From 2d67ea5f7f0b2bb4f7df639d77a12479e4dd9f23 Mon Sep 17 00:00:00 2001 From: Ally Parker Date: Fri, 16 Oct 2020 16:21:28 +0100 Subject: [PATCH] Add secret-ref flag to git source Add secret-ref flag to Helm source Add secret-ref to bucket source --- cmd/gotk/create_source_bucket.go | 48 ++++++++------ cmd/gotk/create_source_git.go | 30 ++++++--- cmd/gotk/create_source_helm.go | 96 +++++++++++++++------------ docs/cmd/gotk_create_source_bucket.md | 1 + docs/cmd/gotk_create_source_git.md | 1 + docs/cmd/gotk_create_source_helm.md | 15 +++-- 6 files changed, 114 insertions(+), 77 deletions(-) diff --git a/cmd/gotk/create_source_bucket.go b/cmd/gotk/create_source_bucket.go index 9511ab54..7ed080e7 100644 --- a/cmd/gotk/create_source_bucket.go +++ b/cmd/gotk/create_source_bucket.go @@ -69,6 +69,7 @@ var ( sourceBucketSecretKey string sourceBucketRegion string sourceBucketInsecure bool + sourceBucketSecretRef string ) func init() { @@ -79,6 +80,7 @@ func init() { createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretKey, "secret-key", "", "the bucket secret key") createSourceBucketCmd.Flags().StringVar(&sourceBucketRegion, "region", "", "the bucket region") createSourceBucketCmd.Flags().BoolVar(&sourceBucketInsecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint") + createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretRef, "secret-ref", "", "the name of an existing secret containing credentials") createSourceCmd.AddCommand(createSourceBucketCmd) } @@ -88,7 +90,6 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error { return fmt.Errorf("Bucket source name is required") } name := args[0] - secretName := fmt.Sprintf("bucket-%s", name) if sourceBucketName == "" { return fmt.Errorf("bucket-name is required") 
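Review bot: The help text registered for the bucket command's new `--secret-ref` flag does not say what the referenced secret must contain, yet the only contract a user can follow is the one this command writes itself when no ref is given (`accesskey` and `secretkey`, in the secret-creation block further down the file). Suggest `"the name of an existing secret containing the bucket credentials (keys: accesskey, secretkey)"` so someone pre-creating the secret learns the key names from `--help` instead of from a reconcile error; presumably the controller reads the same keys, but that is outside this view. The enclosing `init` starts outside this hunk.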
@@ -126,6 +127,11 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error { }, }, } + if sourceHelmSecretRef != "" { + bucket.Spec.SecretRef = &corev1.LocalObjectReference{ + Name: sourceBucketSecretRef, + } + } if export { return exportBucket(*bucket) @@ -141,28 +147,32 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error { logger.Generatef("generating Bucket source") - secret := corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: secretName, - Namespace: namespace, - }, - StringData: map[string]string{}, - } + if sourceBucketSecretRef == "" { + secretName := fmt.Sprintf("bucket-%s", name) - if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" { - secret.StringData["accesskey"] = sourceBucketAccessKey - secret.StringData["secretkey"] = sourceBucketSecretKey - } + secret := corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: secretName, + Namespace: namespace, + }, + StringData: map[string]string{}, + } - if len(secret.StringData) > 0 { - logger.Actionf("applying secret with the bucket credentials") - if err := upsertSecret(ctx, kubeClient, secret); err != nil { - return err + if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" { + secret.StringData["accesskey"] = sourceBucketAccessKey + secret.StringData["secretkey"] = sourceBucketSecretKey } - bucket.Spec.SecretRef = &corev1.LocalObjectReference{ - Name: secretName, + + if len(secret.StringData) > 0 { + logger.Actionf("applying secret with the bucket credentials") + if err := upsertSecret(ctx, kubeClient, secret); err != nil { + return err + } + bucket.Spec.SecretRef = &corev1.LocalObjectReference{ + Name: secretName, + } + logger.Successf("authentication configured") } - logger.Successf("authentication configured") } logger.Actionf("applying Bucket source") diff --git a/cmd/gotk/create_source_git.go b/cmd/gotk/create_source_git.go index 5330b5ad..495ab654 100644 --- a/cmd/gotk/create_source_git.go +++ b/cmd/gotk/create_source_git.go 
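Review bot: The new guard in create_source_bucket.go tests `sourceHelmSecretRef`, the Helm command's variable, instead of `sourceBucketSecretRef`, so `gotk create source bucket --secret-ref foo` never populates `spec.secretRef`: the exported manifest carries no reference, and the apply path does not recover because the later secret block only sets `SecretRef` when it creates the secret itself. It presumably compiles only because both variables are package-level in the same `cmd/gotk` package, which is why nothing caught it. The fix is the one-line change `if sourceBucketSecretRef != "" {`; a test that exports a bucket with `--secret-ref` and asserts `secretRef.name` would keep it fixed. `createSourceBucketCmdRun` continues outside this hunk.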
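Review bot: Passing `--secret-ref` together with `--access-key`/`--secret-key` silently drops the inline credentials, because the whole secret-creation block is now skipped whenever `sourceBucketSecretRef` is non-empty and nothing logs that the referenced secret is used instead. A mutual-exclusion check next to the other argument validation would turn this into an error rather than a surprise, e.g. `if sourceBucketSecretRef != "" && (sourceBucketAccessKey != "" || sourceBucketSecretKey != "") { return fmt.Errorf("--secret-ref cannot be combined with --access-key/--secret-key") }`. The referenced secret is also never looked up through `kubeClient`, so a typo in the name only surfaces as a reconcile failure on the Bucket object. The function continues past the end of this hunk.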
@@ -87,15 +87,17 @@ For private Git repositories, the basic authentication credentials are stored in } var ( - sourceGitURL string - sourceGitBranch string - sourceGitTag string - sourceGitSemver string - sourceGitUsername string - sourceGitPassword string + sourceGitURL string + sourceGitBranch string + sourceGitTag string + sourceGitSemver string + sourceGitUsername string + sourceGitPassword string + sourceGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa" sourceGitRSABits flags.RSAKeyBits = 2048 sourceGitECDSACurve = flags.ECDSACurve{Curve: elliptic.P384()} + sourceGitSecretRef string ) func init() { @@ -108,6 +110,7 @@ func init() { createSourceGitCmd.Flags().Var(&sourceGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description()) createSourceGitCmd.Flags().Var(&sourceGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description()) createSourceGitCmd.Flags().Var(&sourceGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description()) + createSourceGitCmd.Flags().StringVarP(&sourceGitSecretRef, "secret-ref", "", "", "the name of an existing secret containing SSH or basic credentials") createSourceCmd.AddCommand(createSourceGitCmd) } @@ -162,6 +165,11 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error { } if export { + if sourceGitSecretRef != "" { + gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{ + Name: sourceGitSecretRef, + } + } return exportGit(gitRepository) } @@ -175,7 +183,9 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error { withAuth := false // TODO(hidde): move all auth prep to separate func? - if u.Scheme == "ssh" { + if sourceGitSecretRef != "" { + withAuth = true + } else if u.Scheme == "ssh" { logger.Actionf("generating deploy key pair") pair, err := generateKeyPair(ctx) if err != nil { 
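Review bot: The flag is registered with `StringVarP(..., "secret-ref", "", "", ...)`, i.e. an empty shorthand, where the bucket command uses plain `StringVar`; `createSourceGitCmd.Flags().StringVar(&sourceGitSecretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")` states the intent and keeps the three commands consistent. The help text should also name the keys the referenced secret must carry, since a user creating it by hand has no other source for them; the generated secret's keys for SSH and basic auth are written outside this hunk, so the wording has to be taken from there. The enclosing `init` starts outside this hunk.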
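Review bot: When `--secret-ref` is given, the new first branch sets `withAuth = true` and short-circuits the rest of the chain, so `--username`/`--password` are silently ignored rather than rejected (skipping the SSH key generation is the intended part). An explicit check before this point, `if sourceGitSecretRef != "" && (sourceGitUsername != "" || sourceGitPassword != "") { return fmt.Errorf("--secret-ref cannot be combined with --username/--password") }`, avoids users believing the inline credentials were applied. The branch also makes no attempt to confirm that the referenced secret matches the scheme parsed into `u` (an SSH identity for `ssh://`, basic auth otherwise), leaving that to the controller. The `else if` chain and the rest of `createSourceGitCmdRun` continue outside this hunk.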
@@ -240,8 +250,12 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error { logger.Generatef("generating GitRepository source") if withAuth { + secretName := name + if sourceGitSecretRef != "" { + secretName = sourceGitSecretRef + } gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{ - Name: name, + Name: secretName, } } diff --git a/cmd/gotk/create_source_helm.go b/cmd/gotk/create_source_helm.go index e8e61f41..5598d0ac 100644 --- a/cmd/gotk/create_source_helm.go +++ b/cmd/gotk/create_source_helm.go @@ -63,12 +63,13 @@ For private Helm repositories, the basic authentication credentials are stored i } var ( - sourceHelmURL string - sourceHelmUsername string - sourceHelmPassword string - sourceHelmCertFile string - sourceHelmKeyFile string - sourceHelmCAFile string + sourceHelmURL string + sourceHelmUsername string + sourceHelmPassword string + sourceHelmCertFile string + sourceHelmKeyFile string + sourceHelmCAFile string + sourceHelmSecretRef string ) func init() { @@ -78,6 +79,7 @@ func init() { createSourceHelmCmd.Flags().StringVar(&sourceHelmCertFile, "cert-file", "", "TLS authentication cert file path") createSourceHelmCmd.Flags().StringVar(&sourceHelmKeyFile, "key-file", "", "TLS authentication key file path") createSourceHelmCmd.Flags().StringVar(&sourceHelmCAFile, "ca-file", "", "TLS authentication CA file path") + createSourceHelmCmd.Flags().StringVarP(&sourceHelmSecretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials") createSourceCmd.AddCommand(createSourceHelmCmd) } @@ -87,7 +89,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error { return fmt.Errorf("HelmRepository source name is required") } name := args[0] - secretName := fmt.Sprintf("helm-%s", name) if sourceHelmURL == "" { return fmt.Errorf("url is required") 
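Review bot: `spec.secretRef` is now assigned in two places for the `--secret-ref` case — inside the `if export` branch earlier in the function and again here via the `secretName` override — whereas the bucket and helm commands set it once before the export check. Setting it once, `if sourceGitSecretRef != "" { gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{Name: sourceGitSecretRef} }` placed just before `if export`, would let this hunk go back to `Name: name` and drop the `secretName` shuffle, with `withAuth` covering only the generated-secret path. Both the `if export` branch and the remainder of the function lie outside this hunk.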
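Review bot: The help text for the helm command's `--secret-ref` should list the keys the referenced secret must provide, because this command's own secret uses `username`/`password` for basic auth and `certFile`/`keyFile`/`caFile` for TLS (visible further down in the same file) and a hand-made secret with different keys will be silently useless: `"the name of an existing secret containing TLS (certFile, keyFile, caFile) or basic auth (username, password) credentials"`. The docs/cmd markdown appears to be generated from this string, so fixing it here fixes both. As in the git command, `StringVarP` with an empty shorthand should be `StringVar` to match the bucket command. The enclosing `init` starts outside this hunk.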
@@ -122,6 +123,12 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error { }, } + if sourceHelmSecretRef != "" { + helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{ + Name: sourceHelmSecretRef, + } + } + if export { return exportHelmRepository(*helmRepository) } 
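Review bot: Nothing rejects `--secret-ref` combined with `-u/-p`, `--cert-file`, `--key-file` or `--ca-file`; once this guard sets `spec.secretRef` the secret-creation block later in the function is skipped, so those flags are discarded without a word, and a CA file the user expected to be trusted simply is not. A validation step next to the existing `url is required` check keeps the failure loud, e.g. `if sourceHelmSecretRef != "" && (sourceHelmUsername != "" || sourceHelmPassword != "" || sourceHelmCertFile != "" || sourceHelmKeyFile != "" || sourceHelmCAFile != "") { return fmt.Errorf("--secret-ref cannot be combined with --username/--password or --cert-file/--key-file/--ca-file") }`. That check belongs earlier in `createSourceHelmCmdRun`, outside this hunk.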
@@ -135,51 +142,54 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error { } logger.Generatef("generating HelmRepository source") + if sourceHelmSecretRef == "" { + secretName := fmt.Sprintf("helm-%s", name) - secret := corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: secretName, - Namespace: namespace, - }, - StringData: map[string]string{}, - } - - if sourceHelmUsername != "" && sourceHelmPassword != "" { - secret.StringData["username"] = sourceHelmUsername - secret.StringData["password"] = sourceHelmPassword - } - - if sourceHelmCertFile != "" && sourceHelmKeyFile != "" { - cert, err := ioutil.ReadFile(sourceHelmCertFile) - if err != nil { - return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err) + secret := corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: secretName, + Namespace: namespace, + }, + StringData: map[string]string{}, } - secret.StringData["certFile"] = string(cert) - key, err := ioutil.ReadFile(sourceHelmKeyFile) - if err != nil { - return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err) + if sourceHelmUsername != "" && sourceHelmPassword != "" { + secret.StringData["username"] = sourceHelmUsername + secret.StringData["password"] = sourceHelmPassword } - secret.StringData["keyFile"] = string(key) - } - if sourceHelmCAFile != "" { - ca, err := ioutil.ReadFile(sourceHelmCAFile) - if err != nil { - return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err) + if sourceHelmCertFile != "" && sourceHelmKeyFile != "" { + cert, err := ioutil.ReadFile(sourceHelmCertFile) + if err != nil { + return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err) + } + secret.StringData["certFile"] = string(cert) + + key, err := ioutil.ReadFile(sourceHelmKeyFile) + if err != nil { + return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err) + } + secret.StringData["keyFile"] = 
string(key) } - secret.StringData["caFile"] = string(ca) - } - if len(secret.StringData) > 0 { - logger.Actionf("applying secret with repository credentials") - if err := upsertSecret(ctx, kubeClient, secret); err != nil { - return err + if sourceHelmCAFile != "" { + ca, err := ioutil.ReadFile(sourceHelmCAFile) + if err != nil { + return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err) + } + secret.StringData["caFile"] = string(ca) } - helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{ - Name: secretName, + + if len(secret.StringData) > 0 { + logger.Actionf("applying secret with repository credentials") + if err := upsertSecret(ctx, kubeClient, secret); err != nil { + return err + } + helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{ + Name: secretName, + } + logger.Successf("authentication configured") } - logger.Successf("authentication configured") } logger.Actionf("applying HelmRepository source") diff --git a/docs/cmd/gotk_create_source_bucket.md b/docs/cmd/gotk_create_source_bucket.md index ded84619..abfa06f7 100644 --- a/docs/cmd/gotk_create_source_bucket.md +++ b/docs/cmd/gotk_create_source_bucket.md @@ -45,6 +45,7 @@ gotk create source bucket [name] [flags] --provider sourceBucketProvider the S3 compatible storage provider name, available options are: (generic, aws) (default generic) --region string the bucket region --secret-key string the bucket secret key + --secret-ref string the name of an existing secret containing credentials ``` ### Options inherited from parent commands diff --git a/docs/cmd/gotk_create_source_git.md b/docs/cmd/gotk_create_source_git.md index e0be5c48..4ee59b48 100644 --- a/docs/cmd/gotk_create_source_git.md +++ b/docs/cmd/gotk_create_source_git.md 
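Review bot: In the `--secret-ref` path this block now does nothing and the `authentication configured` message is never printed, so the user gets neither confirmation nor any check that the named secret exists in `namespace`; a mistyped name only fails at reconcile time. Assuming `kubeClient` is a controller-runtime client, a lookup before `applying HelmRepository source` such as `if err := kubeClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: sourceHelmSecretRef}, &corev1.Secret{}); err != nil { return fmt.Errorf("secret '%s' not found in namespace '%s': %w", sourceHelmSecretRef, namespace, err) }` followed by `logger.Successf("using existing secret %s", sourceHelmSecretRef)` gives the same feedback as the generated path (the `types` import is not visible here and may need adding). The same gap exists in the bucket and git commands. The function continues past the end of this hunk.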
@@ -58,6 +58,7 @@ gotk create source git [name] [flags] --branch string git branch (default "master") -h, --help help for git -p, --password string basic authentication password + --secret-ref string the name of an existing secret containing SSH or basic credentials --ssh-ecdsa-curve ecdsaCurve SSH ECDSA public key curve (p256, p384, p521) (default p384) --ssh-key-algorithm publicKeyAlgorithm SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa) --ssh-rsa-bits rsaKeyBits SSH RSA public key bit size (multiplies of 8) (default 2048) diff --git a/docs/cmd/gotk_create_source_helm.md b/docs/cmd/gotk_create_source_helm.md index 5470e180..b3baeb1c 100644 --- a/docs/cmd/gotk_create_source_helm.md +++ b/docs/cmd/gotk_create_source_helm.md @@ -38,13 +38,14 @@ gotk create source helm [name] [flags] ### Options ``` - --ca-file string TLS authentication CA file path - --cert-file string TLS authentication cert file path - -h, --help help for helm - --key-file string TLS authentication key file path - -p, --password string basic authentication password - --url string Helm repository address - -u, --username string basic authentication username + --ca-file string TLS authentication CA file path + --cert-file string TLS authentication cert file path + -h, --help help for helm + --key-file string TLS authentication key file path + -p, --password string basic authentication password + --secret-ref string the name of an existing secret containing TLS or basic auth credentials + --url string Helm repository address + -u, --username string basic authentication username ``` ### Options inherited from parent commands