wip

Author: duanhongyi

boot.go

@@ -47,7 +47,7 @@ func main() {
 			Name:    "server",
 			Aliases: []string{"srv"},
 			Usage:   "Run the git server",
-			Action: func(ctx context.Context, cmd *cli.Command) error {
+			Action: func(_ context.Context, _ *cli.Command) error {
 				cnf := new(sshd.Config)
 				if err := envconfig.Process(serverConfAppName, cnf); err != nil {
 					return fmt.Errorf("getting config for %s [%s]", serverConfAppName, err)
@@ -106,7 +106,7 @@ func main() {
 			Name:    "git-receive",
 			Aliases: []string{"gr"},
 			Usage:   "Run the git-receive hook",
-			Action: func(ctx context.Context, cmd *cli.Command) error {
+			Action: func(_ context.Context, _ *cli.Command) error {
 				cnf := new(gitreceive.Config)
 				if err := envconfig.Process(gitReceiveConfAppName, cnf); err != nil {
 					return fmt.Errorf("error getting config for %s [%s]", gitReceiveConfAppName, err)

charts/builder/templates/_helpers.tpl

@@ -22,6 +22,32 @@ env:
       fieldPath: metadata.namespace
 - name: "DRYCC_CONTROLLER_URL"
   value: http://drycc-controller-api
+{{- if .Values.passport.enabled }}
+- name: "DRYCC_PASSPORT_URL"
+{{- if .Values.global.certManagerEnabled }}
+  value: https://drycc-passport.{{ .Values.global.platformDomain }}
+{{- else }}
+  value: http://drycc-passport.{{ .Values.global.platformDomain }}
+{{- end }}
+- name: DRYCC_PASSPORT_KEY
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: drycc-passport-builder-key
+- name: DRYCC_PASSPORT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: drycc-passport-builder-secret
+{{- else }}
+- name: DRYCC_PASSPORT_URL
+  valueFrom:
+    secretKeyRef:
+      name: builder-secret
+      key: passport-url
+- name: DRYCC_PASSPORT_KEY
+  valueFrom:
+    secretKeyRef:
 {{- if (.Values.storageEndpoint) }}
 - name: "DRYCC_STORAGE_BUCKET"
   valueFrom:

charts/builder/templates/builder-secret.yaml

@@ -7,6 +7,15 @@ metadata:
 type: Opaque
 data:
   {{- if (.Values.registryHost) }}
+  {{- if (.Values.passportUrl) }}
+  passport-url: {{ .Values.passportUrl | b64enc }}
+  {{- end }}
+  {{- if (.Values.passportKey) }}
+  passport-key: {{ .Values.passportKey | b64enc }}
+  {{- end }}
+  {{- if (.Values.passportSecret) }}
+  passport-secret: {{ .Values.passportSecret | b64enc }}
+  {{- end }}
   registry-host: {{ .Values.registryHost | b64enc }}
   registry-username: {{ .Values.registryUsername | b64enc }}
   registry-password: {{ .Values.registryPassword | b64enc }}

pkg/conf/config.go

@@ -2,10 +2,8 @@
 package conf
 
 import (
-	"fmt"
 	"net"
 	"net/url"
-	"os"
 	"strings"
 
 	"github.com/drycc/builder/pkg/sys"
@@ -19,22 +17,9 @@ const (
 	storagePathStyleEnvVar = "DRYCC_STORAGE_PATH_STYLE"
 )
 
-// ServiceKeyLocation holds the path of the service key secret.
-var ServiceKeyLocation = "/var/run/secrets/drycc/controller/service-key"
-
 // Parameters is map which contains storage params
 type Parameters map[string]any
 
