kubespray/scripts/download_hash.py

#!/usr/bin/env python3

# After a new version of Kubernetes has been released,
# run this script to update roles/kubespray-defaults/defaults/main/download.yml
# with new hashes.

import sys

from itertools import count, groupby
from collections import defaultdict
import argparse
import requests
from ruamel.yaml import YAML
from packaging.version import Version

CHECKSUMS_YML = "../roles/kubespray-defaults/defaults/main/checksums.yml"

def open_checksums_yaml():
    yaml = YAML()
    yaml.explicit_start = True
    yaml.preserve_quotes = True
    yaml.width = 4096

    with open(CHECKSUMS_YML, "r") as checksums_yml:
        data = yaml.load(checksums_yml)

    return data, yaml

def version_compare(version):
    return Version(version.removeprefix("v"))

downloads = {
    "containerd_archive": "https://github.com/containerd/containerd/releases/download/v{version}/containerd-{version}-{os}-{arch}.tar.gz.sha256sum",
    "kubeadm": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubeadm.sha256",
    "kubectl": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubectl.sha256",
    "kubelet": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubelet.sha256",
    "runc": "https://github.com/opencontainers/runc/releases/download/{version}/runc.sha256sum",
}

def download_hash(only_downloads: [str]) -> None:
    # Handle hashes not directly in one url per hash. Return dict of hashs indexed by arch
    download_hash_extract = {
            "runc": lambda hashes : {
                parts[1].split('.')[1] : parts[0]
                for parts in (line.split()
                              for line in hashes.split('\n')[3:9])
                },
            }

    data, yaml = open_checksums_yaml()

    for download, url in (downloads if only_downloads == []
                          else {k:downloads[k] for k in downloads.keys() & only_downloads}).items():
        checksum_name = f"{download}_checksums"
        # Propagate new patch versions to all architectures
        for arch in data[checksum_name].values():
            for arch2 in data[checksum_name].values():
                arch.update({
                    v:("NONE" if arch2[v] == "NONE" else 0)
                    for v in (set(arch2.keys()) - set(arch.keys()))
                    if v.split('.')[2] == '0'})
                    # this is necessary to make the script indempotent,
                    # by only adding a vX.X.0 version (=minor release) in each arch
                    # and letting the rest of the script populate the potential
                    # patch versions

        for arch, versions in data[checksum_name].items():
            for minor, patches in groupby(versions.copy().keys(), lambda v : '.'.join(v.split('.')[:-1])):
                for version in (f"{minor}.{patch}" for patch in
                                count(start=int(max(patches, key=version_compare).split('.')[-1]),
                                      step=1)):
                    # Those barbaric generators do the following:
                    # Group all patches versions by minor number, take the newest and start from that
                    # to find new versions
                    if version in versions and versions[version] != 0:
                        continue
                    hash_file = requests.get(downloads[download].format(
                        version = version,
                        os = "linux",
                        arch = arch
                        ),
                     allow_redirects=True)
                    if hash_file.status_code == 404:
                        print(f"Unable to find {download} hash file for version {version} (arch: {arch}) at {hash_file.url}")
                        break
                    hash_file.raise_for_status()
                    sha256sum = hash_file.content.decode()
                    if download in download_hash_extract:
                        sha256sum = download_hash_extract[download](sha256sum).get(arch)
                        if sha256sum == None:
                            break
                    sha256sum = sha256sum.split()[0]

                    if len(sha256sum) != 64:
                        raise Exception(f"Checksum has an unexpected length: {len(sha256sum)} (binary: {download}, arch: {arch}, release: {version}, checksum: '{sha256sum}')")
                    data[checksum_name][arch][version] = sha256sum
        data[checksum_name] = {arch : {r : releases[r] for r in sorted(releases.keys(),
                                                  key=version_compare,
                                                  reverse=True)}
                               for arch, releases in data[checksum_name].items()}

    with open(CHECKSUMS_YML, "w") as checksums_yml:
        yaml.dump(data, checksums_yml)
        print(f"\n\nUpdated {CHECKSUMS_YML}\n")

parser = argparse.ArgumentParser(description=f"Add new patch versions hashes in {CHECKSUMS_YML}")
parser.add_argument('binaries', nargs='*', choices=downloads.keys())

args = parser.parse_args()
download_hash(args.binaries)
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00			`#!/usr/bin/env python3`

