diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
index a8b63ee2..c7df08aa 100644
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -1,3 +1,5 @@
+acr
+ACR
 aic
 amd
 anyfield
@@ -14,6 +16,7 @@ argoprojlabs
 args
 auths
 aws
+azurecr
 babayaga
 baralias
 baz
@@ -217,6 +220,7 @@ TODO
 toolchain
 Torvalds
 Tracef
+tsv
 uber
 unmarshal
 unmarshals
diff --git a/Dockerfile b/Dockerfile
index ea59d972..411ae512 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,6 +17,10 @@ RUN apk update && \
 apk add ca-certificates git openssh-client aws-cli tini gpg gpg-agent && \
 rm -rf /var/cache/apk/*
 
+RUN apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo make py3-pip && \
+ pip3 install --break-system-packages azure-cli && \
+ rm -rf /var/cache/apk/*
+
 RUN mkdir -p /usr/local/bin
 RUN mkdir -p /app/config
 RUN adduser --home "/app" --disabled-password --uid 1000 argocd
diff --git a/docs/configuration/registries.md b/docs/configuration/registries.md
index 015558f5..3e782d4a 100644
--- a/docs/configuration/registries.md
+++ b/docs/configuration/registries.md
@@ -15,6 +15,7 @@ It has been successfully tested against the following popular registries:
 * GitHub Packages Registry (`docker.pkg.github.com`)
 * GitLab Container Registry (`registry.gitlab.com`)
 * Google Container Registry (`gcr.io`)
+* Azure Container Registry (`azurecr.io`)
 
 Chances are, that it will work out of the box for other registries as well.
 
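Review bot: The new RUN layer in the Dockerfile hunk installs a full native build toolchain (gcc, musl-dev, cargo, make and the -dev headers) into the runtime image and leaves it there, and neither the apk packages nor the pip-installed `azure-cli` are pinned, so the image content drifts on every rebuild and the runtime image ships compilers it never needs. Install the build packages as a virtual group, pin the CLI, and delete the group once the wheels are built, as sketched below, where `<PINNED_VERSION>` stands for the version you choose. The runtime shared libraries the compiled wheels link against (presumably libffi and openssl, not their -dev variants) must then be listed separately so `apk del` does not remove them; confirm the exact set against the wheels actually built. `pip3 install --no-cache-dir` additionally keeps the pip download cache out of the layer.
```dockerfile
RUN apk add --no-cache --virtual .build-deps gcc musl-dev python3-dev libffi-dev openssl-dev cargo make && \
    apk add --no-cache py3-pip libffi openssl && \
    pip3 install --no-cache-dir --break-system-packages azure-cli==<PINNED_VERSION> && \
    apk del .build-deps && \
    rm -rf /var/cache/apk/*
```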
@@ -326,3 +327,29 @@ two strategies to overcome this:
 i.e. for getting EKS credentials from the aws CLI. For example, if the token has a lifetime of 12 hours, you can set `credsexpire: 12h` and Argo CD Image Updater will get a new token after 12 hours.
+
+### Configuring a script to authenticate against an Azure Container Registry
+
+You can authenticate against an Azure Container Registry using Azure Managed Identities with an external script:
+
+```yaml
+registries:
+- name: ACR example with external script
+ api_url: https://acr-example.azurecr.io/
+ prefix: acr-example.azurecr.io
+ credentials: ext:/app/scripts/acr-login.sh
+ credsexpire: 10h
+```
+
+The script should contain the name of the registry:
+
+```bash
+ acr-login.sh: |
+ #!/bin/sh
+ LOGIN=$(az login --identity)
+ REGISTRY="acr-example"
+ TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken)
+ echo "00000000-0000-0000-0000-000000000000:$TOKEN"
+```
+
+And the image used for `argocd-image-updater` should contain the Azure CLI.
diff --git a/registry-scanner/pkg/image/credentials.go b/registry-scanner/pkg/image/credentials.go
index a19d01a0..f865097d 100644
--- a/registry-scanner/pkg/image/credentials.go
+++ b/registry-scanner/pkg/image/credentials.go
@@ -146,7 +146,7 @@ func (src *CredentialSource) FetchCredentials(registryURL string, kubeclient *ku
 return nil, fmt.Errorf("could not stat %s: %v", src.ScriptPath, err)
 }
 cmd := exec.Command(src.ScriptPath)
- out, err := argoexec.RunCommandExt(cmd, argoexec.CmdOpts{Timeout: 10 * time.Second})
+ out, err := argoexec.RunCommandExt(cmd, argoexec.CmdOpts{Timeout: 30 * time.Second})
 if err != nil {
 return nil, fmt.Errorf("error executing %s: %v", src.ScriptPath, err)
 }
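Review bot: The timeout passed to `argoexec.RunCommandExt` in the credentials.go hunk is still an unexplained literal, now bumped from 10 to 30 seconds, and it governs every external credential script, not only the Azure flow that motivated the change. Lift it into a documented package-level constant, e.g. `// credentialScriptTimeout bounds external credential scripts; az login against a managed identity can take well over 10s.` followed by `const credentialScriptTimeout = 30 * time.Second`, and use `argoexec.CmdOpts{Timeout: credentialScriptTimeout}` on the changed line, so the next adjustment is a single documented edit. If scripts keep getting slower, a per-registry override alongside `credsexpire` would be the cleaner home for this, but that would be an addition outside this hunk. FetchCredentials begins and ends outside the hunk.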