From dcbca6b1bf4f1a7f230ed315b0caadfa3960d99b Mon Sep 17 00:00:00 2001 From: Jabar Asadi Date: Wed, 1 Nov 2023 15:46:17 +0100 Subject: [PATCH] feat: add gitea bootstrapper Signed-off-by: Jabar Asadi --- cmd/flux/bootstrap_gitea.go | 275 +++++++++++++++++++++++++++++ go.mod | 4 + go.sum | 10 ++ pkg/bootstrap/provider/factory.go | 12 ++ pkg/bootstrap/provider/provider.go | 1 + 5 files changed, 302 insertions(+) create mode 100644 cmd/flux/bootstrap_gitea.go diff --git a/cmd/flux/bootstrap_gitea.go b/cmd/flux/bootstrap_gitea.go new file mode 100644 index 0000000000..37d53c9266 --- /dev/null +++ b/cmd/flux/bootstrap_gitea.go @@ -0,0 +1,275 @@ +/* +Copyright 2023 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "context" + "fmt" + "os" + "time" + + "github.com/fluxcd/pkg/git" + "github.com/fluxcd/pkg/git/gogit" + "github.com/spf13/cobra" + + "github.com/fluxcd/flux2/v2/internal/flags" + "github.com/fluxcd/flux2/v2/internal/utils" + "github.com/fluxcd/flux2/v2/pkg/bootstrap" + "github.com/fluxcd/flux2/v2/pkg/bootstrap/provider" + "github.com/fluxcd/flux2/v2/pkg/manifestgen" + "github.com/fluxcd/flux2/v2/pkg/manifestgen/install" + "github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret" + "github.com/fluxcd/flux2/v2/pkg/manifestgen/sync" +) + +var bootstrapGiteaCmd = &cobra.Command{ + Use: "gitea", + Short: "Deploy Flux on a cluster connected to a Gitea repository", + Long: `The bootstrap gitea command creates the Gitea repository if it doesn't exists and +commits the Flux manifests to the specified branch. +Then it configures the target cluster to synchronize with that repository. +If the Flux components are present on the cluster, +the bootstrap command will perform an upgrade if needed.`, + Example: ` # Create a Gitea personal access token and export it as an env var + export GITEA_TOKEN= + + # Run bootstrap for a private repository owned by a Gitea organization + flux bootstrap gitea --owner= --repository= --path=clusters/my-cluster + + # Run bootstrap for a private repository and assign organization teams to it + flux bootstrap gitea --owner= --repository= --team= --team= --path=clusters/my-cluster + + # Run bootstrap for a private repository and assign organization teams with their access level(e.g maintain, admin) to it + flux bootstrap gitea --owner= --repository= --team=: --path=clusters/my-cluster + + # Run bootstrap for a public repository on a personal account + flux bootstrap gitea --owner= --repository= --private=false --personal=true --path=clusters/my-cluster + + # Run bootstrap for a private repository hosted on Gitea Enterprise using SSH auth + flux bootstrap gitea --owner= --repository= --hostname= --ssh-hostname= --path=clusters/my-cluster + + # Run bootstrap for a private repository hosted on Gitea Enterprise using HTTPS auth + flux bootstrap gitea --owner= --repository= --hostname= --token-auth --path=clusters/my-cluster + + # Run bootstrap for an existing repository with a branch named main + flux bootstrap gitea --owner= --repository= --branch=main --path=clusters/my-cluster`, + RunE: bootstrapGiteaCmdRun, +} + +type giteaFlags struct { + owner string + repository string + interval time.Duration + personal bool + private bool + hostname string + path flags.SafeRelativePath + teams []string + readWriteKey bool + reconcile bool +} + +const ( + gtDefaultPermission = "maintain" + gtDefaultDomain = "gitea.com" + gtTokenEnvVar = "GITEA_TOKEN" +) + +var giteaArgs giteaFlags + +func init() { + bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.owner, "owner", "", "Gitea user or organization name") + bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.repository, "repository", "", "Gitea repository name") + bootstrapGiteaCmd.Flags().StringSliceVar(&giteaArgs.teams, "team", []string{}, "Gitea team and the access to be given to it(team:maintain). Defaults to maintainer access if no access level is specified (also accepts comma-separated values)") + bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.personal, "personal", false, "if true, the owner is assumed to be a Gitea user; otherwise an org") + bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.private, "private", true, "if true, the repository is setup or configured as private") + bootstrapGiteaCmd.Flags().DurationVar(&giteaArgs.interval, "interval", time.Minute, "sync interval") + bootstrapGiteaCmd.Flags().StringVar(&giteaArgs.hostname, "hostname", gtDefaultDomain, "Gitea hostname") + bootstrapGiteaCmd.Flags().Var(&giteaArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path") + bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions") + bootstrapGiteaCmd.Flags().BoolVar(&giteaArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists") + + bootstrapCmd.AddCommand(bootstrapGiteaCmd) +} + +func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error { + gtToken := os.Getenv(gtTokenEnvVar) + if gtToken == "" { + var err error + gtToken, err = readPasswordFromStdin("Please enter your Gitea personal access token (PAT): ") + if err != nil { + return fmt.Errorf("could not read token: %w", err) + } + } + + if err := bootstrapValidate(); err != nil { + return err + } + + ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout) + defer cancel() + + kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions) + if err != nil { + return err + } + + // Manifest base + if ver, err := getVersion(bootstrapArgs.version); err != nil { + return err + } else { + bootstrapArgs.version = ver + } + manifestsBase, err := buildEmbeddedManifestBase() + if err != nil { + return err + } + defer os.RemoveAll(manifestsBase) + + var caBundle []byte + if bootstrapArgs.caFile != "" { + var err error + caBundle, err = os.ReadFile(bootstrapArgs.caFile) + if err != nil { + return fmt.Errorf("unable to read TLS CA file: %w", err) + } + } + // Build Gitea provider + providerCfg := provider.Config{ + Provider: provider.GitProviderGitea, + Hostname: giteaArgs.hostname, + Token: gtToken, + CaBundle: caBundle, + } + providerClient, err := provider.BuildGitProvider(providerCfg) + if err != nil { + return err + } + + tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-") + if err != nil { + return fmt.Errorf("failed to create temporary working dir: %w", err) + } + defer os.RemoveAll(tmpDir) + + clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()} + gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{ + Transport: git.HTTPS, + Username: giteaArgs.owner, + Password: gtToken, + CAFile: caBundle, + }, clientOpts...) + if err != nil { + return fmt.Errorf("failed to create a Git client: %w", err) + } + + // Install manifest config + installOptions := install.Options{ + BaseURL: rootArgs.defaults.BaseURL, + Version: bootstrapArgs.version, + Namespace: *kubeconfigArgs.Namespace, + Components: bootstrapComponents(), + Registry: bootstrapArgs.registry, + ImagePullSecret: bootstrapArgs.imagePullSecret, + WatchAllNamespaces: bootstrapArgs.watchAllNamespaces, + NetworkPolicy: bootstrapArgs.networkPolicy, + LogLevel: bootstrapArgs.logLevel.String(), + NotificationController: rootArgs.defaults.NotificationController, + ManifestFile: rootArgs.defaults.ManifestFile, + Timeout: rootArgs.timeout, + TargetPath: giteaArgs.path.ToSlash(), + ClusterDomain: bootstrapArgs.clusterDomain, + TolerationKeys: bootstrapArgs.tolerationKeys, + } + if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" { + installOptions.BaseURL = customBaseURL + } + + // Source generation and secret config + secretOpts := sourcesecret.Options{ + Name: bootstrapArgs.secretName, + Namespace: *kubeconfigArgs.Namespace, + TargetPath: giteaArgs.path.ToSlash(), + ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile, + } + if bootstrapArgs.tokenAuth { + secretOpts.Username = "git" + secretOpts.Password = gtToken + secretOpts.CAFile = caBundle + } else { + secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm) + secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits) + secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve + + secretOpts.SSHHostname = giteaArgs.hostname + if bootstrapArgs.sshHostname != "" { + secretOpts.SSHHostname = bootstrapArgs.sshHostname + } + } + + // Sync manifest config + syncOpts := sync.Options{ + Interval: giteaArgs.interval, + Name: *kubeconfigArgs.Namespace, + Namespace: *kubeconfigArgs.Namespace, + Branch: bootstrapArgs.branch, + Secret: bootstrapArgs.secretName, + TargetPath: giteaArgs.path.ToSlash(), + ManifestFile: sync.MakeDefaultOptions().ManifestFile, + RecurseSubmodules: bootstrapArgs.recurseSubmodules, + } + + entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath) + if err != nil { + return err + } + + // Bootstrap config + bootstrapOpts := []bootstrap.GitProviderOption{ + bootstrap.WithProviderRepository(giteaArgs.owner, giteaArgs.repository, giteaArgs.personal), + bootstrap.WithBranch(bootstrapArgs.branch), + bootstrap.WithBootstrapTransportType("https"), + bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail), + bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix), + bootstrap.WithProviderTeamPermissions(mapTeamSlice(giteaArgs.teams, gtDefaultPermission)), + bootstrap.WithReadWriteKeyPermissions(giteaArgs.readWriteKey), + bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions), + bootstrap.WithLogger(logger), + bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID), + } + if bootstrapArgs.sshHostname != "" { + bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname)) + } + if bootstrapArgs.tokenAuth { + bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https")) + } + if !giteaArgs.private { + bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public")) + } + if giteaArgs.reconcile { + bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile()) + } + + // Setup bootstrapper with constructed configs + b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...) + if err != nil { + return err + } + + // Run + return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout) +} diff --git a/go.mod b/go.mod index b7bd001727..9f6434b1c5 100644 --- a/go.mod +++ b/go.mod @@ -63,6 +63,7 @@ require ( ) require ( + code.gitea.io/sdk/gitea v0.16.0 // indirect dario.cat/mergo v1.0.