prefetch: add git auth support and logging
- needed for private repos
- add ability to turn on cachi2 debug logging

Signed-off-by: Scott Hebert <[email protected]>
scoheb committed Apr 17, 2024
1 parent c5ea8d8 commit ebdc1a2
Showing 2 changed files with 67 additions and 7 deletions.
10 changes: 6 additions & 4 deletions task/prefetch-dependencies/0.1/README.md
Expand Up @@ -4,12 +4,14 @@ Task that uses Cachi2 to prefetch build dependencies.
See docs at https://github.com/containerbuildsystem/cachi2#basic-usage.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|input|Configures project packages that will have their dependencies prefetched.||true|
|dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false|
|name| description |default value|required|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------------|---|---|
|input| Configures project packages that will have their dependencies prefetched. ||true|
|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false|
|enable-debug-logging| Enable debug logging with cachi2 |false|false|

## Workspaces
|name|description|optional|
|---|---|---|
|source|Workspace with the source code, cachi2 artifacts will be stored on the workspace as well|false|
|basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. |true|
64 changes: 61 additions & 3 deletions task/prefetch-dependencies/0.1/prefetch-dependencies.yaml
Expand Up @@ -19,6 +19,10 @@ spec:
notice. Use at your own risk.
name: dev-package-managers
default: "false"
- description: >
Enable cachi2 debug logging
name: enable-debug-logging
default: "false"
- name: caTrustConfigMapName
type: string
description: The name of the ConfigMap to read CA bundle data from.
Expand All @@ -27,6 +31,11 @@ spec:
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data.
default: ca-bundle.crt
- default: /tekton/home
description: |
Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.
name: userHome
type: string
steps:
- image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
Expand All @@ -38,6 +47,14 @@ spec:
value: $(params.input)
- name: DEV_PACKAGE_MANAGERS
value: $(params.dev-package-managers)
- name: ENABLE_DEBUG
value: $(params.enable-debug-logging)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
value: $(workspaces.basic-auth.bound)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
value: $(workspaces.basic-auth.path)
- name: PARAM_USER_HOME
value: $(params.userHome)
volumeMounts:
- name: trusted-ca
mountPath: /mnt/trusted-ca
Expand All @@ -55,29 +72,70 @@ spec:
dev_pacman_flag=""
fi
if [ "$ENABLE_DEBUG" = "true" ]; then
debug_log_flag="--log-level=debug"
else
debug_log_flag=""
fi
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
# Compatibility with kubernetes.io/basic-auth secrets
elif [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password" ]; then
HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')
echo "https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME" > "${PARAM_USER_HOME}/.git-credentials"
echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${PARAM_USER_HOME}/.gitconfig"
else
echo "Unknown basic-auth workspace format"
exit 1
fi
chmod 400 "${PARAM_USER_HOME}/.git-credentials"
chmod 400 "${PARAM_USER_HOME}/.gitconfig"
# needed or else you'll see "could not read Username for 'https://gitlab.com':"
cd $(workspaces.source.path)/source && git config remote.origin.url $(cat "${PARAM_USER_HOME}/.git-credentials")
fi
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
cachi2 fetch-deps \
cachi2 \
$debug_log_flag \
fetch-deps \
$dev_pacman_flag \
--source=$(workspaces.source.path)/source \
--output=$(workspaces.source.path)/cachi2/output \
"${INPUT}"
cachi2 generate-env $(workspaces.source.path)/cachi2/output \
cachi2 \
$debug_log_flag \
generate-env \
$(workspaces.source.path)/cachi2/output \
--format env \
--for-output-dir=/cachi2/output \
--output $(workspaces.source.path)/cachi2/cachi2.env
cachi2 inject-files $(workspaces.source.path)/cachi2/output \
cachi2 \
$debug_log_flag \
inject-files \
$(workspaces.source.path)/cachi2/output \
--for-output-dir=/cachi2/output
workspaces:
- name: source
description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well
- description: |
A Workspace containing a .gitconfig and .git-credentials file or username and password.
These will be copied to the user's home before any git commands are run. Any
other files in this Workspace are ignored. It is strongly recommended
to use ssh-directory over basic-auth whenever possible and to bind a
Secret to this Workspace over other volume types.
name: basic-auth
optional: true
volumes:
- name: trusted-ca
configMap:
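Review bot: The added `git config remote.origin.url $(cat "${PARAM_USER_HOME}/.git-credentials")` line writes the contents of the credentials file, username and password included, into `.git/config` of the checkout on the shared source workspace, where it outlives this step and is readable by whatever consumes that workspace later; the `chmod 400` on the copy under the home directory does not cover it. The command substitution is also unquoted, so a `.git-credentials` file with more than one entry is split into several arguments. In the username/password branch, `HOSTNAME` is derived from `$PARAM_URL`, which is not among the env entries visible in this section (the env list starts outside the hunk, so confirm); if it is unset, the stored entry has no host and the credential helper cannot match it, which may be why the URL rewrite looked necessary. I would take the host from the checkout, `HOSTNAME=$(git -C "$(workspaces.source.path)/source" config --get remote.origin.url | awk -F/ '{print $3}')`, and drop the `remote.origin.url` rewrite so the secret stays only in the mode-400 file. The step's script begins outside this hunk.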