Commit 7b0b1d96 authored by Pierre Smeyers's avatar Pierre Smeyers
feat(ecr): add Amazon ECR variant

parent f437fdb4
...@@ -77,7 +77,6 @@ The **snapshot** and **release** images are defined by the following variables: ...@@ -77,7 +77,6 @@ The **snapshot** and **release** images are defined by the following variables:
| `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` | | `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
| `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` | | `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` |
As you can see, the Docker template is configured by default to use the GitLab container registry. As you can see, the Docker template is configured by default to use the GitLab container registry.
You may perfectly override this and use another Docker registry, but be aware of a few things: You may perfectly override this and use another Docker registry, but be aware of a few things:
...@@ -104,7 +103,6 @@ variables: ...@@ -104,7 +103,6 @@ variables:
| :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry | | :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry |
| :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry | | :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry |
#### Using different registries for snapshot and release #### Using different registries for snapshot and release
If you use **different registries** for snapshot and release images, you shall use separate configuration variables: If you use **different registries** for snapshot and release images, you shall use separate configuration variables:
...@@ -116,8 +114,6 @@ If you use **different registries** for snapshot and release images, you shall u ...@@ -116,8 +114,6 @@ If you use **different registries** for snapshot and release images, you shall u
| :lock: `DOCKER_REGISTRY_RELEASE_USER` | Docker registry username for release image registry | | :lock: `DOCKER_REGISTRY_RELEASE_USER` | Docker registry username for release image registry |
| :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD`| Docker registry password for release image registry | | :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD`| Docker registry password for release image registry |
#### Setting your own Docker configuration file (advanced) #### Setting your own Docker configuration file (advanced)
There might be cases where you need to provide the complete [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files): There might be cases where you need to provide the complete [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files):
...@@ -641,6 +637,9 @@ List of requirements before using this variant for publishing your container ima ...@@ -641,6 +637,9 @@ List of requirements before using this variant for publishing your container ima
| `GCP_RELEASE_OIDC_PROVIDER` | Workload Identity Provider to push the release image _(only define if different from default)_ | _none_ | | `GCP_RELEASE_OIDC_PROVIDER` | Workload Identity Provider to push the release image _(only define if different from default)_ | _none_ |
| `GCP_RELEASE_OIDC_ACCOUNT` | Service Account to use to push the release image _(only define if different from default)_ | _none_ | | `GCP_RELEASE_OIDC_ACCOUNT` | Service Account to use to push the release image _(only define if different from default)_ | _none_ |
:warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`
to use the snapshot image repository (will host your snapshot image as well as cached layers).
#### Example #### Example
```yaml ```yaml
...@@ -654,9 +653,10 @@ include: ...@@ -654,9 +653,10 @@ include:
variables: variables:
# untested & unverified container image # untested & unverified container image
DOCKER_SNAPSHOT_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot" DOCKER_SNAPSHOT_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot:$CI_COMMIT_REF_SLUG"
# ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko
# validated container image (published) # validated container image (published)
DOCKER_RELEASE_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}" DOCKER_RELEASE_IMAGE: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"
# default WIF provider # default WIF provider
GCP_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod" GCP_OIDC_PROVIDER: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
# default GCP Service Account # default GCP Service Account
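Review bot: the new comment on the `DOCKER_SNAPSHOT_IMAGE` line (`# ⚠ don't forget to create the '...' repo for Kaniko`) only names one of the two options the warning added just above the example gives (create the `/cache` repository, or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`); either drop the comment or make it point at the warning so the guidance lives in one place. Appending `:$CI_COMMIT_REF_SLUG` and `:$CI_COMMIT_REF_NAME` to the two image references is the right fix, since the previous untagged values would both have resolved to `latest`.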
...@@ -667,3 +667,74 @@ variables: ...@@ -667,3 +667,74 @@ variables:
GCP_SNAPSHOT_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com" GCP_SNAPSHOT_OIDC_ACCOUNT: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
DOCKER_BUILD_TOOL: "kaniko" # Only Kaniko has been proved to work for this use case YET DOCKER_BUILD_TOOL: "kaniko" # Only Kaniko has been proved to work for this use case YET
``` ```
### Amazon Elastic Container Registry
This variant allows publishing your container images to Amazon's [Elastic Container Registry](https://docs.aws.amazon.com/ecr/).
It takes care of retrieving an [ECR authorization token](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html)
that will be used as a temporary credential to login to the ECR registry.
In order to use the AWS APIs, the variant supports two authentication methods:
1. [federated authentication using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) (**recommended method**),
2. or basic authentication with AWS access key ID & secret access key.
:warning: when using this variant, you must have created the ECR repositories to push the snapshot and/or the release images.
#### Configuration
| Name | description | default value |
| ------------------------ | -------------------------------------- | ----------------- |
| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master` |
| `AWS_REGION` | Default region (where the ECR registry is located) | _none_ |
| `AWS_SNAPSHOT_REGION` | Region of the ECR registry for the snapshot image _(only define if different from default)_ | _none_ |
| `AWS_RELEASE_REGION` | Region of the ECR registry for the release image _(only define if different from default)_ | _none_ |
:warning: if using Kaniko, don't forget to either create the cache repository (snapshot image repository + `/cache`) or override `$KANIKO_SNAPSHOT_IMAGE_CACHE`
to use the snapshot image repository (will host your snapshot image as well as cached layers).
##### OIDC authentication config
This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
then set the required configuration.
| Name | description | default value |
| ------------------------ | -------------------------------------- | ----------------- |
| `AWS_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
| `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab | _none_ |
| `AWS_SNAPSHOT_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab for the snapshot image _(only define if different from default)_| _none_ |
| `AWS_RELEASE_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab for the release image _(only define if different from default)_| _none_ |
##### Basic authentication config
| Name | description | default value |
| ------------------------ | -------------------------------------- | ----------------- |
| `AWS_ACCESS_KEY_ID` | Default access key ID | _none_ (disabled) |
| `AWS_SECRET_ACCESS_KEY` | Default secret access key | _none_ (disabled) |
| `AWS_SNAPSHOT_ACCESS_KEY_ID`| Access key ID for the snapshot image _(only define if different from default)_ | _none_ |
| `AWS_SNAPSHOT_SECRET_ACCESS_KEY`| Secret access key for the snapshot image _(only define if different from default)_ | _none_ |
| `AWS_RELEASE_ACCESS_KEY_ID`| Access key ID for the release image _(only define if different from default)_ | _none_ |
| `AWS_RELEASE_SECRET_ACCESS_KEY`| Secret access key for the release image _(only define if different from default)_ | _none_ |
#### Example
```yaml
include:
- project: 'to-be-continuous/docker'
ref: "5.2.0"
file: '/templates/gitlab-ci-docker.yml'
- project: 'to-be-continuous/docker'
ref: "5.2.0"
file: '/templates/gitlab-ci-docker-ecr.yml'
variables:
AWS_REGION: "us-east-1"
# untested & unverified container image
DOCKER_SNAPSHOT_IMAGE: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot:$CI_COMMIT_REF_SLUG"
# ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko
# validated container image (published)
DOCKER_RELEASE_IMAGE: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH:$CI_COMMIT_REF_NAME"
# default Role ARN (using OIDC authentication method)
AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/gitlab-ci"
```
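Review bot: the basic authentication table omits the `:lock:` marker this README uses for secret variables (compare `DOCKER_REGISTRY_PASSWORD` and `DOCKER_REGISTRY_RELEASE_PASSWORD` in the earlier hunks); `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and their snapshot/release counterparts should carry it, matching the `"secret": true` flags in kicker.json, so readers know to store them as masked project variables. The example pins `ref: "5.2.0"` while the template reports version `5.4.1` to the tracking service; please align the two. Typo: `carefuly` → `carefully`. In the OIDC paragraph it would also help to state that the IAM role trust policy should restrict the `sub` claim to the intended project and refs in addition to matching `aud`, because the default `AWS_OIDC_AUD` of `$CI_SERVER_URL` is shared by every project on the instance.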
...@@ -269,7 +269,7 @@ ...@@ -269,7 +269,7 @@
{ {
"name": "TBC_GCP_PROVIDER_IMAGE", "name": "TBC_GCP_PROVIDER_IMAGE",
"description": "The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use", "description": "The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use",
"default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master", "default": "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main",
"advanced": true "advanced": true
}, },
{ {
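Review bot: good catch on the default, which previously pointed at the Vault secrets provider image rather than `gcp-auth-provider`; this is a bug fix unrelated to the ECR feature, so it deserves a mention in the commit message or its own commit. The corrected tag is `:main` whereas the new `TBC_AWS_PROVIDER_IMAGE` default in the next hunk uses `:master`; please confirm the default branch of each provider project so both kicker defaults actually resolve.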
...@@ -301,6 +301,90 @@ ...@@ -301,6 +301,90 @@
"advanced": true "advanced": true
} }
] ]
},
{
"id": "ecr",
"name": "Amazon ECR",
"description": "Retrieves a registry authentication for the Amazon's [Elastic Container Registry](https://docs.aws.amazon.com/ecr/)",
"template_path": "templates/gitlab-ci-docker-ecr.yml",
"variables": [
{
"name": "TBC_AWS_PROVIDER_IMAGE",
"description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use",
"default": "$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master",
"advanced": true
},
{
"name": "AWS_REGION",
"description": "Default region (where the ECR registry is located)"
},
{
"name": "AWS_SNAPSHOT_REGION",
"description": "Region of the ECR registry for the snapshot image _(only define if different from default)_",
"advanced": true
},
{
"name": "AWS_RELEASE_REGION",
"description": "Region of the ECR registry for the release image _(only define if different from default)_",
"advanced": true
},
{
"name": "AWS_OIDC_AUD",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
"default": "$CI_SERVER_URL",
"advanced": true
},
{
"name": "AWS_OIDC_ROLE_ARN",
"description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"
},
{
"name": "AWS_SNAPSHOT_OIDC_ROLE_ARN",
"description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
"advanced": true
},
{
"name": "AWS_RELEASE_OIDC_ROLE_ARN",
"description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
"advanced": true
},
{
"name": "AWS_ACCESS_KEY_ID",
"description": "Default access key ID (only required for basic authentication)",
"secret": true,
"advanced": true
},
{
"name": "AWS_SECRET_ACCESS_KEY",
"description": "Default secret access key (only required for basic authentication)",
"secret": true,
"advanced": true
},
{
"name": "AWS_SNAPSHOT_ACCESS_KEY_ID",
"description": "Access key ID for the snapshot image (only required for basic authentication and if different from default)",
"secret": true,
"advanced": true
},
{
"name": "AWS_SNAPSHOT_SECRET_ACCESS_KEY",
"description": "Secret access key for the snapshot image (only required for basic authentication and if different from default)",
"secret": true,
"advanced": true
},
{
"name": "AWS_RELEASE_ACCESS_KEY_ID",
"description": "Access key ID for the release image (only required for basic authentication and if different from default)",
"secret": true,
"advanced": true
},
{
"name": "AWS_RELEASE_SECRET_ACCESS_KEY",
"description": "Secret access key for the release image (only required for basic authentication and if different from default)",
"secret": true,
"advanced": true
}
]
} }
] ]
} }
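Review bot: the description on the `"id": "ecr"` entry reads `Retrieves a registry authentication for the Amazon's ...`; suggest `Retrieves a registry authorization token for Amazon's ...`. The parenthetical qualifiers are inconsistent across the entries: the OIDC variables use `_(only required for [OIDC authentication](...))_` with a link, while the basic-auth ones use plain `(only required for basic authentication)`; pick one style. Flagging all six access-key variables `"secret": true` is correct.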
# =====================================================================================================================
# === AWS Auth template variant
# =====================================================================================================================
variables:
TBC_AWS_AUTH_PROVIDER: "$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master"
AWS_OIDC_AUD: "$CI_SERVER_URL"
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.4.1"]
- name: "$TBC_AWS_AUTH_PROVIDER"
alias: "aws-auth-provider"
id_tokens:
# required for OIDC auth
AWS_JWT:
aud: "$AWS_OIDC_AUD"
variables:
# DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://aws-auth-provider/ecr/auth/username?env_ctx=SNAPSHOT"
# DOCKER_REGISTRY_RELEASE_USER: "@url@http://aws-auth-provider/ecr/auth/username?env_ctx=RELEASE"
DOCKER_REGISTRY_SNAPSHOT_USER: "AWS" # GetAuthorizationToken API always generate token for user 'AWS'
DOCKER_REGISTRY_RELEASE_USER: "AWS" # GetAuthorizationToken API always generate token for user 'AWS'
DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://aws-auth-provider/ecr/auth/password?env_ctx=SNAPSHOT"
DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://aws-auth-provider/ecr/auth/password?env_ctx=RELEASE"
# secrets have to be explicitly declared in the YAML to be exported to the service
AWS_JWT: "$AWS_JWT"
# can't use AWS_ACCESS_KEY_ID as it is read by boto3
AWS_DEFAULT_ACCESS_KEY_ID: "$AWS_ACCESS_KEY_ID"
# can't use AWS_SECRET_ACCESS_KEY as it is read by boto3
AWS_DEFAULT_SECRET_ACCESS_KEY: "$AWS_SECRET_ACCESS_KEY"
AWS_SNAPSHOT_ACCESS_KEY_ID: "$AWS_SNAPSHOT_ACCESS_KEY_ID"
AWS_SNAPSHOT_SECRET_ACCESS_KEY: "$AWS_SNAPSHOT_SECRET_ACCESS_KEY"
AWS_RELEASE_ACCESS_KEY_ID: "$AWS_RELEASE_ACCESS_KEY_ID"
AWS_RELEASE_SECRET_ACCESS_KEY: "$AWS_RELEASE_SECRET_ACCESS_KEY"
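Review bot: the image variable declared here is `TBC_AWS_AUTH_PROVIDER`, but the README and kicker.json in this same commit document `TBC_AWS_PROVIDER_IMAGE`; as written, overriding the documented name has no effect and the job silently keeps pulling the default image, so rename one side (the GCP variant follows the `TBC_GCP_PROVIDER_IMAGE` pattern). The tracking service command reports `"5.4.1"` while the README example pins `ref: "5.2.0"`. The two commented-out `DOCKER_REGISTRY_*_USER: "@url@..."` lines should be removed or explained, given that the lines right below hard-code `AWS`. Comment grammar: `always generate token for user 'AWS'` → `always generates a token for user 'AWS'`. Two points worth a sentence in the README: as the comment says, declared variables are exported to the services, so `$AWS_JWT` and the access keys reach the tracking service as well as `aws-auth-provider`; and the `AWS_DEFAULT_ACCESS_KEY_ID` / `AWS_DEFAULT_SECRET_ACCESS_KEY` renaming exists so boto3 inside the provider does not pick the default keys up implicitly and bypass the `env_ctx` selection.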