Support separate bucket and image registry credentials

The current release pipeline assumes that the same credentials are used to authenticate to the cloud storage service as well as to the container registry. This change enables having independent credentials. It also enables user PAT based auth for the container registry by making the user configurable instead of hardcoding `_json_key` which is used for gcr.
tektoncd · Sep 25, 2024 · cc33c8a · cc33c8a
1 parent 061ceca
commit cc33c8a
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
@@ -37,6 +37,9 @@ spec:
     - name: imageRegistryRegions
       description: The target image registry regions
       default: "us eu asia"
+    - name: imageRegistryUser
+      description: Username to be used to login to the container registry
+      default: "_json_key"
     - name: releaseAsLatest
       description: Whether to tag and publish this release as Dashboard's latest
       default: "true"
@@ -61,6 +64,8 @@ spec:
         value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
       - name: CONTAINER_REGISTRY
         value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
+      - name: CONTAINER_REGISTRY_USER
+        value: "$(params.imageRegistryUser)"
       - name: REGIONS
         value: "$(params.imageRegistryRegions)"
       - name: OUTPUT_RELEASE_DIR
@@ -78,14 +83,14 @@ spec:
 
         # Login to the container registry
         DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
-          crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
+          crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
           sed 's,^.*logged in via \(.*\)$,\1,g')
 
         # Auth with account credentials for all regions.
         for region in ${REGIONS}
         do
           HOSTNAME=${region}.$(params.imageRegistry)
-          cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u _json_key --password-stdin ${HOSTNAME}
+          cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
         done
         cp ${DOCKER_CONFIG} /workspace/docker-config.json
 

diff --git a/tekton/release-cheat-sheet.md b/tekton/release-cheat-sheet.md
@@ -47,9 +47,11 @@ the dashboard repo, a terminal window and a text editor.
       --serviceaccount=release-right-meow \
       --param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
       --param=serviceAccountPath=release.json \
+      --param=serviceAccountImagesPath=release.json \
       --param=versionTag="${TEKTON_VERSION}" \
       --param=releaseBucket=gs://tekton-releases/dashboard \
       --workspace name=release-secret,secret=release-secret \
+      --workspace name=release-images-secret,secret=release-secret \
       --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml
     ```
 

diff --git a/tekton/release-pipeline.yaml b/tekton/release-pipeline.yaml
@@ -33,6 +33,9 @@ spec:
     - name: imageRegistryRegions
       description: The target image registry regions
       default: "us eu asia"
+    - name: imageRegistryUser
+      description: The user for the image registry credentials
+      default: "_json_key"
     - name: versionTag
       description: The X.Y.Z version that the artifacts should be tagged with
     - name: releaseBucket
@@ -46,11 +49,15 @@ spec:
       default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le
     - name: serviceAccountPath
       description: The path to the service account file within the release-secret workspace
+    - name: serviceAccountImagesPath
+      description: The path to the service account file or credentials within the release-images-secret workspace
   workspaces:
     - name: workarea
       description: The workspace where the repo will be cloned.
     - name: release-secret
-      description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
+      description: The secret that contains a service account authorized to push to the output bucket
+    - name: release-images-secret
+      description: The secret that contains a service account authorized to push to the image registry
   results:
     - name: commit-sha
       description: the sha of the commit that was released
@@ -110,12 +117,14 @@ spec:
           value: $(params.imageRegistry)
         - name: imageRegistryPath
           value: $(params.imageRegistryPath)
+        - name: imageRegistryUser
+          value: $(params.imageRegistryUser)
         - name: imageRegistryRegions
           value: $(params.imageRegistryRegions)
         - name: releaseAsLatest
           value: $(params.releaseAsLatest)
         - name: serviceAccountPath
-          value: $(params.serviceAccountPath)
+          value: $(params.serviceAccountImagesPath)
         - name: platforms
           value: $(params.platforms)
       workspaces:
@@ -126,7 +135,7 @@ spec:
           workspace: workarea
           subpath: bucket
         - name: release-secret
-          workspace: release-secret
+          workspace: release-images-secret
     - name: publish-to-bucket
       runAfter: [publish-images]
       taskRef: