fedora-image-uploader: Add the push cert for registry.fedoraproject.org

To push images, we need to use a client certificate and key[0]. Add those to the image uploader container. [0] 7a10d32e16/f/playbooks/groups/releng-compose.yml (_144)
2024-10-04 14:59:32 -04:00 · 2024-10-04 14:59:32 -04:00 · f8cad3cd92
commit f8cad3cd92
parent d3831e8178
2 changed files with 25 additions and 0 deletions
--- a/playbooks/openshift-apps/cloud-image-uploader.yml
+++ b/playbooks/openshift-apps/cloud-image-uploader.yml
@ -93,6 +93,18 @@
    key: cloud-image-uploader.ca
    privatefile: "rabbitmq/{{env}}/pki/ca.crt"

+  - role: openshift/secret-file
+    app: cloud-image-uploader
+    secret_name: registry-fedoraproject-cert
+    key: registry-fedoraproject.crt
+    privatefile: "docker-registry/{{env}}/pki/issued/containerstable.crt"
+
+  - role: openshift/secret-file
+    app: cloud-image-uploader
+    secret_name: registry-fedoraproject-key
+    key: registry-fedoraproject.key
+    privatefile: "docker-registry/{{env}}/pki/private/containerstable.key"
+
  - role: openshift/object
    app: cloud-image-uploader
    template: secret.yml
--- a/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml
+++ b/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml
@ -29,6 +29,14 @@ spec:
        - name: fedora-messaging-cert-volume
          secret:
            secretName: cloud-image-uploader-fedora-messaging-crt
+        # skopeo wants the cert and key in the same directory
+        - name: registry-fedoraproject
+          projected:
+            sources:
+            - secret:
+                secretName: registry-fedoraproject-cert
+            - secret:
+                secretName: registry-fedoraproject-key
      containers:
        - name: cloud-image-uploader
          image: image-registry.openshift-image-registry.svc:5000/cloud-image-uploader/cloud-image-uploader:latest
@ -75,6 +83,8 @@ spec:
                secretKeyRef:
                  name: podman-credentials
                  key: fedoraproject_registry_password
+            - name: FEDORA_REGISTRY_CERT_DIR
+              value: "/etc/pki/registry-fedoraproject-org/"
            - name: QUAY_IO_USER
              valueFrom:
                secretKeyRef:
@ -98,3 +108,6 @@ spec:
            - name: fedora-messaging-cert-volume
              mountPath: /etc/pki/rabbitmq/cert
              readOnly: true
+            - name: registry-fedoraproject
+              mountPath: /etc/pki/registry-fedoraproject-org/
+              readOnly: true