chore: refactor Go CronJob to Pepr OnSchedule capability

.github/codeql.yaml

@@ -1,6 +1,2 @@
 paths-ignore:
   - build/**
-
-query-filters:
-  - exclude:
-      id: go/path-injection

.github/workflows/release.yml

@@ -27,33 +27,8 @@ jobs:
       - name: Install tools
         uses: defenseunicorns/zarf/.github/actions/install-tools@main
 
-      - name: Setup Go
-        uses: defenseunicorns/zarf/.github/actions/golang@main
-
-      - name: Build ECR credential-helper binary
-        run: make build-credential-helper-linux-amd
-
-      - name: "ECR Credential Helper: Login to GHCR"
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        with:
-          registry: ghcr.io
-          username: dummy
-          password: ${{ github.token }}
-
-      - name: "ECR Credential Helper: Build and Publish the Image"
-        run: docker buildx build --push --platform linux/amd64 --tag ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME .
-
-      # TODO@jeff-mccoy: Setup cosign signing key secrets in repo
-      # - name: "ECR Credential Helper: Sign the Image"
-      #   run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME
-      #   env:
-      #     COSIGN_EXPERIMENTAL: 1
-      #     AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
-      #     AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
-      #     AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
-
       - name: Build AWS init package for release
-        run: make release-aws-init-package CREDENTIAL_HELPER_IMAGE_TAG=$GITHUB_REF_NAME
+        run: make release-aws-init-package
 
       - name: Publish AWS Init Package as OCI and Skeleton
         run: make publish-aws-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages

.github/workflows/scan-codeql.yml

@@ -27,20 +27,10 @@ jobs:
       contents: read
       security-events: write
 
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["go", "javascript", "typescript"]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Setup Go
-        uses: defenseunicorns/zarf/.github/actions/golang@main
-
       - name: Setup NodeJS
         uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
@@ -54,13 +44,10 @@ jobs:
         env:
           CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
         with:
-          languages: ${{ matrix.language }}
+          languages: typescript
           config-file: ./.github/codeql.yaml
 
-      - name: Build
-        run: make build-credential-helper-linux-amd
-
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
-          category: "/language:${{matrix.language}}"
+          category: "/language:typescript"

.github/workflows/scan-cves.yml

@@ -10,8 +10,6 @@ on:
     paths:
       - "**/package.json"
       - "**/package-lock.json"
-      - "go.mod"
-      - "go.sum"
 
 jobs:
   validate:

.github/workflows/test-aws-init-package.yml

@@ -56,9 +56,6 @@ jobs:
       - name: Install Node dependencies
         run: npm ci
 
-      - name: Setup Go
-        uses: defenseunicorns/zarf/.github/actions/golang@main
-
       - name: Build ECR Pepr module
         run: make build-module
 

.vscode/pepr.code-snippets

@@ -0,0 +1,21 @@
+{
+  "Create a new Pepr capability": {
+    "prefix": "create pepr capability",
+    "body": [
+      "import { Capability, a } from 'pepr';",
+      "",
+      "export const ${TM_FILENAME_BASE/(.*)/${1:/pascalcase}/} = new Capability({",
+      "\tname: '${TM_FILENAME_BASE}',",
+      "\tdescription: '${1:A brief description of this capability.}',",
+      "\tnamespaces: [${2:}],",
+      "});",
+      "",
+      "// Use the 'When' function to create a new action",
+      "const { When } = ${TM_FILENAME_BASE/(.*)/${1:/pascalcase}/};",
+      "",
+      "// When(a.<Kind>).Is<Event>().Then(change => change.<changes>",
+      "When(${3:})"
+    ],
+    "description": "Creates a new Pepr capability with a specified description, optional namespaces, and adds a When statement for the specified value."
+  }
+}

.vscode/settings.json

@@ -0,0 +1,9 @@
+{
+  "debug.javascript.terminalOptions": {
+    "enableTurboSourcemaps": true,
+    "resolveSourceMapLocations": [
+      "${workspaceFolder}/**",
+      "node_modules/pepr/**"
+    ]
+  }
+}

