diff --git a/task/prefetch-dependencies/0.1/README.md b/task/prefetch-dependencies/0.1/README.md index 076b1f338b..eabf51b5bf 100644 --- a/task/prefetch-dependencies/0.1/README.md +++ b/task/prefetch-dependencies/0.1/README.md @@ -4,12 +4,14 @@ Task that uses Cachi2 to prefetch build dependencies. See docs at https://github.com/containerbuildsystem/cachi2#basic-usage. ## Parameters -|name|description|default value|required| -|---|---|---|---| -|input|Configures project packages that will have their dependencies prefetched.||true| -|dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false| +|name| description |default value|required| +|---|-----------------------------------------------------------------------------------------------------------------------------------------------------|---|---| +|input| Configures project packages that will have their dependencies prefetched. ||true| +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false| +|log-level| Set cachi2 log level |info|false| ## Workspaces |name|description|optional| |---|---|---| |source|Workspace with the source code, cachi2 artifacts will be stored on the workspace as well|false| +|basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. |true| diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index a290248a15..c4aba18076 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml 
+++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml @@ -19,6 +19,10 @@ spec: notice. Use at your own risk. name: dev-package-managers default: "false" + - description: > + Set cachi2 log level + name: log-level + default: "info" - name: caTrustConfigMapName type: string description: The name of the ConfigMap to read CA bundle data from. @@ -27,6 +31,11 @@ spec: type: string description: The name of the key in the ConfigMap that contains the CA bundle data. default: ca-bundle.crt + - default: /tekton/home + description: | + Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. + name: userHome + type: string steps: - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting @@ -38,6 +47,14 @@ spec: value: $(params.input) - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) + - name: LOG_LEVEL + value: $(params.log-level) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + - name: PARAM_USER_HOME + value: $(params.userHome) volumeMounts: - name: trusted-ca mountPath: /mnt/trusted-ca 
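Review bot: The env entries added in this hunk do not include `PARAM_URL`, yet the username/password branch added later in this commit computes `HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')`. Unless the variable is set outside the lines shown, HOSTNAME is empty there. The step would then write `https://<username>:<password>@` with no host into `.git-credentials` and a `[credential "https://"]` section into `.gitconfig`, so the kubernetes.io/basic-auth format likely does not authenticate as intended and the credential is not tied to one host. No URL parameter is visible in this diff, so either add one and export it with a `- name: PARAM_URL` entry in this env list, or derive the host from the cloned repository's remote. The env list begins outside this hunk.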
@@ -55,6 +72,31 @@ spec: dev_pacman_flag="" fi + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then + if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" + # + # needed or else you'll see "could not read Username for 'https://gitlab.com':" + # See https://wahlnetwork.com/2020/08/11/using-private-git-repositories-as-terraform-modules/ + # (1) add path to creds in gitconfig file + sed -i "s#store#store --file ${PARAM_USER_HOME}/.git-credentials#g" "${PARAM_USER_HOME}/.gitconfig" + # (2) add this snippet to the cloned repo's config + cat "${PARAM_USER_HOME}/.gitconfig" >> $(workspaces.source.path)/source/.git/config + # + # Compatibility with kubernetes.io/basic-auth secrets + elif [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password" ]; then + HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}') + echo "https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME" > "${PARAM_USER_HOME}/.git-credentials" + echo -e "[credential \"https://$HOSTNAME\"]\n helper = store --file ${PARAM_USER_HOME}/.git-credentials" > "${PARAM_USER_HOME}/.gitconfig" + else + echo "Unknown basic-auth workspace format" + exit 1 + fi + chmod 400 "${PARAM_USER_HOME}/.git-credentials" + chmod 400 "${PARAM_USER_HOME}/.gitconfig" + fi + ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" 
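Review bot: The `.git-credentials` and `.gitconfig` files in this hunk are created by `cp` and `echo >` under the shell's default umask and are only restricted by the two `chmod 400` calls at the end of the block. Until then the credential file can be readable by other users in the container. Setting `umask 077` directly after the `WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND` test, before the first write, closes that window. In the username/password branch the two values are also placed into the URL unencoded, so a password containing `@`, `:` or `/` yields a malformed credential line. That branch should percent-encode both fields or state the restriction in the workspace description.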
@@ -62,22 +104,40 @@ spec: update-ca-trust fi - cachi2 fetch-deps \ + log_level_flag="--log-level=${LOG_LEVEL}" + + cachi2 \ + $log_level_flag \ + fetch-deps \ $dev_pacman_flag \ --source=$(workspaces.source.path)/source \ --output=$(workspaces.source.path)/cachi2/output \ "${INPUT}" - cachi2 generate-env $(workspaces.source.path)/cachi2/output \ + cachi2 \ + $log_level_flag \ + generate-env \ + $(workspaces.source.path)/cachi2/output \ --format env \ --for-output-dir=/cachi2/output \ --output $(workspaces.source.path)/cachi2/cachi2.env - cachi2 inject-files $(workspaces.source.path)/cachi2/output \ + cachi2 \ + $log_level_flag \ + inject-files \ + $(workspaces.source.path)/cachi2/output \ --for-output-dir=/cachi2/output workspaces: - name: source description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well + - description: | + A Workspace containing a .gitconfig and .git-credentials file or username and password. + These will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. + name: basic-auth + optional: true volumes: - name: trusted-ca configMap:
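Review bot: `$log_level_flag` is expanded unquoted in all three `cachi2` invocations, so a `log-level` value containing whitespace is word-split into extra cachi2 arguments instead of being rejected as an invalid level. Unlike `$dev_pacman_flag`, this flag is never empty, so it can be quoted as `"$log_level_flag" \`, or passed directly as `--log-level="${LOG_LEVEL}"`. The new `basic-auth` workspace description also recommends `ssh-directory`, which does not appear as a workspace of this task in the visible diff. That sentence looks carried over from another task and should be dropped or reworded. The script block starts before this hunk.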