Merge branch 'feat/add-aws-variant' into 'master'

| `DOCKER_SNAPSHOT_IMAGE`   | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |

| `DOCKER_RELEASE_IMAGE`    | Docker release image  | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME`          |

As you can see, the Docker template is configured by default to use the GitLab container registry.

You may perfectly override this and use another Docker registry, but be aware of a few things:

| :lock: `DOCKER_REGISTRY_USER`    | Docker registry username for image registry |

| :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry  |

#### Using different registries for snapshot and release

If you use **different registries** for snapshot and release images, you shall use separate configuration variables:

| :lock: `DOCKER_REGISTRY_RELEASE_USER`    | Docker registry username for release image registry |

| :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD`| Docker registry password for release image registry |

#### Setting your own Docker configuration file (advanced)

There might be cases where you need to provide the complete [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files):

| `GCP_RELEASE_OIDC_PROVIDER`  | Workload Identity Provider to push the release image _(only define if different from default)_ | _none_ |

| `GCP_RELEASE_OIDC_ACCOUNT`   | Service Account to use to push the release image _(only define if different from default)_ | _none_ |

:warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`

to use the snapshot image repository (will host your snapshot image as well as cached layers).

#### Example

```yaml

variables:

  # untested & unverified container image

  DOCKER_SNAPSHOT_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot"

  DOCKER_SNAPSHOT_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot:$CI_COMMIT_REF_SLUG"

  # ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko

  # validated container image (published)

  DOCKER_RELEASE_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}"

  DOCKER_RELEASE_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"

  # default WIF provider

  GCP_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"

  # default GCP Service Account

  GCP_SNAPSHOT_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"

  DOCKER_BUILD_TOOL: "kaniko" # Only Kaniko has been proved to work for this use case YET

```

### Amazon Elastic Container Registry

This variant allows publishing your container images to Amazon's [Elastic Container Registry](https://docs.aws.amazon.com/ecr/).

It takes care of retrieving an [ECR authorization token](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html)

that will be used as a temporary credential to login to the ECR registry.

In order to use the AWS APIs, the variant supports two authentication methods:

1. [federated authentication using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) (**recommended method**),

2. or basic authentication with AWS access key ID & secret access key.

:warning: when using this variant, you must have created the ECR repositories to push the snapshot and/or the release images.

#### Configuration

| Name                     | description                            | default value     |

| ------------------------ | -------------------------------------- | ----------------- |

| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master` |

| `AWS_REGION`             | Default region (where the ECR registry is located) | _none_ |

| `AWS_SNAPSHOT_REGION`    | Region of the ECR registry for the snapshot image _(only define if different from default)_ | _none_ |

| `AWS_RELEASE_REGION`     | Region of the ECR registry for the release image _(only define if different from default)_ | _none_ |

:warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`

to use the snapshot image repository (will host your snapshot image as well as cached layers).

##### OIDC authentication config

This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/),

then set the required configuration.

| Name                     | description                            | default value     |

| ------------------------ | -------------------------------------- | ----------------- |

| `AWS_OIDC_AUD`           | The `aud` claim for the JWT token      | `$CI_SERVER_URL` |

| `AWS_OIDC_ROLE_ARN`      | Default IAM Role ARN associated with GitLab | _none_ |

| `AWS_SNAPSHOT_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab for the snapshot image _(only define if different from default)_| _none_ |

| `AWS_RELEASE_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab for the release image _(only define if different from default)_| _none_ |

##### Basic authentication config

| Name                     | description                            | default value     |

| ------------------------ | -------------------------------------- | ----------------- |

| `AWS_ACCESS_KEY_ID`      | Default access key ID | _none_ (disabled) |

| `AWS_SECRET_ACCESS_KEY`  | Default secret access key | _none_ (disabled) |

| `AWS_SNAPSHOT_ACCESS_KEY_ID`| Access key ID for the snapshot image _(only define if different from default)_ | _none_ |

| `AWS_SNAPSHOT_SECRET_ACCESS_KEY`| Secret access key for the snapshot image _(only define if different from default)_ | _none_ |

| `AWS_RELEASE_ACCESS_KEY_ID`| Access key ID for the release image _(only define if different from default)_ | _none_ |

| `AWS_RELEASE_SECRET_ACCESS_KEY`| Secret access key for the release image _(only define if different from default)_ | _none_ |

#### Example

```yaml

include:

  - project: 'to-be-continuous/docker'

    ref: "5.2.0"

    file: '/templates/gitlab-ci-docker.yml'

  - project: 'to-be-continuous/docker'

    ref: "5.2.0"

    file: '/templates/gitlab-ci-docker-ecr.yml'

variables:

  AWS_REGION: "us-east-1"

  # untested & unverified container image

  DOCKER_SNAPSHOT_IMAGE: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot:$CI_COMMIT_REF_SLUG"

  # ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko

  # validated container image (published)

  DOCKER_RELEASE_IMAGE: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH:$CI_COMMIT_REF_NAME"

  # default Role ARN (using OIDC authentication method)

  AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/gitlab-ci"

