Merge pull request #400 from kube-tarian/cosign-docker-sec

update cosign docker secrets

capten/agent/internal/capten-store/argocd_projects.go

@@ -68,7 +68,7 @@ func (a *Store) executeArgoCDProjectsSelectQuery(query string) ([]*model.ArgoCDP
 		&project.Id, &project.GitProjectId, &project.Status, &project.LastUpdateTime) {
 		gitProject, err := a.GetGitProjectForID(project.GitProjectId)
 		if err != nil {
-			a.log.Errorf("argocd project %s not exist in git projects", project.GitProjectId)
+			a.log.Debugf("argocd project %s not exist in git projects, %v", project.GitProjectId, err)
 			continue
 		}
 

capten/agent/internal/capten-store/crossplane_project.go

@@ -122,7 +122,7 @@ func (a *Store) executeCrossplaneProjectsSelectQuery(query string) ([]*model.Cro
 
 		gitProject, err := a.GetGitProjectForID(project.GitProjectId)
 		if err != nil {
-			a.log.Errorf("Crossplane project %s not exist in git projects", project.Id)
+			a.log.Debugf("Crossplane project %s not exist in git projects, %v", project.Id, err)
 			continue
 		}
 

capten/agent/internal/capten-store/tekton_projects.go

@@ -123,7 +123,7 @@ func (a *Store) executeTektonProjectsSelectQuery(query string) ([]*model.TektonP
 		&project.Id, &project.GitProjectId, &project.Status, &project.LastUpdateTime, &project.WorkflowId, &project.WorkflowStatus) {
 		gitProject, err := a.GetGitProjectForID(project.Id)
 		if err != nil {
-			a.log.Errorf("tekton project %s not exist in git projects", project.Id)
+			a.log.Debugf("tekton project %s not exist in git projects, %v", project.Id, err)
 			continue
 		}
 

capten/config-worker/internal/app_config/app_git_helper.go

@@ -46,17 +46,22 @@ type Config struct {
 var logger = logging.NewLogger()
 
 type AppGitConfigHelper struct {
-	cfg         Config
-	gitClient   *git.GitClient
-	accessToken string
+	cfg          Config
+	gitClient    *git.GitClient
+	argocdClient *argocd.ArgoCDClient
+	accessToken  string
 }
 
 func NewAppGitConfigHelper() (*AppGitConfigHelper, error) {
 	cfg := Config{}
 	if err := envconfig.Process("", &cfg); err != nil {
 		return nil, err
 	}
-	return &AppGitConfigHelper{cfg: cfg, gitClient: git.NewClient()}, nil
+	argocdClient, err := argocd.NewClient(logger)
+	if err != nil {
+		return nil, err
+	}
+	return &AppGitConfigHelper{cfg: cfg, gitClient: git.NewClient(), argocdClient: argocdClient}, nil
 }
 
 func (ca *AppGitConfigHelper) GetGitCreds(ctx context.Context, projectId string) (string, string, error) {
@@ -205,12 +210,7 @@ func (ca *AppGitConfigHelper) DeployMainApp(ctx context.Context, fileName string
 }
 
 func (ca *AppGitConfigHelper) SyncArgoCDApp(ctx context.Context, ns, resName string) error {
-	client, err := argocd.NewClient(logger)
-	if err != nil {
-		return err
-	}
-
-	_, err = client.TriggerAppSync(ctx, ns, resName)
+	_, err := ca.argocdClient.TriggerAppSync(ctx, ns, resName)
 	if err != nil {
 		return err
 	}
@@ -219,17 +219,12 @@ func (ca *AppGitConfigHelper) SyncArgoCDApp(ctx context.Context, ns, resName str
 }
 
 func (ca *AppGitConfigHelper) DeleteArgoCDApp(ctx context.Context, ns, resName, mainApp string) error {
-	client, err := argocd.NewClient(logger)
-	if err != nil {
-		return err
-	}
-
 	// _, err = client.Delete(&model.DeleteRequestPayload{Namespace: ns, ReleaseName: resName})
 	// if err != nil {
 	// 	return err
 	// }
 
