From ebaa61945b86a63379e9e4ad5792eb18a16af014 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Thu, 12 Dec 2024 10:59:53 +0100
Subject: [PATCH] Make secrets configurable

Secrets are passed as files into componentsync.
---
config/config.msft.yaml | 1 +
config/config.schema.json | 6 +-
config/config.yaml | 1 +
.../configurations/image-sync.tmpl.bicepparam | 5 +-
dev-infrastructure/templates/image-sync.bicep | 92 +++++++++++--------
5 files changed, 63 insertions(+), 42 deletions(-)

diff --git a/config/config.msft.yaml b/config/config.msft.yaml
index 8cf79ad8a..922763925 100644
--- a/config/config.msft.yaml
+++ b/config/config.msft.yaml
@@ -85,6 +85,7 @@ defaults:
 enabled: true
 imageRepo: image-sync/component-sync
 repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
+ secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}'
 ocMirror:
 enabled: true
 imageRepo: image-sync/oc-mirror
diff --git a/config/config.schema.json b/config/config.schema.json
index f2e6b4a85..ebdc77d02 100644
--- a/config/config.schema.json
+++ b/config/config.schema.json
@@ -236,6 +236,9 @@
 },
 "repositories": {
 "type": "string"
+ },
+ "secrets": {
+ "type": "string"
 }
 },
 "additionalProperties": false,
@@ -243,7 +246,8 @@
 "enabled",
 "imageRepo",
 "imageTag",
- "repositories"
+ "repositories",
+ "secrets"
 ]
 },
 "ocMirror": {
diff --git a/config/config.yaml b/config/config.yaml
index b863b5298..085c4920e 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -86,6 +86,7 @@ defaults:
 imageRepo: image-sync/component-sync
 imageTag: latest
 repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
+ secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}'
 ocMirror:
 enabled: true
 imageRepo: image-sync/oc-mirror
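Review bot: The new `secrets` value in config.msft.yaml (and the identical one in the config.yaml hunk) embeds `${pullSecretFile}`, but that string reaches Bicep verbatim through `param componentSyncSecrets = '{{ .imageSync.componentSync.secrets }}'` in the image-sync.tmpl.bicepparam hunk, where a single-quoted literal treats `${…}` as interpolation and `pullSecretFile` is a variable of the template, not of the params file; as far as I can tell this fails to compile instead of yielding a path. Escaping it as `\${pullSecretFile}` would only move the problem, since the job would then receive the literal text rather than `quayio-auth.json`. The rewritten init command in the bicep template now writes each mounted secret under its own basename, so the configured `secretfile` should name that file directly, e.g. `"secretfile": "/auth/<BEARER_SECRET_FILE_NAME>"` (placeholder for the mounted file's name). The schema entry could say so: `"description": "JSON passed verbatim to component-sync's SECRETS env var; no Bicep interpolation is applied"`.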
diff --git a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam index 7a1219692..a6f1db7d7 100644 --- a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam +++ b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam @@ -7,10 +7,12 @@ param keyVaultName = '{{ .imageSync.keyVault.name}}' param keyVaultPrivate = {{ .imageSync.keyVault.private }} param keyVaultSoftDelete = {{ .imageSync.keyVault.softDelete }} -param bearerSecretName = 'bearer-secret' +param bearerSecretNames = ['bearer-secret'] param componentSyncPullSecretName = 'component-sync-pull-secret' param componentSyncImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.componentSync.imageRepo }}:{{ .imageSync.componentSync.imageTag }}' param componentSyncEnabed = {{ .imageSync.componentSync.enabled }} + +param componentSyncSecrets = '{{ .imageSync.componentSync.secrets }}' param svcAcrName = '{{ .svcAcrName }}' param ocpAcrName = '{{ .ocpAcrName }}' @@ -18,4 +20,5 @@ param ocpPullSecretName = 'pull-secret' param repositoriesToSync = '{{ .imageSync.componentSync.repositories }}' param ocMirrorImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.ocMirror.imageRepo }}:{{ .imageSync.ocMirror.imageTag }}' param ocMirrorEnabled = {{ .imageSync.ocMirror.enabled }} + param numberOfTags = 10 diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep index f1e3cb44c..6aabde356 100644 --- a/dev-infrastructure/templates/image-sync.bicep +++ b/dev-infrastructure/templates/image-sync.bicep 
@@ -31,8 +31,8 @@ param keyVaultSoftDelete bool
 @description('The name of the pull secret for the component sync job')
 param componentSyncPullSecretName string
 
-@description('The name of the Quay API bearer token secret')
-param bearerSecretName string
+@description('The names of the bearer token secrets')
+param bearerSecretNames array
 
 @description('The image to use for the component sync job')
 param componentSyncImage string
@@ -55,6 +55,9 @@ param ocMirrorEnabled bool
 @description('The name of the pull secret for the oc-mirror job')
 param ocpPullSecretName string
 
+@description('Secret configuration to pass into component sync')
+param componentSyncSecrets string
+
 //
 // Container App Infra
 //
@@ -123,7 +126,7 @@ module acrPullRole '../modules/acr/acr-permissions.bicep' = {
 }
 
 module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' = [
- for secretName in [componentSyncPullSecretName, bearerSecretName, ocpPullSecretName]: {
+ for secretName in union([componentSyncPullSecretName, ocpPullSecretName], bearerSecretNames): {
 name: guid(imageSyncManagedIdentity, location, keyVaultName, secretName, 'secret-user')
 params: {
 keyVaultName: keyVaultName
@@ -144,6 +147,24 @@ module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' =
 var componentSyncJobName = 'component-sync'
 var pullSecretFile = 'quayio-auth.json'
 
+var componentSecretsArray = [
+ for bearerSecretName in bearerSecretNames: {
+ name: 'bearer-secret'
+ keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${bearerSecretName}'
+ identity: uami.id
+ }
+]
+
+var componentSecretVolumesArray = [
+ for bearerSecretName in bearerSecretNames: {
+ name: bearerSecretName
+ storageType: 'Secret'
+ secrets: [
+ { secretRef: bearerSecretName }
+ ]
+ }
+]
+
 resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEnabed) {
 name: componentSyncJobName
 location: location
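Review bot: In `componentSecretsArray` every generated entry gets the fixed `name: 'bearer-secret'`, while `componentSecretVolumesArray` refers to it through `secretRef: bearerSecretName`, so the secret and its volume only line up when the configured name happens to be `bearer-secret` (the bicepparam default), and with two or more names the job's `secrets` list contains duplicates. The loop variable should be used on both sides: `name: bearerSecretName`. The same mismatch is what the later `volumes: union(...)` hunk consuming `componentSecretVolumesArray` inherits. A short `// one Container App secret per entry of bearerSecretNames, referenced by the matching volume below` above the first var would make the coupling between the two arrays explicit.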
@@ -171,18 +192,16 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna
 server: '${svcAcrName}${environment().suffixes.acrLoginServer}'
 }
 ]
- secrets: [
- {
- name: 'pull-secrets'
- keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${componentSyncPullSecretName}'
- identity: uami.id
- }
- {
- name: 'bearer-secret'
- keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${bearerSecretName}'
- identity: uami.id
- }
- ]
+ secrets: union(
+ [
+ {
+ name: 'pull-secrets'
+ keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${componentSyncPullSecretName}'
+ identity: uami.id
+ }
+ ],
+ componentSecretsArray
+ )
 }
 template: {
 containers: [
@@ -199,10 +218,7 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna
 { name: 'TENANT_ID', value: tenant().tenantId }
 { name: 'DOCKER_CONFIG', value: '/auth' }
 { name: 'MANAGED_IDENTITY_CLIENT_ID', value: uami.properties.clientId }
- {
- name: 'SECRETS'
- value: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}'
- }
+ { name: 'SECRETS', value: componentSyncSecrets }
 ]
 }
 ]
@@ -215,7 +231,7 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna
 ]
 args: [
 '-c'
- 'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && cat /tmp/bearer-secret/bearer-secret | base64 -d > /etc/containers/${pullSecretFile}'
+ 'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && for file in $(find . -type f); do; export fn=$(basename $file); cat $file | base64 -d > /etc/containers/$fn; done;'
 ]
 volumeMounts: [
 { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' }
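Review bot: The rewritten init command in the `args:` hunk contains `do;`, which bash and POSIX sh (dash) reject with a syntax error before anything runs, so the init container would fail and neither `config.json` nor any bearer file would be written. `find .` also depends on the container's working directory, which nothing in this hunk sets, and the unquoted `$file` is word-split, so a secret name with spaces would break the loop. I would search the secret mount directory explicitly and quote the expansions: `cat /tmp/secret-orig/pull-secrets | base64 -d > /etc/containers/config.json && for file in $(find <SECRET_MOUNT_DIR> -type f); do fn=$(basename "$file"); base64 -d < "$file" > "/etc/containers/$fn"; done`, with `<SECRET_MOUNT_DIR>` being the path the per-secret volumes are mounted at. The container's volumeMounts for those volumes lie outside this hunk; they presumably need to be generated from `bearerSecretNames` as well, otherwise the loop finds nothing to convert. `resource componentSyncJob` starts and ends outside the hunks on this line.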
@@ -224,26 +240,22 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna
 ]
 }
 ]
- volumes: [
- {
- name: 'pull-secrets-updated'
- storageType: 'EmptyDir'
- }
- {
- name: 'pull-secrets'
- storageType: 'Secret'
- secrets: [
- { secretRef: 'pull-secrets' }
- ]
- }
- {
- name: 'bearer-secret'
- storageType: 'Secret'
- secrets: [
- { secretRef: 'bearer-secret' }
- ]
- }
- ]
+ volumes: union(
+ [
+ {
+ name: 'pull-secrets-updated'
+ storageType: 'EmptyDir'
+ }
+ {
+ name: 'pull-secrets'
+ storageType: 'Secret'
+ secrets: [
+ { secretRef: 'pull-secrets' }
+ ]
+ }
+ ],
+ componentSecretVolumesArray
+ )
 }
 }
 dependsOn: [