@imjasonh
Created October 2, 2020 18:11
GCR creds-updating Tekton sidecar
# Demonstrates a GCR creds-updating sidecar
# - The `creds-refresh` sidecar periodically fetches a Service Account auth
#   token from the GCE metadata server and uses it with `docker login` to
#   authorize docker pushes to GCR.
# - The dind sidecar provides an ephemeral Docker daemon to run builds and
#   store images before they're pushed.
# - The step periodically uses these credentials to push an image to GCR.
#
# $ kubectl create -f gcr-creds.yaml
# taskrun.tekton.dev/gcr-creds-9d7t7 created
# $ tkn tr logs gcr-creds-9d7t7
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  generateName: gcr-creds-
spec:
  taskSpec:
    steps:
    # NB: If this is running *without* Workload Identity, the node SA
    # ([projnum]-compute@developer.gserviceaccount.com) needs to have the
    # Storage Read/Write scope (not the default Read-Only), since the token
    # fetched below carries the node's scopes.
    - image: docker
      script: |
        #!/bin/sh
        set -ex
        docker pull busybox
        while true; do
          tag=$(date +%s)
          docker tag busybox gcr.io/jasonhall-kube/date:$tag
          docker push gcr.io/jasonhall-kube/date:$tag
          sleep 60
        done
      env:
      # Read the config.json that the creds-refresh sidecar keeps updated.
      - name: DOCKER_CONFIG
        value: /gcb-compat/
      # Connect to the sidecar over TCP, with TLS.
      - name: DOCKER_HOST
        value: tcp://localhost:2376
      # Verify TLS.
      - name: DOCKER_TLS_VERIFY
        value: '1'
      # Use the certs generated by the sidecar daemon.
      - name: DOCKER_CERT_PATH
        value: /certs/client
      volumeMounts:
      - name: docker-config
        mountPath: /gcb-compat/
      - mountPath: /certs/client
        name: dind-certs
    sidecars:
    - image: docker:dind
      name: server
      args:
      - --storage-driver=vfs
      - --userland-proxy=false
      - --debug
      # dind needs a privileged container to run its own daemon.
      securityContext:
        privileged: true
      env:
      # Write generated certs to the path shared with the client.
      - name: DOCKER_TLS_CERTDIR
        value: /certs
      volumeMounts:
      - mountPath: /certs/client
        name: dind-certs
      # Wait for the dind daemon to generate the certs it will share with the
      # client.
      readinessProbe:
        periodSeconds: 1
        exec:
          command: ['ls', '/certs/client/ca.pem']
    - name: creds-refresh
      image: docker
      script: |
        #!/bin/sh
        set -e
        while true; do
          # With ?alt=text the metadata server answers one "key value" pair per
          # line (access_token, expires_in, token_type); take the access_token.
          p=$(wget -qO- --header="Metadata-Flavor: Google" \
            'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?alt=text' \
            | awk '$1 == "access_token" { print $2 }')
          echo "$p" | docker login -u oauth2accesstoken --password-stdin https://gcr.io
          sleep 300 # 5 minutes; the token itself is valid for about an hour
        done
      # Wait for the config file to be written.
      readinessProbe:
        periodSeconds: 1
        exec:
          command: ['ls', '/gcb-compat/config.json']
      env:
      # `docker login` writes config.json here, on the volume shared with the step.
      - name: DOCKER_CONFIG
        value: /gcb-compat/
      volumeMounts:
      - name: docker-config
        mountPath: /gcb-compat/
    volumes:
    - name: docker-config
      emptyDir: {}
    - name: dind-certs
      emptyDir: {}
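The creds-refresh loop above works, but it trusts the field order of the metadata reply, refreshes on a fixed timer, and dies under `set -e` on the first failed fetch. The following is an added example (my own code, not part of the gist) of a hardened version of that sidecar script: it parses the `?alt=text` reply by key, derives the refresh interval from `expires_in`, writes the same `config.json` that `docker login -u oauth2accesstoken` produces (so the sidecar image no longer needs the docker CLI), writes it atomically with mode 0600, and keeps the last good credentials on a failed fetch. `METADATA_URL` is the URL the gist uses; the `CREDS_REFRESH_RUN` guard, the function names and the sample reply are my own constructions.

```shell
#!/bin/sh
# Added example, not from the gist: a hardened token-refresh loop for the
# creds-refresh sidecar. Run with CREDS_REFRESH_RUN=1 and DOCKER_CONFIG set
# (e.g. /gcb-compat/) inside the sidecar; otherwise it only defines functions.
set -eu

# Same endpoint the gist queries (assumption: default service account).
METADATA_URL='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?alt=text'
REGISTRY='https://gcr.io'

# Extract one field from an alt=text reply. A constructed sample reply, in
# the server's line format, looks like:
#   access_token ya29....
#   expires_in 3599
#   token_type Bearer
# $1: reply text, $2: key. Prints the value, or nothing if the key is absent.
token_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Seconds to wait before the next refresh: half the token lifetime, but never
# less than 60s so a short or garbled expires_in cannot turn this into a
# tight loop against the metadata server. $1: expires_in.
refresh_after() {
    s=$(( $1 / 2 ))
    if [ "$s" -lt 60 ]; then s=60; fi
    echo "$s"
}

# config.json equivalent to `docker login -u oauth2accesstoken <registry>`:
# auth is base64("oauth2accesstoken:<token>"). $1: registry URL, $2: token.
docker_config_json() {
    auth=$(printf '%s' "oauth2accesstoken:$2" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$auth"
}

# Write config.json atomically (tmp file + rename) with mode 0600, so the
# step never reads a half-written file and the token is not world-readable
# on the shared emptyDir. $1: DOCKER_CONFIG directory, $2: JSON text.
write_docker_config() {
    (
        umask 077
        printf '%s\n' "$2" > "$1/.config.json.tmp"
        mv "$1/.config.json.tmp" "$1/config.json"
    )
}

# Sidecar main loop. A failed fetch, or a reply without an access_token,
# leaves the previous config.json in place and retries, instead of exiting
# (or piping an empty password to docker login) as the fixed-timer loop does.
refresh_loop() {
    while :; do
        if reply=$(wget -qO- --header='Metadata-Flavor: Google' "$METADATA_URL") \
           && tok=$(token_field "$reply" access_token) && [ -n "$tok" ]; then
            ttl=$(token_field "$reply" expires_in)
            write_docker_config "${DOCKER_CONFIG%/}" "$(docker_config_json "$REGISTRY" "$tok")"
            sleep "$(refresh_after "${ttl:-3600}")"
        else
            echo "creds-refresh: token fetch failed, retrying in 30s" >&2
            sleep 30
        fi
    done
}

if [ "${CREDS_REFRESH_RUN:-0}" = 1 ]; then
    refresh_loop
fi
```

The readiness probe from the gist (`ls /gcb-compat/config.json`) still works unchanged with this script, because the file only appears once the first token has been written; the rename also guarantees the step never sees a truncated `config.json` mid-refresh.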