diff --git a/api/v1alpha2/osartifact_types.go b/api/v1alpha2/osartifact_types.go
index f83d7ed..507ddb2 100644
--- a/api/v1alpha2/osartifact_types.go
+++ b/api/v1alpha2/osartifact_types.go
@@ -54,12 +54,31 @@ type SecretKeySelector struct {
 	Key string `json:"key,omitempty"`
 }
 
+type RegistryCloud string
+
+const (
+	// RegistryCloudECR ensures that special env variables will be injected
+	// into the exporter job to allow kaniko to automatically auth with the
+	// ecr registry to push the images.
+	RegistryCloudECR RegistryCloud = "ecr"
+	// RegistryCloudOther requires from user to provide username/password secret
+	// in order for kaniko to be able to authenticate with the container registry.
+	RegistryCloudOther RegistryCloud = "other"
+)
+
 type OutputImage struct {
-	Registry string `json:"registry,omitempty"`
-	Repository string `json:"repository,omitempty"`
-	Tag string `json:"tag,omitempty"`
-	Username string `json:"username,omitempty"`
-	PasswordSecretKeyRef *SecretKeySelector `json:"passwordSecretKeyRef,omitempty"`
+	// +kubebuilder:validation:Enum=ecr;other
+	// +kubebuilder:default=other
+	// +required
+	Cloud RegistryCloud `json:"cloud"`
+	// +optional
+	Registry string `json:"registry,omitempty"`
+	// +optional
+	Repository string `json:"repository,omitempty"`
+	// +optional
+	Tag string `json:"tag,omitempty"`
+	// +optional
+	DockerConfigSecretKeyRef *SecretKeySelector `json:"dockerConfigSecretKeyRef,omitempty"`
 }
 
 type ArtifactPhase string
diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go
index 0446a7a..a62ab7b 100644
--- a/api/v1alpha2/zz_generated.deepcopy.go
+++ b/api/v1alpha2/zz_generated.deepcopy.go
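Review bot: The doc comment on `RegistryCloudOther` still says the user must provide a "username/password secret", but the field that replaces `Username` and `PasswordSecretKeyRef` in the same hunk is `DockerConfigSecretKeyRef`, so the comment now describes a credential shape the API no longer accepts; suggest `// RegistryCloudOther requires the user to provide a docker config secret (see DockerConfigSecretKeyRef) so kaniko can authenticate with the container registry.` Dropping `username` and `passwordSecretKeyRef` from the served `v1alpha2` schema in place, rather than in a new API version, appears to be a breaking change: existing OSArtifact objects carrying those fields will have them pruned on their next update, which deserves a migration note in the type docs. `Cloud` is marked both `+required` and `+kubebuilder:default=other`; a one-line comment on the field stating that the default is applied when the manifest omits it would spare readers of the CRD from working that out.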
@@ -151,8 +151,8 @@ func (in *OSArtifactStatus) DeepCopy() *OSArtifactStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputImage) DeepCopyInto(out *OutputImage) {
 	*out = *in
-	if in.PasswordSecretKeyRef != nil {
-		in, out := &in.PasswordSecretKeyRef, &out.PasswordSecretKeyRef
+	if in.DockerConfigSecretKeyRef != nil {
+		in, out := &in.DockerConfigSecretKeyRef, &out.DockerConfigSecretKeyRef
 		*out = new(SecretKeySelector)
 		**out = **in
 	}
diff --git a/charts/osartifact/templates/secret.yaml b/charts/osartifact/templates/secret.yaml
index 4b219ff..84c72c8 100644
--- a/charts/osartifact/templates/secret.yaml
+++ b/charts/osartifact/templates/secret.yaml
@@ -23,6 +23,8 @@ stringData:
     hostname: plural-edge-{{ `{{ trunc 10 .MachineID }}` }}
     users:
+    - name: kairos
+      lock_passwd: true
     - name: {{ .Values.username }}
       passwd: {{ $password }}
     {{- with .Values.defaultUser }}
diff --git a/charts/osbuilder/templates/registry/deployment.yaml b/charts/osbuilder/templates/registry/deployment.yaml
index 921063e..2176432 100644
--- a/charts/osbuilder/templates/registry/deployment.yaml
+++ b/charts/osbuilder/templates/registry/deployment.yaml
@@ -1,3 +1,5 @@
+{{- if .Values.registry.enabled }}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -76,4 +78,5 @@ spec:
       - name: htpasswd-volume
         secret:
           secretName: {{ .Values.registry.auth.htpasswd.existingSecret.name | default (printf "%s-%s" (include "helm-chart.fullname" .) "htpasswd") }}
-  {{- end }}
\ No newline at end of file
+  {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/osbuilder/templates/registry/ingress.yaml b/charts/osbuilder/templates/registry/ingress.yaml
index 965d077..7af1e14 100644
--- a/charts/osbuilder/templates/registry/ingress.yaml
+++ b/charts/osbuilder/templates/registry/ingress.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.registry.ingress.enabled }}
+{{- if and (.Values.registry.enabled .Values.registry.ingress.enabled) }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 
diff --git a/charts/osbuilder/templates/registry/secret.yaml b/charts/osbuilder/templates/registry/secret.yaml
index 78a6ae9..e750af9 100644
--- a/charts/osbuilder/templates/registry/secret.yaml
+++ b/charts/osbuilder/templates/registry/secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.registry.auth.realm "basic-realm") (not .Values.registry.auth.htpasswd.existingSecret.name) }}
+{{- if and (eq .Values.registry.auth.realm "basic-realm") (not .Values.registry.auth.htpasswd.existingSecret.name) (.Values.registry.enabled) }}
 {{- if not .Values.registry.auth.htpasswd.secret.name }}
 {{- fail "A valid .Values.registry.auth.htpasswd.secret.name required when auth realm set to 'basic-realm'" }}
 
diff --git a/charts/osbuilder/templates/registry/service.yaml b/charts/osbuilder/templates/registry/service.yaml
index 2218699..8728623 100644
--- a/charts/osbuilder/templates/registry/service.yaml
+++ b/charts/osbuilder/templates/registry/service.yaml
@@ -1,3 +1,5 @@
+{{- if .Values.registry.enabled }}
+
 apiVersion: v1
 kind: Service
 metadata:
@@ -21,3 +23,5 @@ spec:
       protocol: TCP
       targetPort: debug
     {{- end }}
+
+{{- end }}
\ No newline at end of file
diff --git a/charts/osbuilder/values.yaml b/charts/osbuilder/values.yaml
index 0972dc6..26288ab 100644
--- a/charts/osbuilder/values.yaml
+++ b/charts/osbuilder/values.yaml
@@ -41,6 +41,7 @@ builder:
       memory: 50Mi
 
 registry:
+  enabled: false
   # Secrets to pull container images from private registries
   imagePullSecrets: []
   image:
diff --git a/config/crd/bases/build.kairos.io_osartifacts.yaml b/config/crd/bases/build.kairos.io_osartifacts.yaml
index 6084565..d5f1df6 100644
--- a/config/crd/bases/build.kairos.io_osartifacts.yaml
+++ b/config/crd/bases/build.kairos.io_osartifacts.yaml
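Review bot: The rewritten guard on the first line of the ingress hunk, `{{- if and (.Values.registry.enabled .Values.registry.ingress.enabled) }}`, puts both values inside one parenthesised pipeline, which in Go templates means invoking `.Values.registry.enabled` with `.Values.registry.ingress.enabled` as its argument; because `enabled` is a plain value rather than a method, rendering the chart fails with an "is not a method but has arguments" error instead of evaluating the conjunction. Pass both operands directly to `and`: `{{- if and .Values.registry.enabled .Values.registry.ingress.enabled }}`. The registry secret.yaml hunk that follows wraps `(.Values.registry.enabled)` as its own argument and renders correctly.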
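Review bot: `enabled: false` is introduced as the default under `registry:` without a comment, so an upgrade of an existing release that relied on the in-cluster registry being rendered will silently stop deploying it, together with the Service, Ingress and htpasswd Secret that the other hunks gate on the same value. A comment above the new line would make the opt-in explicit, e.g. `# enabled deploys the in-cluster container registry (Deployment, Service, Ingress, htpasswd Secret); off by default, so existing installs that used it must set this to true.`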
@@ -72,7 +72,13 @@ spec:
               type: string
             outputImage:
              properties:
-                passwordSecretKeyRef:
+                cloud:
+                  default: other
+                  enum:
+                  - ecr
+                  - other
+                  type: string
+                dockerConfigSecretKeyRef:
                  properties:
                    key:
                      type: string
@@ -87,8 +93,8 @@ spec:
                    type: string
                tag:
                  type: string
-                username:
-                  type: string
+              required:
+              - cloud
              type: object
            type: object
        status:
diff --git a/controllers/job.go b/controllers/job.go
index 789fad8..95ed00e 100644
--- a/controllers/job.go
+++ b/controllers/job.go
@@ -19,10 +19,11 @@ package controllers
 import (
 	"fmt"
 
-	osbuilder "github.com/kairos-io/osbuilder/api/v1alpha2"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	osbuilder "github.com/kairos-io/osbuilder/api/v1alpha2"
 )
 
 func unpackContainer(id, containerImage, pullImage string) corev1.Container {
diff --git a/controllers/osartifact_controller.go b/controllers/osartifact_controller.go
index 249d6aa..12505d7 100644
--- a/controllers/osartifact_controller.go
+++ b/controllers/osartifact_controller.go
@@ -319,10 +319,18 @@ func (r *OSArtifactReconciler) checkExport(ctx context.Context, artifact *osbuil
 			},
 		},
 	}
-	if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.PasswordSecretKeyRef != nil {
-		if err := r.Get(ctx, client.ObjectKey{Namespace: artifact.Namespace, Name: artifact.Spec.OutputImage.PasswordSecretKeyRef.Name}, &corev1.Secret{}); err != nil {
+
+	if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.Cloud == osbuilder.RegistryCloudECR {
+		container.Env = []corev1.EnvVar{
+			{Name: "AWS_SDK_LOAD_CONFIG", Value: "true"},
+			{Name: "AWS_EC2_METADATA_DISABLED", Value: "true"},
+		}
+	}
+
+	if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.DockerConfigSecretKeyRef != nil {
+		if err := r.Get(ctx, client.ObjectKey{Namespace: artifact.Namespace, Name: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name}, &corev1.Secret{}); err != nil {
 			if errors.IsNotFound(err) {
-				logger.Info(fmt.Sprintf("Secret %s/%s not found", artifact.Namespace, artifact.Spec.OutputImage.PasswordSecretKeyRef.Name))
+				logger.Info(fmt.Sprintf("Secret %s/%s not found", artifact.Namespace, artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name))
 				return requeue, nil
 			}
 			return ctrl.Result{}, err
@@ -335,7 +343,11 @@ func (r *OSArtifactReconciler) checkExport(ctx context.Context, artifact *osbuil
 					Name: "docker-secret",
 					VolumeSource: corev1.VolumeSource{
 						Secret: &corev1.SecretVolumeSource{
-							SecretName: artifact.Spec.OutputImage.PasswordSecretKeyRef.Name,
+							SecretName: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name,
+							Items: []corev1.KeyToPath{{
+								Key:  artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Key,
+								Path: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Key,
+							}},
 						},
 					},
 				})
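Review bot: The `r.Get` in the new `DockerConfigSecretKeyRef` branch confirms the Secret exists but decodes it into a throwaway `&corev1.Secret{}` and never checks that `DockerConfigSecretKeyRef.Key` is present in its `Data`, so a secret with the wrong key passes this check and the exporter pod presumably fails later at volume setup, where the reconciler does not see it. Keeping the fetched object in a local and adding `if _, ok := secret.Data[artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Key]; !ok { return requeue, nil }` after the not-found handling (with a log line like the existing one) would surface the misconfiguration here. The ECR branch assigns `container.Env = []corev1.EnvVar{...}` rather than appending; if the container literal closed at the top of the hunk already sets `Env` (not visible here), those entries are silently dropped, and `container.Env = append(container.Env, ...)` avoids that. Nothing in either branch enforces the type comment's claim that `RegistryCloudOther` requires a registry credential, so an artifact with `cloud: other` and no `dockerConfigSecretKeyRef` is accepted and kaniko only fails at push time. `checkExport` starts and ends outside the hunk.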
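Review bot: The new `Items` projection uses `DockerConfigSecretKeyRef.Key` for both `Key` and `Path`, but `SecretKeySelector.Key` is tagged `omitempty` in the types hunk, so an artifact that omits it produces `KeyToPath{Key: "", Path: ""}`, which API validation rejects when the Job is created and the reconciler then presumably returns that error on every pass. Rejecting an empty key before the volume is built, e.g. `if artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Key == "" { return ctrl.Result{}, fmt.Errorf("outputImage.dockerConfigSecretKeyRef.key must be set") }`, or a `+kubebuilder:validation:MinLength=1` marker on the selector, would give a clear failure instead. Whether the projected file lands at the path kaniko reads its docker config from depends on the container's volume mount, which is outside this hunk, so a short comment next to `Items` naming the expected key would help the next reader. `checkExport` continues outside the hunk.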