ImagePullSecrets: Add GAR secret to image_pull_secret in .drone.yml (#80912)

* Add GAR secret to image_pull_secret * Fix starlark fmt
2025-02-25 18:55:37 -06:00 · 2024-01-19 19:29:49 +02:00 · 2024-01-19 19:29:49 +02:00 · 65104a7efa
commit 65104a7efa
parent 361c49233d
3 changed files with 102 additions and 48 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -5,7 +5,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-verify-drone
 node:
@ -55,7 +56,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-verify-starlark
 node:
@ -105,7 +107,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-test-frontend
 node:
@ -184,7 +187,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-lint-frontend
 node:
@ -274,7 +278,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-test-backend
 node:
@ -380,7 +385,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-lint-backend
 node:
@ -475,7 +481,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-build-e2e
 node:
@ -757,7 +764,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-integration-tests
 node:
@ -1021,7 +1029,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-docs
 node:
@ -1095,7 +1104,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-shellcheck
 node:
@ -1137,7 +1147,8 @@ clone:
  retries: 3
 depends_on: []
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-swagger-gen
 node:
@ -1200,7 +1211,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: pr-integration-benchmarks
 node:
@ -1376,7 +1388,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-docs
 node:
@ -1451,7 +1464,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-test-frontend
 node:
@ -1508,7 +1522,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-lint-frontend
 node:
@ -1576,7 +1591,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-test-backend
 node:
@ -1655,7 +1671,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-lint-backend
 node:
@ -1729,7 +1746,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-build-e2e-publish
 node:
@ -2129,7 +2147,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-integration-tests
 node:
@ -2372,7 +2391,8 @@ depends_on:
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-windows
 platform:
@ -2416,7 +2436,8 @@ depends_on:
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: main-trigger-downstream
 node:
@ -2499,7 +2520,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: publish-docker-public
 node:
@ -2605,7 +2627,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: publish-artifacts-public
 node:
@ -2674,7 +2697,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: publish-npm-packages-public
 node:
@ -2739,7 +2763,8 @@ depends_on:
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: publish-packages
 node:
@ -2827,7 +2852,8 @@ depends_on:
 - main-test-backend
 - main-test-frontend
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-main-prerelease
 node:
@ -2902,7 +2928,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: release-whatsnew-checker
 node:
@ -2946,7 +2973,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: release-test-frontend
 node:
@ -3001,7 +3029,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: release-test-backend
 node:
@ -3078,7 +3107,8 @@ depends_on:
 - release-test-backend
 - release-test-frontend
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-tag-prerelease
 node:
@ -3149,7 +3179,8 @@ clone:
 depends_on:
 - rgm-tag-prerelease
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-tag-prerelease-windows
 platform:
@ -3213,7 +3244,8 @@ depends_on:
 - rgm-tag-prerelease
 - rgm-tag-prerelease-windows
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-tag-verify-prerelease-assets
 node:
@ -3258,7 +3290,8 @@ depends_on:
 - release-test-backend
 - release-test-frontend
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-version-branch-prerelease
 node:
@ -3323,7 +3356,8 @@ clone:
 depends_on:
 - rgm-version-branch-prerelease
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-prerelease-verify-prerelease-assets
 node:
@ -3362,7 +3396,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: nightly-test-frontend
 node:
@ -3415,7 +3450,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: nightly-test-backend
 node:
@ -3490,7 +3526,8 @@ depends_on:
 - nightly-test-backend
 - nightly-test-frontend
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-nightly-build
 node:
@ -3597,7 +3634,8 @@ clone:
 depends_on:
 - rgm-nightly-build
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-nightly-publish
 node:
@ -3744,7 +3782,8 @@ clone:
  retries: 3
 depends_on: []
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: rgm-promotion
 node:
@ -3846,7 +3885,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: testing-test-backend-windows
 platform:
@ -3898,7 +3938,8 @@ depends_on: []
 environment:
  EDITION: oss
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: integration-tests
 node:
@ -4121,7 +4162,8 @@ clone:
  disable: true
 depends_on: []
 image_pull_secrets:
- dockerconfigjson
+- gcr
 - gar
 kind: pipeline
 name: publish-ci-windows-test-image
 platform:
@ -4560,7 +4602,13 @@ get:
  name: .dockerconfigjson
  path: secret/data/common/gcr
 kind: secret
-name: dockerconfigjson
+name: gcr
 ---
 get:
  name: .dockerconfigjson
  path: secret/data/common/gar
 kind: secret
 name: gar
 ---
 get:
  name: pat
@ -4731,6 +4779,6 @@ kind: secret
 name: gcr_credentials
 ---
 kind: signature
-hmac: f5bca13f4f753f2c911b11b8a2102a51243ce8a215126d2075dc73f8b7628a4d
+hmac: c960d3059e4cb4c852b4b51ce07867d9ea1ab42cb0f30f5775e9889dba71dff3
 ...
--- a/scripts/drone/utils/utils.star
+++ b/scripts/drone/utils/utils.star
@ -6,7 +6,11 @@ load(
    "scripts/drone/steps/lib.star",
    "slack_step",
 )
-load("scripts/drone/vault.star", "pull_secret")
+load(
    "scripts/drone/vault.star",
    "gar_pull_secret",
    "gcr_pull_secret",
 )
 failure_template = "Build {{build.number}} failed for commit: <https://github.com/{{repo.owner}}/{{repo.name}}/commit/{{build.commit}}|{{ truncate build.commit 8 }}>: {{build.link}}\nBranch: <https://github.com/{{ repo.owner }}/{{ repo.name }}/commits/{{ build.branch }}|{{ build.branch }}>\nAuthor: {{build.author}}"
@ -83,7 +87,7 @@ def pipeline(
            },
        ],
        "depends_on": depends_on,
-        "image_pull_secrets": [pull_secret],
+        "image_pull_secrets": [gcr_pull_secret, gar_pull_secret],
    }
    if environment:
        pipeline.update(
--- a/scripts/drone/vault.star
+++ b/scripts/drone/vault.star
@ -1,7 +1,8 @@
 """
 This module returns functions for generating Drone secrets fetched from Vault.
 """
-pull_secret = "dockerconfigjson"
+gcr_pull_secret = "gcr"
 gar_pull_secret = "gar"
 drone_token = "drone_token"
 prerelease_bucket = "prerelease_bucket"
 gcp_upload_artifacts_key = "gcp_upload_artifacts_key"
@ -43,7 +44,8 @@ def secrets():
        vault_secret(gcp_grafanauploads, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials.json"),
        vault_secret(gcp_grafanauploads_base64, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials_base64"),
        vault_secret("grafana_api_key", "infra/data/ci/grafana-release-eng/grafanacom", "api_key"),
-        vault_secret(pull_secret, "secret/data/common/gcr", ".dockerconfigjson"),
+        vault_secret(gcr_pull_secret, "secret/data/common/gcr", ".dockerconfigjson"),
        vault_secret(gar_pull_secret, "secret/data/common/gar", ".dockerconfigjson"),
        vault_secret("github_token", "infra/data/ci/github/grafanabot", "pat"),
        vault_secret(drone_token, "infra/data/ci/drone", "machine-user-token"),
        vault_secret(prerelease_bucket, "infra/data/ci/grafana/prerelease", "bucket"),