feat: [CDS-73704]: add support for OCI helm with ESO (#638)

* feat: [CDS-73704]: add support for OCI helm with ESO Signed-off-by: Mirko Teodorovic <[email protected]> * feat: [CDS-73704]: add readme files Signed-off-by: Mirko Teodorovic <[email protected]> --------- Signed-off-by: Mirko Teodorovic <[email protected]>
harness · Aug 1, 2023 · d7fc5c1 · d7fc5c1
1 parent b27000b
commit d7fc5c1
Show file tree

Hide file tree

Showing 9 changed files with 909 additions and 32 deletions.
diff --git a/.changelog/638.txt b/.changelog/638.txt
@@ -0,0 +1,5 @@
+```release-note:enhancement
+resource/harness_platform_gitops_repository: add support for token update for OCI helm repo with ESO
+```
+
+
diff --git a/docs/data-sources/platform_gitops_repository.md b/docs/data-sources/platform_gitops_repository.md
@@ -34,6 +34,7 @@ data "harness_platform_gitops_repository" "example" {
 ### Optional
 
 - `creds_only` (Boolean) Indicates if to operate on credential set instead of repository.
+- `enable_oci` (Boolean) Indicates if helm-oci support must be enabled for this repo.
 - `org_id` (String) Organization identifier of the GitOps repository.
 - `project_id` (String) Project identifier of the GitOps repository.
 - `query_force_refresh` (Boolean) Indicates to force refresh query for repository.
@@ -80,5 +81,3 @@ Read-Only:
 - `tls_client_cert_key` (String)
 - `type_` (String)
 - `username` (String)
-
-
diff --git a/docs/resources/platform_gitops_repository.md b/docs/resources/platform_gitops_repository.md
@@ -13,6 +13,7 @@ Resource for creating Harness Gitops Repositories.
 ## Example Usage
 
 ```terraform
+// Create a git repository at project level
 resource "harness_platform_gitops_repository" "example" {
   identifier = "identifier"
   account_id = "account_id"
@@ -27,6 +28,156 @@ resource "harness_platform_gitops_repository" "example" {
   }
   upsert = true
 }
+
+// Create a HELM repository at project level
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "https://charts.helm.sh/stable"
+    name            = "repo_name"
+    insecure        = true
+    connection_type = "HTTPS_ANONYMOUS"
+    type_           = "helm"
+  }
+  upsert = true
+}
+
+// Create a OCI HELM repository at project level
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "ghcr.io/wings-software"
+    name            = "repo_name"
+    insecure        = false
+    username        = "username"
+    password        = "ghp_xxxxxxxx"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  upsert = true
+}
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "806630305776.dkr.ecr.us-west-1.amazonaws.com"
+    name            = "repo_name"
+    insecure        = false
+    username        = "AWS"
+    password        = "aws_ecr_token"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  gen_type = "AWS_ECR"
+  ecr_gen {
+    region = "us-west-1"
+    secret_ref {
+      aws_access_key_id     = "AWS_ACCESS_KEY_ID"
+      aws_secret_access_key = "AWS_SECRET_ACCESS_KEY"
+    }
+  }
+  refreshInterval = "1m"
+  upsert          = false
+}
+
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "806630305776.dkr.ecr.us-west-1.amazonaws.com"
+    name            = "repo_name"
+    insecure        = false
+    username        = "AWS"
+    password        = "aws_ecr_token"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  gen_type = "AWS_ECR"
+  ecr_gen {
+    region = "us-west-1"
+    jwt_auth {
+      name      = "name"
+      namespace = "namespace"
+    }
+  }
+  refreshInterval = "1m"
+  upsert          = false
+}
+
