Implemented automatic fetching ACR password from Azure KeyVault

argo-workflows/acr-pusher.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: edu-agentpool
+  namespace: argo

argo-workflows/argo-workflow-manager-role.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: argo
+  name: argo-workflow-manager
+rules:
+  - apiGroups: ["argoproj.io"]
+    resources: ["workflowtaskresults"]
+    verbs: ["create", "get", "list", "update", "patch", "delete"]
+  - apiGroups: ["argoproj.io"]
+    resources: ["workflows"]
+    verbs: ["create", "get", "list", "update", "patch", "delete"]

argo-workflows/build.yaml

@@ -0,0 +1,142 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+  generateName: build-workflow-
+spec:
+  entrypoint: main
+  arguments:
+    parameters:
+      - name: repo
+        value: https://gitea.marcin00.pl/pikram/user-microservice.git
+      - name: branch
+        value: main
+      - name: image
+        value: marcin00.azurecr.io/user-microservice
+      - name: registry_server
+        value: marcin00.azurecr.io
+  serviceAccountName: edu-agentpool
+  volumeClaimTemplates:
+  - metadata:
+      name: workspace
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: 128Mi
+  volumes:
+  - name: secrets-store
+    csi:
+      driver: secrets-store.csi.k8s.io
+      readOnly: true
+      volumeAttributes:
+        secretProviderClass: azure-keyvault
+  templates:
+
+  # 🔁 Main steps sequence
+  - name: main
+    steps:
+      - - name: checkout
+          template: checkout
+          arguments:
+            parameters:
+              - name: repo
+                value: "{{workflow.parameters.repo}}"
+              - name: branch
+                value: "{{workflow.parameters.branch}}"
+      - - name: tests
+          template: tests
+      - - name: build-test-and-push-image
+          template: build-test-and-push-image
+          arguments:
+            parameters:
+              - name: git-sha
+                value: "{{steps.checkout.outputs.parameters.git-sha}}"
+
+  # 📦 GIT CHECKOUT
+  - name: checkout
+    inputs:
+      parameters:
+        - name: repo
+        - name: branch
+    container:
+      image: alpine/git
+      command: [sh,-c]
+      workingDir: /workspace
+      args:
+        - |
+          git clone --depth 1 --branch "{{inputs.parameters.branch}}" --single-branch "{{inputs.parameters.repo}}" repo
+          cd repo
+          git rev-parse HEAD > /tmp/gitsha.txt
+      volumeMounts:
+        - name: workspace
+          mountPath: /workspace
+    outputs:
+      parameters:
+        - name: git-sha
+          valueFrom:
+            path: /tmp/gitsha.txt
+
+  # 🧪 PYTHON TESTS
+  - name: tests
+    script:
+      image: python:3.11.7-alpine
+      command: [sh]
+      workingDir: /workspace/repo/api
+      source: |
+        python3 -m venv env
+        . env/bin/activate
+        pip install -r requirements.txt pytest
+        python3 -m pytest --junit-xml=pytest_junit.xml
+      volumeMounts:
+        - name: workspace
+          mountPath: /workspace
+
+# 🐳 BUILDS AND GOSS TESTS
+  - name: build-test-and-push-image
+    inputs:
+      parameters:
+        - name: git-sha
+    container:
+      image: docker:dind
+      command: [sh, -c]
+      workingDir: /workspace/repo
+      args:
+        - |
+          dockerd-entrypoint.sh &
+          sleep 3
+          DOCKER_IMAGE={{workflow.parameters.image}}:{{inputs.parameters.git-sha}}
+          docker build -t $DOCKER_IMAGE .
+
+          apk add --no-cache bash
+
+          wget https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -O goss
+          wget https://github.com/aelsabbahy/goss/releases/latest/download/dgoss -O dgoss
+          chmod +rx *goss
+
+          export GOSS_OPTS="-f junit"
+          export GOSS_PATH=./goss
+          export GOSS_SLEEP=3
+          ./dgoss run -e SQLALCHEMY_DATABASE_URI=sqlite:///:memory: $DOCKER_IMAGE > /workspace/goss_junit.xml
+          
+          echo "===> Logging into ACR"
+          ACR_PASSWORD=$(cat /mnt/secrets/acr-password)
+          echo "$ACR_PASSWORD" | docker login {{workflow.parameters.registry_server}} -u $ACR_USERNAME --password-stdin
+
+          echo "===> Pushing image to ACR"
+          docker push $DOCKER_IMAGE
+      env:
+        - name: ACR_USERNAME
+          value: marcin00
+      securityContext:
+        privileged: true
+      volumeMounts:
+        - name: workspace
+          mountPath: /workspace
+        - name: docker-library
+          mountPath: /var/lib/docker
+        - name: secrets-store
+          mountPath: "/mnt/secrets"
+          readOnly: true
+    volumes:
+      - name: docker-library
+        emptyDir: {}

argo-workflows/role-binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-edu-agentpool-binding
+  namespace: argo
+subjects:
+  - kind: ServiceAccount
+    name: edu-agentpool
+    namespace: argo
+roleRef:
+  kind: Role
+  name: argo-workflow-manager
+  apiGroup: rbac.authorization.k8s.io

argo-workflows/secret-store.yaml

@@ -0,0 +1,25 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: azure-keyvault
+  namespace: argo
+spec:
+  provider: azure
+  secretObjects:
+    - secretName: acr-creds
+      type: Opaque
+      data:
+        - objectName: acr-password
+        - key: password
+  parameters:
+    usePodIdentity: "false"
+    useVMManagedIdentity: "true"
+    userAssignedIdentityID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+    clientID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd"               # client_id of the user-assigned managed identity
+    keyvaultName: "dev-aks"
+    objects:  |
+      array:
+        - |
+          objectName: acr-password
+          objectType: secret
+    tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"