Merge pull request #467 from tiiuae/fix-ci-workflow-jfrog-server-change

Fix CI: Disable workflow + update SSRC repo + Use MITM proxy in apt

.github/workflows/main.yaml

@@ -24,20 +24,22 @@ jobs:
           ROS: 1
           ROS_DISTRO: ${{ matrix.ros2_distro }}
           PACKAGE_NAME: mesh_com
+          ARTIFACTORY_CLOUD_TOKEN: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }}
         run: |
           set -eux
           mkdir bin
           pushd mesh_com
           ./build.sh ../bin/
           popd
 
-      - uses: jfrog/setup-jfrog-cli@v2
+      - uses: jfrog/setup-jfrog-cli@v4
         env:
-          JF_ARTIFACTORY_1: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }}
+          JF_URL: https://artifactory.ssrcdevops.tii.ae
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }}
 
       - name: Upload to Artifactory
         env:
-          ARTIFACTORY_REPO: ssrc-deb-public-local
+          ARTIFACTORY_REPO: debian-public-local
           DISTRIBUTION: focal
           COMPONENT: fog-sw
           ARCHITECTURE: amd64

.github/workflows/tii-mesh-com.yaml → .github/workflows/tii-mesh-com.yaml.to-fix

@@ -56,6 +56,8 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
+          build-args: |
+            "ARTIFACTORY_CLOUD_TOKEN=${{ secrets.ARTIFACTORY_CLOUD_TOKEN }}"
           platforms: linux/amd64,linux/arm64,linux/riscv64
           file: ./modules/mesh_com/Dockerfile
           push: true

build.sh

@@ -16,6 +16,8 @@ iname=${PACKAGE_NAME:=mesh_com}
 
 iversion=${PACKAGE_VERSION:=latest}
 
+artifactory_cloud_token=${ARTIFACTORY_CLOUD_TOKEN:?ARTIFACTORY_CLOUD_TOKEN is not set}
+
 docker build \
   --build-arg UID=$(id -u) \
   --build-arg GID=$(id -g) \

common/tools/squid/squid.conf

@@ -0,0 +1,27 @@
+http_port 127.0.0.1:3128 ssl-bump \
+  cert=/etc/squid/ssl_cert/myCA.pem \
+  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+http_access allow all
+cache allow all
+
+sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
+
+acl step1 at_step SslBump1
+
+ssl_bump peek step1
+ssl_bump bump all
+
+acl artifactory dstdomain artifactory.ssrcdevops.tii.ae
+
+request_header_add Authorization "Bearer <token>" artifactory
+
+pid_filename none
+logfile_rotate 0
+
+# Debug
+# access_log stdio:/dev/fd/1
+# cache_log stdio:/dev/fd/2
+
+# Needed to prevent bug in docker
+max_filedescriptors 1048576

modules/mesh_com/Dockerfile

@@ -4,6 +4,10 @@ FROM --platform=${BUILDPLATFORM:-linux/amd64} ghcr.io/tiiuae/fog-ros-sdk:v3.2.0-
 # Must be defined another time after "FROM" keyword.
 ARG TARGETARCH
 
+# Needed for apt to authenticate with the custom private repo
+ARG ARTIFACTORY_CLOUD_TOKEN
+ENV ARTIFACTORY_CLOUD_TOKEN=${ARTIFACTORY_CLOUD_TOKEN}
+
 # SRC_DIR environment variable is defined in the fog-ros-sdk image.
 # The same workspace path is used by all ROS2 components.
 # See: https://github.com/tiiuae/fog-ros-baseimage/blob/main/Dockerfile.sdk_builder
@@ -22,7 +26,24 @@ FROM ghcr.io/tiiuae/fog-ros-baseimage:v3.2.0
 ENTRYPOINT [ "/entrypoint.sh" ]
 
 RUN apt update \
-    && apt install -y --no-install-recommends \
+    && apt install -y --no-install-recommends squid-openssl \
+    && apt clean \
+    && rm -rf /var/lib/apt/lists/*  \
+    && mkdir -p /etc/squid/ssl_cert \
+    && openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout /etc/squid/ssl_cert/myCA.pem -out /etc/squid/ssl_cert/myCA.pem -batch \
+    && openssl x509 -in /etc/squid/ssl_cert/myCA.pem -outform PEM -out /usr/local/share/ca-certificates/squid.crt \
+    && update-ca-certificates \
+    && mkdir -p /var/lib/squid \
+    && /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
+
+COPY common/tools/squid/ /etc/squid/
+
+# Squid proxy needed to add Authorization: Bearer <token> header for apt to authenticate with priv repo
+RUN echo "deb [trusted=yes] https://artifactory.ssrcdevops.tii.ae/artifactory/debian-public-local focal fog-sw" >> /etc/apt/sources.list \
+    && sed -i "s/<token>/$ARTIFACTORY_CLOUD_TOKEN/" /etc/squid/squid.conf \
+    && squid \
+    && apt -o "acquire::http::proxy=http://127.0.0.1:3128" update \
+    && apt -o "acquire::http::proxy=http://127.0.0.1:3128" install -y --no-install-recommends \
         alfred \
         batctl \
         iproute2 \
@@ -32,7 +53,9 @@ RUN apt update \
         pcsc-lite \
         rfkill \
         wpa-supplicant=2.9-r0 \
+    && pkill squid \
     && apt clean \
+    && rm /etc/squid/squid.conf \
     && rm -rf /var/lib/apt/lists/*
 
 COPY modules/mesh_com/entrypoint.sh /entrypoint.sh

modules/mesh_com/Dockerfile.build_env

@@ -9,26 +9,25 @@ ARG COMMIT_ID
 ARG GIT_VER
 ARG PACKAGE_NAME
 # Install build dependencies
-RUN apt-get update -y && apt-get install -y --no-install-recommends \
-    curl \
-    python3-bloom \
-    fakeroot \
-    dh-make \
-    dh-python \
-    python3-pytest \
-    ros-${ROS_DISTRO}-ament-flake8 \
-    ros-${ROS_DISTRO}-ament-pep257 \
-    batctl \
-    alfred \
+RUN apt update \
+    && apt install -y --no-install-recommends \
+       curl \
+       python3-bloom \
+       fakeroot \
+       dh-make \
+       dh-python \
+       python3-pytest \
+       ros-${ROS_DISTRO}-ament-flake8 \
+       ros-${ROS_DISTRO}-ament-pep257 \
+       batctl \
+       alfred \
     && rm -rf /var/lib/apt/lists/*
 
 RUN groupadd -g $GID builder && \
     useradd -m -u $UID -g $GID -g builder builder && \
     usermod -aG sudo builder && \
     echo 'builder ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 
-RUN echo "deb [trusted=yes] https://ssrc.jfrog.io/artifactory/ssrc-deb-public-local focal fog-sw" >> /etc/apt/sources.list
-
 WORKDIR /$PACKAGE_NAME
 
 RUN chown -R builder:builder /$PACKAGE_NAME