-// GetServiceKey returns the key to be used as token to interact with drycc-controller
-func GetServiceKey() (string, error) {
-	serviceKeyBytes, err := os.ReadFile(ServiceKeyLocation)
-	if err != nil {
-		return "", fmt.Errorf("couldn't get builder key from %s (%s)", ServiceKeyLocation, err)
-	}
-	serviceKey := strings.TrimSuffix(string(serviceKeyBytes), "\n")
-	return serviceKey, nil
-}
-
 // GetStorageParams returns the credentials required for connecting to object storage
 func GetStorageParams(env sys.Env) (Parameters, error) {
 	params := make(map[string]any)

pkg/conf/config_test.go

@@ -1,8 +1,6 @@
 package conf
 
 import (
-	"os"
-	"path/filepath"
 	"testing"
 
 	"github.com/drycc/builder/pkg/sys"
@@ -29,31 +27,3 @@ func TestGetStorageParams(t *testing.T) {
 	assert.Equal(t, params["accesskey"], "admin", "accesskey")
 	assert.Equal(t, params["secretkey"], "adminpass", "secretkey")
 }
-
-func TestGetControllerClient(t *testing.T) {
-	tmpDir, err := os.MkdirTemp("", "tmpdir")
-	if err != nil {
-		t.Fatalf("error creating temp directory (%s)", err)
-	}
-
-	defer func() {
-		if err := os.RemoveAll(tmpDir); err != nil {
-			t.Fatalf("failed to remove service-key from %s (%s)", tmpDir, err)
-		}
-	}()
-
-	ServiceKeyLocation = filepath.Join(tmpDir, "service-key")
-	data := []byte("testbuilderkey")
-	if err := os.WriteFile(ServiceKeyLocation, data, 0o644); err != nil {
-		t.Fatalf("error creating %s (%s)", ServiceKeyLocation, err)
-	}
-
-	key, err := GetServiceKey()
-	assert.Equal(t, err, nil)
-	assert.Equal(t, key, string(data), "data")
-}
-
-func TestGetServiceKeyError(t *testing.T) {
-	_, err := GetServiceKey()
-	assert.True(t, err != nil, "no error received when there should have been")
-}

pkg/controller/utils.go

@@ -2,24 +2,64 @@
 package controller
 
 import (
-	"github.com/drycc/builder/pkg/conf"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
 	drycc "github.com/drycc/controller-sdk-go"
 	"github.com/drycc/pkg/log"
 )
 
+type tokenResponse struct {
+	AccessToken string `json:"access_token"`
+	TokenType   string `json:"token_type"`
+}
+
 // New creates a new SDK client configured as the builder.
-func New(url string) (*drycc.Client, error) {
-	client, err := drycc.New(true, url, "")
+func New(controllerURL string) (*drycc.Client, error) {
+	client, err := drycc.New(true, controllerURL, "")
 	if err != nil {
 		return client, err
 	}
 	client.UserAgent = "drycc-builder"
 
-	serviceKey, err := conf.GetServiceKey()
+	passportURL := os.Getenv("DRYCC_PASSPORT_URL")
+	passportKey := os.Getenv("DRYCC_PASSPORT_KEY")
+	passportSecret := os.Getenv("DRYCC_PASSPORT_SECRET")
+	if passportURL == "" || passportKey == "" || passportSecret == "" {
+		return client, fmt.Errorf("passport credentials not configured")
+	}
+
+	data := url.Values{}
+	data.Set("grant_type", "client_credentials")
+	data.Set("client_id", passportKey)
+	data.Set("client_secret", passportSecret)
+
+	req, err := http.NewRequest("POST", fmt.Sprintf("%s/oauth/token/", passportURL), strings.NewReader(data.Encode()))
 	if err != nil {
-		return client, err
+		return client, fmt.Errorf("failed to create token request: %v", err)
 	}
-	client.ServiceKey = serviceKey
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return client, fmt.Errorf("failed to request token: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return client, fmt.Errorf("failed to get token: HTTP %d", resp.StatusCode)
+	}
+
+	var tr tokenResponse
+	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
+		return client, fmt.Errorf("failed to decode token response: %v", err)
+	}
+
+	client.Token = tr.TokenType + " " + tr.AccessToken
 
 	return client, nil
 }

pkg/controller/utils_test.go

@@ -2,38 +2,34 @@ package controller
 
 import (
 	"errors"
+	"net/http"
+	"net/http/httptest"
 	"os"
-	"path/filepath"
 	"testing"
 
