
+        include "gcp_batch_provider_config.inc.conf"
+      }
+    }
   }
 }
diff --git a/src/ci/resources/gcp_batch_shared_application.inc.conf b/src/ci/resources/gcp_batch_shared_application.inc.conf
@@ -61,5 +61,10 @@ backend {
         filesystems.http {}
       }
     }
+    GCPBATCHNoDockerHubConfig {
+      actor-factory = "REPLACEME!"
+      config {
+      }
+    }
   }
 }
diff --git a/.../google/batch/src/main/scala/cromwell/backend/google/batch/runnable/RunnableBuilder.scala b/.../google/batch/src/main/scala/cromwell/backend/google/batch/runnable/RunnableBuilder.scala
@@ -156,6 +156,7 @@ object RunnableBuilder {
           .setImageUri(docker)
           .setEntrypoint(jobShell)
           .addCommands(scriptContainerPath)
+          // GCP Batch: no way to pass in KMS-encrypted Secret like PAPI v2?
           .setUsername(username)
           .setPassword(password)
       case _ =>

diff --git a/...es/v2beta/src/main/scala/cromwell/backend/google/pipelines/v2beta/api/ActionBuilder.scala b/...es/v2beta/src/main/scala/cromwell/backend/google/pipelines/v2beta/api/ActionBuilder.scala
@@ -122,6 +122,7 @@ object ActionBuilder {
       if DockerHub.isValidDockerHubHost(
         imageId.host
       ) // This token only works for Docker Hub and not other repositories.
+      // PAPI v2: If the private Docker key and token are defined, create a Secret
       keyAndToken <- privateDockerKeyAndToken
       s = new Secret().setKeyName(keyAndToken.key).setCipherText(keyAndToken.encryptedToken)
     } yield s
@@ -132,6 +133,7 @@ object ActionBuilder {
       .setMounts(mounts.asJava)
       .setEntrypoint(jobShell)
       .setLabels(Map(Key.Tag -> Value.UserAction).asJava)
+      // PAPI v2: Set the Secret as the credentials
       .setCredentials(secret.orNull)
       .setEnableFuse(fuseEnabled)
   }

diff --git a/...lines/v2beta/src/main/scala/cromwell/backend/google/pipelines/v2beta/api/UserAction.scala b/...lines/v2beta/src/main/scala/cromwell/backend/google/pipelines/v2beta/api/UserAction.scala
@@ -10,6 +10,7 @@ trait UserAction {
       createPipelineParameters.commandScriptContainerPath.pathAsString,
       mounts,
       createPipelineParameters.jobShell,
+      // PAPI v2: send in the key name and encrypted Docker token here
       createPipelineParameters.privateDockerKeyAndEncryptedToken,
       createPipelineParameters.fuseEnabled
     )