feat(ESO): Use Quay Access Token

Author: ArthurVardevanyan

containers/toolbox/containerfile

@@ -18,7 +18,7 @@ ENV \
   PRETTIER_CLI_VERSION=3.3.3 \
   HOME=/tmp \
   PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin \
-  KICK="1"
+  KICK="0"
 
 RUN rpm -Uvh https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \
   rpm -ivh https://github.com/opentofu/opentofu/releases/download/v${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION}_amd64.rpm && \

kubernetes/external-secrets-operator/components/helm/crd.yaml

@@ -155,6 +155,7 @@ spec:
                                       - Fake
                                       - GCRAccessToken
                                       - GithubAccessToken
+                                      - QuayAccessToken
                                       - Password
                                       - STSSessionToken
                                       - UUID
@@ -341,6 +342,7 @@ spec:
                                       - Fake
                                       - GCRAccessToken
                                       - GithubAccessToken
+                                      - QuayAccessToken
                                       - Password
                                       - STSSessionToken
                                       - UUID
@@ -6939,6 +6941,7 @@ spec:
                                   - Fake
                                   - GCRAccessToken
                                   - GithubAccessToken
+                                  - QuayAccessToken
                                   - Password
                                   - STSSessionToken
                                   - UUID
@@ -7125,6 +7128,7 @@ spec:
                                   - Fake
                                   - GCRAccessToken
                                   - GithubAccessToken
+                                  - QuayAccessToken
                                   - Password
                                   - STSSessionToken
                                   - UUID
@@ -7593,6 +7597,7 @@ spec:
                             - Fake
                             - GCRAccessToken
                             - GithubAccessToken
+                            - QuayAccessToken
                             - Password
                             - STSSessionToken
                             - UUID
@@ -14037,7 +14042,7 @@ spec:
                         - auth
                         - registry
                       type: object
-                    ecrRAuthorizationTokenSpec:
+                    ecrAuthorizationTokenSpec:
                       properties:
                         auth:
                           description: Auth defines how to authenticate with AWS
@@ -14170,6 +14175,11 @@ spec:
                             You can assume a role before making calls to the
                             desired AWS service.
                           type: string
+                        scope:
+                          description: |-
+                            Scope specifies the ECR service scope.
+                            Valid options are private and public.
+                          type: string
                       required:
                         - region
                       type: object
@@ -14374,6 +14384,46 @@ spec:
                         - length
                         - noUpper
                       type: object
+                    quayAccessTokenSpec:
+                      properties:
+                        robotAccount:
+                          description: Name of the robot account you are federating with
+                          type: string
+                        serviceAccountRef:
+                          description: Name of the service account you are federating with
+                          properties:
+                            audiences:
+                              description: |-
+                                Audience specifies the `aud` claim for the service account token
+                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+                                then this audiences will be appended to the list
+                              items:
+                                type: string
+                              type: array
+                            name:
+                              description: The name of the ServiceAccount resource being referred to.
+                              maxLength: 253
+                              minLength: 1
+                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                              type: string
+                            namespace:
+                              description: |-
+                                Namespace of the resource being referred to.
+                                Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                              maxLength: 63
+                              minLength: 1
+                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                              type: string
+                          required:
+                            - name
+                          type: object
+                        url:
+                          description: URL configures the Quay instance URL. Defaults to https://quay.io/.
+                          type: string
+                      required:
+                        - robotAccount
+                        - serviceAccountRef
+                      type: object
                     stsSessionTokenSpec:
                       properties:
                         auth:
@@ -15445,6 +15495,7 @@ spec:
                     - Fake
                     - GCRAccessToken
                     - GithubAccessToken
+                    - QuayAccessToken
                     - Password
                     - STSSessionToken
                     - UUID
@@ -15652,6 +15703,11 @@ spec:
                     You can assume a role before making calls to the
                     desired AWS service.
                   type: string
+                scope:
+                  description: |-
+                    Scope specifies the ECR service scope.
+                    Valid options are private and public.
+                  type: string
               required:
                 - region
               type: object
@@ -16113,6 +16169,104 @@ spec:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.5
+  labels:
+    external-secrets.io/component: controller
+  name: quayaccesstokens.generators.external-secrets.io
+spec:
+  group: generators.external-secrets.io
+  names:
+    categories:
+      - external-secrets
+      - external-secrets-generators
+    kind: QuayAccessToken
+    listKind: QuayAccessTokenList
+    plural: quayaccesstokens
+    singular: quayaccesstoken
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: QuayAccessToken generates Quay oauth token for pulling/pushing images
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              properties:
+                robotAccount:
+                  description: Name of the robot account you are federating with
+                  type: string
+                serviceAccountRef:
+                  description: Name of the service account you are federating with
+                  properties:
+                    audiences:
+                      description: |-
+                        Audience specifies the `aud` claim for the service account token
+                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+                        then this audiences will be appended to the list
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: The name of the ServiceAccount resource being referred to.
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    namespace:
+                      description: |-
+                        Namespace of the resource being referred to.
+                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                  required:
+                    - name
+                  type: object
+                url:
+                  description: URL configures the Quay instance URL. Defaults to https://quay.io/.
+                  type: string
+              required:
+                - robotAccount
+                - serviceAccountRef
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        service:
+          name: kubernetes
+          namespace: default
+          path: /convert
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.16.5

kubernetes/external-secrets-operator/components/helm/deployment.yaml

@@ -40,7 +40,7 @@ spec:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          image: ghcr.io/external-secrets/external-secrets:v0.11.0@sha256:bf0747a7c8a9726a6757c185faa5a77bd0652f7aac03c9712c92fe7f26576431
+          image: registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:091b495923dd5b22509e8c419053b91f61ef5d871ed2c8612678b859d893e14b
           imagePullPolicy: IfNotPresent
           args:
             - certcontroller
@@ -113,7 +113,7 @@ spec:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          image: ghcr.io/external-secrets/external-secrets:v0.11.0@sha256:bf0747a7c8a9726a6757c185faa5a77bd0652f7aac03c9712c92fe7f26576431
+          image: registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:091b495923dd5b22509e8c419053b91f61ef5d871ed2c8612678b859d893e14b
           imagePullPolicy: IfNotPresent
           args:
             - --concurrent=1
@@ -175,7 +175,7 @@ spec:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          image: ghcr.io/external-secrets/external-secrets:v0.11.0@sha256:bf0747a7c8a9726a6757c185faa5a77bd0652f7aac03c9712c92fe7f26576431
+          image: registry.arthurvardevanyan.com/homelab/external-secrets:quay-head@sha256:091b495923dd5b22509e8c419053b91f61ef5d871ed2c8612678b859d893e14b
           imagePullPolicy: IfNotPresent
           args:
             - webhook

kubernetes/external-secrets-operator/components/helm/rbac.yaml

@@ -182,6 +182,7 @@ rules:
       - "fakes"
       - "gcraccesstokens"
       - "githubaccesstokens"
+      - "quayaccesstokens"
       - "passwords"
       - "stssessiontokens"
       - "uuids"
@@ -277,6 +278,7 @@ rules:
       - "fakes"
       - "gcraccesstokens"
       - "githubaccesstokens"
+      - "quayaccesstokens"
       - "passwords"
       - "vaultdynamicsecrets"
       - "webhooks"
@@ -321,6 +323,7 @@ rules:
       - "fakes"
       - "gcraccesstokens"
       - "githubaccesstokens"
+      - "quayaccesstokens"
       - "passwords"
       - "vaultdynamicsecrets"
       - "webhooks"

tekton/base/push-secret.yaml

@@ -8,17 +8,61 @@
 # stringData:
 #   .dockerconfigjson: <path:secret/data/homelab/homelab#quay_push>
 # type: kubernetes.io/dockerconfigjson
-apiVersion: containerregistry.arthurvardevanyan.com/v1beta1
-kind: Auth
+# apiVersion: containerregistry.arthurvardevanyan.com/v1beta1
+# kind: Auth
+# metadata:
+#   name: homelab-push-pull-secret
+#   namespace: homelab
+# spec:
+#   serviceAccount: pipeline
+#   secretName: homelab-push-pull-secret
+#   containerRegistry: quay
+#   audiences:
+#     - openshift
+#   quay:
+#     robotAccount: "homelab+push"
+#     url: registry.arthurvardevanyan.com
+---
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: QuayAccessToken
+metadata:
+  name: homelab
+  namespace: homelab
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  url: registry.arthurvardevanyan.com
+  robotAccount: homelab+push
+  serviceAccountRef:
+    name: "pipeline"
+    audiences:
+      - openshift
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
-  name: homelab-push-pull-secret
+  name: homelab
   namespace: homelab
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
-  serviceAccount: pipeline
-  secretName: homelab-push-pull-secret
-  containerRegistry: quay
-  audiences:
-    - openshift
-  quay:
-    robotAccount: "homelab+push"
-    url: registry.arthurvardevanyan.com
+  dataFrom:
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: QuayAccessToken
+          name: homelab
+  refreshInterval: "55m" # Overlap with Token Expire
+  target:
+    name: homelab-push-pull-secret
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: |
+          {
+            "auths": {
+              "{{ .registry }}": {
+                "auth": "{{ .auth }}"
+              }
+            }
+          }