fedora-image-uploader: Add staging config for container uploads

Upload images to the stage registry. Rather than massaging the credentials into the format written out by podman-login, just pass the credentials in and have the app run podman-login with them. The configuration includes the registry along with the prefix used for the environment variables containing the credentials.
2024-08-28 17:18:37 -04:00 · 2024-08-28 17:18:37 -04:00 · 5e0ad1134d
commit 5e0ad1134d
parent 0db90a7f3a
4 changed files with 50 additions and 0 deletions
--- a/playbooks/openshift-apps/cloud-image-uploader.yml
+++ b/playbooks/openshift-apps/cloud-image-uploader.yml
@ -103,6 +103,11 @@
    template: aws-secrets.yml
    objectname: aws-secrets.yml

+  - role: openshift/object
+    app: cloud-image-uploader
+    template: container-secrets.yml
+    objectname: container-secrets.yml
+
  - role: openshift/start-build
    app: cloud-image-uploader
    buildname: cloud-image-uploader-build
--- a/roles/openshift-apps/cloud-image-uploader/templates/config.toml
+++ b/roles/openshift-apps/cloud-image-uploader/templates/config.toml
@ -107,6 +107,13 @@ storage_account_type = "Standard_ZRS"

 {% endif %}

+{% if env == "staging" %}
+[[consumer_config.container.registries]]
+url = "oci-registry01.stg.iad2.fedoraproject.org"
+credential_prefix = "FEDORA_REGISTRY_"
+{% endif %}
+
+
 [qos]
 prefetch_size = 0
 prefetch_count = 25
--- a/roles/openshift-apps/cloud-image-uploader/templates/container-secrets.yml
+++ b/roles/openshift-apps/cloud-image-uploader/templates/container-secrets.yml
@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "podman-credentials"
+  labels:
+    app: "cloud-image-uploader"
+stringData:
+{% if env == 'staging' %}
+  fedoraproject_registry_username: "{{candidate_registry_osbs_stg_username}}"
+  fedoraproject_registry_password: "{{candidate_registry_osbs_stg_password}}"
+  quay_io_username: ""
+  quay_io_password: ""
+{% else %}
+  fedoraproject_registry_username: "{{candidate_registry_osbs_prod_username}}"
+  fedoraproject_registry_password: "{{candidate_registry_osbs_prod_password}}"
+  quay_io_username: "{{quay_io_username}}"
+  quay_io_password: "{{quay_io_password}}"
+{% endif %}
--- a/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml
+++ b/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml
@ -65,6 +65,26 @@ spec:
                secretKeyRef:
                  name: aws-credentials
                  key: secret_access_key
+            - name: FEDORA_REGISTRY_USER
+              valueFrom:
+                secretKeyRef:
+                  name: podman-credentials
+                  key: fedoraproject_registry_username
+            - name: FEDORA_REGISTRY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: podman-credentials
+                  key: fedoraproject_registry_password
+            - name: QUAY_IO_USER
+              valueFrom:
+                secretKeyRef:
+                  name: podman-credentials
+                  key: quay_io_username
+            - name: QUAY_IO_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: podman-credentials
+                  key: quay_io_password
          volumeMounts:
            - name: config-volume
              mountPath: /etc/fedora-messaging