hook up blob auth to the build reconciler

Signed-off-by: Bohan Chen <bohanc@vmware.com>

Author: Bohan Chen

cmd/build-init/main.go

@@ -36,6 +36,7 @@ var (
 	gitRevision             = flag.String("git-revision", os.Getenv("GIT_REVISION"), "The Git revision to make the repository HEAD.")
 	gitInitializeSubmodules = flag.Bool("git-initialize-submodules", getenvBool("GIT_INITIALIZE_SUBMODULES"), "Initialize submodules during git clone")
 	blobURL                 = flag.String("blob-url", os.Getenv("BLOB_URL"), "The url of the source code blob.")
+	blobAuth                = flag.Bool("blob-auth", getenvBool("BLOB_AUTH"), "If authentication should be used for blobs")
 	stripComponents         = flag.Int("strip-components", getenvInt("BLOB_STRIP_COMPONENTS", 0), "The number of directory components to strip from the blobs content when extracting.")
 	registryImage           = flag.String("registry-image", os.Getenv("REGISTRY_IMAGE"), "The registry location of the source code image.")
 	hostName                = flag.String("dns-probe-hostname", os.Getenv("DNS_PROBE_HOSTNAME"), "hostname to dns poll")
@@ -49,6 +50,7 @@ var (
 
 	basicGitCredentials     flaghelpers.CredentialsFlags
 	sshGitCredentials       flaghelpers.CredentialsFlags
+	blobCredentials         flaghelpers.CredentialsFlags
 	basicDockerCredentials  flaghelpers.CredentialsFlags
 	dockerCfgCredentials    flaghelpers.CredentialsFlags
 	dockerConfigCredentials flaghelpers.CredentialsFlags
@@ -60,6 +62,7 @@ var (
 func init() {
 	flag.Var(&basicGitCredentials, "basic-git", "Basic authentication for git of the form 'secretname=git.domain.com'")
 	flag.Var(&sshGitCredentials, "ssh-git", "SSH authentication for git of the form 'secretname=git.domain.com'")
+	flag.Var(&blobCredentials, "blob", "Authentication for blob of the form 'secretname=git.domain.com'")
 	flag.Var(&basicDockerCredentials, "basic-docker", "Basic authentication for docker of the form 'secretname=git.domain.com'")
 	flag.Var(&dockerCfgCredentials, "dockercfg", "Docker Cfg credentials in the form of the path to the credential")
 	flag.Var(&dockerConfigCredentials, "dockerconfig", "Docker Config JSON credentials in the form of the path to the credential")
@@ -220,8 +223,27 @@ func fetchSource(logger *log.Logger, keychain authn.Keychain) error {
 		}
 		return fetcher.Fetch(appDir, *gitURL, *gitRevision, projectMetadataDir)
 	case *blobURL != "":
+		var (
+			blobKeychain blob.Keychain
+			err          error
+		)
+		if *blobAuth {
+			if len(blobCredentials) == 0 {
+				logger.Println("Loading blob credentials from helpers")
+				blobKeychain = blob.DefaultKeychain
+			} else {
+				logger.Println("Loading blob credentials from service account secrets")
+				logLoadingSecrets(logger, blobCredentials)
+				blobKeychain, err = blob.NewMountedSecretBlobKeychain(buildSecretsDir, blobCredentials)
+				if err != nil {
+					return err
+				}
+			}
+		}
+
 		fetcher := blob.Fetcher{
-			Logger: logger,
+			Logger:   logger,
+			Keychain: blobKeychain,
 		}
 		return fetcher.Fetch(appDir, *blobURL, *stripComponents, projectMetadataDir)
 	case *registryImage != "":

cmd/completion/main.go

@@ -48,6 +48,7 @@ var (
 	cosignDockerMediaTypes  flaghelpers.CredentialsFlags
 	basicGitCredentials     flaghelpers.CredentialsFlags
 	sshGitCredentials       flaghelpers.CredentialsFlags
+	blobCredentials         flaghelpers.CredentialsFlags
 	logger                  *log.Logger
 )
 
