147 lines
4.4 KiB
Bash
Executable file
147 lines
4.4 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
# Helper: print registry "latest" tag digest and show which image each environment is running.
|
|
# - Uses docker manifest inspect to read digests.
|
|
# - Uses kubectl to read the deployed container image per namespace.
|
|
# - Relies on deploy/env.sh for registry/repo/namespaces; will load secrets for registry auth if available.
|
|
#
|
|
# Usage: ./scripts/check-versions.sh
|
|
|
|
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
|
|
# shellcheck source=/dev/null
|
|
source "$ROOT_DIR/deploy/env.sh"
|
|
|
|
: "${SOPS_AGE_KEY_FILE:=$ROOT_DIR/creds/age-key.txt}"
|
|
: "${ENCRYPTED_FILE:=$ROOT_DIR/creds/secrets.enc.env}"
|
|
: "${SECRETS_FILE:=$ROOT_DIR/creds/secrets.env}"
|
|
|
|
load_registry_creds() {
|
|
# Try repo helper if present (may decrypt creds).
|
|
if [[ -f "$ROOT_DIR/scripts/load-secrets.sh" ]]; then
|
|
# shellcheck source=/dev/null
|
|
source "$ROOT_DIR/scripts/load-secrets.sh" >/dev/null 2>&1 || true
|
|
fi
|
|
|
|
# Fallback: if secrets file is empty but encrypted exists, decrypt to temp.
|
|
if [[ ! -s "$SECRETS_FILE" && -f "$ENCRYPTED_FILE" && -f "$SOPS_AGE_KEY_FILE" && -x "$(command -v sops || true)" ]]; then
|
|
tmpfile=$(mktemp)
|
|
SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" sops -d "$ENCRYPTED_FILE" >"$tmpfile" 2>/dev/null || true
|
|
if [[ -s "$tmpfile" ]]; then
|
|
# shellcheck source=/dev/null
|
|
source "$tmpfile" || true
|
|
fi
|
|
rm -f "$tmpfile"
|
|
elif [[ -s "$SECRETS_FILE" ]]; then
|
|
# shellcheck source=/dev/null
|
|
source "$SECRETS_FILE" >/dev/null 2>&1 || true
|
|
fi
|
|
}
|
|
|
|
load_registry_creds
|
|
|
|
REGISTRY_AUTH_STATE="missing"
|
|
|
|
# Prefer repo kubeconfig if none set.
|
|
if [[ -z "${KUBECONFIG:-}" && -f "$ROOT_DIR/creds/kubeconfig.yaml" ]]; then
|
|
export KUBECONFIG="$ROOT_DIR/creds/kubeconfig.yaml"
|
|
fi
|
|
|
|
login_registry() {
|
|
if ! command -v docker >/dev/null 2>&1; then
|
|
REGISTRY_AUTH_STATE="no-docker"
|
|
return
|
|
fi
|
|
if [[ -n "${REGISTRY_USERNAME:-}" && -n "${REGISTRY_PASSWORD:-}" ]]; then
|
|
if docker login "$REGISTRY" -u "$REGISTRY_USERNAME" -p "$REGISTRY_PASSWORD" >/dev/null 2>&1; then
|
|
REGISTRY_AUTH_STATE="logged-in"
|
|
else
|
|
REGISTRY_AUTH_STATE="login-failed"
|
|
fi
|
|
else
|
|
REGISTRY_AUTH_STATE="no-creds"
|
|
fi
|
|
}
|
|
|
|
manifest_digest() {
|
|
local image="$1"
|
|
if ! command -v docker >/dev/null 2>&1; then
|
|
echo ""
|
|
return
|
|
fi
|
|
local out
|
|
out="$(
|
|
{ docker manifest inspect "$image" 2>/dev/null | python3 - <<'PY'
|
|
import json,sys
|
|
try:
|
|
raw=sys.stdin.read().strip()
|
|
if not raw:
|
|
raise SystemExit
|
|
data=json.loads(raw)
|
|
except Exception:
|
|
raise SystemExit
|
|
# Prefer amd64 manifest when multi-arch.
|
|
if "manifests" in data:
|
|
m=[m for m in data["manifests"] if m.get("platform",{}).get("architecture")=="amd64"]
|
|
if not m:
|
|
m=data["manifests"]
|
|
if m:
|
|
print(m[0].get("digest",""))
|
|
elif "config" in data and "digest" in data["config"]:
|
|
print(data["config"]["digest"])
|
|
PY
|
|
} || true
|
|
)"
|
|
echo "$out"
|
|
}
|
|
|
|
get_deployed_image() {
|
|
local namespace="$1"
|
|
kubectl -n "$namespace" get deploy "$DEPLOYMENT_NAME" -o jsonpath='{.spec.template.spec.containers[?(@.name=="'"$DEPLOYMENT_NAME"'")].image}' 2>/dev/null || true
|
|
echo
|
|
}
|
|
|
|
login_registry
|
|
|
|
LATEST_IMAGE="${REGISTRY}/${REGISTRY_REPO}:latest"
|
|
LATEST_DIGEST="$(manifest_digest "$LATEST_IMAGE")"
|
|
|
|
echo "Registry latest: $LATEST_IMAGE"
|
|
if [[ -z "$LATEST_DIGEST" ]]; then
|
|
echo " digest: unavailable (docker missing or unauthorized)"
|
|
else
|
|
echo " digest: $LATEST_DIGEST"
|
|
fi
|
|
if [[ -f "$ROOT_DIR/deploy/.last-image" ]]; then
|
|
echo "Local last built: $(cat "$ROOT_DIR/deploy/.last-image")"
|
|
fi
|
|
echo
|
|
if [[ "$REGISTRY_AUTH_STATE" != "logged-in" && "$REGISTRY_AUTH_STATE" != "missing" ]]; then
|
|
echo "Note: registry auth not established (state: $REGISTRY_AUTH_STATE); digest comparison may be unavailable."
|
|
echo " Export REGISTRY_USERNAME/REGISTRY_PASSWORD (via sops load) or run: docker login $REGISTRY"
|
|
echo
|
|
fi
|
|
|
|
for row in "testing:$TEST_NAMESPACE" "staging:$STAGING_NAMESPACE" "prod:$PROD_NAMESPACE"; do
|
|
env_name="${row%%:*}"
|
|
ns="${row##*:}"
|
|
img="$(get_deployed_image "$ns")"
|
|
if [[ -z "$img" ]]; then
|
|
echo "Env $env_name ($ns): no image found (missing deploy?)"
|
|
continue
|
|
fi
|
|
digest="$(manifest_digest "$img")"
|
|
match="no"
|
|
if [[ -n "$LATEST_DIGEST" && -n "$digest" && "$LATEST_DIGEST" == "$digest" ]]; then
|
|
match="yes"
|
|
fi
|
|
echo "Env $env_name ($ns):"
|
|
echo " image: $img"
|
|
if [[ -z "$digest" ]]; then
|
|
echo " digest: unavailable (docker missing or unauthorized)"
|
|
else
|
|
echo " digest: $digest"
|
|
fi
|
|
echo " matches latest: $match"
|
|
done
|