Merge pull request #93 from jduimovich/env-var-declarations

add env vars declarations and comments for Image Registry user/pw

Author: jduimovich

generated/gitops-template/githubactions/.github/workflows/gitops-promotion.yml

@@ -13,8 +13,6 @@ env:
   # 🖊️ EDIT to change the image registry settings.
   # Registries such as GHCR, Quay.io, and Docker Hub are supported.
   IMAGE_REGISTRY: ${{ secrets.IMAGE_REGISTRY }}
-  IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
-  IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
 
   # Used to verify the image signature and attestation
   COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
@@ -25,8 +23,16 @@ env:
   TRUSTIFICATION_OIDC_CLIENT_ID: ${{ secrets.TRUSTIFICATION_OIDC_CLIENT_ID }}
   TRUSTIFICATION_OIDC_CLIENT_SECRET: ${{ secrets.TRUSTIFICATION_OIDC_CLIENT_SECRET }}
   TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: ${{ secrets.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }}
-  QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
-  QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
+  # Set this to the user for your specific registry
+  IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
+  # Set this password for your specific registry
+  IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
+  # QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
+  # QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
+  # ARTIFACTORY_IO_CREDS_USR: ${{ secrets.ARTIFACTORY_IO_CREDS_USR }}
+  # ARTIFACTORY_IO_CREDS_PSW: ${{ secrets.ARTIFACTORY_IO_CREDS_PSW }}
+  # NEXUS_IO_CREDS_USR: ${{ secrets.NEXUS_IO_CREDS_USR }}
+  # NEXUS_IO_CREDS_PSW: ${{ secrets.NEXUS_IO_CREDS_PSW }}
 
   # 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below.
   IMAGE_TAGS: ""
@@ -53,17 +59,26 @@ jobs:
         script: |
           const secrets = {
             IMAGE_REGISTRY: `${{ secrets.IMAGE_REGISTRY }}`,
-            IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`,
-            IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`,
 
-            COSIGN_PUBLIC_KEY: `${{ secrets.COSIGN_PUBLIC_KEY }}`,
-            TRUSTIFICATION_BOMBASTIC_API_URL: `${{ secrets.TRUSTIFICATION_BOMBASTIC_API_URL }}`,
-            TRUSTIFICATION_OIDC_ISSUER_URL: `${{ secrets.TRUSTIFICATION_OIDC_ISSUER_URL }}`,
-            TRUSTIFICATION_OIDC_CLIENT_ID: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_ID }}`,
-            TRUSTIFICATION_OIDC_CLIENT_SECRET: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_SECRET }}`,
-            TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: `${{ secrets.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }}`,
-            QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`,
-            QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`,
+            /* Used to verify the image signature and attestation */
+            COSIGN_PUBLIC_KEY: `${{ secrets.COSIGN_PUBLIC_KEY }}`, 
+            /* URL of the BOMbastic api host (e.g. https://sbom.trustification.dev) */
+            TRUSTIFICATION_BOMBASTIC_API_URL: `${{ secrets.TRUSTIFICATION_BOMBASTIC_API_URL }}`, 
+            /* URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken) */
+            TRUSTIFICATION_OIDC_ISSUER_URL: `${{ secrets.TRUSTIFICATION_OIDC_ISSUER_URL }}`, 
+            TRUSTIFICATION_OIDC_CLIENT_ID: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_ID }}`, 
+            TRUSTIFICATION_OIDC_CLIENT_SECRET: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_SECRET }}`, 
+            TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: `${{ secrets.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }}`, 
+            /* Set this to the user for your specific registry */
+            IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`, 
+            /* Set this password for your specific registry */
+            IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`, 
+            /*QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`, */
+            /*QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`, */
+            /*ARTIFACTORY_IO_CREDS_USR: `${{ secrets.ARTIFACTORY_IO_CREDS_USR }}`, */
+            /*ARTIFACTORY_IO_CREDS_PSW: `${{ secrets.ARTIFACTORY_IO_CREDS_PSW }}`, */
+            /*NEXUS_IO_CREDS_USR: `${{ secrets.NEXUS_IO_CREDS_USR }}`, */
+            /*NEXUS_IO_CREDS_PSW: `${{ secrets.NEXUS_IO_CREDS_PSW }}`, */
           };
           const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
             if (value.length === 0) {

