Remove admin access to container registry from pipelines (#7492)

As part of the Safe Secrets Standard, we need to ensure that our Azure Container Registry resources do not have their local admin accounts enabled. In our test pipelines that set up IoT Edge with credentials for pulling daily builds of our Docker images, we need to use short-lived tokens to pull images, rather than grabbing the local admin credentials from a key vault.

This change makes the appropriate changes to our test pipelines. It removes the old key vault secret references, adds a new template that can generate a short-lived token (plus server address and username), and uses the new information throughout the pipelines, in place of the old secrets.

To test, I disabled the local admin on the key vaults we use in our test pipelines, then I ran the following pipelines and confirmed they succeed:
- Checkin end-to-end tests
- End-to-end tests
- Nested end-to-end tests
- ISA-95 smoke tests
- Connectivity tests

## Azure IoT Edge PR checklist:

Author: damonbarry

builds/checkin/e2e-checkin.yaml

@@ -60,21 +60,27 @@ stages:
         steps:
         - template: ../e2e/templates/e2e-vault-secrets.yaml
           parameters:
-            azureSubscription: $(az.subscription)
-            keyVaultName: $(kv.name)
+            azureSubscription: '$(az.subscription)'
+            keyVaultName: '$(kv.name)'
         - template: ../e2e/templates/storage-token.yaml
           parameters:
-            azureSubscription: $(az.subscription)
+            azureSubscription: '$(az.subscription)'
+        - template: ../e2e/templates/acr-credentials.yaml
+          parameters:
+            acrName: '$(cr.name)'
+            serviceConnection: '$(az.subscription)'
         - template: ../e2e/templates/e2e-setup.yaml
           parameters:
+            containerRegistryServer: '$(acrServer)'
+            containerRegistryUsername: '$(acrUsername)'
             iotHubResourceId: '$(iotHubResourceId)'
             rootCaCertificate: '$(rootCaCertificate)'
             rootCaKey: '$(rootCaKey)'
         - template: ../e2e/templates/e2e-run.yaml
           parameters:
-            containerRegistryPassword: '$(containerRegistryPassword)'
+            containerRegistryPassword: '$(acrPassword)'
             dpsGroupKeySymmetric: '$(dpsGroupKeySymmetric)'
             eventHubCompatibleEndpoint: '$(eventHubCompatibleEndpoint)'
             iotHubConnectionString: '$(iotHubConnectionString)'
             rootCaPassword: '$(rootCaPassword)'
-            sas_uri: $(sas_uri)
+            sas_uri: '$(sas_uri)'

builds/e2e/connectivity.yaml

@@ -42,11 +42,26 @@ jobs:
           azureSubscription: $(azure.subscription)
           crossJobVariables: true
 
