Merge "Allow pulling from a private airshipctl repo"

2021-09-28 19:44:56 +00:00 · 2021-09-28 19:44:56 +00:00 · b1bbb820b7
commit b1bbb820b7
parent f9ee918eb6 907070454f
6 changed files with 103 additions and 19 deletions
--- a/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh
+++ b/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh
@ -27,7 +27,7 @@ function reportStatus() {
 }
 trap reportStatus EXIT

-function cloneRepo() {
+function cloneAirshipctlRepo() {
  repo_dir=$1
  repo_url=$2
  repo_ref=$3
@ -35,8 +35,19 @@ function cloneRepo() {
  mkdir -p "$repo_dir"
  cd "$repo_dir"

+  set +x
+  if [[ "$AIRSHIPCTL_REPO_AUTH_TYPE" = "http-basic" ]]
+  then
+    AIRSHIPCTL_REPO_AUTH_USERNAME=$( cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_USERNAME )
+    AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD )
+    proto="$(cut -f1 -d":" <<< $repo_url)://"
+    url="${repo_url/$proto/}"
+    repo_url="${proto}${AIRSHIPCTL_REPO_AUTH_USERNAME}:${AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD}@${url}"
+  fi
+
  git init
  git fetch "$repo_url" "$repo_ref"
+  set -x
  git checkout FETCH_HEAD
 }

@ -70,7 +81,7 @@ else
  check_docker_readiness

  repo_dir="$ARTIFACTS_DIR/airshipctl"
-  cloneRepo "$repo_dir" "$AIRSHIPCTL_REPO_URL" "$AIRSHIPCTL_REPO_REF"
+  cloneAirshipctlRepo "$repo_dir" "$AIRSHIPCTL_REPO_URL" "$AIRSHIPCTL_REPO_REF"

  cd "$repo_dir"
  ./tools/deployment/21_systemwide_executable.sh
--- a/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml
+++ b/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml
@ -21,3 +21,8 @@ patchesJson6902:
    kind: Pod
    name: airship-in-a-pod
  path: replacements.yaml
+- target:
+    version: v1 # apiVersion
+    kind: Secret
+    name: aiap-secret
+  path: secret_replacements.yaml
--- a/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml
+++ b/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml
@ -42,18 +42,13 @@
 - op: replace
  path: "/spec/containers/6/env/10/value"
  value: none
-# The username to use when using the https protocol (basic-auth)
+
+# The following relate to authorization for pulling the airshipctl repository
+# This is the type of authorization to use. Currently supported types are
+# [none http-basic ssh-key]
 - op: replace
-  path: "/spec/containers/6/env/11/value"
-  value:
-# The password to use when using the https protocol (basic-auth)
- op: replace
-  path: "/spec/containers/6/env/12/value"
-  value:
-# The password to use when using the git protocol (ssh-key)
- op: replace
-  path: "/spec/containers/6/env/13/value"
-  value:
+  path: "/spec/containers/4/env/5/value"
+  value: none

 # This is the location on the host machine of the artifacts directory. Note
 # that it should be the same across containers
--- a/tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml
+++ b/tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml
@ -0,0 +1,42 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The following relate to authorization for pulling the manifest repository
+# The username to use when using the https protocol (basic-auth)
+- op: replace
+  path: "/data/AIRSHIPCTL_REPO_AUTH_USERNAME"
+  value: ""
+# The password to use when using the https protocol (basic-auth)
+- op: replace
+  path: "/data/AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD"
+  value: ""
+# The ssh-key to use when using the git protocol (ssh-key)
+- op: replace
+  path: "/data/AIRSHIPCTL_REPO_AUTH_SSH_KEY"
+  value: ""
+
+# The following relate to authorization for pulling the manifest repository
+# This is the type of authorization to use. Currently supported types are
+# [none http-basic ssh-pass]
+# The username to use when using the https protocol (basic-auth)
+- op: replace
+  path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME"
+  value: ""
+# The password to use when using the https protocol (basic-auth)
+- op: replace
+  path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD"
+  value: ""
+# The ssh-key to use when using the git protocol (ssh-key)
+- op: replace
+  path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD"
+  value: ""
+
--- a/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml
+++ b/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml
@ -10,6 +10,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aiap-secret
+  labels:
+    aiap: aiap
+data:
+  AIRSHIPCTL_REPO_AUTH_USERNAME: ""
+  AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD: ""
+  AIRSHIPCTL_REPO_AUTH_SSH_KEY: ""
+  AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME: ""
+  AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD: ""
+  AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD: ""
+---
+
 apiVersion: v1
 kind: Pod
 metadata:
@ -215,6 +231,8 @@ spec:
        value: https://opendev.org/airship/airshipctl
      - name: AIRSHIPCTL_REPO_REF
        value: master
+      - name: AIRSHIPCTL_REPO_AUTH_TYPE
+        value: "none"
      - name: USE_PROXY
        value:
      - name: no_proxy
@ -236,6 +254,8 @@ spec:
        mountPath: /var/run
      - name: var-run-libvirt
        mountPath: /var/run/libvirt
+      - name: aiap-secret-volume
+        mountPath: /opt/aiap-secret-volume

  - name: infra-builder
    image: quay.io/airshipit/aiap-infra-builder:latest
@ -311,12 +331,7 @@ spec:
        value:
      - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE
        value: "none"
-      - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME
-        value: ""
-      - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD
-        value: ""
-      - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD
-        value: ""
+
    volumeMounts:
      - name: cache
        mountPath: /opt/aiap-cache
@ -389,3 +404,6 @@ spec:
        medium: "Memory"
    - name: dind-storage
      emptyDir: {}
+    - name: aiap-secret-volume
+      secret:
+        secretName: aiap-secret
--- a/tools/airship-in-a-pod/runner/assets/entrypoint.sh
+++ b/tools/airship-in-a-pod/runner/assets/entrypoint.sh
@ -52,7 +52,20 @@ echo "export SOPS_PGP_FP=${SOPS_PGP_FP}" >> ~/.bashrc
 install "$ARTIFACTS_DIR/airshipctl/bin/airshipctl" /usr/local/bin
 cd "$ARTIFACTS_DIR/airshipctl"

+set +x
 export AIRSHIP_CONFIG_MANIFEST_DIRECTORY="$ARTIFACTS_DIR/manifests"
+if [[ "$AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE" = "http-basic" ]]
+then
+  export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME )
+  export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD )
+fi
+
+if [[ "$AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE" = "ssh-pass" ]]
+then
+  export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD )
+fi
+set -x
+
 ./tools/deployment/22_test_configs.sh
 if [[ -n "$AIRSHIP_CONFIG_PHASE_REPO_REF" ]]; then
  export NO_CHECKOUT="false"