Add secret-ref flag to git source

Add secret-ref flag to Helm source Add secret-ref to bucket source
2025-11-01 18:26:25 +08:00 · 2020-10-16 16:21:28 +01:00
parent 4eaf72fa3e
commit 2d67ea5f7f
6 changed files with 115 additions and 78 deletions
--- a/cmd/gotk/create_source_bucket.go
+++ b/cmd/gotk/create_source_bucket.go
@ -69,6 +69,7 @@ var (
 	sourceBucketSecretKey string
 	sourceBucketRegion    string
 	sourceBucketInsecure  bool
+	sourceBucketSecretRef string
 )

 func init() {
@ -79,6 +80,7 @@ func init() {
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretKey, "secret-key", "", "the bucket secret key")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketRegion, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketInsecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
+	createSourceBucketCmd.Flags().StringVar(&sourceBucketSecretRef, "secret-ref", "", "the name of an existing secret containing credentials")

 	createSourceCmd.AddCommand(createSourceBucketCmd)
 }
@ -88,7 +90,6 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("Bucket source name is required")
 	}
 	name := args[0]
-	secretName := fmt.Sprintf("bucket-%s", name)

 	if sourceBucketName == "" {
 		return fmt.Errorf("bucket-name is required")
@ -126,6 +127,11 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 			},
 		},
 	}
+	if sourceHelmSecretRef != "" {
+		bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+			Name: sourceBucketSecretRef,
+		}
+	}

 	if export {
 		return exportBucket(*bucket)
@ -141,28 +147,32 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {

 	logger.Generatef("generating Bucket source")

-	secret := corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      secretName,
-			Namespace: namespace,
-		},
-		StringData: map[string]string{},
-	}
+	if sourceBucketSecretRef == "" {
+		secretName := fmt.Sprintf("bucket-%s", name)

-	if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" {
-		secret.StringData["accesskey"] = sourceBucketAccessKey
-		secret.StringData["secretkey"] = sourceBucketSecretKey
-	}
+		secret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secretName,
+				Namespace: namespace,
+			},
+			StringData: map[string]string{},
+		}

-	if len(secret.StringData) > 0 {
-		logger.Actionf("applying secret with the bucket credentials")
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
+		if sourceBucketAccessKey != "" && sourceBucketSecretKey != "" {
+			secret.StringData["accesskey"] = sourceBucketAccessKey
+			secret.StringData["secretkey"] = sourceBucketSecretKey
 		}
-		bucket.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: secretName,
+
+		if len(secret.StringData) > 0 {
+			logger.Actionf("applying secret with the bucket credentials")
+			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+				return err
+			}
+			bucket.Spec.SecretRef = &corev1.LocalObjectReference{
+				Name: secretName,
+			}
+			logger.Successf("authentication configured")
 		}
-		logger.Successf("authentication configured")
 	}

 	logger.Actionf("applying Bucket source")
--- a/cmd/gotk/create_source_git.go
+++ b/cmd/gotk/create_source_git.go
@ -87,15 +87,17 @@ For private Git repositories, the basic authentication credentials are stored in
 }

 var (
-	sourceGitURL          string
-	sourceGitBranch       string
-	sourceGitTag          string
-	sourceGitSemver       string
-	sourceGitUsername     string
-	sourceGitPassword     string
+	sourceGitURL      string
+	sourceGitBranch   string
+	sourceGitTag      string
+	sourceGitSemver   string
+	sourceGitUsername string
+	sourceGitPassword string
+
 	sourceGitKeyAlgorithm flags.PublicKeyAlgorithm = "rsa"
 	sourceGitRSABits      flags.RSAKeyBits         = 2048
 	sourceGitECDSACurve                            = flags.ECDSACurve{Curve: elliptic.P384()}
+	sourceGitSecretRef    string
 )

 func init() {
@ -108,6 +110,7 @@ func init() {
 	createSourceGitCmd.Flags().Var(&sourceGitKeyAlgorithm, "ssh-key-algorithm", sourceGitKeyAlgorithm.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitRSABits, "ssh-rsa-bits", sourceGitRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitECDSACurve, "ssh-ecdsa-curve", sourceGitECDSACurve.Description())
+	createSourceGitCmd.Flags().StringVarP(&sourceGitSecretRef, "secret-ref", "", "", "the name of an existing secret containing SSH or basic credentials")

