allow osbuilder to inject ecr specific env var to exporter

2025-08-02 08:06:24 +00:00 · 2025-01-29 12:24:18 +01:00 · 2025-01-29 12:24:18 +01:00 · dcc3f0efc3
commit dcc3f0efc3
parent d69f69a0c6
11 changed files with 66 additions and 18 deletions
--- a/api/v1alpha2/osartifact_types.go
+++ b/api/v1alpha2/osartifact_types.go
@ -54,12 +54,31 @@ type SecretKeySelector struct {
 	Key string `json:"key,omitempty"`
 }

+type RegistryCloud string
+
+const (
+	// RegistryCloudECR ensures that special env variables will be injected
+	// into the exporter job to allow kaniko to automatically auth with the
+	// ecr registry to push the images.
+	RegistryCloudECR RegistryCloud = "ecr"
+	// RegistryCloudOther requires from user to provide username/password secret
+	// in order for kaniko to be able to authenticate with the container registry.
+	RegistryCloudOther RegistryCloud = "other"
+)
+
 type OutputImage struct {
-	Registry             string             `json:"registry,omitempty"`
-	Repository           string             `json:"repository,omitempty"`
-	Tag                  string             `json:"tag,omitempty"`
-	Username             string             `json:"username,omitempty"`
-	PasswordSecretKeyRef *SecretKeySelector `json:"passwordSecretKeyRef,omitempty"`
+	// +kubebuilder:validation:Enum=ecr;other
+	// +kubebuilder:default=other
+	// +required
+	Cloud RegistryCloud `json:"cloud"`
+	// +optional
+	Registry string `json:"registry,omitempty"`
+	// +optional
+	Repository string `json:"repository,omitempty"`
+	// +optional
+	Tag string `json:"tag,omitempty"`
+	// +optional
+	DockerConfigSecretKeyRef *SecretKeySelector `json:"dockerConfigSecretKeyRef,omitempty"`
 }

 type ArtifactPhase string
--- a/api/v1alpha2/zz_generated.deepcopy.go
+++ b/api/v1alpha2/zz_generated.deepcopy.go
@ -151,8 +151,8 @@ func (in *OSArtifactStatus) DeepCopy() *OSArtifactStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputImage) DeepCopyInto(out *OutputImage) {
 	*out = *in
-	if in.PasswordSecretKeyRef != nil {
-		in, out := &in.PasswordSecretKeyRef, &out.PasswordSecretKeyRef
+	if in.DockerConfigSecretKeyRef != nil {
+		in, out := &in.DockerConfigSecretKeyRef, &out.DockerConfigSecretKeyRef
 		*out = new(SecretKeySelector)
 		**out = **in
 	}
--- a/charts/osartifact/templates/secret.yaml
+++ b/charts/osartifact/templates/secret.yaml
@ -23,6 +23,8 @@ stringData:
    hostname: plural-edge-{{ `{{ trunc 10 .MachineID }}` }}

    users:
+      - name: kairos
+        lock_passwd: true
      - name: {{ .Values.username }}
        passwd: {{ $password }}
        {{- with .Values.defaultUser }}
--- a/charts/osbuilder/templates/registry/deployment.yaml
+++ b/charts/osbuilder/templates/registry/deployment.yaml
@ -1,3 +1,5 @@
+{{- if .Values.registry.enabled }}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -76,4 +78,5 @@ spec:
        - name: htpasswd-volume
          secret:
            secretName: {{ .Values.registry.auth.htpasswd.existingSecret.name | default (printf "%s-%s" (include "helm-chart.fullname" .) "htpasswd") }}
-        {{- end }}
+        {{- end }}
+{{- end }}
--- a/charts/osbuilder/templates/registry/ingress.yaml
+++ b/charts/osbuilder/templates/registry/ingress.yaml
@ -1,4 +1,4 @@
-{{- if .Values.registry.ingress.enabled }}
+{{- if and (.Values.registry.enabled .Values.registry.ingress.enabled) }}

 apiVersion: networking.k8s.io/v1
 kind: Ingress
--- a/charts/osbuilder/templates/registry/secret.yaml
+++ b/charts/osbuilder/templates/registry/secret.yaml
@ -1,4 +1,4 @@
-{{- if and (eq .Values.registry.auth.realm "basic-realm") (not .Values.registry.auth.htpasswd.existingSecret.name) }}
+{{- if and (eq .Values.registry.auth.realm "basic-realm") (not .Values.registry.auth.htpasswd.existingSecret.name) (.Values.registry.enabled) }}

