Make component sync work on container apps

dev-infrastructure/configurations/dev.mk

@@ -4,7 +4,7 @@ REGIONAL_RESOURCEGROUP ?= aro-hcp-$(USER)-$(REGION)
 SVC_KV_RESOURCEGROUP ?= global
 GLOBAL_RESOURCEGROUP ?= global
 IMAGE_SYNC_RESOURCEGROUP ?= aro-hcp-image-sync-$(USER)-$(REGION)
-IMAGE_SYNC_ENVIRONMENT ?= image-sync-env
+IMAGE_SYNC_ENVIRONMENT ?= image-sync-env-sxo4oqbcjiekg
 ARO_HCP_IMAGE_ACR ?= arohcpdev
 REGIONAL_ACR_NAME ?= arohcpdev$(shell echo $(CURRENTUSER) | sha256sum  | head -c 24)
 REPOSITORIES_TO_SYNC ?= '{registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/pstefans/controlplaneoperator,quay.io/app-sre/uhc-clusters-service}'

go.work.sum

@@ -471,8 +471,6 @@ github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/dennwc/varint v1.0.0/go.mod h1:hnItb35rvZvJrbTALZtY/iQfDs48JKRG1RPpgziApxA=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/digitalocean/godo v1.99.0/go.mod h1:SsS2oXo2rznfM/nORlZ/6JaUJZFhmKTib1YhopUc8NA=
 github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
@@ -842,6 +840,7 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a/go.mod h1:YPNKjjE7Ubp9dTbnWvsP3HT+hYnY6TfXzubYTBeUxc8=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.5.0 h1:e8esj/e4R+SAOwFwN+n3zr0nYeCyeweozKfO23MvHzY=
 github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=

image-sync/configuration/mvp-image-sync.yml

@@ -4,6 +4,6 @@ repositories:
   - quay.io/pstefans/controlplaneoperator
   - quay.io/app-sre/uhc-clusters-service
 numberOfTags: 10
-quaySecretfile: /etc/containers/quayio-auth.json
+quaySecretfile: /root/.docker/quayio-auth.json
 acrRegistry: arohcpdev.azurecr.io
 tenantId: 64dc69e4-d083-49fc-9569-ebece1dd1408

image-sync/deployment/Makefile

@@ -63,4 +63,8 @@ undeploy-oc-mirror:
 
 undeploy: undeploy-shared undeploy-component-sync undeploy-oc-mirror
 
-.PHONY: deploy-component-sync deploy-shared deploy-oc-mirror undeploy-shared undeploy-component-sync undeploy-oc-mirror
+deploy-ca-component-sync:
+	az containerapp job create -n component-sync-job -g ${IMAGE_SYNC_RESOURCEGROUP} \
+		--yaml ./componentSync/mvp-componentSyncJob.yml
+
+.PHONY: deploy-caj-component-sync deploy-component-sync deploy-shared deploy-oc-mirror undeploy-shared undeploy-component-sync undeploy-oc-mirror

image-sync/deployment/componentSync/mvp-componentSyncJob.yml

@@ -0,0 +1,58 @@
+
+identity:
+  userAssignedIdentities:
+    "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg": {}
+  type: UserAssigned
+properties:
+  environmentId: "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/aro-hcp-dev-image-sync/providers/Microsoft.App/managedEnvironments/image-sync-env-sxo4oqbcjiekg"
+  configuration:
+    replicaTimeout: 10000
+    replicaRetryLimit: 1
+    manualTriggerConfig:
+      replicaCompletionCount: 1
+      parallelism: 1
+    triggerType: Manual
+    registries:
+      - identity: "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg"
+        server: arohcpdev.azurecr.io
+    secrets:
+    - name: pull-secrets
+      keyVaultUrl: https://aro-hcp-dev-global-kv.vault.azure.net/secrets/component-sync-pull-secret
+      identity: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg
+    - name: bearer-secret
+      keyVaultUrl: https://aro-hcp-dev-global-kv.vault.azure.net/secrets/bearer-secret
+      identity: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg
+  template:
+    containers:
+    - image: arohcpdev.azurecr.io/image-sync/component-sync:latest
+      name: sync-components
+      volumeMounts:
+      - volumeName: pull-secrets-updated
+        mountPath: "/root/.docker"
+    initContainers:
+    - image: mcr.microsoft.com/azure-cli:cbl-mariner2.0
+      name: decodesecrets
+      command: 
+      - "/bin/sh"
+      args:
+      - "-c"
+      - "cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && cat /tmp/bearer-secret/bearer-secret | base64 -d > /etc/containers/quayio-auth.json"
+      volumeMounts:
+      - volumeName: pull-secrets-updated
+        mountPath: "/etc/containers"
+      - volumeName: pull-secrets
+        mountPath: "/tmp/secret-orig"
+      - volumeName: bearer-secret
+        mountPath: "/tmp/bearer-secret"
+    volumes:
+    - name: pull-secrets-updated
+      storageType: EmptyDir
+    - name: pull-secrets
+      storageType: Secret
+      secrets:
+      - secretRef: pull-secrets
+    - name: bearer-secret
+      storageType: Secret
+      secrets:
+      - secretRef: bearer-secret
+

