WIP

Azure · Oct 18, 2024 · d34dc0e · d34dc0e
1 parent 85c43cc
commit d34dc0e
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 41 deletions.
diff --git a/go.work.sum b/go.work.sum
@@ -471,8 +471,6 @@ github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/dennwc/varint v1.0.0/go.mod h1:hnItb35rvZvJrbTALZtY/iQfDs48JKRG1RPpgziApxA=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/digitalocean/godo v1.99.0/go.mod h1:SsS2oXo2rznfM/nORlZ/6JaUJZFhmKTib1YhopUc8NA=
 github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
@@ -842,6 +840,7 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a/go.mod h1:YPNKjjE7Ubp9dTbnWvsP3HT+hYnY6TfXzubYTBeUxc8=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.5.0 h1:e8esj/e4R+SAOwFwN+n3zr0nYeCyeweozKfO23MvHzY=
 github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=

diff --git a/image-sync/configuration/mvp-image-sync.yml b/image-sync/configuration/mvp-image-sync.yml
@@ -5,5 +5,5 @@ repositories:
   - quay.io/app-sre/uhc-clusters-service
 numberOfTags: 10
 quaySecretfile: /etc/containers/quayio-auth.json
-acrRegistry: arohcpdev.azurecr.io
+acrRegistry: jbolltesting.azurecr.io
 tenantId: 64dc69e4-d083-49fc-9569-ebece1dd1408
diff --git a/image-sync/deployment/componentSync/mvp-componentSyncJob.yml b/image-sync/deployment/componentSync/mvp-componentSyncJob.yml
@@ -6,31 +6,64 @@ identity:
 properties:
   environmentId: "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/aro-hcp-dev-image-sync/providers/Microsoft.App/managedEnvironments/image-sync-env-sxo4oqbcjiekg"
   configuration:
-    replicaTimeout: 10
-    replicaRetryLimit: 10
+    replicaTimeout: 10000
+    replicaRetryLimit: 1
     manualTriggerConfig:
       replicaCompletionCount: 1
-      parallelism: 4
+      parallelism: 1
     triggerType: Manual
     registries:
       - identity: "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg"
         server: arohcpdev.azurecr.io
+    secrets:
+    - name: pull-secrets
+      keyVaultUrl: https://aro-hcp-dev-global-kv.vault.azure.net/secrets/jbolltesting
+      identity: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg
+    - name: bearer-secret
+      keyVaultUrl: https://aro-hcp-dev-global-kv.vault.azure.net/secrets/bearer-secret
+      identity: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg
   template:
     containers:
-    - image: arohcpdev.azurecr.io/image-sync/component-sync:latest
+    - image: arohcpdev.azurecr.io/image-sync/component-sync:testing
       name: sync-components
-    #   volumeMounts:
-    #   - volumeName: pull-secrets-updated
-    #     mountPath: "/etc/containers"
-    # initContainers:
-    # - image: mcr.microsoft.com/azure-cli:cbl-mariner2.0
-    #   name: login
-    #   command: ['sh', '-c',
-    #       "az login --federated-token $(cat $AZURE_FEDERATED_TOKEN_FILE) --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID; accessToken=$(az acr login --name {{ .Values.acrRegistryName }} --expose-token | grep accessToken |cut -d ':' -f2| tr -d ' \",') ; cat /tmp/secret-orig/pull-secret | base64 -d  |sed \"s/TOKENTOBEREPLACED/$accessToken/\" > /etc/containers/auth.json",
-    #     ]
-    #   volumeMounts:
-    #   - volumeName: pull-secrets-updated
-    #     mountPath: "/etc/containers"
-    # volumes:
-    # - name: pull-secrets-updated
-    #   storageType: EmptyDir
+      volumeMounts:
+      - volumeName: pull-secrets-updated
+        mountPath: "/etc/containers"
+    initContainers:
+    - image: mcr.microsoft.com/azure-cli:cbl-mariner2.0
+      name: login
+      command: 
+      - "/bin/sh"
+      - "-c"
+      - "az login --identity --username 5d766170-b14c-4f75-a2c2-e44ff99d1216; accessToken=$(az acr login --name jbolltesting --expose-token | grep accessToken |cut -d ':' -f2| tr -d ' \",') ; cat /tmp/secret-orig/pull-secrets | base64 -d  |sed \"s/TOKENTOBEREPLACED/$accessToken/\" > /etc/containers/auth.json"
+      volumeMounts:
+      - volumeName: pull-secrets-updated
+        mountPath: "/etc/containers"
+      - volumeName: pull-secrets
+        mountPath: "/tmp/secret-orig"
+      env:
+      - name: APPSETTING_WEBSITE_SITE_NAME
+        value: https://github.com/microsoft/azure-container-apps/issues/502
+    - image: mcr.microsoft.com/azure-cli:cbl-mariner2.0
+      name: quay-auth
+      command: 
+      - "/bin/sh"
+      - "-c"
+      - "cat /tmp/bearer-secret/bearer-secret | base64 -d > /etc/containers/quayio-auth.json"
+      volumeMounts:
+      - volumeName: pull-secrets-updated
+        mountPath: "/etc/containers"
+      - volumeName: bearer-secret
+        mountPath: "/tmp/bearer-secret"
+    volumes:
+    - name: pull-secrets-updated
+      storageType: EmptyDir
+    - name: pull-secrets
+      storageType: Secret
+      secrets:
+      - secretRef: pull-secrets
+    - name: bearer-secret
+      storageType: Secret
+      secrets:
+      - secretRef: bearer-secret
+
diff --git a/tooling/image-sync/Dockerfile b/tooling/image-sync/Dockerfile
@@ -10,4 +10,4 @@ WORKDIR /
 
