From 2bd4ede6df449e0998bd0df1f49da9a7af4b73e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jasmin=20M=C3=BCller?= <9011011+jazzlyn@users.noreply.github.com> Date: Sat, 24 Aug 2024 08:40:45 +0200 Subject: [PATCH] docs(docker): add ghworkflows example for GAR with Workload Identity (#30692) --- docs/usage/docker.md | 51 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 45 insertions(+), 6 deletions(-) diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 84fb5f1e95d6be..0405e5d53a3e99 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -279,12 +279,51 @@ To make use of this authentication mechanism, specify the username as `AWS`: #### Google Container Registry / Google Artifact Registry -##### Using Application Default Credentials / Workload Identity (Self-Hosted only) +##### Using Workload Identity + +To let Renovate authenticate with [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity), you must: + +- Configure Workload Identity +- Give the Service Account the `artifactregistry.repositories.downloadArtifacts` permission + +###### With Application Default Credentials (self-hosted only) + +To let Renovate authenticate with [ADC](https://cloud.google.com/docs/authentication/provide-credentials-adc), you must: + +- Configure ADC as normal +- _Not_ provide a username, password or token + +Renovate will get the credentials with the [`google-auth-library`](https://www.npmjs.com/package/google-auth-library). + +###### With short-lived access token / GitHub Actions (self-hosted only) + +```yaml title="Example for Workload Identity plus Renovate host rules" +- name: authenticate to google cloud + id: auth + uses: google-github-actions/auth@v2.1.3 + with: + token_format: 'access_token' + workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }} + service_account: ${{ env.SERVICE_ACCOUNT }} + +- name: renovate + uses: renovatebot/github-action@v40.2.4 + env: + RENOVATE_HOST_RULES: | + [ + { + matchHost: "us-central1-docker.pkg.dev", + hostType: "docker", + username: "oauth2accesstoken", + password: "${{ steps.auth.outputs.access_token }}" + } + ] + with: + token: ${{ secrets.RENOVATE_TOKEN }} + configurationFile: .github/renovate.json5 +``` -Just configure [ADC](https://cloud.google.com/docs/authentication/provide-credentials-adc) / -[Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) as normal and _don't_ -provide a username, password or token. 
Renovate will automatically retrieve the credentials using the -google-auth-library. +You can find a full GitHub Workflow example on the [renovatebot/github-action](https://github.com/renovatebot/github-action) repository. ##### Using long-lived service account credentials @@ -386,7 +425,7 @@ If you have dependencies on Google Container Registry (and Artifact Registry) yo } ``` -##### Using short-lived access tokens +##### Using short-lived access token / Gitlab CI / Google Cloud Assume you are running GitLab CI in the Google Cloud, and you are storing your Docker images in the Google Container Registry (GCR).
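Review bot: in the first hunk (the `@@ -279,12 +279,51 @@` region), the new YAML example pins `google-github-actions/auth@v2.1.3` and `renovatebot/github-action@v40.2.4` by mutable tag; since this is the documented pattern users will copy into workflows that hold a registry access token and a `RENOVATE_TOKEN` secret, consider pinning both actions to a full commit SHA with the version in a trailing comment, or at least saying the versions are illustrative. Two smaller points on the same hunk: the heading is "Using short-lived access token / GitHub Actions" but the text never says what "short-lived" means in practice, so a sentence noting that the Renovate run has to finish within the token's lifetime (and that a longer lifetime can be requested from the auth step if needed) would save readers an unexplained auth failure on large repositories; and `matchHost: "us-central1-docker.pkg.dev"` is region-specific, so a note that the host must match the reader's own Artifact Registry location (or a `*.pkg.dev`-style match, if Renovate supports it) would make the example less of a copy-paste trap.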
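Review bot: in the second hunk (`@@ -386,7 +425,7 @@`), the new heading reads `##### Using short-lived access token / Gitlab CI / Google Cloud` while the very next sentence spells it "GitLab CI", and the sibling heading added in the first hunk uses "GitHub Actions"; suggest `##### Using short-lived access token / GitLab CI / Google Cloud` so the product name and the two parallel headings are consistent.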