diff --git a/scripts/check-versions.sh b/scripts/check-versions.sh
index e4195d4..049d264 100755
--- a/scripts/check-versions.sh
+++ b/scripts/check-versions.sh
@@ -13,11 +13,35 @@ ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 # shellcheck source=/dev/null
 source "$ROOT_DIR/deploy/env.sh"
-# Load secrets (for REGISTRY_USERNAME/PASSWORD) if present.
-if [[ -f "$ROOT_DIR/scripts/load-secrets.sh" ]]; then
- # shellcheck source=/dev/null
- source "$ROOT_DIR/scripts/load-secrets.sh" >/dev/null 2>&1 || true
-fi
+: "${SOPS_AGE_KEY_FILE:=$ROOT_DIR/creds/age-key.txt}"
+: "${ENCRYPTED_FILE:=$ROOT_DIR/creds/secrets.enc.env}"
+: "${SECRETS_FILE:=$ROOT_DIR/creds/secrets.env}"
+
+load_registry_creds() {
+ # Try repo helper if present (may decrypt creds).
+ if [[ -f "$ROOT_DIR/scripts/load-secrets.sh" ]]; then
+ # shellcheck source=/dev/null
+ source "$ROOT_DIR/scripts/load-secrets.sh" >/dev/null 2>&1 || true
+ fi
+
+ # Fallback: if secrets file is empty but encrypted exists, decrypt to temp.
+ if [[ ! -s "$SECRETS_FILE" && -f "$ENCRYPTED_FILE" && -f "$SOPS_AGE_KEY_FILE" && -x "$(command -v sops || true)" ]]; then
+ tmpfile=$(mktemp)
+ SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" sops -d "$ENCRYPTED_FILE" >"$tmpfile" 2>/dev/null || true
+ if [[ -s "$tmpfile" ]]; then
+ # shellcheck source=/dev/null
+ source "$tmpfile" || true
+ fi
+ rm -f "$tmpfile"
+ elif [[ -s "$SECRETS_FILE" ]]; then
+ # shellcheck source=/dev/null
+ source "$SECRETS_FILE" >/dev/null 2>&1 || true
+ fi
+}
+
+load_registry_creds
+
+REGISTRY_AUTH_STATE="missing"
 # Prefer repo kubeconfig if none set.
 if [[ -z "${KUBECONFIG:-}" && -f "$ROOT_DIR/creds/kubeconfig.yaml" ]]; then
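Review bot: The decrypted secrets in `load_registry_creds` are written to `$tmpfile` with no cleanup trap, so an interrupt between `mktemp` and `rm -f` leaves plaintext credentials on disk, and `tmpfile` is not `local`, so it also leaks into the caller's scope. Declare it and tie removal to the function's return: `local tmpfile; tmpfile=$(mktemp) || return; trap 'rm -f -- "$tmpfile"' RETURN`. Alternatively, `source <(SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" sops -d "$ENCRYPTED_FILE" 2>/dev/null)` keeps the plaintext off disk entirely. Note also that `|| true` after `sops -d` with stderr discarded makes a wrong key file indistinguishable from a missing one; a one-line warning to stderr on decryption failure would save a debugging round-trip.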
@@ -25,13 +49,27 @@ if [[ -z "${KUBECONFIG:-}" && -f "$ROOT_DIR/creds/kubeconfig.yaml" ]]; then
 fi
 login_registry() {
+ if ! command -v docker >/dev/null 2>&1; then
+ REGISTRY_AUTH_STATE="no-docker"
+ return
+ fi
 if [[ -n "${REGISTRY_USERNAME:-}" && -n "${REGISTRY_PASSWORD:-}" ]]; then
- docker login "$REGISTRY" -u "$REGISTRY_USERNAME" -p "$REGISTRY_PASSWORD" >/dev/null 2>&1 || true
+ if docker login "$REGISTRY" -u "$REGISTRY_USERNAME" -p "$REGISTRY_PASSWORD" >/dev/null 2>&1; then
+ REGISTRY_AUTH_STATE="logged-in"
+ else
+ REGISTRY_AUTH_STATE="login-failed"
+ fi
+ else
+ REGISTRY_AUTH_STATE="no-creds"
 fi
 }
 manifest_digest() {
 local image="$1"
+ if ! command -v docker >/dev/null 2>&1; then
+ echo ""
+ return
+ fi
 local out
 out="$(
 { docker manifest inspect "$image" 2>/dev/null | python3 - <<'PY'
@@ -70,11 +108,20 @@ LATEST_IMAGE="${REGISTRY}/${REGISTRY_REPO}:latest"
 LATEST_DIGEST="$(manifest_digest "$LATEST_IMAGE")"
 echo "Registry latest: $LATEST_IMAGE"
-echo " digest: ${LATEST_DIGEST:-n/a (docker unavailable or unauthorized)}"
+if [[ -z "$LATEST_DIGEST" ]]; then
+ echo " digest: unavailable (docker missing or unauthorized)"
+else
+ echo " digest: $LATEST_DIGEST"
+fi
 if [[ -f "$ROOT_DIR/deploy/.last-image" ]]; then
 echo "Local last built: $(cat "$ROOT_DIR/deploy/.last-image")"
 fi
 echo
+if [[ "$REGISTRY_AUTH_STATE" != "logged-in" && "$REGISTRY_AUTH_STATE" != "missing" ]]; then
+ echo "Note: registry auth not established (state: $REGISTRY_AUTH_STATE); digest comparison may be unavailable."
+ echo " Export REGISTRY_USERNAME/REGISTRY_PASSWORD (via sops load) or run: docker login $REGISTRY"
+ echo
+fi
 for row in "testing:$TEST_NAMESPACE" "staging:$STAGING_NAMESPACE" "prod:$PROD_NAMESPACE"; do
 env_name="${row%%:*}"
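Review bot: The rewritten `docker login` branch in `login_registry` still passes the secret as `-p "$REGISTRY_PASSWORD"`, which exposes it in the process list and in any `set -x` trace for the duration of the login; docker's `--password-stdin` avoids that: `if printf '%s' "$REGISTRY_PASSWORD" | docker login "$REGISTRY" -u "$REGISTRY_USERNAME" --password-stdin >/dev/null 2>&1; then`. Because stderr is discarded, a `login-failed` state carries no reason; capturing docker's stderr into a variable and printing it alongside the later hint would make the failure actionable. In `manifest_digest`, the early-return `echo ""` is equivalent to a bare `echo`; the rest of that function (the `out="$(` block and its heredoc) continues outside the hunk.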
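Review bot: The auth hint at the end of the second hunk is suppressed for `REGISTRY_AUTH_STATE == "missing"`, which is the initial value set before any login attempt, so if `login_registry` is not reached (its call site is outside the hunk) a missing digest prints `unavailable (docker missing or unauthorized)` with no guidance; treating only `logged-in` as the quiet case, `if [[ "$REGISTRY_AUTH_STATE" != "logged-in" ]]; then`, would avoid that. If `missing` is meant as "login intentionally skipped", a comment on the assignment in the first hunk such as `# "missing": login_registry not run; excluded from the auth hint below` would make that explicit. The `if/else` that prints the digest here is repeated per environment in the last hunk; a small `print_digest` helper taking the value would remove the duplication.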
@@ -91,6 +138,10 @@ for row in "testing:$TEST_NAMESPACE" "staging:$STAGING_NAMESPACE" "prod:$PROD_NA
 fi
 echo "Env $env_name ($ns):"
 echo " image: $img"
- echo " digest: ${digest:-n/a}"
+ if [[ -z "$digest" ]]; then
+ echo " digest: unavailable (docker missing or unauthorized)"
+ else
+ echo " digest: $digest"
+ fi
 echo " matches latest: $match"
 done