Support overwrite for secrets #616

Merged
merged 3 commits into from
Sep 18, 2024
Merged
4 changes: 4 additions & 0 deletions dev-infrastructure/configurations/mvp-dev-acr.bicepparam
Expand Up @@ -12,6 +12,8 @@ param quayRepositoriesToCache = [
purgeFilter: 'quay.io/openshift-release-dev/.*:.*'
purgeAfter: '2d'
imagesToKeep: 1
userIdentifier: 'quay-username'
passwordIdentifier: 'quay-password'
}
{
ruleName: 'csSandboxImages'
Expand All @@ -20,6 +22,8 @@ param quayRepositoriesToCache = [
purgeFilter: 'quay.io/app-sre/ocm-clusters-service-sandbox:.*'
purgeAfter: '2d'
imagesToKeep: 1
userIdentifier: 'quay-componentsync-username'
passwordIdentifier: 'quay-componentsync-password'
}
]

Expand Down
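Review bot: The two new keys in each entry are named asymmetrically — `userIdentifier` beside `passwordIdentifier` — while the template maps them to `usernameSecretIdentifier` and `passwordSecretIdentifier` (the pullCredential loop in dev-acr.bicep, same PR); `usernameIdentifier: 'quay-username'` would keep the pair parallel and match the property it feeds. Every entry must now carry both keys: the template reads `repo.userIdentifier` and `repo.passwordIdentifier` unconditionally, so an entry that omits them fails at deployment instead of falling back to the defaults the removed `usernameSecretIdentifier`/`passwordSecretIdentifier` parameters used to supply. The secret names referenced here (`quay-componentsync-username`, `quay-componentsync-password`) presumably have to exist in the vault before the credential set is created — worth stating in the entry's comment or the param description.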
74 changes: 35 additions & 39 deletions dev-infrastructure/templates/dev-acr.bicep
Expand Up @@ -9,14 +9,6 @@ param location string = resourceGroup().location
@description('Service tier of the Azure Container Registry.')
param acrSku string

@description('KeyVault secret name with the password used to log into quay.')
#disable-next-line secure-secrets-in-params
param passwordSecretIdentifier string = 'quay-password'

@description('KeyVault secret name with the username used to log into quay.')
#disable-next-line secure-secrets-in-params
param usernameSecretIdentifier string = 'quay-username'

@description('List of quay repositories to cache in the Azure Container Registry.')
param quayRepositoriesToCache array = []

Expand Down Expand Up @@ -84,7 +76,7 @@ steps:
trigger: {
timerTriggers: [
{
name: 'weekly'
name: 'daily'
schedule: '0 0 * * *'
}
]
Expand All @@ -95,48 +87,52 @@ steps:
@description('Login server property for later use')
output loginServer string = acrResource.properties.loginServer

resource pullCredential 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = if (length(quayRepositoriesToCache) > 0) {
name: 'quayPullCredential'
parent: acrResource
identity: {
type: 'SystemAssigned'
}
properties: {
authCredentials: [
{
name: 'Credential1'
passwordSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${passwordSecretIdentifier}'
usernameSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${usernameSecretIdentifier}'
}
]
loginServer: 'quay.io'
resource pullCredential 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = [
for repo in quayRepositoriesToCache: {
name: repo.ruleName
parent: acrResource
identity: {
type: 'SystemAssigned'
}
properties: {
authCredentials: [
{
name: 'Credential1'
passwordSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${repo.passwordIdentifier}'
usernameSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${repo.userIdentifier}'
}
]
loginServer: 'quay.io'
}
}
}
]

resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01-preview' = [
for repo in quayRepositoriesToCache: {
for (repo, i) in quayRepositoriesToCache: {
name: repo.ruleName
parent: acrResource
properties: {
credentialSetResourceId: pullCredential.id
credentialSetResourceId: pullCredential[i].id
sourceRepository: repo.sourceRepo
targetRepository: repo.targetRepo
}
}
]

resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (length(quayRepositoriesToCache) > 0) {
scope: keyVault
name: guid(keyVault.id, 'quayPullSecrets', 'read')
properties: {
roleDefinitionId: subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions/',
'4633458b-17de-408a-b874-0445c86b69e6'
)
principalId: pullCredential.identity.principalId
principalType: 'ServicePrincipal'
resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
for (repo, i) in quayRepositoriesToCache: {
scope: keyVault
name: guid(keyVault.id, 'quayPullSecrets', 'read', repo.ruleName)
properties: {
roleDefinitionId: subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions/',
'4633458b-17de-408a-b874-0445c86b69e6'
)
principalId: pullCredential[i].identity.principalId
principalType: 'ServicePrincipal'
}
}
}
]

resource purgeCached 'Microsoft.ContainerRegistry/registries/tasks@2019-04-01' = [
for repo in quayRepositoriesToCache: {
Expand Down Expand Up @@ -171,7 +167,7 @@ steps:
timerTriggers: [
{
name: 'daily'
schedule: '0 * * * *'
schedule: '0 0 * * *'
}
]
}
Expand Down
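Review bot: Each per-repository credential-set identity is still granted its role at `scope: keyVault` in the secretAccessPermission loop, so every identity can read every secret in the vault, not only the two secret names its own entry references; splitting the credentials per repository gains no isolation until the assignment scope is narrowed. If the vault is RBAC-enabled, the assignment can be scoped to the individual secret resources rather than the vault — presumably two assignments per entry, one for `repo.userIdentifier` and one for `repo.passwordIdentifier`, each referencing the secret under keyVault as an existing resource — confirm the vault uses RBAC rather than access policies before changing this. Separately, the `@description` on `quayRepositoriesToCache` (an unchanged context line just above the removed parameters) should now list the required item fields, since the template reads them with no default: `@description('List of quay repositories to cache in the Azure Container Registry. Each item needs ruleName, sourceRepo, targetRepo, userIdentifier and passwordIdentifier (KeyVault secret names for the quay login).')`. Note the role definition id `4633458b-17de-408a-b874-0445c86b69e6` is unchanged by this PR; the scope, not the role, is the point here.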