fix(KFLUXBUGS-1215): prefetch: add git auth support and logging

task/prefetch-dependencies/0.1/README.md

@@ -4,12 +4,14 @@ Task that uses Cachi2 to prefetch build dependencies.
 See docs at https://github.com/containerbuildsystem/cachi2#basic-usage.
 
 ## Parameters
-|name|description|default value|required|
-|---|---|---|---|
-|input|Configures project packages that will have their dependencies prefetched.||true|
-|dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false|
+|name| description                                                                                                                                         |default value|required|
+|---|-----------------------------------------------------------------------------------------------------------------------------------------------------|---|---|
+|input| Configures project packages that will have their dependencies prefetched.                                                                           ||true|
+|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk.                          |false|false|
+|log-level| Set cachi2 log level |info|false|
 
 ## Workspaces
 |name|description|optional|
 |---|---|---|
 |source|Workspace with the source code, cachi2 artifacts will be stored on the workspace as well|false|
+|basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. |true|

task/prefetch-dependencies/0.1/prefetch-dependencies.yaml

@@ -19,6 +19,10 @@ spec:
       notice. Use at your own risk.
     name: dev-package-managers
     default: "false"
+  - description: >
+      Set cachi2 log level
+    name: log-level
+    default: "info"
   - name: caTrustConfigMapName
     type: string
     description: The name of the ConfigMap to read CA bundle data from.
@@ -27,6 +31,11 @@ spec:
     type: string
     description: The name of the key in the ConfigMap that contains the CA bundle data.
     default: ca-bundle.crt
+  - default: /tekton/home
+    description: |
+      Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.
+    name: userHome
+    type: string
   steps:
   - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
@@ -38,6 +47,14 @@ spec:
       value: $(params.input)
     - name: DEV_PACKAGE_MANAGERS
       value: $(params.dev-package-managers)
+    - name: LOG_LEVEL
+      value: $(params.log-level)
+    - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
+      value: $(workspaces.basic-auth.bound)
+    - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
+      value: $(workspaces.basic-auth.path)
+    - name: PARAM_USER_HOME
+      value: $(params.userHome)
     volumeMounts:
       - name: trusted-ca
         mountPath: /mnt/trusted-ca
@@ -55,29 +72,72 @@ spec:
         dev_pacman_flag=""
       fi
 
+      if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
+        if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then
+          cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
+          cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
+          #
+          # needed or else you'll see "could not read Username for 'https://gitlab.com':"
+          # See https://wahlnetwork.com/2020/08/11/using-private-git-repositories-as-terraform-modules/
+          #   (1) add path to creds in gitconfig file
+          sed -i "s#store#store --file ${PARAM_USER_HOME}/.git-credentials#g" "${PARAM_USER_HOME}/.gitconfig"
+          #   (2) add this snippet to the cloned repo's config
+          cat "${PARAM_USER_HOME}/.gitconfig" >> $(workspaces.source.path)/source/.git/config
+          #
+        # Compatibility with kubernetes.io/basic-auth secrets
+        elif [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password" ]; then
+          HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')
+          echo "https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME" > "${PARAM_USER_HOME}/.git-credentials"
+          echo -e "[credential \"https://$HOSTNAME\"]\n  helper = store --file ${PARAM_USER_HOME}/.git-credentials" > "${PARAM_USER_HOME}/.gitconfig"
+        else
+          echo "Unknown basic-auth workspace format"
+          exit 1
+        fi
+        chmod 400 "${PARAM_USER_HOME}/.git-credentials"
+        chmod 400 "${PARAM_USER_HOME}/.gitconfig"
+      fi
+
       ca_bundle=/mnt/trusted-ca/ca-bundle.crt
       if [ -f "$ca_bundle" ]; then
         echo "INFO: Using mounted CA bundle: $ca_bundle"
         cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
         update-ca-trust
       fi
 
-      cachi2 fetch-deps \
+      log_level_flag="--log-level=${LOG_LEVEL}"
+
+      cachi2 \
+      $log_level_flag \
+      fetch-deps \
       $dev_pacman_flag \
       --source=$(workspaces.source.path)/source \
       --output=$(workspaces.source.path)/cachi2/output \
       "${INPUT}"
 
-      cachi2 generate-env $(workspaces.source.path)/cachi2/output \
+      cachi2 \
+      $log_level_flag \
+      generate-env \
+      $(workspaces.source.path)/cachi2/output \
       --format env \
       --for-output-dir=/cachi2/output \
       --output $(workspaces.source.path)/cachi2/cachi2.env
 
-      cachi2 inject-files $(workspaces.source.path)/cachi2/output \
+      cachi2 \
+      $log_level_flag \
+      inject-files \
+      $(workspaces.source.path)/cachi2/output \
       --for-output-dir=/cachi2/output
   workspaces:
   - name: source
     description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well
+  - description: |
+      A Workspace containing a .gitconfig and .git-credentials file or username and password.
+      These will be copied to the user's home before any git commands are run. Any
+      other files in this Workspace are ignored. It is strongly recommended
+      to use ssh-directory over basic-auth whenever possible and to bind a
+      Secret to this Workspace over other volume types.
+    name: basic-auth
+    optional: true
   volumes:
     - name: trusted-ca
       configMap: