feat(tikv/migration): migrate CI artifacts from fileserver to OCI registry#4272
Conversation
Hi @Copilot. Thanks for your PR. I'm waiting for a PingCAP-QE member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
…OCI registry Co-authored-by: wuhuizuo <2574558+wuhuizuo@users.noreply.github.com>
## Summary

- remove `pull_unit_test` presubmit from `prow-jobs/tikv/migration/latest-presubmits.yaml`
- delete the Jenkins job DSL `jobs/tikv/migration/latest/pull_unit_test.groovy`
- delete the pipeline and pod template used by this job under `pipelines/tikv/migration/latest/`

## Context

- this is a follow-up split from #4272

Fixes #4300
Related to #4215
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wuhuizuo

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
[LGTM Timeline notifier] Timeline:

/ok-to-test
Pull request overview
This PR migrates the tikv/migration integration presubmit pipelines away from fileserver.pingcap.net by downloading required CI binaries from OCI registries (hub-zot mirror), aligning these jobs with the repo’s broader OCI artifact migration approach.
Changes:
- Refactors `tikv/migration` presubmits YAML to use shared YAML anchors for branch and Jenkins job defaults.
- Updates integration pipelines to download `tidb`/`tikv`/`pd` (+ `pd-ctl`, `etcdctl`, `go-ycsb`) via `download_pingcap_oci_artifact.sh` and sets `OCI_ARTIFACT_HOST` to the hub-zot mirror.
- Adds a `utils` sidecar container to the integration pod templates to provide OCI tooling (`oras`, `yq`, etc.).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| prow-jobs/tikv/migration/latest-presubmits.yaml | Uses shared YAML anchors to DRY up presubmit definitions (branches + Jenkins defaults). |
| pipelines/tikv/migration/latest/pull_integration_test.groovy | Switches binary preparation from fileserver to OCI downloads using the utils container + mirror host env. |
| pipelines/tikv/migration/latest/pull_integration_kafka_test.groovy | Same OCI-based binary preparation change for the Kafka integration job. |
| pipelines/tikv/migration/latest/pod-pull_integration_test.yaml | Adds utils sidecar needed for OCI artifact tooling. |
| pipelines/tikv/migration/latest/pod-pull_integration_kafka_test.yaml | Adds utils sidecar needed for OCI artifact tooling in the Kafka pod. |
| sh label: 'download test binaries via OCI', script: """ | ||
| mkdir -p ./cdc/scripts/bin | ||
| cd ./cdc/scripts/bin | ||
| ${WORKSPACE}/scripts/artifacts/download_pingcap_oci_artifact.sh \ | ||
| --tidb=${OCI_TAG_TIDB} \ | ||
| --tikv=${OCI_TAG_TIKV} \ | ||
| --pd=${OCI_TAG_PD} \ | ||
| --pd-ctl=${OCI_TAG_PD} \ | ||
| --etcdctl=${OCI_TAG_ETCD} \ | ||
| --ycsb=${OCI_TAG_YCSB} | ||
| chmod +x tidb-server tikv-server pd-server pd-ctl etcdctl go-ycsb | ||
| cd ../../ | ||
| touch prepare_test_binaries | ||
| ls -alh | ||
| """ |
The OCI download step is doing network fetches but isn’t wrapped in retry(...), unlike similar pipelines in this repo. Consider adding a small retry around the download script invocation to reduce CI flakiness from transient registry/network errors.
| sh label: 'download test binaries via OCI', script: """ | |
| mkdir -p ./cdc/scripts/bin | |
| cd ./cdc/scripts/bin | |
| ${WORKSPACE}/scripts/artifacts/download_pingcap_oci_artifact.sh \ | |
| --tidb=${OCI_TAG_TIDB} \ | |
| --tikv=${OCI_TAG_TIKV} \ | |
| --pd=${OCI_TAG_PD} \ | |
| --pd-ctl=${OCI_TAG_PD} \ | |
| --etcdctl=${OCI_TAG_ETCD} \ | |
| --ycsb=${OCI_TAG_YCSB} | |
| chmod +x tidb-server tikv-server pd-server pd-ctl etcdctl go-ycsb | |
| cd ../../ | |
| touch prepare_test_binaries | |
| ls -alh | |
| """ | |
| retry(3) { | |
| sh label: 'download test binaries via OCI', script: """ | |
| mkdir -p ./cdc/scripts/bin | |
| cd ./cdc/scripts/bin | |
| ${WORKSPACE}/scripts/artifacts/download_pingcap_oci_artifact.sh \ | |
| --tidb=${OCI_TAG_TIDB} \ | |
| --tikv=${OCI_TAG_TIKV} \ | |
| --pd=${OCI_TAG_PD} \ | |
| --pd-ctl=${OCI_TAG_PD} \ | |
| --etcdctl=${OCI_TAG_ETCD} \ | |
| --ycsb=${OCI_TAG_YCSB} | |
| chmod +x tidb-server tikv-server pd-server pd-ctl etcdctl go-ycsb | |
| cd ../../ | |
| touch prepare_test_binaries | |
| ls -alh | |
| """ | |
| } |
| // tidb-server: hub-zot.pingcap.net/mirrors/hub/pingcap/tidb/package:<tag>_linux_amd64 | ||
| // tikv-server: hub-zot.pingcap.net/mirrors/hub/tikv/tikv/package:<tag>_linux_amd64 | ||
| // pd-server: hub-zot.pingcap.net/mirrors/hub/tikv/pd/package:<tag>_linux_amd64 | ||
| OCI_ARTIFACT_HOST = 'hub-zot.pingcap.net/mirrors/hub' |
download_pingcap_oci_artifact.sh uses OCI_ARTIFACT_HOST_COMMUNITY (defaulting to us-docker.pkg.dev/.../hub) for third-party artifacts like --etcdctl and --ycsb. If these jobs are intended to pull all artifacts via the hub-zot mirror, also set OCI_ARTIFACT_HOST_COMMUNITY (or export it just for the script invocation) to the mirror registry; otherwise these downloads will still hit the community registry.
| OCI_ARTIFACT_HOST = 'hub-zot.pingcap.net/mirrors/hub' | |
| OCI_ARTIFACT_HOST = 'hub-zot.pingcap.net/mirrors/hub' | |
| OCI_ARTIFACT_HOST_COMMUNITY = 'hub-zot.pingcap.net/mirrors/hub' |
| sh label: 'download test binaries via OCI', script: """ | ||
| mkdir -p ./cdc/scripts/bin | ||
| cd ./cdc/scripts/bin | ||
| ${WORKSPACE}/scripts/artifacts/download_pingcap_oci_artifact.sh \ | ||
| --tidb=${OCI_TAG_TIDB} \ | ||
| --tikv=${OCI_TAG_TIKV} \ | ||
| --pd=${OCI_TAG_PD} \ | ||
| --pd-ctl=${OCI_TAG_PD} \ | ||
| --etcdctl=${OCI_TAG_ETCD} \ | ||
| --ycsb=${OCI_TAG_YCSB} | ||
| chmod +x tidb-server tikv-server pd-server pd-ctl etcdctl go-ycsb | ||
| cd ../../ | ||
| touch prepare_test_binaries | ||
| ls -alh | ||
| """ |
The OCI download step is doing network fetches but isn’t wrapped in retry(...), unlike similar pipelines in this repo. Consider adding a small retry around the download script invocation to reduce CI flakiness from transient registry/network errors.
| sh label: 'download test binaries via OCI', script: """ | |
| mkdir -p ./cdc/scripts/bin | |
| cd ./cdc/scripts/bin | |
| ${WORKSPACE}/scripts/artifacts/download_pingcap_oci_artifact.sh \ | |
| --tidb=${OCI_TAG_TIDB} \ | |
| --tikv=${OCI_TAG_TIKV} \ | |
| --pd=${OCI_TAG_PD} \ | |
| --pd-ctl=${OCI_TAG_PD} \ | |
| --etcdctl=${OCI_TAG_ETCD} \ | |
| --ycsb=${OCI_TAG_YCSB} | |
| chmod +x tidb-server tikv-server pd-server pd-ctl etcdctl go-ycsb | |
| cd ../../ | |
| touch prepare_test_binaries | |
| ls -alh | |
| """ | |
| retry(2) { | |
| sh label: 'download test binaries via OCI', script: """ | |
| mkdir -p ./cdc/scripts/bin | |
| cd ./cdc/scripts/bin | |
| ${WORKSPACE}/scripts/artifacts/download_pingcap_oci_artifact.sh \ | |
| --tidb=${OCI_TAG_TIDB} \ | |
| --tikv=${OCI_TAG_TIKV} \ | |
| --pd=${OCI_TAG_PD} \ | |
| --pd-ctl=${OCI_TAG_PD} \ | |
| --etcdctl=${OCI_TAG_ETCD} \ | |
| --ycsb=${OCI_TAG_YCSB} | |
| chmod +x tidb-server tikv-server pd-server pd-ctl etcdctl go-ycsb | |
| cd ../../ | |
| touch prepare_test_binaries | |
| ls -alh | |
| """ | |
| } |
| // tidb-server: hub-zot.pingcap.net/mirrors/hub/pingcap/tidb/package:<tag>_linux_amd64 | ||
| // tikv-server: hub-zot.pingcap.net/mirrors/hub/tikv/tikv/package:<tag>_linux_amd64 | ||
| // pd-server: hub-zot.pingcap.net/mirrors/hub/tikv/pd/package:<tag>_linux_amd64 | ||
| OCI_ARTIFACT_HOST = 'hub-zot.pingcap.net/mirrors/hub' |
download_pingcap_oci_artifact.sh uses OCI_ARTIFACT_HOST_COMMUNITY (defaulting to us-docker.pkg.dev/.../hub) for third-party artifacts like --etcdctl and --ycsb. If these jobs are intended to pull all artifacts via the hub-zot mirror, also set OCI_ARTIFACT_HOST_COMMUNITY (or export it just for the script invocation) to the mirror registry; otherwise these downloads will still hit the community registry.
| OCI_ARTIFACT_HOST = 'hub-zot.pingcap.net/mirrors/hub' | |
| OCI_ARTIFACT_HOST = 'hub-zot.pingcap.net/mirrors/hub' | |
| // Community / third-party artifacts (e.g. etcdctl, ycsb) via the same mirror | |
| OCI_ARTIFACT_HOST_COMMUNITY = 'hub-zot.pingcap.net/mirrors/hub' |
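Review bot: the suggestion points `OCI_ARTIFACT_HOST_COMMUNITY` at the same `hub-zot.pingcap.net/mirrors/hub` prefix as `OCI_ARTIFACT_HOST`, but the comment above says the community default is `us-docker.pkg.dev/.../hub`, a different upstream registry; confirm that the mirror proxies that namespace under the same `mirrors/hub` path (a `mirrors/<upstream>` layout suggests it may not) before adopting the line, otherwise `--etcdctl` and `--ycsb` will fail to resolve instead of being served from the mirror.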
| ${WORKSPACE}/scripts/artifacts/download_pingcap_oci_artifact.sh \ | ||
| --tidb=${OCI_TAG_TIDB} \ | ||
| --tikv=${OCI_TAG_TIKV} \ | ||
| --pd=${OCI_TAG_PD} \ | ||
| --pd-ctl=${OCI_TAG_PD} \ | ||
| --etcdctl=${OCI_TAG_ETCD} \ | ||
| --ycsb=${OCI_TAG_YCSB} |
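Review bot: because `--tidb=${OCI_TAG_TIDB}` and the other five arguments are expanded by Groovy into the script text before `sh` runs, wrapping them in quotes inside the triple-quoted string is not enough (a tag containing `"` or `$(` still breaks out). Keep the tags out of the script text entirely: export them into the step's environment (e.g. `withEnv(["OCI_TAG_TIDB=${OCI_TAG_TIDB}", ...])`, or set them where `OCI_ARTIFACT_HOST` is set) and write the script as a non-interpolating `'''...'''` string that references `"$OCI_TAG_TIDB"`, so the shell expands each value as a single argument; and reject any tag that does not match the OCI tag grammar `[A-Za-z0-9_][A-Za-z0-9._-]{0,127}` before the step runs, which also rules out a tag beginning with `-` being read as an option by the script.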
The sh step builds a shell command line where --tidb=${OCI_TAG_TIDB}, --tikv=${OCI_TAG_TIKV}, and other flags interpolate values derived from the PR title into an unquoted shell context. Because OCI_TAG_* values come from component.computeArtifactOciTagFromPR, which can be influenced via the PR title and allows shell metacharacters like ;, an attacker can craft a PR title such that the resulting tag injects arbitrary commands executed in the CI container. Treat OCI_TAG_* as untrusted: strictly validate/whitelist allowed characters for tags and ensure they are passed as safely quoted arguments (or via an array/parameter mechanism) so no shell metacharacters can break out of the intended argument.
| ${WORKSPACE}/scripts/artifacts/download_pingcap_oci_artifact.sh \ | ||
| --tidb=${OCI_TAG_TIDB} \ | ||
| --tikv=${OCI_TAG_TIKV} \ | ||
| --pd=${OCI_TAG_PD} \ | ||
| --pd-ctl=${OCI_TAG_PD} \ | ||
| --etcdctl=${OCI_TAG_ETCD} \ | ||
| --ycsb=${OCI_TAG_YCSB} |
This sh invocation interpolates OCI_TAG_* values (computed from PR metadata via component.computeArtifactOciTagFromPR) directly into a shell command as unquoted arguments like --tidb=${OCI_TAG_TIDB}. Since the PR title can include shell metacharacters (e.g., ;, &) that are preserved by computeArtifactOciTagFromPR, a malicious PR author could craft a title that turns these arguments into a command-injection vector, executing arbitrary commands in the CI utils container. Please treat these tag values as untrusted: constrain them to a safe character set and ensure they are safely quoted/passed to the script so injected shell syntax cannot alter the command flow.
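The injection path described in the two review comments above (a PR-title-derived tag spliced by Groovy into the text of an `sh` step) and the validate-and-quote fix they ask for, as an added shell example that is not code from PingCAP-QE/ci. Neither `download_pingcap_oci_artifact.sh` nor `computeArtifactOciTagFromPR` is on this page, so `download_args_ok` is a stand-in for the argument check a download script should perform, `printf` stands in for the actual download, the allow-list is the OCI distribution spec's tag grammar `[A-Za-z0-9_][A-Za-z0-9._-]{0,127}`, and the function names (`valid_oci_tag`, `vulnerable_invoke`, `quoted_invoke`, `safe_invoke`) and the hostile tag are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from PingCAP-QE/ci: why a PR-derived OCI tag spliced
# into the text of a shell command is injectable, and how to validate and pass
# it so it cannot alter the command. printf stands in for the real download so
# everything runs offline.

# Bracket ranges below are bytewise only in the C locale.
LC_ALL=C
export LC_ALL

# Allow-list: the OCI distribution spec tag grammar (assumed here as the
# policy): [A-Za-z0-9_][A-Za-z0-9._-]{0,127}. Returns 0 for a valid tag,
# 1 otherwise. Rejecting a leading '-' also keeps a tag from being parsed as
# an option by whatever script receives it.
valid_oci_tag() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;  # empty, or a char outside the set
    [._-]*) return 1 ;;                  # first char must be alnum or '_'
  esac
  [ "${#1}" -le 128 ]
}

# Stand-in for the argument check a download script should do before it
# touches the network (the real download_pingcap_oci_artifact.sh is not on
# this page): each --<component>=TAG must carry a valid tag, nothing else.
download_args_ok() {
  for arg in "$@"; do
    case "$arg" in
      --tidb=* | --tikv=* | --pd=* | --pd-ctl=* | --etcdctl=* | --ycsb=*)
        valid_oci_tag "${arg#*=}" || return 1 ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Vulnerable pattern, mirroring a Groovy GString sh step: the tag is
# substituted into the script TEXT before any shell parses it, so a tag such
# as 'v8.0.0;echo INJECTED' turns into two commands.
vulnerable_invoke() {
  tag=$1
  sh -c "printf 'download tidb %s\n' --tidb=$tag"
}

# Quoting alone: the script text is a fixed single-quoted string and the tag
# arrives through the environment; the inner shell expands "$TAG" as exactly
# one argument, so metacharacters stay data. In Jenkins this is the
# withEnv([...]) plus non-interpolating '''...''' form.
quoted_invoke() {
  TAG=$1 sh -c 'printf "download tidb %s\n" "--tidb=$TAG"'
}

# Hardened pattern: validate first, then pass the tag out-of-band. A bad tag
# never reaches a command line at all.
safe_invoke() {
  valid_oci_tag "$1" || { echo "rejected tag: $1" >&2; return 1; }
  quoted_invoke "$1"
}

# Demo with a constructed hostile tag (the kind a PR title could supply).
hostile='v8.0.0;echo INJECTED'
echo '--- vulnerable (second line is the injected command) ---'
vulnerable_invoke "$hostile"
echo '--- quoted only (one line, tag preserved as data) ---'
quoted_invoke "$hostile"
echo '--- validated (rejected before any command runs) ---'
safe_invoke "$hostile" || true
safe_invoke 'v8.5.0_linux_amd64'
```

Quoting and validation are kept as separate functions on purpose: `quoted_invoke` shows that passing the value through the environment is what stops the `;` from being parsed, and `safe_invoke` shows that the grammar check is still wanted on top of it, since a tag that is merely inert in the shell can still be an unexpected option or an unresolvable reference for the download script.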
Migrates `tikv/migration` integration CI jobs from `fileserver.pingcap.net` to OCI artifacts in `hub-zot.pingcap.net/mirrors/hub`.

## Changes

- Update `pull_integration_test.groovy` and `pull_integration_kafka_test.groovy` to prepare integration binaries via OCI
- Reproduce `make prepare_test_binaries` semantics by downloading required artifacts into `cdc/scripts/bin` (`tidb-server`, `tikv-server`, `pd-server`, `pd-ctl`, `etcdctl`, `go-ycsb`)
- Set `OCI_ARTIFACT_HOST` to `hub-zot.pingcap.net/mirrors/hub` in integration pipelines
- Add a `utils` sidecar (`ghcr.io/pingcap-qe/cd/utils/release`) in integration pod templates for OCI tooling support
- Refactor `prow-jobs/tikv/migration/latest-presubmits.yaml` with shared YAML anchors

## Follow-up split out

- `pull_unit_test` removal is tracked separately in ci(tikv/migration): remove pull_unit_test job from ci repo #4300 and implemented in ci(tikv/migration): remove pull_unit_test job #4301

Fixes #4215