fix: Pass overwrite tokens using env vars instead of CLI args

Author: JakubDurkac

ansible/roles/operator-pipeline/templates/openshift/tasks/add-bundle-to-index.yml

@@ -113,7 +113,7 @@ spec:
         if [[ "$(workspaces.iib-credentials.bound)" == "true" ]]; then
           IIB_QUAY_USER=$(cat $(workspaces.iib-credentials.path)/username)
           IIB_QUAY_TOKEN=$(cat $(workspaces.iib-credentials.path)/password)
-          EXTRA_ARGS+=" --iib-overwrite-token ${IIB_QUAY_USER}:${IIB_QUAY_TOKEN}"
+          export IIB_OVERWRITE_TOKEN="${IIB_QUAY_USER}:${IIB_QUAY_TOKEN}"
 
           # Add build tags suffix for consistent tagging with publish task
           if [[ "$(params.build_tags_suffix)" != "" ]]; then

ansible/roles/operator-pipeline/templates/openshift/tasks/build-fbc-index-images.yml

@@ -99,28 +99,28 @@ spec:
             exit 0
         fi
 
-        # Build IIB token argument if credentials workspace is provided (for release pipeline)
-        TOKEN_ARG=""
+        # Add IIB overwrite token if credentials workspace is provided (for release pipeline)
+        EXTRA_ARGS=""
         if [[ "$(workspaces.iib-credentials.bound)" == "true" ]]; then
           IIB_QUAY_USER=$(cat $(workspaces.iib-credentials.path)/username)
           IIB_QUAY_TOKEN=$(cat $(workspaces.iib-credentials.path)/password)
-          TOKEN_ARG="--iib-overwrite-token ${IIB_QUAY_USER}:${IIB_QUAY_TOKEN}"
+          export IIB_OVERWRITE_TOKEN="${IIB_QUAY_USER}:${IIB_QUAY_TOKEN}"
 
           # Add build tags suffix for consistent tagging with publish task
           if [[ "$(params.build_tags_suffix)" != "" ]]; then
-            TOKEN_ARG+=" --build-tags-suffix $(params.build_tags_suffix)"
+            EXTRA_ARGS+=" --build-tags-suffix $(params.build_tags_suffix)"
           fi
         fi
 
-        # DO NOT use `--verbose` to avoid auth headers appearing in logs
         add-fbc-fragments-to-index \
           --iib-url "$(params.iib_url)" \
           --indices $INDEX_IMAGES \
           --catalog-names "$(params.catalogs_with_added_or_modified_operators)" \
           --image-repository "$(params.image_repository)" \
           --commit-sha "$(params.commit_sha)" \
           --image-output index-image-paths.txt \
-          $TOKEN_ARG
+          --verbose \
+          $EXTRA_ARGS
 
         cat index-image-paths.txt
 
@@ -158,26 +158,26 @@ spec:
             exit 0
         fi
 
-        # Build IIB token argument if credentials workspace is provided (for release pipeline)
-        TOKEN_ARG=""
+        # Add IIB overwrite token if credentials workspace is provided (for release pipeline)
+        EXTRA_ARGS=""
         if [[ "$(workspaces.iib-credentials.bound)" == "true" ]]; then
           IIB_QUAY_USER=$(cat $(workspaces.iib-credentials.path)/username)
           IIB_QUAY_TOKEN=$(cat $(workspaces.iib-credentials.path)/password)
-          TOKEN_ARG="--iib-overwrite-token ${IIB_QUAY_USER}:${IIB_QUAY_TOKEN}"
+          export IIB_OVERWRITE_TOKEN="${IIB_QUAY_USER}:${IIB_QUAY_TOKEN}"
 
           # Add build tags suffix for consistent tagging with publish task
           if [[ "$(params.build_tags_suffix)" != "" ]]; then
-            TOKEN_ARG+=" --build-tags-suffix $(params.build_tags_suffix)"
+            EXTRA_ARGS+=" --build-tags-suffix $(params.build_tags_suffix)"
           fi
         fi
 