generated/gitops-template/jenkins/Jenkinsfile

@@ -19,7 +19,13 @@ pipeline {
         TRUSTIFICATION_OIDC_CLIENT_ID = credentials('TRUSTIFICATION_OIDC_CLIENT_ID')
         TRUSTIFICATION_OIDC_CLIENT_SECRET = credentials('TRUSTIFICATION_OIDC_CLIENT_SECRET')
         TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION = credentials('TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION')
+        /* Set this to the user for your specific registry */
+        /* IMAGE_REGISTRY_USER = credentials('IMAGE_REGISTRY_USER') */
+        /* Set this password for your specific registry */
+        /* IMAGE_REGISTRY_PASSWORD = credentials('IMAGE_REGISTRY_PASSWORD') */
         QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
+        /* ARTIFACTORY_IO_CREDS = credentials('ARTIFACTORY_IO_CREDS') */
+        /* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */
     }
     stages {
         stage('Verify EC') {

generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml

@@ -13,14 +13,22 @@ env:
   # 🖊️ EDIT to change the image registry settings.
   # Registries such as GHCR, Quay.io, and Docker Hub are supported.
   IMAGE_REGISTRY: ${{ secrets.IMAGE_REGISTRY }}
-  IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
-  IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
 
   ROX_API_TOKEN: ${{ secrets.ROX_API_TOKEN }}
   ROX_CENTRAL_ENDPOINT: ${{ secrets.ROX_CENTRAL_ENDPOINT }}
   GITOPS_AUTH_PASSWORD: ${{ secrets.GITOPS_AUTH_PASSWORD }}
-  QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
-  QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
+  # Uncomment this when using Gitlab
+  # GITOPS_AUTH_USERNAME: ${{ secrets.GITOPS_AUTH_USERNAME }}
+  # Set this to the user for your specific registry
+  IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
+  # Set this password for your specific registry
+  IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
+  # QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
+  # QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
+  # ARTIFACTORY_IO_CREDS_USR: ${{ secrets.ARTIFACTORY_IO_CREDS_USR }}
+  # ARTIFACTORY_IO_CREDS_PSW: ${{ secrets.ARTIFACTORY_IO_CREDS_PSW }}
+  # NEXUS_IO_CREDS_USR: ${{ secrets.NEXUS_IO_CREDS_USR }}
+  # NEXUS_IO_CREDS_PSW: ${{ secrets.NEXUS_IO_CREDS_PSW }}
   COSIGN_SECRET_PASSWORD: ${{ secrets.COSIGN_SECRET_PASSWORD }}
   COSIGN_SECRET_KEY: ${{ secrets.COSIGN_SECRET_KEY }}
   COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
@@ -56,17 +64,25 @@ jobs:
         script: |
           const secrets = {
             IMAGE_REGISTRY: `${{ secrets.IMAGE_REGISTRY }}`,
-            IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`,
-            IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`,
 
-            ROX_API_TOKEN: `${{ secrets.ROX_API_TOKEN }}`,
-            ROX_CENTRAL_ENDPOINT: `${{ secrets.ROX_CENTRAL_ENDPOINT }}`,
-            GITOPS_AUTH_PASSWORD: `${{ secrets.GITOPS_AUTH_PASSWORD }}`,
-            QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`,
-            QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`,
-            COSIGN_SECRET_PASSWORD: `${{ secrets.COSIGN_SECRET_PASSWORD }}`,
-            COSIGN_SECRET_KEY: `${{ secrets.COSIGN_SECRET_KEY }}`,
-            COSIGN_PUBLIC_KEY: `${{ secrets.COSIGN_PUBLIC_KEY }}`,
+            ROX_API_TOKEN: `${{ secrets.ROX_API_TOKEN }}`, 
+            ROX_CENTRAL_ENDPOINT: `${{ secrets.ROX_CENTRAL_ENDPOINT }}`, 
+            GITOPS_AUTH_PASSWORD: `${{ secrets.GITOPS_AUTH_PASSWORD }}`, 
+            /* Uncomment this when using Gitlab */
+            /*GITOPS_AUTH_USERNAME: `${{ secrets.GITOPS_AUTH_USERNAME }}`, */
+            /* Set this to the user for your specific registry */
+            IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`, 
+            /* Set this password for your specific registry */
+            IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`, 
+            /*QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`, */
+            /*QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`, */
+            /*ARTIFACTORY_IO_CREDS_USR: `${{ secrets.ARTIFACTORY_IO_CREDS_USR }}`, */
+            /*ARTIFACTORY_IO_CREDS_PSW: `${{ secrets.ARTIFACTORY_IO_CREDS_PSW }}`, */
+            /*NEXUS_IO_CREDS_USR: `${{ secrets.NEXUS_IO_CREDS_USR }}`, */
+            /*NEXUS_IO_CREDS_PSW: `${{ secrets.NEXUS_IO_CREDS_PSW }}`, */
+            COSIGN_SECRET_PASSWORD: `${{ secrets.COSIGN_SECRET_PASSWORD }}`, 
+            COSIGN_SECRET_KEY: `${{ secrets.COSIGN_SECRET_KEY }}`, 
+            COSIGN_PUBLIC_KEY: `${{ secrets.COSIGN_PUBLIC_KEY }}`, 
 
