From ebaa61945b86a63379e9e4ad5792eb18a16af014 Mon Sep 17 00:00:00 2001 From: Jan-Hendrik Boll Date: Thu, 12 Dec 2024 10:59:53 +0100 Subject: [PATCH 1/8] Make secrets configurable Secrets are passed as files into componentsync. --- config/config.msft.yaml | 1 + config/config.schema.json | 6 +- config/config.yaml | 1 + .../configurations/image-sync.tmpl.bicepparam | 5 +- dev-infrastructure/templates/image-sync.bicep | 92 +++++++++++-------- 5 files changed, 63 insertions(+), 42 deletions(-) diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 8cf79ad8a..922763925 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -85,6 +85,7 @@ defaults: enabled: true imageRepo: image-sync/component-sync repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package + secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}' ocMirror: enabled: true imageRepo: image-sync/oc-mirror diff --git a/config/config.schema.json b/config/config.schema.json index f2e6b4a85..ebdc77d02 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -236,6 +236,9 @@ }, "repositories": { "type": "string" + }, + "secrets": { + "type": "string" } }, "additionalProperties": false, @@ -243,7 +246,8 @@ "enabled", "imageRepo", "imageTag", - "repositories" + "repositories", + "secrets" ] }, "ocMirror": { diff --git a/config/config.yaml b/config/config.yaml index b863b5298..085c4920e 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -86,6 +86,7 @@ defaults: imageRepo: image-sync/component-sync imageTag: latest repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package + secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}' ocMirror: enabled: true imageRepo: image-sync/oc-mirror 
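Review bot: The `secrets` value added to config.msft.yaml embeds `${pullSecretFile}`, which is a variable of image-sync.bicep (`var pullSecretFile = 'quayio-auth.json'`), not something the YAML layer or the Go config template resolves; it is copied verbatim into a single-quoted Bicep literal in the bicepparam, where `${…}` is interpolation syntax and `pullSecretFile` is not declared. Spell the file name out, `"secretfile": "/auth/quayio-auth.json"`, or keep the path out of the config and let Bicep compose it. The identical literal is added to config.yaml in the last hunk of this patch.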
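Review bot: `secrets` is typed only as `"type": "string"` although the consumer treats it as a JSON document whose fields become registry names and secret-file paths, so a malformed value surfaces only when the job runs. Add a `description` next to the type that states the shape, e.g. `"description": "JSON passed to component-sync as SECRETS: {\"secrets\":[{\"registry\": <host>, \"secretfile\": <path inside the container>}]}"`, so the contract is visible where the key is declared.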
diff --git a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam index 7a1219692..a6f1db7d7 100644 --- a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam +++ b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam @@ -7,10 +7,12 @@ param keyVaultName = '{{ .imageSync.keyVault.name}}' param keyVaultPrivate = {{ .imageSync.keyVault.private }} param keyVaultSoftDelete = {{ .imageSync.keyVault.softDelete }} -param bearerSecretName = 'bearer-secret' +param bearerSecretNames = ['bearer-secret'] param componentSyncPullSecretName = 'component-sync-pull-secret' param componentSyncImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.componentSync.imageRepo }}:{{ .imageSync.componentSync.imageTag }}' param componentSyncEnabed = {{ .imageSync.componentSync.enabled }} + +param componentSyncSecrets = '{{ .imageSync.componentSync.secrets }}' param svcAcrName = '{{ .svcAcrName }}' param ocpAcrName = '{{ .ocpAcrName }}' @@ -18,4 +20,5 @@ param ocpPullSecretName = 'pull-secret' param repositoriesToSync = '{{ .imageSync.componentSync.repositories }}' param ocMirrorImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.ocMirror.imageRepo }}:{{ .imageSync.ocMirror.imageTag }}' param ocMirrorEnabled = {{ .imageSync.ocMirror.enabled }} + param numberOfTags = 10 diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep index f1e3cb44c..6aabde356 100644 --- a/dev-infrastructure/templates/image-sync.bicep +++ b/dev-infrastructure/templates/image-sync.bicep 
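Review bot: `componentSyncSecrets` is produced by pasting the config string into a single-quoted Bicep literal, so any `'` or `${` inside `imageSync.componentSync.secrets` is read as Bicep syntax rather than as data — the default added in config.yaml already carries `${pullSecretFile}`, which the compiler will try to resolve in bicepparam scope. Either escape the value when rendering (Bicep accepts `\'` and `\$` inside strings) or reject those sequences in config.schema.json with a `pattern`, and note on the param that the value is passed through unescaped.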
@@ -31,8 +31,8 @@ param keyVaultSoftDelete bool @description('The name of the pull secret for the component sync job') param componentSyncPullSecretName string -@description('The name of the Quay API bearer token secret') -param bearerSecretName string +@description('The names of the bearer token secrets') +param bearerSecretNames array @description('The image to use for the component sync job') param componentSyncImage string @@ -55,6 +55,9 @@ param ocMirrorEnabled bool @description('The name of the pull secret for the oc-mirror job') param ocpPullSecretName string +@description('Secret configuration to pass into component sync') +param componentSyncSecrets string + // // Container App Infra // @@ -123,7 +126,7 @@ module acrPullRole '../modules/acr/acr-permissions.bicep' = { } module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' = [ - for secretName in [componentSyncPullSecretName, bearerSecretName, ocpPullSecretName]: { + for secretName in union([componentSyncPullSecretName, ocpPullSecretName], bearerSecretNames): { name: guid(imageSyncManagedIdentity, location, keyVaultName, secretName, 'secret-user') params: { keyVaultName: keyVaultName @@ -144,6 +147,24 @@ module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' = var componentSyncJobName = 'component-sync' var pullSecretFile = 'quayio-auth.json' +var componentSecretsArray = [ + for bearerSecretName in bearerSecretNames: { + name: 'bearer-secret' + keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${bearerSecretName}' + identity: uami.id + } +] + +var componentSecretVolumesArray = [ + for bearerSecretName in bearerSecretNames: { + name: bearerSecretName + storageType: 'Secret' + secrets: [ + { secretRef: bearerSecretName } + ] + } +] + resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEnabed) { name: componentSyncJobName location: location 
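Review bot: The `pullSecretPermission` loop now grants the image-sync identity read access to every Key Vault secret named in `bearerSecretNames`, and that list comes from config.yaml, so an edit to the config (or the materialized JSON) widens what this identity can read from the vault without touching the template. That is a reasonable deployment parameter, but it should be stated where the grant happens, e.g. `// Read access for the component-sync pull secret, the ocp pull secret and every configured bearer secret; bearerSecretNames comes from config, so treat changes to it as permission changes.`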
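Review bot: `componentSecretsArray` gives every element the same Container App secret `name: 'bearer-secret'` while `componentSecretVolumesArray` references it by `secretRef: bearerSecretName`, so the two only line up when the Key Vault secret is literally called `bearer-secret`, and a second entry in `bearerSecretNames` yields a duplicate secret name. Use the loop variable on both sides, `name: bearerSecretName`, so secret, volume and mounted file name agree. As far as I recall Container App secret names are more restricted than Key Vault names (lowercase letters, digits, `-` and `.`), which is worth a `@description` on `bearerSecretNames` and a `pattern` in the schema.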
@@ -171,18 +192,16 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna server: '${svcAcrName}${environment().suffixes.acrLoginServer}' } ] - secrets: [ - { - name: 'pull-secrets' - keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${componentSyncPullSecretName}' - identity: uami.id - } - { - name: 'bearer-secret' - keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${bearerSecretName}' - identity: uami.id - } - ] + secrets: union( + [ + { + name: 'pull-secrets' + keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${componentSyncPullSecretName}' + identity: uami.id + } + ], + componentSecretsArray + ) } template: { containers: [ @@ -199,10 +218,7 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna { name: 'TENANT_ID', value: tenant().tenantId } { name: 'DOCKER_CONFIG', value: '/auth' } { name: 'MANAGED_IDENTITY_CLIENT_ID', value: uami.properties.clientId } - { - name: 'SECRETS' - value: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}' - } + { name: 'SECRETS', value: componentSyncSecrets } ] } ] @@ -215,7 +231,7 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna ] args: [ '-c' - 'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && cat /tmp/bearer-secret/bearer-secret | base64 -d > /etc/containers/${pullSecretFile}' + 'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && for file in $(find . -type f); do; export fn=$(basename $file); cat $file | base64 -d > /etc/containers/$fn; done;' ] volumeMounts: [ { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' } 
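Review bot: The new init-container loop is not valid sh or bash (`do;` is a syntax error), and `find . -type f` searches whatever working directory the image starts in, since nothing changes into the secret mount that the removed line read from `/tmp/bearer-secret`. With no `set -e`, a failing `base64 -d` also leaves an empty file in `/etc/containers` and the job goes on without credentials. Something like `set -eu; base64 -d </tmp/secret-orig/pull-secrets >/etc/containers/config.json; cd /tmp/bearer-secret; for f in $(find . -type f); do base64 -d <"$f" >"/etc/containers/$(basename "$f")"; done` fails loudly instead. Whether the secret mount exposes symlinks that `-type f` would skip I cannot tell from here; the `command:` that invokes this shell sits above the hunk.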
@@ -224,26 +240,22 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna ] } ] - volumes: [ - { - name: 'pull-secrets-updated' - storageType: 'EmptyDir' - } - { - name: 'pull-secrets' - storageType: 'Secret' - secrets: [ - { secretRef: 'pull-secrets' } - ] - } - { - name: 'bearer-secret' - storageType: 'Secret' - secrets: [ - { secretRef: 'bearer-secret' } - ] - } - ] + volumes: union( + [ + { + name: 'pull-secrets-updated' + storageType: 'EmptyDir' + } + { + name: 'pull-secrets' + storageType: 'Secret' + secrets: [ + { secretRef: 'pull-secrets' } + ] + } + ], + componentSecretVolumesArray + ) } } dependsOn: [ From 55d4f9ae9e2fa977375609311fb4a0aaf8455c4c Mon Sep 17 00:00:00 2001 From: Jan-Hendrik Boll Date: Thu, 12 Dec 2024 13:52:52 +0100 Subject: [PATCH 2/8] Additional fixes --- config/config.schema.json | 4 ++++ config/config.yaml | 4 +++- .../configurations/image-sync.tmpl.bicepparam | 4 ++-- dev-infrastructure/templates/image-sync.bicep | 20 +++++++++++++------ 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/config/config.schema.json b/config/config.schema.json index ebdc77d02..9e69798c1 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -225,6 +225,9 @@ "componentSync": { "type": "object", "properties": { + "bearerSecretNames": { + "type": "array" + }, "enabled": { "type": "boolean" }, @@ -243,6 +246,7 @@ }, "additionalProperties": false, "required": [ + "bearerSecretNames", "enabled", "imageRepo", "imageTag", diff --git a/config/config.yaml b/config/config.yaml index 085c4920e..dc346b623 100644 --- a/config/config.yaml +++ b/config/config.yaml 
@@ -86,7 +86,9 @@ defaults: imageRepo: image-sync/component-sync imageTag: latest repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package - secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}' + secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/bearer-secret"}]}' + bearerSecretNames: + - bearer-secret ocMirror: enabled: true imageRepo: image-sync/oc-mirror diff --git a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam index a6f1db7d7..00435b59f 100644 --- a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam +++ b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam @@ -7,12 +7,12 @@ param keyVaultName = '{{ .imageSync.keyVault.name}}' param keyVaultPrivate = {{ .imageSync.keyVault.private }} param keyVaultSoftDelete = {{ .imageSync.keyVault.softDelete }} -param bearerSecretNames = ['bearer-secret'] +param bearerSecretNames = [{{ range $b := .imageSync.componentSync.bearerSecretNames}} {{$b | squote}} {{- end}} ] param componentSyncPullSecretName = 'component-sync-pull-secret' param componentSyncImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.componentSync.imageRepo }}:{{ .imageSync.componentSync.imageTag }}' param componentSyncEnabed = {{ .imageSync.componentSync.enabled }} - param componentSyncSecrets = '{{ .imageSync.componentSync.secrets }}' + param svcAcrName = '{{ .svcAcrName }}' param ocpAcrName = '{{ .ocpAcrName }}' diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep index 6aabde356..4429fed6e 100644 --- a/dev-infrastructure/templates/image-sync.bicep +++ b/dev-infrastructure/templates/image-sync.bicep 
@@ -145,7 +145,6 @@ module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' = // var componentSyncJobName = 'component-sync' -var pullSecretFile = 'quayio-auth.json' var componentSecretsArray = [ for bearerSecretName in bearerSecretNames: { @@ -165,6 +164,13 @@ var componentSecretVolumesArray = [ } ] +var componentSecretVolumeMountsArray = [ + for bearerSecretName in bearerSecretNames: { + volumeName: bearerSecretName + mountPath: '/tmp/${bearerSecretName}' + } +] + resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEnabed) { name: componentSyncJobName location: location @@ -233,11 +239,13 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna '-c' 'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && for file in $(find . -type f); do; export fn=$(basename $file); cat $file | base64 -d > /etc/containers/$fn; done;' ] - volumeMounts: [ - { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' } - { volumeName: 'pull-secrets', mountPath: '/tmp/secret-orig' } - { volumeName: 'bearer-secret', mountPath: '/tmp/bearer-secret' } - ] + volumeMounts: union( + [ + { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' } + { volumeName: 'pull-secrets', mountPath: '/tmp/secret-orig' } + ], + componentSecretVolumeMountsArray + ) } ] volumes: union( From 12c28738f0509918f33e7bd79f8dcaa59cd5736a Mon Sep 17 00:00:00 2001 From: Jan-Hendrik Boll Date: Thu, 12 Dec 2024 14:04:45 +0100 Subject: [PATCH 3/8] Materialize config --- config/config.msft.yaml | 1 + config/public-cloud-cs-pr.json | 6 +++++- config/public-cloud-dev.json | 6 +++++- config/public-cloud-msft-int.json | 4 +++- config/public-cloud-personal-dev.json | 6 +++++- 5 files changed, 19 insertions(+), 4 deletions(-) diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 922763925..7f8279781 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml 
@@ -83,6 +83,7 @@ defaults: environmentName: global-shared-resources componentSync: enabled: true + bearerSecretNames: [] imageRepo: image-sync/component-sync repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}' diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json index 7d14330d3..4fc2abd5f 100644 --- a/config/public-cloud-cs-pr.json +++ b/config/public-cloud-cs-pr.json @@ -54,10 +54,14 @@ "imageSync": { "acrRG": "global", "componentSync": { + "bearerSecretNames": [ + "bearer-secret" + ], "enabled": true, "imageRepo": "image-sync/component-sync", "imageTag": "latest", - "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package" + "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package", + "secrets": "{\"secrets\":[{\"registry\": \"quay.io\", \"secretfile\": \"/auth/bearer-secret\"}]}" }, "environmentName": "aro-hcp-image-sync", "keyVault": { diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json index bb2b88a04..652fbe9f7 100644 --- a/config/public-cloud-dev.json +++ b/config/public-cloud-dev.json 
@@ -54,10 +54,14 @@ "imageSync": { "acrRG": "global", "componentSync": { + "bearerSecretNames": [ + "bearer-secret" + ], "enabled": true, "imageRepo": "image-sync/component-sync", "imageTag": "latest", - "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package" + "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package", + "secrets": "{\"secrets\":[{\"registry\": \"quay.io\", \"secretfile\": \"/auth/bearer-secret\"}]}" }, "environmentName": "aro-hcp-image-sync", "keyVault": { diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json index 3f88ec0c5..5fbc39837 100644 --- a/config/public-cloud-msft-int.json +++ b/config/public-cloud-msft-int.json @@ -54,10 +54,12 @@ "imageSync": { "acrRG": "global-shared-resources", "componentSync": { + "bearerSecretNames": [], "enabled": true, "imageRepo": "image-sync/component-sync", "imageTag": "0b3c08f", - "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package" + "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package", + "secrets": "{\"secrets\":[{\"registry\": \"quay.io\", \"secretfile\": \"/auth/${pullSecretFile}\"}]}" }, "environmentName": "global-shared-resources", "keyVault": { diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json index 16690e8a8..c0686c953 100644 --- a/config/public-cloud-personal-dev.json +++ b/config/public-cloud-personal-dev.json 
@@ -54,10 +54,14 @@ "imageSync": { "acrRG": "global", "componentSync": { + "bearerSecretNames": [ + "bearer-secret" + ], "enabled": true, "imageRepo": "image-sync/component-sync", "imageTag": "latest", - "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package" + "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package", + "secrets": "{\"secrets\":[{\"registry\": \"quay.io\", \"secretfile\": \"/auth/bearer-secret\"}]}" }, "environmentName": "aro-hcp-image-sync", "keyVault": { From dec3a2cb8da5c444f46b33dcada82f8ea0642d11 Mon Sep 17 00:00:00 2001 From: Jan-Hendrik Boll Date: Thu, 12 Dec 2024 16:22:50 +0100 Subject: [PATCH 4/8] Refactor format, make it easier to configure and reuse --- config/config.msft.yaml | 3 +-- config/config.schema.json | 4 --- config/config.yaml | 4 +-- config/public-cloud-cs-pr.json | 5 +--- config/public-cloud-dev.json | 5 +--- config/public-cloud-msft-int.json | 3 +-- config/public-cloud-personal-dev.json | 5 +--- .../configurations/image-sync.tmpl.bicepparam | 3 +-- dev-infrastructure/templates/image-sync.bicep | 27 ++++++++++++------- tooling/image-sync/internal/sync.go | 9 +++---- 10 files changed, 28 insertions(+), 40 deletions(-) diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 7f8279781..1f9911ece 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -83,10 +83,9 @@ defaults: environmentName: global-shared-resources componentSync: enabled: true - bearerSecretNames: [] imageRepo: image-sync/component-sync repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package - secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/${pullSecretFile}"}]}' + secrets: "" ocMirror: enabled: true imageRepo: image-sync/oc-mirror 
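Review bot: `secrets: ""` for the msft defaults is fed to `json(componentSyncSecrets)` in image-sync.bicep in this same patch, and an empty string is not a JSON document, so the msft environments (public-cloud-msft-int.json materializes the same value) should fail at deployment rather than deploy with no bearer secrets. Use an empty array, `secrets: '[]'`, which yields empty `bearerSecrets` and `secretWithFolderPrefix` lists and `SECRETS=[]`. A comment on the key that the value is parsed by Bicep `json()` rather than by the config loader would save the next reader the trip.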
diff --git a/config/config.schema.json b/config/config.schema.json index 9e69798c1..ebdc77d02 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -225,9 +225,6 @@ "componentSync": { "type": "object", "properties": { - "bearerSecretNames": { - "type": "array" - }, "enabled": { "type": "boolean" }, @@ -246,7 +243,6 @@ }, "additionalProperties": false, "required": [ - "bearerSecretNames", "enabled", "imageRepo", "imageTag", diff --git a/config/config.yaml b/config/config.yaml index dc346b623..46fe7a33f 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -86,9 +86,7 @@ defaults: imageRepo: image-sync/component-sync imageTag: latest repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package - secrets: '{"secrets":[{"registry": "quay.io", "secretfile": "/auth/bearer-secret"}]}' - bearerSecretNames: - - bearer-secret + secrets: '[{"registry": "quay.io", "secret": "bearer-secret"}]' ocMirror: enabled: true imageRepo: image-sync/oc-mirror diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json index 4fc2abd5f..a63ed71ec 100644 --- a/config/public-cloud-cs-pr.json +++ b/config/public-cloud-cs-pr.json @@ -54,14 +54,11 @@ "imageSync": { "acrRG": "global", "componentSync": { - "bearerSecretNames": [ - "bearer-secret" - ], "enabled": true, "imageRepo": "image-sync/component-sync", "imageTag": "latest", "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package", - "secrets": "{\"secrets\":[{\"registry\": \"quay.io\", \"secretfile\": \"/auth/bearer-secret\"}]}" + "secrets": "[{\"registry\": \"quay.io\", \"secret\": \"bearer-secret\"}]" }, "environmentName": "aro-hcp-image-sync", "keyVault": { diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json index 652fbe9f7..a9b6abb7d 100644 --- a/config/public-cloud-dev.json +++ b/config/public-cloud-dev.json 
@@ -54,14 +54,11 @@ "imageSync": { "acrRG": "global", "componentSync": { - "bearerSecretNames": [ - "bearer-secret" - ], "enabled": true, "imageRepo": "image-sync/component-sync", "imageTag": "latest", "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package", - "secrets": "{\"secrets\":[{\"registry\": \"quay.io\", \"secretfile\": \"/auth/bearer-secret\"}]}" + "secrets": "[{\"registry\": \"quay.io\", \"secret\": \"bearer-secret\"}]" }, "environmentName": "aro-hcp-image-sync", "keyVault": { diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json index 5fbc39837..61c39eec0 100644 --- a/config/public-cloud-msft-int.json +++ b/config/public-cloud-msft-int.json @@ -54,12 +54,11 @@ "imageSync": { "acrRG": "global-shared-resources", "componentSync": { - "bearerSecretNames": [], "enabled": true, "imageRepo": "image-sync/component-sync", "imageTag": "0b3c08f", "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package", - "secrets": "{\"secrets\":[{\"registry\": \"quay.io\", \"secretfile\": \"/auth/${pullSecretFile}\"}]}" + "secrets": "" }, "environmentName": "global-shared-resources", "keyVault": { diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json index c0686c953..007f01345 100644 --- a/config/public-cloud-personal-dev.json +++ b/config/public-cloud-personal-dev.json 
@@ -54,14 +54,11 @@ "imageSync": { "acrRG": "global", "componentSync": { - "bearerSecretNames": [ - "bearer-secret" - ], "enabled": true, "imageRepo": "image-sync/component-sync", "imageTag": "latest", "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package", - "secrets": "{\"secrets\":[{\"registry\": \"quay.io\", \"secretfile\": \"/auth/bearer-secret\"}]}" + "secrets": "[{\"registry\": \"quay.io\", \"secret\": \"bearer-secret\"}]" }, "environmentName": "aro-hcp-image-sync", "keyVault": { diff --git a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam index 00435b59f..92f8183fd 100644 --- a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam +++ b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam @@ -7,11 +7,10 @@ param keyVaultName = '{{ .imageSync.keyVault.name}}' param keyVaultPrivate = {{ .imageSync.keyVault.private }} param keyVaultSoftDelete = {{ .imageSync.keyVault.softDelete }} -param bearerSecretNames = [{{ range $b := .imageSync.componentSync.bearerSecretNames}} {{$b | squote}} {{- end}} ] param componentSyncPullSecretName = 'component-sync-pull-secret' param componentSyncImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.componentSync.imageRepo }}:{{ .imageSync.componentSync.imageTag }}' param componentSyncEnabed = {{ .imageSync.componentSync.enabled }} -param componentSyncSecrets = '{{ .imageSync.componentSync.secrets }}' +param componentSyncSecrets = '{ .imageSync.componentSync.secrets }}' param svcAcrName = '{{ .svcAcrName }}' diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep index 4429fed6e..fa7a0e6ff 100644 --- a/dev-infrastructure/templates/image-sync.bicep +++ b/dev-infrastructure/templates/image-sync.bicep 
@@ -31,9 +31,6 @@ param keyVaultSoftDelete bool @description('The name of the pull secret for the component sync job') param componentSyncPullSecretName string -@description('The names of the bearer token secrets') -param bearerSecretNames array - @description('The image to use for the component sync job') param componentSyncImage string @@ -58,6 +55,16 @@ param ocpPullSecretName string @description('Secret configuration to pass into component sync') param componentSyncSecrets string +var csSecrets = json(componentSyncSecrets) + +var bearerSecrets = [ for css in csSecrets: [ '${css.secret}' ]] + +var secretsFodler = '/etc/containers' +var secretWithFolderPrefix = [ for css in csSecrets: { + registry: css.registry + secretFile: '${secretsFodler}/${css.secret}' +}] + // // Container App Infra // @@ -126,7 +133,7 @@ module acrPullRole '../modules/acr/acr-permissions.bicep' = { } module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' = [ - for secretName in union([componentSyncPullSecretName, ocpPullSecretName], bearerSecretNames): { + for secretName in union([componentSyncPullSecretName, ocpPullSecretName], bearerSecrets): { name: guid(imageSyncManagedIdentity, location, keyVaultName, secretName, 'secret-user') params: { keyVaultName: keyVaultName @@ -147,7 +154,7 @@ module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' = var componentSyncJobName = 'component-sync' var componentSecretsArray = [ - for bearerSecretName in bearerSecretNames: { + for bearerSecretName in bearerSecrets: { name: 'bearer-secret' keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${bearerSecretName}' identity: uami.id @@ -155,7 +162,7 @@ var componentSecretsArray = [ ] var componentSecretVolumesArray = [ - for bearerSecretName in bearerSecretNames: { + for bearerSecretName in bearerSecrets: { name: bearerSecretName storageType: 'Secret' secrets: [ 
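Review bot: `var csSecrets = json(componentSyncSecrets)` has no guard for the empty value that config.msft.yaml now supplies; `json('')` is not valid input, so either make the template tolerant, `var csSecrets = empty(componentSyncSecrets) ? [] : json(componentSyncSecrets)`, or require `'[]'` in the schema. Each `css.secret` then becomes a Key Vault secret name, a Container App secret and volume name, a mount path and an unquoted shell word, none of it validated, so the `@description` on `componentSyncSecrets` should state the expected `[{"registry": <host>, "secret": <key-vault-secret-name>}]` shape and the allowed character set for `secret`.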
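Review bot: `componentSecretsArray` still assigns the fixed Container App secret name `'bearer-secret'` to every element after switching the loop to `bearerSecrets`, while `componentSecretVolumesArray` below references `secretRef: bearerSecretName`; any configured name other than `bearer-secret` produces a dangling secretRef, and two names produce duplicate secret names. The one-line fix is `name: bearerSecretName`, which also makes the mounted file name match the `secretFile` path that `secretWithFolderPrefix` advertises.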
@@ -165,9 +172,9 @@ var componentSecretVolumesArray = [ ] var componentSecretVolumeMountsArray = [ - for bearerSecretName in bearerSecretNames: { + for bearerSecretName in bearerSecrets: { volumeName: bearerSecretName - mountPath: '/tmp/${bearerSecretName}' + mountPath: '/tmp/secrets/${bearerSecretName}' } ] @@ -224,7 +231,7 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna { name: 'TENANT_ID', value: tenant().tenantId } { name: 'DOCKER_CONFIG', value: '/auth' } { name: 'MANAGED_IDENTITY_CLIENT_ID', value: uami.properties.clientId } - { name: 'SECRETS', value: componentSyncSecrets } + { name: 'SECRETS', value: string(secretWithFolderPrefix) } ] } ] @@ -237,7 +244,7 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = if (componentSyncEna ] args: [ '-c' - 'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && for file in $(find . -type f); do; export fn=$(basename $file); cat $file | base64 -d > /etc/containers/$fn; done;' + 'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && cd /tmp/secrets; for file in $(find . -type f); do; export fn=$(basename $file); cat $file | base64 -d > ${secretsFolder}/$fn; done;' ] volumeMounts: union( [ diff --git a/tooling/image-sync/internal/sync.go b/tooling/image-sync/internal/sync.go index 88a7abb6e..24e94ea21 100644 --- a/tooling/image-sync/internal/sync.go +++ b/tooling/image-sync/internal/sync.go @@ -31,9 +31,8 @@ type SyncConfig struct { ManagedIdentityClientID string } type Secrets struct { - Registry string - SecretFile string - AzureSecretfile string + Registry string + SecretFile string } // BearerSecret is the secret for the source OCI registry 
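Review bot: `SECRETS` now points at `${secretsFolder}/<secret>`, i.e. `/etc/containers/...`, but `/etc/containers` is the init container's mount of `pull-secrets-updated`; the main container reads `SECRETS`, and its own mount of that volume is outside the hunk — the removed value used `/auth/...`, which together with `DOCKER_CONFIG=/auth` suggests the main container mounts it at `/auth`. If so, build `secretFile` from the main container's path (e.g. a separate `var mainContainerSecretsFolder = '/auth'`) and leave `secretsFolder` for the init container. The payload shape also changed from `{"secrets":[...]}` to a bare array with key `secretFile`; the loader that unmarshals it into `SyncConfig` is not in this patch, so confirm it accepts a top-level array.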
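Review bot: The rewritten init command keeps the invalid `do;` and chains `cd /tmp/secrets;` with a plain `;`, so if the directory is absent the loop silently processes the working directory instead; with no `set -e` a failing `base64 -d` still leaves an empty file behind. Proposed command: `set -eu; base64 -d </tmp/secret-orig/pull-secrets >${secretsFolder}/config.json; cd /tmp/secrets; for f in $(find . -type f); do base64 -d <"$f" >"${secretsFolder}/$(basename "$f")"; done` — with `set -e` the `cd` failure aborts the job. Names with whitespace would still break the unquoted `$(find …)`, which the schema should rule out.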
@@ -148,9 +147,9 @@ func DoSync(cfg *SyncConfig) error { if strings.HasSuffix(secret.Registry, "azurecr.io") || strings.HasSuffix(secret.Registry, "azurecr.cn") || strings.HasSuffix(secret.Registry, "azurecr.us") { - azureSecret, err := readAzureSecret(secret.AzureSecretfile) + azureSecret, err := readAzureSecret(secret.SecretFile) if err != nil { - return fmt.Errorf("error reading azure secret file: %w %s", err, secret.AzureSecretfile) + return fmt.Errorf("error reading azure secret file: %w %s", err, secret.SecretFile) } bearerSecret, err := getACRBearerToken(ctx, *azureSecret, secret.Registry) if err != nil { From 68fc585a1b3c0884ef219d6f54997fb5cb7c15ce Mon Sep 17 00:00:00 2001 From: Jan-Hendrik Boll Date: Thu, 12 Dec 2024 16:30:25 +0100 Subject: [PATCH 5/8] Fix variable name --- dev-infrastructure/templates/image-sync.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep index fa7a0e6ff..1db51e03c 100644 --- a/dev-infrastructure/templates/image-sync.bicep +++ b/dev-infrastructure/templates/image-sync.bicep @@ -59,10 +59,10 @@ var csSecrets = json(componentSyncSecrets) var bearerSecrets = [ for css in csSecrets: [ '${css.secret}' ]] -var secretsFodler = '/etc/containers' +var secretsFolder = '/etc/containers' var secretWithFolderPrefix = [ for css in csSecrets: { registry: css.registry - secretFile: '${secretsFodler}/${css.secret}' + secretFile: '${secretsFolder}/${css.secret}' }] // From 5895ce66021c4a35b693400c6bd8c7fc497c4ce6 Mon Sep 17 00:00:00 2001 From: Jan-Hendrik Boll Date: Thu, 12 Dec 2024 16:48:43 +0100 Subject: [PATCH 6/8] Fix typo --- dev-infrastructure/configurations/image-sync.tmpl.bicepparam | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam index 92f8183fd..625b7daa6 100644 
--- a/dev-infrastructure/configurations/image-sync.tmpl.bicepparam +++ b/dev-infrastructure/configurations/image-sync.tmpl.bicepparam @@ -10,7 +10,7 @@ param keyVaultSoftDelete = {{ .imageSync.keyVault.softDelete }} param componentSyncPullSecretName = 'component-sync-pull-secret' param componentSyncImage = '{{ .svcAcrName }}.azurecr.io/{{ .imageSync.componentSync.imageRepo }}:{{ .imageSync.componentSync.imageTag }}' param componentSyncEnabed = {{ .imageSync.componentSync.enabled }} -param componentSyncSecrets = '{ .imageSync.componentSync.secrets }}' +param componentSyncSecrets = '{{ .imageSync.componentSync.secrets }}' param svcAcrName = '{{ .svcAcrName }}' From cebe9e103c9755014564a556776f9879f1061182 Mon Sep 17 00:00:00 2001 From: Jan-Hendrik Boll Date: Fri, 13 Dec 2024 09:44:13 +0100 Subject: [PATCH 7/8] Fix variable expression --- dev-infrastructure/templates/image-sync.bicep | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep index 1db51e03c..dc55cfb7b 100644 --- a/dev-infrastructure/templates/image-sync.bicep +++ b/dev-infrastructure/templates/image-sync.bicep @@ -57,9 +57,11 @@ param componentSyncSecrets string var csSecrets = json(componentSyncSecrets) -var bearerSecrets = [ for css in csSecrets: [ '${css.secret}' ]] +var bearerSecrets = [ for css in csSecrets: '${css.secret}'] + var secretsFolder = '/etc/containers' + var secretWithFolderPrefix = [ for css in csSecrets: { registry: css.registry secretFile: '${secretsFolder}/${css.secret}' From 0a40e179d1d0dc7cbae1d1856c5d4d8b8f248099 Mon Sep 17 00:00:00 2001 From: Jan-Hendrik Boll Date: Fri, 13 Dec 2024 09:58:34 +0100 Subject: [PATCH 8/8] Fix format --- dev-infrastructure/templates/image-sync.bicep | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep index dc55cfb7b..1e4eef757 100644 --- a/dev-infrastructure/templates/image-sync.bicep +++ b/dev-infrastructure/templates/image-sync.bicep @@ -57,15 +57,16 @@ param componentSyncSecrets string var csSecrets = json(componentSyncSecrets) -var bearerSecrets = [ for css in csSecrets: '${css.secret}'] - +var bearerSecrets = [for css in csSecrets: '${css.secret}'] var secretsFolder = '/etc/containers' -var secretWithFolderPrefix = [ for css in csSecrets: { - registry: css.registry - secretFile: '${secretsFolder}/${css.secret}' -}] +var secretWithFolderPrefix = [ + for css in csSecrets: { + registry: css.registry + secretFile: '${secretsFolder}/${css.secret}' + } +] // // Container App Infra