 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@ -162,6 +165,11 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	if export {
+		if sourceGitSecretRef != "" {
+			gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+				Name: sourceGitSecretRef,
+			}
+		}
 		return exportGit(gitRepository)
 	}

@ -175,7 +183,9 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {

 	withAuth := false
 	// TODO(hidde): move all auth prep to separate func?
-	if u.Scheme == "ssh" {
+	if sourceGitSecretRef != "" {
+		withAuth = true
+	} else if u.Scheme == "ssh" {
 		logger.Actionf("generating deploy key pair")
 		pair, err := generateKeyPair(ctx)
 		if err != nil {
@ -240,8 +250,12 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	logger.Generatef("generating GitRepository source")

 	if withAuth {
+		secretName := name
+		if sourceGitSecretRef != "" {
+			secretName = sourceGitSecretRef
+		}
 		gitRepository.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: name,
+			Name: secretName,
 		}
 	}

--- a/cmd/gotk/create_source_helm.go
+++ b/cmd/gotk/create_source_helm.go
@ -63,12 +63,13 @@ For private Helm repositories, the basic authentication credentials are stored i
 }

 var (
-	sourceHelmURL      string
-	sourceHelmUsername string
-	sourceHelmPassword string
-	sourceHelmCertFile string
-	sourceHelmKeyFile  string
-	sourceHelmCAFile   string
+	sourceHelmURL       string
+	sourceHelmUsername  string
+	sourceHelmPassword  string
+	sourceHelmCertFile  string
+	sourceHelmKeyFile   string
+	sourceHelmCAFile    string
+	sourceHelmSecretRef string
 )

 func init() {
@ -78,6 +79,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmCertFile, "cert-file", "", "TLS authentication cert file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmKeyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmCAFile, "ca-file", "", "TLS authentication CA file path")
+	createSourceHelmCmd.Flags().StringVarP(&sourceHelmSecretRef, "secret-ref", "", "", "the name of an existing secret containing TLS or basic auth credentials")

 	createSourceCmd.AddCommand(createSourceHelmCmd)
 }
@ -87,7 +89,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("HelmRepository source name is required")
 	}
 	name := args[0]
-	secretName := fmt.Sprintf("helm-%s", name)

 	if sourceHelmURL == "" {
 		return fmt.Errorf("url is required")
@ -122,6 +123,12 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}

+	if sourceHelmSecretRef != "" {
+		helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+			Name: sourceHelmSecretRef,
+		}
+	}
+
 	if export {
 		return exportHelmRepository(*helmRepository)
 	}
@ -135,51 +142,54 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	logger.Generatef("generating HelmRepository source")
+	if sourceHelmSecretRef == "" {
+		secretName := fmt.Sprintf("helm-%s", name)

-	secret := corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      secretName,
-			Namespace: namespace,
-		},
-		StringData: map[string]string{},
-	}
-
-	if sourceHelmUsername != "" && sourceHelmPassword != "" {
-		secret.StringData["username"] = sourceHelmUsername
-		secret.StringData["password"] = sourceHelmPassword
-	}
-
-	if sourceHelmCertFile != "" && sourceHelmKeyFile != "" {
-		cert, err := ioutil.ReadFile(sourceHelmCertFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err)
+		secret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secretName,
+				Namespace: namespace,
+			},
+			StringData: map[string]string{},
 		}
-		secret.StringData["certFile"] = string(cert)

