Merge pull request Azure#616 from Azure/use-correct-secrets

Support overwrite for secrets
ahitacat · Sep 18, 2024 · dd17e82 · dd17e82
2 parents bf5117c + bf1b524
commit dd17e82
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 39 deletions.
diff --git a/dev-infrastructure/configurations/mvp-dev-acr.bicepparam b/dev-infrastructure/configurations/mvp-dev-acr.bicepparam
@@ -12,6 +12,8 @@ param quayRepositoriesToCache = [
     purgeFilter: 'quay.io/openshift-release-dev/.*:.*'
     purgeAfter: '2d'
     imagesToKeep: 1
+    userIdentifier: 'quay-username'
+    passwordIdentifier: 'quay-password'
   }
   {
     ruleName: 'csSandboxImages'
@@ -20,6 +22,8 @@ param quayRepositoriesToCache = [
     purgeFilter: 'quay.io/app-sre/ocm-clusters-service-sandbox:.*'
     purgeAfter: '2d'
     imagesToKeep: 1
+    userIdentifier: 'quay-componentsync-username'
+    passwordIdentifier: 'quay-componentsync-password'
   }
 ]
 

diff --git a/dev-infrastructure/templates/dev-acr.bicep b/dev-infrastructure/templates/dev-acr.bicep
@@ -9,14 +9,6 @@ param location string = resourceGroup().location
 @description('Service tier of the Azure Container Registry.')
 param acrSku string
 
-@description('KeyVault secret name with the password used to log into quay.')
-#disable-next-line secure-secrets-in-params
-param passwordSecretIdentifier string = 'quay-password'
-
-@description('KeyVault secret name with the username used to log into quay.')
-#disable-next-line secure-secrets-in-params
-param usernameSecretIdentifier string = 'quay-username'
-
 @description('List of quay repositories to cache in the Azure Container Registry.')
 param quayRepositoriesToCache array = []
 
@@ -84,7 +76,7 @@ steps:
     trigger: {
       timerTriggers: [
         {
-          name: 'weekly'
+          name: 'daily'
           schedule: '0 0 * * *'
         }
       ]
@@ -95,48 +87,52 @@ steps:
 @description('Login server property for later use')
 output loginServer string = acrResource.properties.loginServer
 
-resource pullCredential 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = if (length(quayRepositoriesToCache) > 0) {
-  name: 'quayPullCredential'
-  parent: acrResource
-  identity: {
-    type: 'SystemAssigned'
-  }
-  properties: {
-    authCredentials: [
-      {
-        name: 'Credential1'
-        passwordSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${passwordSecretIdentifier}'
-        usernameSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${usernameSecretIdentifier}'
-      }
-    ]
-    loginServer: 'quay.io'
+resource pullCredential 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = [
+  for repo in quayRepositoriesToCache: {
+    name: repo.ruleName
+    parent: acrResource
+    identity: {
+      type: 'SystemAssigned'
+    }
+    properties: {
+      authCredentials: [
+        {
+          name: 'Credential1'
+          passwordSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${repo.passwordIdentifier}'
+          usernameSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${repo.userIdentifier}'
+        }
+      ]
+      loginServer: 'quay.io'
+    }
   }
-}
+]
 
 resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01-preview' = [
-  for repo in quayRepositoriesToCache: {
+  for (repo, i) in quayRepositoriesToCache: {
     name: repo.ruleName
     parent: acrResource
     properties: {
-      credentialSetResourceId: pullCredential.id
+      credentialSetResourceId: pullCredential[i].id
       sourceRepository: repo.sourceRepo
       targetRepository: repo.targetRepo
     }
   }
 ]
 
-resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (length(quayRepositoriesToCache) > 0) {
-  scope: keyVault
-  name: guid(keyVault.id, 'quayPullSecrets', 'read')
-  properties: {
-    roleDefinitionId: subscriptionResourceId(
-      'Microsoft.Authorization/roleDefinitions/',
-      '4633458b-17de-408a-b874-0445c86b69e6'
-    )
-    principalId: pullCredential.identity.principalId
-    principalType: 'ServicePrincipal'
+resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for (repo, i) in quayRepositoriesToCache: {
+    scope: keyVault
+    name: guid(keyVault.id, 'quayPullSecrets', 'read', repo.ruleName)
+    properties: {
+      roleDefinitionId: subscriptionResourceId(
+        'Microsoft.Authorization/roleDefinitions/',
+        '4633458b-17de-408a-b874-0445c86b69e6'
+      )
+      principalId: pullCredential[i].identity.principalId
+      principalType: 'ServicePrincipal'
+    }
   }
-}
+]
 
 resource purgeCached 'Microsoft.ContainerRegistry/registries/tasks@2019-04-01' = [
   for repo in quayRepositoriesToCache: {
@@ -171,7 +167,7 @@ steps:
         timerTriggers: [
           {
             name: 'daily'
-            schedule: '0 * * * *'
+            schedule: '0 0 * * *'
           }
         ]
       }