@@ -60,6 +61,7 @@ func init() {
 	flag.Var(&dockerConfigCredentials, "dockerconfig", "Docker Config JSON credentials in the form of the path to the credential")
 	flag.Var(&basicGitCredentials, "basic-git", "Basic authentication for git of the form 'secretname=git.domain.com'")
 	flag.Var(&sshGitCredentials, "ssh-git", "SSH authentication for git of the form 'secretname=git.domain.com'")
+	flag.Var(&blobCredentials, "blob", "Authentication for blob of the form 'secretname=git.domain.com'")
 
 	flag.Var(&cosignAnnotations, "cosign-annotations", "Cosign custom signing annotations")
 	flag.Var(&cosignRepositories, "cosign-repositories", "Cosign signing repository of the form 'secretname=registry.example.com/project'")

pkg/apis/build/v1alpha2/build_pod.go

@@ -43,6 +43,7 @@ const (
 	cosignRespositoryAnnotationPrefix      = "kpack.io/cosign.repository"
 	DOCKERSecretAnnotationPrefix           = "kpack.io/docker"
 	GITSecretAnnotationPrefix              = "kpack.io/git"
+	BlobSecretAnnotationPrefix             = "kpack.io/blob"
 	IstioInject                            = "sidecar.istio.io/inject"
 	BuildReadyAnnotation                   = "build.kpack.io/ready"
 
@@ -234,7 +235,9 @@ func (b *Build) BuildPod(images BuildPodImages, buildContext BuildContext) (*cor
 		buildEnv = append(buildEnv, envVar)
 	}
 
-	secretVolumes, secretVolumeMounts, secretArgs := b.setupSecretVolumesAndArgs(buildContext.Secrets, gitAndDockerSecrets)
+	blobAuthUseSecrets := b.Spec.Source.Blob != nil && b.Spec.Source.Blob.Auth == string(corev1alpha1.BlobAuthSecret)
+
+	secretVolumes, secretVolumeMounts, secretArgs := b.setupSecretVolumesAndArgs(buildContext.Secrets, buildSecrets(blobAuthUseSecrets))
 	cosignVolumes, cosignVolumeMounts, cosignSecretArgs := b.setupCosignVolumes(buildContext.Secrets)
 	imagePullVolumes, imagePullVolumeMounts, imagePullArgs := b.setupImagePullVolumes(buildContext.ImagePullSecrets)
 
@@ -978,8 +981,18 @@ func (b *Build) cacheVolume(os string) []corev1.Volume {
 	}}
 }
 
-func gitAndDockerSecrets(secret corev1.Secret) bool {
-	return secret.Annotations[GITSecretAnnotationPrefix] != "" || dockerSecrets(secret)
+func buildSecrets(includeBlobSecrets bool) func(corev1.Secret) bool {
+	return func(secret corev1.Secret) bool {
+		return gitSecrets(secret) || blobSecrets(includeBlobSecrets, secret) || dockerSecrets(secret)
+	}
+}
+
+func gitSecrets(secret corev1.Secret) bool {
+	return secret.Annotations[GITSecretAnnotationPrefix] != ""
+}
+
+func blobSecrets(includeBlobSecret bool, secret corev1.Secret) bool {
+	return includeBlobSecret && secret.Annotations[BlobSecretAnnotationPrefix] != ""
 }
 
 func dockerSecrets(secret corev1.Secret) bool {
@@ -1009,6 +1022,9 @@ func (b *Build) setupSecretVolumesAndArgs(secrets []corev1.Secret, filter func(s
 		case secret.Type == corev1.SecretTypeSSHAuth:
 			annotatedUrl := secret.Annotations[GITSecretAnnotationPrefix]
 			args = append(args, fmt.Sprintf("-ssh-%s=%s=%s", "git", secret.Name, annotatedUrl))
+		case secret.Annotations[BlobSecretAnnotationPrefix] != "":
+			annotatedUrl := secret.Annotations[BlobSecretAnnotationPrefix]
+			args = append(args, fmt.Sprintf("-blob=%s=%s", secret.Name, annotatedUrl))
 		default:
 			//ignoring secret
 			continue

pkg/apis/build/v1alpha2/build_pod_test.go

@@ -138,6 +138,15 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 			},
 			Type: corev1.SecretTypeDockerConfigJson,
 		},
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "blob-secret",
+				Annotations: map[string]string{
+					buildapi.BlobSecretAnnotationPrefix: "blobstore.com",
+				},
+			},
+			Type: corev1.SecretTypeOpaque,
+		},
 		{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "secret-to-ignore",
@@ -273,9 +282,9 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 				ServiceAccountName: serviceAccount,
 				Source: corev1alpha1.SourceConfig{
 					Git: &corev1alpha1.Git{
-						URL:      "giturl.com/git.git",
-						Revision: "gitrev1234",
-                        InitializeSubmodules: true,
+						URL:                  "giturl.com/git.git",
+						Revision:             "gitrev1234",
+						InitializeSubmodules: true,
 					},
 				},
 				Cache: &buildapi.BuildCacheConfig{
@@ -580,6 +589,65 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 
 		})
 
