image-sync adaptions

* rely on env vars configuration / don't bake config file into image * support local authentication for testing outside of a container app * installation via dev-infrastructure bicep templates Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Oct 27, 2024 · 221616e · 221616e
1 parent 6bc6002
commit 221616e
Show file tree

Hide file tree

Showing 10 changed files with 209 additions and 202 deletions.
diff --git a/dev-infrastructure/configurations/mvp-image-sync.bicepparam b/dev-infrastructure/configurations/mvp-image-sync.bicepparam
@@ -3,8 +3,10 @@ using '../templates/image-sync.bicep'
 param acrResourceGroup = 'global'
 
 param keyVaultName = 'aro-hcp-dev-global-kv'
+param bearerSecretName = 'bearer-secret'
+param pullSecretName = 'component-sync-pull-secret'
 
-param requiredSecretNames = [
-  'component-sync-pull-secret'
-  'bearer-secret'
-]
+param componentSyncImage = 'arohcpdev.azurecr.io/image-sync/component-sync:gerd-10'
+param svcAcrName = 'arohcpdev'
+param repositoriesToSync = 'quay.io/app-sre/qontract-reconcile,registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service'
+param numberOfTags = 1
diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep
@@ -13,15 +13,34 @@ param imageSyncManagedIdentity string = 'image-sync-${uniqueString(resourceGroup
 @description('Resource group of the ACR containerapps will get permissions on')
 param acrResourceGroup string
 
-@description('Name of the pull secret')
-param requiredSecretNames array
+@description('Name of the service component ACR registry')
+param svcAcrName string
 
 @description('Name of the keyvault where the pull secret is stored')
 param keyVaultName string
 
 @description('Name of the KeyVault RG')
 param keyVaultResourceGroup string = 'global'
 
+@description('The name of the pull secret')
+param pullSecretName string
+
+@description('The name of the bearer secret')
+param bearerSecretName string
+
+@description('The image to use for the component sync job')
+param componentSyncImage string
+
+@description('A CSV of the repositories to sync')
+param repositoriesToSync string
+
+@description('The number of tags to sync per image in the repo list')
+param numberOfTags int = 10
+
+//
+// Container App Infra
+//
+
 resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
   name: containerAppLogAnalyticsName
   location: location
@@ -51,6 +70,8 @@ resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   location: location
 }
 
+// TODO: define permissions on ACR level instead of RG level
+
 module acrContributorRole '../modules/acr-permissions.bicep' = {
   name: guid(imageSyncManagedIdentity, 'acr', 'readwrite')
   scope: resourceGroup(acrResourceGroup)
@@ -71,7 +92,7 @@ module acrPullRole '../modules/acr-permissions.bicep' = {
 }
 
