diff --git a/tekton/publish.yaml b/tekton/publish.yaml
index 361d1f5de79..48c09956485 100644
--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -30,6 +30,9 @@ spec:
 default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64
 - name: serviceAccountPath
 description: The name of the service account path within the release-secret workspace
+ - name: registryUser
+ description: Username to be used to login to the container registry
+ default: "_json_key"
 workspaces:
 - name: source
 description: >-
@@ -50,6 +53,8 @@ spec:
 value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
 - name: CONTAINER_REGISTRY
 value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
+ - name: CONTAINER_REGISTRY_USER
+ value: "$(params.registryUser)"
 - name: REGIONS
 value: "$(params.imageRegistryRegions)"
 - name: OUTPUT_RELEASE_DIR
@@ -68,7 +73,7 @@ spec:
 # Login to the container registry
 DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
- crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
+ crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
 sed 's,^.*logged in via \(.*\)$,\1,g')
 # Auth with account credentials for all regions.
diff --git a/tekton/release-cheat-sheet.md b/tekton/release-cheat-sheet.md
index af86c88f57d..929d273a71f 100644
--- a/tekton/release-cheat-sheet.md
+++ b/tekton/release-cheat-sheet.md
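Review bot: The description of the new `registryUser` parameter in tekton/publish.yaml does not say which credential the username is paired with, which matters now that the login user is configurable. The login step pipes a credentials file into `crane auth login --password-stdin`, and that file appears to be the one selected by `serviceAccountPath`, though the env entry naming it lies outside the hunks. I would extend the description to something like `Username for the container registry login; the password is read from the file at serviceAccountPath. The default _json_key pairs with a JSON service-account key.` so that anyone overriding the user also checks that the file holds a matching credential.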
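Review bot: `${CONTAINER_REGISTRY_USER}` is expanded unquoted on the new `crane auth login` line, so a value containing whitespace or glob characters is split into extra arguments instead of being passed as a single username. Passing the parameter through an environment variable rather than interpolating `$(params.registryUser)` into the script text is the right pattern, and quoting completes it: `crane auth login -u "${CONTAINER_REGISTRY_USER}" --password-stdin $(params.imageRegistry) 2>&1 | \`. The same line still substitutes `$(params.imageRegistry)` directly into the script, which this commit does not change. The script starts and ends outside the hunk.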
@@ -62,9 +62,11 @@ the pipelines repo, a terminal window and a text editor.
 --serviceaccount=release-right-meow \
 --param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
 --param=serviceAccountPath=release.json \
+ --param=serviceAccountImagesPath=release.json \
 --param=versionTag="${TEKTON_VERSION}" \
 --param=releaseBucket=gs://tekton-releases/pipeline \
 --workspace name=release-secret,secret=release-secret \
+ --workspace name=release-images-secret,secret=release-secret \
 --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
 --tasks-timeout 2h \
 --pipeline-timeout 3h
diff --git a/tekton/release-pipeline.yaml b/tekton/release-pipeline.yaml
index a6875d844a0..fc3cc6d5245 100644
--- a/tekton/release-pipeline.yaml
+++ b/tekton/release-pipeline.yaml
@@ -19,6 +19,9 @@ spec:
 - name: imageRegistryRegions
 description: The target image registry regions
 default: "us eu asia"
+ - name: imageRegistryUser
+ description: The user for the image registry credentials
+ default: _json_key
 - name: versionTag
 description: The X.Y.Z version that the artifacts should be tagged with
 - name: releaseBucket
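Review bot: The new `imageRegistryUser` parameter in tekton/release-pipeline.yaml writes its default as the plain scalar `_json_key`, while the matching task parameter in tekton/publish.yaml quotes it as `"_json_key"`. Both parse to the same string, but `default: "_json_key"` here would keep the two declarations consistent and follow the quoted `"us eu asia"` just above. The pipeline parameter is named `imageRegistryUser` and the task parameter `registryUser`, so the description could name the task parameter it feeds, which makes the mapping in the publish-images task easier to verify.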
@@ -38,11 +41,15 @@ spec:
 default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64
 - name: serviceAccountPath
 description: The path to the service account file within the release-secret workspace
+ - name: serviceAccountImagesPath
+ description: The path to the service account file or credentials within the release-images-secret workspace
 workspaces:
 - name: workarea
 description: The workspace where the repo will be cloned.
 - name: release-secret
- description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
+ description: The secret that contains a service account authorized to push to the output bucket
+ - name: release-images-secret
+ description: The secret that contains a service account authorized to push to the imageRegistry
 results:
 - name: commit-sha
 description: the sha of the commit that was released
@@ -157,12 +164,12 @@ spec:
 value: $(params.imageRegistry)
 - name: imageRegistryPath
 value: $(params.imageRegistryPath)
- - name: imageRegistryRegions
- value: $(params.imageRegistryRegions)
+ - name: imageRegistryUser
+ value: $(params.registryUser)
 - name: releaseAsLatest
 value: $(params.releaseAsLatest)
 - name: serviceAccountPath
- value: $(params.serviceAccountPath)
+ value: $(params.serviceAccountImagesPath)
 - name: platforms
 value: $(params.publishPlatforms)
 workspaces:
@@ -173,7 +180,7 @@ spec:
 workspace: workarea
 subpath: bucket
 - name: release-secret
- workspace: release-secret
+ workspace: release-images-secret
 timeout: 2h
 - name: publish-to-bucket
 runAfter: [publish-images]
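Review bot: The descriptions of `release-secret` and `release-images-secret` do not say that the split only narrows privilege when the two workspaces are bound to differently scoped credentials. The cheat-sheet hunk in this same commit binds both to `secret=release-secret` with `release.json` for both paths, and in that configuration the registry step still receives the bucket credential. I would make the intent explicit, for example `The secret that contains a credential authorized to push to the imageRegistry only; bind a separate secret from release-secret where possible`. `serviceAccountImagesPath` is added without a default, so existing invocations need the new parameter and workspace before they run again.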
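Review bot: The new entry in the publish-images params has its two names the wrong way round: it passes a task parameter called `imageRegistryUser` whose value reads `$(params.registryUser)`. The pipeline declares `imageRegistryUser` and the task in tekton/publish.yaml declares `registryUser`, so the entry should be named after the task parameter and read the pipeline parameter. As written it references a pipeline parameter that is not declared in the visible hunks, which Tekton would be expected to reject. The same edit also removes the `imageRegistryRegions` pass-through, although the task still reads `$(params.imageRegistryRegions)` for `REGIONS`. Unless that removal is intended, the pipeline's regions setting no longer reaches the task, and the run fails if the task has no default. The params list starts outside the hunk.

```yaml
# … unchanged: imageRegistry, imageRegistryPath …
- name: imageRegistryRegions
  value: $(params.imageRegistryRegions)
- name: registryUser
  value: $(params.imageRegistryUser)
# … unchanged: releaseAsLatest, serviceAccountPath, platforms …
```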
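Review bot: In the publish-images workspace bindings, the task workspace `release-secret` is now bound to the pipeline workspace `release-images-secret`, and the mismatched names read like a typo to anyone who has not looked at the task. A comment above the binding would record that it is deliberate, for example `# the publish task names its credentials workspace release-secret; here it receives only the registry credentials`. The `serviceAccountPath` entry that now carries `$(params.serviceAccountImagesPath)` in the previous hunk would benefit from the same kind of comment. The task list continues outside the hunk.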