diff --git a/cmd/ci-operator/main.go b/cmd/ci-operator/main.go index 73707bfcb8c..317de9af6e5 100644 --- a/cmd/ci-operator/main.go +++ b/cmd/ci-operator/main.go @@ -429,7 +429,6 @@ type options struct { dependencyOverrides stringSlice targetAdditionalSuffix string - manifestToolDockerCfg string localRegistryDNS string restrictNetworkAccess bool @@ -504,7 +503,6 @@ func bindOptions(flag *flag.FlagSet) *options { flag.StringVar(&opt.targetAdditionalSuffix, "target-additional-suffix", "", "Inject an additional suffix onto the targeted test's 'as' name. Used for adding an aggregate index") - flag.StringVar(&opt.manifestToolDockerCfg, "manifest-tool-dockercfg", "/secrets/manifest-tool/.dockerconfigjson", "The dockercfg file path to be used to push the manifest listed image after build. This is being used by the manifest-tool binary.") flag.StringVar(&opt.localRegistryDNS, "local-registry-dns", "image-registry.openshift-image-registry.svc:5000", "Defines the target image registry.") opt.resultsOptions.Bind(flag) @@ -902,7 +900,7 @@ func (o *options) Run() []error { // load the graph from the configuration buildSteps, promotionSteps, err := defaults.FromConfig(ctx, o.configSpec, &o.graphConfig, o.jobSpec, o.templates, o.writeParams, o.promote, o.clusterConfig, o.podPendingTimeout, leaseClient, o.targets.values, o.cloneAuthConfig, o.pullSecret, o.pushSecret, o.censor, o.hiveKubeconfig, - o.consoleHost, o.nodeName, nodeArchitectures, o.targetAdditionalSuffix, o.manifestToolDockerCfg, o.localRegistryDNS, streams, injectedTest) + o.consoleHost, o.nodeName, nodeArchitectures, o.targetAdditionalSuffix, o.localRegistryDNS, streams, injectedTest) if err != nil { return []error{results.ForReason("defaulting_config").WithError(err).Errorf("failed to generate steps from config: %v", err)} } diff --git a/images/ci-operator/Dockerfile b/images/ci-operator/Dockerfile index 2cce6ff6c4a..07f048f5861 100644 --- a/images/ci-operator/Dockerfile +++ b/images/ci-operator/Dockerfile 
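Review bot: Dropping `--manifest-tool-dockercfg` outright in bindOptions means any job invocation that still passes the flag now dies at startup with `flag provided but not defined`, which is an abrupt break for job configs generated before this change. Keeping a deprecated no-op for one release avoids that: `flag.StringVar(new(string), "manifest-tool-dockercfg", "", "Deprecated: ignored. Manifest lists are now pushed with the pod's mounted service account token.")`. The help text of the remaining `--local-registry-dns` flag is also the natural place to state that pushes to that registry are authenticated with the pod's service account token rather than a dockercfg, since that requirement is no longer visible from the CLI at all. bindOptions continues past the end of this hunk.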
@@ -2,6 +2,5 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:latest RUN microdnf install -y git python3 findutils tar jq -ADD manifest-tool /usr/bin/manifest-tool ADD ci-operator /usr/bin/ci-operator ENTRYPOINT ["/usr/bin/ci-operator"] diff --git a/pkg/api/constant.go b/pkg/api/constant.go index 8e7bd4db5ff..48e8e33933d 100644 --- a/pkg/api/constant.go +++ b/pkg/api/constant.go @@ -15,9 +15,6 @@ const ( GCSUploadCredentialsSecret = "gce-sa-credentials-gcs-publisher" GCSUploadCredentialsSecretMountPath = "/secrets/gcs" - ManifestToolLocalPusherSecret = "manifest-tool-local-pusher" - ManifestToolLocalPusherSecretMountPath = "/secrets/manifest-tool" - ReleaseAnnotationSoftDelete = "release.openshift.io/soft-delete" // DPTPRequesterLabel is the label on a Kubernates CR whose value indicates the automated tool that requests the CR diff --git a/pkg/controller/multiarchbuildconfig/multiarchbuildconfig.go b/pkg/controller/multiarchbuildconfig/multiarchbuildconfig.go index 77bd656fb7b..b982163056e 100644 --- a/pkg/controller/multiarchbuildconfig/multiarchbuildconfig.go +++ b/pkg/controller/multiarchbuildconfig/multiarchbuildconfig.go @@ -77,7 +77,7 @@ func AddToManager(mgr manager.Manager, architectures []string, dockerCfgPath str logger: logger, client: mgr.GetClient(), architectures: architectures, - manifestPusher: manifestpusher.NewManifestPusher(logger, registryURL, dockerCfgPath), + manifestPusher: manifestpusher.NewManifestPusher(logger, registryURL), imageMirrorer: &ocImage{log: logger, registryConfig: dockerCfgPath}, scheme: mgr.GetScheme(), }); err != nil { diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go index ab81af6f567..7ff14c05622 100644 --- a/pkg/defaults/defaults.go +++ b/pkg/defaults/defaults.go 
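Review bot: After this hunk the controller's manifest-list pushes and its image mirroring authenticate as two different principals: `NewManifestPusher(logger, registryURL)` no longer receives `dockerCfgPath`, so (per the manifestpusher change elsewhere in this patch) it will use whatever token is mounted at the pod's service account path, while `imageMirrorer` still uses `dockerCfgPath`. The controller's service account therefore needs image push rights on every namespace it writes manifest lists to, and its Deployment must not set `automountServiceAccountToken: false`; neither the RBAC nor the deployment manifest is part of this diff, so that should be confirmed before merge. A comment at the construction site would make the split explicit: `// manifestPusher authenticates with the pod's mounted SA token, not dockerCfgPath; the controller SA needs push rights on target namespaces.` AddToManager starts and ends outside this hunk.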
@@ -78,7 +78,6 @@ func FromConfig( nodeName string, nodeArchitectures []string, targetAdditionalSuffix string, - manifestToolDockerCfg string, localRegistryDNS string, integratedStreams map[string]*configresolver.IntegratedStream, injectedTest bool, @@ -94,7 +93,7 @@ func FromConfig( if err != nil { return nil, nil, fmt.Errorf("could not get build client for cluster config: %w", err) } - buildClient := steps.NewBuildClient(client, buildGetter.RESTClient(), nodeArchitectures, manifestToolDockerCfg, localRegistryDNS) + buildClient := steps.NewBuildClient(client, buildGetter.RESTClient(), nodeArchitectures, localRegistryDNS) templateGetter, err := templateclientset.NewForConfig(clusterConfig) if err != nil { diff --git a/pkg/defaults/defaults_test.go b/pkg/defaults/defaults_test.go index 4796cd48cba..9ea768458f8 100644 --- a/pkg/defaults/defaults_test.go +++ b/pkg/defaults/defaults_test.go @@ -1285,7 +1285,7 @@ func TestFromConfig(t *testing.T) { t.Fatal(err) } } - buildClient := steps.NewBuildClient(client, nil, nil, "", "") + buildClient := steps.NewBuildClient(client, nil, nil, "") var templateClient steps.TemplateClient podClient := kubernetes.NewPodClient(client, nil, nil, 0) diff --git a/pkg/manifestpusher/manifestpusher.go b/pkg/manifestpusher/manifestpusher.go index f0381b4b7e8..4279ee77ca9 100644 --- a/pkg/manifestpusher/manifestpusher.go +++ b/pkg/manifestpusher/manifestpusher.go @@ -2,6 +2,7 @@ package manifestpusher import ( "fmt" + "os" "github.com/estesp/manifest-tool/v2/pkg/registry" "github.com/estesp/manifest-tool/v2/pkg/types" 
@@ -12,30 +13,31 @@ import ( ) const ( - nodeArchitectureLabel = "kubernetes.io/arch" + nodeArchitectureLabel = "kubernetes.io/arch" + serviceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" ) type ManifestPusher interface { PushImageWithManifest(builds []buildv1.Build, targetImageRef string) error } -func NewManifestPusher(logger *logrus.Entry, registryURL string, dockercfgPath string) ManifestPusher { - return &manifestPusher{ - logger: logger, - registryURL: registryURL, - dockercfgPath: dockercfgPath, - } +func NewManifestPusher(logger *logrus.Entry, registryURL string) ManifestPusher { + return &manifestPusher{logger: logger, registryURL: registryURL} } type manifestPusher struct { - logger *logrus.Entry - registryURL string - dockercfgPath string + logger *logrus.Entry + registryURL string } func (m manifestPusher) PushImageWithManifest(builds []buildv1.Build, targetImageRef string) error { srcImages := []types.ManifestEntry{} + serviceAccountToken, err := resolveServiceAccountToken() + if err != nil { + return fmt.Errorf("couldn't get the service account token: %w", err) + } + for _, build := range builds { srcImages = append(srcImages, types.ManifestEntry{ Image: fmt.Sprintf("%s/%s/%s", m.registryURL, build.Spec.Output.To.Namespace, build.Spec.Output.To.Name), @@ -47,14 +49,14 @@ func (m manifestPusher) PushImageWithManifest(builds []buildv1.Build, targetImag } digest, _, err := registry.PushManifestList( - "", // username: we don't we use basic auth - "", // password: " + "ci-operator", + serviceAccountToken, types.YAMLInput{Image: fmt.Sprintf("%s/%s", m.registryURL, targetImageRef), Manifests: srcImages}, false, // --ignore-missing. We don't want to ignore missing images. true, // --insecure to allow pushing to the local registry. false, // --plain-http is false by default in manifest-tool. False for the OpenShift registry. types.Docker, // we only need docker type manifest. - m.dockercfgPath, + "", ) if err != nil { return err 
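Review bot: `NewManifestPusher` now carries a hidden runtime requirement that its signature no longer expresses: `PushImageWithManifest` reads `/var/run/secrets/kubernetes.io/serviceaccount/token` on every call and fails if the file is absent, which presumably breaks any run of ci-operator outside a pod (the e2e framework launches it as a local process). Consider accepting the token path, or a `func() (string, error)` token source, in the constructor with `serviceAccountTokenPath` as the default so tests and out-of-cluster runs can inject a credential, and document the requirement on the exported constructor: `// NewManifestPusher returns a pusher that authenticates to registryURL with the pod's projected service account token; it only works in-cluster.` Reading the token on each push rather than caching it in the struct is the right choice for projected tokens, which the kubelet rotates, and deserves a one-line comment on the `resolveServiceAccountToken()` call so nobody later hoists it into the constructor. PushImageWithManifest continues past the end of this hunk.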
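Review bot: The password handed to `registry.PushManifestList` is now the pod's service-account token, i.e. the pod's full Kubernetes identity, while the call still passes `true` for `--insecure`, so that token travels over a TLS connection whose certificate is not verified; the dockercfg it replaces was a credential scoped to registry pushes, so the blast radius of an intercepted credential has grown. If manifest-tool cannot be given the service CA (`/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt`), the trade-off should at least be stated next to the flag: `// --insecure: no cert verification, and the password below is this pod's SA token; keep registryURL on the in-cluster service only.` The identity used here is also not necessarily the one `clusterConfig` uses to create the builds (FromConfig builds its clients from that rest config), so if the two diverge the builds succeed and the push 401s; deriving the token from the rest config's `BearerToken`/`BearerTokenFile` would keep one identity on both paths. The removed comment explained why the username was empty; the new hard-coded `"ci-operator"` needs the equivalent, e.g. `// username is presumably ignored by the integrated registry when the password is a Kubernetes token — confirm`. PushImageWithManifest ends outside this hunk.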
@@ -63,3 +65,11 @@ func (m manifestPusher) PushImageWithManifest(builds []buildv1.Build, targetImag return nil } + +func resolveServiceAccountToken() (string, error) { + data, err := os.ReadFile(serviceAccountTokenPath) + if err != nil { + return "", fmt.Errorf("failed to read token file: %w", err) + } + return string(data), nil +} diff --git a/pkg/prowgen/podspec.go b/pkg/prowgen/podspec.go index d08237eb910..74f1ba77bbf 100644 --- a/pkg/prowgen/podspec.go +++ b/pkg/prowgen/podspec.go @@ -46,11 +46,6 @@ var defaultPodSpec = corev1.PodSpec{ MountPath: cioperatorapi.GCSUploadCredentialsSecretMountPath, ReadOnly: true, }, - { - Name: "manifest-tool-local-pusher", - MountPath: cioperatorapi.ManifestToolLocalPusherSecretMountPath, - ReadOnly: true, - }, }, }, }, @@ -67,12 +62,6 @@ var defaultPodSpec = corev1.PodSpec{ Secret: &corev1.SecretVolumeSource{SecretName: "result-aggregator"}, }, }, - { - Name: "manifest-tool-local-pusher", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{SecretName: cioperatorapi.ManifestToolLocalPusherSecret}, - }, - }, }, } diff --git a/pkg/steps/build_client.go b/pkg/steps/build_client.go index d29a41dac27..b3570d300dc 100644 --- a/pkg/steps/build_client.go +++ b/pkg/steps/build_client.go 
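Review bot: `resolveServiceAccountToken` passes the file content through untouched, so an empty or whitespace-padded token file is not caught here and only surfaces later as an opaque registry authentication failure far from its cause; trimming and rejecting an empty token yields a precise error at the point of failure. The helper is also undocumented and should say that it reads the pod's projected token from a fixed in-cluster path and therefore fails outside a pod. `strings` would need to be added to the file's import block for the version below.

```go
// resolveServiceAccountToken reads the pod's projected service account token
// from the standard in-cluster mount path; it fails when run outside a pod.
func resolveServiceAccountToken() (string, error) {
	data, err := os.ReadFile(serviceAccountTokenPath)
	if err != nil {
		return "", fmt.Errorf("failed to read token file: %w", err)
	}
	token := strings.TrimSpace(string(data))
	if token == "" {
		return "", fmt.Errorf("token file %s is empty", serviceAccountTokenPath)
	}
	return token, nil
}
```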
@@ -16,25 +16,22 @@ type BuildClient interface { loggingclient.LoggingClient Logs(namespace, name string, options *buildapi.BuildLogOptions) (io.ReadCloser, error) NodeArchitectures() []string - ManifestToolDockerCfg() string LocalRegistryDNS() string } type buildClient struct { loggingclient.LoggingClient - client rest.Interface - nodeArchitectures []string - manifestToolDockerCfg string - localRegistryDNS string + client rest.Interface + nodeArchitectures []string + localRegistryDNS string } -func NewBuildClient(client loggingclient.LoggingClient, restClient rest.Interface, nodeArchitectures []string, manifestToolDockerCfg, localRegistryDNS string) BuildClient { +func NewBuildClient(client loggingclient.LoggingClient, restClient rest.Interface, nodeArchitectures []string, localRegistryDNS string) BuildClient { return &buildClient{ - LoggingClient: client, - client: restClient, - nodeArchitectures: nodeArchitectures, - manifestToolDockerCfg: manifestToolDockerCfg, - localRegistryDNS: localRegistryDNS, + LoggingClient: client, + client: restClient, + nodeArchitectures: nodeArchitectures, + localRegistryDNS: localRegistryDNS, } } @@ -52,10 +49,6 @@ func (c *buildClient) NodeArchitectures() []string { return c.nodeArchitectures } -func (c *buildClient) ManifestToolDockerCfg() string { - return c.manifestToolDockerCfg -} - func (c *buildClient) LocalRegistryDNS() string { return c.localRegistryDNS } diff --git a/pkg/steps/index_generator_test.go b/pkg/steps/index_generator_test.go index ba163643871..6011a92b856 100644 --- a/pkg/steps/index_generator_test.go +++ b/pkg/steps/index_generator_test.go 
@@ -231,7 +231,7 @@ func TestDatabaseIndex(t *testing.T) { if err := yaml.Unmarshal(rawImageStreamTag, ist); err != nil { t.Fatalf("failed to unmarshal imagestreamTag: %v", err) } - actual, actualErr := databaseIndex(NewBuildClient(loggingclient.New(fakectrlruntimeclient.NewClientBuilder().WithObjects(ist, image).Build()), nil, nil, "", ""), + actual, actualErr := databaseIndex(NewBuildClient(loggingclient.New(fakectrlruntimeclient.NewClientBuilder().WithObjects(ist, image).Build()), nil, nil, ""), testCase.isTagName, "ns") if diff := cmp.Diff(testCase.expectedErr, actualErr, testhelper.EquateErrorMessage); diff != "" { t.Fatalf("actual did not match expected, diff: %s", diff) diff --git a/pkg/steps/source.go b/pkg/steps/source.go index 36b81d90182..90bb6ae5273 100644 --- a/pkg/steps/source.go +++ b/pkg/steps/source.go @@ -493,7 +493,7 @@ func handleBuilds(ctx context.Context, buildClient BuildClient, podClient kubern } if len(errs) == 0 { - manifestPusher := manifestpusher.NewManifestPusher(logrus.WithField("for-build", build.Name), buildClient.LocalRegistryDNS(), buildClient.ManifestToolDockerCfg()) + manifestPusher := manifestpusher.NewManifestPusher(logrus.WithField("for-build", build.Name), buildClient.LocalRegistryDNS()) if err := manifestPusher.PushImageWithManifest(builds, fmt.Sprintf("%s/%s", build.Spec.Output.To.Namespace, build.Spec.Output.To.Name)); err != nil { errs = append(errs, err) } diff --git a/pkg/steps/source_test.go b/pkg/steps/source_test.go index c42109db7f6..d75a7f673e5 100644 --- a/pkg/steps/source_test.go +++ b/pkg/steps/source_test.go @@ -455,7 +455,7 @@ func TestWaitForBuild(t *testing.T) { CompletionTimestamp: &end, }, }, - ).Build()), nil, nil, "", ""), + ).Build()), nil, nil, ""), expected: fmt.Errorf("build didn't start running within 0s (phase: Pending)"), }, { 
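Review bot: At this call site nothing tells a reader that `manifestPusher.PushImageWithManifest` now authenticates with the ci-operator pod's own mounted service account token rather than a push secret, nor that this service account must be allowed to push to `build.Spec.Output.To.Namespace`; a failure here is appended to `errs` with no hint about which identity was used. A short comment before the construction would close that gap: `// The manifest list is pushed with this pod's service account token; that SA must have image push rights on build.Spec.Output.To.Namespace.` handleBuilds starts before this hunk.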
@@ -484,7 +484,7 @@ func TestWaitForBuild(t *testing.T) { Namespace: ns, }, }, - ).Build()), nil, nil, "", ""), + ).Build()), nil, nil, ""), expected: fmt.Errorf("build didn't start running within 0s (phase: Pending):\nFound 0 events for Pod some-build-build:"), }, { @@ -525,7 +525,7 @@ func TestWaitForBuild(t *testing.T) { }}, }, }, - ).Build()), nil, nil, "", ""), + ).Build()), nil, nil, ""), expected: fmt.Errorf(`build didn't start running within 0s (phase: Pending): * Container the-container is not ready with reason the_reason and message the_message Found 0 events for Pod some-build-build:`), @@ -544,7 +544,7 @@ Found 0 events for Pod some-build-build:`), StartTimestamp: &start, CompletionTimestamp: &end, }, - }).Build()), nil, nil, "", ""), + }).Build()), nil, nil, ""), timeout: 30 * time.Minute, }, { @@ -588,7 +588,7 @@ Found 0 events for Pod some-build-build:`), Time: now.Add(-59 * time.Minute), }, }, - }).Build()), nil, nil, "", ""), + }).Build()), nil, nil, ""), timeout: 30 * time.Minute, }, { diff --git a/test/e2e/framework/ci-operator.go b/test/e2e/framework/ci-operator.go index 926de251eea..ed787e6c844 100644 --- a/test/e2e/framework/ci-operator.go +++ b/test/e2e/framework/ci-operator.go @@ -87,7 +87,6 @@ func newCiOperatorCommand(t *T) CiOperatorCommand { cmd := exec.CommandContext(ctx, "ci-operator", "--input-hash="+strconv.Itoa(rand.Int()), // we need unique namespaces GCSPushCredentialsFlag(t), - ManifestToolCredentialsFlag(t), LocalRegistryDNSFlag(t), ) cmd.Env = append(cmd.Env, KubernetesClientEnv(t)...) diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index 68901ce3a44..3e6d26b9831 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go 
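Review bot: Removing `ManifestToolCredentialsFlag(t)` leaves the e2e harness with no way to supply a registry credential, yet `ci-operator` is launched here as a local process via `exec.CommandContext`; unless that process runs inside a pod, the fixed service-account token path the manifest pusher now reads will not exist and multi-arch builds in these tests should fail at the manifest push (inferred from the manifestpusher change in this patch, not verified against the e2e runner). If the e2e jobs do run in a pod, a comment here would spare the next reader the same question: `// no registry credential flag: ci-operator pushes with the service account token mounted in this pod`. If they do not, the token path needs to be overridable (flag or env) and this helper should set it. newCiOperatorCommand continues past this hunk.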
@@ -114,16 +114,6 @@ func GCSPushCredentialsFlag(t *T) string { return flag("gcs-upload-secret", value) } -// ManifestToolCredentialsFlag formats a flag to provide access to push the manifest listed image -// to the target registry for ci-operator, failing if the required env is not present to supply it. -func ManifestToolCredentialsFlag(t *T) string { - value, set := os.LookupEnv("MANIFEST_TOOL_SECRET") - if !set { - t.Fatal("required environment MANIFEST_TOOL_SECRET is not set") - } - return flag("manifest-tool-dockercfg", value) -} - // LocalRegistryDNSFlag formats a flag for the targeted image registry DNS for ci-operator, // failing if the required env is not present to supply it. func LocalRegistryDNSFlag(t *T) string {