🚧 Add kinto core secret allowing builder to call core (#15)

images/entrypoint.sh

@@ -11,6 +11,7 @@ if [ "$KINTO_CLI_GIT_INIT_ENABLED" == "true" ]; then
   "$KINTO_PATH"/kintocli release commit \
     --kintoCoreHost="$KINTO_CLI_RELEASE_COMMIT_KINTO_CORE_HOST" \
     --kintoCoreOverTls="$KINTO_CLI_RELEASE_COMMIT_KINTO_CORE_OVER_TLS" \
+    --kintoCoreSecretKey="$KINTO_CLI_RELEASE_COMMIT_KINTO_CORE_SECRET_KEY" \
     --envId="$KINTO_CLI_RELEASE_COMMIT_ENV_ID" \
     --blockName="$KINTO_CLI_RELEASE_COMMIT_BLOCK_NAME" \
     --releaseId="$KINTO_CLI_RELEASE_COMMIT_RELEASE_ID" \

images/kinto-cli/README.md

@@ -47,23 +47,24 @@ kintocli dockerfile \
 
 ```shell script
 kinto-cli release status \
-  --kintoCoreHost="$KINTO_CORE_HOST" \
-  --kintoCoreOverTls="$IS_KINTO_CORE_OVER_TLS" \
-  --envId="$ENVIRONMENT_ID" \
-  --blockName="$BLOCK_NAME" \
-  --releaseId="$RELEASE_ID" \
-  --status="$STATUS"
+  --kintoCoreHost="$KINTO_CLI_RELEASE_STATUS_KINTO_CORE_HOST" \
+  --kintoCoreOverTls="$KINTO_CLI_RELEASE_STATUS_IS_KINTO_CORE_OVER_TLS" \
+  --kintoCoreSecretKey="$KINTO_CLI_RELEASE_STATUS_KINTO_CORE_SECRET_KEY" \
+  --envId="$KINTO_CLI_RELEASE_STATUS_ENVIRONMENT_ID" \
+  --blockName="$KINTO_CLI_RELEASE_STATUS_BLOCK_NAME" \
+  --releaseId="$KINTO_CLI_RELEASE_STATUS_RELEASE_ID" \
+  --status="$KINTO_CLI_RELEASE_STATUS_STATUS"
 ```
 
 ### Update release commit sha
 
 ```shell script
 kintocli release commit \
-    --kintoCoreHost="$KINTO_CLI_RELEASE_COMMIT_KINTO_CORE_HOST" \
-	--kintoCoreOverTls="$KINTO_CLI_RELEASE_COMMIT_KINTO_CORE_OVER_TLS" \
-	--envId="$KINTO_CLI_RELEASE_COMMIT_ENV_ID" \
-	--blockName="$KINTO_CLI_RELEASE_COMMIT_BLOCK_NAME" \
-	--releaseId="$KINTO_CLI_RELEASE_COMMIT_RELEASE_ID" \
-	--commitSha="$(cat /workspace/.git/`cat /workspace/.git/HEAD | cut -d \  -f 2`)"
-```
-
+  --kintoCoreHost="$KINTO_CLI_RELEASE_COMMIT_KINTO_CORE_HOST" \
+  --kintoCoreOverTls="$KINTO_CLI_RELEASE_COMMIT_KINTO_CORE_OVER_TLS" \
+  --kintoCoreSecretKey="$KINTO_CLI_RELEASE_COMMIT_KINTO_CORE_SECRET_KEY" \
+  --envId="$KINTO_CLI_RELEASE_COMMIT_ENV_ID" \
+  --blockName="$KINTO_CLI_RELEASE_COMMIT_BLOCK_NAME" \
+  --releaseId="$KINTO_CLI_RELEASE_COMMIT_RELEASE_ID" \
+  --commitSha="$(cat /workspace/.git/`cat /workspace/.git/HEAD | cut -d \  -f 2`)"
+```

images/kinto-cli/cmd-release/cmd-release-commit-sha.go

@@ -5,15 +5,16 @@ import (
 	"github.com/kintoproj/kinto-core/pkg/types"
 )
 
-func UpdateReleaseCommitSha(kintoCoreHost, envId, blockName, releaseId, commitSha string, kintoCoreOverTls bool) error {
+func UpdateReleaseCommitSha(
+	kintoCoreHost, envId, blockName, releaseId, commitSha string, kintoCoreOverTls bool, kintoCoreSecretKey string) error {
 	commitShaRequest := &types.UpdateBuildCommitShaRequest{
 		BlockName: blockName,
 		EnvId:     envId,
 		ReleaseId: releaseId,
 		CommitSha: commitSha,
 	}
 
-	kintoCoreClient, err := newKintoCoreReleaseClient(kintoCoreHost, kintoCoreOverTls)
+	kintoCoreClient, err := newKintoCoreReleaseClient(kintoCoreHost, kintoCoreOverTls, kintoCoreSecretKey)
 	if err != nil {
 		return err
 	}

images/kinto-cli/cmd-release/cmd-release-status.go

@@ -7,13 +7,14 @@ import (
 	"github.com/kintoproj/kinto-core/pkg/types"
 )
 
-func UpdateReleaseStatus(kintoCoreHost, envId, blockName, releaseId, status string, kintoCoreOverTls bool) error {
+func UpdateReleaseStatus(
+	kintoCoreHost, envId, blockName, releaseId, status string, kintoCoreOverTls bool, kintoCoreSecretKey string) error {
 	buildStatus, err := convertToBuildStatusRequest(envId, blockName, releaseId, status)
 	if err != nil {
 		return err
 	}
 
-	kintoCoreClient, err := newKintoCoreReleaseClient(kintoCoreHost, kintoCoreOverTls)
+	kintoCoreClient, err := newKintoCoreReleaseClient(kintoCoreHost, kintoCoreOverTls, kintoCoreSecretKey)
 	if err != nil {
 		return err
 	}

images/kinto-cli/cmd-release/kintoCoreReleaseClient.go

@@ -7,18 +7,20 @@ import (
 	"github.com/kintoproj/kinto-core/pkg/types"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/metadata"
 )
 
 type kintoCoreReleaseClient struct {
-	client types.KintoCoreServiceClient
+	client             types.KintoCoreServiceClient
+	kintoCoreSecretKey string
 }
 
 type kintoCoreReleaseClientInterface interface {
 	updateBuildStatus(buildStatusRequest *types.UpdateBuildStatusRequest) (string, error)
 	updateBuildCommitSha(req *types.UpdateBuildCommitShaRequest) error
 }
 
-func newKintoCoreReleaseClient(kintoCoreHost string, isOverTLS bool) (kintoCoreReleaseClientInterface, error) {
+func newKintoCoreReleaseClient(kintoCoreHost string, isOverTLS bool, kintoCoreSecretKey string) (kintoCoreReleaseClientInterface, error) {
 	dialOption := grpc.WithInsecure()
 
 	if isOverTLS {
@@ -38,22 +40,33 @@ func newKintoCoreReleaseClient(kintoCoreHost string, isOverTLS bool) (kintoCoreR
 
 	buildClient := types.NewKintoCoreServiceClient(conn)
 	return &kintoCoreReleaseClient{
-		client: buildClient,
+		client:             buildClient,
+		kintoCoreSecretKey: kintoCoreSecretKey,
 	}, nil
 }
 
-func (r *kintoCoreReleaseClient) updateBuildStatus(buildStatusRequest *types.UpdateBuildStatusRequest) (string, error) {
-	resp, err := r.client.UpdateBuildStatus(context.Background(), buildStatusRequest)
+func (k *kintoCoreReleaseClient) updateBuildStatus(buildStatusRequest *types.UpdateBuildStatusRequest) (string, error) {
+	ctx := k.setAuthorization(context.Background())
+	resp, err := k.client.UpdateBuildStatus(ctx, buildStatusRequest)
 	if err != nil {
 		return "", err
 	}
 	return resp.Id, nil
 }
 
-func (r *kintoCoreReleaseClient) updateBuildCommitSha(req *types.UpdateBuildCommitShaRequest) error {
-	_, err := r.client.UpdateBuildCommitSha(context.Background(), req)
+func (k *kintoCoreReleaseClient) updateBuildCommitSha(req *types.UpdateBuildCommitShaRequest) error {
+	ctx := k.setAuthorization(context.Background())
+	_, err := k.client.UpdateBuildCommitSha(ctx, req)
 	if err != nil {
 		return err
 	}
 	return nil
 }
+
+func (k *kintoCoreReleaseClient) setAuthorization(ctx context.Context) context.Context {
+	if k.kintoCoreSecretKey != "" {
+		return metadata.AppendToOutgoingContext(ctx, "authorization", k.kintoCoreSecretKey)
+	} else {
+		return ctx
+	}
+}

images/kinto-cli/cmd/root.go

@@ -139,7 +139,7 @@ func NewReleaseCommand() *cobra.Command {
 }
 
 func NewReleaseStatusCommand() *cobra.Command {
-	var kintoCoreHost, envId, blockName, releaseId, status string
+	var kintoCoreHost, envId, blockName, releaseId, status, kintoCoreSecretKey string
 	var kintoCoreOverTls bool
 
 	c := &cobra.Command{
@@ -151,7 +151,8 @@ func NewReleaseStatusCommand() *cobra.Command {
 				os.Exit(1)
 			}
 
-			err := cmd_release.UpdateReleaseStatus(kintoCoreHost, envId, blockName, releaseId, status, kintoCoreOverTls)
+			err := cmd_release.UpdateReleaseStatus(
+				kintoCoreHost, envId, blockName, releaseId, status, kintoCoreOverTls, kintoCoreSecretKey)
 
 			if err != nil {
 				fmt.Printf(chalk.Red.Color("%v"), err)
@@ -168,6 +169,9 @@ func NewReleaseStatusCommand() *cobra.Command {
 	c.PersistentFlags().BoolVar(
 		&kintoCoreOverTls, "kintoCoreOverTls", false,
 		"Is Kinto Kube Core API over TLS")
+	c.PersistentFlags().StringVar(
+		&kintoCoreSecretKey, "kintoCoreSecretKey", "",
+		"Kinto Core Secret Key - can be empty if disabled on kinto core")
 	c.PersistentFlags().StringVar(
 		&envId, "envId", "",
 		"Environment Id of the block")
@@ -185,7 +189,7 @@ func NewReleaseStatusCommand() *cobra.Command {
 }
 
 func NewReleaseCommitCommand() *cobra.Command {
-	var kintoCoreHost, envId, blockName, releaseId, commitSha string
+	var kintoCoreHost, envId, blockName, releaseId, commitSha, kintoCoreSecretKey string
 	var kintoCoreOverTls bool
 
 	c := &cobra.Command{
@@ -197,7 +201,8 @@ func NewReleaseCommitCommand() *cobra.Command {
 				os.Exit(1)
 			}
 
-			err := cmd_release.UpdateReleaseCommitSha(kintoCoreHost, envId, blockName, releaseId, commitSha, kintoCoreOverTls)
+			err := cmd_release.UpdateReleaseCommitSha(
+				kintoCoreHost, envId, blockName, releaseId, commitSha, kintoCoreOverTls, kintoCoreSecretKey)
 
 			if err != nil {
 				fmt.Printf(chalk.Red.Color("%v"), err)
@@ -214,6 +219,9 @@ func NewReleaseCommitCommand() *cobra.Command {
 	c.PersistentFlags().BoolVar(
 		&kintoCoreOverTls, "kintoCoreOverTls", false,
 		"Is Kinto Core API over TLS")
+	c.PersistentFlags().StringVar(
+		&kintoCoreSecretKey, "kintoCoreSecretKey", "",
+		"Kinto Core Secret Key - can be empty if disabled on kinto core")
 	c.PersistentFlags().StringVar(
 		&envId, "envId", "",
 		"Environment Id of the block")

kinto-build/.env-example

@@ -7,64 +7,67 @@ SERVER_PORT=8080
 
 IMAGE_REGISTRY_HOST=asia.gcr.io/kinto-development
 
-# Enables friendly / clean non debug related logs from the build service
+##  Enables friendly / clean non debug related logs from the build service
 USER_FRIENDLY_BUILD_LOGS_ENABLED=false
 
-# Kinto Core server hostname
-# By default, tls is disabled
+##  Kinto Core server hostname
+##  By default, tls is disabled
 KINTO_CORE_HOST_NAME=kinto-core:8080
 KINTO_CORE_OVER_TLS=false
 
-# Proxless Fully Qualified Domain Name in Kubernetes
+##  Proxless Fully Qualified Domain Name in Kubernetes
 PROXLESS_FQDN=kinto-proxless.kintohub.svc.cluster.local
 
-# Workflow timeout
+##  Workflow timeout
 WORKFLOW_TIMEOUT=600
 
+##  See KINTO_CORE_SECRET value on kinto core.
+KINTO_CORE_SECRET=
+
 ####################################
 #### ARGO ENVIRONMENT VARIABLES ####
 ####################################
 
-# Leave empty if `kinto-build` run in a pod
+##  Leave empty if `kinto-build` run in a pod
 ARGO_KUBE_CONFIG_PATH=/Users/benjaminapprederisse/.kube/config
 
-# TTL in seconds for deleting the workflow from kubernetes after completion (success or failure)
+##  TTL in seconds for deleting the workflow from kubernetes after completion (success or failure)
 ARGO_WORKFLOW_TTL_SECONDS=600
 
-# Kubernetes namespace where all the workflows are gonna run
+##  Kubernetes namespace where all the workflows are gonna run
 ARGO_WORKFLOW_NAMESPACE=kintohub
 
-# Kubernetes secret used by kaniko to push the image into ${IMAGE_REGISTRY_HOST}
-# Must be a docker secret - `kubernetes.io/dockerconfigjson`
-# Must be in ${ARGO_WORKFLOW_NAMESPACE} namespace
+##  Kubernetes secret used by kaniko to push the image into ${IMAGE_REGISTRY_HOST}
+## Must be a docker secret - `kubernetes.io/dockerconfigjson`
+##  Must be in ${ARGO_WORKFLOW_NAMESPACE} namespace
 ARGO_WORKFLOW_DOCKER_SECRET=kinto-builder-workflow-docker
 
-# Kubernetes service account used by the workflow to interact with the kubernetes api
-# Must be in ARGO_WORKFLOW_NAMESPACE namespace
+##  Kubernetes service account used by the workflow to interact with the kubernetes api
+##  Must be in ARGO_WORKFLOW_NAMESPACE namespace
 ARGO_WORKFLOW_SERVICE_ACCOUNT=kinto-builder-workflow
 
-# Hostname for minio which is used for logs storage. Mandatory when Argo Workflows are enabled
+##  Hostname for minio which is used for logs storage. Mandatory when Argo Workflows are enabled
 ARGO_WORKFLOW_MINIO_HOST=kinto-minio:9000
 
-# Access Key for accessing Minio. Mandatory when Argo Workflows are enabled
+##  Access Key for accessing Minio. Mandatory when Argo Workflows are enabled
 ARGO_WORKFLOW_MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
 
-# Secret key for accessing minio. Mandatory when Argo Workflows are enabled
+##  Secret key for accessing minio. Mandatory when Argo Workflows are enabled
 ARGO_WORKFLOW_MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 
-# Bucket name in minio which the logs exists. Mandatory when Argo Workflows are enabled
+##  Bucket name in minio which the logs exists. Mandatory when Argo Workflows are enabled
 ARGO_WORKFLOW_MINIO_BUCKET=argo-artifacts
 
-# Kubernetes Container Pull Policy that every argo step will follow.
+##  Kubernetes Container Pull Policy that every argo step will follow.
 ARGO_WORKFLOW_IMAGE_PULL_POLICY=IfNotPresent
 
 ARGO_WORKFLOW_MAIN_IMAGE=kintohub/kinto-workflow-main:latest
 ARGO_WORKFLOW_CLI_IMAGE=kintohub/kinto-workflow-cli:latest
 
-# Argo workflow use an `emptyDir` ephemeral storage. Be careful setting up this limit since it's gonna use the node volume.
+##  Argo workflow use an `emptyDir` ephemeral storage. Be careful setting up this limit since it's gonna use the node volume.
 ARGO_WORKFLOW_VOLUME_SIZE=1Gi
 
-# Resources for the main step
+##  Resources for the main step
 ARGO_WORKFLOW_MEMORY_LIMIT=2Gi # must be > 2Gi
 ARGO_WORKFLOW_CPU_LIMIT=1 # must be > 500m
 ARGO_WORKFLOW_MEMORY_REQUEST=

kinto-build/internal/build/argo/argo.go

@@ -156,10 +156,11 @@ func (c *BuildClient) BuildAndDeployRelease(req *types.BuildAndDeployRequest) (*
 	templates := []v1alpha1.Template{
 		genStepsTemplate(true),
 		genBuildAndDeployWorkflow(
-			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, req.BuildConfig, config.KintoCoreOverTls, req.IsStaticBuild),
+			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, req.BuildConfig,
+			config.KintoCoreOverTls, req.IsStaticBuild, config.KintoCoreSecretKey),
 		genOnExitHandlerStepsTemplate(),
 		genWorkflowUpdateStatusTemplate(
-			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, config.KintoCoreOverTls),
+			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, config.KintoCoreOverTls, config.KintoCoreSecretKey),
 	}
 
 	if config.ArgoWorkflowNodePoolLabelValue != "" {
@@ -189,7 +190,7 @@ func (c *BuildClient) DeployRelease(req *types.DeployRequest) (*types.WorkflowRe
 		genDeployOnlyWorkflow(req.Namespace, req.BlockName, req.ReleaseId, types.Release_DEPLOY),
 		genOnExitHandlerStepsTemplate(),
 		genWorkflowUpdateStatusTemplate(
-			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, config.KintoCoreOverTls),
+			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, config.KintoCoreOverTls, config.KintoCoreSecretKey),
 	}
 
 	if config.ArgoWorkflowNodePoolLabelValue != "" {
@@ -217,10 +218,10 @@ func (c *BuildClient) DeployReleaseFromCatalog(req *types.DeployCatalogRequest)
 	templates := []v1alpha1.Template{
 		genStepsTemplate(true),
 		genDeployCatalogWorkflow(
-			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, req.Repo, config.KintoCoreOverTls),
+			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, req.Repo, config.KintoCoreOverTls, config.KintoCoreSecretKey),
 		genOnExitHandlerStepsTemplate(),
 		genWorkflowUpdateStatusTemplate(
-			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, config.KintoCoreOverTls),
+			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, config.KintoCoreOverTls, config.KintoCoreSecretKey),
 	}
 
 	if config.ArgoWorkflowNodePoolLabelValue != "" {
@@ -250,7 +251,7 @@ func (c *BuildClient) UndeployRelease(req *types.UndeployRequest) (*types.Workfl
 		genDeployOnlyWorkflow(req.Namespace, req.BlockName, "", types.Release_UNDEPLOY),
 		// we are forced to generated the update status template even if `false`. otherwise argo fails
 		genWorkflowUpdateStatusTemplate(
-			req.Namespace, req.BlockName, "", config.KintoCoreHostname, config.KintoCoreOverTls),
+			req.Namespace, req.BlockName, "", config.KintoCoreHostname, config.KintoCoreOverTls, config.KintoCoreSecretKey),
 	}
 
 	if config.ArgoWorkflowNodePoolLabelValue != "" {
@@ -280,7 +281,7 @@ func (c *BuildClient) SuspendRelease(req *types.SuspendRequest) (*types.Workflow
 		genDeployOnlyWorkflow(req.Namespace, req.BlockName, req.ReleaseId, types.Release_SUSPEND),
 		genOnExitHandlerStepsTemplate(),
 		genWorkflowUpdateStatusTemplate(
-			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, config.KintoCoreOverTls),
+			req.Namespace, req.BlockName, req.ReleaseId, config.KintoCoreHostname, config.KintoCoreOverTls, config.KintoCoreSecretKey),
 	}
 
 	if config.ArgoWorkflowNodePoolLabelValue != "" {