From 0a9bceac5f59c0b0588342b3cb1c4370e918c2e7 Mon Sep 17 00:00:00 2001 From: Arthur Date: Wed, 25 Dec 2024 15:17:52 +0000 Subject: [PATCH] feat(ESO): Use Quay Access Token (#120) --- containers/toolbox/containerfile | 2 +- .../components/helm/crd.yaml | 156 +++++++++++++++++- .../components/helm/rbac.yaml | 3 + .../overlays/microshift/kustomization.yaml | 15 -- .../overlays/okd/kustomization.yaml | 7 + .../network/networkAttachmentDefinition.yaml | 23 +++ .../nodeNetworkConfigurationPolicy.yaml | 2 + tekton/base/push-secret.yaml | 66 ++++++-- test.yaml | 95 +++++++++++ 9 files changed, 341 insertions(+), 28 deletions(-) create mode 100644 test.yaml diff --git a/containers/toolbox/containerfile b/containers/toolbox/containerfile index afacd3ea..7ce746a4 100644 --- a/containers/toolbox/containerfile +++ b/containers/toolbox/containerfile @@ -18,7 +18,7 @@ ENV \ PRETTIER_CLI_VERSION=3.3.3 \ HOME=/tmp \ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin \ - KICK="1" + KICK="0" RUN rpm -Uvh https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \ rpm -ivh https://github.com/opentofu/opentofu/releases/download/v${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION}_amd64.rpm && \ diff --git a/kubernetes/external-secrets-operator/components/helm/crd.yaml b/kubernetes/external-secrets-operator/components/helm/crd.yaml index a90118fd..403933c3 100644 --- a/kubernetes/external-secrets-operator/components/helm/crd.yaml +++ b/kubernetes/external-secrets-operator/components/helm/crd.yaml @@ -155,6 +155,7 @@ spec: - Fake - GCRAccessToken - GithubAccessToken + - QuayAccessToken - Password - STSSessionToken - UUID @@ -341,6 +342,7 @@ spec: - Fake - GCRAccessToken - GithubAccessToken + - QuayAccessToken - Password - STSSessionToken - UUID @@ -6939,6 +6941,7 @@ spec: - Fake - GCRAccessToken - GithubAccessToken + - QuayAccessToken - Password - STSSessionToken - UUID 
@@ -7125,6 +7128,7 @@ spec: - Fake - GCRAccessToken - GithubAccessToken + - QuayAccessToken - Password - STSSessionToken - UUID @@ -7593,6 +7597,7 @@ spec: - Fake - GCRAccessToken - GithubAccessToken + - QuayAccessToken - Password - STSSessionToken - UUID @@ -14037,7 +14042,7 @@ spec: - auth - registry type: object - ecrRAuthorizationTokenSpec: + ecrAuthorizationTokenSpec: properties: auth: description: Auth defines how to authenticate with AWS @@ -14170,6 +14175,11 @@ spec: You can assume a role before making calls to the desired AWS service. type: string + scope: + description: |- + Scope specifies the ECR service scope. + Valid options are private and public. + type: string required: - region type: object 
@@ -14374,6 +14384,46 @@ spec: - length - noUpper type: object + quayAccessTokenSpec: + properties: + robotAccount: + description: Name of the robot account you are federating with + type: string + serviceAccountRef: + description: Name of the service account you are federating with + properties: + audiences: + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + url: + description: URL configures the Quay instance URL. Defaults to https://quay.io/. + type: string + required: + - robotAccount + - serviceAccountRef + type: object stsSessionTokenSpec: properties: auth: @@ -15445,6 +15495,7 @@ spec: - Fake - GCRAccessToken - GithubAccessToken + - QuayAccessToken - Password - STSSessionToken - UUID @@ -15652,6 +15703,11 @@ spec: You can assume a role before making calls to the desired AWS service. type: string + scope: + description: |- + Scope specifies the ECR service scope. + Valid options are private and public. + type: string required: - region type: object 
@@ -16113,6 +16169,104 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.5 + labels: + external-secrets.io/component: controller + name: quayaccesstokens.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - external-secrets + - external-secrets-generators + kind: QuayAccessToken + listKind: QuayAccessTokenList + plural: quayaccesstokens + singular: quayaccesstoken + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: QuayAccessToken generates Quay oauth token for pulling/pushing images + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + robotAccount: + description: Name of the robot account you are federating with + type: string + serviceAccountRef: + description: Name of the service account you are federating with + properties: + audiences: + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + url: + description: URL configures the Quay instance URL. Defaults to https://quay.io/. + type: string + required: + - robotAccount + - serviceAccountRef + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: kubernetes + namespace: default + path: /convert +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.16.5 diff --git a/kubernetes/external-secrets-operator/components/helm/rbac.yaml b/kubernetes/external-secrets-operator/components/helm/rbac.yaml index 5c175253..62779af2 100644 --- a/kubernetes/external-secrets-operator/components/helm/rbac.yaml +++ b/kubernetes/external-secrets-operator/components/helm/rbac.yaml @@ -182,6 +182,7 @@ rules: - "fakes" - "gcraccesstokens" - "githubaccesstokens" + - "quayaccesstokens" - "passwords" - "stssessiontokens" - "uuids" @@ -277,6 +278,7 @@ rules: - "fakes" - "gcraccesstokens" - "githubaccesstokens" + - "quayaccesstokens" - "passwords" - "vaultdynamicsecrets" - "webhooks" @@ -321,6 +323,7 @@ rules: - "fakes" - "gcraccesstokens" - "githubaccesstokens" + - "quayaccesstokens" - "passwords" - "vaultdynamicsecrets" - "webhooks" diff --git a/kubernetes/external-secrets-operator/overlays/microshift/kustomization.yaml b/kubernetes/external-secrets-operator/overlays/microshift/kustomization.yaml index 1f41556e..cd347b68 100644 
--- a/kubernetes/external-secrets-operator/overlays/microshift/kustomization.yaml
+++ b/kubernetes/external-secrets-operator/overlays/microshift/kustomization.yaml
@@ -14,21 +14,6 @@ patches:
 value: {"mountPath":"microshift","role":"microshift","serviceAccountRef":{"name":"argocd","namespace":"default"}}
 - target:
 kind: Deployment
- name: external-secrets
- patch: |-
- - op: replace
- path: /spec/replicas
- value: 1
- - target:
- kind: Deployment
- name: external-secrets-cert-controller
- patch: |-
- - op: replace
- path: /spec/replicas
- value: 1
- - target:
- kind: Deployment
- name: external-secrets-webhook
 patch: |-
 - op: replace
 path: /spec/replicas
diff --git a/kubernetes/external-secrets-operator/overlays/okd/kustomization.yaml b/kubernetes/external-secrets-operator/overlays/okd/kustomization.yaml
index 4be9e4ca..c61b82c0 100644
--- a/kubernetes/external-secrets-operator/overlays/okd/kustomization.yaml
+++ b/kubernetes/external-secrets-operator/overlays/okd/kustomization.yaml
@@ -5,3 +5,10 @@ resources:
 - ./egress-firewall.yaml
 components:
 - ../../components/helm
+patches:
+ - target:
+ kind: Deployment
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/containers/0/image
+ value: registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:091b495923dd5b22509e8c419053b91f61ef5d871ed2c8612678b859d893e14b
diff --git a/kubernetes/nmstate/overlays/okd/network/networkAttachmentDefinition.yaml b/kubernetes/nmstate/overlays/okd/network/networkAttachmentDefinition.yaml
index aa00bdd5..a602df16 100644
--- a/kubernetes/nmstate/overlays/okd/network/networkAttachmentDefinition.yaml
+++ b/kubernetes/nmstate/overlays/okd/network/networkAttachmentDefinition.yaml
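Review bot: After the deletion the surviving replicas patch has a `target` with only `kind: Deployment` and no `name`, so it now applies to every Deployment this overlay renders rather than the three that were named (`external-secrets`, `external-secrets-cert-controller`, `external-secrets-webhook`); its `value: 1` line sits below the hunk. If that consolidation is intended, say so where the name-less target is read: `# kind-only target: scale every ESO Deployment (controller, cert-controller, webhook) to 1 replica`. Otherwise restore `name: external-secrets-webhook` under the remaining target so the patch keeps its original scope.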
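Review bot: The new image patch also uses a name-less `kind: Deployment` target, so the digest-pinned `registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:…` image replaces container 0 in every Deployment of this overlay, and nothing records why the chart's image is overridden or when the override can go. The digest pin is the right call for a self-built image, but the `quay-head` tag suggests a build from ESO's development branch taken to get the Quay generator ahead of a release, which is exactly the kind of pin that outlives its reason. A comment above `patches:` such as `# temporary: self-built ESO (main) for QuayAccessToken; drop once a release ships it` would carry that context. Since the image is built outside what this diff shows, noting the source commit it was built from next to the digest would let the pin be audited later.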
@@ -15,3 +15,26 @@ spec:
 "topology":"localnet",
 "netAttachDefName": "default/br1"
 }'
+
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: br1-vlan2
+ namespace: default
+ annotations:
+ k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br1-vlan2
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "4"
+spec:
+ config: '{
+ "cniVersion": "0.3.1",
+ "name": "br1",
+ "type": "ovn-k8s-cni-overlay",
+ "vlan": 2,
+ "topology":"localnet",
+ "netAttachDefName": "default/br1-vlan2"
+ }'
+
+
+ip link set br0 type bridge vlan_filtering 1
diff --git a/kubernetes/nmstate/overlays/okd/network/nodeNetworkConfigurationPolicy.yaml b/kubernetes/nmstate/overlays/okd/network/nodeNetworkConfigurationPolicy.yaml
index 4881750f..d1b14091 100644
--- a/kubernetes/nmstate/overlays/okd/network/nodeNetworkConfigurationPolicy.yaml
+++ b/kubernetes/nmstate/overlays/okd/network/nodeNetworkConfigurationPolicy.yaml
@@ -18,6 +18,7 @@ spec:
 dhcp: true
 enabled: true
 bridge:
+ allow-extra-patch-ports: true
 options:
 stp:
 enabled: false
@@ -50,6 +51,7 @@ spec:
 dhcp: true
 enabled: true
 bridge:
+ allow-extra-patch-ports: true
 options:
 stp:
 enabled: false
diff --git a/tekton/base/push-secret.yaml b/tekton/base/push-secret.yaml
index 0ed22818..634794f3 100644
--- a/tekton/base/push-secret.yaml
+++ b/tekton/base/push-secret.yaml
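Review bot: The hunk ends with a bare shell line, `ip link set br0 type bridge vlan_filtering 1`, appended after the second document; at column 0 with no `#` and no `:` it is not valid YAML, so every consumer of this file (kustomize, Argo CD) will fail to parse it, and it refers to `br0`, which neither document mentions. Drop it, or if it is meant as a reminder keep it as a comment: `# host side, run manually: ip link set br0 type bridge vlan_filtering 1`. Separately, the new `br1-vlan2` config reuses `"name": "br1"` while the existing document is addressed as `default/br1`; if that earlier config also carries `"name": "br1"`, confirm that OVN-Kubernetes accepts two localnet attachments under one network name with differing `vlan` settings, and otherwise give this network its own name.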
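Review bot: `allow-extra-patch-ports: true` is added to both OVS bridges (both hunks) with no comment, and next to the `options`/`port` entries around it the setting is not self-explanatory. A one-line why-comment above each, e.g. `# keep the patch ports OVN-Kubernetes adds for localnet bridge-mappings out of nmstate's port reconciliation`, would state the intent; that reading is inferred from the bridges' OVN use, so adjust it if the motivation differs. The interface entries these hunks sit in start above the hunk, so their `name` lines are not visible here.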
@@ -8,17 +8,61 @@
 # stringData:
 # .dockerconfigjson:
 # type: kubernetes.io/dockerconfigjson
-apiVersion: containerregistry.arthurvardevanyan.com/v1beta1
-kind: Auth
+# apiVersion: containerregistry.arthurvardevanyan.com/v1beta1
+# kind: Auth
+# metadata:
+# name: homelab-push-pull-secret
+# namespace: homelab
+# spec:
+# serviceAccount: pipeline
+# secretName: homelab-push-pull-secret
+# containerRegistry: quay
+# audiences:
+# - openshift
+# quay:
+# robotAccount: "homelab+push"
+# url: registry.arthurvardevanyan.com
+---
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: QuayAccessToken
+metadata:
+ name: homelab
+ namespace: homelab
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ url: registry.arthurvardevanyan.com
+ robotAccount: homelab+push
+ serviceAccountRef:
+ name: "pipeline"
+ audiences:
+ - openshift
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
- name: homelab-push-pull-secret
+ name: homelab
 namespace: homelab
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
- serviceAccount: pipeline
- secretName: homelab-push-pull-secret
- containerRegistry: quay
- audiences:
- - openshift
- quay:
- robotAccount: "homelab+push"
- url: registry.arthurvardevanyan.com
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: QuayAccessToken
+ name: homelab
+ refreshInterval: "55m" # Overlap with Token Expire
+ target:
+ name: homelab-push-pull-secret
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ .dockerconfigjson: |
+ {
+ "auths": {
+ "{{ .registry }}": {
+ "auth": "{{ .auth }}"
+ }
+ }
+ }
diff --git a/test.yaml b/test.yaml
new file mode 100644
index 00000000..41cee18d
--- /dev/null
+++ b/test.yaml
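Review bot: `url: registry.arthurvardevanyan.com` in the QuayAccessToken spec has no scheme, while the CRD added in this same commit documents the field as a URL defaulting to `https://quay.io/`; if the generator forms its token endpoint by appending a path to this value, a bare host does not yield a valid request URL, so either confirm that a host is accepted or write `url: https://registry.arthurvardevanyan.com`. The `.dockerconfigjson` template depends on the generator emitting exactly the keys `registry` and `auth`, and nothing here records that contract — a comment above `.dockerconfigjson:` such as `# {{ .registry }} / {{ .auth }} are the output keys of the QuayAccessToken generator` would make the coupling visible. The retired `Auth` resource survives as a commented block at the top of the file; git history already keeps it, so delete it or prefix it with one line saying why it is retained. `refreshInterval: "55m" # Overlap with Token Expire` gives a refresh period without stating the token lifetime it is meant to undercut, so spell that lifetime out in the comment (e.g. `# refresh before the N-minute federated token expires`) so the margin can be rechecked if Quay changes it.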
@@ -0,0 +1,95 @@
+apiVersion: nmstate.io/v1
+kind: NodeNetworkConfigurationPolicy
+metadata:
+ name: br1-vlan2-enp5s0
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ nodeSelector:
+ nic: enp5s0
+ desiredState:
+ interfaces:
+ - name: br1.2
+ description: VLAN using br1
+ type: vlan
+ state: up
+ vlan:
+ base-iface: enp5s0
+ id: 2
+ mtu: 9000
+ - name: br1.2.ovs
+ description: OVS bridge with enp5s0 as a port
+ type: ovs-bridge
+ state: up
+ ipv4:
+ dhcp: true
+ enabled: true
+ bridge:
+ options:
+ stp:
+ enabled: false
+ port:
+ - name: br1.2
+ mtu: 9000
+ ovn:
+ bridge-mappings:
+ - localnet: br1.2
+ bridge: br1.2.ovs
+ state: present
+---
+apiVersion: nmstate.io/v1
+kind: NodeNetworkConfigurationPolicy
+metadata:
+ name: br1-vlan2-enp7s0
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ nodeSelector:
+ nic: enp5s0
+ desiredState:
+ interfaces:
+ - name: br1.2
+ description: VLAN using br1
+ type: vlan
+ state: up
+ vlan:
+ base-iface: enp5s0
+ id: 2
+ mtu: 9000
+ - name: br1.2.ovs
+ description: OVS bridge with enp7s0 as a port
+ type: ovs-bridge
+ state: up
+ ipv4:
+ dhcp: true
+ enabled: true
+ bridge:
+ options:
+ stp:
+ enabled: false
+ port:
+ - name: br1.2
+ mtu: 9000
+ ovn:
+ bridge-mappings:
+ - localnet: br1.2
+ bridge: br1.2.ovs
+ state: present
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: br1-vlan2
+ namespace: default
+ annotations:
+ k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br1
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "4"
+spec:
+ config: '{
+ "cniVersion": "0.3.1",
+ "name": "br1.2.ovs",
+ "type": "ovn-k8s-cni-overlay",
+ "topology":"localnet",
+ "netAttachDefName": "default/br1-vlan2"
+ }'
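Review bot: `test.yaml` is added at the repository root with three nmstate/NAD documents unrelated to the ESO change in the subject, and no kustomization in this diff references it; it reads as a scratch file and should be dropped from the commit or moved under `kubernetes/nmstate/…` beside the other network manifests. If it is kept, the second policy `br1-vlan2-enp7s0` still selects `nic: enp5s0` and uses `base-iface: enp5s0` although its name and `description` say enp7s0, so the copy needs `nic: enp7s0` and `base-iface: enp7s0`. Its NAD also disagrees with the `br1-vlan2` NAD added to `networkAttachmentDefinition.yaml` in this same commit (`"name": "br1.2.ovs"` vs `"name": "br1"`, `resourceName` ending `/br1` vs `/br1-vlan2`, no `"vlan": 2`), so two conflicting definitions of `default/br1-vlan2` would be applied and whichever syncs last wins.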