 module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' = [
-  for secretName in requiredSecretNames: {
+  for secretName in [pullSecretName, bearerSecretName]: {
     name: '${secretName}-access'
     scope: resourceGroup(keyVaultResourceGroup)
     params: {
@@ -82,3 +103,111 @@ module pullSecretPermission '../modules/keyvault/keyvault-secret-access.bicep' =
     }
   }
 ]
+
+//
+// Component sync job
+//
+
+var jobName = 'component-sync'
+var pullSecretFile = 'quayio-auth.json'
+
+resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = {
+  name: jobName
+  location: location
+
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${uami.id}': {}
+    }
+  }
+
+  properties: {
+    environmentId: containerAppEnvironment.id
+    configuration: {
+      eventTriggerConfig: {}
+      triggerType: 'Schedule'
+      scheduleTriggerConfig: {
+        cronExpression: '*/5 * * * *'
+        parallelism: 1
+      }
+      replicaTimeout: 60 * 60
+      registries: [
+        {
+          identity: uami.id
+          server: '${svcAcrName}${environment().suffixes.acrLoginServer}'
+        }
+      ]
+      secrets: [
+        {
+          name: 'pull-secrets'
+          keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${pullSecretName}'
+          identity: uami.id
+        }
+        {
+          name: 'bearer-secret'
+          keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${bearerSecretName}'
+          identity: uami.id
+        }
+      ]
+    }
+    template: {
+      containers: [
+        {
+          name: jobName
+          image: componentSyncImage
+          volumeMounts: [
+            { volumeName: 'pull-secrets-updated', mountPath: '/auth' }
+          ]
+          env: [
+            { name: 'NUMBER_OF_TAGS', value: '${numberOfTags}' }
+            { name: 'REPOSITORIES', value: repositoriesToSync }
+            { name: 'QUAY_SECRET_FILE', value: '/auth/${pullSecretFile}' }
+            { name: 'ACR_REGISTRY', value: '${svcAcrName}${environment().suffixes.acrLoginServer}' }
+            { name: 'TENANT_ID', value: tenant().tenantId }
+            { name: 'DOCKER_CONFIG', value: '/auth' }
+            { name: 'MANAGED_IDENTITY_CLIENT_ID', value: uami.properties.clientId }
+          ]
+        }
+      ]
+      initContainers: [
+        {
+          name: 'decodesecrets'
+          image: 'mcr.microsoft.com/azure-cli:cbl-mariner2.0'
+          command: [
+            '/bin/sh'
+          ]
+          args: [
+            '-c'
+            'cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && cat /tmp/bearer-secret/bearer-secret | base64 -d > /etc/containers/${pullSecretFile}'
+          ]
+          volumeMounts: [
+            { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' }
+            { volumeName: 'pull-secrets', mountPath: '/tmp/secret-orig' }
+            { volumeName: 'bearer-secret', mountPath: '/tmp/bearer-secret' }
+          ]
+        }
+      ]
+      volumes: [
+        {
+          name: 'pull-secrets-updated'
+          storageType: 'EmptyDir'
+        }
+        {
+          name: 'pull-secrets'
+          storageType: 'Secret'
+          secrets: [
+            { secretRef: 'pull-secrets' }
+          ]
+        }
+        {
+          name: 'bearer-secret'
+          storageType: 'Secret'
+          secrets: [
+            { secretRef: 'bearer-secret' }
+          ]
+        }
+      ]
+    }
+  }
+}
diff --git a/image-sync/configuration/mvp-image-sync.yml b/image-sync/configuration/mvp-image-sync.yml
diff --git a/image-sync/deployment/componentSync/component-sync.bicep b/image-sync/deployment/componentSync/component-sync.bicep
diff --git a/image-sync/deployment/componentSync/mvp-component-sync.bicepparam b/image-sync/deployment/componentSync/mvp-component-sync.bicepparam
diff --git a/tooling/image-sync/Dockerfile b/tooling/image-sync/Dockerfile
@@ -1,14 +1,13 @@
-FROM --platform=${TARGETPLATFORM:-linux/amd64} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-cbl-mariner2.0@sha256:28a743b14a9d4e9ff19c522dfaa97b38cb603badf69181f983f5033708552564 as builder
+FROM --platform=linux/amd64 mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-cbl-mariner2.0@sha256:28a743b14a9d4e9ff19c522dfaa97b38cb603badf69181f983f5033708552564 as builder
 
 WORKDIR /app
 ADD . .
 # https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips#build-option-to-require-fips-mode
-RUN CGO_ENABLED=1 go build -tags=containers_image_openpgp,requirefips .
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -tags=containers_image_openpgp,requirefips .
 
-FROM --platform=${TARGETPLATFORM:-linux/amd64} mcr.microsoft.com/cbl-mariner/distroless/base:2.0-nonroot@sha256:ef0dc582fc2a8dd34fbb41341a3a9a1aaa70d4542ff04ce4e33a641e52e4807e
+FROM --platform=linux/amd64 mcr.microsoft.com/cbl-mariner/distroless/base:2.0-nonroot@sha256:ef0dc582fc2a8dd34fbb41341a3a9a1aaa70d4542ff04ce4e33a641e52e4807e
 WORKDIR /
 
-ADD config.yml /app/config.yml
 COPY --from=builder /app/image-sync .
 
-CMD ["/image-sync", "-c", "/app/config.yml"]
+CMD ["/image-sync"]