 ADD config.yml /app/config.yml
 COPY --from=builder /app/image-sync .
-CMD ["/image-sync", "-c", "/app/config.yml"]
+CMD ["/image-sync",  "-l", "debug", "-c", "/app/config.yml"]
diff --git a/tooling/image-sync/Makefile b/tooling/image-sync/Makefile
@@ -17,12 +17,11 @@ clean:
 build-push: image push
 
 image:
-	cp ../../image-sync/configuration/mvp-image-sync.yml config.yml
-	docker build --platform="linux/amd64" -f "./Dockerfile" -t ${ARO_HCP_IMAGE_SYNC_IMAGE}:${COMMIT} .
+	docker build --platform="linux/amd64" -f "./Dockerfile" -t ${ARO_HCP_IMAGE_SYNC_IMAGE}:testing .
 
 push:
-	docker tag ${ARO_HCP_IMAGE_SYNC_IMAGE}:${COMMIT} ${ARO_HCP_IMAGE_SYNC_IMAGE}:latest
-	docker push ${ARO_HCP_IMAGE_SYNC_IMAGE}:${COMMIT}
-	docker push ${ARO_HCP_IMAGE_SYNC_IMAGE}:latest
+	docker tag ${ARO_HCP_IMAGE_SYNC_IMAGE}:testing ${ARO_HCP_IMAGE_SYNC_IMAGE}:latest
+	docker push ${ARO_HCP_IMAGE_SYNC_IMAGE}:testing
+	# docker push ${ARO_HCP_IMAGE_SYNC_IMAGE}:latest
 
 .PHONY: image-sync clean image run deploy
diff --git a/tooling/image-sync/config.yml b/tooling/image-sync/config.yml
diff --git a/tooling/image-sync/internal/repository.go b/tooling/image-sync/internal/repository.go
@@ -128,13 +128,13 @@ func (q *QuayRegistry) GetTags(ctx context.Context, image string) ([]string, err
 	return tags, nil
 }
 
-type getAccessToken func(context.Context, *azidentity.DefaultAzureCredential) (string, error)
+type getAccessToken func(context.Context, *azidentity.ManagedIdentityCredential) (string, error)
 type getACRUrl func(string) string
 
 // AzureContainerRegistry implements ACR Repository access
 type AzureContainerRegistry struct {
 	acrName      string
-	credential   *azidentity.DefaultAzureCredential
+	credential   *azidentity.ManagedIdentityCredential
 	acrClient    *azcontainerregistry.Client
 	httpClient   *http.Client
 	numberOfTags int
@@ -146,7 +146,7 @@ type AzureContainerRegistry struct {
 
 // NewAzureContainerRegistry creates a new AzureContainerRegistry access client
 func NewAzureContainerRegistry(cfg *SyncConfig) *AzureContainerRegistry {
-	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	cred, err := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{ID: azidentity.ClientID("5d766170-b14c-4f75-a2c2-e44ff99d1216")})
 	if err != nil {
 		Log().Fatalf("failed to obtain a credential: %v", err)
 	}
@@ -164,7 +164,7 @@ func NewAzureContainerRegistry(cfg *SyncConfig) *AzureContainerRegistry {
 		numberOfTags: cfg.NumberOfTags,
 		tenantId:     cfg.TenantId,
 
-		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.DefaultAzureCredential) (string, error) {
+		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.ManagedIdentityCredential) (string, error) {
 			accessToken, err := dac.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{"https://management.core.windows.net//.default"}})
 			if err != nil {
 				return "", err