
🔐 An application build (buildah) will not have access to other repositories in the Registry

Open · Richard87 opened this issue 1 year ago · 1 comment

ALTERNATIVE: https://external-secrets.io/latest/api/generator/acr/

We can leverage ExternalSecretsOperator with Workload Identity to create short lived tokens that only have access to individual repositories and cache.

ALTERNATIVE 2: Create ACR refresh tokens ourselves, like we do in the Vulnerability Scanner

Since the pipeline runner runs in the user-app-namespace, we can't use its own workload identity; we probably have to use the Operator's or the API's workload identity to create the token, and pass it to the pipeline runner via secrets.

BLOCKER: https://github.com/Azure/acr/issues/380

Currently:

Right now we use password auth, but it requires a secret and rotating keys. We should instead use workload identity and fetch a short-lived token on demand, to simplify infrastructure and maintenance and to improve security.

It would be nice if ACR supported scoped access for managed identities, but currently they get access to all repositories in the registry: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions#limitations

Alternative: use a managed identity to create a scoped access password when required, for limited access to Buildah.

You can add this block to terraform/infrastructure/s941/dev/acr/acr.tf to create a managed identity with access to the repository:

# One user-assigned managed identity per cluster environment.
resource "azurerm_user_assigned_identity" "acr_id" {
  for_each = toset(var.K8S_ENVIROMENTS)

  name                = "id_radix_acr_cache-${each.value}-${var.AZ_LOCATION}"
  location            = var.AZ_LOCATION
  resource_group_name = var.AZ_RESOURCE_GROUP_COMMON
}

# Role assignments are scoped to the whole registry (ACR does not support
# repository-scoped RBAC for managed identities, see the limitations link above),
# so AcrPull/AcrPush apply to every repository in it.
resource "azurerm_role_assignment" "RADIX_ACR_CACHE_PULL" {
  for_each = toset(var.K8S_ENVIROMENTS)

  principal_id                     = azurerm_user_assigned_identity.acr_id[each.key].principal_id
  scope                            = azurerm_container_registry.acr[each.key].id
  role_definition_name             = "AcrPull"
  skip_service_principal_aad_check = true # identity was created in the same apply; skip the replication wait
}

resource "azurerm_role_assignment" "RADIX_ACR_CACHE_PUSH" {
  for_each = toset(var.K8S_ENVIROMENTS)

  principal_id                     = azurerm_user_assigned_identity.acr_id[each.key].principal_id
  scope                            = azurerm_container_registry.acr[each.key].id
  role_definition_name             = "AcrPush"
  skip_service_principal_aad_check = true
}

The managed identity would replace the pull-image-secret we are uploading to Kubernetes, and this file could probably be deleted: terraform/infrastructure/s941/dev/acr/pull-image-secret.tf

Richard87 · Oct 25 '23 10:10
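The token flow behind both the ESO ACR generator (ALTERNATIVE) and "create the refresh tokens ourselves" (ALTERNATIVE 2), as an added example that is not code from the radix-platform repository or from this issue: a Workload Identity federated token is exchanged at Entra ID for an access token, that token is exchanged at the registry's `/oauth2/exchange` endpoint for an ACR refresh token, and the refresh token is narrowed at `/oauth2/token` to a short-lived access token whose `scope` names a single repository. The resulting JWT's `access` claim is then checked so a token that happens to cover more than the requested repository is rejected. The endpoints are the documented ACR and Entra ones; the environment variable names `ACR_REGISTRY` and `ACR_REPOSITORY`, the function names, and the offline `unsigned_jwt` sample are assumptions of this example.

```python
"""Added example: Entra ID -> ACR refresh token -> repository-scoped ACR access token."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

ENTRA_LOGIN = "https://login.microsoftonline.com"
ARM_SCOPE = "https://management.azure.com/.default"
ACR_ACTIONS = {"pull", "push", "delete", "metadata_read", "metadata_write"}


def entra_token_body(client_id: str, federated_token: str) -> bytes:
    """Form body for Workload Identity's client_credentials grant at
    {ENTRA_LOGIN}/{tenant}/oauth2/v2.0/token: the projected Kubernetes
    service-account token is presented as the client assertion."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": federated_token,
        "scope": ARM_SCOPE,
    }).encode()


def exchange_body(registry: str, tenant_id: str, entra_token: str) -> bytes:
    """Form body for POST https://{registry}/oauth2/exchange -> ACR refresh token."""
    return urllib.parse.urlencode({
        "grant_type": "access_token",
        "service": registry,
        "tenant": tenant_id,
        "access_token": entra_token,
    }).encode()


def repo_scope(repository: str, actions=("pull",)) -> str:
    """Docker-registry scope naming one repository, e.g. 'repository:app:pull,push'."""
    unknown = set(actions) - ACR_ACTIONS
    if unknown:
        raise ValueError(f"unsupported ACR actions: {sorted(unknown)}")
    return f"repository:{repository}:{','.join(actions)}"


def token_body(registry: str, refresh_token: str, scope: str) -> bytes:
    """Form body for POST https://{registry}/oauth2/token: the refresh token is
    narrowed to a short-lived access token valid for `scope` only."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "service": registry,
        "scope": scope,
        "refresh_token": refresh_token,
    }).encode()


def post_form(url: str, body: bytes) -> dict:
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: fine for inspecting
    a token we just received from ACR, never for making an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_access(claims: dict) -> dict:
    """Collapse the Docker token-spec 'access' claim
    [{"type": "repository", "name": ..., "actions": [...]}, ...] to {repo: set(actions)}."""
    granted = {}
    for entry in claims.get("access", []):
        if entry.get("type") == "repository":
            granted.setdefault(entry["name"], set()).update(entry.get("actions", []))
    return granted


def check_scoped_to(claims: dict, repository: str, actions) -> bool:
    """True only if the token names exactly this repository with at least `actions`;
    a token that also grants other repositories fails the check."""
    granted = granted_access(claims)
    return set(granted) == {repository} and set(actions) <= granted[repository]


def fetch_scoped_token(registry, tenant_id, entra_token, repository, actions=("pull",)) -> str:
    refresh = post_form(f"https://{registry}/oauth2/exchange",
                        exchange_body(registry, tenant_id, entra_token))["refresh_token"]
    access = post_form(f"https://{registry}/oauth2/token",
                       token_body(registry, refresh, repo_scope(repository, actions)))["access_token"]
    if not check_scoped_to(jwt_claims(access), repository, actions):
        raise PermissionError(f"ACR returned a token not limited to {repository}")
    return access


def unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) so the scope check can be
    exercised offline; the live flow above never uses this."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    # AZURE_* names are what Workload Identity injects; ACR_* names are this example's.
    need = ("ACR_REGISTRY", "ACR_REPOSITORY", "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE")
    if not all(os.environ.get(k) for k in need):
        sys.exit(f"set {', '.join(need)} to run the live flow")
    with open(os.environ["AZURE_FEDERATED_TOKEN_FILE"]) as f:
        federated = f.read().strip()
    tenant = os.environ["AZURE_TENANT_ID"]
    entra = post_form(f"{ENTRA_LOGIN}/{tenant}/oauth2/v2.0/token",
                      entra_token_body(os.environ["AZURE_CLIENT_ID"], federated))["access_token"]
    token = fetch_scoped_token(os.environ["ACR_REGISTRY"], tenant, entra, os.environ["ACR_REPOSITORY"])
    print("granted:", granted_access(jwt_claims(token)))  # the token itself is not printed
```

The refresh token obtained at `/oauth2/exchange` still represents the identity's full registry rights, so it is the thing to keep inside the operator or API and never hand to the pipeline runner; only the narrowed access token from `/oauth2/token` should reach Buildah, and its `access` claim is what proves the narrowing actually happened.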