feat: Add secret for pulling pending repos for sign-index-image task

Author: JakubDurkac

ansible/inventory/group_vars/operator-pipeline.yml

@@ -25,6 +25,7 @@ operator_pipeline_private_cert_local_path: ../../vaults/{{ env }}/operator-pipel
 
 operator_hosted_pipeline_registry_auth_path: ../../vaults/{{ env }}/registry-auth/hosted-pipeline.json
 operator_release_pipeline_registry_auth_pull_path: ../../vaults/{{ env }}/registry-auth/release-pipeline-pull.json
+operator_release_pipeline_registry_auth_pull_pending_path: ../../vaults/{{ env }}/registry-auth/release-pipeline-pull-pending.json
 operator_release_pipeline_registry_auth_push_path: ../../vaults/{{ env }}/registry-auth/release-pipeline-push.json
 operator_release_pipeline_registry_auth_serve_path: ../../vaults/{{ env }}/registry-auth/release-pipeline-serve.json
 

ansible/roles/operator-pipeline/tasks/pipeline-secrets.yml

@@ -126,6 +126,27 @@
       data:
         .dockerconfigjson: "{{ lookup('file', operator_release_pipeline_registry_auth_serve_path, rstrip=False) | b64encode }}"
 
+- name: Create Operator release pipeline pull pending registry auth secret
+  no_log: true
+  tags:
+    - secrets
+  kubernetes.core.k8s:
+    state: present
+    force: true
+    namespace: "{{ oc_namespace }}"
+    definition:
+      apiVersion: v1
+      kind: Secret
+      type: opaque
+      metadata:
+        name: release-pipeline-pull-pending-registry-auth
+        labels:
+          app: operator-pipeline
+          suffix: "{{ suffix }}"
+          env: "{{ env }}"
+      data:
+        config.json: "{{ lookup('file', operator_release_pipeline_registry_auth_pull_pending_path, rstrip=False) | b64encode }}"
+
 - name: Create Operator pipeline github bot token secret
   no_log: true
   tags:

ansible/roles/operator-pipeline/templates/openshift/pipelines/operator-release-pipeline.yml

@@ -65,6 +65,9 @@ spec:
     - name: signing_pub_secret_key
       description: The key within the Kubernetes Secret that contains the public key for verifying signatures.
       default: sig-key.pub
+    - name: registry_pull_pending_secret_name
+      description: The name of the Kubernetes Secret that contains registry credentials for pulling from pending repositories.
+      default: release-pipeline-pull-pending-registry-auth
     - name: cert_project_required
       description: >-
         A flag determines whether a cert project identifier is required
@@ -649,6 +652,9 @@ spec:
           value: "$(params.signing_pub_secret_name)"
         - name: signing_pub_secret_key
           value: "$(params.signing_pub_secret_key)"
+
+        - name: registry_auth_secret_name
+          value: "$(params.registry_pull_pending_secret_name)"
       workspaces:
         - name: results
           workspace: results

ansible/roles/operator-pipeline/templates/openshift/tasks/sign-index-image.yml

@@ -106,6 +106,8 @@ spec:
         if [[ -f /tmp/registry-auth/config.json ]]; then
           echo "Registry auth file found. Using it for skopeo."
           SKOPEO_EXTRA_ARGS="--authfile /tmp/registry-auth/config.json"
+        else
+          echo "WARNING: No registry auth found. Skopeo will use no --authfile."
         fi
 
         DOCKER_REFERENCES=""

ansible/vaults/dev/registry-auth/release-pipeline-pull-pending.json

@@ -0,0 +1,16 @@
+$ANSIBLE_VAULT;1.1;AES256
+38373539366435613038333238626361653630326462343434613236663037366530306635616665
+3233613038343732363531633365343335336166633130660a356665346139616366393334633936
+35653838613164663137363161393263313566353665383832353464613533346635313262663663
+6338633336613262370a393830346638613032313032323632323636353062353964313234353133
+36376564373636386436393339383965366330313135663466326265356264343666333533643863
+35613965323138303333623232376431623639646130353436343738383761626663313162373838
+63643030343364326238313330373037653732376661646136396537623539343532646134386131
+63666236376434333737346239636634323332323334616331333030633334353237633866373032
+38653436333563376533623966343038376564643039353137303264633237343335366265663866
+39653039623261626132363166316637373139323865386139393231653336343963356236373535
+30306266313863323332366663376466666435613432636564613461646334646133316131323235
+61383133616438613938333739346638373635333932303237653861623835353463306265656338
+38333333626464613732383766326634353966656635666363376334343337376663663837626436
+32343833613838373663376161646332313233323264656262666138323539303863636164393238
+336231643662366237653765663739313639

ansible/vaults/integration-tests/registry-auth/release-pipeline-pull-pending.json

