feat(ESO): Use Quay Access Token (#120)
ArthurVardevanyan committed Dec 25, 2024
1 parent cf99359 commit 0a9bcea
Showing 9 changed files with 341 additions and 28 deletions.
2 changes: 1 addition & 1 deletion containers/toolbox/containerfile
Expand Up @@ -18,7 +18,7 @@ ENV \
PRETTIER_CLI_VERSION=3.3.3 \
HOME=/tmp \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin \
KICK="1"
KICK="0"

RUN rpm -Uvh https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \
rpm -ivh https://github.com/opentofu/opentofu/releases/download/v${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION}_amd64.rpm && \
156 changes: 155 additions & 1 deletion kubernetes/external-secrets-operator/components/helm/crd.yaml
Expand Up @@ -155,6 +155,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -341,6 +342,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -6939,6 +6941,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -7125,6 +7128,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -7593,6 +7597,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -14037,7 +14042,7 @@ spec:
- auth
- registry
type: object
ecrRAuthorizationTokenSpec:
ecrAuthorizationTokenSpec:
properties:
auth:
description: Auth defines how to authenticate with AWS
Expand Down Expand Up @@ -14170,6 +14175,11 @@ spec:
You can assume a role before making calls to the
desired AWS service.
type: string
scope:
description: |-
Scope specifies the ECR service scope.
Valid options are private and public.
type: string
required:
- region
type: object
Expand Down Expand Up @@ -14374,6 +14384,46 @@ spec:
- length
- noUpper
type: object
quayAccessTokenSpec:
properties:
robotAccount:
description: Name of the robot account you are federating with
type: string
serviceAccountRef:
description: Name of the service account you are federating with
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
url:
description: URL configures the Quay instance URL. Defaults to https://quay.io/.
type: string
required:
- robotAccount
- serviceAccountRef
type: object
stsSessionTokenSpec:
properties:
auth:
Expand Down Expand Up @@ -15445,6 +15495,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -15652,6 +15703,11 @@ spec:
You can assume a role before making calls to the
desired AWS service.
type: string
scope:
description: |-
Scope specifies the ECR service scope.
Valid options are private and public.
type: string
required:
- region
type: object
Expand Down Expand Up @@ -16113,6 +16169,104 @@ spec:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.5
labels:
external-secrets.io/component: controller
name: quayaccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: QuayAccessToken
listKind: QuayAccessTokenList
plural: quayaccesstokens
singular: quayaccesstoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: QuayAccessToken generates Quay oauth token for pulling/pushing images
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
robotAccount:
description: Name of the robot account you are federating with
type: string
serviceAccountRef:
description: Name of the service account you are federating with
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
url:
description: URL configures the Quay instance URL. Defaults to https://quay.io/.
type: string
required:
- robotAccount
- serviceAccountRef
type: object
type: object
served: true
storage: true
subresources:
status: {}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: kubernetes
namespace: default
path: /convert
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.5
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,7 @@ rules:
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "stssessiontokens"
- "uuids"
Expand Down Expand Up @@ -277,6 +278,7 @@ rules:
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- "webhooks"
Expand Down Expand Up @@ -321,6 +323,7 @@ rules:
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- "webhooks"
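Review bot: The verbs attached to the three rules that now list `quayaccesstokens` sit outside the hunk, so it is not visible whether the second and third rules (the ones listing `vaultdynamicsecrets` and `webhooks`, which look like the user-facing aggregated view/edit roles) grant create or update on the new generator. Per the CRD added in this same commit, a QuayAccessToken takes a `serviceAccountRef` and a free-form `url` that merely defaults to quay.io, so create rights let a namespace editor have the controller mint a token for a ServiceAccount in that namespace and send it to a URL of their choosing; confirm that is the intended trust boundary before it lands in an edit role. A comment above the user-facing rule, e.g. `# quayaccesstokens: create lets a namespace editor federate an SA in the namespace to an operator-chosen url`, would record that decision. Each rule block begins outside the hunk.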
Original file line number Diff line number Diff line change
Expand Up @@ -14,21 +14,6 @@ patches:
value: {"mountPath":"microshift","role":"microshift","serviceAccountRef":{"name":"argocd","namespace":"default"}}
- target:
kind: Deployment
name: external-secrets
patch: |-
- op: replace
path: /spec/replicas
value: 1
- target:
kind: Deployment
name: external-secrets-cert-controller
patch: |-
- op: replace
path: /spec/replicas
value: 1
- target:
kind: Deployment
name: external-secrets-webhook
patch: |-
- op: replace
path: /spec/replicas
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,10 @@ resources:
- ./egress-firewall.yaml
components:
- ../../components/helm
patches:
- target:
kind: Deployment
patch: |-
- op: replace
path: /spec/template/spec/containers/0/image
value: registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:091b495923dd5b22509e8c419053b91f61ef5d871ed2c8612678b859d893e14b
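Review bot: The patch target under `kind: Deployment` carries no `name`, so the image replacement is applied to container 0 of every Deployment the Helm component renders — presumably the controller, cert-controller and webhook, which share one image in the upstream chart, but that should be stated, since any Deployment added to the component later would silently receive this image too. The digest pin is good; what is missing is a record of which upstream commit `quay-head` was built from, because the CRDs and RBAC vendored in this same commit have to match that build and will drift if the digest is bumped alone. A comment above `- target:` such as `# Pre-release ESO build carrying the QuayAccessToken generator (digest-pinned); applied to every Deployment in the component — bump CRDs/RBAC together with this digest` would carry that.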
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,26 @@ spec:
"topology":"localnet",
"netAttachDefName": "default/br1"
}'

---
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: br1-vlan2
namespace: default
annotations:
k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br1-vlan2
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "4"
spec:
config: '{
"cniVersion": "0.3.1",
"name": "br1",
"type": "ovn-k8s-cni-overlay",
"vlan": 2,
"topology":"localnet",
"netAttachDefName": "default/br1-vlan2"
}'


ip link set br0 type bridge vlan_filtering 1
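Review bot: The last added line, `ip link set br0 type bridge vlan_filtering 1`, is a shell command, not YAML; a bare scalar at column 0 after the `spec:` mapping does not parse, so the whole file — including the pre-existing `br1` NetworkAttachmentDefinition above it — will fail to load when Argo CD (whose sync annotations this resource carries) applies it. Remove the line and put the command where it actually runs, such as the node network policy or a MachineConfig, or at minimum keep it as a comment: `# node prep, run once per host: ip link set br0 type bridge vlan_filtering 1`. Separately, the new `config` sets `"name": "br1"` rather than a VLAN-specific name while `netAttachDefName` is `default/br1-vlan2`; if the existing NAD (whose `name` is outside the hunk) uses the same value, confirm that a VLAN 2 attachment sharing that network name is what the OVN localnet plugin is meant to see.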
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ spec:
dhcp: true
enabled: true
bridge:
allow-extra-patch-ports: true
options:
stp:
enabled: false
Expand Down Expand Up @@ -50,6 +51,7 @@ spec:
dhcp: true
enabled: true
bridge:
allow-extra-patch-ports: true
options:
stp:
enabled: false
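Review bot: `allow-extra-patch-ports: true` is added to both bridge stanzas with nothing saying why, and the key name alone does not tell a reader that it is what lets OVN-Kubernetes create patch ports on an operator-managed OVS bridge for the localnet attachments added elsewhere in this commit. A one-line comment above each occurrence, `# lets ovn-kubernetes add localnet patch ports to this bridge (used by the br1 NetworkAttachmentDefinitions)`, ties the two changes together. Also confirm the nmstate and OVS versions on the nodes accept this key; an unrecognised option is rejected at policy apply time rather than ignored. Both interface stanzas begin outside the hunk.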