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "us.gcr.io/projectID/repo_name"
+    name            = "repo_name"
+    insecure        = false
+    username        = "oauth2accesstoken"
+    password        = "aws_ecr_token"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  gen_type = "GOOGLE_GCR"
+  gcr_gen {
+    projectID = "projectID"
+    accessKey = "{  \"type\": \"service_account\",  \"project_id\": \"google-project-id\",  \"private_key_id\": \"5ef370c719dd12674be7be2312313caaab31231\",  \"private_key\": \"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDQXwd7zfou3NDB\nP9TwgQMWyHYpWRJENC7RTpCaQ1KqBElEHPUBzPpv2L/ayn50qpsmtxYTWdQwR7OL\n8qK+8hrYfSvwSTph/PMOtesrZpWrloIG2virgw1y1zeUDP3DKQDemerVrpve189h\nxxTLTriLS0JMsDniE0HHzeeMtxTbi0NcojDufSq3gTZ4TJ80jPtdIURYAwfW4jHA\nOW1nq8EY3VjOkUDHZ++xtHen9FT4OzpcTSkGyovaYZfLUPFDrtZqmcdS5IjFmTpE\nHfIibB+roT0jynhBBPwuBUWtbJEjXg8Gw2hRquSChCMxKkD9PjttyQMjmlhVrLqR\nG1p4vBSDAgMBAAECggEAS8nUsf4oOjVMpI1wCQ4Troy5Fa71CuOkB7M4uzMzdO1c\nLK8PmlkQ2e+PUKgIOKz5A6riF6W7nNfngUZ+VU8/3nAgtCQeXReg3D/kyoNkeuWi\nY5Xvjop7MMMAzxOulPZr/4siNBhvTy1Vm63KbWwziU6VTclnNEhmy6KjzrWkm3ky\ndcYsnGr5eWbQvmSAE38EeSMw6+OoiEmPYk/hoRg85lVouQ72d4FHaNjU3NNCR1Y0\nUEdj8r9K19nZ7ICTxJ6AZp5rc3Z2rG8MrBY2UEhGhFLZmad8hUtyo5Ol93kOwSHW\n+baGXRasBhWN3uZ3PYCh3NzEJeHEVX0HT4FYUF8NQQKBgQD1OMOVAF9XWESPTuyw\nz5/4S+kRWdplXkP9dEacQ21hIwgX5PFWZFHD1VhwSVniIPWao2Fa/QMZK4np+g9d\nnEkgPlFatPsLT0q3/QT59oHEIAIEorOdz0RXxAkU9xo0RfXQWsXFDgcwcKd9yeet\nxbiQO/LscNomM/CcWW63O1l5IwKBgQDZh596QU9Y3z07OfF9pl86X+QIQlEY0nxr\nx2L+JspVXWnIHoVGlODOoP/EmCfS23oJdZZC7TWLSS9GDCsTC4UPcHW5I0cFFT69\n9M0ZvP2P6oCf2Jg7QOX8DIamcv6wI0MQKdUFDW+wtf01hiS/6lwEQL8xFBhw2+xq\njIKdkoOdIQKBgQCN6Z7OURvb6Xor0UoK/O0f/ZZQ80X/mfEQ8cSXVDItn99kLJs6\nGu5yvbnjqZ95zQc1yc1iob+0Rk0W+h8AVpy/KzFbpBcQsX+VQLkri2wHu1pPonT+\nI9/yRsHWvzYMAFzEinOfmYGxl9BmbH1GRIGN/xOTn6+voilh4iO/qHocLwKBgCNy\n7pJFwmCBQME+GBSZ4DrrFYYjCIQ7CPunaoJwX9i5eFucXau650fFBOlMwnCiQ6j2\n+J2/elJQgtuvb/WSdqSJFyYskY5KgAcEtcfT/J5PYNarvWMqmFAS2n6Vjtu1Y2Bm\n8Mf6AJGTlsf6LFL6JjSrOH0PAUyjCkvyyfZTwgw3BAoGBAOrOYrOC6zigjC5Kmve3\nORnw318hPOV5oo7a7NpztSwwY1/7xZuOJZLaflZXnYCO1BXY+PosshI1cdfrv6PT\niEr+SQ+mbaaxcFxtJUP6Y4GBI4ayeHnmqafuVwPEd//rnPD6YA5RRFF/dfI619Hu\nAt9fAayERhb7iptxMQw6wpbF\n-----END PRIVATE KEY-----\n\",  \"client_email\": \"[email protected]\",  \"client_id\": \"xxxxxxxxxxx0161940\",  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",  \"token_uri\": \"https://oauth2.googleapis.com/token\",  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/[email protected]\",  \"universe_domain\": \"googleapis.com\"}"
+  }
+  refreshInterval = "1m"
+  upsert          = false
+}
+
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "us.gcr.io/projectID/repo_name"
+    name            = "repo_name"
+    insecure        = false
+    username        = "oauth2accesstoken"
+    password        = "aws_ecr_token"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  gen_type = "GOOGLE_GCR"
+  gcr_gen {
+    project_id = "projectID"
+    workload_identity {
+      cluster_location   = "GCPClusterLocation"
+      cluster_name       = "GCPClusterName"
+      cluster_project_id = "GCPClusterProjectID"
+      service_account_ref {
+        name      = "name"
+        namespace = "namespace"
+      }
+    }
+  }
+  refreshInterval = "1m"
+  upsert          = false
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -42,11 +193,16 @@ resource "harness_platform_gitops_repository" "example" {
 ### Optional
 
 - `creds_only` (Boolean) Indicates if to operate on credential set instead of repository.
