allow osbuilder to inject ecr specific env var to exporter

api/v1alpha2/osartifact_types.go

@@ -54,12 +54,31 @@ type SecretKeySelector struct {
 	Key string `json:"key,omitempty"`
 }
 
+type RegistryCloud string
+
+const (
+	// RegistryCloudECR ensures that special env variables will be injected
+	// into the exporter job to allow kaniko to automatically auth with the
+	// ecr registry to push the images.
+	RegistryCloudECR RegistryCloud = "ecr"
+	// RegistryCloudOther requires from user to provide username/password secret
+	// in order for kaniko to be able to authenticate with the container registry.
+	RegistryCloudOther RegistryCloud = "other"
+)
+
 type OutputImage struct {
+	// +kubebuilder:validation:Enum=ecr;other
+	// +kubebuilder:default=other
+	// +required
+	Cloud RegistryCloud `json:"cloud"`
+	// +optional
 	Registry string `json:"registry,omitempty"`
+	// +optional
 	Repository string `json:"repository,omitempty"`
+	// +optional
 	Tag string `json:"tag,omitempty"`
-	Username             string             `json:"username,omitempty"`
+	// +optional
-	PasswordSecretKeyRef *SecretKeySelector `json:"passwordSecretKeyRef,omitempty"`
+	DockerConfigSecretKeyRef *SecretKeySelector `json:"dockerConfigSecretKeyRef,omitempty"`
 }
 
 type ArtifactPhase string

api/v1alpha2/zz_generated.deepcopy.go

@@ -151,8 +151,8 @@ func (in *OSArtifactStatus) DeepCopy() *OSArtifactStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputImage) DeepCopyInto(out *OutputImage) {
 	*out = *in
-	if in.PasswordSecretKeyRef != nil {
+	if in.DockerConfigSecretKeyRef != nil {
-		in, out := &in.PasswordSecretKeyRef, &out.PasswordSecretKeyRef
+		in, out := &in.DockerConfigSecretKeyRef, &out.DockerConfigSecretKeyRef
 		*out = new(SecretKeySelector)
 		**out = **in
 	}

charts/osartifact/templates/secret.yaml

@@ -23,6 +23,8 @@ stringData:
     hostname: plural-edge-{{ `{{ trunc 10 .MachineID }}` }}
 
     users:
+      - name: kairos
+        lock_passwd: true
       - name: {{ .Values.username }}
         passwd: {{ $password }}
         {{- with .Values.defaultUser }}

charts/osbuilder/templates/registry/deployment.yaml

@@ -1,3 +1,5 @@
+{{- if .Values.registry.enabled }}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -77,3 +79,4 @@ spec:
           secret:
             secretName: {{ .Values.registry.auth.htpasswd.existingSecret.name | default (printf "%s-%s" (include "helm-chart.fullname" .) "htpasswd") }}
         {{- end }}
+{{- end }}

charts/osbuilder/templates/registry/ingress.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.registry.ingress.enabled }}
+{{- if and (.Values.registry.enabled .Values.registry.ingress.enabled) }}
 
 apiVersion: networking.k8s.io/v1
 kind: Ingress

charts/osbuilder/templates/registry/secret.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq .Values.registry.auth.realm "basic-realm") (not .Values.registry.auth.htpasswd.existingSecret.name) }}
+{{- if and (eq .Values.registry.auth.realm "basic-realm") (not .Values.registry.auth.htpasswd.existingSecret.name) (.Values.registry.enabled) }}
 
 {{- if not .Values.registry.auth.htpasswd.secret.name }}
   {{- fail "A valid .Values.registry.auth.htpasswd.secret.name required when auth realm set to 'basic-realm'" }}

charts/osbuilder/templates/registry/service.yaml

@@ -1,3 +1,5 @@
+{{- if .Values.registry.enabled }}
+
 apiVersion: v1
 kind: Service
 metadata:
@@ -21,3 +23,5 @@ spec:
       protocol: TCP
       targetPort: debug
     {{- end }}
+
+{{- end }}

charts/osbuilder/values.yaml

@@ -41,6 +41,7 @@ builder:
         memory: 50Mi
 
 registry:
+  enabled: false
   # Secrets to pull container images from private registries
   imagePullSecrets: []
   image:

config/crd/bases/build.kairos.io_osartifacts.yaml

@@ -72,7 +72,13 @@ spec:
                 type: string
               outputImage:
                 properties:
-                  passwordSecretKeyRef:
+                  cloud:
+                    default: other
+                    enum:
+                    - ecr
+                    - other
+                    type: string
+                  dockerConfigSecretKeyRef:
                     properties:
                       key:
                         type: string
@@ -87,8 +93,8 @@ spec:
                     type: string
                   tag:
                     type: string
-                  username:
+                required:
-                    type: string
+                - cloud
                 type: object
             type: object
           status:

controllers/job.go

@@ -19,10 +19,11 @@ package controllers
 import (
 	"fmt"
 
-	osbuilder "github.com/kairos-io/osbuilder/api/v1alpha2"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	osbuilder "github.com/kairos-io/osbuilder/api/v1alpha2"
 )
 
 func unpackContainer(id, containerImage, pullImage string) corev1.Container {

controllers/osartifact_controller.go

@@ -319,10 +319,18 @@ func (r *OSArtifactReconciler) checkExport(ctx context.Context, artifact *osbuil
 					},
 				},
 			}
-			if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.PasswordSecretKeyRef != nil {
+
-				if err := r.Get(ctx, client.ObjectKey{Namespace: artifact.Namespace, Name: artifact.Spec.OutputImage.PasswordSecretKeyRef.Name}, &corev1.Secret{}); err != nil {
+			if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.Cloud == osbuilder.RegistryCloudECR {
+				container.Env = []corev1.EnvVar{
+					{Name: "AWS_SDK_LOAD_CONFIG", Value: "true"},
+					{Name: "AWS_EC2_METADATA_DISABLED", Value: "true"},
+				}
+			}
+
+			if artifact.Spec.OutputImage != nil && artifact.Spec.OutputImage.DockerConfigSecretKeyRef != nil {
+				if err := r.Get(ctx, client.ObjectKey{Namespace: artifact.Namespace, Name: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name}, &corev1.Secret{}); err != nil {
 					if errors.IsNotFound(err) {
-						logger.Info(fmt.Sprintf("Secret %s/%s not found", artifact.Namespace, artifact.Spec.OutputImage.PasswordSecretKeyRef.Name))
+						logger.Info(fmt.Sprintf("Secret %s/%s not found", artifact.Namespace, artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name))
 						return requeue, nil
 					}
 					return ctrl.Result{}, err
@@ -335,7 +343,11 @@ func (r *OSArtifactReconciler) checkExport(ctx context.Context, artifact *osbuil
 					Name: "docker-secret",
 					VolumeSource: corev1.VolumeSource{
 						Secret: &corev1.SecretVolumeSource{
-							SecretName: artifact.Spec.OutputImage.PasswordSecretKeyRef.Name,
+							SecretName: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Name,
+							Items: []corev1.KeyToPath{{
+								Key:  artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Key,
+								Path: artifact.Spec.OutputImage.DockerConfigSecretKeyRef.Key,
+							}},
 						},
 					},
 				})