Make component sync work on container apps

Azure · Oct 23, 2024 · 5b57eb3 · 5b57eb3
1 parent 62a464c
commit 5b57eb3
Show file tree

Hide file tree

Showing 9 changed files with 83 additions and 25 deletions.
diff --git a/dev-infrastructure/configurations/dev.mk b/dev-infrastructure/configurations/dev.mk
@@ -4,6 +4,6 @@ REGIONAL_RESOURCEGROUP ?= aro-hcp-$(USER)-$(REGION)
 SVC_KV_RESOURCEGROUP ?= global
 GLOBAL_RESOURCEGROUP ?= global
 IMAGE_SYNC_RESOURCEGROUP ?= aro-hcp-image-sync-$(USER)-$(REGION)
-IMAGE_SYNC_ENVIRONMENT ?= image-sync-env
+IMAGE_SYNC_ENVIRONMENT ?= image-sync-env-sxo4oqbcjiekg
 ARO_HCP_IMAGE_ACR ?= arohcpdev
 REPOSITORIES_TO_SYNC ?= '{registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/pstefans/controlplaneoperator,quay.io/app-sre/uhc-clusters-service}'
diff --git a/image-sync/configuration/mvp-image-sync.yml b/image-sync/configuration/mvp-image-sync.yml
@@ -4,6 +4,6 @@ repositories:
   - quay.io/pstefans/controlplaneoperator
   - quay.io/app-sre/uhc-clusters-service
 numberOfTags: 10
-quaySecretfile: /etc/containers/quayio-auth.json
+quaySecretfile: /root/.docker/quayio-auth.json
 acrRegistry: arohcpdev.azurecr.io
 tenantId: 64dc69e4-d083-49fc-9569-ebece1dd1408
diff --git a/image-sync/deployment/Makefile b/image-sync/deployment/Makefile
@@ -63,4 +63,8 @@ undeploy-oc-mirror:
 
 undeploy: undeploy-shared undeploy-component-sync undeploy-oc-mirror
 
-.PHONY: deploy-component-sync deploy-shared deploy-oc-mirror undeploy-shared undeploy-component-sync undeploy-oc-mirror
+deploy-ca-component-sync:
+	az containerapp job create -n component-sync-job -g ${IMAGE_SYNC_RESOURCEGROUP} \
+		--yaml ./componentSync/mvp-componentSyncJob.yml
+
+.PHONY: deploy-caj-component-sync deploy-component-sync deploy-shared deploy-oc-mirror undeploy-shared undeploy-component-sync undeploy-oc-mirror
diff --git a/image-sync/deployment/componentSync/mvp-componentSyncJob.yml b/image-sync/deployment/componentSync/mvp-componentSyncJob.yml
@@ -0,0 +1,58 @@
+
+identity:
+  userAssignedIdentities:
+    "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg": {}
+  type: UserAssigned
+properties:
+  environmentId: "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/aro-hcp-dev-image-sync/providers/Microsoft.App/managedEnvironments/image-sync-env-sxo4oqbcjiekg"
+  configuration:
+    replicaTimeout: 10000
+    replicaRetryLimit: 1
+    manualTriggerConfig:
+      replicaCompletionCount: 1
+      parallelism: 1
+    triggerType: Manual
+    registries:
+      - identity: "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg"
+        server: arohcpdev.azurecr.io
+    secrets:
+    - name: pull-secrets
+      keyVaultUrl: https://aro-hcp-dev-global-kv.vault.azure.net/secrets/component-sync-pull-secret
+      identity: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg
+    - name: bearer-secret
+      keyVaultUrl: https://aro-hcp-dev-global-kv.vault.azure.net/secrets/bearer-secret
+      identity: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg
+  template:
+    containers:
+    - image: arohcpdev.azurecr.io/image-sync/component-sync:latest
+      name: sync-components
+      volumeMounts:
+      - volumeName: pull-secrets-updated
+        mountPath: "/root/.docker"
+    initContainers:
+    - image: mcr.microsoft.com/azure-cli:cbl-mariner2.0
+      name: decodesecrets
+      command: 
+      - "/bin/sh"
+      args:
+      - "-c"
+      - "cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && cat /tmp/bearer-secret/bearer-secret | base64 -d > /etc/containers/quayio-auth.json"
+      volumeMounts:
+      - volumeName: pull-secrets-updated
+        mountPath: "/etc/containers"
+      - volumeName: pull-secrets
+        mountPath: "/tmp/secret-orig"
+      - volumeName: bearer-secret
+        mountPath: "/tmp/bearer-secret"
+    volumes:
+    - name: pull-secrets-updated
+      storageType: EmptyDir
+    - name: pull-secrets
+      storageType: Secret
+      secrets:
+      - secretRef: pull-secrets
+    - name: bearer-secret
+      storageType: Secret
+      secrets:
+      - secretRef: bearer-secret
+
diff --git a/tooling/image-sync/Dockerfile b/tooling/image-sync/Dockerfile
@@ -10,4 +10,5 @@ WORKDIR /
 
