add stronghold token

Signed-off-by: Maxim Vasilenko <5184586+mvasl@users.noreply.github.com>
deckhouse · Dec 2, 2024 · ef27ba3 · ef27ba3
1 parent 1e11fa5
commit ef27ba3
Show file tree

Hide file tree

Showing 11 changed files with 56 additions and 3 deletions.
diff --git a/.github/ci_includes/werf_envs.yml b/.github/ci_includes/werf_envs.yml
@@ -19,5 +19,10 @@ CLOUD_PROVIDERS_SOURCE_REPO: "${{secrets.CLOUD_PROVIDERS_SOURCE_REPO}}"
 GOPROXY: "${{secrets.GOPROXY}}"
 # observability source repo should contain creds for repo for ex https://user:password@my-repo.com/group
 OBSERVABILITY_SOURCE_REPO: "${{secrets.OBSERVABILITY_SOURCE_REPO}}"
+# Next two are required for accessing the stronghold repo during d8 cli builds.
+# Stronghold pull token should contain CI token with read access to stronghold repos.
+STRONGHOLD_PULL_TOKEN: "${{secrets.STRONGHOLD_PULL_TOKEN}}"
+# deckhouse private repo should contain the host address of proprietary parts of deckhouse ecosystem. Ex "repo.my-repo.com".
+DECKHOUSE_PRIVATE_REPO: "${{secrets.DECKHOUSE_PRIVATE_REPO}}"
 # </template: git_source_envs>
 {!{- end -}!}
diff --git a/.github/workflows/build-and-test_dev.yml b/.github/workflows/build-and-test_dev.yml
@@ -42,6 +42,11 @@ env:
   GOPROXY: "${{secrets.GOPROXY}}"
   # observability source repo should contain creds for repo for ex https://user:password@my-repo.com/group
   OBSERVABILITY_SOURCE_REPO: "${{secrets.OBSERVABILITY_SOURCE_REPO}}"
+  # Next two are required for accessing the stronghold repo during d8 cli builds.
+  # Stronghold pull token should contain CI token with read access to stronghold repos.
+  STRONGHOLD_PULL_TOKEN: "${{secrets.STRONGHOLD_PULL_TOKEN}}"
+  # deckhouse private repo should contain the host address of proprietary parts of deckhouse ecosystem. Ex "repo.my-repo.com".
+  DECKHOUSE_PRIVATE_REPO: "${{secrets.DECKHOUSE_PRIVATE_REPO}}"
   # </template: git_source_envs>
 
 # Cancel in-progress jobs for the same PR (pull_request_target event) or for the same branch (push event).

diff --git a/.github/workflows/build-and-test_pre-release.yml b/.github/workflows/build-and-test_pre-release.yml
@@ -44,6 +44,11 @@ env:
   GOPROXY: "${{secrets.GOPROXY}}"
   # observability source repo should contain creds for repo for ex https://user:password@my-repo.com/group
   OBSERVABILITY_SOURCE_REPO: "${{secrets.OBSERVABILITY_SOURCE_REPO}}"
+  # Next two are required for accessing the stronghold repo during d8 cli builds.
+  # Stronghold pull token should contain CI token with read access to stronghold repos.
+  STRONGHOLD_PULL_TOKEN: "${{secrets.STRONGHOLD_PULL_TOKEN}}"
+  # deckhouse private repo should contain the host address of proprietary parts of deckhouse ecosystem. Ex "repo.my-repo.com".
+  DECKHOUSE_PRIVATE_REPO: "${{secrets.DECKHOUSE_PRIVATE_REPO}}"
   # </template: git_source_envs>
 
 # Cancel in-progress jobs for the same branch.

diff --git a/.github/workflows/build-and-test_release.yml b/.github/workflows/build-and-test_release.yml
@@ -57,6 +57,11 @@ env:
   GOPROXY: "${{secrets.GOPROXY}}"
   # observability source repo should contain creds for repo for ex https://user:password@my-repo.com/group
   OBSERVABILITY_SOURCE_REPO: "${{secrets.OBSERVABILITY_SOURCE_REPO}}"
+  # Next two are required for accessing the stronghold repo during d8 cli builds.
+  # Stronghold pull token should contain CI token with read access to stronghold repos.
+  STRONGHOLD_PULL_TOKEN: "${{secrets.STRONGHOLD_PULL_TOKEN}}"
+  # deckhouse private repo should contain the host address of proprietary parts of deckhouse ecosystem. Ex "repo.my-repo.com".
+  DECKHOUSE_PRIVATE_REPO: "${{secrets.DECKHOUSE_PRIVATE_REPO}}"
   # </template: git_source_envs>
 
