Commit 5f945e6d authored by Pierre Smeyers

Merge branch 'feature/gcp_af_login' into 'master'

Feature/gcp af login

See merge request to-be-continuous/docker!74
parents f0041310 ecac4a69
+51 −0
@@ -564,3 +564,54 @@ variables:
    VAULT_BASE_URL: "https://vault.acme.host/v1"
    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
```

### Google Cloud variant

This variant allows publishing your container images to Google Cloud's [Artifact Registry](https://cloud.google.com/artifact-registry).

:warning: this template doesn't support Google Cloud's [Container Registry](https://cloud.google.com/container-registry) that is [deprecated](https://cloud.google.com/container-registry/docs/deprecations/container-registry-deprecation) and whose support will be discontinued in May 2024.

List of requirements before using this variant for publishing your container images:

1. You must have a **Docker** repository in Artifact Registry,
2. You must have a Workload Identity Federation Pool,
3. You must have a Service Account with enough permissions to push to your Artifact Registry repository.

#### Configuration

| Name                     | description                            | default value     |
| ------------------------ | -------------------------------------- | ----------------- |
| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main` |
| `GCP_OIDC_PROVIDER`      | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
| `GCP_OIDC_ACCOUNT`       | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
| `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define if different from default)_ | _none_ |
| `GCP_SNAPSHOT_OIDC_ACCOUNT`  | Service Account to use to push the snapshot image _(only define if different from default)_ | _none_ |
| `GCP_RELEASE_OIDC_PROVIDER`  | Workload Identity Provider to push the release image _(only define if different from default)_ | _none_ |
| `GCP_RELEASE_OIDC_ACCOUNT`   | Service Account to use to push the release image _(only define if different from default)_ | _none_ |

#### Example

```yaml
include:
  - project: 'to-be-continuous/docker'
    ref: "feature/gcp_af_login"
    file: '/templates/gitlab-ci-docker.yml'
  - project: 'to-be-continuous/docker'
    ref: "feature/gcp_af_login"
    file: '/templates/gitlab-ci-docker-gcp.yml'

variables:
  # untested & unverified container image
  DOCKER_SNAPSHOT_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot"
  # validated container image (published)
  DOCKER_RELEASE_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}"
  # default WIF provider
  GCP_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
  # default GCP Service Account
  GCP_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
  # WIF provider for snapshot images
  GCP_SNAPSHOT_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
  # GCP Service Account for snapshot images
  GCP_SNAPSHOT_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
  DOCKER_BUILD_TOOL: "kaniko" # Only Kaniko has been proved to work for this use case YET
```
+42 −0
@@ -242,6 +242,48 @@
          "secret": true
        }
      ]
    },
    {
      "id": "gcp",
      "name": "Google Cloud",
      "description": "Retrieves a registry authentication for the Google Cloud's [Artifact Registry](https://cloud.google.com/artifact-registry)",
      "template_path": "templates/gitlab-ci-docker-gcp.yml",
      "variables": [
        {
          "name": "TBC_GCP_PROVIDER_IMAGE",
          "description": "The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use",
          "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",
          "advanced": true
        },
        {
          "name": "GCP_OIDC_ACCOUNT",
          "description": "Default Service Account to which impersonate with OpenID Connect authentication"
        },
        {
          "name": "GCP_OIDC_PROVIDER",
          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
        },
        {
          "name": "GCP_SNAPSHOT_OIDC_ACCOUNT",
          "description": "Service Account to use to push the snapshot image _(only define if different from default)_",
          "advanced": true
        },
        {
          "name": "GCP_SNAPSHOT_OIDC_PROVIDER",
          "description": "Workload Identity Provider to push the snapshot image _(only define if different from default)_",
          "advanced": true
        },
        {
          "name": "GCP_RELEASE_OIDC_ACCOUNT",
          "description": "Service Account to use to push the release image _(only define if different from default)_",
          "advanced": true
        },
        {
          "name": "GCP_RELEASE_OIDC_PROVIDER",
          "description": "Workload Identity Provider to push the release image _(only define if different from default)_",
          "advanced": true
        }
      ]
    }
  ]
}
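Review bot: The `"default"` of the new `TBC_GCP_PROVIDER_IMAGE` entry points at `vault-secrets-provider:master`, which reads as a leftover from the Vault entry; the README hunk in this same commit documents `$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main`, and the new template declares the variable under the name `TBC_GCP_AUTH_PROVIDER` with that value. As written, a kicker-generated pipeline would set a variable the template never reads, so the template's own default silently wins, while anyone who copies the kicker default into `TBC_GCP_AUTH_PROVIDER` would start the wrong sidecar image. Align the entry with the template: `"name": "TBC_GCP_AUTH_PROVIDER",` and `"default": "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main",` (the README table's `TBC_GCP_PROVIDER_IMAGE` row carries the same name mismatch and should follow whichever name is kept). The enclosing top-level array starts outside this hunk.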
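--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -0,0 +1,16 @@
+# =====================================================================================================================
+# === GCP Auth template variant
+# =====================================================================================================================
+variables:
+    TBC_GCP_AUTH_PROVIDER: "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main"
+    CI_JOB_JWT_V2: $CI_JOB_JWT_V2 # For the gitlab runner authentication in TBC_GCP_AUTH_PROVIDER
+    DOCKER_REGISTRY_SNAPSHOT_USER: oauth2accesstoken
+    DOCKER_REGISTRY_RELEASE_USER: oauth2accesstoken
+    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: '@url@http://gcp-auth-provider/token?envType=snapshot'
+    DOCKER_REGISTRY_RELEASE_PASSWORD: '@url@http://gcp-auth-provider/token?envType=release'
+.docker-base:
+  services:
+    - name: "$TBC_TRACKING_IMAGE"
+      command: ["--service", "docker", "5.1.0"]
+    - name: "$TBC_GCP_AUTH_PROVIDER"
+      alias: "gcp-auth-provider"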
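Review bot: The six entries under `variables:` are indented with four spaces while `.docker-base:` uses two, so the new file mixes two indentation widths; re-indent the variable lines to two spaces to match the rest of the file. The `CI_JOB_JWT_V2: $CI_JOB_JWT_V2` line is the security-sensitive part of this variant: it forwards the job's OIDC identity token to whichever image `$TBC_GCP_AUTH_PROVIDER` resolves to, and because that variable is overridable, overriding it means trusting that image with the job's identity and everything the Workload Identity pool grants it — worth stating next to the line, e.g. `# $CI_JOB_JWT_V2 is the job's OIDC identity token; the $TBC_GCP_AUTH_PROVIDER sidecar exchanges it for a registry access token, so only point that variable at a trusted image`. `CI_JOB_JWT_V2` is also deprecated by GitLab in favour of `id_tokens`, so if the provider image can accept an ID token, consider declaring one here instead of relying on the legacy variable; if it cannot, a comment saying so would save the next maintainer the investigation. Note also that this `.docker-base:` declares a complete `services` list, which presumably replaces rather than extends any `services` defined by the base template — confirm that is intended.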