Makefile

@@ -4,7 +4,6 @@
 # Provide a default value for the operating system architecture used in tests, e.g. " APPLIANCE_MODE=true|false make test-e2e ARCH=arm64"
 ARCH ?= amd64
 ZARF_VERSION ?= $$(zarf version)
-CREDENTIAL_HELPER_BIN := ./build/zarf-ecr-credential-helper
 CLUSTER_NAME ?= ""
 INSTANCE_TYPE ?= t3.small
 EKS_PACKAGE := ./build/zarf-package-distro-eks-multi-0.0.5.tar.zst
@@ -55,20 +54,12 @@ test-gen-schema:
 	$(MAKE) gen-schema
 	hack/gen-schema/check-gen-schema.sh
 
-# Note: the path to the main.go file is not used due to https://github.com/golang/go/issues/51831#issuecomment-1074188363
-build-credential-helper-linux-amd: ## Build the ECR credential helper binary for Linux on AMD64
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o ./build/zarf-ecr-credential-helper
-
-build-local-credential-helper-image: ## Build the ECR credential helper image to be used in a locally built init package
-	@test -s $(CREDENTIAL_HELPER_BIN) || $(MAKE) build-credential-helper-linux-amd
-	docker buildx build --load --platform linux/$(ARCH) --tag ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:local .
-
 aws-init-package: ## Build the AWS Zarf init package
 	ZARF_CONFIG="zarf-config.example.yaml" zarf package create -o build -a $(ARCH) --confirm .
 
 # INTERNAL: used to build a release version of the AWS init package with a specific credential-helper image
 release-aws-init-package:
-	ZARF_CONFIG="zarf-config.example.yaml" zarf package create -o build -a $(ARCH) --set CREDENTIAL_HELPER_IMAGE_TAG=$(CREDENTIAL_HELPER_IMAGE_TAG) --confirm .
+	ZARF_CONFIG="zarf-config.example.yaml" zarf package create -o build -a $(ARCH) --confirm .
 
 # INTERNAL: used to publish the AWS init package
 publish-aws-init-package:
@@ -116,19 +107,18 @@ delete-iam: ## Delete AWS IAM policies and roles used in CI
 
 update-zarf-config: ## Generate a new Zarf config file with registry type and IAM role ARN values to use for 'zarf init'
 	@cd iam || exit \
-	&& node ../hack/update-zarf-config/index.mjs "$(REGISTRY_TYPE)" "$$(PULUMI_CONFIG_PASSPHRASE="" pulumi stack output webhookRoleArn)" "$$(PULUMI_CONFIG_PASSPHRASE="" pulumi stack output credentialHelperRoleArn)"
+	&& node ../hack/update-zarf-config/index.mjs "$(REGISTRY_TYPE)" "$$(PULUMI_CONFIG_PASSPHRASE="" pulumi stack output roleArn)"
 
 deploy-init-package-private: ## Run zarf init to deploy the AWS init package configured with private ECR registry
 	@cd build || exit \
 	&& ZARF_CONFIG="../zarf-config.yaml" zarf init \
 		--registry-url="$$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.us-east-1.amazonaws.com" \
         --registry-push-username="AWS" \
         --registry-push-password="$$(aws ecr get-login-password --region us-east-1)" \
-        --components="zarf-ecr-credential-helper" \
         --confirm
 
 delete-private-repos: ## Delete private ECR repos created by deploying the AWS init package
-	@repos="defenseunicorns/pepr/controller defenseunicorns/zarf/agent defenseunicorns/zarf-init-aws/ecr-credential-helper"; \
+	@repos="defenseunicorns/pepr/controller defenseunicorns/zarf/agent"; \
 	for repo in $${repos}; do \
 		aws ecr delete-repository --repository-name "$$repo" --force --region us-east-1 || true; \
 	done
@@ -139,11 +129,10 @@ deploy-init-package-public: ## Run zarf init to deploy the AWS init package conf
 		--registry-url="$$(aws ecr-public describe-registries --query 'registries[0].registryUri' --output text --region us-east-1)" \
         --registry-push-username="AWS" \
         --registry-push-password="$$(aws ecr-public get-login-password --region us-east-1)" \
-        --components="zarf-ecr-credential-helper" \
         --confirm
 
 delete-public-repos: ## Delete public ECR repos created by deploying the AWS init package
-	@repos="defenseunicorns/pepr/controller defenseunicorns/zarf/agent defenseunicorns/zarf-init-aws/ecr-credential-helper"; \
+	@repos="defenseunicorns/pepr/controller defenseunicorns/zarf/agent"; \
 	for repo in $${repos}; do \
 		aws ecr-public delete-repository --repository-name "$$repo" --force --region us-east-1 || true; \
 	done