-        # DO NOT use `--verbose` to avoid auth headers appearing in logs
         rm-operator-from-index  \
           --iib-url "$(params.iib_url)" \
           --indices $INDEX_IMAGES \
           --fragment-builds-output index-image-paths.txt \
           --rm-catalog-operators "$(params.deleted_catalog_operators)" \
           --image-output index-image-paths.txt \
-          $TOKEN_ARG
+          --verbose \
+          $EXTRA_ARGS
 
         cat index-image-paths.txt

operatorcert/entrypoints/add_fbc_fragments_to_index.py

@@ -2,8 +2,6 @@
 IIB module for building a file based catalog for a bundle
 """
 
-# pylint: disable=duplicate-code
-
 import argparse
 import logging
 import os
@@ -63,14 +61,6 @@ def setup_argparser() -> argparse.ArgumentParser:
         "unpublished index images built by IIB.",
     )
 
-    parser.add_argument(
-        "--iib-overwrite-token",
-        help=(
-            "Token for IIB to authenticate with from_index registry "
-            "and enable overwrite (format: username:password)"
-        ),
-    )
-
     parser.add_argument(
         "--build-tags-suffix",
         help="Timestamp suffix for build tags (used with overwrite to ensure consistent tagging)",
@@ -265,6 +255,7 @@ def main() -> None:
     setup_logger(level=log_level)
 
     utils.set_client_keytab(os.environ.get("KRB_KEYTAB_FILE", "/etc/krb5.krb"))
+    overwrite_token = os.environ.get("IIB_OVERWRITE_TOKEN")
 
     index_fragment_mapping = map_index_to_fragment(
         args.indices,
@@ -277,7 +268,7 @@ def main() -> None:
         args.iib_url,
         index_fragment_mapping,
         args.image_output,
-        args.iib_overwrite_token,
+        overwrite_token,
         args.build_tags_suffix,
     )
 

operatorcert/entrypoints/index.py

@@ -61,14 +61,6 @@ def setup_argparser() -> argparse.ArgumentParser:  # pragma: no cover
     )
     parser.add_argument("--authfile", help="")
 
-    parser.add_argument(
-        "--iib-overwrite-token",
-        help=(
-            "Token for IIB to authenticate with from_index registry "
-            "and enable overwrite (format: username:password)"
-        ),
-    )
-
     parser.add_argument(
         "--build-tags-suffix",
         help="Timestamp suffix for build tags (used with overwrite to ensure consistent tagging)",
@@ -175,14 +167,15 @@ def main() -> None:  # pragma: no cover
     setup_logger(level=log_level)
 
     utils.set_client_keytab(os.environ.get("KRB_KEYTAB_FILE", "/etc/krb5.krb"))
+    overwrite_token = os.environ.get("IIB_OVERWRITE_TOKEN")
 
     iib_response = add_bundle_to_index(
         args.bundle_pullspec,
         args.iib_url,
         args.indices,
         args.image_output,
         args.mode,
-        args.iib_overwrite_token,
+        overwrite_token,
         args.build_tags_suffix,
     )
     if args.index_image_destination:

operatorcert/entrypoints/rm_operator_from_index.py

@@ -49,14 +49,6 @@ def setup_argparser() -> argparse.ArgumentParser:
         help="Base URL for IIB API",
     )
 
-    parser.add_argument(
-        "--iib-overwrite-token",
-        help=(
-            "Token for IIB to authenticate with from_index registry "
-            "and enable overwrite (format: username:password)"
-        ),
-    )
-
     parser.add_argument(
         "--build-tags-suffix",
         help="Timestamp suffix for build tags (used with overwrite to ensure consistent tagging)",
@@ -305,6 +297,7 @@ def main() -> None:  # pragma: no cover
     setup_logger(level=log_level)
 
     utils.set_client_keytab(os.environ.get("KRB_KEYTAB_FILE", "/etc/krb5.krb"))
+    overwrite_token = os.environ.get("IIB_OVERWRITE_TOKEN")
 
     # In case there was a previous run of fragment builds, read the output and use
     # it as a base for removal process. In case the file does not exist, set it to
@@ -326,7 +319,7 @@ def main() -> None:  # pragma: no cover
 
     # Remove operators from the index images using IIB API
     iib_rm_response = rm_operator_from_index(
-        index_images, args.iib_url, args.iib_overwrite_token, args.build_tags_suffix
+        index_images, args.iib_url, overwrite_token, args.build_tags_suffix
     )
 
     # Merge the output from the removal process with the output from the