tooling/image-sync/Dockerfile

@@ -10,4 +10,5 @@ WORKDIR /
 
 ADD config.yml /app/config.yml
 COPY --from=builder /app/image-sync .
+
 CMD ["/image-sync", "-c", "/app/config.yml"]

tooling/image-sync/internal/repository.go

@@ -128,13 +128,13 @@ func (q *QuayRegistry) GetTags(ctx context.Context, image string) ([]string, err
 	return tags, nil
 }
 
-type getAccessToken func(context.Context, *azidentity.DefaultAzureCredential) (string, error)
+type getAccessToken func(context.Context, *azidentity.ManagedIdentityCredential) (string, error)
 type getACRUrl func(string) string
 
 // AzureContainerRegistry implements ACR Repository access
 type AzureContainerRegistry struct {
 	acrName      string
-	credential   *azidentity.DefaultAzureCredential
+	credential   *azidentity.ManagedIdentityCredential
 	acrClient    *azcontainerregistry.Client
 	httpClient   *http.Client
 	numberOfTags int
@@ -146,7 +146,9 @@ type AzureContainerRegistry struct {
 
 // NewAzureContainerRegistry creates a new AzureContainerRegistry access client
 func NewAzureContainerRegistry(cfg *SyncConfig) *AzureContainerRegistry {
-	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	cred, err := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
+		ID: azidentity.ClientID(cfg.ManagedIdentityClientID),
+	})
 	if err != nil {
 		Log().Fatalf("failed to obtain a credential: %v", err)
 	}
@@ -164,7 +166,7 @@ func NewAzureContainerRegistry(cfg *SyncConfig) *AzureContainerRegistry {
 		numberOfTags: cfg.NumberOfTags,
 		tenantId:     cfg.TenantId,
 
-		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.DefaultAzureCredential) (string, error) {
+		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.ManagedIdentityCredential) (string, error) {
 			accessToken, err := dac.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{"https://management.core.windows.net//.default"}})
 			if err != nil {
 				return "", err

tooling/image-sync/internal/repository_test.go

@@ -121,9 +121,9 @@ func TestQuayGetTags(t *testing.T) {
 func TestGetPullSecret(t *testing.T) {
 	acr := AzureContainerRegistry{
 		tenantId:   "test",
-		credential: &azidentity.DefaultAzureCredential{},
+		credential: &azidentity.ManagedIdentityCredential{},
 
-		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.DefaultAzureCredential) (string, error) {
+		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.ManagedIdentityCredential) (string, error) {
 			return "fooBar", nil
 		},
 		getACRUrlImpl: func(acrName string) string {

tooling/image-sync/internal/sync.go

@@ -21,13 +21,14 @@ func Log() *zap.SugaredLogger {
 
 // SyncConfig is the configuration for the image sync
 type SyncConfig struct {
-	Repositories   []string
-	NumberOfTags   int
-	QuaySecretFile string
-	AcrRegistry    string
-	TenantId       string
-	RequestTimeout int
-	AddLatest      bool
+	Repositories            []string
+	NumberOfTags            int
+	QuaySecretFile          string
+	AcrRegistry             string
+	TenantId                string
+	RequestTimeout          int
+	AddLatest               bool
+	ManagedIdentityClientID string
 }
 
 // QuaySecret is the secret for quay.io
@@ -42,6 +43,7 @@ func NewSyncConfig() *SyncConfig {
 	v.SetDefault("numberoftags", 10)
 	v.SetDefault("requesttimeout", 10)
 	v.SetDefault("addlatest", false)
+	v.BindEnv("ManagedIdentityClientId", "MANAGED_IDENTITY_CLIENT_ID")
 
 	if err := v.Unmarshal(&sc); err != nil {
 		Log().Fatalw("Error while unmarshalling configuration %s", err.Error())