fedora-image-uploader: Add staging config for container uploads

Upload images to the stage registry. Rather than massaging the
credentials into the format written out by podman-login, just pass the
credentials in and have the app run podman-login with them. The
configuration includes the registry along with the prefix used for the
environment variables containing the credentials.

playbooks/openshift-apps/cloud-image-uploader.yml

@@ -103,6 +103,11 @@
     template: aws-secrets.yml
     objectname: aws-secrets.yml
 
+  - role: openshift/object
+    app: cloud-image-uploader
+    template: container-secrets.yml
+    objectname: container-secrets.yml
+
   - role: openshift/start-build
     app: cloud-image-uploader
     buildname: cloud-image-uploader-build

roles/openshift-apps/cloud-image-uploader/templates/config.toml

@@ -107,6 +107,13 @@ storage_account_type = "Standard_ZRS"
 
 {% endif %}
 
+{% if env == "staging" %}
+[[consumer_config.container.registries]]
+url = "oci-registry01.stg.iad2.fedoraproject.org"
+credential_prefix = "FEDORA_REGISTRY_"
+{% endif %}
+
+
 [qos]
 prefetch_size = 0
 prefetch_count = 25

roles/openshift-apps/cloud-image-uploader/templates/container-secrets.yml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "podman-credentials"
+  labels:
+    app: "cloud-image-uploader"
+stringData:
+{% if env == 'staging' %}
+  fedoraproject_registry_username: "{{candidate_registry_osbs_stg_username}}"
+  fedoraproject_registry_password: "{{candidate_registry_osbs_stg_password}}"
+  quay_io_username: ""
+  quay_io_password: ""
+{% else %}
+  fedoraproject_registry_username: "{{candidate_registry_osbs_prod_username}}"
+  fedoraproject_registry_password: "{{candidate_registry_osbs_prod_password}}"
+  quay_io_username: "{{quay_io_username}}"
+  quay_io_password: "{{quay_io_password}}"
+{% endif %}

roles/openshift-apps/cloud-image-uploader/templates/deployment.yml

@@ -65,6 +65,26 @@ spec:
                 secretKeyRef:
                   name: aws-credentials
                   key: secret_access_key
+            - name: FEDORA_REGISTRY_USER
+              valueFrom:
+                secretKeyRef:
+                  name: podman-credentials
+                  key: fedoraproject_registry_username
+            - name: FEDORA_REGISTRY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: podman-credentials
+                  key: fedoraproject_registry_password
+            - name: QUAY_IO_USER
+              valueFrom:
+                secretKeyRef:
+                  name: podman-credentials
+                  key: quay_io_username
+            - name: QUAY_IO_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: podman-credentials
+                  key: quay_io_password
           volumeMounts:
             - name: config-volume
               mountPath: /etc/fedora-messaging