mirror of
https://github.com/fluxcd/flux2.git
synced 2025-11-04 11:56:11 +08:00
291 lines
11 KiB
Go
291 lines
11 KiB
Go
/*
|
|
Copyright 2021 The Flux authors
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/fluxcd/pkg/git"
|
|
"github.com/fluxcd/pkg/git/gogit"
|
|
"github.com/spf13/cobra"
|
|
|
|
"github.com/fluxcd/flux2/v2/internal/flags"
|
|
"github.com/fluxcd/flux2/v2/internal/utils"
|
|
"github.com/fluxcd/flux2/v2/pkg/bootstrap"
|
|
"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
|
|
"github.com/fluxcd/flux2/v2/pkg/manifestgen"
|
|
"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
|
|
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
|
|
"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
|
|
)
|
|
|
|
var bootstrapBServerCmd = &cobra.Command{
|
|
Use: "bitbucket-server",
|
|
Short: "Deploy Flux on a cluster connected to a Bitbucket Server repository",
|
|
Long: `The bootstrap bitbucket-server command creates the Bitbucket Server repository if it doesn't exists and
|
|
commits the Flux manifests to the master branch.
|
|
Then it configures the target cluster to synchronize with the repository.
|
|
If the Flux components are present on the cluster,
|
|
the bootstrap command will perform an upgrade if needed.`,
|
|
Example: ` # Create a Bitbucket Server API token and export it as an env var
|
|
export BITBUCKET_TOKEN=<my-token>
|
|
|
|
# Run bootstrap for a private repository using HTTPS token authentication
|
|
flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --token-auth --path=clusters/my-cluster
|
|
|
|
# Run bootstrap for a private repository using SSH authentication
|
|
flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --hostname=<domain> --path=clusters/my-cluster
|
|
|
|
# Run bootstrap for a public repository on a personal account
|
|
flux bootstrap bitbucket-server --owner=<user> --repository=<repository name> --private=false --personal --hostname=<domain> --token-auth --path=clusters/my-cluster
|
|
|
|
# Run bootstrap for a an existing repository with a branch named main
|
|
flux bootstrap bitbucket-server --owner=<project> --username=<user> --repository=<repository name> --branch=main --hostname=<domain> --token-auth --path=clusters/my-cluster`,
|
|
RunE: bootstrapBServerCmdRun,
|
|
}
|
|
|
|
const (
|
|
bServerDefaultPermission = "push"
|
|
bServerTokenEnvVar = "BITBUCKET_TOKEN"
|
|
)
|
|
|
|
type bServerFlags struct {
|
|
owner string
|
|
repository string
|
|
interval time.Duration
|
|
personal bool
|
|
username string
|
|
private bool
|
|
hostname string
|
|
path flags.SafeRelativePath
|
|
teams []string
|
|
readWriteKey bool
|
|
reconcile bool
|
|
}
|
|
|
|
var bServerArgs bServerFlags
|
|
|
|
func init() {
|
|
bootstrapBServerCmd.Flags().StringVar(&bServerArgs.owner, "owner", "", "Bitbucket Server user or project name")
|
|
bootstrapBServerCmd.Flags().StringVar(&bServerArgs.repository, "repository", "", "Bitbucket Server repository name")
|
|
bootstrapBServerCmd.Flags().StringSliceVar(&bServerArgs.teams, "group", []string{}, "Bitbucket Server groups to be given write access (also accepts comma-separated values)")
|
|
bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.personal, "personal", false, "if true, the owner is assumed to be a Bitbucket Server user; otherwise a group")
|
|
bootstrapBServerCmd.Flags().StringVarP(&bServerArgs.username, "username", "u", "git", "authentication username")
|
|
bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.private, "private", true, "if true, the repository is setup or configured as private")
|
|
bootstrapBServerCmd.Flags().DurationVar(&bServerArgs.interval, "interval", time.Minute, "sync interval")
|
|
bootstrapBServerCmd.Flags().StringVar(&bServerArgs.hostname, "hostname", "", "Bitbucket Server hostname")
|
|
bootstrapBServerCmd.Flags().Var(&bServerArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
|
|
bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
|
|
bootstrapBServerCmd.Flags().BoolVar(&bServerArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
|
|
|
|
bootstrapCmd.AddCommand(bootstrapBServerCmd)
|
|
}
|
|
|
|
func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
|
|
bitbucketToken := os.Getenv(bServerTokenEnvVar)
|
|
if bitbucketToken == "" {
|
|
var err error
|
|
bitbucketToken, err = readPasswordFromStdin("Please enter your Bitbucket personal access token (PAT): ")
|
|
if err != nil {
|
|
return fmt.Errorf("could not read token: %w", err)
|
|
}
|
|
}
|
|
|
|
if bServerArgs.hostname == "" {
|
|
return fmt.Errorf("invalid hostname %q", bServerArgs.hostname)
|
|
}
|
|
|
|
if err := bootstrapValidate(); err != nil {
|
|
return err
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
|
|
defer cancel()
|
|
|
|
kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Manifest base
|
|
if ver, err := getVersion(bootstrapArgs.version); err != nil {
|
|
return err
|
|
} else {
|
|
bootstrapArgs.version = ver
|
|
}
|