README.md

@@ -28,22 +28,13 @@ This repository contains the Zarf init package for AWS that uses [ECR](https://a
 
 - AWS CLI configured with the necessary permissions to describe and create ECR repositories, and fetch ECR tokens
 
-- Create IAM role for the Pepr webhook to be able to list and create ECR repositories
-  - See an [example role for reference](iam/json/ecr-webhook-role.json). Be sure to replace the `{{AWS_ACCOUNT_ID}}` and `{{EKS_CLUSTER_ID}}` placeholders, as well as the AWS region with your values.
+- Create IAM role for the Pepr controller to be able to list and create ECR repositories, as well as fetch ECR tokens
+  - See an [example role for reference](iam/json/ecr-role.json). Be sure to replace the `{{AWS_ACCOUNT_ID}}` and `{{EKS_CLUSTER_ID}}` placeholders, as well as the AWS region with your values.
 
-  - You will need to create an IAM policy with the appropriate permissions and attach it to the role. See an [example policy for reference](iam/json/ecr-webhook-policy.json).
+  - You will need to create an IAM policy with the appropriate permissions and attach it to the role. See an [example policy for reference](iam/json/ecr-policy.json).
 
   ***Note***: If you only need to work with a private ECR registry, the `ecr-public:` prefixed actions can be removed from the policy. Likewise, if you only need to work with a public ECR registry, the `ecr:` prefixed actions can be removed from the policy.
 
