From 907070454f9c90ce704f2d3822625728de859bfb Mon Sep 17 00:00:00 2001
From: Siraj Yasin <sirajudeen.yasin@gmail.com>
Date: Wed, 15 Sep 2021 21:05:11 +0000
Subject: [PATCH] Allow pulling from a private airshipctl repo

* Added the logic to support pulling airshipctl from a
  private GitHub repo with HTTP basic authentication.

* Added Username, Password in secrets

Relates-To: #632
Relates-To: #636
Change-Id: If1a1bbfaf9ce543cf35377d367b70676f9e3e9ef
---
 .../artifact-setup/assets/entrypoint.sh       | 15 ++++++-
 .../examples/airshipctl/kustomization.yaml    |  5 +++
 .../examples/airshipctl/replacements.yaml     | 17 +++-----
 .../airshipctl/secret_replacements.yaml       | 42 +++++++++++++++++++
 .../examples/base/airship-in-a-pod.yaml       | 30 ++++++++++---
 .../runner/assets/entrypoint.sh               | 13 ++++++
 6 files changed, 103 insertions(+), 19 deletions(-)
 create mode 100644 tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml

diff --git a/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh b/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh
index 53b6dea33..9c79c4898 100755
--- a/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh
+++ b/tools/airship-in-a-pod/artifact-setup/assets/entrypoint.sh
@@ -27,7 +27,7 @@ function reportStatus() {
 }
 trap reportStatus EXIT
 
-function cloneRepo() {
+function cloneAirshipctlRepo() {
   repo_dir=$1
   repo_url=$2
   repo_ref=$3
@@ -35,8 +35,19 @@ function cloneRepo() {
   mkdir -p "$repo_dir"
   cd "$repo_dir"
 
+  set +x
+  if [[ "$AIRSHIPCTL_REPO_AUTH_TYPE" = "http-basic" ]]
+  then
+    AIRSHIPCTL_REPO_AUTH_USERNAME=$( cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_USERNAME )
+    AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD )
+    proto="$(cut -f1 -d":" <<< $repo_url)://"
+    url="${repo_url/$proto/}"
+    repo_url="${proto}${AIRSHIPCTL_REPO_AUTH_USERNAME}:${AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD}@${url}"
+  fi
+
   git init
   git fetch "$repo_url" "$repo_ref"
+  set -x
   git checkout FETCH_HEAD
 }
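Review bot: The `http-basic` branch splices the username and password into `repo_url`, so `git fetch "$repo_url" "$repo_ref"` carries them in its argument list, where they are readable from the process table for the duration of the fetch even though `set +x` keeps them out of the trace. They are also inserted without percent-encoding, so a password containing `@`, `:` or `/` produces a URL that git parses differently. Supplying them through a git credential helper that reads the mounted files leaves `repo_url` untouched and avoids both problems. The function's header and argument assignments sit in the previous hunk. Separately, the `set -x` after the fetch turns tracing on even if it was off on entry.

```shell
  git init
  if [[ "$AIRSHIPCTL_REPO_AUTH_TYPE" = "http-basic" ]]; then
    # The helper reads the mounted secret files itself, so the credentials
    # never enter repo_url, argv or the xtrace output.
    git -c credential.helper='!f() {
      echo "username=$(cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_USERNAME)"
      echo "password=$(cat /opt/aiap-secret-volume/AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD)"
    }; f' fetch "$repo_url" "$repo_ref"
  else
    git fetch "$repo_url" "$repo_ref"
  fi
  git checkout FETCH_HEAD
```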
 
@@ -70,7 +81,7 @@ else
   check_docker_readiness
 
   repo_dir="$ARTIFACTS_DIR/airshipctl"
-  cloneRepo "$repo_dir" "$AIRSHIPCTL_REPO_URL" "$AIRSHIPCTL_REPO_REF"
+  cloneAirshipctlRepo "$repo_dir" "$AIRSHIPCTL_REPO_URL" "$AIRSHIPCTL_REPO_REF"
 
   cd "$repo_dir"
   ./tools/deployment/21_systemwide_executable.sh
diff --git a/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml b/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml
index 408ebe6e0..3f9eee724 100644
--- a/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml
+++ b/tools/airship-in-a-pod/examples/airshipctl/kustomization.yaml
@@ -21,3 +21,8 @@ patchesJson6902:
     kind: Pod
     name: airship-in-a-pod
   path: replacements.yaml
+- target:
+    version: v1 # apiVersion
+    kind: Secret
+    name: aiap-secret
+  path: secret_replacements.yaml
diff --git a/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml b/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml
index 04100c74b..4f76be008 100644
--- a/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml
+++ b/tools/airship-in-a-pod/examples/airshipctl/replacements.yaml
@@ -42,18 +42,13 @@
 - op: replace
   path: "/spec/containers/6/env/10/value"
   value: none
-# The username to use when using the https protocol (basic-auth)
+
+# The following relate to authorization for pulling the airshipctl repository
+# This is the type of authorization to use. Currently supported types are
+# [none http-basic ssh-key]
 - op: replace
-  path: "/spec/containers/6/env/11/value"
-  value:
-# The password to use when using the https protocol (basic-auth)
-- op: replace
-  path: "/spec/containers/6/env/12/value"
-  value:
-# The password to use when using the git protocol (ssh-key)
-- op: replace
-  path: "/spec/containers/6/env/13/value"
-  value:
+  path: "/spec/containers/4/env/5/value"
+  value: none
 
 # This is the location on the host machine of the artifacts directory. Note
 # that it should be the same across containers
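Review bot: The new comment lists `ssh-key` as a supported value, but the only branch added to `cloneAirshipctlRepo` in artifact-setup/assets/entrypoint.sh tests for `http-basic`, so `ssh-key` would fall through to an unauthenticated `git fetch`. Either narrow the comment to `[none http-basic]` or state that `ssh-key` is not implemented yet. The target is also addressed by position (`/spec/containers/4/env/5/value`); the base manifest is not fully visible here, so it is worth confirming that this index resolves to `AIRSHIPCTL_REPO_AUTH_TYPE` now that the new env entry has been inserted.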
diff --git a/tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml b/tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml
new file mode 100644
index 000000000..ee772495b
--- /dev/null
+++ b/tools/airship-in-a-pod/examples/airshipctl/secret_replacements.yaml
@@ -0,0 +1,42 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The following relate to authorization for pulling the manifest repository
+# The username to use when using the https protocol (basic-auth)
+- op: replace
+  path: "/data/AIRSHIPCTL_REPO_AUTH_USERNAME"
+  value: ""
+# The password to use when using the https protocol (basic-auth)
+- op: replace
+  path: "/data/AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD"
+  value: ""
+# The ssh-key to use when using the git protocol (ssh-key)
+- op: replace
+  path: "/data/AIRSHIPCTL_REPO_AUTH_SSH_KEY"
+  value: ""
+
+# The following relate to authorization for pulling the manifest repository
+# This is the type of authorization to use. Currently supported types are
+# [none http-basic ssh-pass]
+# The username to use when using the https protocol (basic-auth)
+- op: replace
+  path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME"
+  value: ""
+# The password to use when using the https protocol (basic-auth)
+- op: replace
+  path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD"
+  value: ""
+# The ssh-key to use when using the git protocol (ssh-key)
+- op: replace
+  path: "/data/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD"
+  value: ""
+
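Review bot: These operations patch `/data/...` on a Secret, and Kubernetes expects `data` values to be base64-encoded, which none of the comments mention; a plaintext username or password pasted here will be rejected or decoded into the wrong bytes. Add a line such as `# Values must be base64-encoded (the Secret uses data, not stringData)` above the first op. The header of the first group says "manifest repository" although its keys are `AIRSHIPCTL_REPO_*`, the second group carries a leftover "type of authorization" comment with no matching op, and the `..._SSH_PASSWORD` entry is described as an ssh-key. Since this file lives under examples/, a reminder not to commit filled-in values would also help.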
diff --git a/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml b/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml
index 936da1f90..3659ac17b 100644
--- a/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml
+++ b/tools/airship-in-a-pod/examples/base/airship-in-a-pod.yaml
@@ -10,6 +10,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aiap-secret
+  labels:
+    aiap: aiap
+data:
+  AIRSHIPCTL_REPO_AUTH_USERNAME: ""
+  AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD: ""
+  AIRSHIPCTL_REPO_AUTH_SSH_KEY: ""
+  AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME: ""
+  AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD: ""
+  AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD: ""
+---
+
 apiVersion: v1
 kind: Pod
 metadata:
@@ -215,6 +231,8 @@ spec:
         value: https://opendev.org/airship/airshipctl
       - name: AIRSHIPCTL_REPO_REF
         value: master
+      - name: AIRSHIPCTL_REPO_AUTH_TYPE
+        value: "none"
       - name: USE_PROXY
         value:
       - name: no_proxy
@@ -236,6 +254,8 @@ spec:
         mountPath: /var/run
       - name: var-run-libvirt
         mountPath: /var/run/libvirt
+      - name: aiap-secret-volume
+        mountPath: /opt/aiap-secret-volume
 
   - name: infra-builder
     image: quay.io/airshipit/aiap-infra-builder:latest
@@ -311,12 +331,7 @@ spec:
         value:
       - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE
         value: "none"
-      - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME
-        value: ""
-      - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD
-        value: ""
-      - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD
-        value: ""
+
     volumeMounts:
       - name: cache
         mountPath: /opt/aiap-cache
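Review bot: This container loses its `AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_*` env entries, and runner/assets/entrypoint.sh now reads those values from `/opt/aiap-secret-volume`, but no hunk in this file adds an `aiap-secret-volume` entry to these `volumeMounts`; the only mount added is in the container that sets `AIRSHIPCTL_REPO_URL`. If this is the runner container, the `http-basic` and `ssh-pass` branches would find no files to read. Add `- name: aiap-secret-volume` with `mountPath: /opt/aiap-secret-volume` to this list. The container definition extends beyond the hunk on both sides.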
@@ -389,3 +404,6 @@ spec:
         medium: "Memory"
     - name: dind-storage
       emptyDir: {}
+    - name: aiap-secret-volume
+      secret:
+        secretName: aiap-secret
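Review bot: The volume projects all six keys of `aiap-secret`, so every container that mounts it can read both the airshipctl and the manifest-repository credentials. Consider limiting each consumer to the keys it needs with an `items:` list (or two separate Secrets), and setting `defaultMode: 0400` so the files are not world-readable inside the container.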
diff --git a/tools/airship-in-a-pod/runner/assets/entrypoint.sh b/tools/airship-in-a-pod/runner/assets/entrypoint.sh
index df2761d36..72a1fef55 100755
--- a/tools/airship-in-a-pod/runner/assets/entrypoint.sh
+++ b/tools/airship-in-a-pod/runner/assets/entrypoint.sh
@@ -52,7 +52,20 @@ echo "export SOPS_PGP_FP=${SOPS_PGP_FP}" >> ~/.bashrc
 install "$ARTIFACTS_DIR/airshipctl/bin/airshipctl" /usr/local/bin
 cd "$ARTIFACTS_DIR/airshipctl"
 
+set +x
 export AIRSHIP_CONFIG_MANIFEST_DIRECTORY="$ARTIFACTS_DIR/manifests"
+if [[ "$AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE" = "http-basic" ]]
+then
+  export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME )
+  export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD )
+fi
+
+if [[ "$AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE" = "ssh-pass" ]]
+then
+  export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD=$( cat /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD )
+fi
+set -x
+
 ./tools/deployment/22_test_configs.sh
 if [[ -n "$AIRSHIP_CONFIG_PHASE_REPO_REF" ]]; then
   export NO_CHECKOUT="false"
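Review bot: `export VAR=$( cat ... )` always returns the status of `export`, so a missing or unreadable file under `/opt/aiap-secret-volume` leaves the credential empty and the script carries on to `22_test_configs.sh`, where the resulting authentication failure is hard to trace back. Assign first and export afterwards, e.g. `AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME=$(< /opt/aiap-secret-volume/AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME) || exit 1` followed by `export AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME`; the same applies to the two password lines. The closing `set -x` also enables tracing unconditionally; whether it was on before is not visible in this hunk.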