From 05efee76fa3fe1810e2b82f1613abf00ced4b50e Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Tue, 17 Sep 2024 16:22:56 +0200
Subject: [PATCH 1/3] Support overwrite for secrets

Various quay orgs might require different secrets, thus allow chaning secret identifier
---
 .../configurations/mvp-dev-acr.bicepparam | 4 ++
 dev-infrastructure/templates/dev-acr.bicep | 70 +++++++++----------
 2 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/dev-infrastructure/configurations/mvp-dev-acr.bicepparam b/dev-infrastructure/configurations/mvp-dev-acr.bicepparam
index 6f7996de2..3a3a985eb 100644
--- a/dev-infrastructure/configurations/mvp-dev-acr.bicepparam
+++ b/dev-infrastructure/configurations/mvp-dev-acr.bicepparam
@@ -12,6 +12,8 @@ param quayRepositoriesToCache = [
     purgeFilter: 'quay.io/openshift-release-dev/.*:.*'
     purgeAfter: '2d'
     imagesToKeep: 1
+    userIdentifier: 'quay-username'
+    passwordIdentifier: 'quay-password'
   }
   {
     ruleName: 'csSandboxImages'
@@ -20,6 +22,8 @@ param quayRepositoriesToCache = [
     purgeFilter: 'quay.io/app-sre/ocm-clusters-service-sandbox:.*'
     purgeAfter: '2d'
     imagesToKeep: 1
+    userIdentifier: 'quay-componentsync-username'
+    passwordIdentifier: 'quay-componentsync-password'
   }
 ]
 
diff --git a/dev-infrastructure/templates/dev-acr.bicep b/dev-infrastructure/templates/dev-acr.bicep
index 51c48fdfe..680ba8961 100644
--- a/dev-infrastructure/templates/dev-acr.bicep
+++ b/dev-infrastructure/templates/dev-acr.bicep
@@ -9,14 +9,6 @@ param location string = resourceGroup().location
 @description('Service tier of the Azure Container Registry.')
 param acrSku string
 
-@description('KeyVault secret name with the password used to log into quay.')
-#disable-next-line secure-secrets-in-params
-param passwordSecretIdentifier string = 'quay-password'
-
-@description('KeyVault secret name with the username used to log into quay.')
-#disable-next-line secure-secrets-in-params
-param usernameSecretIdentifier string = 'quay-username'
-
 @description('List of quay repositories to cache in the Azure Container Registry.')
 param quayRepositoriesToCache array = []
 
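Review bot: `quayRepositoriesToCache` keeps its one-line `@description` although, with `passwordSecretIdentifier` and `usernameSecretIdentifier` removed, every array entry must now supply `userIdentifier` and `passwordIdentifier` (the credential set in the next hunk reads `repo.userIdentifier` and `repo.passwordIdentifier`) and there is no default any more, so an entry without them fails only at deployment time. Suggest extending it: `@description('List of quay repositories to cache in the Azure Container Registry. Each entry must set userIdentifier and passwordIdentifier, the names of the Key Vault secrets holding the quay login used for that repository.')`. If the Bicep toolchain in use supports user-defined types, a typed array in place of the untyped `array` would turn a missing key into a compile-time error instead.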
@@ -95,48 +87,52 @@ steps:
 @description('Login server property for later use')
 output loginServer string = acrResource.properties.loginServer
 
-resource pullCredential 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = if (length(quayRepositoriesToCache) > 0) {
-  name: 'quayPullCredential'
-  parent: acrResource
-  identity: {
-    type: 'SystemAssigned'
-  }
-  properties: {
-    authCredentials: [
-      {
-        name: 'Credential1'
-        passwordSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${passwordSecretIdentifier}'
-        usernameSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${usernameSecretIdentifier}'
-      }
-    ]
-    loginServer: 'quay.io'
+resource pullCredential 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = [
+  for repo in quayRepositoriesToCache: {
+    name: repo.ruleName
+    parent: acrResource
+    identity: {
+      type: 'SystemAssigned'
+    }
+    properties: {
+      authCredentials: [
+        {
+          name: 'Credential1'
+          passwordSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${repo.passwordIdentifier}'
+          usernameSecretIdentifier: '${keyVault.properties.vaultUri}secrets/${repo.userIdentifier}'
+        }
+      ]
+      loginServer: 'quay.io'
+    }
   }
-}
+]
 
 resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01-preview' = [
-  for repo in quayRepositoriesToCache: {
+  for (repo, i) in quayRepositoriesToCache: {
     name: repo.ruleName
     parent: acrResource
     properties: {
-      credentialSetResourceId: pullCredential.id
+      credentialSetResourceId: pullCredential[i].id
       sourceRepository: repo.sourceRepo
       targetRepository: repo.targetRepo
     }
   }
 ]
 
-resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (length(quayRepositoriesToCache) > 0) {
-  scope: keyVault
-  name: guid(keyVault.id, 'quayPullSecrets', 'read')
-  properties: {
-    roleDefinitionId: subscriptionResourceId(
-      'Microsoft.Authorization/roleDefinitions/',
-      '4633458b-17de-408a-b874-0445c86b69e6'
-    )
-    principalId: pullCredential.identity.principalId
-    principalType: 'ServicePrincipal'
+resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for (repo, i) in quayRepositoriesToCache: {
+    scope: keyVault
+    name: guid(keyVault.id, 'quayPullSecrets', 'read')
+    properties: {
+      roleDefinitionId: subscriptionResourceId(
+        'Microsoft.Authorization/roleDefinitions/',
+        '4633458b-17de-408a-b874-0445c86b69e6'
+      )
+      principalId: pullCredential[i].identity.principalId
+      principalType: 'ServicePrincipal'
+    }
   }
-}
+]
 
 resource purgeCached 'Microsoft.ContainerRegistry/registries/tasks@2019-04-01' = [
   for repo in quayRepositoriesToCache: {
From 3136e7be90ec993ad3b839186549d0d646614e6b Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Tue, 17 Sep 2024 16:27:21 +0200
Subject: [PATCH 2/3] role assignment name should be unique

---
 dev-infrastructure/templates/dev-acr.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-infrastructure/templates/dev-acr.bicep b/dev-infrastructure/templates/dev-acr.bicep
index 680ba8961..23e86ae4a 100644
--- a/dev-infrastructure/templates/dev-acr.bicep
+++ b/dev-infrastructure/templates/dev-acr.bicep
@@ -122,7 +122,7 @@ resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01
 resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for (repo, i) in quayRepositoriesToCache: {
     scope: keyVault
-    name: guid(keyVault.id, 'quayPullSecrets', 'read')
+    name: guid(keyVault.id, 'quayPullSecrets', 'read', repo.ruleName)
     properties: {
       roleDefinitionId: subscriptionResourceId(
         'Microsoft.Authorization/roleDefinitions/',
From bf1b52460f95f1124ce917708587419a4f7546c8 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Wed, 18 Sep 2024 08:37:19 +0200
Subject: [PATCH 3/3] Fix cron schedule, acr purge is actually daily and other schedule was accidentically hourly

---
 dev-infrastructure/templates/dev-acr.bicep | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

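Review bot: Every iteration of `secretAccessPermission` keeps `scope: keyVault`, so each per-repository credential-set identity is granted role `4633458b-17de-408a-b874-0445c86b69e6` over the whole vault and can read every secret in it, including the other repositories' credentials; before this hunk that was a single identity, now it is one per entry in `quayRepositoriesToCache`. Key Vault RBAC allows assigning at the individual secret, so scoping each assignment to the two secrets that entry references would keep the identities separated, or, if vault-wide read is intended, say so on the resource: `// vault-wide read: every credential set can resolve any secret in this vault`. Note also that `pullCredential` now names each credential set `repo.ruleName`, so that value is a resource name for two resource types and must stay unique per entry, which the parameter description should state. The `purgeCached` loop body at the end of the hunk continues outside it.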
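Review bot: Deriving the assignment name from `repo.ruleName` makes it unique per entry, but renaming or dropping an entry then changes or removes the computed name, and if the template is deployed incrementally (the deployment mode is not visible here) the old assignment stays on the vault while the credential set it pointed at is left behind or recreated under the new name. A short comment on the `name` line would capture that operational caveat: `// per-rule name; assignments for renamed or removed rules are not cleaned up by the deployment`.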
diff --git a/dev-infrastructure/templates/dev-acr.bicep b/dev-infrastructure/templates/dev-acr.bicep
index 23e86ae4a..4f99c8bf6 100644
--- a/dev-infrastructure/templates/dev-acr.bicep
+++ b/dev-infrastructure/templates/dev-acr.bicep
@@ -76,7 +76,7 @@ steps:
       trigger: {
         timerTriggers: [
           {
-            name: 'weekly'
+            name: 'daily'
             schedule: '0 0 * * *'
           }
         ]
@@ -167,7 +167,7 @@ steps:
         timerTriggers: [
           {
             name: 'daily'
-            schedule: '0 * * * *'
+            schedule: '0 0 * * *'
           }
         ]
       }
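Review bot: After this change both timer triggers read `schedule: '0 0 * * *'`, so the task in the first hunk and the per-repository tasks in the second hunk all fire in the same minute every day; whether they may safely overlap cannot be told from here, but staggering one of them, e.g. `schedule: '0 1 * * *'`, would remove the question. Because the trigger name and the cron expression were each wrong once, a comment beside each `schedule` stating the intent, e.g. `// once a day at 00:00 (ACR task timers appear to use UTC, confirm)`, would make the expressions self-checking. Both enclosing resources start outside the hunks.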