			`# After a new version of Kubernetes has been released,`
Fix the path of download.yml (#10711) Signed-off-by: tu1h <lihai.tu@daocloud.io> 2023-12-12 20:47:27 +08:00			`# run this script to update roles/kubespray-defaults/defaults/main/download.yml`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00			`# with new hashes.`

			`import sys`

download_hash.py: generalized and data-driven The script is currently limited to one hardcoded URL for kubernetes related binaries, and a fixed set of architectures. The solution is three-fold: 1. Use an url template dictionary for each download -> this allow to easily add support for new downloads. 2. Source the architectures to search from the existing data 3. Enumerate the existing versions in the data and start searching from the last one until no newer version is found (newer in the version order sense, irrespective of actual age) 2024-02-02 23:01:14 +08:00			`from itertools import count, groupby`
Download hash script: auto discover versions (#10849) * Download patches version automatically from a minor * Automate versions discovery for hash download * Small refactoring 2024-01-30 10:06:10 +08:00			`from collections import defaultdict`
download_hash: argument handling with argparse Allow the script to be called with a list of components, to only download new versions checksums for those. By default, we get new versions checksums for all supported (by the script) components. 2024-09-05 21:58:36 +08:00			`import argparse`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00			`import requests`
			`from ruamel.yaml import YAML`
Download hash script: auto discover versions (#10849) * Download patches version automatically from a minor * Automate versions discovery for hash download * Small refactoring 2024-01-30 10:06:10 +08:00			`from packaging.version import Version`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
chore: improve performance of python script for hash download (#10335) The old version of the script downloaded all binaries and generated file checksums locally. This was a slow process since all binaries of all architectures needed to be downloaded. The new version simply downloads the .sha256 files containing the binary checksum in text form which saves a lot of traffic and time. 2024-01-23 23:41:20 +08:00			`CHECKSUMS_YML = "../roles/kubespray-defaults/defaults/main/checksums.yml"`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
chore: improve performance of python script for hash download (#10335) The old version of the script downloaded all binaries and generated file checksums locally. This was a slow process since all binaries of all architectures needed to be downloaded. The new version simply downloads the .sha256 files containing the binary checksum in text form which saves a lot of traffic and time. 2024-01-23 23:41:20 +08:00			`def open_checksums_yaml():`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00			`yaml = YAML()`
			`yaml.explicit_start = True`
			`yaml.preserve_quotes = True`
			`yaml.width = 4096`

chore: improve performance of python script for hash download (#10335) The old version of the script downloaded all binaries and generated file checksums locally. This was a slow process since all binaries of all architectures needed to be downloaded. The new version simply downloads the .sha256 files containing the binary checksum in text form which saves a lot of traffic and time. 2024-01-23 23:41:20 +08:00			`with open(CHECKSUMS_YML, "r") as checksums_yml:`
			`data = yaml.load(checksums_yml)`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
			`return data, yaml`

download_hash.py: generalized and data-driven The script is currently limited to one hardcoded URL for kubernetes related binaries, and a fixed set of architectures. The solution is three-fold: 1. Use an url template dictionary for each download -> this allow to easily add support for new downloads. 2. Source the architectures to search from the existing data 3. Enumerate the existing versions in the data and start searching from the last one until no newer version is found (newer in the version order sense, irrespective of actual age) 2024-02-02 23:01:14 +08:00			`def version_compare(version):`
			`return Version(version.removeprefix("v"))`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
download_hash: argument handling with argparse Allow the script to be called with a list of components, to only download new versions checksums for those. By default, we get new versions checksums for all supported (by the script) components. 2024-09-05 21:58:36 +08:00			`downloads = {`
			`"containerd_archive": "https://github.com/containerd/containerd/releases/download/v{version}/containerd-{version}-{os}-{arch}.tar.gz.sha256sum",`
			`"kubeadm": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubeadm.sha256",`
			`"kubectl": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubectl.sha256",`
			`"kubelet": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubelet.sha256",`
			`"runc": "https://github.com/opencontainers/runc/releases/download/{version}/runc.sha256sum",`
			`}`