@@ -0,0 +1,16 @@
+$ANSIBLE_VAULT;1.1;AES256
+39613330663635646430326564303037333738366161643462626636656535303365303465666133
+3037323666653139346364336365353633323365386162650a636133353665343662323038646461
+38333539323636336332616233343136303538633131626531333162363764363962343766653931
+3739613965633864650a653935623039323963623330313565333636373731343265653962386530
+63653033306465653961646532666465323363613033346234643634306135376531626331333537
+36373530396266383766353664383961363432376165376532636262626230343031623963616436
+62333763613433623437373039343437343435333261326137363839376163326335336231316439
+62643830613736656137313432323530656433376137366236353435323034303738643038663033
+37613465306661323939313833643133353330353562373066653566323737626531626435306163
+37666464326463396461343566323861653066356334646466623564396235323836376165373733
+37643430306463616463626135373538663863323338623863616236383933373366383137313165
+32663934323035626534663135663261646563303139653263366132323432636165356561613831
+36346463613232393538326262306232383863623334346337393038386561393436356632306161
+65363734386539386663333266653231316530646463383562363938646633386435393566663464
+383233313037626639353562363131353835

ansible/vaults/prod/registry-auth/release-pipeline-pull-pending.json

@@ -0,0 +1,15 @@
+$ANSIBLE_VAULT;1.1;AES256
+64653264626537366665383633386436383936323665303961336637366661316237623434643765
+3936633566616235643430363130303563306663633634320a343365663932666330663637393561
+32323961323332623937366233333763306332313364663539386161656234373632336532306430
+3238643465373838310a623863393831323637346637643038393034386362363038363134346330
+30666431393833623636643333353663316537653330343835336165326662333030383162343132
+64633336396564386338316435333364393065663632353732313763343561373137626137313039
+39323134623861396665626532636264373265333731663564336438323730373935376333353964
+33643339363735636334313664313631396334343731613031363030396566313363643934356164
+61373664636433373939343466323664323837636262383233373361333464363333633837336137
+36326338366633333238343731313131633663343636353332663831616563363133616661363464
+65613063373532323261323436316161303238623662366335396266393764626134633665376331
+33333665343761386631323936613334383564316432653932316262386436386261373062613430
+39386532386532666330636633636630313238373036336633323237663663386430656535323965
+3736663334323530306137343563643931633433643030313664

ansible/vaults/qa/registry-auth/release-pipeline-pull-pending.json

@@ -0,0 +1,16 @@
+$ANSIBLE_VAULT;1.1;AES256
+64623731633436353461356563646165323039356133656638623038356637313537646535663836
+3161373662666137656431626263393962333433313237350a343135326237636433316639353863
+32333061383035616365643335393931333763303938393533373734343361633538393765393737
+6663313637383737620a353464633432393461383439613331376434386166613139323261646165
+33636237326132303734643731363339353432316136383031653035656130383335313335336431
+34323663313432636239656436343233393232363537616462326264346564666466316536653739
+34636239396166313032306433366363356632633262326361303337343864393166326335663662
+37393232343264306562306436643937316133623266386530396333636332666237303061376432
+38343036653365313332303938626439383165363265663337303065613431633838643933326132
+39326332383936356634383236623065643435646536653332303538633437623664643633333465
+39373533333933643464353062636238353164396434313362616438336532613535306638666434
+30306233646135333138636435616439313337633962313837323862373634313139383163656261
+64623762643563346630336664323338353837353837333463383933313866313465636631663565
+65623761383734393666333936666363393833343436306561393533643231653763306233623735
+386164393430303836636563386466623838

ansible/vaults/stage/registry-auth/release-pipeline-pull-pending.json

@@ -0,0 +1,16 @@
+$ANSIBLE_VAULT;1.1;AES256
+63343164346539623637623464323635326261303936373933396635326263353366366666353864
+3531343463303233376330643435396566353632616666660a346462343166616263306538666663
+34633430356338636266363236353034663863363336313131616434386136646232366530393661
+3564376330373833640a326162316161303334636238353663633138666239396532653562373831
+32663861346163633339313939336636346439343639366263353163323737376130313830346139
+35616431616661653436373261366231386636363262333666316133656635313766656637346532
+65383530383734396462366462663965623331646431666136313937303234393664353861646533
+63383764323361643865646230313131343732373761656431383633363631663334326531666130
+31306434623031633030336134363336383162623332613330313062366465306361393961643133
+35363233316632336566383733663263363436323332336238663538616231373230663232356436
+61386137373336653364323539353763346230346463363733653363366665623933376565306335
+34313034666332623134303436653236323866313338613833613239343261323362303338306163
+32343338323461633066363165343232316132653533336337313064373762656136336365636364
+36333266646631643938393239326232386134383434396636383263643038633431623435313832
+646438386162303139616561356565643831