Bug 1508383 - pass TASKCLUSTER_{ROOT,PROXY}_URL to tasks

config.yml

@@ -53,7 +53,7 @@ defaults:
   restrictCPU: false
 
   # Image used to  create the taskcluster proxy container.
-  taskclusterProxyImage: 'taskcluster/taskcluster-proxy:4.0.1'
+  taskclusterProxyImage: 'taskcluster/taskcluster-proxy:5.0.0'
   taskclusterLogImage: 'taskcluster/livelog:v4'
   testdroidProxyImage: 'taskcluster/testdroid-proxy:0.0.7'
   balrogVPNProxyImage: 'taskclusterprivate/taskcluster-vpn-proxy:0.0.3'

deploy/packer/app/scripts/deploy.sh

@@ -43,7 +43,7 @@ sudo depmod
 relengapi_proxy_version=2.3.1
 
 # Pull images used for sidecar containers
-docker pull taskcluster/taskcluster-proxy:4.0.1
+docker pull taskcluster/taskcluster-proxy:5.0.0
 docker pull taskcluster/livelog:v4
 docker pull taskcluster/dind-service:v4.0
 docker pull taskcluster/relengapi-proxy:$relengapi_proxy_version
@@ -54,7 +54,7 @@ sudo sh -c 'echo "vm.panic_on_oom=1" >> /etc/sysctl.conf'
 sudo sh -c 'echo "kernel.panic=1" >> /etc/sysctl.conf'
 
 # Export the images as a tarball to load when insances are initialized
-docker save taskcluster/taskcluster-proxy:4.0.1 taskcluster/livelog:v4 taskcluster/dind-service:v4.0 taskcluster/relengapi-proxy:$relengapi_proxy_version > /home/ubuntu/docker_worker/docker_worker_images.tar
+docker save taskcluster/taskcluster-proxy:5.0.0 taskcluster/livelog:v4 taskcluster/dind-service:v4.0 taskcluster/relengapi-proxy:$relengapi_proxy_version > /home/ubuntu/docker_worker/docker_worker_images.tar
 
 # Blow away local docker state because it is never used. On actual workers
 # per-instance storage is initialized and Docker state goes there.

docs/features.md

@@ -95,53 +95,35 @@ References:
 #### Feature: `taskclusterProxy`
 
 The taskcluster proxy provides an easy and safe way to make authenticated
-taskcluster requests within the scope(s) of a particular task.
+taskcluster requests within the scope(s) of a particular task.  The proxy
+accepts un-authenticated requests and attaches credentials to them
+corresponding to `task.scopes` as well as scopes to upload artifacts.
 
-For example lets say we have a task like this:
+The proxy's rootUrl is available to tasks in the environment variable
+`TASKCLUSTER_PROXY_URL`.  It can be used with a client like this:
 
 ```js
-{
-  "scopes": ["a", "b"],
-  "payload": {
-    "features": {
-      "taskclusterProxy": true
-    }
-  }
-}
+var taskcluster = require('taskcluster-client');
+var queue = new taskcluster.Queue({
+  rootUrl: process.env.TASKCLUSTER_PROXY_URL,
+});
+queue.createTask(..);
 ```
 
-A special docker container is linked to your task contained named "taskcluster"
-with this container linked you can make requests to various taskcluster services
-with _only_ the scopes listed in the task (in this case ["a", "b"])
+This request would require that `task.scopes` contain the appropriate
+`queue:create-task:..` scope for the `createTask` API call.
 
-| Host | Service |
-|---------------------------------|-------------------------------|
-| queue.taskcluster.net           | taskcluster/queue/            |
-| index.taskcluster.net           | taskcluster/index/            |
-| aws-provisioner.taskcluster.net | taskcluster/aws-provisioner/  |
-| secrets.taskcluster.net         | taskcluster/secrets/          |
-| auth.taskcluster.net            | taskcluster/auth/             |
-| hooks.taskcluster.net           | taskcluster/hooks/            |
-| purge-cache.taskcluster.net     | taskcluster/purge-cache/      |
+*NOTE*: as a special case, the scopes required to call
+`queue.createArtifact(<taskId>, <runId>, ..)` are automatically included,
+regardless of `task.scopes`.
 
-and maybe more - see [the source](https://github.com/taskcluster/taskcluster-proxy/blob/master/taskcluster/services.go).
-
-For example (using curl) inside a task container.
+The proxy is easy to use within a shell command, too:
 
 ```sh
-curl taskcluster/queue/v1/<taskId>
+curl $TASKCLUSTER_PROXY_URL/api/secrets/v1/secret/my-top-secret-secret
 ```
 
-You can also use the `baseUrl` parameter in the taskcluster-client
-
-```js
-var taskcluster = require('taskcluster-client');
-var queue = new taskcluster.Queue({
- baseUrl: 'taskcluster/queue'
- });
-
-queue.getTask('<taskId>');
-```
+This invocation would require `secrets:get:my-top-secret-secret` in `task.scopes`.
 
 References:
 

src/lib/features/taskcluster_proxy.js

@@ -38,9 +38,15 @@ class TaskclusterProxy {
       cmd.push('--certificate=' + task.claim.credentials.certificate);
     }
 
+    cmd.push('--root-url=' + task.runtime.rootUrl);
+
     // supply the task's scopes, limiting what can be done via the proxy
     cmd = cmd.concat(task.task.scopes);
 
+    // ..and include the scope to create artifacts on this task, which cannot
+    // be represented in task.scopes (since it contains a taskId)
+    cmd.push(`queue:create-artifact:${task.status.taskId}/${task.runId}`);
+
     // create the container.
     this.container = await docker.createContainer({
       Image: imageId,
@@ -120,7 +126,9 @@ class TaskclusterProxy {
 
     return {
       links: [{name, alias: ALIAS}],
-      env: {}
+      env: {
+        TASKCLUSTER_PROXY_URL: `http://${ALIAS}`,
+      }
     };
   }
 

src/lib/task.js

@@ -376,6 +376,7 @@ class Task extends EventEmitter {
     env.TASKCLUSTER_INSTANCE_TYPE = this.runtime.workerNodeType;
     env.TASKCLUSTER_WORKER_GROUP = this.runtime.workerGroup;
     env.TASKCLUSTER_PUBLIC_IP = this.runtime.publicIp;
+    env.TASKCLUSTER_ROOT_URL = this.runtime.rootUrl;
 
     let privilegedTask = runAsPrivileged(
       this.task, this.runtime.dockerConfig.allowPrivileged