-		key, err := ioutil.ReadFile(sourceHelmKeyFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err)
+		if sourceHelmUsername != "" && sourceHelmPassword != "" {
+			secret.StringData["username"] = sourceHelmUsername
+			secret.StringData["password"] = sourceHelmPassword
 		}
-		secret.StringData["keyFile"] = string(key)
-	}

-	if sourceHelmCAFile != "" {
-		ca, err := ioutil.ReadFile(sourceHelmCAFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err)
-		}
-		secret.StringData["caFile"] = string(ca)
-	}
+		if sourceHelmCertFile != "" && sourceHelmKeyFile != "" {
+			cert, err := ioutil.ReadFile(sourceHelmCertFile)
+			if err != nil {
+				return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmCertFile, err)
+			}
+			secret.StringData["certFile"] = string(cert)

-	if len(secret.StringData) > 0 {
-		logger.Actionf("applying secret with repository credentials")
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
+			key, err := ioutil.ReadFile(sourceHelmKeyFile)
+			if err != nil {
+				return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmKeyFile, err)
+			}
+			secret.StringData["keyFile"] = string(key)
 		}
-		helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
-			Name: secretName,
+
+		if sourceHelmCAFile != "" {
+			ca, err := ioutil.ReadFile(sourceHelmCAFile)
+			if err != nil {
+				return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmCAFile, err)
+			}
+			secret.StringData["caFile"] = string(ca)
+		}
+
+		if len(secret.StringData) > 0 {
+			logger.Actionf("applying secret with repository credentials")
+			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+				return err
+			}
+			helmRepository.Spec.SecretRef = &corev1.LocalObjectReference{
+				Name: secretName,
+			}
+			logger.Successf("authentication configured")
 		}
-		logger.Successf("authentication configured")
 	}

 	logger.Actionf("applying HelmRepository source")
--- a/docs/cmd/gotk_create_source_bucket.md
+++ b/docs/cmd/gotk_create_source_bucket.md
@ -45,6 +45,7 @@ gotk create source bucket [name] [flags]
      --provider sourceBucketProvider   the S3 compatible storage provider name, available options are: (generic, aws) (default generic)
      --region string                   the bucket region
      --secret-key string               the bucket secret key
+      --secret-ref string               the name of an existing secret containing credentials
 ```

 ### Options inherited from parent commands
--- a/docs/cmd/gotk_create_source_git.md
+++ b/docs/cmd/gotk_create_source_git.md
@ -58,6 +58,7 @@ gotk create source git [name] [flags]
      --branch string                          git branch (default "master")
  -h, --help                                   help for git
  -p, --password string                        basic authentication password
+      --secret-ref string                      the name of an existing secret containing SSH or basic credentials
      --ssh-ecdsa-curve ecdsaCurve             SSH ECDSA public key curve (p256, p384, p521) (default p384)
      --ssh-key-algorithm publicKeyAlgorithm   SSH public key algorithm (rsa, ecdsa, ed25519) (default rsa)
      --ssh-rsa-bits rsaKeyBits                SSH RSA public key bit size (multiplies of 8) (default 2048)
--- a/docs/cmd/gotk_create_source_helm.md
+++ b/docs/cmd/gotk_create_source_helm.md
@ -38,13 +38,14 @@ gotk create source helm [name] [flags]
 ### Options

 ```
-      --ca-file string     TLS authentication CA file path
-      --cert-file string   TLS authentication cert file path
-  -h, --help               help for helm
-      --key-file string    TLS authentication key file path
-  -p, --password string    basic authentication password
-      --url string         Helm repository address
-  -u, --username string    basic authentication username
+      --ca-file string      TLS authentication CA file path
+      --cert-file string    TLS authentication cert file path
+  -h, --help                help for helm
+      --key-file string     TLS authentication key file path
+  -p, --password string     basic authentication password
+      --secret-ref string   the name of an existing secret containing TLS or basic auth credentials
+      --url string          Helm repository address
+  -u, --username string     basic authentication username
 ```

 ### Options inherited from parent commands