-	_, err = client.TriggerAppSync(ctx, ns, mainApp)
+	_, err := ca.argocdClient.TriggerAppSync(ctx, ns, mainApp)
 	if err != nil {
 		return err
 	}
@@ -252,12 +247,7 @@ func (ca *AppGitConfigHelper) CreateCluster(ctx context.Context, id, clusterName
 		return "", err
 	}
 
-	client, err := argocd.NewClient(logger)
-	if err != nil {
-		return "", err
-	}
-
-	err = client.CreateOrUpdateCluster(ctx, clusterName, cred[kubeConfig])
+	err = ca.argocdClient.CreateOrUpdateCluster(ctx, clusterName, cred[kubeConfig])
 	if err != nil {
 		return "", err
 	}
@@ -266,14 +256,9 @@ func (ca *AppGitConfigHelper) CreateCluster(ctx context.Context, id, clusterName
 }
 
 func (ca *AppGitConfigHelper) WaitForArgoCDToSync(ctx context.Context, ns, resName string) error {
-	client, err := argocd.NewClient(logger)
-	if err != nil {
-		return err
-	}
-
 	synched := false
 	for i := 0; i < 3; i++ {
-		app, err := client.GetAppSyncStatus(ctx, ns, resName)
+		app, err := ca.argocdClient.GetAppSyncStatus(ctx, ns, resName)
 		if err != nil {
 			return fmt.Errorf("app %s synch staus fetch failed", resName)
 		}

capten/config-worker/internal/crossplane/config_cluster_secrets.go

@@ -52,7 +52,7 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
 		if err != nil {
 			return fmt.Errorf("failed to create cluter vault token secret, %v", err)
 		}
-		logger.Infof("create %s/%s on cluster cluster %s/%s", namespace, secretStoreName, clusterName)
+		logger.Infof("created %s/%s on cluster cluster %s", namespace, secretStoreName, clusterName)
 	}
 
 	for _, extSecret := range extSecrets {
@@ -67,7 +67,7 @@ func (cp *CrossPlaneApp) configureExternalSecretsOnCluster(ctx context.Context,
 			logger.Infof("failed to create vault external secret, %v", err)
 			continue
 		}
-		logger.Infof("create %s/%s on cluster cluster %s/%s", extSecret.Namespace, externalSecretName, clusterName)
+		logger.Infof("created %s/%s on cluster cluster %s", extSecret.Namespace, externalSecretName, clusterName)
 	}
 	return nil
 }

capten/config-worker/internal/tekton/config_tekton_app.go

@@ -29,7 +29,8 @@ var (
 	githubWebhook           = "github-webhook-secret"
 	argoCred                = "argocd"
 	crossplaneProjectConfig = "extraconfig"
-	secrets                 = []string{gitCred, dockerCred, githubWebhook, argoCred, crossplaneProjectConfig}
+	cosignDockerSecret      = "cosign-docker-secret"
+	secrets                 = []string{gitCred, dockerCred, githubWebhook, argoCred, crossplaneProjectConfig, cosignDockerSecret}
 	pipelineNamespace       = "tekton-pipelines"
 	tektonChildTasks        = []string{"tekton-cluster-tasks"}
 	addPipeline             = "add"
@@ -203,16 +204,14 @@ func (cp *TektonApp) deleteProjectAndApps(ctx context.Context, req *model.Tekton
 }
 
