Enable Goole WIF Support for Tecton-Caches

SRVKP-6522 - Enable Google WIF Support

SRVKP-6522 - Fix Lint

dev/google-wif.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -x
+#Step 0 - Define Common Variables
+
+    POOL_ID=openshift-pool
+    PROVIDER_ID=opeshift-wif
+    NAMESPACE=default
+    SERVICE_ACCOUNT=default
+    PROJECT_ID=pipelines-qe
+    PROJECT_NUMBER=272779626560
+    MAPPED_SUBJECT=system:serviceaccount:$NAMESPACE:$SERVICE_ACCOUNT
+
+#Step 1 - Enable IAM APIs on Google Cloud
+
+# Step 2 - Define an attribute mapping and condition
+    MAPPINGS=google.subject=assertion.sub
+
+
+#Step 3 - Create workload identity pool and provider
+    ISSUER=$(kubectl get --raw /.well-known/openid-configuration | jq -r .issuer)
+
+
+# Download the cluster's JSON Web Key Set (JWKS):
+    kubectl get --raw /openid/v1/jwks > cluster-jwks.json
+
+
+#   Create a new workload identity pool:
+    gcloud iam workload-identity-pools create $POOL_ID \
+        --location="global" \
+        --description="DESCRIPTION" \
+        --display-name="DISPLAY_NAME"
+
+
+#   Add the Kubernetes cluster as a workload identity pool provider and upload the cluster's JWKS:
+
+    gcloud iam workload-identity-pools providers create-oidc $PROVIDER_ID \
+        --location="global" \
+        --workload-identity-pool=$POOL_ID \
+        --issuer-uri=$ISSUER \
+        --attribute-mapping=$MAPPINGS \
+        --jwk-json-path="cluster-jwks.json"
+
+
+# Create Service Account or use default one
+
+#    kubectl create serviceaccount $KSA_NAME --namespace $NAMESPACE
+
+#   Grant IAM access to the Kubernetes ServiceAccount for a Google Cloud resource.
+    gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
+        --role=roles/owner \
+        --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/$MAPPED_SUBJECT \
+        --condition=None
+
+    gcloud iam workload-identity-pools create-cred-config \
+        projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID \
+        --credential-source-file=/workspace/token/token \
+        --credential-source-type=text \
+        --output-file=credential-configuration.json
+
+
+
+    kubectl -n $NAMESPACE create secret generic gcs-cred --from-file=credential-configuration.json

dev/install.sh

@@ -1,9 +1,29 @@
 #!/usr/bin/env bash
 
+# Create a Kind Cluster if dont have sone
+#kind create cluster --name tekton-caches --config kind/kind-config.yaml
 
+
+# Install Pipelines if not already installed.
+#kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
+
+#Enable Step Actions Feature
 kubectl patch configmap -n tekton-pipelines --type merge -p '{"data":{"enable-step-actions": "true"}}' feature-flags
 
-kubectl create secret generic regcred \
-        --from-file=config.json=${HOME}/.docker/config.json
+# Create Docker creds secret Specifc to OCI Images
+#kubectl create secret generic regcred  --from-file=config.json=${HOME}/.docker/config.json
+
+# Create Secret for AWS S3
+#kubectl create secret generic aws-cred  --from-file=${HOME}/.aws/config --from-file=${HOME}/.aws/credentials 
+
+#Deploy Step Actions
+ko apply -BRf ./step-action
+
+# Deploy Pipelines
+kubectl apply -f ./pipeline
+
+#Create PipelineRuns using this command
+kubectl create -f ./pr
+
 
 

dev/kind/kind-config.yaml

@@ -0,0 +1,7 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+- role: worker
+- role: worker
+- role: worker