 {{- if not .Values.registry.auth.htpasswd.secret.name }}
  {{- fail "A valid .Values.registry.auth.htpasswd.secret.name required when auth realm set to 'basic-realm'" }}
--- a/charts/osbuilder/templates/registry/service.yaml
+++ b/charts/osbuilder/templates/registry/service.yaml
@ -1,3 +1,5 @@
+{{- if .Values.registry.enabled }}
+
 apiVersion: v1
 kind: Service
 metadata:
@ -21,3 +23,5 @@ spec:
      protocol: TCP
      targetPort: debug
    {{- end }}
+
+{{- end }}
--- a/charts/osbuilder/values.yaml
+++ b/charts/osbuilder/values.yaml
@ -41,6 +41,7 @@ builder:
        memory: 50Mi

 registry:
+  enabled: false
  # Secrets to pull container images from private registries
  imagePullSecrets: []
  image:
--- a/config/crd/bases/build.kairos.io_osartifacts.yaml
+++ b/config/crd/bases/build.kairos.io_osartifacts.yaml
@ -72,7 +72,13 @@ spec:
                type: string
              outputImage:
                properties:
-                  passwordSecretKeyRef:
+                  cloud:
+                    default: other
+                    enum:
+                    - ecr
+                    - other
+                    type: string
+                  dockerConfigSecretKeyRef:
                    properties:
                      key:
                        type: string
@ -87,8 +93,8 @@ spec:
                    type: string
                  tag:
                    type: string
-                  username:
-                    type: string
+                required:
+                - cloud
                type: object
            type: object
          status:
--- a/controllers/job.go
+++ b/controllers/job.go
@ -19,10 +19,11 @@ package controllers
 import (
 	"fmt"

-	osbuilder "github.com/kairos-io/osbuilder/api/v1alpha2"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	osbuilder "github.com/kairos-io/osbuilder/api/v1alpha2"
 )

 func unpackContainer(id, containerImage, pullImage string) corev1.Container {
--- a/controllers/osartifact_controller.go
+++ b/controllers/osartifact_controller.go
@ -319,10 +319,18 @@ func (r *OSArtifactReconciler) checkExport(ctx context.Context, artifact *osbuil
 					},
 				},
 			}
-			if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.PasswordSecretKeyRef != nil {
-				if err := r.Get(ctx, client.ObjectKey{Namespace: artifact.Namespace, Name: artifact.Spec.OutputImage.PasswordSecretKeyRef.Name}, &corev1.Secret{}); err != nil {
+
+			if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.Cloud == osbuilder.RegistryCloudECR {
+				container.Env = []corev1.EnvVar{
+					{Name: "AWS_SDK_LOAD_CONFIG", Value: "true"},
+					{Name: "AWS_EC2_METADATA_DISABLED", Value: "true"},
+				}
+			}
+
+			if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.DockerConfigSecretKeyRef != nil {
+				if err := r.Get(ctx, client.ObjectKey{Namespace: artifact.Namespace, Name: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name}, &corev1.Secret{}); err != nil {
 					if errors.IsNotFound(err) {
-						logger.Info(fmt.Sprintf("Secret %s/%s not found", artifact.Namespace, artifact.Spec.OutputImage.PasswordSecretKeyRef.Name))
+						logger.Info(fmt.Sprintf("Secret %s/%s not found", artifact.Namespace, artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name))
 						return requeue, nil
 					}
 					return ctrl.Result{}, err
@ -335,7 +343,11 @@ func (r *OSArtifactReconciler) checkExport(ctx context.Context, artifact *osbuil
 					Name: "docker-secret",
 					VolumeSource: corev1.VolumeSource{
 						Secret: &corev1.SecretVolumeSource{
-							SecretName: artifact.Spec.OutputImage.PasswordSecretKeyRef.Name,
+							SecretName: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name,
+							Items: []corev1.KeyToPath{{
+								Key:  artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Key,
+								Path: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Key,
+							}},
 						},
 					},
 				})