```

        {

          "name": "TBC_GCP_PROVIDER_IMAGE",

          "description": "The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use",

          "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",

          "default": "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main",

          "advanced": true

        },

        {

          "advanced": true

        }

      ]

    },

    {

      "id": "ecr",

      "name": "Amazon ECR",

      "description": "Retrieves a registry authentication for the Amazon's [Elastic Container Registry](https://docs.aws.amazon.com/ecr/)",

      "template_path": "templates/gitlab-ci-docker-ecr.yml",

      "variables": [

        {

          "name": "TBC_AWS_PROVIDER_IMAGE",

          "description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use",

          "default": "$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master",

          "advanced": true

        },

        {

          "name": "AWS_REGION",

          "description": "Default region (where the ECR registry is located)"

        },

        {

          "name": "AWS_SNAPSHOT_REGION",

          "description": "Region of the ECR registry for the snapshot image _(only define if different from default)_",

          "advanced": true

        },

        {

          "name": "AWS_RELEASE_REGION",

          "description": "Region of the ECR registry for the release image _(only define if different from default)_",

          "advanced": true

        },

        {

          "name": "AWS_OIDC_AUD",

          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",

          "default": "$CI_SERVER_URL",

          "advanced": true

        },

        {

          "name": "AWS_OIDC_ROLE_ARN",

          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"

        },

        {

          "name": "AWS_SNAPSHOT_OIDC_ROLE_ARN",

          "description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",

          "advanced": true

        },

        {

          "name": "AWS_RELEASE_OIDC_ROLE_ARN",

          "description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",

          "advanced": true

        },

        {

          "name": "AWS_ACCESS_KEY_ID",

          "description": "Default access key ID (only required for basic authentication)",

          "secret": true,

          "advanced": true

        },

        {

          "name": "AWS_SECRET_ACCESS_KEY",

          "description": "Default secret access key (only required for basic authentication)",

          "secret": true,

          "advanced": true

        },

        {

          "name": "AWS_SNAPSHOT_ACCESS_KEY_ID",

          "description": "Access key ID for the snapshot image (only required for basic authentication and if different from default)",

          "secret": true,

          "advanced": true

        },

        {

          "name": "AWS_SNAPSHOT_SECRET_ACCESS_KEY",

          "description": "Secret access key for the snapshot image (only required for basic authentication and if different from default)",

          "secret": true,

          "advanced": true

        },

        {

          "name": "AWS_RELEASE_ACCESS_KEY_ID",

          "description": "Access key ID for the release image (only required for basic authentication and if different from default)",

          "secret": true,

          "advanced": true

        },

        {

          "name": "AWS_RELEASE_SECRET_ACCESS_KEY",

          "description": "Secret access key for the release image (only required for basic authentication and if different from default)",

          "secret": true,

          "advanced": true

        }

      ]

    }

  ]

}

# =====================================================================================================================

# === AWS Auth template variant

# =====================================================================================================================

variables:

  TBC_AWS_AUTH_PROVIDER: "$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master"

  AWS_OIDC_AUD: "$CI_SERVER_URL"

.docker-base:

  services:

    - name: "$TBC_TRACKING_IMAGE"

      command: ["--service", "docker", "5.4.1"]

    - name: "$TBC_AWS_AUTH_PROVIDER"

      alias: "aws-auth-provider"

  id_tokens:

    # required for OIDC auth

    AWS_JWT:

      aud: "$AWS_OIDC_AUD"

  variables:

    # DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://aws-auth-provider/ecr/auth/username?env_ctx=SNAPSHOT"

    # DOCKER_REGISTRY_RELEASE_USER: "@url@http://aws-auth-provider/ecr/auth/username?env_ctx=RELEASE"

    DOCKER_REGISTRY_SNAPSHOT_USER: "AWS" # GetAuthorizationToken API always generate token for user 'AWS'

    DOCKER_REGISTRY_RELEASE_USER: "AWS" # GetAuthorizationToken API always generate token for user 'AWS'

    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://aws-auth-provider/ecr/auth/password?env_ctx=SNAPSHOT"

    DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://aws-auth-provider/ecr/auth/password?env_ctx=RELEASE"

    #  secrets have to be explicitly declared in the YAML to be exported to the service

    AWS_JWT: "$AWS_JWT"

    # can't use AWS_ACCESS_KEY_ID as it is read by boto3

    AWS_DEFAULT_ACCESS_KEY_ID: "$AWS_ACCESS_KEY_ID"

    # can't use AWS_SECRET_ACCESS_KEY as it is read by boto3

    AWS_DEFAULT_SECRET_ACCESS_KEY: "$AWS_SECRET_ACCESS_KEY"

    AWS_SNAPSHOT_ACCESS_KEY_ID: "$AWS_SNAPSHOT_ACCESS_KEY_ID"

    AWS_SNAPSHOT_SECRET_ACCESS_KEY: "$AWS_SNAPSHOT_SECRET_ACCESS_KEY"

    AWS_RELEASE_ACCESS_KEY_ID: "$AWS_RELEASE_ACCESS_KEY_ID"

    AWS_RELEASE_SECRET_ACCESS_KEY: "$AWS_RELEASE_SECRET_ACCESS_KEY"