-- (Optional) Create IAM role for the `zarf-ecr-credential-helper` to be able to fetch new ECR auth tokens
-  - The credential helper is an optional component and is NOT required to use ECR as an external Zarf registry. It can be used if you are looking for an automated solution for keeping your image pull secrets updated with valid ECR auth tokens. Frequent rotation of ECR tokens in image pull secrets is required because they expire after 12 hours. <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html>
-
-  - See an [example role for reference](iam/json/ecr-credential-helper-role.json). Be sure to replace the `{{AWS_ACCOUNT_ID}}` and `{{EKS_CLUSTER_ID}}` placeholders, as well as the AWS region with your values.
-
-  - You will need to create an IAM policy with the appropriate permissions and attach it to the role. See an [example policy for reference](iam/json/ecr-credential-helper-policy.json).
-
-  ***Note***: If you only need to work with a private ECR registry, the `ecr-public:` prefixed actions can be removed from the policy. Likewise, if you only need to work with a public ECR registry, the `ecr:` prefixed actions can be removed from the policy.
-
 ### Get the Zarf init package
 
 ```bash
@@ -61,16 +52,14 @@ zarf package pull oci://ghcr.io/defenseunicorns/packages/init-aws:$(zarf version
 
     package:
       deploy:
-        components: zarf-ecr-credential-helper
         set:
           registry_type: private
 
           # Change me to your AWS region if needed
           aws_region: us-east-1
 
           # Set IAM role ARNs
-          ecr_hook_role_arn: <YOUR_WEBHOOK_ROLE_ARN>
-          ecr_credential_helper_role_arn: <YOUR_CREDENTIAL_HELPER_ROLE_ARN>
+          ecr_role_arn: <YOUR_ROLE_ARN>
 
     ```
 
@@ -98,7 +87,6 @@ zarf package pull oci://ghcr.io/defenseunicorns/packages/init-aws:$(zarf version
 
     package:
       deploy:
-        components: zarf-ecr-credential-helper
         set:
           registry_type: public
 
@@ -107,8 +95,7 @@ zarf package pull oci://ghcr.io/defenseunicorns/packages/init-aws:$(zarf version
           aws_region: us-east-1
 
           # Set IAM role ARNs
-          ecr_hook_role_arn: <YOUR_WEBHOOK_ROLE_ARN>
-          ecr_credential_helper_role_arn: <YOUR_CREDENTIAL_HELPER_ROLE_ARN>
+          ecr_role_arn: <YOUR_ROLE_ARN>
 
     ```
 

capabilities/ecr-credential-helper/credential-helper.ts

@@ -0,0 +1,67 @@
+import { Capability } from "pepr";
+import { ECRPrivate } from "../ecr-private";
+import { ECRPublic } from "../ecr-public";
+import { isPrivateECRURL, isPublicECRURL } from "../lib/utils";
+import { updateZarfManagedImageSecrets } from "../lib/zarf";
+import { isECRregistry } from "../lib/ecr";
+
+/**
+ * The ECR Credential Helper Capability refreshes ECR tokens for Zarf image pull secrets.
+ */
+export const ECRCredentialHelper = new Capability({
+  name: "ecr-credential-helper",
+  description: "Refreshes ECR tokens for Zarf image pull secrets",
+  namespaces: ["pepr-system"],
+});
+
+const { OnSchedule } = ECRCredentialHelper;
+
+/**
+ * Following the same schedule used by the EKS Anywhere CronJob used to refresh ECR tokens.
+ * https://github.com/aws/eks-anywhere-packages/blob/492a930b6cc1791208b9ac6da9907331350ace5a/charts/eks-anywhere-packages/templates/cronjob.yaml#L18
+ */
+OnSchedule({
+  name: "refresh-ecr-token",
+  every: 5,
+  unit: "hours",
+  run: async () => {
+    await refreshECRToken();
+  },
+});
+
+async function refreshECRToken(): Promise<void> {
+  let authToken: string = "";
+  const region = process.env.AWS_REGION;
+
+  if (region === undefined) {
+    throw new Error("AWS_REGION environment variable is not defined.");
+  }
+
+  try {
+    const result = await isECRregistry();
+
+    if (!result.isECR) {
+      throw new Error(
+        `A valid ECR URL was not found in the Zarf state secret: ${result.registryURL}\n
+        Please provide a valid ECR registry URL.\n
+        Example: '123456789012.dkr.ecr.us-east-1.amazonaws.com'`,
+      );
+    }
+
+    if (isPrivateECRURL(result.registryURL)) {
+      const ecrPrivate = new ECRPrivate(region);
+      authToken = await ecrPrivate.fetchECRToken();
+    }
+
+    if (isPublicECRURL(result.registryURL)) {
+      const ecrPublic = new ECRPublic(region);
+      authToken = await ecrPublic.fetchECRToken();
+    }
+
+    await updateZarfManagedImageSecrets(result.registryURL, authToken);
+  } catch (err) {
+    throw new Error(
+      `unable to update ECR token in Zarf image pull secrets: ${err}`,
+    );
+  }
+}

capabilities/ecr-private.ts

@@ -4,6 +4,7 @@ import {
   CreateRepositoryCommandInput,
   DescribeRepositoriesCommand,
   DescribeRepositoriesCommandInput,
+  GetAuthorizationTokenCommand,
 } from "@aws-sdk/client-ecr";
 import { Log } from "pepr";
 import { ECRProvider } from "./ecr-provider";
@@ -63,8 +64,9 @@ export class ECRPrivate implements ECRProvider {
       }
       return existingRepositories;
     } catch (err) {
-      Log.error(`Error checking for existing ECR repositories: ${err}`);
-      return [];
+      throw new Error(
+        `error listing existing private ECR repositories: ${err}`,
+      );
     }
   }
 
@@ -98,7 +100,26 @@ export class ECRPrivate implements ECRProvider {
         }
       }
     } catch (err) {
-      Log.error(`Error creating ECR repositories: ${err}`);
+      throw new Error(`error creating ECR repositories: ${err}`);
+    }
+  }
+
+  async fetchECRToken(): Promise<string> {
+    try {
+      const authOutput = await this.ecr.send(
+        new GetAuthorizationTokenCommand({}),
+      );
+
+      if (authOutput.authorizationData.length === 0) {
+        throw new Error("No authorization data received from ECR");
+      }
+      if (authOutput.authorizationData[0].authorizationToken === "") {
+        throw new Error("Empty authorization token received from ECR");
+      }
+
+      return authOutput.authorizationData[0].authorizationToken;
+    } catch (err) {
+      throw new Error(`error fetching ECR token: ${err}`);
     }
   }
 }

capabilities/ecr-provider.ts

@@ -4,4 +4,5 @@
 export interface ECRProvider {
   listExistingRepositories(repoNames: string[]): Promise<string[]>;
   createRepositories(repoNames: string[], accountId?: string): Promise<void>;
+  fetchECRToken(): Promise<string>;
 }