+- `ecr_gen` (Block List, Max: 1) ECR access token generator specific configuration. (see [below for nested schema](#nestedblock--ecr_gen))
+- `gcr_gen` (Block List, Max: 1) GCR access token generator specific configuration. (see [below for nested schema](#nestedblock--gcr_gen))
+- `gen_type` (String) Default: "UNSET"
+Enum: "UNSET" "AWS_ECR" "GOOGLE_GCR"
 - `org_id` (String) Organization identifier of the GitOps repository.
 - `project_id` (String) Project identifier of the GitOps repository.
 - `query_force_refresh` (Boolean) Indicates to force refresh query for repository.
 - `query_project` (String) Project to query for the GitOps repo.
 - `query_repo` (String) GitOps repository to query.
+- `refresh_interval` (String) For OCI repos, this is the interval to refresh the token to access the registry.
 - `update_mask` (Block List) Update mask of the repository. (see [below for nested schema](#nestedblock--update_mask))
 - `upsert` (Boolean) Indicates if the GitOps repository should be updated if existing and inserted if not.
 
@@ -84,6 +240,67 @@ Optional:
 - `username` (String) Username used for authenticating at the remote repository.
 
 
+<a id="nestedblock--ecr_gen"></a>
+### Nested Schema for `ecr_gen`
+
+Optional:
+
+- `jwt_auth` (Block List, Max: 1) JWT authentication specific configuration. (see [below for nested schema](#nestedblock--ecr_gen--jwt_auth))
+- `region` (String) AWS region.
+- `secret_ref` (Block List, Max: 1) Secret reference to the AWS credentials. (see [below for nested schema](#nestedblock--ecr_gen--secret_ref))
+
+<a id="nestedblock--ecr_gen--jwt_auth"></a>
+### Nested Schema for `ecr_gen.jwt_auth`
+
+Optional:
+
+- `audiences` (List of String) Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+- `name` (String) The name of the ServiceAccount resource being referred to.
+- `namespace` (String) Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+
+
+<a id="nestedblock--ecr_gen--secret_ref"></a>
+### Nested Schema for `ecr_gen.secret_ref`
+
+Optional:
+
+- `aws_access_key_id` (String) AWS access key id.
+- `aws_secret_access_key` (String) AWS secret access key.
+- `aws_session_token` (String) AWS session token.
+
+
+
+<a id="nestedblock--gcr_gen"></a>
+### Nested Schema for `gcr_gen`
+
+Optional:
+
+- `access_key` (String) GCP access key.
+- `project_id` (String) GCP project id.
+- `workload_identity` (Block List, Max: 1) GCP workload identity. (see [below for nested schema](#nestedblock--gcr_gen--workload_identity))
+
+<a id="nestedblock--gcr_gen--workload_identity"></a>
+### Nested Schema for `gcr_gen.workload_identity`
+
+Optional:
+
+- `cluster_location` (String) Cluster location.
+- `cluster_name` (String) Cluster name.