 func (cp *TektonApp) synchPipelineConfig(req *model.TektonPipelineUseCase, templateDir, reqRepo string) error {
-	if _, err := os.Stat(filepath.Join(reqRepo, cp.pluginConfig.TektonProject)); err != nil {
-		for _, config := range []string{cp.pluginConfig.TektonProject, filepath.Join(cp.pluginConfig.TektonPipelinePath, cp.pluginConfig.PipelineClusterConfigSyncPath)} {
-			err := copy.Copy(filepath.Join(templateDir, config), filepath.Join(reqRepo, config),
-				copy.Options{
-					OnDirExists: func(src, dest string) copy.DirExistsAction {
-						return copy.Replace
-					}})
-			if err != nil {
-				return fmt.Errorf("failed to copy dir from template to user repo, %v", err)
-			}
+	for _, config := range []string{cp.pluginConfig.TektonProject, filepath.Join(cp.pluginConfig.TektonPipelinePath, cp.pluginConfig.PipelineClusterConfigSyncPath)} {
+		err := copy.Copy(filepath.Join(templateDir, config), filepath.Join(reqRepo, config),
+			copy.Options{
+				OnDirExists: func(src, dest string) copy.DirExistsAction {
+					return copy.Replace
+				}})
+		if err != nil {
+			return fmt.Errorf("failed to copy dir from template to user repo, %v", err)
 		}
 	}
 
@@ -330,6 +329,20 @@ func (cp *TektonApp) createOrUpdateSecrets(ctx context.Context, req *model.Tekto
 				return fmt.Errorf("failed to create/update k8s secret, %v", err)
 			}
 
+		case cosignDockerSecret:
+			username, password, err := cp.helper.GetContainerRegCreds(ctx,
+				req.CredentialIdentifiers[agentmodel.Container].Identifier, req.CredentialIdentifiers[agentmodel.Container].Id)
+			if err != nil {
+				return fmt.Errorf("failed to get docker cfg secret, %v", err)
+			}
+			strdata["username"] = []byte(username)
+			strdata["password"] = []byte(password)
+			strdata["registry"] = []byte(req.CredentialIdentifiers[agentmodel.Container].Url)
+			if err := k8sclient.CreateOrUpdateSecret(ctx, pipelineNamespace, secName,
+				v1.SecretTypeOpaque, strdata, map[string]string{}); err != nil {
+				return fmt.Errorf("failed to create/update k8s secret, %v", err)
+			}
+
 		case gitCred, githubWebhook:
 			username, token, err := cp.helper.GetGitCreds(ctx, req.CredentialIdentifiers[agentmodel.GitOrg].Id)
 			if err != nil {
@@ -363,9 +376,16 @@ func (cp *TektonApp) createOrUpdateSecrets(ctx context.Context, req *model.Tekto
 			if err != nil {
 				return fmt.Errorf("failed to get GetClusterCreds, %v", err)
 			}
+
+			projectURL := req.CredentialIdentifiers[agentmodel.CrossplaneGitProject].Url
+			projectURLParts := strings.Split(projectURL, "https://")
+			if len(projectURLParts) != 2 {
+				return fmt.Errorf("project url not in correct format, %s", projectURL)
+			}
+
 			strdata["GIT_USER_NAME"] = []byte(username)
 			strdata["GIT_TOKEN"] = []byte(token)
-			strdata["GIT_PROJECT_URL"] = []byte(req.CredentialIdentifiers[agentmodel.CrossplaneGitProject].Url)
+			strdata["GIT_PROJECT_URL"] = []byte(projectURLParts[1])
 			strdata["APP_CONFIG_PATH"] = []byte(filepath.Join(cp.crossplanConfig.ClusterEndpointUpdates.ClusterDefaultAppValuesPath, req.CredentialIdentifiers[agentmodel.ManagedCluster].Url, "apps"))
 			strdata["CLUSTER_CA"] = []byte(kubeCa)
 			strdata["CLUSTER_ENDPOINT"] = []byte(kubeEndpoint)

server/pkg/agent/client.go

@@ -77,7 +77,7 @@ func getConnection(cfg *Config, oryClient oryclient.OryClient) (*grpc.ClientConn
 	}
 
 	dialOptions := []grpc.DialOption{
-		grpc.WithUnaryInterceptor(timeout.UnaryClientInterceptor(5 * time.Second)),
+		grpc.WithUnaryInterceptor(timeout.UnaryClientInterceptor(60 * time.Second)),
 	}
 
 	if cfg.AuthEnabled {