 # Cancel in-progress jobs for the same tag/branch.

diff --git a/.werf/werf-modules.yaml b/.werf/werf-modules.yaml
@@ -56,6 +56,8 @@ args:
   SOURCE_REPO: {{ .SOURCE_REPO }}
   CLOUD_PROVIDERS_SOURCE_REPO: {{ .CLOUD_PROVIDERS_SOURCE_REPO }}
   OBSERVABILITY_SOURCE_REPO: {{ .OBSERVABILITY_SOURCE_REPO }}
+  STRONGHOLD_PULL_TOKEN: {{ .STRONGHOLD_PULL_TOKEN }}
+  DECKHOUSE_PRIVATE_REPO: {{ .DECKHOUSE_PRIVATE_REPO }}
   # proxies for various packages
   GOPROXY: {{ .GOPROXY }}
   {{- if not (has (list .ModuleName .ImageName | join "/") (list "common/distroless")) }}
@@ -130,6 +132,8 @@ dependencies:
       {{- $_ := set $ctx "CLOUD_PROVIDERS_SOURCE_REPO" $Root.CLOUD_PROVIDERS_SOURCE_REPO }}
       {{- $_ := set $ctx "OBSERVABILITY_SOURCE_REPO" $Root.OBSERVABILITY_SOURCE_REPO }}
       {{- $_ := set $ctx "GOPROXY" $Root.GOPROXY }}
+      {{- $_ := set $ctx "DECKHOUSE_PRIVATE_REPO" $Root.DECKHOUSE_PRIVATE_REPO }}
+      {{- $_ := set $ctx "STRONGHOLD_PULL_TOKEN" $Root.STRONGHOLD_PULL_TOKEN }}
       {{- $_ := set $ctx "DistroPackagesProxy" $Root.DistroPackagesProxy }}
       {{- $_ := set $ctx "CargoProxy" $Root.CargoProxy }}
 ---

diff --git a/candi/version_map.yml b/candi/version_map.yml
@@ -158,4 +158,4 @@ k8s:
       snapshotter: v8.1.0
       livenessprobe: v2.14.0
 d8:
-  d8CliVersion: v0.4.0
+  d8CliVersion: v0.5.0
diff --git a/modules/007-registrypackages/images/d8/werf.inc.yaml b/modules/007-registrypackages/images/d8/werf.inc.yaml
@@ -26,12 +26,18 @@ git:
       - '**/*'
 shell:
   setup:
+  {{- include "debian packages proxy" . | nindent 2 }}
   - export GOPROXY={{ $.GOPROXY }}
+  - export PRIVATE_REPO={{ $.DECKHOUSE_PRIVATE_REPO }}
+  - export PRIVATE_REPO_TOKEN={{ $.STRONGHOLD_PULL_TOKEN }}
+  - export GOPRIVATE={{ $.DECKHOUSE_PRIVATE_REPO }}
+  - git config --global url."https://gitlab-ci-token:${PRIVATE_REPO_TOKEN}@${PRIVATE_REPO}/".insteadOf https://${PRIVATE_REPO}/
+  - mkdir -p ~/.ssh && echo "StrictHostKeyChecking accept-new" > ~/.ssh/config
   - go install github.com/go-task/task/v3/cmd/task@latest
   - git clone --depth 1 --branch {{ .CandiVersionMap.d8.d8CliVersion }} {{ $.SOURCE_REPO }}/deckhouse/deckhouse-cli.git
   - cd /deckhouse-cli
-  {{- include "debian packages proxy" . | nindent 2 }}
   - apt-get install -y libbtrfs-dev
   - task build:dist:linux:amd64
   - mv ./dist/{{ .CandiVersionMap.d8.d8CliVersion }}/linux-amd64/d8 /d8
   - chmod +x /d8 /install /uninstall
+  - rm ~/.gitconfig # Prevent PRIVATE_REPO_TOKEN from leaking into the image layer
diff --git a/modules/800-deckhouse-tools/images/web/werf.inc.yaml b/modules/800-deckhouse-tools/images/web/werf.inc.yaml
@@ -35,15 +35,21 @@ shell:
   setup:
     {{- include "debian packages proxy" . | nindent 4 }}
     - export GOPROXY={{ $.GOPROXY }}
+    - export PRIVATE_REPO={{ $.DECKHOUSE_PRIVATE_REPO }}
+    - export PRIVATE_REPO_TOKEN={{ $.STRONGHOLD_PULL_TOKEN }}
+    - export GOPRIVATE={{ $.DECKHOUSE_PRIVATE_REPO }}
     - apt-get install -y libbtrfs-dev jq
+    - git config --global url."https://gitlab-ci-token:${PRIVATE_REPO_TOKEN}@${PRIVATE_REPO}/".insteadOf https://${PRIVATE_REPO}/
     - go install github.com/go-task/task/v3/cmd/task@latest
+    - mkdir -p ~/.ssh && echo "StrictHostKeyChecking accept-new" > ~/.ssh/config
     - git clone --depth 1 --branch {{ .CandiVersionMap.d8.d8CliVersion }} {{ $.SOURCE_REPO }}/deckhouse/deckhouse-cli.git
     - cd /deckhouse-cli
     - task build:dist:all
     - mkdir -p /app/files/d8-cli
     - mv dist/{{ .CandiVersionMap.d8.d8CliVersion }}/* /app/files/d8-cli
     - jq '[.[] | .version="{{ .CandiVersionMap.d8.d8CliVersion }}"]' /static/tools.json > /app/tools.json
     - mv /static/robots.txt /app
+    - rm ~/.gitconfig # Prevent PRIVATE_REPO_TOKEN from leaking into the image layer
 ---
 artifact: {{ .ModuleName }}/{{ .ImageName }}-frontend-artifact
 from: {{ .Images.BASE_NODE_20_ALPINE_DEV }}

