Support separate bucket and image reg creds

The current release pipeline assumes that the same credentials are used to authenticate to the cloud storage service as well as to the container registry. This enables having independent credentials. It also enables using PAT based auth for the container registry by making the user configurable (instead of _json_key which works with gcr). Signed-off-by: Andrea Frittoli <[email protected]>
tektoncd · Sep 10, 2024 · 9f9005c · 9f9005c
1 parent 2bbd219
commit 9f9005c
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 6 deletions.
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
@@ -30,6 +30,9 @@ spec:
       default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64
     - name: serviceAccountPath
       description: The name of the service account path within the release-secret workspace
+    - name: registryUser
+      description: Username to be used to login to the container registry
+      default: "_json_key"
   workspaces:
     - name: source
       description: >-
@@ -50,6 +53,8 @@ spec:
         value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
       - name: CONTAINER_REGISTRY
         value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
+      - name: CONTAINER_REGISTRY_USER
+        value: "$(params.registryUser)"
       - name: REGIONS
         value: "$(params.imageRegistryRegions)"
       - name: OUTPUT_RELEASE_DIR
@@ -68,7 +73,7 @@ spec:
 
       # Login to the container registry
       DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
-        crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
+        crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
         sed 's,^.*logged in via \(.*\)$,\1,g')
 
       # Auth with account credentials for all regions.

diff --git a/tekton/release-cheat-sheet.md b/tekton/release-cheat-sheet.md
@@ -62,9 +62,11 @@ the pipelines repo, a terminal window and a text editor.
       --serviceaccount=release-right-meow \
       --param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
       --param=serviceAccountPath=release.json \
+      --param=serviceAccountImagesPath=release.json \
       --param=versionTag="${TEKTON_VERSION}" \
       --param=releaseBucket=gs://tekton-releases/pipeline \
       --workspace name=release-secret,secret=release-secret \
+      --workspace name=release-images-secret,secret=release-secret \
       --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
       --tasks-timeout 2h \
       --pipeline-timeout 3h

diff --git a/tekton/release-pipeline.yaml b/tekton/release-pipeline.yaml
@@ -19,6 +19,9 @@ spec:
   - name: imageRegistryRegions
     description: The target image registry regions
     default: "us eu asia"
+  - name: imageRegistryUser
+    description: The user for the image registry credentials
+    default: _json_key
   - name: versionTag
     description: The X.Y.Z version that the artifacts should be tagged with
   - name: releaseBucket
@@ -38,11 +41,15 @@ spec:
     default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64
   - name: serviceAccountPath
     description: The path to the service account file within the release-secret workspace
+  - name: serviceAccountImagesPath
+    description: The path to the service account file or credentials within the release-images-secret workspace
   workspaces:
     - name: workarea
       description: The workspace where the repo will be cloned.
     - name: release-secret
-      description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
+      description: The secret that contains a service account authorized to push to the output bucket
+    - name: release-images-secret
+      description: The secret that contains a service account authorized to push to the imageRegistry
   results:
     - name: commit-sha
       description: the sha of the commit that was released
@@ -157,12 +164,12 @@ spec:
           value: $(params.imageRegistry)
         - name: imageRegistryPath
           value: $(params.imageRegistryPath)
-        - name: imageRegistryRegions
-          value: $(params.imageRegistryRegions)
+        - name: imageRegistryUser
+          value: $(params.registryUser)
         - name: releaseAsLatest
           value: $(params.releaseAsLatest)
         - name: serviceAccountPath
-          value: $(params.serviceAccountPath)
+          value: $(params.serviceAccountImagesPath)
         - name: platforms
           value: $(params.publishPlatforms)
       workspaces:
@@ -173,7 +180,7 @@ spec:
           workspace: workarea
           subpath: bucket
         - name: release-secret
-          workspace: release-secret
+          workspace: release-images-secret
       timeout: 2h
     - name: publish-to-bucket
       runAfter: [publish-images]