From 5b57eb3c185b42f04ea612416901055def7d7fe0 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Wed, 23 Oct 2024 14:27:18 +0200
Subject: [PATCH] Make component sync work on container apps

---
 dev-infrastructure/configurations/dev.mk | 2 +-
 image-sync/configuration/mvp-image-sync.yml | 2 +-
 image-sync/deployment/Makefile | 6 +-
 .../componentSync/mvp-componentSyncJob.yml | 58 +++++++++++++++++++
 tooling/image-sync/Dockerfile | 1 +
 tooling/image-sync/config.yml | 9 ---
 tooling/image-sync/internal/repository.go | 10 ++--
 .../image-sync/internal/repository_test.go | 4 +-
 tooling/image-sync/internal/sync.go | 16 ++---
 9 files changed, 83 insertions(+), 25 deletions(-)
 create mode 100644 image-sync/deployment/componentSync/mvp-componentSyncJob.yml
 delete mode 100644 tooling/image-sync/config.yml

diff --git a/dev-infrastructure/configurations/dev.mk b/dev-infrastructure/configurations/dev.mk
index b6ffea374..ce757e192 100644
--- a/dev-infrastructure/configurations/dev.mk
+++ b/dev-infrastructure/configurations/dev.mk
@@ -4,6 +4,6 @@ REGIONAL_RESOURCEGROUP ?= aro-hcp-$(USER)-$(REGION)
 SVC_KV_RESOURCEGROUP ?= global
 GLOBAL_RESOURCEGROUP ?= global
 IMAGE_SYNC_RESOURCEGROUP ?= aro-hcp-image-sync-$(USER)-$(REGION)
-IMAGE_SYNC_ENVIRONMENT ?= image-sync-env
+IMAGE_SYNC_ENVIRONMENT ?= image-sync-env-sxo4oqbcjiekg
 ARO_HCP_IMAGE_ACR ?= arohcpdev
 REPOSITORIES_TO_SYNC ?= '{registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/pstefans/controlplaneoperator,quay.io/app-sre/uhc-clusters-service}'
diff --git a/image-sync/configuration/mvp-image-sync.yml b/image-sync/configuration/mvp-image-sync.yml
index 3dd45c233..4a0b7339c 100644
--- a/image-sync/configuration/mvp-image-sync.yml
+++ b/image-sync/configuration/mvp-image-sync.yml
@@ -4,6 +4,6 @@ repositories:
 - quay.io/pstefans/controlplaneoperator
 - quay.io/app-sre/uhc-clusters-service
 numberOfTags: 10
-quaySecretfile: /etc/containers/quayio-auth.json
+quaySecretfile: /root/.docker/quayio-auth.json
 acrRegistry: arohcpdev.azurecr.io
 tenantId: 64dc69e4-d083-49fc-9569-ebece1dd1408
diff --git a/image-sync/deployment/Makefile b/image-sync/deployment/Makefile
index a58f1b240..0aebc063c 100644
--- a/image-sync/deployment/Makefile
+++ b/image-sync/deployment/Makefile
@@ -63,4 +63,8 @@ undeploy-oc-mirror:
 undeploy: undeploy-shared undeploy-component-sync undeploy-oc-mirror
-.PHONY: deploy-component-sync deploy-shared deploy-oc-mirror undeploy-shared undeploy-component-sync undeploy-oc-mirror
+deploy-ca-component-sync:
+ az containerapp job create -n component-sync-job -g ${IMAGE_SYNC_RESOURCEGROUP} \
+ --yaml ./componentSync/mvp-componentSyncJob.yml
+
+.PHONY: deploy-caj-component-sync deploy-component-sync deploy-shared deploy-oc-mirror undeploy-shared undeploy-component-sync undeploy-oc-mirror
diff --git a/image-sync/deployment/componentSync/mvp-componentSyncJob.yml b/image-sync/deployment/componentSync/mvp-componentSyncJob.yml
new file mode 100644
index 000000000..de7f56e96
--- /dev/null
+++ b/image-sync/deployment/componentSync/mvp-componentSyncJob.yml
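Review bot: The new `quaySecretfile: /root/.docker/quayio-auth.json` only takes effect if this file is what ends up as `/app/config.yml` in the image, and the same commit deletes `tooling/image-sync/config.yml` while the Dockerfile still does `ADD config.yml /app/config.yml` from that build context; unless the build copies this file into place first (not visible here), the image build fails or keeps shipping the old path. A comment at the top of this file naming where it is consumed would make that wiring explicit, e.g. `# consumed as /app/config.yml by the component-sync image (see tooling/image-sync/Dockerfile)`. The path itself is consistent with the new job definition, whose init container writes `quayio-auth.json` into the volume that the sync container mounts at `/root/.docker`.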
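Review bot: The `.PHONY` line added here lists `deploy-caj-component-sync`, but the target defined just above is `deploy-ca-component-sync`, so the new target is not marked phony and a file of that name in the directory would make `make` skip the deployment silently; change the entry to `deploy-ca-component-sync` (or rename the target). The recipe takes the resource group from `${IMAGE_SYNC_RESOURCEGROUP}` while the referenced `componentSync/mvp-componentSyncJob.yml` hard-codes `aro-hcp-dev-image-sync` in its environment and identity resource IDs; if the two disagree the `az containerapp job create` call presumably fails or lands in a different environment, which is worth a comment on the target. Unlike the other deploy targets in this `.PHONY` list, the new job has no matching undeploy target.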
@@ -0,0 +1,58 @@
+
+identity:
+ userAssignedIdentities:
+ "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg": {}
+ type: UserAssigned
+properties:
+ environmentId: "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/aro-hcp-dev-image-sync/providers/Microsoft.App/managedEnvironments/image-sync-env-sxo4oqbcjiekg"
+ configuration:
+ replicaTimeout: 10000
+ replicaRetryLimit: 1
+ manualTriggerConfig:
+ replicaCompletionCount: 1
+ parallelism: 1
+ triggerType: Manual
+ registries:
+ - identity: "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg"
+ server: arohcpdev.azurecr.io
+ secrets:
+ - name: pull-secrets
+ keyVaultUrl: https://aro-hcp-dev-global-kv.vault.azure.net/secrets/component-sync-pull-secret
+ identity: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg
+ - name: bearer-secret
+ keyVaultUrl: https://aro-hcp-dev-global-kv.vault.azure.net/secrets/bearer-secret
+ identity: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/aro-hcp-dev-image-sync/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync-sxo4oqbcjiekg
+ template:
+ containers:
+ - image: arohcpdev.azurecr.io/image-sync/component-sync:latest
+ name: sync-components
+ volumeMounts:
+ - volumeName: pull-secrets-updated
+ mountPath: "/root/.docker"
+ initContainers:
+ - image: mcr.microsoft.com/azure-cli:cbl-mariner2.0
+ name: decodesecrets
+ command:
+ - "/bin/sh"
+ args:
+ - "-c"
+ - "cat /tmp/secret-orig/pull-secrets |base64 -d > /etc/containers/config.json && cat /tmp/bearer-secret/bearer-secret | base64 -d > /etc/containers/quayio-auth.json"
+ volumeMounts:
+ - volumeName: pull-secrets-updated
+ mountPath: "/etc/containers"
+ - volumeName: pull-secrets
+ mountPath: "/tmp/secret-orig"
+ - volumeName: bearer-secret
+ mountPath: "/tmp/bearer-secret"
+ volumes:
+ - name: pull-secrets-updated
+ storageType: EmptyDir
+ - name: pull-secrets
+ storageType: Secret
+ secrets:
+ - secretRef: pull-secrets
+ - name: bearer-secret
+ storageType: Secret
+ secrets:
+ - secretRef: bearer-secret
+
diff --git a/tooling/image-sync/Dockerfile b/tooling/image-sync/Dockerfile
index 94b60e058..2b0a8a1c9 100644
--- a/tooling/image-sync/Dockerfile
+++ b/tooling/image-sync/Dockerfile
@@ -10,4 +10,5 @@ WORKDIR /
 ADD config.yml /app/config.yml
 COPY --from=builder /app/image-sync .
+
 CMD ["/image-sync", "-c", "/app/config.yml"]
\ No newline at end of file
diff --git a/tooling/image-sync/config.yml b/tooling/image-sync/config.yml
deleted file mode 100644
index 3dd45c233..000000000
--- a/tooling/image-sync/config.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-repositories:
- - registry.k8s.io/external-dns/external-dns
- - quay.io/acm-d/rhtap-hypershift-operator
- - quay.io/pstefans/controlplaneoperator
- - quay.io/app-sre/uhc-clusters-service
-numberOfTags: 10
-quaySecretfile: /etc/containers/quayio-auth.json
-acrRegistry: arohcpdev.azurecr.io
-tenantId: 64dc69e4-d083-49fc-9569-ebece1dd1408
diff --git a/tooling/image-sync/internal/repository.go b/tooling/image-sync/internal/repository.go
index 7ee512f0b..668eb8358 100644
--- a/tooling/image-sync/internal/repository.go
+++ b/tooling/image-sync/internal/repository.go
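Review bot: Both images in the new job are referenced by mutable tags (`arohcpdev.azurecr.io/image-sync/component-sync:latest` under `containers` and `mcr.microsoft.com/azure-cli:cbl-mariner2.0` under `initContainers`), yet this job runs as the `image-sync-sxo4oqbcjiekg` identity and is handed the decoded pull secrets and bearer token; pinning both by digest (`image: <repo>@sha256:<digest>`, placeholder) keeps what runs with those credentials reproducible and makes an image change a reviewed change. The `sync-components` container declares no `env:`, while the Go code in this commit reads `MANAGED_IDENTITY_CLIENT_ID` to pick the managed identity, so unless that value arrives another way the job starts with an empty client ID; adding `env:` with `- name: MANAGED_IDENTITY_CLIENT_ID` and `value: <client id of image-sync-sxo4oqbcjiekg>` (placeholder) under the container closes that gap. The init container only runs `cat ... | base64 -d` into the shared EmptyDir, so a minimal shell image would do the same work with far less software present in the step that handles the credentials in cleartext. The subscription, resource group and Key Vault names are hard-coded throughout, which makes this a dev-only definition; a leading comment saying so, and naming the Makefile target that applies it, would help the next reader.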
@@ -128,13 +128,13 @@ func (q *QuayRegistry) GetTags(ctx context.Context, image string) ([]string, err
 return tags, nil
 }
-type getAccessToken func(context.Context, *azidentity.DefaultAzureCredential) (string, error)
+type getAccessToken func(context.Context, *azidentity.ManagedIdentityCredential) (string, error)
 type getACRUrl func(string) string
 // AzureContainerRegistry implements ACR Repository access
 type AzureContainerRegistry struct {
 acrName string
-credential *azidentity.DefaultAzureCredential
+credential *azidentity.ManagedIdentityCredential
 acrClient *azcontainerregistry.Client
 httpClient *http.Client
 numberOfTags int
@@ -146,7 +146,9 @@ type AzureContainerRegistry struct {
 // NewAzureContainerRegistry creates a new AzureContainerRegistry access client
 func NewAzureContainerRegistry(cfg *SyncConfig) *AzureContainerRegistry {
-cred, err := azidentity.NewDefaultAzureCredential(nil)
+cred, err := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
+ID: azidentity.ClientID(cfg.ManagedIdentityClientID),
+})
 if err != nil {
 Log().Fatalf("failed to obtain a credential: %v", err)
 }
@@ -164,7 +166,7 @@ func NewAzureContainerRegistry(cfg *SyncConfig) *AzureContainerRegistry {
 numberOfTags: cfg.NumberOfTags,
 tenantId: cfg.TenantId,
-getAccessTokenImpl: func(ctx context.Context, dac *azidentity.DefaultAzureCredential) (string, error) {
+getAccessTokenImpl: func(ctx context.Context, dac *azidentity.ManagedIdentityCredential) (string, error) {
 accessToken, err := dac.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{"https://management.core.windows.net//.default"}})
 if err != nil {
 return "", err
diff --git a/tooling/image-sync/internal/repository_test.go b/tooling/image-sync/internal/repository_test.go
index dbda141f5..bd3fd1264 100644
--- a/tooling/image-sync/internal/repository_test.go
+++ b/tooling/image-sync/internal/repository_test.go
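Review bot: In the second hunk, `NewAzureContainerRegistry` builds the credential from `cfg.ManagedIdentityClientID` without checking that it is set, so an empty value is wrapped as `azidentity.ClientID("")` and presumably only fails later as a token error rather than as a configuration error; add a guard before the constructor in the file's existing fatal style, `if cfg.ManagedIdentityClientID == "" { Log().Fatalf("managed identity client id is required") }`. Replacing `DefaultAzureCredential` with `ManagedIdentityCredential` also drops the CLI and environment fallbacks, so the binary can now only authenticate where a managed identity endpoint is reachable; that matches the container app job but deserves a sentence on the `NewAzureContainerRegistry` doc comment, e.g. `// Authenticates only via the user-assigned managed identity named by cfg.ManagedIdentityClientID; local runs without IMDS will fail.` The bodies of `GetTags` and `NewAzureContainerRegistry` continue outside these hunks.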
@@ -121,9 +121,9 @@ func TestQuayGetTags(t *testing.T) {
 func TestGetPullSecret(t *testing.T) {
 acr := AzureContainerRegistry{
 tenantId: "test",
-credential: &azidentity.DefaultAzureCredential{},
+credential: &azidentity.ManagedIdentityCredential{},
-getAccessTokenImpl: func(ctx context.Context, dac *azidentity.DefaultAzureCredential) (string, error) {
+getAccessTokenImpl: func(ctx context.Context, dac *azidentity.ManagedIdentityCredential) (string, error) {
 return "fooBar", nil
 },
 getACRUrlImpl: func(acrName string) string {
diff --git a/tooling/image-sync/internal/sync.go b/tooling/image-sync/internal/sync.go
index af1dfe6c0..21adb19dd 100644
--- a/tooling/image-sync/internal/sync.go
+++ b/tooling/image-sync/internal/sync.go
@@ -21,13 +21,14 @@ func Log() *zap.SugaredLogger {
 // SyncConfig is the configuration for the image sync
 type SyncConfig struct {
-Repositories []string
-NumberOfTags int
-QuaySecretFile string
-AcrRegistry string
-TenantId string
-RequestTimeout int
-AddLatest bool
+Repositories []string
+NumberOfTags int
+QuaySecretFile string
+AcrRegistry string
+TenantId string
+RequestTimeout int
+AddLatest bool
+ManagedIdentityClientID string
 }
 // QuaySecret is the secret for quay.io
@@ -42,6 +43,7 @@ func NewSyncConfig() *SyncConfig {
 v.SetDefault("numberoftags", 10)
 v.SetDefault("requesttimeout", 10)
 v.SetDefault("addlatest", false)
+v.BindEnv("ManagedIdentityClientId", "MANAGED_IDENTITY_CLIENT_ID")
 if err := v.Unmarshal(&sc); err != nil {
 Log().Fatalw("Error while unmarshalling configuration %s", err.Error())
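Review bot: In the `NewSyncConfig` hunk the error returned by `v.BindEnv("ManagedIdentityClientId", "MANAGED_IDENTITY_CLIENT_ID")` is discarded, unlike the `Unmarshal` error handled on the next line; the idiomatic form is `if err := v.BindEnv("ManagedIdentityClientId", "MANAGED_IDENTITY_CLIENT_ID"); err != nil { Log().Fatalw("Error while binding environment %s", err.Error()) }`. The key is spelled `ManagedIdentityClientId` while the struct field added in the first hunk is `ManagedIdentityClientID`; viper matches keys case-insensitively so this works, but the same spelling in both places spares a reader from suspecting a mismatch. Nothing here gives the new field a default or rejects an empty value, so a missing environment variable only surfaces later where the credential is built in repository.go; validating it alongside the other configuration checks keeps the failure at configuration time. The field also lacks a comment; `// ManagedIdentityClientID selects the user-assigned identity used for ACR access (env MANAGED_IDENTITY_CLIENT_ID).` would document it. `NewSyncConfig` continues outside the hunk.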