+  - job: ContainerRegistryCredentials
+    displayName: 'Get ACR Credentials'
+    pool:
+      name: $(pool.linux.name)
+      demands:
+        - ImageOverride -equals agent-aziotedge-ubuntu-22.04-msmoby
+    steps:
+      - template: templates/acr-credentials.yaml
+        parameters:
+          acrName: $(cr.name)
+          crossJobVariables: true
+          serviceConnection: $(azure.subscription)
+
 ################################################################################
   - job: linux_amd64_moby
 ################################################################################
     displayName: Linux AMD64 Moby
-    dependsOn: Token
+    dependsOn:
+      - Token
+      - ContainerRegistryCredentials
     condition: and(succeeded('Token'), eq(variables['run.linux.amd64.moby'], 'true'), ne(variables['agent.group'], ''))
     timeoutInMinutes: 240
     strategy:
@@ -107,6 +122,9 @@ jobs:
       identity.artifact.name: 'aziot-identity-ubuntu22.04-amd64'
       edgelet.artifact.name: 'iotedged-ubuntu22.04-amd64'
       sas_uri: $[ dependencies.Token.outputs['generate.sas_uri'] ]
+      cr.server: $[ dependencies.ContainerRegistryCredentials.outputs['acrgen.acrServer'] ]
+      cr.username: $[ dependencies.ContainerRegistryCredentials.outputs['acrgen.acrUsername'] ]
+      cr.token: $[ dependencies.ContainerRegistryCredentials.outputs['acrgen.acrPassword'] ]
     steps:
       - task: Bash@3
         name: Print_test_parameters
@@ -134,8 +152,6 @@ jobs:
           azureSubscription: $(azure.subscription)
           KeyVaultName: 'edgebuildkv'
           SecretsFilter: >-
-            edgebuilds-azurecr-io-username,
-            edgebuilds-azurecr-io-pwd,
             kvLogAnalyticWorkspaceId,
             kvLogAnalyticSharedKey,
       - task: AzureKeyVault@2
@@ -205,9 +221,9 @@ jobs:
           identity.artifact.name: '$(identity.artifact.name)'
           edgelet.artifact.name: '$(edgelet.artifact.name)'
           images.artifact.name: '$(images.artifact.name.linux)'
-          container.registry: '$(container.registry)'
-          container.registry.username: '$(edgebuilds-azurecr-io-username)'
-          container.registry.password: '$(edgebuilds-azurecr-io-pwd)'
+          container.registry: '$(cr.server)'
+          container.registry.username: '$(cr.username)'
+          container.registry.password: '$(cr.token)'
           iotHub.connectionString: '$(IotHub-ConnStr)'
           eventHub.connectionString: '$(IotHub-EventHubConnStr)'
           deploymentFileName: '$(deploymentFileName)'
@@ -238,7 +254,9 @@ jobs:
   - job: linux_arm32v7_moby
 ################################################################################
     displayName: Linux ARM32v7 Moby
-    dependsOn: Token
+    dependsOn:
+      - Token
+      - ContainerRegistryCredentials
     condition: and(succeeded('Token'), eq(variables['run.linux.arm32v7.moby'], 'true'), ne(variables['agent.group'], ''))
     timeoutInMinutes: 240 
     strategy:
@@ -303,6 +321,9 @@ jobs:
       identity.artifact.name: 'aziot-identity-debian11-arm32v7'
       edgelet.artifact.name: 'iotedged-debian11-arm32v7'
       sas_uri: $[ dependencies.Token.outputs['generate.sas_uri'] ]
+      cr.server: $[ dependencies.ContainerRegistryCredentials.outputs['acrgen.acrServer'] ]
+      cr.username: $[ dependencies.ContainerRegistryCredentials.outputs['acrgen.acrUsername'] ]
+      cr.token: $[ dependencies.ContainerRegistryCredentials.outputs['acrgen.acrPassword'] ]
     steps:
       - task: Bash@3
         name: Print_test_parameters
@@ -330,8 +351,6 @@ jobs:
           azureSubscription: $(azure.subscription)
           KeyVaultName: 'edgebuildkv'
           SecretsFilter: >-
-            edgebuilds-azurecr-io-username,
-            edgebuilds-azurecr-io-pwd,
             kvLogAnalyticWorkspaceId,
             kvLogAnalyticSharedKey,
       - task: AzureKeyVault@2
@@ -398,9 +417,9 @@ jobs:
           identity.artifact.name: '$(identity.artifact.name)'
           edgelet.artifact.name: '$(edgelet.artifact.name)'
           images.artifact.name: '$(images.artifact.name.linux)'
-          container.registry: '$(container.registry)'
-          container.registry.username: '$(edgebuilds-azurecr-io-username)'
-          container.registry.password: '$(edgebuilds-azurecr-io-pwd)'
+          container.registry: '$(cr.server)'
+          container.registry.username: '$(cr.username)'
+          container.registry.password: '$(cr.token)'
           iotHub.connectionString: '$(EdgeConnectivityTestHubARM32ConnString)'
           eventHub.connectionString: '$(EdgeConnectivityEventHubARM32ConnString)'
           deploymentFileName: '$(deploymentFileName)'