dev/pipeline/pipeline-wif.yaml

@@ -0,0 +1,107 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: pipeline-wif
+spec:
+  params:
+    - name: repo_url
+      type: string
+    - name: revision
+      type: string
+    - name: registry
+      type: string
+    - name: buildCommand
+      type: string
+      default: go build -v .
+    - name: cachePatterns
+      type: array
+      default: [ "**go.mod", "**go.sum" ]
+    - name: image
+      type: string
+      default: golang:latest
+    - name: force-cache-upload
+      type: string
+      default: "false"
+  workspaces:
+    - name: source
+    - name: cred
+    - name: token
+  tasks:
+    - displayName: Build go application
+      name: build-task
+      workspaces:
+        - name: source
+        - name: cred
+        - name: token
+      taskSpec:
+        params:
+          - name: buildCommand
+            default: $(params.buildCommand)
+          - name: cachePatterns
+            default: $(params.cachePatterns)
+          - name: image
+            default: $(params.image)
+        steps:
+          - name: create-repo
+            image: $(params.image)
+            script: |
+              mkdir -p $(workspaces.source.path)/repo
+              chmod 777 $(workspaces.source.path)/repo
+          - name: fetch-repo
+            ref:
+              resolver: http
+              params:
+                - name: url
+                  value: https://raw.githubusercontent.com/tektoncd/catalog/main/stepaction/git-clone/0.1/git-clone.yaml
+            params:
+              - name: output-path
+                value: $(workspaces.source.path)/repo
+              - name: url
+                value: $(params.repo_url)
+              - name: revision
+                value: $(params.revision)
+          - name: cache-fetch
+            ref:
+              name: cache-fetch
+            params:
+             - name: patterns
+               value: $(params.cachePatterns)
+             - name: source
+               value: $(params.registry)/cache-go:{{hash}}
+             - name: cachePath
+               value: $(workspaces.source.path)/cache
+             - name: workingdir
+               value: $(workspaces.source.path)/repo
+             - name: googleCredentialsPath
+               value: $(workspaces.cred.path)/credential-configuration.json
+
+          - name: run-go-build
+            workingDir: $(workspaces.source.path)/repo
+            image: $(params.image)
+            env:
+              - name: GOCACHE
+                value: $(workspaces.source.path)/cache/gocache
+              - name: GOMODCACHE
+                value: $(workspaces.source.path)/cache/gomodcache
+            script: |
+              set -x
+              git config --global --add safe.directory $(workspaces.source.path)/repo
+              $(params.buildCommand)
+              echo "Cache size is $(du -sh $(workspaces.source.path)/cache)"
+          - name: cache-upload
+            ref:
+              name: cache-upload
+            params:
+              - name: patterns
+                value: $(params.cachePatterns)
+              - name: target
+                value: $(params.registry)/cache-go:{{hash}}
+              - name: cachePath
+                value: $(workspaces.source.path)/cache
+              - name: workingdir
+                value: $(workspaces.source.path)/repo
+              - name: googleCredentialsPath
+                value: $(workspaces.cred.path)/credential-configuration.json
+              - name: force-cache-upload
+                value: $(params.force-cache-upload)

dev/pr/gcs-wif-pipelinerun.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  generateName: pipelinerun-gcs-
+spec:
+  pipelineRef:
+    name: pipeline-wif
+  params:
+    - name: repo_url
+      value: https://github.com/chmouel/go-helloworld
+    - name: revision
+      value: main
+      # This uses GCS bucket  to upload Caches
+    - name: registry
+      value: gs://tekton-caches
+    - name: buildCommand
+      value: go build -v ./
+    - name: image
+      value: golang:1.21
+  workspaces:
+    - name: source
+      emptyDir: { }
+    - name: cred
+      secret:
+        secretName: gcs-cred
+    - name: token
+      projected:
+        sources:
+          - serviceAccountToken:
+              audience: https://iam.googleapis.com/projects/272779626560/locations/global/workloadIdentityPools/openshift-pool/providers/opeshift-wif
+              expirationSeconds: 3600
+              path: token
+

dev/step-action/cache-upload.yaml

@@ -70,12 +70,12 @@ spec:
       value: $(params.googleCredentialsPath)
     - name: CRED_STORE
       value: $(params.cred-store)
-  # FIXME: use a released version once something is released :)
   image: ko://github.com/openshift-pipelines/tekton-caches/cmd/cache
   args: ["$(params.patterns[*])"]
   script: |
     #!/usr/bin/env sh
     set -x
+    
     if [[ ${PARAM_FORCE_CACHE_UPLOAD} == "false" && ${RESULT_CACHE_FETCHED} == "true" ]]; then
       echo "no need to upload cache"
       exit 0

internal/fetch/fetch.go

@@ -7,12 +7,10 @@ import (
 	"os"
 	"strings"
 
-	"github.com/openshift-pipelines/tekton-caches/internal/tar"
-
-	"github.com/openshift-pipelines/tekton-caches/internal/provider/s3"
-
 	"github.com/openshift-pipelines/tekton-caches/internal/provider/gcs"
 	"github.com/openshift-pipelines/tekton-caches/internal/provider/oci"
+	"github.com/openshift-pipelines/tekton-caches/internal/provider/s3"
+	"github.com/openshift-pipelines/tekton-caches/internal/tar"
 )
 
 func Fetch(ctx context.Context, hash, target, folder string, insecure bool) error {
@@ -39,7 +37,10 @@ func Fetch(ctx context.Context, hash, target, folder string, insecure bool) erro
 		}
 		return tar.Untar(ctx, file, folder)
 	case "gs":
-		return gcs.Fetch(ctx, hash, source, folder)
+		if err := gcs.Fetch(ctx, source, file.Name()); err != nil {
+			return err
+		}
+		return tar.Untar(ctx, file, folder)
 	default:
 		return fmt.Errorf("unknown schema: %s", target)
 	}