			`def download_hash(only_downloads: [str]) -> None:`
download_hash.py: support for 'multi-hash' file + runc runc upstream does not provide one hash file per assets in their releases, but one file with all the hashes. To handle this (and/or any arbitrary format from upstreams), add a dictionary mapping the name of the download to a lambda function which transform the file provided by upstream into a dictionary of hashes, keyed by architecture. 2024-02-03 03:48:08 +08:00			`# Handle hashes not directly in one url per hash. Return dict of hashs indexed by arch`
			`download_hash_extract = {`
			`"runc": lambda hashes : {`
			`parts[1].split('.')[1] : parts[0]`
			`for parts in (line.split()`
			`for line in hashes.split('\n')[3:9])`
			`},`
			`}`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
chore: improve performance of python script for hash download (#10335) The old version of the script downloaded all binaries and generated file checksums locally. This was a slow process since all binaries of all architectures needed to be downloaded. The new version simply downloads the .sha256 files containing the binary checksum in text form which saves a lot of traffic and time. 2024-01-23 23:41:20 +08:00			`data, yaml = open_checksums_yaml()`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
download_hash: argument handling with argparse Allow the script to be called with a list of components, to only download new versions checksums for those. By default, we get new versions checksums for all supported (by the script) components. 2024-09-05 21:58:36 +08:00			`for download, url in (downloads if only_downloads == []`
			`else {k:downloads[k] for k in downloads.keys() & only_downloads}).items():`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00			`checksum_name = f"{download}_checksums"`
download_hash: propagate new patch versions to all archs 2024-09-05 22:39:04 +08:00			`# Propagate new patch versions to all architectures`
			`for arch in data[checksum_name].values():`
			`for arch2 in data[checksum_name].values():`
			`arch.update({`
			`v:("NONE" if arch2[v] == "NONE" else 0)`
			`for v in (set(arch2.keys()) - set(arch.keys()))`
			`if v.split('.')[2] == '0'})`
			`# this is necessary to make the script indempotent,`
			`# by only adding a vX.X.0 version (=minor release) in each arch`
			`# and letting the rest of the script populate the potential`
			`# patch versions`

download_hash.py: generalized and data-driven The script is currently limited to one hardcoded URL for kubernetes related binaries, and a fixed set of architectures. The solution is three-fold: 1. Use an url template dictionary for each download -> this allow to easily add support for new downloads. 2. Source the architectures to search from the existing data 3. Enumerate the existing versions in the data and start searching from the last one until no newer version is found (newer in the version order sense, irrespective of actual age) 2024-02-02 23:01:14 +08:00			`for arch, versions in data[checksum_name].items():`
			`for minor, patches in groupby(versions.copy().keys(), lambda v : '.'.join(v.split('.')[:-1])):`
			`for version in (f"{minor}.{patch}" for patch in`
			`count(start=int(max(patches, key=version_compare).split('.')[-1]),`
			`step=1)):`
			`# Those barbaric generators do the following:`
			`# Group all patches versions by minor number, take the newest and start from that`
			`# to find new versions`
			`if version in versions and versions[version] != 0:`
Download hash script: auto discover versions (#10849) * Download patches version automatically from a minor * Automate versions discovery for hash download * Small refactoring 2024-01-30 10:06:10 +08:00			`continue`
download_hash.py: generalized and data-driven The script is currently limited to one hardcoded URL for kubernetes related binaries, and a fixed set of architectures. The solution is three-fold: 1. Use an url template dictionary for each download -> this allow to easily add support for new downloads. 2. Source the architectures to search from the existing data 3. Enumerate the existing versions in the data and start searching from the last one until no newer version is found (newer in the version order sense, irrespective of actual age) 2024-02-02 23:01:14 +08:00			`hash_file = requests.get(downloads[download].format(`
			`version = version,`
			`os = "linux",`
			`arch = arch`
			`),`
			`allow_redirects=True)`
Download hash script: auto discover versions (#10849) * Download patches version automatically from a minor * Automate versions discovery for hash download * Small refactoring 2024-01-30 10:06:10 +08:00			`if hash_file.status_code == 404:`
download_hash.py: generalized and data-driven The script is currently limited to one hardcoded URL for kubernetes related binaries, and a fixed set of architectures. The solution is three-fold: 1. Use an url template dictionary for each download -> this allow to easily add support for new downloads. 2. Source the architectures to search from the existing data 3. Enumerate the existing versions in the data and start searching from the last one until no newer version is found (newer in the version order sense, irrespective of actual age) 2024-02-02 23:01:14 +08:00			`print(f"Unable to find {download} hash file for version {version} (arch: {arch}) at {hash_file.url}")`
Download hash script: auto discover versions (#10849) * Download patches version automatically from a minor * Automate versions discovery for hash download * Small refactoring 2024-01-30 10:06:10 +08:00			`break`
			`hash_file.raise_for_status()`
download_hash.py: support for 'multi-hash' file + runc runc upstream does not provide one hash file per assets in their releases, but one file with all the hashes. To handle this (and/or any arbitrary format from upstreams), add a dictionary mapping the name of the download to a lambda function which transform the file provided by upstream into a dictionary of hashes, keyed by architecture. 2024-02-03 03:48:08 +08:00			`sha256sum = hash_file.content.decode()`
			`if download in download_hash_extract:`
			`sha256sum = download_hash_extract[download](sha256sum).get(arch)`
			`if sha256sum == None:`
			`break`
			`sha256sum = sha256sum.split()[0]`

Download hash script: auto discover versions (#10849) * Download patches version automatically from a minor * Automate versions discovery for hash download * Small refactoring 2024-01-30 10:06:10 +08:00			`if len(sha256sum) != 64:`
download_hash.py: generalized and data-driven The script is currently limited to one hardcoded URL for kubernetes related binaries, and a fixed set of architectures. The solution is three-fold: 1. Use an url template dictionary for each download -> this allow to easily add support for new downloads. 2. Source the architectures to search from the existing data 3. Enumerate the existing versions in the data and start searching from the last one until no newer version is found (newer in the version order sense, irrespective of actual age) 2024-02-02 23:01:14 +08:00			`raise Exception(f"Checksum has an unexpected length: {len(sha256sum)} (binary: {download}, arch: {arch}, release: {version}, checksum: '{sha256sum}')")`
			`data[checksum_name][arch][version] = sha256sum`
Download hash script: auto discover versions (#10849) * Download patches version automatically from a minor * Automate versions discovery for hash download * Small refactoring 2024-01-30 10:06:10 +08:00			`data[checksum_name] = {arch : {r : releases[r] for r in sorted(releases.keys(),`
download_hash.py: generalized and data-driven The script is currently limited to one hardcoded URL for kubernetes related binaries, and a fixed set of architectures. The solution is three-fold: 1. Use an url template dictionary for each download -> this allow to easily add support for new downloads. 2. Source the architectures to search from the existing data 3. Enumerate the existing versions in the data and start searching from the last one until no newer version is found (newer in the version order sense, irrespective of actual age) 2024-02-02 23:01:14 +08:00			`key=version_compare,`
Download hash script: auto discover versions (#10849) * Download patches version automatically from a minor * Automate versions discovery for hash download * Small refactoring 2024-01-30 10:06:10 +08:00			`reverse=True)}`
			`for arch, releases in data[checksum_name].items()}`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
chore: improve performance of python script for hash download (#10335) The old version of the script downloaded all binaries and generated file checksums locally. This was a slow process since all binaries of all architectures needed to be downloaded. The new version simply downloads the .sha256 files containing the binary checksum in text form which saves a lot of traffic and time. 2024-01-23 23:41:20 +08:00			`with open(CHECKSUMS_YML, "w") as checksums_yml:`
			`yaml.dump(data, checksums_yml)`
			`print(f"\n\nUpdated {CHECKSUMS_YML}\n")`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
download_hash: argument handling with argparse Allow the script to be called with a list of components, to only download new versions checksums for those. By default, we get new versions checksums for all supported (by the script) components. 2024-09-05 21:58:36 +08:00			`parser = argparse.ArgumentParser(description=f"Add new patch versions hashes in {CHECKSUMS_YML}")`
			`parser.add_argument('binaries', nargs='*', choices=downloads.keys())`
Rewrite download_hash in Python (#5995) - Directly update the main.yml file with the new hashes. 2020-05-27 21:52:40 +08:00
download_hash: argument handling with argparse Allow the script to be called with a list of components, to only download new versions checksums for those. By default, we get new versions checksums for all supported (by the script) components. 2024-09-05 21:58:36 +08:00			`args = parser.parse_args()`
			`download_hash(args.binaries)`