|
manifestsBase, err := buildEmbeddedManifestBase()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer os.RemoveAll(manifestsBase)
|
|
|
|
user := bServerArgs.username
|
|
if bServerArgs.personal {
|
|
user = bServerArgs.owner
|
|
}
|
|
|
|
var caBundle []byte
|
|
if bootstrapArgs.caFile != "" {
|
|
var err error
|
|
caBundle, err = os.ReadFile(bootstrapArgs.caFile)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to read TLS CA file: %w", err)
|
|
}
|
|
}
|
|
|
|
// Build Bitbucket Server provider
|
|
providerCfg := provider.Config{
|
|
Provider: provider.GitProviderStash,
|
|
Hostname: bServerArgs.hostname,
|
|
Username: user,
|
|
Token: bitbucketToken,
|
|
CaBundle: caBundle,
|
|
}
|
|
|
|
providerClient, err := provider.BuildGitProvider(providerCfg)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Lazy go-git repository
|
|
tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create temporary working dir: %w", err)
|
|
}
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
|
|
gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
|
|
Transport: git.HTTPS,
|
|
Username: user,
|
|
Password: bitbucketToken,
|
|
CAFile: caBundle,
|
|
}, clientOpts...)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create a Git client: %w", err)
|
|
}
|
|
|
|
// Install manifest config
|
|
installOptions := install.Options{
|
|
BaseURL: rootArgs.defaults.BaseURL,
|
|
Version: bootstrapArgs.version,
|
|
Namespace: *kubeconfigArgs.Namespace,
|
|
Components: bootstrapComponents(),
|
|
Registry: bootstrapArgs.registry,
|
|
ImagePullSecret: bootstrapArgs.imagePullSecret,
|
|
WatchAllNamespaces: bootstrapArgs.watchAllNamespaces,
|
|
NetworkPolicy: bootstrapArgs.networkPolicy,
|
|
LogLevel: bootstrapArgs.logLevel.String(),
|
|
NotificationController: rootArgs.defaults.NotificationController,
|
|
ManifestFile: rootArgs.defaults.ManifestFile,
|
|
Timeout: rootArgs.timeout,
|
|
TargetPath: bServerArgs.path.ToSlash(),
|
|
ClusterDomain: bootstrapArgs.clusterDomain,
|
|
TolerationKeys: bootstrapArgs.tolerationKeys,
|
|
}
|
|
if customBaseURL := bootstrapArgs.manifestsPath; customBaseURL != "" {
|
|
installOptions.BaseURL = customBaseURL
|
|
}
|
|
|
|
// Source generation and secret config
|
|
secretOpts := sourcesecret.Options{
|
|
Name: bootstrapArgs.secretName,
|
|
Namespace: *kubeconfigArgs.Namespace,
|
|
TargetPath: bServerArgs.path.String(),
|
|
ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
|
|
}
|
|
if bootstrapArgs.tokenAuth {
|
|
if bServerArgs.personal {
|
|
secretOpts.Username = bServerArgs.owner
|
|
} else {
|
|
secretOpts.Username = bServerArgs.username
|
|
}
|
|
secretOpts.Password = bitbucketToken
|
|
secretOpts.CAFile = caBundle
|
|
} else {
|
|
keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretOpts.Keypair = keypair
|
|
secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
|
|
secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
|
|
secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
|
|
|
|
secretOpts.SSHHostname = bServerArgs.hostname
|
|
if bootstrapArgs.sshHostname != "" {
|
|
secretOpts.SSHHostname = bootstrapArgs.sshHostname
|
|
}
|
|
}
|
|
|
|
// Sync manifest config
|
|
syncOpts := sync.Options{
|
|
Interval: bServerArgs.interval,
|
|
Name: *kubeconfigArgs.Namespace,
|
|
Namespace: *kubeconfigArgs.Namespace,
|
|
Branch: bootstrapArgs.branch,
|
|
Secret: bootstrapArgs.secretName,
|
|
TargetPath: bServerArgs.path.ToSlash(),
|
|
ManifestFile: sync.MakeDefaultOptions().ManifestFile,
|
|
RecurseSubmodules: bootstrapArgs.recurseSubmodules,
|
|
}
|
|
|
|
entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Bootstrap config
|
|
|
|
bootstrapOpts := []bootstrap.GitProviderOption{
|
|
bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
|
|
bootstrap.WithBranch(bootstrapArgs.branch),
|
|
bootstrap.WithBootstrapTransportType("https"),
|
|
bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
|
|
bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
|
|
bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
|
|
bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
|
|
bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
|
|
bootstrap.WithLogger(logger),
|
|
bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
|
|
}
|
|
if bootstrapArgs.sshHostname != "" {
|
|
bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
|
|
}
|
|
if bootstrapArgs.tokenAuth {
|
|
bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
|
|
}
|
|
if !bServerArgs.private {
|
|
bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
|
|
}
|
|
if bServerArgs.reconcile {
|
|
bootstrapOpts = append(bootstrapOpts, bootstrap.WithReconcile())
|
|
}
|
|
|
|
// Setup bootstrapper with constructed configs
|
|
b, err := bootstrap.NewGitProviderBootstrapper(gitClient, providerClient, kubeClient, bootstrapOpts...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Run
|
|
return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
|
|
}
|