-	builderconf "github.com/drycc/builder/pkg/conf"
 	drycc "github.com/drycc/controller-sdk-go"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestNew(t *testing.T) {
-	tmpDir, err := os.MkdirTemp("", "tmpdir")
-	if err != nil {
-		t.Fatalf("error creating temp directory (%s)", err)
-	}
-
-	defer func() {
-		if err := os.RemoveAll(tmpDir); err != nil {
-			t.Fatalf("failed to remove service-key from %s (%s)", tmpDir, err)
-		}
-	}()
-
-	builderconf.ServiceKeyLocation = filepath.Join(tmpDir, "service-key")
-	data := []byte("testbuilderkey")
-	if err := os.WriteFile(builderconf.ServiceKeyLocation, data, 0o644); err != nil {
-		t.Fatalf("error creating %s (%s)", builderconf.ServiceKeyLocation, err)
-	}
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.Write([]byte(`{"access_token": "testing_token", "token_type": "Bearer"}`))
+	}))
+	defer ts.Close()
+
+	os.Setenv("DRYCC_PASSPORT_URL", ts.URL)
+	os.Setenv("DRYCC_PASSPORT_KEY", "testing_key")
+	os.Setenv("DRYCC_PASSPORT_SECRET", "testing_secret")
+	defer os.Unsetenv("DRYCC_PASSPORT_URL")
+	defer os.Unsetenv("DRYCC_PASSPORT_KEY")
+	defer os.Unsetenv("DRYCC_PASSPORT_SECRET")
 
 	url := "http://127.0.0.1:80"
 	cli, err := New(url)
 	assert.Equal(t, err, nil)
 	assert.Equal(t, cli.ControllerURL.String(), url, "data")
-	assert.Equal(t, cli.ServiceKey, string(data), "data")
+	assert.Equal(t, cli.Token, "Bearer testing_token", "data")
 	assert.Equal(t, cli.UserAgent, "drycc-builder", "user-agent")
 
 	url = "http://127.0.0.1:invalid-port-number"
@@ -42,7 +38,8 @@ func TestNew(t *testing.T) {
 	}
 }
 
-func TestNewWithInvalidBuilderKeyPath(t *testing.T) {
+func TestNewWithInvalidCredentials(t *testing.T) {
+	os.Unsetenv("DRYCC_PASSPORT_URL")
 	url := "http://127.0.0.1:80"
 	_, err := New(url)
 	assert.True(t, err != nil, "no error received when there should have been")

pkg/gitreceive/build_test.go

@@ -5,12 +5,10 @@ import (
 	"context"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"testing"
 
 	"github.com/distribution/distribution/v3/registry/storage/driver/factory"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
-	builderconf "github.com/drycc/builder/pkg/conf"
 	"github.com/drycc/builder/pkg/sys"
 	"github.com/drycc/controller-sdk-go/api"
 	"github.com/drycc/pkg/log"
@@ -73,13 +71,7 @@ func TestBuild(t *testing.T) {
 	config.ControllerURL = "http://localhost:1234"
 
 	if err := build(config, storageDriver, nil, env, sha); err == nil {
-		t.Error("expected running build() without a valid builder key to fail")
-	}
-
-	builderconf.ServiceKeyLocation = filepath.Join(tmpDir, "service-key")
-	data := []byte("testbuilderkey")
-	if err := os.WriteFile(builderconf.ServiceKeyLocation, data, 0o644); err != nil {
-		t.Fatalf("error creating %s (%s)", builderconf.ServiceKeyLocation, err)
+		t.Error("expected running build() without valid credentials to fail")
 	}
 
 	if err := build(config, storageDriver, nil, env, sha); err == nil {