feat(ESO): Use Quay Access Token
ArthurVardevanyan committed Dec 25, 2024
1 parent cf99359 commit 0bfa325
Showing 5 changed files with 224 additions and 23 deletions.
2 changes: 1 addition & 1 deletion containers/toolbox/containerfile
Expand Up @@ -18,7 +18,7 @@ ENV \
PRETTIER_CLI_VERSION=3.3.3 \
HOME=/tmp \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin \
KICK="1"
KICK="0"

RUN rpm -Uvh https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \
rpm -ivh https://github.com/opentofu/opentofu/releases/download/v${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION}_amd64.rpm && \
156 changes: 155 additions & 1 deletion kubernetes/external-secrets-operator/components/helm/crd.yaml
Expand Up @@ -155,6 +155,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -341,6 +342,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -6939,6 +6941,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -7125,6 +7128,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -7593,6 +7597,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -14037,7 +14042,7 @@ spec:
- auth
- registry
type: object
ecrRAuthorizationTokenSpec:
ecrAuthorizationTokenSpec:
properties:
auth:
description: Auth defines how to authenticate with AWS
Expand Down Expand Up @@ -14170,6 +14175,11 @@ spec:
You can assume a role before making calls to the
desired AWS service.
type: string
scope:
description: |-
Scope specifies the ECR service scope.
Valid options are private and public.
type: string
required:
- region
type: object
Expand Down Expand Up @@ -14374,6 +14384,46 @@ spec:
- length
- noUpper
type: object
quayAccessTokenSpec:
properties:
robotAccount:
description: Name of the robot account you are federating with
type: string
serviceAccountRef:
description: Name of the service account you are federating with
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
url:
description: URL configures the Quay instance URL. Defaults to https://quay.io/.
type: string
required:
- robotAccount
- serviceAccountRef
type: object
stsSessionTokenSpec:
properties:
auth:
Expand Down Expand Up @@ -15445,6 +15495,7 @@ spec:
- Fake
- GCRAccessToken
- GithubAccessToken
- QuayAccessToken
- Password
- STSSessionToken
- UUID
Expand Down Expand Up @@ -15652,6 +15703,11 @@ spec:
You can assume a role before making calls to the
desired AWS service.
type: string
scope:
description: |-
Scope specifies the ECR service scope.
Valid options are private and public.
type: string
required:
- region
type: object
Expand Down Expand Up @@ -16113,6 +16169,104 @@ spec:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.5
labels:
external-secrets.io/component: controller
name: quayaccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: QuayAccessToken
listKind: QuayAccessTokenList
plural: quayaccesstokens
singular: quayaccesstoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: QuayAccessToken generates Quay oauth token for pulling/pushing images
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
robotAccount:
description: Name of the robot account you are federating with
type: string
serviceAccountRef:
description: Name of the service account you are federating with
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
url:
description: URL configures the Quay instance URL. Defaults to https://quay.io/.
type: string
required:
- robotAccount
- serviceAccountRef
type: object
type: object
served: true
storage: true
subresources:
status: {}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: kubernetes
namespace: default
path: /convert
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.5
Expand Up @@ -40,7 +40,7 @@ spec:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
image: ghcr.io/external-secrets/external-secrets:v0.11.0@sha256:bf0747a7c8a9726a6757c185faa5a77bd0652f7aac03c9712c92fe7f26576431
image: registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:091b495923dd5b22509e8c419053b91f61ef5d871ed2c8612678b859d893e14b
imagePullPolicy: IfNotPresent
args:
- certcontroller
Expand Down Expand Up @@ -113,7 +113,7 @@ spec:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
image: ghcr.io/external-secrets/external-secrets:v0.11.0@sha256:bf0747a7c8a9726a6757c185faa5a77bd0652f7aac03c9712c92fe7f26576431
image: registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:091b495923dd5b22509e8c419053b91f61ef5d871ed2c8612678b859d893e14b
imagePullPolicy: IfNotPresent
args:
- --concurrent=1
Expand Down Expand Up @@ -175,7 +175,7 @@ spec:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
image: ghcr.io/external-secrets/external-secrets:v0.11.0@sha256:bf0747a7c8a9726a6757c185faa5a77bd0652f7aac03c9712c92fe7f26576431
image: registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:091b495923dd5b22509e8c419053b91f61ef5d871ed2c8612678b859d893e14b
imagePullPolicy: IfNotPresent
args:
- webhook
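Review bot: The three `image:` lines (first hunk, repeated in the next two) swap the upstream release `ghcr.io/external-secrets/external-secrets:v0.11.0` for a self-built `quay-head` tag, and nothing in the manifest records which upstream commit that build came from, so a later reader cannot tell whether a given upstream fix is already in it or when it can be retired. The digest pin keeps the reference immutable, so the missing piece is a comment above each image line such as `# TEMP: self-built from external-secrets main at <UPSTREAM_COMMIT> for QuayAccessToken; return to the ghcr.io release once it ships` (placeholder to be filled in). The new image is pulled from `registry.arthurvardevanyan.com`, the same registry whose pull credential this commit now generates through ESO itself; if the `homelab/external-secrets` repository is private, that pull secret cannot come from the generator (the controller has to be running first), so confirm the repository is public or has an independently provisioned pull secret. This section's file header is not shown on the page, so the file is inferred to be the operator Deployment manifest.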
Expand Up @@ -182,6 +182,7 @@ rules:
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "stssessiontokens"
- "uuids"
Expand Down Expand Up @@ -277,6 +278,7 @@ rules:
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- "webhooks"
Expand Down Expand Up @@ -321,6 +323,7 @@ rules:
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- "webhooks"
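Review bot: Adding `"quayaccesstokens"` to the generator resource lists lets the controller read the new CRD, but per the CRD's `serviceAccountRef`/`audiences` description the QuayAccessToken generator also has to obtain a token for the referenced ServiceAccount, which needs `create` on `serviceaccounts/token` in the core API group, and that rule is not in any of the three hunks. It is presumably already present for the GitHub and GCR generators, since this RBAC is upstream-generated, but confirm it is in the rendered ClusterRole rather than assuming it. This section's file header is not shown on the page, so the file is inferred to be the operator RBAC manifest.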
80 changes: 62 additions & 18 deletions tekton/base/push-secret.yaml
@@ -1,24 +1,68 @@
# apiVersion: v1
# kind: Secret
# # apiVersion: v1
# # kind: Secret
# # metadata:
# # name: homelab-push-pull-secret
# # namespace: homelab
# # labels:
# # app.kubernetes.io/instance: homelab
# # stringData:
# # .dockerconfigjson: <path:secret/data/homelab/homelab#quay_push>
# # type: kubernetes.io/dockerconfigjson
# apiVersion: containerregistry.arthurvardevanyan.com/v1beta1
# kind: Auth
# metadata:
# name: homelab-push-pull-secret
# namespace: homelab
# labels:
# app.kubernetes.io/instance: homelab
# stringData:
# .dockerconfigjson: <path:secret/data/homelab/homelab#quay_push>
# type: kubernetes.io/dockerconfigjson
apiVersion: containerregistry.arthurvardevanyan.com/v1beta1
kind: Auth
# spec:
# serviceAccount: pipeline
# secretName: homelab-push-pull-secret
# containerRegistry: quay
# audiences:
# - openshift
# quay:
# robotAccount: "homelab+push"
# url: registry.arthurvardevanyan.com
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: QuayAccessToken
metadata:
name: homelab-push-pull-secret
name: homelab
namespace: homelab
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
serviceAccount: pipeline
secretName: homelab-push-pull-secret
containerRegistry: quay
audiences:
- openshift
quay:
robotAccount: "homelab+push"
url: registry.arthurvardevanyan.com
url: registry.arthurvardevanyan.com
robotAccount: homelab+push
serviceAccountRef:
name: "pipeline"
audiences:
- openshift
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homelab
namespace: homelab
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: QuayAccessToken
name: homelab
refreshInterval: "55m" # Overlay with Token Expire
target:
name: homelab-push-pull-secret
template:
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: |
{
"auths": {
"{{ .registry }}": {
"auth": "{{ .auth }}"
}
}
}
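Review bot: `url: registry.arthurvardevanyan.com` in the QuayAccessToken spec carries no scheme, while the CRD added in this commit documents the field as "URL configures the Quay instance URL. Defaults to https://quay.io/."; whether the generator prepends `https://` or uses the value verbatim for the token endpoint and for the `{{ .registry }}` key is not visible here, so check it against the generator and the rendered Secret before the pipeline depends on it. `refreshInterval: "55m" # Overlay with Token Expire` should state what bounds it, e.g. `refreshInterval: "55m" # must stay below the Quay federation token lifetime (<TOKEN_TTL>), with margin for one failed refresh`. The `.dockerconfigjson` template interpolates `{{ .registry }}` and `{{ .auth }}` straight into hand-written JSON, so the resulting key must match the registry host used in the pipeline's image references exactly or the credential will never be selected. The commented-out Secret and Auth stanzas at the top are dead configuration that git history already preserves; dropping them also removes the last reference to the static `quay_push` robot credential, which can be retired from the secret store once the federated token is proven so the pipeline no longer depends on a long-lived robot secret.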