diff --git a/tools/images_tags/main.go b/tools/images_tags/main.go
@@ -75,7 +75,17 @@ func main() {
 	// Run werf config render to get config file from which  we calculate images names
 	cmd := exec.Command("werf", "config", "render", "--dev", "--log-quiet")
 	cmd.Env = os.Environ()
-	cmd.Env = append(cmd.Env, "CI_COMMIT_REF_NAME=", "CI_COMMIT_TAG=", "WERF_ENV=FE", "SOURCE_REPO=", "GOPROXY=", "CLOUD_PROVIDERS_SOURCE_REPO=", "OBSERVABILITY_SOURCE_REPO=")
+	cmd.Env = append(cmd.Env,
+		"CI_COMMIT_REF_NAME=",
+		"CI_COMMIT_TAG=",
+		"WERF_ENV=FE",
+		"SOURCE_REPO=",
+		"GOPROXY=",
+		"CLOUD_PROVIDERS_SOURCE_REPO=",
+		"OBSERVABILITY_SOURCE_REPO=",
+		"STRONGHOLD_PULL_TOKEN=",
+		"DECKHOUSE_PRIVATE_REPO=",
+	)
 	cmd.Dir = path.Join("..")
 	out, err := cmd.CombinedOutput()
 	if err != nil {

diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml
@@ -11,6 +11,8 @@ config:
     - OBSERVABILITY_SOURCE_REPO
     - DISTRO_PACKAGES_PROXY
     - CARGO_PROXY
+    - STRONGHOLD_PULL_TOKEN
+    - DECKHOUSE_PRIVATE_REPO
     allowUncommittedFiles: [ "tools/build_includes/*" ]
   stapel:
     mount:

diff --git a/werf.yaml b/werf.yaml
@@ -120,12 +120,17 @@ cleanup:
 # Source repo with observability private code
 {{- $_ := set . "OBSERVABILITY_SOURCE_REPO" (env "OBSERVABILITY_SOURCE_REPO" | default "https://example.com") }}
 
+# Stronghold repo access for building d8 cli
+{{- $_ := set . "STRONGHOLD_PULL_TOKEN" (env "STRONGHOLD_PULL_TOKEN") }}
+{{- $_ := set . "DECKHOUSE_PRIVATE_REPO" (env "DECKHOUSE_PRIVATE_REPO") }}
+
 # goproxy  settings
 {{- $_ := set . "GOPROXY" (env "GOPROXY") }}
 ---
 {{ range $path, $content := .Files.Glob ".werf/werf-**.yaml" }}
 {{ tpl $content $ }}
 {{ end }}
+
 ---
 {{- define "base components imports" }}
 - artifact: tini-artifact