+		it("configures prepare with blob credentials when using secret", func() {
+			build.Spec.Source = corev1alpha1.SourceConfig{
+				Blob: &corev1alpha1.Blob{
+					URL:  "blobstore.com/source",
+					Auth: "secret",
+				},
+			}
+
+			pod, err := build.BuildPod(config, buildContext)
+			require.NoError(t, err)
+
+			assert.Equal(t, pod.Spec.InitContainers[0].Name, "prepare")
+			assert.Equal(t, pod.Spec.InitContainers[0].Image, config.BuildInitImage)
+
+			assert.Contains(t, pod.Spec.InitContainers[0].Args, "-blob=blob-secret=blobstore.com")
+			assert.Contains(t, pod.Spec.InitContainers[0].VolumeMounts,
+				corev1.VolumeMount{
+					Name:      "secret-volume-7",
+					MountPath: "/var/build-secrets/blob-secret",
+				},
+			)
+			assert.Contains(t, pod.Spec.InitContainers[0].Env,
+				corev1.EnvVar{
+					Name:  "BLOB_AUTH",
+					Value: "true",
+				},
+			)
+		})
+
+		it("configures prepare with blob credentials when using helper", func() {
+			build.Spec.Source = corev1alpha1.SourceConfig{
+				Blob: &corev1alpha1.Blob{
+					URL:  "blobstore.com/source",
+					Auth: "helper",
+				},
+			}
+
+			pod, err := build.BuildPod(config, buildContext)
+			require.NoError(t, err)
+
+			assert.Equal(t, pod.Spec.InitContainers[0].Name, "prepare")
+			assert.Equal(t, pod.Spec.InitContainers[0].Image, config.BuildInitImage)
+
+			assert.NotContains(t, pod.Spec.InitContainers[0].Args, "-blob=blob-secret=blobstore.com")
+			assert.NotContains(t, pod.Spec.InitContainers[0].VolumeMounts,
+				corev1.VolumeMount{
+					Name:      "secret-volume-7",
+					MountPath: "/var/build-secrets/blob-secret",
+				},
+			)
+
+			assert.Contains(t, pod.Spec.InitContainers[0].Env,
+				corev1.EnvVar{
+					Name:  "BLOB_AUTH",
+					Value: "true",
+				},
+			)
+		})
+
 		it("configures prepare with the build configuration", func() {
 			pod, err := build.BuildPod(config, buildContext)
 			require.NoError(t, err)
@@ -1464,15 +1532,15 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 						assertSecretPresent(t, pod, secretName)
 					}
 					require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-						Name:      "secret-volume-8",
+						Name:      "secret-volume-9",
 						MountPath: "/var/build-secrets/cosign/cosign-secret-1",
 					})
 					require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-						Name:      "secret-volume-9",
+						Name:      "secret-volume-10",
 						MountPath: "/var/build-secrets/cosign/cosign-secret-no-password-1",
 					})
 					require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-						Name:      "secret-volume-10",
+						Name:      "secret-volume-11",
 						MountPath: "/var/build-secrets/cosign/cosign-secret-no-password-2",
 					})
 
@@ -1674,15 +1742,15 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 						assertSecretPresent(t, pod, secretName)
 					}
 					require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-						Name:      "secret-volume-8",
+						Name:      "secret-volume-9",
 						MountPath: "/var/build-secrets/cosign/cosign-secret-1",
 					})
 					require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-						Name:      "secret-volume-9",
+						Name:      "secret-volume-10",
 						MountPath: "/var/build-secrets/cosign/cosign-secret-no-password-1",
 					})
 					require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-						Name:      "secret-volume-10",
+						Name:      "secret-volume-11",
 						MountPath: "/var/build-secrets/cosign/cosign-secret-no-password-2",
 					})
 					require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
@@ -1797,15 +1865,15 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 					assertSecretPresent(t, pod, secretName)
 				}
 				require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-					Name:      "secret-volume-8",
+					Name:      "secret-volume-9",
 					MountPath: "/var/build-secrets/cosign/cosign-secret-1",
 				})
 				require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-					Name:      "secret-volume-9",
+					Name:      "secret-volume-10",
 					MountPath: "/var/build-secrets/cosign/cosign-secret-no-password-1",
 				})
 				require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-					Name:      "secret-volume-10",
+					Name:      "secret-volume-11",
 					MountPath: "/var/build-secrets/cosign/cosign-secret-no-password-2",
 				})
 
