Implement --deploy-token-auth in GitLab bootstrapping
This change set implements support for the `--deploy-token-auth` option in the `flux bootstrap gitlab` command. That option will reconcile a GitLab Project Deploy Token to use for the authentication of the GitLab git repository. A GitLab Project Deploy Token can be used the same way as a Personal Access Token which is already supported via `--token-auth`. The difference with the GitLab Project Deploy Token is that the token is managed (created, updated, deleted) by Flux and not provided by the user. This change is transparent to the source-controller. A prerequisite for this change is the `fluxcd/go-git-providers` change here: * https://github.com/fluxcd/go-git-providers/pull/191 See related discussion here: https://github.com/fluxcd/flux2/discussions/3595 GitLab Issue here: https://gitlab.com/gitlab-org/gitlab/-/issues/392605 Signed-off-by: Timo Furrer <tuxtimo@gmail.com>
This commit is contained in:
Timo Furrer
committed by
Hidde Beydals
Hidde Beydals
parent
91d1e1df48
commit
2e1721ca85
@@ -59,6 +59,8 @@ type GitProviderBootstrapper struct {
|
||||
|
||||
sshHostname string
|
||||
|
||||
useDeployTokenAuth bool
|
||||
|
||||
provider gitprovider.Client
|
||||
}
|
||||
|
||||
@@ -184,6 +186,16 @@ func (o reconcileOption) applyGitProvider(b *GitProviderBootstrapper) {
|
||||
b.reconcile = true
|
||||
}
|
||||
|
||||
func WithDeployTokenAuth() GitProviderOption {
|
||||
return deployTokenAuthOption(true)
|
||||
}
|
||||
|
||||
type deployTokenAuthOption bool
|
||||
|
||||
func (o deployTokenAuthOption) applyGitProvider(b *GitProviderBootstrapper) {
|
||||
b.useDeployTokenAuth = true
|
||||
}
|
||||
|
||||
func (b *GitProviderBootstrapper) ReconcileSyncConfig(ctx context.Context, options sync.Options) error {
|
||||
if b.repository == nil {
|
||||
return errors.New("repository is required")
|
||||
@@ -208,6 +220,26 @@ func (b *GitProviderBootstrapper) ReconcileSyncConfig(ctx context.Context, optio
|
||||
return b.PlainGitBootstrapper.ReconcileSyncConfig(ctx, options)
|
||||
}
|
||||
|
||||
func (b *GitProviderBootstrapper) ReconcileSourceSecret(ctx context.Context, options sourcesecret.Options) error {
|
||||
if b.repository == nil {
|
||||
return errors.New("repository is required")
|
||||
}
|
||||
|
||||
if b.useDeployTokenAuth {
|
||||
deployTokenInfo, err := b.reconcileDeployToken(ctx, options)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if deployTokenInfo != nil {
|
||||
options.Username = deployTokenInfo.Username
|
||||
options.Password = deployTokenInfo.Token
|
||||
}
|
||||
}
|
||||
|
||||
return b.PlainGitBootstrapper.ReconcileSourceSecret(ctx, options)
|
||||
}
|
||||
|
||||
// ReconcileRepository reconciles an organization or user repository with the
|
||||
// GitProviderBootstrapper configuration. On success, the URL in the embedded
|
||||
// PlainGitBootstrapper is set to clone URL for the configured protocol.
|
||||
@@ -261,6 +293,32 @@ func (b *GitProviderBootstrapper) reconcileDeployKey(ctx context.Context, secret
|
||||
return nil
|
||||
}
|
||||
|
||||
func (b *GitProviderBootstrapper) reconcileDeployToken(ctx context.Context, options sourcesecret.Options) (*gitprovider.DeployTokenInfo, error) {
|
||||
dts, err := b.repository.DeployTokens()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
b.logger.Actionf("checking to reconcile deploy token for source secret")
|
||||
name := deployTokenName(options.Namespace, b.branch, options.Name, options.TargetPath)
|
||||
deployTokenInfo := gitprovider.DeployTokenInfo{Name: name}
|
||||
|
||||
deployToken, changed, err := dts.Reconcile(ctx, deployTokenInfo)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if changed {
|
||||
b.logger.Successf("configured deploy token %q for %q", deployTokenInfo.Name, b.repository.Repository().String())
|
||||
deployTokenInfo := deployToken.Get()
|
||||
return &deployTokenInfo, nil
|
||||
}
|
||||
|
||||
b.logger.Successf("reconciled deploy token for source secret")
|
||||
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// reconcileOrgRepository reconciles a gitprovider.OrgRepository
|
||||
// with the GitProviderBootstrapper values, including any
|
||||
// gitprovider.TeamAccessInfo configurations.
|
||||
@@ -554,6 +612,17 @@ func deployKeyName(namespace, secretName, branch, path string) string {
|
||||
return name
|
||||
}
|
||||
|
||||
func deployTokenName(namespace, secretName, branch, path string) string {
|
||||
var elems []string
|
||||
for _, v := range []string{namespace, secretName, branch, path} {
|
||||
if v == "" {
|
||||
continue
|
||||
}
|
||||
elems = append(elems, v)
|
||||
}
|
||||
return strings.Join(elems, "-")
|
||||
}
|
||||
|
||||
// setHostname is a helper to replace the hostname of the given URL.
|
||||
// TODO(hidde): support for this should be added in go-git-providers.
|
||||
func setHostname(URL, hostname string) (string, error) {
|
||||
|
||||
Reference in New Issue
Block a user