Make secrets configurable

Secrets are passed as files into componentsync.

config/config.msft.yaml

@@ -85,6 +85,7 @@ defaults:
       enabled: true
       imageRepo: image-sync/component-sync
       repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
+      secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}'
     ocMirror:
       enabled: true
       imageRepo: image-sync/oc-mirror

config/config.schema.json

@@ -236,14 +236,18 @@
               },
               "repositories": {
                 "type": "string"
+              },
+              "secrets": {
+                "type": "string"
               }
             },
             "additionalProperties": false,
             "required": [
               "enabled",
               "imageRepo",
               "imageTag",
-              "repositories"
+              "repositories",
+              "secrets"
             ]
           },
           "ocMirror": {

config/config.yaml

@@ -86,6 +86,7 @@ defaults:
       imageRepo: image-sync/component-sync
       imageTag: latest
       repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
+      secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}'
     ocMirror:
       enabled: true
       imageRepo: image-sync/oc-mirror

dev-infrastructure/configurations/image-sync.tmpl.bicepparam

@@ -7,15 +7,18 @@ param keyVaultName = '{{ .imageSync.keyVault.name}}'
 param keyVaultPrivate = {{ .imageSync.keyVault.private }}
 param keyVaultSoftDelete = {{ .imageSync.keyVault.softDelete }}
 
-param bearerSecretName = 'bearer-secret'
+param bearerSecretNames = ['bearer-secret']
 param componentSyncPullSecretName = 'component-sync-pull-secret'
 param componentSyncImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.componentSync.imageRepo }}:{{ .imageSync.componentSync.imageTag }}'
 param componentSyncEnabed = {{ .imageSync.componentSync.enabled }}
+
+param componentSyncSecrets = '{{ .imageSync.componentSync.secrets }}'
 param svcAcrName = '{{ .svcAcrName }}'
 
 param ocpAcrName = '{{ .ocpAcrName }}'
 param ocpPullSecretName = 'pull-secret'
 param repositoriesToSync = '{{ .imageSync.componentSync.repositories }}'
 param ocMirrorImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.ocMirror.imageRepo }}:{{ .imageSync.ocMirror.imageTag }}'
 param ocMirrorEnabled = {{ .imageSync.ocMirror.enabled }}
+
 param numberOfTags = 10

dev-infrastructure/templates/image-sync.bicep

@@ -31,8 +31,8 @@ param keyVaultSoftDelete bool
 @description('The name of the pull secret for the component sync job')
 param componentSyncPullSecretName string
 
-@description('The name of the Quay API bearer token secret')
-param bearerSecretName string
+@description('The names of the bearer token secrets')
+param bearerSecretNames array
 
 @description('The image to use for the component sync job')
 param componentSyncImage string
@@ -55,6 +55,9 @@ param ocMirrorEnabled bool
 @description('The name of the pull secret for the oc-mirror job')
 param ocpPullSecretName string
 
+@description('Secret configuration to pass into component sync')
+param componentSyncSecrets string
+
 //
 // Container App Infra
 //
@@ -123,7 +126,7 @@ module acrPullRole '../modules/acr/acr-permissions.bicep' = {
 }
 
 module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' = [
-  for secretName in [componentSyncPullSecretName, bearerSecretName, ocpPullSecretName]: {
+  for secretName in union([componentSyncPullSecretName, ocpPullSecretName], bearerSecretNames): {
     name: guid(imageSyncManagedIdentity, location, keyVaultName, secretName, 'secret-user')
     params: {
       keyVaultName: keyVaultName
@@ -144,6 +147,24 @@ module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' =
 var componentSyncJobName = 'component-sync'
 var pullSecretFile = 'quayio-auth.json'
 
+var componentSecretsArray = [
+  for bearerSecretName in bearerSecretNames: {
+    name: 'bearer-secret'
+    keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${bearerSecretName}'
+    identity: uami.id
+  }
+]
+
+var componentSecretVolumesArray = [
+  for bearerSecretName in bearerSecretNames: {
+    name: bearerSecretName
+    storageType: 'Secret'
+    secrets: [
+      { secretRef: bearerSecretName }
+    ]
+  }
+]
+
 resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEnabed) {
   name: componentSyncJobName
   location: location
@@ -171,18 +192,16 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna
           server: '${svcAcrName}${environment().suffixes.acrLoginServer}'
         }
       ]
-      secrets: [
-        {
-          name: 'pull-secrets'
-          keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${componentSyncPullSecretName}'
-          identity: uami.id
-        }
-        {
-          name: 'bearer-secret'
-          keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${bearerSecretName}'
-          identity: uami.id
-        }
-      ]
+      secrets: union(
+        [
+          {
+            name: 'pull-secrets'
+            keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${componentSyncPullSecretName}'
+            identity: uami.id
+          }
+        ],
+        componentSecretsArray
+      )
     }
     template: {
       containers: [
@@ -199,10 +218,7 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna
             { name: 'TENANT_ID', value: tenant().tenantId }
             { name: 'DOCKER_CONFIG', value: '/auth' }
             { name: 'MANAGED_IDENTITY_CLIENT_ID', value: uami.properties.clientId }
-            {
-              name: 'SECRETS'
-              value: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}'
-            }
+            { name: 'SECRETS', value: componentSyncSecrets }
           ]
         }
       ]
@@ -215,7 +231,7 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna
           ]
           args: [
             '-c'
-            'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && cat /tmp/bearer-secret/bearer-secret | base64 -d > /etc/containers/${pullSecretFile}'
+            'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && for file in $(find . -type f); do; export fn=$(basename $file); cat $file | base64 -d > /etc/containers/$fn; done;'
           ]
           volumeMounts: [
             { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' }
@@ -224,26 +240,22 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna
           ]
         }
       ]
-      volumes: [
-        {
-          name: 'pull-secrets-updated'
-          storageType: 'EmptyDir'
-        }
-        {
-          name: 'pull-secrets'
-          storageType: 'Secret'
-          secrets: [
-            { secretRef: 'pull-secrets' }
-          ]
-        }
-        {
-          name: 'bearer-secret'
-          storageType: 'Secret'
-          secrets: [
-            { secretRef: 'bearer-secret' }
-          ]
-        }
-      ]
+      volumes: union(
+        [
+          {
+            name: 'pull-secrets-updated'
+            storageType: 'EmptyDir'
+          }
+          {
+            name: 'pull-secrets'
+            storageType: 'Secret'
+            secrets: [
+              { secretRef: 'pull-secrets' }
+            ]
+          }
+        ],
+        componentSecretVolumesArray
+      )
     }
   }
   dependsOn: [