           };
           const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {

generated/source-repo/jenkins/Jenkinsfile

@@ -12,7 +12,14 @@ pipeline {
         GITOPS_AUTH_PASSWORD = credentials('GITOPS_AUTH_PASSWORD')
         /* Uncomment this when using Gitlab */
         /* GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME') */
+        /* Set this to the user for your specific registry */
+        /* IMAGE_REGISTRY_USER = credentials('IMAGE_REGISTRY_USER') */
+        /* Set this password for your specific registry */
+        /* IMAGE_REGISTRY_PASSWORD = credentials('IMAGE_REGISTRY_PASSWORD') */
+        /* Default registry is set to quay.io */
         QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
+        /* ARTIFACTORY_IO_CREDS = credentials('ARTIFACTORY_IO_CREDS') */
+        /* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */
         COSIGN_SECRET_PASSWORD = credentials('COSIGN_SECRET_PASSWORD')
         COSIGN_SECRET_KEY = credentials('COSIGN_SECRET_KEY')
         COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')

rhtap/init.sh

@@ -22,7 +22,6 @@ REQUIRED_BINARY+="python3 "
 # BUILD TARGETS AND REGISTRY
 # remember to leave a space when you add them to a prior ENV list
 REQUIRED_ENV="IMAGE_URL IMAGE "
-REQUIRED_ENV+="QUAY_IO_CREDS_USR QUAY_IO_CREDS_PSW "
 # Cosign signing
 REQUIRED_ENV+="COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY "
 # SCANS

templates/data.yaml

@@ -20,13 +20,49 @@ build_secrets:
   - name: GITOPS_AUTH_USERNAME
     commented_out: true
     comment: Uncomment this when using Gitlab
+
+  - name: IMAGE_REGISTRY_USER 
+    if: 'isGitHub'
+    comment: "Set this to the user for your specific registry"
+  - name: IMAGE_REGISTRY_PASSWORD 
+    if: 'isGitHub'
+    comment: "Set this password for your specific registry" 
+  - name: IMAGE_REGISTRY_USER
+    if: '!isGitHub'
+    commented_out: true
+    comment: "Set this to the user for your specific registry"
+  - name: IMAGE_REGISTRY_PASSWORD
     if: '!isGitHub'
+    commented_out: true
+    comment: "Set this password for your specific registry" 
+
   - name: QUAY_IO_CREDS
     if: isJenkins
+    comment: "Default registry is set to quay.io" 
   - name: QUAY_IO_CREDS_USR
     if: '!isJenkins'
+    commented_out: true 
   - name: QUAY_IO_CREDS_PSW
+    if: '!isJenkins' 
+    commented_out: true 
+  - name: ARTIFACTORY_IO_CREDS
+    if: isJenkins
+    commented_out: true 
+  - name: ARTIFACTORY_IO_CREDS_USR
+    if: '!isJenkins'
+    commented_out: true 
+  - name: ARTIFACTORY_IO_CREDS_PSW
+    if: '!isJenkins'  
+    commented_out: true 
+  - name: NEXUS_IO_CREDS
+    if: isJenkins
+    commented_out: true 
+  - name: NEXUS_IO_CREDS_USR
     if: '!isJenkins'
+    commented_out: true 
+  - name: NEXUS_IO_CREDS_PSW
+    if: '!isJenkins'  
+    commented_out: true 
   - name: COSIGN_SECRET_PASSWORD
   - name: COSIGN_SECRET_KEY
   - name: COSIGN_PUBLIC_KEY
@@ -49,9 +85,48 @@ gitops_secrets:
   - name: TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION
   # If the OCI registry is not public then ec needs some credentials so it can see the attestations.
   # Todo: Use different credentials here so we provide read access only instead of read/write access.
+  # github always uses these 
+  - name: IMAGE_REGISTRY_USER 
+    if: 'isGitHub'
+    comment: "Set this to the user for your specific registry"
+  - name: IMAGE_REGISTRY_PASSWORD 
+    if: 'isGitHub'
+    comment: "Set this password for your specific registry" 
+  # other CIs in transition so comment out and leave Quay.io
+  - name: IMAGE_REGISTRY_USER
+    if: '!isGitHub'
+    commented_out: true
+    comment: "Set this to the user for your specific registry"
+  - name: IMAGE_REGISTRY_PASSWORD
+    if: '!isGitHub'
+    commented_out: true
+    comment: "Set this password for your specific registry" 
+  # show all the values options in the jenkins file and other CIs
+  # this gives users a way to know what to set. Not perfect but better
+  # to be documented 
   - name: QUAY_IO_CREDS
     if: isJenkins
   - name: QUAY_IO_CREDS_USR
     if: '!isJenkins'
+    commented_out: true 
   - name: QUAY_IO_CREDS_PSW
+    if: '!isJenkins' 
+    commented_out: true 
+  - name: ARTIFACTORY_IO_CREDS
+    if: isJenkins
+    commented_out: true 
+  - name: ARTIFACTORY_IO_CREDS_USR
+    if: '!isJenkins'
+    commented_out: true 
+  - name: ARTIFACTORY_IO_CREDS_PSW
+    if: '!isJenkins'  
+    commented_out: true 
+  - name: NEXUS_IO_CREDS
+    if: isJenkins
+    commented_out: true 
+  - name: NEXUS_IO_CREDS_USR
     if: '!isJenkins'
+    commented_out: true 
+  - name: NEXUS_IO_CREDS_PSW
+    if: '!isJenkins'  
+    commented_out: true 

