From cc33c8addaa2588201cbb2bcbf249091eeebcbf6 Mon Sep 17 00:00:00 2001
From: Alan Greene
Date: Mon, 23 Sep 2024 23:34:59 +0100
Subject: [PATCH] Support separate bucket and image registry credentials

The current release pipeline assumes that the same credentials are used to authenticate to the cloud storage service as well as to the container registry. This change enables having independent credentials. It also enables user PAT based auth for the container registry by making the user configurable instead of hardcoding `_json_key` which is used for gcr.
---
 tekton/publish.yaml | 9 +++++++--
 tekton/release-cheat-sheet.md | 2 ++
 tekton/release-pipeline.yaml | 15 ++++++++++++---
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/tekton/publish.yaml b/tekton/publish.yaml
index 2a352a25c..696021c8f 100644
--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -37,6 +37,9 @@ spec:
 - name: imageRegistryRegions
 description: The target image registry regions
 default: "us eu asia"
+ - name: imageRegistryUser
+ description: Username to be used to login to the container registry
+ default: "_json_key"
 - name: releaseAsLatest
 description: Whether to tag and publish this release as Dashboard's latest
 default: "true"
@@ -61,6 +64,8 @@ spec:
 value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
 - name: CONTAINER_REGISTRY
 value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
+ - name: CONTAINER_REGISTRY_USER
+ value: "$(params.imageRegistryUser)"
 - name: REGIONS
 value: "$(params.imageRegistryRegions)"
 - name: OUTPUT_RELEASE_DIR
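Review bot: The description of the new `imageRegistryUser` parameter does not say that the `_json_key` default is specific to registries that accept a service-account JSON key as the password (the commit message names gcr), so someone pointing `imageRegistry` at a different registry gets no hint that the user must change together with the credential file in the release-secret workspace. Suggest replacing the description with: Username used to log in to the container registry; the default _json_key is the GCR convention for service-account JSON key files, other registries need the account or token user that matches the credential file at serviceAccountPath. The same wording applies to the matching parameter added to tekton/release-pipeline.yaml in its `@@ -33,6 +33,9 @@` hunk.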
@@ -78,14 +83,14 @@ spec:
 # Login to the container registry
 DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
- crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
+ crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
 sed 's,^.*logged in via \(.*\)$,\1,g')
 # Auth with account credentials for all regions.
 for region in ${REGIONS}
 do
 HOSTNAME=${region}.$(params.imageRegistry)
- cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u _json_key --password-stdin ${HOSTNAME}
+ cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
 done
 cp ${DOCKER_CONFIG} /workspace/docker-config.json
diff --git a/tekton/release-cheat-sheet.md b/tekton/release-cheat-sheet.md
index 18c03c6eb..812d73784 100644
--- a/tekton/release-cheat-sheet.md
+++ b/tekton/release-cheat-sheet.md
@@ -47,9 +47,11 @@ the dashboard repo, a terminal window and a text editor.
 --serviceaccount=release-right-meow \
 --param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
 --param=serviceAccountPath=release.json \
+ --param=serviceAccountImagesPath=release.json \
 --param=versionTag="${TEKTON_VERSION}" \
 --param=releaseBucket=gs://tekton-releases/dashboard \
 --workspace name=release-secret,secret=release-secret \
+ --workspace name=release-images-secret,secret=release-secret \
 --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml
 ```
diff --git a/tekton/release-pipeline.yaml b/tekton/release-pipeline.yaml
index d3810d60c..937d55deb 100644
--- a/tekton/release-pipeline.yaml
+++ b/tekton/release-pipeline.yaml
@@ -33,6 +33,9 @@ spec:
 - name: imageRegistryRegions
 description: The target image registry regions
 default: "us eu asia"
+ - name: imageRegistryUser
+ description: The user for the image registry credentials
+ default: "_json_key"
 - name: versionTag
 description: The X.Y.Z version that the artifacts should be tagged with
 - name: releaseBucket
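Review bot: A failed registry login is not detected on either of the new `crane auth login -u ${CONTAINER_REGISTRY_USER}` lines: the first call sits inside a command substitution whose output is piped through `2>&1 | sed`, so a wrong user/credential pair (more likely now that the user is configurable) leaves DOCKER_CONFIG holding sed-mangled error text instead of a config path and the script only fails later at the `cp`, while the per-region login in the loop has its exit status discarded entirely. The script's preamble is outside this hunk, so whether it sets `-e` or `pipefail` is not visible, but `set -e` alone would not cover the first call because the failing command is not the last element of its pipeline. Consider checking each login explicitly, e.g. in the loop `cat "${CONTAINER_REGISTRY_CREDENTIALS}" | crane auth login -u "${CONTAINER_REGISTRY_USER}" --password-stdin "${HOSTNAME}" || exit 1`, and quoting `${CONTAINER_REGISTRY_USER}` in both calls so the value is always passed as a single argument. Reading the credential from stdin rather than argv is the right choice and should stay as is.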
@@ -46,11 +49,15 @@ spec:
 default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le
 - name: serviceAccountPath
 description: The path to the service account file within the release-secret workspace
+ - name: serviceAccountImagesPath
+ description: The path to the service account file or credentials within the release-images-secret workspace
 workspaces:
 - name: workarea
 description: The workspace where the repo will be cloned.
 - name: release-secret
- description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
+ description: The secret that contains a service account authorized to push to the output bucket
+ - name: release-images-secret
+ description: The secret that contains a service account authorized to push to the image registry
 results:
 - name: commit-sha
 description: the sha of the commit that was released
@@ -110,12 +117,14 @@ spec:
 value: $(params.imageRegistry)
 - name: imageRegistryPath
 value: $(params.imageRegistryPath)
+ - name: imageRegistryUser
+ value: $(params.imageRegistryUser)
 - name: imageRegistryRegions
 value: $(params.imageRegistryRegions)
 - name: releaseAsLatest
 value: $(params.releaseAsLatest)
 - name: serviceAccountPath
- value: $(params.serviceAccountPath)
+ value: $(params.serviceAccountImagesPath)
 - name: platforms
 value: $(params.platforms)
 workspaces:
@@ -126,7 +135,7 @@ spec:
 workspace: workarea
 subpath: bucket
 - name: release-secret
- workspace: release-secret
+ workspace: release-images-secret
 - name: publish-to-bucket
 runAfter: [publish-images]
 taskRef:
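Review bot: The new `release-images-secret` workspace is declared without `optional: true` and `serviceAccountImagesPath` has no default, so every existing PipelineRun that bound only `release-secret` now fails validation until it also binds the images secret, which the cheat sheet does by pointing both workspaces at the same Secret. If that is intended, the descriptions should say so: for the workspace, something like `description: The secret holding the credential used to push to the image registry (may be the same Secret as release-secret when one credential covers both)`, and for the parameter a mention that the file may be a service-account key or a registry token matching imageRegistryUser. Splitting the two credentials is a sound least-privilege change, since the bucket credential no longer needs registry push rights.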
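Review bot: The publish-images task still receives its credential through a parameter named `serviceAccountPath` and a workspace named `release-secret` (tekton/publish.yaml builds CONTAINER_REGISTRY_CREDENTIALS from exactly those two names), while the pipeline now binds `$(params.serviceAccountImagesPath)` and, in the `@@ -126,7 +135,7 @@` hunk, `release-images-secret` to them, so the names no longer describe what is bound. A short comment above the binding would keep a future edit from re-pointing it at the bucket credential, e.g. `# publish-images only authenticates to the image registry: bind the images credential here, not the bucket one`. Renaming the task's parameter and workspace in tekton/publish.yaml to match would remove the mismatch entirely, but that is a larger change than this commit sets out to make.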