+- `cluster_project_id` (String) Cluster project id.
+- `service_account_ref` (Block List, Max: 1) Service account reference. (see [below for nested schema](#nestedblock--gcr_gen--workload_identity--service_account_ref))
+
+<a id="nestedblock--gcr_gen--workload_identity--service_account_ref"></a>
+### Nested Schema for `gcr_gen.workload_identity.service_account_ref`
+
+Optional:
+
+- `audiences` (List of String) Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+- `name` (String) The name of the ServiceAccount resource being referred to.
+- `namespace` (String) Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+
+
+
+
 <a id="nestedblock--update_mask"></a>
 ### Nested Schema for `update_mask`
 

diff --git a/examples/resources/harness_platform_gitops_repository/resource.tf b/examples/resources/harness_platform_gitops_repository/resource.tf
@@ -50,3 +50,116 @@ resource "harness_platform_gitops_repository" "example" {
   }
   upsert = true
 }
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "806630305776.dkr.ecr.us-west-1.amazonaws.com"
+    name            = "repo_name"
+    insecure        = false
+    username        = "AWS"
+    password        = "aws_ecr_token"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  gen_type = "AWS_ECR"
+  ecr_gen {
+    region = "us-west-1"
+    secret_ref {
+      aws_access_key_id     = "AWS_ACCESS_KEY_ID"
+      aws_secret_access_key = "AWS_SECRET_ACCESS_KEY"
+    }
+  }
+  refreshInterval = "1m"
+  upsert          = false
+}
+
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "806630305776.dkr.ecr.us-west-1.amazonaws.com"
+    name            = "repo_name"
+    insecure        = false
+    username        = "AWS"
+    password        = "aws_ecr_token"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  gen_type = "AWS_ECR"
+  ecr_gen {
+    region = "us-west-1"
+    jwt_auth {
+      name      = "name"
+      namespace = "namespace"
+    }
+  }
+  refreshInterval = "1m"
+  upsert          = false
+}
+
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "us.gcr.io/projectID/repo_name"
+    name            = "repo_name"
+    insecure        = false
+    username        = "oauth2accesstoken"
+    password        = "aws_ecr_token"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  gen_type = "GOOGLE_GCR"
+  gcr_gen {
+    projectID = "projectID"
+    accessKey = "{  \"type\": \"service_account\",  \"project_id\": \"google-project-id\",  \"private_key_id\": \"5ef370c719dd12674be7be2312313caaab31231\",  \"private_key\": \"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDQXwd7zfou3NDB\nP9TwgQMWyHYpWRJENC7RTpCaQ1KqBElEHPUBzPpv2L/ayn50qpsmtxYTWdQwR7OL\n8qK+8hrYfSvwSTph/PMOtesrZpWrloIG2virgw1y1zeUDP3DKQDemerVrpve189h\nxxTLTriLS0JMsDniE0HHzeeMtxTbi0NcojDufSq3gTZ4TJ80jPtdIURYAwfW4jHA\nOW1nq8EY3VjOkUDHZ++xtHen9FT4OzpcTSkGyovaYZfLUPFDrtZqmcdS5IjFmTpE\nHfIibB+roT0jynhBBPwuBUWtbJEjXg8Gw2hRquSChCMxKkD9PjttyQMjmlhVrLqR\nG1p4vBSDAgMBAAECggEAS8nUsf4oOjVMpI1