templates/gitops-template/gitops-promotion.yml.njk

@@ -13,14 +13,12 @@ env:
   # 🖊️ EDIT to change the image registry settings.
   # Registries such as GHCR, Quay.io, and Docker Hub are supported.
   IMAGE_REGISTRY: ${{ "secrets.IMAGE_REGISTRY" | inCurlies }}
-  IMAGE_REGISTRY_USER: ${{ "secrets.IMAGE_REGISTRY_USER" | inCurlies }}
-  IMAGE_REGISTRY_PASSWORD: ${{ "secrets.IMAGE_REGISTRY_PASSWORD" | inCurlies }}
 {% for secret in gitops_secrets %}
 {%- if secret | eval_if_condition %}
 {%- if secret.comment %}
   # {{ secret.comment }}
 {%- endif %}
-  {{ secret.name }}: ${{ ("secrets." + secret.name) | inCurlies }}
+  {% if secret.commented_out %}# {% endif %}{{ secret.name }}: ${{ ("secrets." + secret.name) | inCurlies }}
 {%- endif %}
 {%- endfor %}
 
@@ -52,11 +50,12 @@ jobs:
           #}
           const secrets = {
             IMAGE_REGISTRY: `${{ "secrets.IMAGE_REGISTRY" | inCurlies }}`,
-            IMAGE_REGISTRY_USER: `${{ "secrets.IMAGE_REGISTRY_USER" | inCurlies }}`,
-            IMAGE_REGISTRY_PASSWORD: `${{ "secrets.IMAGE_REGISTRY_PASSWORD" | inCurlies }}`,
 {% for secret in gitops_secrets %}
 {%- if secret | eval_if_condition %}
-            {{ secret.name }}: `${{ ("secrets." + secret.name) | inCurlies }}`,
+{%- if secret.comment %}
+            /* {{ secret.comment }} */
+{%- endif %}
+            {% if secret.commented_out %}/*{% endif %}{{ secret.name }}: `${{ ("secrets." + secret.name) | inCurlies }}`, {% if secret.commented_out %}*/{% endif %}
 {%- endif %}
 {%- endfor %}
           };

templates/source-repo/build-and-update-gitops.yml.njk

@@ -13,8 +13,6 @@ env:
   # 🖊️ EDIT to change the image registry settings.
   # Registries such as GHCR, Quay.io, and Docker Hub are supported.
   IMAGE_REGISTRY: ${{ "secrets.IMAGE_REGISTRY" | inCurlies }}
-  IMAGE_REGISTRY_USER: ${{ "secrets.IMAGE_REGISTRY_USER" | inCurlies }}
-  IMAGE_REGISTRY_PASSWORD: ${{ "secrets.IMAGE_REGISTRY_PASSWORD" | inCurlies }}
 {% for secret in build_secrets %}
 {%- if secret | eval_if_condition %}
 {%- if secret.comment %}
@@ -58,14 +56,12 @@ jobs:
           #}
           const secrets = {
             IMAGE_REGISTRY: `${{ "secrets.IMAGE_REGISTRY" | inCurlies }}`,
-            IMAGE_REGISTRY_USER: `${{ "secrets.IMAGE_REGISTRY_USER" | inCurlies }}`,
-            IMAGE_REGISTRY_PASSWORD: `${{ "secrets.IMAGE_REGISTRY_PASSWORD" | inCurlies }}`,
 {% for secret in build_secrets %}
 {%- if secret | eval_if_condition %}
 {%- if secret.comment %}
-            # {{ secret.comment }}
-{%- endif %}
-            {% if secret.commented_out %}# {% endif %}{{ secret.name }}: `${{ ("secrets." + secret.name) | inCurlies }}`,
+            /* {{ secret.comment }} */
+      {%- endif %}
+            {% if secret.commented_out %}/*{% endif %}{{ secret.name }}: `${{ ("secrets." + secret.name) | inCurlies }}`, {% if secret.commented_out %}*/{% endif %}
 {%- endif %}
 {%- endfor %}