111 lines
4.8 KiB
TypeScript
111 lines
4.8 KiB
TypeScript
import * as ec2 from '../../aws-ec2';
|
|
import type * as ecr from '../../aws-ecr';
|
|
import * as iam from '../../aws-iam';
|
|
import type * as secretsmanager from '../../aws-secretsmanager';
|
|
/**
|
|
* Represents credentials used to access a Docker registry.
|
|
*/
|
|
export declare abstract class DockerCredential {
|
|
protected readonly usages?: DockerCredentialUsage[] | undefined;
|
|
/**
|
|
* Creates a DockerCredential for DockerHub.
|
|
* Convenience method for `customRegistry('https://index.docker.io/v1/', opts)`.
|
|
*/
|
|
static dockerHub(secret: secretsmanager.ISecret, opts?: ExternalDockerCredentialOptions): DockerCredential;
|
|
/**
|
|
* Creates a DockerCredential for a registry, based on its domain name (e.g., 'www.example.com').
|
|
*/
|
|
static customRegistry(registryDomain: string, secret: secretsmanager.ISecret, opts?: ExternalDockerCredentialOptions): DockerCredential;
|
|
/**
|
|
* Creates a DockerCredential for one or more ECR repositories.
|
|
*
|
|
* NOTE - All ECR repositories in the same account and region share a domain name
|
|
* (e.g., 0123456789012.dkr.ecr.eu-west-1.amazonaws.com), and can only have one associated
|
|
* set of credentials (and DockerCredential). Attempting to associate one set of credentials
|
|
* with one ECR repo and another with another ECR repo in the same account and region will
|
|
* result in failures when using these credentials in the pipeline.
|
|
*/
|
|
static ecr(repositories: ecr.IRepository[], opts?: EcrDockerCredentialOptions): DockerCredential;
|
|
constructor(usages?: DockerCredentialUsage[] | undefined);
|
|
/**
|
|
* Determines if this credential is relevant to the input usage.
|
|
* @internal
|
|
*/
|
|
_applicableForUsage(usage: DockerCredentialUsage): boolean;
|
|
/**
|
|
* Grant read-only access to the registry credentials.
|
|
* This grants read access to any secrets, and pull access to any repositories.
|
|
*/
|
|
abstract grantRead(grantee: iam.IGrantable, usage: DockerCredentialUsage): void;
|
|
/**
|
|
* Creates and returns the credential configuration, to be used by `cdk-assets`
|
|
* to support the `docker-credential-cdk-assets` tool for `docker login`.
|
|
* @internal
|
|
*/
|
|
abstract _renderCdkAssetsConfig(): DockerCredentialCredentialSource;
|
|
}
|
|
/** Options for defining credentials for a Docker Credential */
|
|
export interface ExternalDockerCredentialOptions {
|
|
/**
|
|
* The name of the JSON field of the secret which contains the user/login name.
|
|
* @default 'username'
|
|
*/
|
|
readonly secretUsernameField?: string;
|
|
/**
|
|
* The name of the JSON field of the secret which contains the secret/password.
|
|
* @default 'secret'
|
|
*/
|
|
readonly secretPasswordField?: string;
|
|
/**
|
|
* An IAM role to assume prior to accessing the secret.
|
|
* @default - none. The current execution role will be used.
|
|
*/
|
|
readonly assumeRole?: iam.IRole;
|
|
/**
|
|
* Defines which stages of the pipeline should be granted access to these credentials.
|
|
* @default - all relevant stages (synth, self-update, asset publishing) are granted access.
|
|
*/
|
|
readonly usages?: DockerCredentialUsage[];
|
|
}
|
|
/** Options for defining access for a Docker Credential composed of ECR repos */
|
|
export interface EcrDockerCredentialOptions {
|
|
/**
|
|
* An IAM role to assume prior to accessing the secret.
|
|
* @default - none. The current execution role will be used.
|
|
*/
|
|
readonly assumeRole?: iam.IRole;
|
|
/**
|
|
* Defines which stages of the pipeline should be granted access to these credentials.
|
|
* @default - all relevant stages (synth, self-update, asset publishing) are granted access.
|
|
*/
|
|
readonly usages?: DockerCredentialUsage[];
|
|
}
|
|
/** Defines which stages of a pipeline require the specified credentials */
|
|
export declare enum DockerCredentialUsage {
|
|
/** Synth/Build */
|
|
SYNTH = "SYNTH",
|
|
/** Self-update */
|
|
SELF_UPDATE = "SELF_UPDATE",
|
|
/** Asset publishing */
|
|
ASSET_PUBLISHING = "ASSET_PUBLISHING"
|
|
}
|
|
/** Format for the CDK assets config. See the cdk-assets `DockerDomainCredentialSource` */
|
|
interface DockerCredentialCredentialSource {
|
|
readonly secretsManagerSecretId?: string;
|
|
readonly secretsUsernameField?: string;
|
|
readonly secretsPasswordField?: string;
|
|
readonly ecrRepository?: boolean;
|
|
readonly assumeRoleArn?: string;
|
|
}
|
|
/**
|
|
* Creates a set of OS-specific buildspec installation commands for setting up the given
|
|
* registries and associated credentials.
|
|
*
|
|
* @param registries - Registries to configure credentials for. It is an error to provide
|
|
* multiple registries for the same domain.
|
|
* @param osType - (optional) Defaults to Linux.
|
|
* @returns An array of commands to configure cdk-assets to use these credentials.
|
|
*/
|
|
export declare function dockerCredentialsInstallCommands(usage: DockerCredentialUsage, registries?: DockerCredential[], osType?: ec2.OperatingSystemType | 'both'): string[];
|
|
export {};
|