Commit f0ef198c authored by Marc Barussaud's avatar Marc Barussaud

Merge branch '180-connector-tool-and-variant-for-azure-container-registry' into 'main'

feat: implement ACR variant

Closes #180

See merge request to-be-continuous/docker!195
parents 531cff7c 617f7f4c
+42 −0
@@ -868,3 +868,45 @@ include:
      aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci"
      aws-region: "us-east-1"
```

### Azure Container Registry variant

This variant allows publishing your container images to Azure's [Container Registry](https://learn.microsoft.com/en-us/azure/container-registry/).

List of requirements before using this variant for publishing your container images:

1. You must have a Container Registry,
2. You must have a managed identity or an application with *Container Registry Repository Writer* role on the registry,
3. You must have federated identity credentials for this managed identity or application.

#### Configuration

| Input / Variable                                            | Description                                                                                                                                                             | Default value                                                           |
| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
| `TBC_AZURE_PROVIDER_IMAGE`                                  | The [Azure Auth Provider](https://gitlab.com/to-be-continuous/tools/azure-auth-provider) image to use (can be overridden)                                               | `registry.gitlab.com/to-be-continuous/tools/azure-auth-provider:latest` |
| `azure-oidc-aud` / `AZURE_OIDC_AUD`                         | The `aud` claim for the JWT token                                                                                                                                       | `api://AzureADTokenExchange`                                            |
| `azure-tenant-id` / `AZURE_TENANT_ID`                       | Default Azure Tenant Id of the target registry                                                                                                                          | _none_                                                                  |
| `azure-client-id` / `AZURE_CLIENT_ID`                       | Default Client Id of the identity used by the [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/azure/)                                                   | _none_                                                                  |
| `azure-snapshot-tenant-id` / `AZURE_SNAPSHOT_TENANT_ID`     | Azure Tenant Id of the target registry for the snapshot image _(only if different from default)_                                                                        | _none_                                                                  |
| `azure-snapshot-client-id` / `AZURE_SNAPSHOT_CLIENT_ID`     | Client Id of the identity used by the [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/azure/) for the snapshot iamge _(only if different from default)_ | _none_                                                                  |
| `azure-release-tenant-id` / `AZURE_RELEASE_TENANT_ID`       | Azure Tenant Id of the target registry for the release image _(only if different from default)_                                                                         | _none_                                                                  |
| `azure-release-client-id` / `AZURE_RELEASE_CLIENT_ID`       | Client Id of the identity used by the [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/azure/) for the release image _(only if different from default)_  | _none_                                                                  |

#### Example

```yaml
include:
  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@8.2.0
    inputs:
      build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
      # untested & unverified container image
      snapshot-image: "{YOUR_REPOSITORY}.azurecr.io/{YOUR_IMAGE_NAME}/snapshot:$CI_COMMIT_REF_SLUG"
      # validated container image (published)
      release-image: "{YOUR_REPOSITORY}.azurecr.io/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"
  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-acr@8.2.0
    inputs:
      # default Azure tenant id
      azure-tenant-id: "12345678-acbd-abcd-acbd-1234567890ab"
      # default Azure client id
      azure-client-id: "abcdef01-2345-6789-0123-abcdef012345"
```
+48 −0
@@ -439,6 +439,54 @@
          "advanced": true
        }
      ]
    },
    {
      "id": "acr",
      "name": "Azure Container Registry",
      "description": "Retrieves a registry authentication for the Azure's [Container Registry](https://learn.microsoft.com/en-us/azure/container-registry/)",
      "template_path": "templates/gitlab-ci-docker-acr.yml",
      "variables": [
        {
          "name": "TBC_AZURE_PROVIDER_IMAGE",
          "description": "The [Azure Auth Provider](https://gitlab.com/to-be-continuous/tools/azure-auth-provider) image to use",
          "default": "registry.gitlab.com/to-be-continuous/tools/azure-auth-provider:latest",
          "advanced": true
        },
        {
          "name": "AZURE_TENANT_ID",
          "description": "Default Azure Tenant Id of the target registry"
        },
        {
          "name": "AZURE_SNAPSHOT_TENANT_ID",
          "description": "Azure Tenant Id of the target registry for the snapshot image _(only define if different from default)_",
          "advanced": true
        },
        {
          "name": "AZURE_RELEASE_TENANT_ID",
          "description": "Azure Tenant Id of the target registry for the release image _(only define if different from default)_",
          "advanced": true
        },
        {
          "name": "AZURE_OIDC_AUD",
          "description": "The `aud` claim for the JWT token",
          "default": "api://AzureADTokenExchange",
          "advanced": true
        },
        {
          "name": "AZURE_CLIENT_ID",
          "description": "Default Client Id of the identity used by the [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/azure/)"
        },
        {
          "name": "AZURE_SNAPSHOT_CLIENT_ID",
          "description": "Client Id of the identity used by the [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/azure/) for the snapshot image _(only if different from default)_",
          "advanced": true
        },
        {
          "name": "AZURE_RELEASE_CLIENT_ID",
          "description": "Client Id of the identity used by the [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/azure/) for the release image _(only if different from default)_",
          "advanced": true
        }
      ]
    }
  ]
}
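Review bot: The `description` of the new `acr` variant, `Retrieves a registry authentication for the Azure's [Container Registry](...)`, is ungrammatical and does not say how the credential is obtained; `Retrieves registry credentials for Azure's [Container Registry](...) via GitLab OIDC` would read better and match the variable descriptions below it. The tenant-id entries say `_(only define if different from default)_` while the client-id entries say `_(only if different from default)_`; pick one phrasing for all four override variables.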
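--- /dev/null
+++ b/templates/gitlab-ci-docker-acr.yml
@@ -0,0 +1,61 @@
+# =====================================================================================================================
+# === Azure Auth template variant
+# =====================================================================================================================
+spec:
+  inputs:
+    azure-tenant-id:
+      description: Azure Tenant Id of the target registry
+      default: ''
+    azure-snapshot-tenant-id:
+      description: Azure Tenant Id of the target registry for the snapshot image _(only define if
+        different from default)_
+      default: ''
+    azure-release-tenant-id:
+      description: Azure Tenant Id of the target registry for the release image _(only define if
+        different from default)_
+      default: ''
+    azure-oidc-aud:
+      description: The `aud` claim for the JWT token used for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/azure/)
+      default: 'api://AzureADTokenExchange'
+    azure-client-id:
+      description: Client Id of the identity used by the [OIDC
+        authentication](https://docs.gitlab.com/ci/cloud_services/azure/)
+      default: ''
+    azure-snapshot-client-id:
+      description: Client Id of the identity used by the [OIDC
+        authentication](https://docs.gitlab.com/ci/cloud_services/azure/) for
+        the snapshot image _(only if different from default)_
+      default: ''
+    azure-release-client-id:
+      description: Client Id of the identity used by the [OIDC
+        authentication](https://docs.gitlab.com/ci/cloud_services/azure/) for
+        the release image _(only if different from default)_
+      default: ''
+---
+variables:
+  TBC_AZURE_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/azure-auth-provider:latest
+  AZURE_OIDC_AUD: $[[ inputs.azure-oidc-aud ]]
+  AZURE_TENANT_ID: $[[ inputs.azure-tenant-id ]]
+  AZURE_SNAPSHOT_TENANT_ID: $[[ inputs.azure-snapshot-tenant-id ]]
+  AZURE_RELEASE_TENANT_ID: $[[ inputs.azure-release-tenant-id ]]
+  AZURE_CLIENT_ID: $[[ inputs.azure-client-id ]]
+  AZURE_SNAPSHOT_CLIENT_ID: $[[ inputs.azure-snapshot-client-id ]]
+  AZURE_RELEASE_CLIENT_ID: $[[ inputs.azure-release-client-id ]]
+
+.docker-base:
+  services:
+    - name: "$TBC_TRACKING_IMAGE"
+      command: ["--service", "docker", "8.2.0"]
+    - name: "$TBC_AZURE_PROVIDER_IMAGE"
+      alias: "azure-auth-provider"
+  id_tokens:
+    # required for OIDC auth
+    AZURE_JWT:
+      aud: "$AZURE_OIDC_AUD"
+  variables:
+    DOCKER_REGISTRY_SNAPSHOT_USER: "00000000-0000-0000-0000-000000000000" # ACR Login API always generate token for user '00000000-0000-0000-0000-000000000000'
+    DOCKER_REGISTRY_RELEASE_USER: "00000000-0000-0000-0000-000000000000" # ACR Login API always generate token for user '00000000-0000-0000-0000-000000000000'
+    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://azure-auth-provider/acr/auth/password?env_ctx=SNAPSHOT"
+    DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://azure-auth-provider/acr/auth/password?env_ctx=RELEASE"
+    #  secrets have to be explicitly declared in the YAML to be exported to the service
+    AZURE_JWT: "$AZURE_JWT"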
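Review bot: `TBC_AZURE_PROVIDER_IMAGE` defaults to the mutable `:latest` tag, yet that sidecar is handed the job's OIDC identity token (`AZURE_JWT: "$AZURE_JWT"`) and serves the resulting ACR passwords over plain HTTP to the job, so anyone able to push that tag can exchange every consuming pipeline's token for registry credentials. Pin the default to an immutable release tag or `@sha256:` digest, the way the tracking service is pinned to `8.2.0` in `command: ["--service", "docker", "8.2.0"]`, e.g. `TBC_AZURE_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/azure-auth-provider@sha256:<digest>`, and bump it deliberately in releases. The password endpoint is unauthenticated on the job's service network, which is presumably acceptable for a single-job sidecar, but a comment such as `# the auth provider is only reachable from this job's service network; it trusts any caller` above `DOCKER_REGISTRY_SNAPSHOT_PASSWORD` would make that assumption explicit. Note also that GitLab replaces rather than merges list keywords across includes, so this `services:` list overrides any `services` the base `.docker-base` (outside this diff) declares, which may be why only Kaniko is documented as working.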