Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(docker): add ghworkflows example for GAR with Workload Identity #30692

Merged
merged 4 commits into from
Aug 24, 2024
Merged

docs(docker): add ghworkflows example for GAR with Workload Identity #30692

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5712730
docs(docker): add ghworkflows example for GAR with Workload Identity
jazzlyn Aug 10, 2024
327b587
chore: linting
jazzlyn Aug 11, 2024
f382780
docs(docker): refinement
jazzlyn Aug 13, 2024
5d68857
docs(docker): refinement
jazzlyn Aug 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 45 additions & 6 deletions docs/usage/docker.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -279,12 +279,51 @@ To make use of this authentication mechanism, specify the username as `AWS`:

#### Google Container Registry / Google Artifact Registry

##### Using Application Default Credentials / Workload Identity (Self-Hosted only)
##### Using Workload Identity

To let Renovate authenticate with [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity), you must:

- Configure Workload Identity
- Give the Service Account the `artifactregistry.repositories.downloadArtifacts` permission

###### With Application Default Credentials (self-hosted only)

To let Renovate authenticate with [ADC](https://cloud.google.com/docs/authentication/provide-credentials-adc), you must:

- Configure ADC as normal
- _Not_ provide a username, password or token

Renovate will get the credentials with the [`google-auth-library`](https://www.npmjs.com/package/google-auth-library).

###### With short-lived access token / GitHub Actions (self-hosted only)

```yaml title="Example for Workload Identity plus Renovate host rules"
- name: authenticate to google cloud
id: auth
uses: google-github-actions/[email protected]
with:
token_format: 'access_token'
workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ env.SERVICE_ACCOUNT }}

- name: renovate
uses: renovatebot/[email protected]
env:
RENOVATE_HOST_RULES: |
[
{
matchHost: "us-central1-docker.pkg.dev",
hostType: "docker",
username: "oauth2accesstoken",
password: "${{ steps.auth.outputs.access_token }}"
}
]
with:
token: ${{ secrets.RENOVATE_TOKEN }}
configurationFile: .github/renovate.json5
```

jazzlyn marked this conversation as resolved.
Show resolved Hide resolved
Just configure [ADC](https://cloud.google.com/docs/authentication/provide-credentials-adc) /
[Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) as normal and _don't_
provide a username, password or token. Renovate will automatically retrieve the credentials using the
google-auth-library.
You can find a full GitHub Workflow example on the [renovatebot/github-action](https://github.com/renovatebot/github-action) repository.

##### Using long-lived service account credentials

Expand Down Expand Up @@ -386,7 +425,7 @@ If you have dependencies on Google Container Registry (and Artifact Registry) yo
}
```

##### Using short-lived access tokens
##### Using short-lived access token / Gitlab CI / Google Cloud
jazzlyn marked this conversation as resolved.
Show resolved Hide resolved

Assume you are running GitLab CI in the Google Cloud, and you are storing your Docker images in the Google Container Registry (GCR).

Expand Down
Loading