feat: allow ssh git clone (#25)
* feat: allow ssh git clone

* chore: update go.sum

* chore: update go.sum

* chore: update go.sum

* fix: use go-git v5 for plumbing ssh

* feat: make the runner handle the secret keys

* feat: mount secrets only if secretRef is specified

* feat: use gcr for runner image

* fix: add auth if password and username are specified

* feat: add ssh known hosts env var for runner

* feat: mount ssh known host file from configmap

* fix: typo

* feat: use var to point to known_hosts file

* chore: rename method

* chore: mount known hosts to other path

* feat: use secretName instead of secretRef in terraform repository

* chore: remove all fatalf in runner
spoukke authored Dec 30, 2022
1 parent 67239c3 commit 4158c89
Showing 9 changed files with 140 additions and 314 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
.ssh/*

# Binaries for programs and plugins
*.exe
Expand Down
5 changes: 2 additions & 3 deletions api/v1alpha1/terraformrepository_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ limitations under the License.
package v1alpha1

import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand All @@ -33,8 +32,8 @@ type TerraformRepositorySpec struct {
}

type TerraformRepositoryRepository struct {
Url string `json:"url,omitempty"`
SecretRef corev1.SecretReference `json:"secretRef,omitempty"`
Url string `json:"url,omitempty"`
SecretName string `json:"secretName,omitempty"`
}

// TerraformRepositoryStatus defines the observed state of TerraformRepository
Expand Down
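Review bot: The new `SecretName` field on `TerraformRepositoryRepository` has no doc comment, so nothing in the API type tells a user which namespace the Secret is resolved in or which keys it must contain. From controllers/pod.go in this same commit the name is placed in a `SecretKeySelector` on the runner pod, so the Secret has to exist in the namespace the runner pod is created in and is read for the optional keys `username`, `password` and `sshPrivateKey`. Suggest a comment above the field such as `// SecretName names a Secret in the runner pod's namespace holding the optional keys "username", "password" and "sshPrivateKey" used to authenticate the git clone.` Replacing `SecretRef` (which carried a namespace) with a bare name also means a cross-namespace secret can no longer be expressed; if that is intended it is worth stating in the CRD description so the limitation is not rediscovered in production.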
3 changes: 1 addition & 2 deletions api/v1alpha1/zz_generated.deepcopy.go


8 changes: 4 additions & 4 deletions burrito/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,10 @@ type ControllerTimers struct {
}

type RepositoryConfig struct {
URL string `yaml:"url"`
SSH string `yaml:"ssh"`
Username string `yaml:"username"`
Password string `yaml:"password"`
URL string `yaml:"url"`
SSHPrivateKey string `yaml:"sshPrivateKey"`
Username string `yaml:"username"`
Password string `yaml:"password"`
}

type RunnerConfig struct {
Expand Down
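Review bot: `SSHPrivateKey` now carries private key material inside `RepositoryConfig` next to the URL and username, and nothing marks the field as sensitive, so any `%+v` print or debug log of the config struct would emit the key. A field comment such as `// SSHPrivateKey holds the ssh private key used to clone the repository; it is secret material and this struct must not be logged or dumped verbatim.` makes the hazard visible to the next maintainer. The runner code that loads and consumes this field is not part of the diff, so whether the struct is currently logged anywhere cannot be confirmed from here; the value appears to arrive via the `BURRITO_RUNNER_REPOSITORY_SSHPRIVATEKEY` environment variable set in controllers/pod.go, which is worth stating in the same comment.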
Original file line number Diff line number Diff line change
Expand Up @@ -38,20 +38,8 @@ spec:
properties:
repository:
properties:
secretRef:
description: SecretReference represents a Secret Reference. It
has enough information to retrieve secret in any namespace
properties:
name:
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which the
secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
secretName:
type: string
url:
type: string
type: object
Expand Down
71 changes: 58 additions & 13 deletions controllers/pod.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,44 @@ func getPod(layer *configv1alpha1.TerraformLayer, repository *configv1alpha1.Ter
Value: "apply",
})
}
if repository.Spec.Repository.SecretName != "" {
pod.Spec.Containers[0].Env = append(pod.Spec.Containers[0].Env, corev1.EnvVar{
Name: "BURRITO_RUNNER_REPOSITORY_USERNAME",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: repository.Spec.Repository.SecretName,
},
Key: "username",
Optional: &[]bool{true}[0],
},
},
})
pod.Spec.Containers[0].Env = append(pod.Spec.Containers[0].Env, corev1.EnvVar{
Name: "BURRITO_RUNNER_REPOSITORY_PASSWORD",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: repository.Spec.Repository.SecretName,
},
Key: "password",
Optional: &[]bool{true}[0],
},
},
})
pod.Spec.Containers[0].Env = append(pod.Spec.Containers[0].Env, corev1.EnvVar{
Name: "BURRITO_RUNNER_REPOSITORY_SSHPRIVATEKEY",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: repository.Spec.Repository.SecretName,
},
Key: "sshPrivateKey",
Optional: &[]bool{true}[0],
},
},
})
}
return pod
}

Expand All @@ -42,20 +80,35 @@ func defaultPodSpec(layer *configv1alpha1.TerraformLayer, repository *configv1al
Name: "repository",
VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
},
{
Name: "ssh-known-hosts",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "burrito-ssh-known-hosts",
},
Optional: &[]bool{true}[0],
},
},
},
},
RestartPolicy: corev1.RestartPolicyNever,
ServiceAccountName: "burrito-runner",
Containers: []corev1.Container{
{
Name: "runner",
Image: fmt.Sprintf("ghcr.io/padok-team/burrito:%s", "latest"),
Image: fmt.Sprintf("eu.gcr.io/padok-playground/burrito:%s", "latest"),
WorkingDir: "/repository",
Args: []string{"runner", "start"},
VolumeMounts: []corev1.VolumeMount{
{
Name: "repository",
MountPath: "/repository",
},
{
MountPath: "/go/.ssh/",
Name: "ssh-known-hosts",
},
},
Env: []corev1.EnvVar{
{
Expand All @@ -74,18 +127,6 @@ func defaultPodSpec(layer *configv1alpha1.TerraformLayer, repository *configv1al
Name: "BURRITO_RUNNER_REPOSITORY_URL",
Value: repository.Spec.Repository.Url,
},
{
Name: "BURRITO_RUNNER_REPOSITORY_SSH",
Value: "",
},
{
Name: "BURRITO_RUNNER_REPOSITORY_USERNAME",
Value: "",
},
{
Name: "BURRITO_RUNNER_REPOSITORY_PASSWORD",
Value: "",
},
{
Name: "BURRITO_RUNNER_PATH",
Value: layer.Spec.Path,
Expand All @@ -106,6 +147,10 @@ func defaultPodSpec(layer *configv1alpha1.TerraformLayer, repository *configv1al
Name: "BURRITO_RUNNER_LAYER_NAMESPACE",
Value: layer.GetObjectMeta().GetNamespace(),
},
{
Name: "SSH_KNOWN_HOSTS",
Value: "/go/.ssh/known_hosts",
},
},
},
},
Expand Down
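Review bot: The ssh private key is delivered to the runner as the `BURRITO_RUNNER_REPOSITORY_SSHPRIVATEKEY` environment variable in getPod's new `if repository.Spec.Repository.SecretName != ""` block; environment variables are readable by every process in the container and routinely surface in crash dumps and debug output, so consider projecting the Secret as a volume (this section already mounts the `burrito-ssh-known-hosts` ConfigMap that way) and pointing the runner at a file path instead. Independently of that, the three `append` calls differ only in env name and secret key, and a small helper removes the repetition and the `&[]bool{true}[0]` idiom, as sketched below. The image line `Image: fmt.Sprintf("eu.gcr.io/padok-playground/burrito:%s", "latest")` now hard-codes a "playground" registry into the controller; if this was a local-testing change it should be reverted or made configurable before release. getPod and defaultPodSpec both begin outside their hunks.
```go
// secretEnvVar builds an EnvVar whose value is read from key in secretName.
// The key is optional so a Secret holding only ssh or only username/password
// material still produces a valid pod.
func secretEnvVar(name, secretName, key string) corev1.EnvVar {
	optional := true
	return corev1.EnvVar{
		Name: name,
		ValueFrom: &corev1.EnvVarSource{
			SecretKeyRef: &corev1.SecretKeySelector{
				LocalObjectReference: corev1.LocalObjectReference{Name: secretName},
				Key:                  key,
				Optional:             &optional,
			},
		},
	}
}

// … unchanged: start of getPod, apply/plan action env …
	if secretName := repository.Spec.Repository.SecretName; secretName != "" {
		env := &pod.Spec.Containers[0].Env
		*env = append(*env,
			secretEnvVar("BURRITO_RUNNER_REPOSITORY_USERNAME", secretName, "username"),
			secretEnvVar("BURRITO_RUNNER_REPOSITORY_PASSWORD", secretName, "password"),
			secretEnvVar("BURRITO_RUNNER_REPOSITORY_SSHPRIVATEKEY", secretName, "sshPrivateKey"),
		)
	}
	return pod
```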
29 changes: 5 additions & 24 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -31,41 +31,26 @@ require (
)

require (
cloud.google.com/go v0.104.0 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.27 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/emicklei/go-restful/v3 v3.9.0 // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-git/go-git v4.7.0+incompatible
github.com/go-git/go-git/v5 v5.5.1
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-logr/zapr v1.2.3 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/go-playground/webhooks v5.17.0+incompatible
github.com/go-redis/redis v6.15.9+incompatible
github.com/go-redis/redis/v8 v8.11.5 // indirect
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
github.com/go-redis/redis/v8 v8.11.5
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/gofuzz v1.1.0 // indirect
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/hashicorp/go-version v1.6.0
github.com/hashicorp/hc-install v0.4.0
Expand All @@ -82,8 +67,6 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/nxadm/tail v1.4.8 // indirect
github.com/onsi/ginkgo v1.16.5 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.0.5 // indirect
github.com/pkg/errors v0.9.1 // indirect
Expand All @@ -93,10 +76,10 @@ require (
github.com/prometheus/procfs v0.8.0 // indirect
github.com/spf13/afero v1.9.2 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/cobra v1.6.1 // indirect
github.com/spf13/cobra v1.6.1
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.14.0 // indirect
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.14.0
github.com/subosito/gotenv v1.4.1 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
Expand All @@ -108,16 +91,14 @@ require (
golang.org/x/term v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.2.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.28.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.26.0 // indirect
k8s.io/api v0.26.0
k8s.io/apiextensions-apiserver v0.26.0 // indirect
k8s.io/component-base v0.26.0 // indirect
k8s.io/klog/v2 v2.80.1 // indirect
Expand Down