 ADD config.yml /app/config.yml
 COPY --from=builder /app/image-sync .
+
 CMD ["/image-sync", "-c", "/app/config.yml"]
diff --git a/tooling/image-sync/config.yml b/tooling/image-sync/config.yml
diff --git a/tooling/image-sync/internal/repository.go b/tooling/image-sync/internal/repository.go
@@ -128,13 +128,13 @@ func (q *QuayRegistry) GetTags(ctx context.Context, image string) ([]string, err
 	return tags, nil
 }
 
-type getAccessToken func(context.Context, *azidentity.DefaultAzureCredential) (string, error)
+type getAccessToken func(context.Context, *azidentity.ManagedIdentityCredential) (string, error)
 type getACRUrl func(string) string
 
 // AzureContainerRegistry implements ACR Repository access
 type AzureContainerRegistry struct {
 	acrName      string
-	credential   *azidentity.DefaultAzureCredential
+	credential   *azidentity.ManagedIdentityCredential
 	acrClient    *azcontainerregistry.Client
 	httpClient   *http.Client
 	numberOfTags int
@@ -146,7 +146,9 @@ type AzureContainerRegistry struct {
 
 // NewAzureContainerRegistry creates a new AzureContainerRegistry access client
 func NewAzureContainerRegistry(cfg *SyncConfig) *AzureContainerRegistry {
-	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	cred, err := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
+		ID: azidentity.ClientID(cfg.ManagedIdentityClientID),
+	})
 	if err != nil {
 		Log().Fatalf("failed to obtain a credential: %v", err)
 	}
@@ -164,7 +166,7 @@ func NewAzureContainerRegistry(cfg *SyncConfig) *AzureContainerRegistry {
 		numberOfTags: cfg.NumberOfTags,
 		tenantId:     cfg.TenantId,
 
-		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.DefaultAzureCredential) (string, error) {
+		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.ManagedIdentityCredential) (string, error) {
 			accessToken, err := dac.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{"https://management.core.windows.net//.default"}})
 			if err != nil {
 				return "", err

diff --git a/tooling/image-sync/internal/repository_test.go b/tooling/image-sync/internal/repository_test.go
@@ -121,9 +121,9 @@ func TestQuayGetTags(t *testing.T) {
 func TestGetPullSecret(t *testing.T) {
 	acr := AzureContainerRegistry{
 		tenantId:   "test",
-		credential: &azidentity.DefaultAzureCredential{},
+		credential: &azidentity.ManagedIdentityCredential{},
 
-		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.DefaultAzureCredential) (string, error) {
+		getAccessTokenImpl: func(ctx context.Context, dac *azidentity.ManagedIdentityCredential) (string, error) {
 			return "fooBar", nil
 		},
 		getACRUrlImpl: func(acrName string) string {

diff --git a/tooling/image-sync/internal/sync.go b/tooling/image-sync/internal/sync.go
@@ -21,13 +21,14 @@ func Log() *zap.SugaredLogger {
 
 // SyncConfig is the configuration for the image sync
 type SyncConfig struct {
-	Repositories   []string
-	NumberOfTags   int
-	QuaySecretFile string
-	AcrRegistry    string
-	TenantId       string
-	RequestTimeout int
-	AddLatest      bool
+	Repositories            []string
+	NumberOfTags            int
+	QuaySecretFile          string
+	AcrRegistry             string
+	TenantId                string
+	RequestTimeout          int
+	AddLatest               bool
+	ManagedIdentityClientID string
 }
 
 // QuaySecret is the secret for quay.io
@@ -42,6 +43,7 @@ func NewSyncConfig() *SyncConfig {
 	v.SetDefault("numberoftags", 10)
 	v.SetDefault("requesttimeout", 10)
 	v.SetDefault("addlatest", false)
+	v.BindEnv("ManagedIdentityClientId", "MANAGED_IDENTITY_CLIENT_ID")
 
 	if err := v.Unmarshal(&sc); err != nil {
 		Log().Fatalw("Error while unmarshalling configuration %s", err.Error())