@@ -1964,15 +2032,15 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 					assertSecretPresent(t, pod, secretName)
 				}
 				require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-					Name:      "secret-volume-8",
+					Name:      "secret-volume-9",
 					MountPath: "/var/build-secrets/cosign/cosign-secret-1",
 				})
 				require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-					Name:      "secret-volume-9",
+					Name:      "secret-volume-10",
 					MountPath: "/var/build-secrets/cosign/cosign-secret-no-password-1",
 				})
 				require.Contains(t, pod.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
-					Name:      "secret-volume-10",
+					Name:      "secret-volume-11",
 					MountPath: "/var/build-secrets/cosign/cosign-secret-no-password-2",
 				})
 

pkg/apis/core/v1alpha1/source_types.go

@@ -65,10 +65,19 @@ func (in *Git) ImagePullSecretsVolume(name string) corev1.Volume {
 	}
 }
 
+type BlobAuthKind string
+
+const (
+	BlobAuthNone   BlobAuthKind = ""
+	BlobAuthHelper BlobAuthKind = "helper"
+	BlobAuthSecret BlobAuthKind = "secret"
+)
+
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=true
 type Blob struct {
 	URL             string `json:"url"`
+	Auth            string `json:"auth,omitempty"`
 	StripComponents int64  `json:"stripComponents,omitempty"`
 }
 
@@ -91,6 +100,10 @@ func (b *Blob) BuildEnvVars() []corev1.EnvVar {
 			Name:  "BLOB_STRIP_COMPONENTS",
 			Value: strconv.FormatInt(b.StripComponents, 10),
 		},
+		{
+			Name:  "BLOB_AUTH",
+			Value: strconv.FormatBool(b.Auth != string(BlobAuthNone)),
+		},
 	}
 }
 
@@ -200,6 +213,7 @@ func (gs *ResolvedGitSource) IsPollable() bool {
 // +k8s:deepcopy-gen=true
 type ResolvedBlobSource struct {
 	URL             string `json:"url"`
+	Auth            string `json:"auth,omitempty"`
 	SubPath         string `json:"subPath,omitempty"`
 	StripComponents int64  `json:"stripComponents,omitempty"`
 }
@@ -208,6 +222,7 @@ func (bs *ResolvedBlobSource) SourceConfig() SourceConfig {
 	return SourceConfig{
 		Blob: &Blob{
 			URL:             bs.URL,
+			Auth:            bs.Auth,
 			StripComponents: bs.StripComponents,
 		},
 		SubPath: bs.SubPath,

pkg/apis/core/v1alpha1/source_validation.go

@@ -47,6 +47,10 @@ func (b *Blob) Validate(ctx context.Context) *apis.FieldError {
 		return nil
 	}
 
+	if b.Auth != "" && b.Auth != "helper" && b.Auth != "secret" {
+		return apis.ErrInvalidValue(b.Auth, "auth", "must be one of '', 'helper', or 'secret'")
+	}
+
 	fieldError := validate.FieldNotEmpty(b.URL, "url").
 		Also(validate.StripComponents(b.StripComponents))
 

pkg/blob/fetch.go

@@ -37,6 +37,9 @@ func (f *Fetcher) Fetch(dir string, blobURL string, stripComponents int, metadat
 			return fmt.Errorf("failed to resolve creds: %v", err)
 		}
 
+		if headers == nil {
+			headers = make(map[string]string)
+		}
 		headers["Authorization"] = auth
 	}
 

pkg/blob/resolver.go

@@ -14,6 +14,7 @@ func (*Resolver) Resolve(ctx context.Context, sourceResolver *buildapi.SourceRes
 	return corev1alpha1.ResolvedSourceConfig{
 		Blob: &corev1alpha1.ResolvedBlobSource{
 			URL:     sourceResolver.Spec.Source.Blob.URL,
+			Auth:    sourceResolver.Spec.Source.Blob.Auth,
 			SubPath: sourceResolver.Spec.Source.SubPath,
 		},
 	}, nil