Support Cloning From Private Git Repository (#2840)

Author: martinmaly

porch/api/porch/types_packagerevisions.go

@@ -124,6 +124,14 @@ type GitPackage struct {
 
 	// Directory within the Git repository where the packages are stored. A subdirectory of this directory containing a Kptfile is considered a package.
 	Directory string `json:"directory"`
+
+	// Reference to secret containing authentication credentials. Optional.
+	SecretRef SecretRef `json:"secretRef,omitempty"`
+}
+
+type SecretRef struct {
+	// Name of the secret. The secret is expected to be located in the same namespace as the resource containing the reference.
+	Name string `json:"name"`
 }
 
 // OciPackage describes a repository compatible with the Open Coutainer Registry standard.

porch/api/porch/v1alpha1/types_packagerevisions.go

@@ -125,6 +125,14 @@ type GitPackage struct {
 
 	// Directory within the Git repository where the packages are stored. A subdirectory of this directory containing a Kptfile is considered a package.
 	Directory string `json:"directory"`
+
+	// Reference to secret containing authentication credentials. Optional.
+	SecretRef SecretRef `json:"secretRef,omitempty"`
+}
+
+type SecretRef struct {
+	// Name of the secret. The secret is expected to be located in the same namespace as the resource containing the reference.
+	Name string `json:"name"`
 }
 
 // OciPackage describes a repository compatible with the Open Coutainer Registry standard.

porch/api/porch/v1alpha1/zz_generated.conversion.go

@@ -54,7 +54,7 @@ type GitConfig struct {
 	Branch    string   `json:"branch"`
 	Directory string   `json:"directory"`
 	Username  string   `json:"username"`
-	Password  Password `json:"token"`
+	Password  Password `json:"password"`
 }
 
 type OciConfig struct {

porch/api/porch/v1alpha1/zz_generated.deepcopy.go

@@ -30,8 +30,10 @@ import (
 )
 
 type clonePackageMutation struct {
-	task *api.Task
-	name string // package target name
+	task               *api.Task
+	namespace          string
+	name               string // package target name
+	credentialResolver repository.CredentialResolver
 }
 
 func (m *clonePackageMutation) Apply(ctx context.Context, resources repository.PackageResources) (repository.PackageResources, *api.Task, error) {
@@ -72,6 +74,9 @@ func (m *clonePackageMutation) cloneFromGit(ctx context.Context, gitPackage *api
 		Repo:      gitPackage.Repo,
 		Branch:    gitPackage.Ref,
 		Directory: gitPackage.Directory,
+		SecretRef: configapi.SecretRef{
+			Name: gitPackage.SecretRef.Name,
+		},
 	}
 
 	dir, err := ioutil.TempDir("", "clone-git-package-*")
@@ -80,8 +85,7 @@ func (m *clonePackageMutation) cloneFromGit(ctx context.Context, gitPackage *api
 	}
 	defer os.RemoveAll(dir)
 
-	// TODO: Add support for authentication.
-	var credentialResolver repository.CredentialResolver = nil
+	credentialResolver := m.credentialResolver
 	r, err := git.OpenRepository(ctx, "", "", &spec, credentialResolver, dir)
 	if err != nil {
 		return repository.PackageResources{}, fmt.Errorf("cannot clone Git repository: %w", err)

porch/api/porch/zz_generated.deepcopy.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"math/rand"
 	"net"
 	"net/http"
 	"os"
@@ -111,8 +112,8 @@ func createRepoWithContents(t *testing.T, contentDir string) *gogit.Repository {
 	return repo
 }
 
-func startGitServer(t *testing.T, repo *gogit.Repository) string {
-	server, err := git.NewGitServer(repo)
+func startGitServer(t *testing.T, repo *gogit.Repository, opts ...git.GitServerOption) string {
+	server, err := git.NewGitServer(repo, opts...)
 	if err != nil {
 		t.Fatalf("Failed to create git server: %v", err)
 	}
@@ -143,13 +144,31 @@ func startGitServer(t *testing.T, repo *gogit.Repository) string {
 	return fmt.Sprintf("http://%s", address)
 }
 
-type cr struct{}
+type credentialResolver struct {
+	username, password string
+}
+
+func randomString(n int) string {
+	const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	result := make([]byte, n)
+	for i := range result {
+		result[i] = letters[rand.Intn(len(letters))]
+	}
+	return string(result)
+}
+
+func randomCredentials() *credentialResolver {
+	return &credentialResolver{
+		username: randomString(30),
+		password: randomString(30),
+	}
+}
 
-func (cr) ResolveCredential(ctx context.Context, namespace, name string) (repository.Credential, error) {
+func (r *credentialResolver) ResolveCredential(ctx context.Context, namespace, name string) (repository.Credential, error) {
 	return repository.Credential{
 		Data: map[string][]byte{
-			"username": []byte(""),
-			"password": []byte(""),
+			"username": []byte(r.username),
+			"password": []byte(r.password),
 		},
 	}, nil
 }
@@ -159,8 +178,10 @@ func TestCloneGitBasicAuth(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to find testdata: %v", err)
 	}
+
+	auth := randomCredentials()
 	repo := createRepoWithContents(t, testdata)
-	addr := startGitServer(t, repo)
+	addr := startGitServer(t, repo, git.WithBasicAuth(auth.username, auth.password))
 
 	cpm := clonePackageMutation{
 		task: &v1alpha1.Task{
@@ -172,13 +193,28 @@ func TestCloneGitBasicAuth(t *testing.T) {
 						Repo:      addr,
 						Ref:       "main",
 						Directory: "configmap",
+						SecretRef: v1alpha1.SecretRef{
+							Name: "git-credentials",
+						},
 					},
 				},
 			},
 		},
-		name: "test-configmap",
+		namespace: "test-namespace",
+		name:      "test-configmap",
+		credentialResolver: &credentialResolver{
+			username: "",
+			password: "",
+		},
 	}
 
+	_, _, err = cpm.Apply(context.Background(), repository.PackageResources{})
+	if err == nil {
+		t.Errorf("Expected error (unauthorized); got none")
+	}
+
+	cpm.credentialResolver = auth
+
 	r, _, err := cpm.Apply(context.Background(), repository.PackageResources{})
 	if err != nil {
 		t.Errorf("task apply failed: %v", err)

porch/apiserver/pkg/e2e/suite.go

@@ -106,8 +106,10 @@ func (cad *cadEngine) mapTaskToMutation(ctx context.Context, obj *api.PackageRev
 			return nil, fmt.Errorf("clone not set for task of type %q", task.Type)
 		}
 		return &clonePackageMutation{
-			task: task,
-			name: obj.Spec.PackageName,
+			task:               task,
+			namespace:          obj.Namespace,
+			name:               obj.Spec.PackageName,
+			credentialResolver: cad.credentialResolver,
 		}, nil
 
 	case api.TaskTypePatch: