nestoca · davidmdm · May 13, 2024 · May 8, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -25,12 +25,14 @@ COPY --chown=golang:root internal ./internal
 
 RUN go build -v -o joy-generator ./cmd/server
 
-FROM scratch AS prod
+FROM alpine:3.18 AS prod
 
 COPY --from=build /etc/passwd /etc/group  /etc/
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=build --chown=golang:root /app/joy-generator /app/
 
+RUN apk add helm
+
 USER golang:root
 EXPOSE 8080
 

diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- $withCredentials := (and .Values.credentialsSecret .Values.credentialsSecret.name .Values.credentialsSecret.key) -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -35,6 +36,14 @@ spec:
           secret:
             secretName: {{ include "joy-generator.fullname" . }}-github-app-key
         {{- end }}
+        {{- if $withCredentials }}
+        - name: credentials
+          secret:
+            secretName: {{ .Values.credentialsSecret.name }}
+            items:
+              - key: {{ .Values.credentialsSecret.key }}
+                path: credentials.json
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -48,6 +57,11 @@ spec:
             - mountPath: /etc/joy/config
               name: github-app-private-key
             {{- end }}
+            {{- if $withCredentials }}
+            - mountPath: /etc/joy/secrets
+              name: credentials
+              readOnly: true
+            {{- end }}
           env:
           {{- range $key, $value := .Values.env }}
           {{- if $value }}
@@ -59,6 +73,10 @@ spec:
             - name: GH_APP_PRIVATE_KEY_PATH
               value: /etc/joy/config/githubApp.pem
           {{- end }}
+          {{- if $withCredentials }}
+            - name: CREDENTIALS_FILE
+              value: /etc/joy/secrets/credentials.json
+          {{- end }}
           envFrom:
             - secretRef:
                 name: {{ include "joy-generator.fullname" . }}-config

diff --git a/chart/templates/secret.yaml b/chart/templates/secret.yaml
@@ -25,9 +25,8 @@ stringData:
 {{ toYaml .Values.secretEnv.values | indent 2 }}
 {{- end }}
 
----
-
 {{- if .Values.env.GH_APP_ID }}
+---
 {{- and (required ".Values.env.GH_APP_INSTALLATION_ID is required" .Values.env.GH_APP_INSTALLATION_ID) "" |  -}}
 {{- and (required ".Values.githubAppPrivateKey is required" .Values.githubAppPrivateKey) "" -}}
 {{- if $sealedSecret }}

diff --git a/chart/tests/with-credentials/expected.yaml b/chart/tests/with-credentials/expected.yaml
@@ -0,0 +1,117 @@
+---
+# Source: joy-generator/templates/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-release-joy-generator-config
+stringData:
+  GH_TOKEN: "12312312312312"
+  PLUGIN_TOKEN: '@very!l0ngands3curet0ken'
+---
+# Source: joy-generator/templates/argocd-config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: my-release-joy-generator-config
+data:
+  token: "$my-release-joy-generator-config:PLUGIN_TOKEN"
+  baseUrl: "http://my-release-joy-generator"
+---
+# Source: joy-generator/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-release-joy-generator
+  labels:
+    helm.sh/chart: joy-generator-1.0.0
+    app.kubernetes.io/name: joy-generator
+    app.kubernetes.io/instance: my-release
+    app.kubernetes.io/version: "1.0.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: joy-generator
+    app.kubernetes.io/instance: my-release
+---
+# Source: joy-generator/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-release-joy-generator
+  labels:
+    helm.sh/chart: joy-generator-1.0.0
+    app.kubernetes.io/name: joy-generator
+    app.kubernetes.io/instance: my-release
+    app.kubernetes.io/version: "1.0.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: joy-generator
+      app.kubernetes.io/instance: my-release
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: joy-generator
+        app.kubernetes.io/instance: my-release
+    spec:
+      securityContext:
+        {}
+      volumes:
+        - name: catalog-dir
+          emptyDir: {}
+        - name: credentials
+          secret:
+            secretName: super-secret
+            items:
+              - key: street-creds
+                path: credentials.json
+      containers:
+        - name: joy-generator
+          securityContext:
+            {}
+          image: "ghcr.io/nestoca/joy-generator:0.1.2"
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /tmp/catalog
+              name: catalog-dir
+            - mountPath: /etc/joy/secrets
+              name: credentials
+              readOnly: true
+          env:
+            - name: CATALOG_DIR
+              value: "/tmp/catalog"
+            - name: CATALOG_URL
+              value: "https://github.com/example/foobar.git"
+            - name: GH_USER
+              value: "username"
+            - name: GRACE_PERIOD
+              value: "10s"
+            - name: PORT
+              value: ":8080"
+            - name: CREDENTIALS_FILE
+              value: /etc/joy/secrets/credentials.json
+          envFrom:
+            - secretRef:
+                name: my-release-joy-generator-config
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /api/v1/health
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /api/v1/readiness
+              port: http
+          resources:
+            {}
diff --git a/chart/tests/with-credentials/values.yaml b/chart/tests/with-credentials/values.yaml
@@ -0,0 +1,19 @@
+# Default values for joy-generator.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+env:
+  CATALOG_URL: https://github.com/example/foobar.git
+  GH_USER: username
+
+secretEnv:
+  values:
+    PLUGIN_TOKEN: "@very!l0ngands3curet0ken"
+    GH_TOKEN: "12312312312312"
+
+image:
+  tag: 0.1.2
+
+credentialsSecret:
+  name: super-secret
+  key: street-creds
diff --git a/cmd/server/api_get_params_test.go b/cmd/server/api_get_params_test.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -27,10 +28,14 @@ func TestGetParamsE2E(t *testing.T) {
 	}
 
 	var (
-		user    github.User
-		catalog github.RepoMetadata
+		user        github.User
+		catalog     github.RepoMetadata
+		registry    string
+		credentials []byte
 	)
 
+	conf.Var(conf.Environ, &registry, "REGISTRY", conf.Required[string](true))
+	conf.Var(conf.Environ, &credentials, "CREDENTIALS", conf.Required[[]byte](true))
 	conf.Var(conf.Environ, &catalog.Path, "CATALOG_PATH", conf.Default(filepath.Join(os.TempDir(), "catalog")))
 	conf.Var(conf.Environ, &catalog.URL, "CATALOG_URL", conf.Required[string](true))
 	conf.Var(conf.Environ, &catalog.TargetRevision, "CATALOG_REVISION", conf.Default("master"))
@@ -39,6 +44,8 @@ func TestGetParamsE2E(t *testing.T) {
 
 	require.NoError(t, conf.Environ.Parse())
 
+	require.NoError(t, AuthenticateHelm(context.Background(), registry, credentials))
+
 	require.NoError(t, os.RemoveAll(catalog.Path))
 
 	repo, err := user.NewRepo(catalog)
@@ -49,13 +56,20 @@ func TestGetParamsE2E(t *testing.T) {
 
 	repo = repo.WithLogger(logger)
 
+	cacheDir, err := os.MkdirTemp("", "joy-cache-*")
+	require.NoError(t, err)
+
+	t.Logf("cache dir: %s", cacheDir)
+
 	handler := Handler(HandlerParams{
 		pluginToken: "test-token",
 		logger:      logger,
 		repo:        repo,
 		generator: &generator.Generator{
+			CacheRoot:      cacheDir,
 			LoadJoyContext: generator.RepoLoader(repo),
 			Logger:         logger,
+			ChartPuller:    generator.ChartPuller{Logger: logger},
 		},
 	})
 
@@ -79,7 +93,6 @@ func TestGetParamsE2E(t *testing.T) {
 
 	var response generator.GetParamsResponse
 	require.NoError(t, json.Unmarshal(body.Bytes(), &response))
-
 	require.Greater(t, len(response.Output.Parameters), 0)
 
 	for _, result := range response.Output.Parameters {
@@ -92,8 +105,12 @@ func TestGetParamsE2E(t *testing.T) {
 	require.Greater(t, len(logs.Records), 0)
 	for _, record := range logs.Records {
 		require.NotEmpty(t, record["level"])
-		require.NotEqual(t, "error", record["level"])
+		require.NotEqualf(t, "error", record["level"], "unexpected error log: %+v", record)
 	}
+
+	entries, err := os.ReadDir(cacheDir)
+	require.NoError(t, err)
+	require.Greater(t, len(entries), 0)
 }
 
 type TestLogOutputs struct {

diff --git a/cmd/server/config.go b/cmd/server/config.go
@@ -18,6 +18,14 @@ type Config struct {
 
 	Catalog github.RepoMetadata
 
+	CacheRoot string
+
+	Google struct {
+		Repository          string
+		CredentialsFilePath string
+		RawCredentials      []byte
+	}
+
 	Github struct {
 		User github.User
 		App  github.App
@@ -27,19 +35,37 @@ type Config struct {
 func GetConfig() Config {
 	var cfg Config
 
+	home, err := os.UserHomeDir()
+	if err != nil {
+		panic(err)
+	}
+
+	conf.Var(conf.Environ, &cfg.CacheRoot, "CACHE_ROOT", conf.Default(filepath.Join(home, ".cache", "joy")))
 	conf.Var(conf.Environ, &cfg.Port, "PORT", conf.Default(":8080"))
 	conf.Var(conf.Environ, &cfg.GracePeriod, "GRACE_PERIOD", conf.Default(10*time.Second))
 	conf.Var(conf.Environ, &cfg.PluginToken, "PLUGIN_TOKEN")
+
 	conf.Var(conf.Environ, &cfg.Catalog.URL, "CATALOG_URL")
 	conf.Var(conf.Environ, &cfg.Catalog.Path, "CATALOG_DIR", conf.Default(filepath.Join(os.TempDir(), "catalog")))
 	conf.Var(conf.Environ, &cfg.Catalog.TargetRevision, "CATALOG_REVISION")
+
 	conf.Var(conf.Environ, &cfg.Github.User.Token, "GH_TOKEN")
 	conf.Var(conf.Environ, &cfg.Github.User.Name, "GH_USER")
 	conf.Var(conf.Environ, &cfg.Github.App.ID, "GH_APP_ID")
 	conf.Var(conf.Environ, &cfg.Github.App.InstallationID, "GH_APP_INSTALLATION_ID")
 	conf.Var(conf.Environ, &cfg.Github.App.PrivateKeyPath, "GH_APP_PRIVATE_KEY_PATH")
 
+	conf.Var(conf.Environ, &cfg.Google.CredentialsFilePath, "CREDENTIALS_FILE")
+	conf.Var(conf.Environ, &cfg.Google.Repository, "GOOGLE_ARTIFACT_REPOSITORY")
+
 	conf.Environ.MustParse()
 
+	if path := cfg.Google.CredentialsFilePath; path != "" {
+		fs := conf.MakeParser(conf.FileSystem(conf.FileSystemOptions{}))
+		defer fs.MustParse()
+
+		conf.Var(fs, &cfg.Google.RawCredentials, path, conf.Required[[]byte](true))
+	}
+
 	return cfg
 }