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 // indirect @@ -95,6 +96,7 @@ require ( github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/davidmz/go-pageant v1.0.2 // indirect github.com/docker/cli v24.0.0+incompatible // indirect github.com/docker/distribution v2.8.2+incompatible // indirect github.com/docker/docker v24.0.7+incompatible // indirect @@ -114,6 +116,7 @@ require ( github.com/fluxcd/pkg/apis/kustomize v1.1.1 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/go-errors/errors v1.4.2 // indirect + github.com/go-fed/httpsig v1.1.0 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.5.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect @@ -141,6 +144,7 @@ require ( github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-retryablehttp v0.7.4 // indirect + github.com/hashicorp/go-version v1.5.0 // indirect github.com/hashicorp/golang-lru/arc/v2 v2.0.5 // indirect github.com/hashicorp/golang-lru/v2 v2.0.5 // indirect github.com/imdario/mergo v0.3.15 // indirect diff --git a/go.sum b/go.sum index 8f7fcefc9d..58202d13d6 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,7 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +code.gitea.io/sdk/gitea v0.16.0 h1:gAfssETO1Hv9QbE+/nhWu7EjoFQYKt6kPoyDytQgw00= +code.gitea.io/sdk/gitea v0.16.0/go.mod h1:ndkDk99BnfiUCCYEUhpNzi0lpmApXlwRFqClBlOlEBg= dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic= @@ -97,6 +99,8 @@ github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davidmz/go-pageant v1.0.2 h1:bPblRCh5jGU+Uptpz6LgMZGD5hJoOt7otgT454WvHn0= +github.com/davidmz/go-pageant v1.0.2/go.mod h1:P2EDDnMqIwG5Rrp05dTRITj9z2zpGcD9efWSkTNKLIE= github.com/distribution/distribution/v3 v3.0.0-20230823142118-4f7424c8eb41 h1:vlGNYFw1NB27Gk5tIwJpiog1Ti6FKOUI+DoFZKoCDZo= github.com/distribution/distribution/v3 v3.0.0-20230823142118-4f7424c8eb41/go.mod h1:WREzLx07iIFUGvbm6tBoqGt40zOC3whiM1qkcWOMFrs= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= @@ -190,6 +194,8 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI= +github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU= @@ -301,6 +307,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA= github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= +github.com/hashicorp/go-version v1.5.0 h1:O293SZ2Eg+AAYijkVK3jR786Am1bhDEh2GHT0tIVE5E= +github.com/hashicorp/go-version v1.5.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw= github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU= github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4= @@ -506,7 +514,9 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= diff --git a/pkg/bootstrap/provider/factory.go b/pkg/bootstrap/provider/factory.go index 575cb5518c..bd490334b4 100644 --- a/pkg/bootstrap/provider/factory.go +++ b/pkg/bootstrap/provider/factory.go @@ -19,6 +19,7 @@ package provider import ( "fmt" + "github.com/fluxcd/go-git-providers/gitea" "github.com/fluxcd/go-git-providers/github" "github.com/fluxcd/go-git-providers/gitlab" "github.com/fluxcd/go-git-providers/gitprovider" @@ -45,6 +46,17 @@ func BuildGitProvider(config Config) (gitprovider.Client, error) { if client, err = github.NewClient(opts...); err != nil { return nil, err } + case GitProviderGitea: + opts := []gitprovider.ClientOption{} + if config.Hostname != "" { + opts = append(opts, gitprovider.WithDomain(config.Hostname)) + } + if config.CaBundle != nil { + opts = append(opts, gitprovider.WithCustomCAPostChainTransportHook(config.CaBundle)) + } + if client, err = gitea.NewClient(config.Token, opts...); err != nil { + return nil, err + } case GitProviderGitLab: opts := []gitprovider.ClientOption{ gitprovider.WithConditionalRequests(true), diff --git a/pkg/bootstrap/provider/provider.go b/pkg/bootstrap/provider/provider.go index 4d1f92accb..f458184bfd 100644 --- a/pkg/bootstrap/provider/provider.go +++ b/pkg/bootstrap/provider/provider.go @@ -21,6 +21,7 @@ type GitProvider string const ( GitProviderGitHub GitProvider = "github" + GitProviderGitea GitProvider = "gitea" GitProviderGitLab GitProvider = "gitlab" GitProviderStash GitProvider = "stash" )