From 9f9005cef2a48ef540bc17f749f4dca66efd752f Mon Sep 17 00:00:00 2001
From: Andrea Frittoli
Date: Mon, 9 Sep 2024 11:42:27 +0100
Subject: [PATCH] Support separate bucket and image reg creds

The current release pipeline assumes that the same credentials are used to authenticate to the cloud storage service as well as to the container registry. This enables having independent credentials. It also enables using PAT based auth for the container registry by making the user configurable (instead of _json_key which works with gcr).

Signed-off-by: Andrea Frittoli
---
 tekton/publish.yaml | 7 ++++++-
 tekton/release-cheat-sheet.md | 2 ++
 tekton/release-pipeline.yaml | 17 ++++++++++++-----
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
index 361d1f5de79..48c09956485 100644
--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -30,6 +30,9 @@ spec:
       default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64
     - name: serviceAccountPath
       description: The name of the service account path within the release-secret workspace
+    - name: registryUser
+      description: Username to be used to login to the container registry
+      default: "_json_key"
   workspaces:
     - name: source
       description: >-
@@ -50,6 +53,8 @@ spec:
           value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
         - name: CONTAINER_REGISTRY
           value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
+        - name: CONTAINER_REGISTRY_USER
+          value: "$(params.registryUser)"
         - name: REGIONS
           value: "$(params.imageRegistryRegions)"
         - name: OUTPUT_RELEASE_DIR
@@ -68,7 +73,7 @@ spec:
 
         # Login to the container registry
         DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
-          crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
+          crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
           sed 's,^.*logged in via \(.*\)$,\1,g')
 
         # Auth with account credentials for all regions.
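Review bot: The new `-u ${CONTAINER_REGISTRY_USER}` in the login line of the third hunk is an unquoted expansion, so a username containing whitespace or glob characters would be word-split by the shell before crane sees it; now that the value is user-supplied rather than the fixed `_json_key`, write it as `crane auth login -u "${CONTAINER_REGISTRY_USER}" --password-stdin $(params.imageRegistry) 2>&1 | \`. The `registryUser` default is quoted here (`default: "_json_key"`) but the matching pipeline parameter in release-pipeline.yaml uses a bare `default: _json_key`; both parse as the same string, so this is style only, but picking one form keeps the two files greppable together. The `registryUser` description could also record what the value means for the two supported credential types, e.g. `description: Username to log in to the container registry (_json_key for a GCR service account key, or the account name when the credentials file holds a PAT)`, since the commit message is the only place that explains it. The script step that contains the login line starts and ends outside the hunk.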
diff --git a/tekton/release-cheat-sheet.md b/tekton/release-cheat-sheet.md
index af86c88f57d..929d273a71f 100644
--- a/tekton/release-cheat-sheet.md
+++ b/tekton/release-cheat-sheet.md
@@ -62,9 +62,11 @@ the pipelines repo, a terminal window and a text editor.
     --serviceaccount=release-right-meow \
     --param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
     --param=serviceAccountPath=release.json \
+    --param=serviceAccountImagesPath=release.json \
     --param=versionTag="${TEKTON_VERSION}" \
     --param=releaseBucket=gs://tekton-releases/pipeline \
     --workspace name=release-secret,secret=release-secret \
+    --workspace name=release-images-secret,secret=release-secret \
     --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
     --tasks-timeout 2h \
     --pipeline-timeout 3h
diff --git a/tekton/release-pipeline.yaml b/tekton/release-pipeline.yaml
index a6875d844a0..fc3cc6d5245 100644
--- a/tekton/release-pipeline.yaml
+++ b/tekton/release-pipeline.yaml
@@ -19,6 +19,9 @@ spec:
     - name: imageRegistryRegions
       description: The target image registry regions
       default: "us eu asia"
+    - name: imageRegistryUser
+      description: The user for the image registry credentials
+      default: _json_key
     - name: versionTag
       description: The X.Y.Z version that the artifacts should be tagged with
     - name: releaseBucket
@@ -38,11 +41,15 @@ spec:
       default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64
     - name: serviceAccountPath
       description: The path to the service account file within the release-secret workspace
+    - name: serviceAccountImagesPath
+      description: The path to the service account file or credentials within the release-images-secret workspace
   workspaces:
     - name: workarea
       description: The workspace where the repo will be cloned.
     - name: release-secret
-      description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
+      description: The secret that contains a service account authorized to push to the output bucket
+    - name: release-images-secret
+      description: The secret that contains a service account authorized to push to the imageRegistry
   results:
     - name: commit-sha
       description: the sha of the commit that was released
@@ -157,12 +164,12 @@ spec:
           value: $(params.imageRegistry)
         - name: imageRegistryPath
           value: $(params.imageRegistryPath)
-        - name: imageRegistryRegions
-          value: $(params.imageRegistryRegions)
+        - name: imageRegistryUser
+          value: $(params.registryUser)
         - name: releaseAsLatest
           value: $(params.releaseAsLatest)
         - name: serviceAccountPath
-          value: $(params.serviceAccountPath)
+          value: $(params.serviceAccountImagesPath)
         - name: platforms
           value: $(params.publishPlatforms)
       workspaces:
@@ -173,7 +180,7 @@ spec:
           workspace: workarea
           subpath: bucket
         - name: release-secret
-          workspace: release-images-secret
+          workspace: release-images-secret
       timeout: 2h
    - name: publish-to-bucket
      runAfter: [publish-images]
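Review bot: The added `value: $(params.registryUser)` in the second hunk of this file references a pipeline parameter that does not exist; the pipeline declares `imageRegistryUser` (first hunk of this file), so the user is never forwarded and Tekton will most likely reject the run for an undeclared parameter reference. The names are also crossed on the task side: the publish task in tekton/publish.yaml declares its parameter as `registryUser`, but this hunk passes it as `imageRegistryUser`, which that task does not declare. The same hunk removes the `imageRegistryRegions` pass-through instead of adding alongside it, so the pipeline's `imageRegistryRegions` parameter (default `"us eu asia"`) no longer reaches the publish task, which will then fall back to whatever default publish.yaml gives its own `imageRegistryRegions`; I cannot see that default, so the effective regions may silently change. The `publish-images` pipeline task that holds these params starts outside the hunk.
```yaml
        - name: imageRegistryPath
          value: $(params.imageRegistryPath)
        - name: imageRegistryRegions
          value: $(params.imageRegistryRegions)
        - name: registryUser
          value: $(params.imageRegistryUser)
        # … unchanged: releaseAsLatest, serviceAccountPath, platforms, workspaces …
```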