From 907070454f9c90ce704f2d3822625728de859bfb Mon Sep 17 00:00:00 2001 From: Siraj Yasin Date: Wed, 15 Sep 2021 21:05:11 +0000 Subject: [PATCH] Allow pulling from a private airshipctl repo * Added the logic to support pulling airshipctl from a private github repo with basic http authentication. * Added Username, Password in secrets Relates-To: #632 Relates-To: #636 Change-Id: If1a1bbfaf9ce543cf35377d367b70676f9e3e9ef --- .../artifact-setup/assets/entrypoint.sh | 15 ++++++- .../examples/airshipctl/kustomization.yaml | 5 +++ .../examples/airshipctl/replacements.yaml | 17 +++----- .../airshipctl/secret_replacements.yaml | 42 +++++++++++++++++++ .../examples/base/airship-in-a-pod.yaml | 30 ++++++++++--- .../runner/assets/entrypoint.sh | 13 ++++++ 6 files changed, 103 insertions(+), 19 deletions(-) create mode 100644 tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml diff --git a/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh b/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh index 53b6dea33..9c79c4898 100755 --- a/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh +++ b/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh @@ -27,7 +27,7 @@ function reportStatus() { } trap reportStatus EXIT -function cloneRepo() { +function cloneAirshipctlRepo() { repo_dir=$1 repo_url=$2 repo_ref=$3 @@ -35,8 +35,19 @@ function cloneRepo() { mkdir -p "$repo_dir" cd "$repo_dir" + set +x + if [[ "$AIRSHIPCTL_REPO_AUTH_TYPE" = "http-basic" ]] + then + AIRSHIPCTL_REPO_AUTH_USERNAME=$( cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_USERNAME ) + AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD ) + proto="$(cut -f1 -d":" <<< $repo_url)://" + url="${repo_url/$proto/}" + repo_url="${proto}${AIRSHIPCTL_REPO_AUTH_USERNAME}:${AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD}@${url}" + fi + git init git fetch "$repo_url" "$repo_ref" + set -x git checkout FETCH_HEAD } 
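Review bot: The http-basic branch of cloneAirshipctlRepo (hunk @@ -35,8 +35,19) splices the username and password into `repo_url` and passes that to `git fetch`, so the secret sits in git's argument list, readable by anything in the container that can see the process table. `set +x` only keeps it out of the shell trace. Nothing percent-encodes the password either, so a value containing `@`, `/` or `:` produces a malformed URL, and `<<< $repo_url` is unquoted. I would leave `repo_url` untouched and let git obtain the credentials from a helper that reads the two mounted files on demand, as in the untested sketch below. The function's signature is in the preceding hunk, which is only the rename.

```shell
  git init
  if [[ "$AIRSHIPCTL_REPO_AUTH_TYPE" = "http-basic" ]]; then
    # The helper reads the mounted secret files only when git asks for
    # credentials, so repo_url and git's argv never contain them.
    git -c credential.helper= \
      -c 'credential.helper=!f() { printf "username=%s\n" "$(cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_USERNAME)"; printf "password=%s\n" "$(cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD)"; }; f' \
      fetch "$repo_url" "$repo_ref"
  else
    git fetch "$repo_url" "$repo_ref"
  fi
  # … unchanged: git checkout FETCH_HEAD …
```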
@@ -70,7 +81,7 @@ else check_docker_readiness repo_dir="$ARTIFACTS_DIR/airshipctl" - cloneRepo "$repo_dir" "$AIRSHIPCTL_REPO_URL" "$AIRSHIPCTL_REPO_REF" + cloneAirshipctlRepo "$repo_dir" "$AIRSHIPCTL_REPO_URL" "$AIRSHIPCTL_REPO_REF" cd "$repo_dir" ./tools/deployment/21_systemwide_executable.sh diff --git a/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml b/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml index 408ebe6e0..3f9eee724 100644 --- a/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml +++ b/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml @@ -21,3 +21,8 @@ patchesJson6902: kind: Pod name: airship-in-a-pod path: replacements.yaml +- target: + version: v1 # apiVersion + kind: Secret + name: aiap-secret + path: secret_replacements.yaml diff --git a/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml b/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml index 04100c74b..4f76be008 100644 --- a/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml +++ b/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml @@ -42,18 +42,13 @@ - op: replace path: "/spec/containers/6/env/10/value" value: none -# The username to use when using the https protocol (basic-auth) + +# The following relate to authorization for pulling the airshipctl repository +# This is the type of authorization to use. Currently supported types are +# [none http-basic ssh-key] - op: replace - path: "/spec/containers/6/env/11/value" - value: -# The password to use when using the https protocol (basic-auth) -- op: replace - path: "/spec/containers/6/env/12/value" - value: -# The password to use when using the git protocol (ssh-key) -- op: replace - path: "/spec/containers/6/env/13/value" - value: + path: "/spec/containers/4/env/5/value" + value: none # This is the location on the host machine of the artifacts directory. Note # that it should be the same across containers 
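Review bot: The new comment in replacements.yaml lists `ssh-key` as a supported AIRSHIPCTL_REPO_AUTH_TYPE, but cloneAirshipctlRepo in this same patch handles only `http-basic`. Any other value, including `ssh-key` or a typo, falls through to an unauthenticated fetch with no message. Either list only what is implemented, `# [none http-basic]`, or have the script reject unknown types. The patch path `/spec/containers/4/env/5/value` is positional and the base-manifest hunk does not show enough context to confirm the index, so a comment naming the container and variable next to the path would make a later shift easier to spot.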
diff --git a/tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml b/tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml
new file mode 100644
index 000000000..ee772495b
--- /dev/null
+++ b/tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml
@@ -0,0 +1,42 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The following relate to authorization for pulling the manifest repository
+# The username to use when using the https protocol (basic-auth)
+- op: replace
+ path: "/data/AIRSHIPCTL_REPO_AUTH_USERNAME"
+ value: ""
+# The password to use when using the https protocol (basic-auth)
+- op: replace
+ path: "/data/AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD"
+ value: ""
+# The ssh-key to use when using the git protocol (ssh-key)
+- op: replace
+ path: "/data/AIRSHIPCTL_REPO_AUTH_SSH_KEY"
+ value: ""
+
+# The following relate to authorization for pulling the manifest repository
+# This is the type of authorization to use. Currently supported types are
+# [none http-basic ssh-pass]
+# The username to use when using the https protocol (basic-auth)
+- op: replace
+ path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME"
+ value: ""
+# The password to use when using the https protocol (basic-auth)
+- op: replace
+ path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD"
+ value: ""
+# The ssh-key to use when using the git protocol (ssh-key)
+- op: replace
+ path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD"
+ value: ""
+
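Review bot: These patches write into the Secret's `data` map, whose values must be base64-encoded, and none of the comments say so. A user who pastes a plain username or password gets a manifest the API server rejects or, if the text happens to decode, a wrong credential. State the encoding in the header, for example `# Values are base64-encoded (Secret .data); do not commit a filled-in copy of this file.`, or move the base Secret and these paths to `stringData`. The comments also need a pass: the first block header says "manifest repository" although it covers the AIRSHIPCTL_* keys, the `[none http-basic ssh-pass]` line describes an auth type that is not set in this file, and the last entry is labelled ssh-key while its key is `AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD`.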
diff --git a/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml b/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml index 936da1f90..3659ac17b 100644 --- a/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml +++ b/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml @@ -10,6 +10,22 @@ # See the License for the specific language governing permissions and # limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: aiap-secret + labels: + aiap: aiap +data: + AIRSHIPCTL_REPO_AUTH_USERNAME: "" + AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD: "" + AIRSHIPCTL_REPO_AUTH_SSH_KEY: "" + AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME: "" + AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD: "" + AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD: "" +--- + apiVersion: v1 kind: Pod metadata: @@ -215,6 +231,8 @@ spec: value: https://opendev.org/airship/airshipctl - name: AIRSHIPCTL_REPO_REF value: master + - name: AIRSHIPCTL_REPO_AUTH_TYPE + value: "none" - name: USE_PROXY value: - name: no_proxy @@ -236,6 +254,8 @@ spec: mountPath: /var/run - name: var-run-libvirt mountPath: /var/run/libvirt + - name: aiap-secret-volume + mountPath: /opt/aiap-secret-volume - name: infra-builder image: quay.io/airshipit/aiap-infra-builder:latest @@ -311,12 +331,7 @@ spec: value: - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE value: "none" - - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME - value: "" - - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD - value: "" - - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD - value: "" + volumeMounts: - name: cache mountPath: /opt/aiap-cache @@ -389,3 +404,6 @@ spec: medium: "Memory" - name: dind-storage emptyDir: {} + - name: aiap-secret-volume + secret: + secretName: aiap-secret diff --git a/tools/airship-in-a-pod/runner/assets/entrypoint.sh b/tools/airship-in-a-pod/runner/assets/entrypoint.sh index df2761d36..72a1fef55 100755 --- a/tools/airship-in-a-pod/runner/assets/entrypoint.sh 
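Review bot: The mount added in hunk @@ -236,6 +254,8 gives the container that carries AIRSHIPCTL_REPO_URL every key of aiap-secret, including the three manifest-repo credentials that the visible artifact-setup script never reads. Limiting the volume to the keys that container needs with an `items:` list, or splitting the Secret per consumer, keeps each container to its own credentials. On the volume definition in the last hunk, `defaultMode: 0400` would also tighten the file mode on the mounted files.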
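Review bot: Hunk @@ -311,12 +331,7 removes the three credential env entries from the container that keeps AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE (presumably the runner), yet no hunk in this file adds `aiap-secret-volume` to that container's volumeMounts. The only new mount is in the container with AIRSHIPCTL_REPO_URL, and the diffstat leaves no room for another insertion. runner/assets/entrypoint.sh now reads its credentials from /opt/aiap-secret-volume, so with `http-basic` or `ssh-pass` those reads would find no files unless the mount is supplied elsewhere. Add `- name: aiap-secret-volume` with `mountPath: /opt/aiap-secret-volume` under this container's `volumeMounts:`, and drop the blank line the hunk adds before it.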
+++ b/tools/airship-in-a-pod/runner/assets/entrypoint.sh @@ -52,7 +52,20 @@ echo "export SOPS_PGP_FP=${SOPS_PGP_FP}" >> ~/.bashrc install "$ARTIFACTS_DIR/airshipctl/bin/airshipctl" /usr/local/bin cd "$ARTIFACTS_DIR/airshipctl" +set +x export AIRSHIP_CONFIG_MANIFEST_DIRECTORY="$ARTIFACTS_DIR/manifests" +if [[ "$AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE" = "http-basic" ]] +then + export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME ) + export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD ) +fi + +if [[ "$AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE" = "ssh-pass" ]] +then + export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD ) +fi +set -x + ./tools/deployment/22_test_configs.sh if [[ -n "$AIRSHIP_CONFIG_PHASE_REPO_REF" ]]; then export NO_CHECKOUT="false"
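Review bot: Each `export VAR=$( cat file )` added here returns the status of `export`, not of `cat`, so a missing or unreadable file under /opt/aiap-secret-volume leaves the credential empty and the script carries on to 22_test_configs.sh. Assign first and export afterwards, e.g. `AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME=$(< /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME) || exit 1` followed by `export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME`, for all three variables. Exported values are inherited by every later child process; whether airshipctl can take them from a file instead is not visible here. The closing `set -x` turns tracing on unconditionally, which assumes the script enabled it earlier, outside this hunk.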