Merge pull request #93 from jduimovich/env-var-declarations
add env var declarations and comments for Image Registry user/password
jduimovich authored Nov 26, 2024
2 parents 9d02bb4 + e85d29c commit 9df1d41
Showing 8 changed files with 155 additions and 42 deletions.
Expand Up @@ -13,8 +13,6 @@ env:
# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ${{ secrets.IMAGE_REGISTRY }}
IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}

# Used to verify the image signature and attestation
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
Expand All @@ -25,8 +23,16 @@ env:
TRUSTIFICATION_OIDC_CLIENT_ID: ${{ secrets.TRUSTIFICATION_OIDC_CLIENT_ID }}
TRUSTIFICATION_OIDC_CLIENT_SECRET: ${{ secrets.TRUSTIFICATION_OIDC_CLIENT_SECRET }}
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: ${{ secrets.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }}
QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
# Set this to the user for your specific registry
IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
# Set this password for your specific registry
IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
# QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
# QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
# ARTIFACTORY_IO_CREDS_USR: ${{ secrets.ARTIFACTORY_IO_CREDS_USR }}
# ARTIFACTORY_IO_CREDS_PSW: ${{ secrets.ARTIFACTORY_IO_CREDS_PSW }}
# NEXUS_IO_CREDS_USR: ${{ secrets.NEXUS_IO_CREDS_USR }}
# NEXUS_IO_CREDS_PSW: ${{ secrets.NEXUS_IO_CREDS_PSW }}

# 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below.
IMAGE_TAGS: ""
Expand All @@ -53,17 +59,26 @@ jobs:
script: |
const secrets = {
IMAGE_REGISTRY: `${{ secrets.IMAGE_REGISTRY }}`,
IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`,
IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`,
COSIGN_PUBLIC_KEY: `${{ secrets.COSIGN_PUBLIC_KEY }}`,
TRUSTIFICATION_BOMBASTIC_API_URL: `${{ secrets.TRUSTIFICATION_BOMBASTIC_API_URL }}`,
TRUSTIFICATION_OIDC_ISSUER_URL: `${{ secrets.TRUSTIFICATION_OIDC_ISSUER_URL }}`,
TRUSTIFICATION_OIDC_CLIENT_ID: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_ID }}`,
TRUSTIFICATION_OIDC_CLIENT_SECRET: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_SECRET }}`,
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: `${{ secrets.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }}`,
QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`,
QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`,
/* Used to verify the image signature and attestation */
COSIGN_PUBLIC_KEY: `${{ secrets.COSIGN_PUBLIC_KEY }}`,
/* URL of the BOMbastic api host (e.g. https://sbom.trustification.dev) */
TRUSTIFICATION_BOMBASTIC_API_URL: `${{ secrets.TRUSTIFICATION_BOMBASTIC_API_URL }}`,
/* URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken) */
TRUSTIFICATION_OIDC_ISSUER_URL: `${{ secrets.TRUSTIFICATION_OIDC_ISSUER_URL }}`,
TRUSTIFICATION_OIDC_CLIENT_ID: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_ID }}`,
TRUSTIFICATION_OIDC_CLIENT_SECRET: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_SECRET }}`,
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: `${{ secrets.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }}`,
/* Set this to the user for your specific registry */
IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`,
/* Set this password for your specific registry */
IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`,
/*QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`, */
/*QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`, */
/*ARTIFACTORY_IO_CREDS_USR: `${{ secrets.ARTIFACTORY_IO_CREDS_USR }}`, */
/*ARTIFACTORY_IO_CREDS_PSW: `${{ secrets.ARTIFACTORY_IO_CREDS_PSW }}`, */
/*NEXUS_IO_CREDS_USR: `${{ secrets.NEXUS_IO_CREDS_USR }}`, */
/*NEXUS_IO_CREDS_PSW: `${{ secrets.NEXUS_IO_CREDS_PSW }}`, */
};
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
6 changes: 6 additions & 0 deletions generated/gitops-template/jenkins/Jenkinsfile
Expand Up @@ -19,7 +19,13 @@ pipeline {
TRUSTIFICATION_OIDC_CLIENT_ID = credentials('TRUSTIFICATION_OIDC_CLIENT_ID')
TRUSTIFICATION_OIDC_CLIENT_SECRET = credentials('TRUSTIFICATION_OIDC_CLIENT_SECRET')
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION = credentials('TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION')
/* Set this to the user for your specific registry */
/* IMAGE_REGISTRY_USER = credentials('IMAGE_REGISTRY_USER') */
/* Set this password for your specific registry */
/* IMAGE_REGISTRY_PASSWORD = credentials('IMAGE_REGISTRY_PASSWORD') */
QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
/* ARTIFACTORY_IO_CREDS = credentials('ARTIFACTORY_IO_CREDS') */
/* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */
}
stages {
stage('Verify EC') {
Expand Up @@ -13,14 +13,22 @@ env:
# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ${{ secrets.IMAGE_REGISTRY }}
IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}

ROX_API_TOKEN: ${{ secrets.ROX_API_TOKEN }}
ROX_CENTRAL_ENDPOINT: ${{ secrets.ROX_CENTRAL_ENDPOINT }}
GITOPS_AUTH_PASSWORD: ${{ secrets.GITOPS_AUTH_PASSWORD }}
QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
# Uncomment this when using Gitlab
# GITOPS_AUTH_USERNAME: ${{ secrets.GITOPS_AUTH_USERNAME }}
# Set this to the user for your specific registry
IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
# Set this password for your specific registry
IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
# QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
# QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
# ARTIFACTORY_IO_CREDS_USR: ${{ secrets.ARTIFACTORY_IO_CREDS_USR }}
# ARTIFACTORY_IO_CREDS_PSW: ${{ secrets.ARTIFACTORY_IO_CREDS_PSW }}
# NEXUS_IO_CREDS_USR: ${{ secrets.NEXUS_IO_CREDS_USR }}
# NEXUS_IO_CREDS_PSW: ${{ secrets.NEXUS_IO_CREDS_PSW }}
COSIGN_SECRET_PASSWORD: ${{ secrets.COSIGN_SECRET_PASSWORD }}
COSIGN_SECRET_KEY: ${{ secrets.COSIGN_SECRET_KEY }}
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
Expand Down Expand Up @@ -56,17 +64,25 @@ jobs:
script: |
const secrets = {
IMAGE_REGISTRY: `${{ secrets.IMAGE_REGISTRY }}`,
IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`,
IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`,
ROX_API_TOKEN: `${{ secrets.ROX_API_TOKEN }}`,
ROX_CENTRAL_ENDPOINT: `${{ secrets.ROX_CENTRAL_ENDPOINT }}`,
GITOPS_AUTH_PASSWORD: `${{ secrets.GITOPS_AUTH_PASSWORD }}`,
QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`,
QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`,
COSIGN_SECRET_PASSWORD: `${{ secrets.COSIGN_SECRET_PASSWORD }}`,
COSIGN_SECRET_KEY: `${{ secrets.COSIGN_SECRET_KEY }}`,
COSIGN_PUBLIC_KEY: `${{ secrets.COSIGN_PUBLIC_KEY }}`,
ROX_API_TOKEN: `${{ secrets.ROX_API_TOKEN }}`,
ROX_CENTRAL_ENDPOINT: `${{ secrets.ROX_CENTRAL_ENDPOINT }}`,
GITOPS_AUTH_PASSWORD: `${{ secrets.GITOPS_AUTH_PASSWORD }}`,
/* Uncomment this when using Gitlab */
/*GITOPS_AUTH_USERNAME: `${{ secrets.GITOPS_AUTH_USERNAME }}`, */
/* Set this to the user for your specific registry */
IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`,
/* Set this password for your specific registry */
IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`,
/*QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`, */
/*QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`, */
/*ARTIFACTORY_IO_CREDS_USR: `${{ secrets.ARTIFACTORY_IO_CREDS_USR }}`, */
/*ARTIFACTORY_IO_CREDS_PSW: `${{ secrets.ARTIFACTORY_IO_CREDS_PSW }}`, */
/*NEXUS_IO_CREDS_USR: `${{ secrets.NEXUS_IO_CREDS_USR }}`, */
/*NEXUS_IO_CREDS_PSW: `${{ secrets.NEXUS_IO_CREDS_PSW }}`, */
COSIGN_SECRET_PASSWORD: `${{ secrets.COSIGN_SECRET_PASSWORD }}`,
COSIGN_SECRET_KEY: `${{ secrets.COSIGN_SECRET_KEY }}`,
COSIGN_PUBLIC_KEY: `${{ secrets.COSIGN_PUBLIC_KEY }}`,
};
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
7 changes: 7 additions & 0 deletions generated/source-repo/jenkins/Jenkinsfile
Expand Up @@ -12,7 +12,14 @@ pipeline {
GITOPS_AUTH_PASSWORD = credentials('GITOPS_AUTH_PASSWORD')
/* Uncomment this when using Gitlab */
/* GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME') */
/* Set this to the user for your specific registry */
/* IMAGE_REGISTRY_USER = credentials('IMAGE_REGISTRY_USER') */
/* Set this password for your specific registry */
/* IMAGE_REGISTRY_PASSWORD = credentials('IMAGE_REGISTRY_PASSWORD') */
/* Default registry is set to quay.io */
QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
/* ARTIFACTORY_IO_CREDS = credentials('ARTIFACTORY_IO_CREDS') */
/* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */
COSIGN_SECRET_PASSWORD = credentials('COSIGN_SECRET_PASSWORD')
COSIGN_SECRET_KEY = credentials('COSIGN_SECRET_KEY')
COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
1 change: 0 additions & 1 deletion rhtap/init.sh
Expand Up @@ -22,7 +22,6 @@ REQUIRED_BINARY+="python3 "
# BUILD TARGETS AND REGISTRY
# remember to leave a space when you add them to a prior ENV list
REQUIRED_ENV="IMAGE_URL IMAGE "
REQUIRED_ENV+="QUAY_IO_CREDS_USR QUAY_IO_CREDS_PSW "
# Cosign signing
REQUIRED_ENV+="COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY "
# SCANS
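Review bot: With `REQUIRED_ENV+="QUAY_IO_CREDS_USR QUAY_IO_CREDS_PSW "` removed and nothing added in its place, the visible REQUIRED_ENV list no longer names any registry credential, so a pipeline that reaches the image push without credentials will fail there rather than at this up-front check. The removal looks deliberate, since the credential names now differ by CI (IMAGE_REGISTRY_USER/IMAGE_REGISTRY_PASSWORD in the GitHub workflows, the QUAY_IO_CREDS binding in the Jenkinsfiles) and an all-required list cannot express "one of these pairs"; a one-line either/or check beside the list would restore the fail-fast behaviour, e.g. `[ -n "${IMAGE_REGISTRY_USER:-}${QUAY_IO_CREDS_USR:-}" ] || { echo "no registry credentials set" >&2; exit 1; }`. At minimum a comment such as `# registry credentials are CI-specific and are not validated in this list` should explain why the list stops at IMAGE. The rest of the REQUIRED_ENV assembly and the check that consumes it are outside the hunk.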
75 changes: 75 additions & 0 deletions templates/data.yaml
Expand Up @@ -20,13 +20,49 @@ build_secrets:
- name: GITOPS_AUTH_USERNAME
commented_out: true
comment: Uncomment this when using Gitlab

- name: IMAGE_REGISTRY_USER
if: 'isGitHub'
comment: "Set this to the user for your specific registry"
- name: IMAGE_REGISTRY_PASSWORD
if: 'isGitHub'
comment: "Set this password for your specific registry"
- name: IMAGE_REGISTRY_USER
if: '!isGitHub'
commented_out: true
comment: "Set this to the user for your specific registry"
- name: IMAGE_REGISTRY_PASSWORD
if: '!isGitHub'
commented_out: true
comment: "Set this password for your specific registry"

- name: QUAY_IO_CREDS
if: isJenkins
comment: "Default registry is set to quay.io"
- name: QUAY_IO_CREDS_USR
if: '!isJenkins'
commented_out: true
- name: QUAY_IO_CREDS_PSW
if: '!isJenkins'
commented_out: true
- name: ARTIFACTORY_IO_CREDS
if: isJenkins
commented_out: true
- name: ARTIFACTORY_IO_CREDS_USR
if: '!isJenkins'
commented_out: true
- name: ARTIFACTORY_IO_CREDS_PSW
if: '!isJenkins'
commented_out: true
- name: NEXUS_IO_CREDS
if: isJenkins
commented_out: true
- name: NEXUS_IO_CREDS_USR
if: '!isJenkins'
commented_out: true
- name: NEXUS_IO_CREDS_PSW
if: '!isJenkins'
commented_out: true
- name: COSIGN_SECRET_PASSWORD
- name: COSIGN_SECRET_KEY
- name: COSIGN_PUBLIC_KEY
Expand All @@ -49,9 +85,48 @@ gitops_secrets:
- name: TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION
# If the OCI registry is not public then ec needs some credentials so it can see the attestations.
# Todo: Use different credentials here so we provide read access only instead of read/write access.
# github always uses these
- name: IMAGE_REGISTRY_USER
if: 'isGitHub'
comment: "Set this to the user for your specific registry"
- name: IMAGE_REGISTRY_PASSWORD
if: 'isGitHub'
comment: "Set this password for your specific registry"
# other CIs in transition so comment out and leave Quay.io
- name: IMAGE_REGISTRY_USER
if: '!isGitHub'
commented_out: true
comment: "Set this to the user for your specific registry"
- name: IMAGE_REGISTRY_PASSWORD
if: '!isGitHub'
commented_out: true
comment: "Set this password for your specific registry"
# show all the values options in the jenkins file and other CIs
# this gives users a way to know what to set. Not perfect but better
# to be documented
- name: QUAY_IO_CREDS
if: isJenkins
- name: QUAY_IO_CREDS_USR
if: '!isJenkins'
commented_out: true
- name: QUAY_IO_CREDS_PSW
if: '!isJenkins'
commented_out: true
- name: ARTIFACTORY_IO_CREDS
if: isJenkins
commented_out: true
- name: ARTIFACTORY_IO_CREDS_USR
if: '!isJenkins'
commented_out: true
- name: ARTIFACTORY_IO_CREDS_PSW
if: '!isJenkins'
commented_out: true
- name: NEXUS_IO_CREDS
if: isJenkins
commented_out: true
- name: NEXUS_IO_CREDS_USR
if: '!isJenkins'
commented_out: true
- name: NEXUS_IO_CREDS_PSW
if: '!isJenkins'
commented_out: true
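Review bot: The `QUAY_IO_CREDS` entry added to gitops_secrets (`- name: QUAY_IO_CREDS` / `if: isJenkins`) carries no `comment:` while its build_secrets twin has `comment: "Default registry is set to quay.io"`, so the generated gitops Jenkinsfile shows a live credential binding between two commented-out alternatives with nothing saying it is the active default; adding the same `comment:` line keeps both generated files self-explanatory. The `if:` values also alternate between quoted (`'isGitHub'`, `'!isJenkins'`) and bare (`isJenkins`) forms; the negated ones need quotes because `!` starts a YAML tag, but using one form throughout would make the paired entries easier to scan. The text `Set this password for your specific registry` reads as an instruction to set a particular password; `Set this to the password for your specific registry` mirrors the user line. The `# Todo` above the new gitops entries still applies, since the same IMAGE_REGISTRY_USER/IMAGE_REGISTRY_PASSWORD secrets are reused for the verification step rather than a read-only pair.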
11 changes: 5 additions & 6 deletions templates/gitops-template/gitops-promotion.yml.njk
Expand Up @@ -13,14 +13,12 @@ env:
# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ${{ "secrets.IMAGE_REGISTRY" | inCurlies }}
IMAGE_REGISTRY_USER: ${{ "secrets.IMAGE_REGISTRY_USER" | inCurlies }}
IMAGE_REGISTRY_PASSWORD: ${{ "secrets.IMAGE_REGISTRY_PASSWORD" | inCurlies }}
{% for secret in gitops_secrets %}
{%- if secret | eval_if_condition %}
{%- if secret.comment %}
# {{ secret.comment }}
{%- endif %}
{{ secret.name }}: ${{ ("secrets." + secret.name) | inCurlies }}
{% if secret.commented_out %}# {% endif %}{{ secret.name }}: ${{ ("secrets." + secret.name) | inCurlies }}
{%- endif %}
{%- endfor %}

Expand Down Expand Up @@ -52,11 +50,12 @@ jobs:
#}
const secrets = {
IMAGE_REGISTRY: `${{ "secrets.IMAGE_REGISTRY" | inCurlies }}`,
IMAGE_REGISTRY_USER: `${{ "secrets.IMAGE_REGISTRY_USER" | inCurlies }}`,
IMAGE_REGISTRY_PASSWORD: `${{ "secrets.IMAGE_REGISTRY_PASSWORD" | inCurlies }}`,
{% for secret in gitops_secrets %}
{%- if secret | eval_if_condition %}
{{ secret.name }}: `${{ ("secrets." + secret.name) | inCurlies }}`,
{%- if secret.comment %}
/* {{ secret.comment }} */
{%- endif %}
{% if secret.commented_out %}/*{% endif %}{{ secret.name }}: `${{ ("secrets." + secret.name) | inCurlies }}`, {% if secret.commented_out %}*/{% endif %}
{%- endif %}
{%- endfor %}
};
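Review bot: The `commented_out` branch of the new `const secrets` line still renders `${{ ("secrets." + secret.name) | inCurlies }}` between the `/*` and `*/`, and inside a `script: |` block the runner expands that expression before the JavaScript is parsed, so a secret the entry is meant to leave inert is still injected into the script source, and a value containing `*/` would close the comment early and break the step. Rendering only `/* {{ secret.name }} */` in the commented branch and keeping the existing `name: value,` line in an `{% else %}` branch avoids both, and makes the trailing `{% if secret.commented_out %}*/{% endif %}` unnecessary. The same line was added to templates/source-repo/build-and-update-gitops.yml.njk, and the two generated workflow files in this commit inherit it from these templates. The `# ` form used for the env: block in the first hunk is fine, because YAML comments are dropped before expression evaluation.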
10 changes: 3 additions & 7 deletions templates/source-repo/build-and-update-gitops.yml.njk
Expand Up @@ -13,8 +13,6 @@ env:
# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ${{ "secrets.IMAGE_REGISTRY" | inCurlies }}
IMAGE_REGISTRY_USER: ${{ "secrets.IMAGE_REGISTRY_USER" | inCurlies }}
IMAGE_REGISTRY_PASSWORD: ${{ "secrets.IMAGE_REGISTRY_PASSWORD" | inCurlies }}
{% for secret in build_secrets %}
{%- if secret | eval_if_condition %}
{%- if secret.comment %}
Expand Down Expand Up @@ -58,14 +56,12 @@ jobs:
#}
const secrets = {
IMAGE_REGISTRY: `${{ "secrets.IMAGE_REGISTRY" | inCurlies }}`,
IMAGE_REGISTRY_USER: `${{ "secrets.IMAGE_REGISTRY_USER" | inCurlies }}`,
IMAGE_REGISTRY_PASSWORD: `${{ "secrets.IMAGE_REGISTRY_PASSWORD" | inCurlies }}`,
{% for secret in build_secrets %}
{%- if secret | eval_if_condition %}
{%- if secret.comment %}
# {{ secret.comment }}
{%- endif %}
{% if secret.commented_out %}# {% endif %}{{ secret.name }}: `${{ ("secrets." + secret.name) | inCurlies }}`,
/* {{ secret.comment }} */
{%- endif %}
{% if secret.commented_out %}/*{% endif %}{{ secret.name }}: `${{ ("secrets." + secret.name) | inCurlies }}`, {% if secret.commented_out %}*/{% endif %}
{%- endif %}
{%- endfor %}