wCQ4Troy5Fa71CuOkB7M4uzMzdO1c\nLK8PmlkQ2e+PUKgIOKz5A6riF6W7nNfngUZ+VU8/3nAgtCQeXReg3D/kyoNkeuWi\nY5Xvjop7MMMAzxOulPZr/4siNBhvTy1Vm63KbWwziU6VTclnNEhmy6KjzrWkm3ky\ndcYsnGr5eWbQvmSAE38EeSMw6+OoiEmPYk/hoRg85lVouQ72d4FHaNjU3NNCR1Y0\nUEdj8r9K19nZ7ICTxJ6AZp5rc3Z2rG8MrBY2UEhGhFLZmad8hUtyo5Ol93kOwSHW\n+baGXRasBhWN3uZ3PYCh3NzEJeHEVX0HT4FYUF8NQQKBgQD1OMOVAF9XWESPTuyw\nz5/4S+kRWdplXkP9dEacQ21hIwgX5PFWZFHD1VhwSVniIPWao2Fa/QMZK4np+g9d\nnEkgPlFatPsLT0q3/QT59oHEIAIEorOdz0RXxAkU9xo0RfXQWsXFDgcwcKd9yeet\nxbiQO/LscNomM/CcWW63O1l5IwKBgQDZh596QU9Y3z07OfF9pl86X+QIQlEY0nxr\nx2L+JspVXWnIHoVGlODOoP/EmCfS23oJdZZC7TWLSS9GDCsTC4UPcHW5I0cFFT69\n9M0ZvP2P6oCf2Jg7QOX8DIamcv6wI0MQKdUFDW+wtf01hiS/6lwEQL8xFBhw2+xq\njIKdkoOdIQKBgQCN6Z7OURvb6Xor0UoK/O0f/ZZQ80X/mfEQ8cSXVDItn99kLJs6\nGu5yvbnjqZ95zQc1yc1iob+0Rk0W+h8AVpy/KzFbpBcQsX+VQLkri2wHu1pPonT+\nI9/yRsHWvzYMAFzEinOfmYGxl9BmbH1GRIGN/xOTn6+voilh4iO/qHocLwKBgCNy\n7pJFwmCBQME+GBSZ4DrrFYYjCIQ7CPunaoJwX9i5eFucXau650fFBOlMwnCiQ6j2\n+J2/elJQgtuvb/WSdqSJFyYskY5KgAcEtcfT/J5PYNarvWMqmFAS2n6Vjtu1Y2Bm\n8Mf6AJGTlsf6LFL6JjSrOH0PAUyjCkvyyfZTwgw3BAoGBAOrOYrOC6zigjC5Kmve3\nORnw318hPOV5oo7a7NpztSwwY1/7xZuOJZLaflZXnYCO1BXY+PosshI1cdfrv6PT\niEr+SQ+mbaaxcFxtJUP6Y4GBI4ayeHnmqafuVwPEd//rnPD6YA5RRFF/dfI619Hu\nAt9fAayERhb7iptxMQw6wpbF\n-----END PRIVATE KEY-----\n\",  \"client_email\": \"[email protected]\",  \"client_id\": \"xxxxxxxxxxx0161940\",  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",  \"token_uri\": \"https://oauth2.googleapis.com/token\",  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/[email protected]\",  \"universe_domain\": \"googleapis.com\"}"
+  }
+  refreshInterval = "1m"
+  upsert          = false
+}
+
+resource "harness_platform_gitops_repository" "example" {
+  identifier = "identifier"
+  account_id = "account_id"
+  project_id = "project_id"
+  org_id     = "org_id"
+  agent_id   = "agent_id"
+  repo {
+    repo            = "us.gcr.io/projectID/repo_name"
+    name            = "repo_name"
+    insecure        = false
+    username        = "oauth2accesstoken"
+    password        = "aws_ecr_token"
+    connection_type = "HTTPS"
+    type_           = "helm"
+    enable_oci      = true
+  }
+  gen_type = "GOOGLE_GCR"
+  gcr_gen {
+    project_id = "projectID"
+    workload_identity {
+      cluster_location   = "GCPClusterLocation"
+      cluster_name       = "GCPClusterName"
+      cluster_project_id = "GCPClusterProjectID"
+      service_account_ref {
+        name      = "name"
+        namespace = "namespace"
+      }
+    }
+  }
+  refreshInterval = "1m"
+  upsert          = false
+}
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.18
 require (
 	github.com/antihax/optional v1.0.0
 	github.com/docker/docker v20.10.22+incompatible
-	github.com/harness/harness-go-sdk v0.3.40
+	github.com/harness/harness-go-sdk v0.3.41
 	github.com/harness/harness-openapi-go-client v0.0.17
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.27.0
 	github.com/pkg/errors v0.9.1