First to be written in the modern config form
This commit is contained in:
@@ -1,96 +1,34 @@
|
|||||||
(ns k8s.preparers.harbor
|
(ns k8s.preparers.harbor)
|
||||||
(:require
|
|
||||||
["@pulumi/pulumi" :as pulumi]
|
|
||||||
["@pulumi/command/local" :as local]
|
|
||||||
["@pulumiverse/harbor" :as harbor]
|
|
||||||
[utils.harbor :refer [deploy-stack]]
|
|
||||||
[utils.k8s :refer [default-secret create-component]]))
|
|
||||||
|
|
||||||
(defn login [harbor-provider vault-provider url]
|
(defn execute-fn [env]
|
||||||
(let [harbor-resources (deploy-stack
|
(let [docker-string (:docker-json-string env)]
|
||||||
:vault-secrets :project :robot-account
|
{:docker-string docker-string}))
|
||||||
{:provider harbor-provider
|
|
||||||
:vault-provider vault-provider
|
|
||||||
:harbor-app-name "harbor"
|
|
||||||
:harbor-app-namespace "harbor"
|
|
||||||
:name "apps"})
|
|
||||||
robot-account (:robot-account harbor-resources)
|
|
||||||
robot-username (.-fullName robot-account)
|
|
||||||
robot-password (.-secret robot-account)
|
|
||||||
login-cmd (.apply (pulumi/all (clj->js [robot-username robot-password]))
|
|
||||||
(fn [values]
|
|
||||||
(let [[username password] (js->clj values)
|
|
||||||
host-str url]
|
|
||||||
(str "printf \"%s\" " password " | docker login " host-str
|
|
||||||
" --username '" username "' --password-stdin"))))]
|
|
||||||
(new local/Command "docker-login-to-harbor"
|
|
||||||
(clj->js {:create login-cmd})
|
|
||||||
(clj->js {:dependsOn [robot-account]}))))
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
(defn create-pull-robot-secret [provider harbor-provider vault-provider url]
|
|
||||||
(let [harbor-resources (deploy-stack
|
|
||||||
:vault-secrets :robot-account
|
|
||||||
{:provider harbor-provider
|
|
||||||
:vault-provider vault-provider
|
|
||||||
:robot-opts {:name (str "kube" "-robot")
|
|
||||||
:namespace "apps"
|
|
||||||
:level "project"
|
|
||||||
:permissions [{
|
|
||||||
:kind "project"
|
|
||||||
:namespace "apps"
|
|
||||||
:access [{:action "pull" :resource "repository"}
|
|
||||||
{:action "list" :resource "repository"}]}]}
|
|
||||||
:harbor-app-name "harbor"
|
|
||||||
:harbor-app-namespace "harbor"
|
|
||||||
:name "kube"})
|
|
||||||
robot-account (:robot-account harbor-resources)
|
|
||||||
robot-username (.-fullName robot-account)
|
|
||||||
robot-password (.-secret robot-account)]
|
|
||||||
(.apply (pulumi/all (clj->js [robot-username robot-password]))
|
|
||||||
(fn [values]
|
|
||||||
(let [[username password] (js->clj values)
|
|
||||||
auth-str (-> (.from js/Buffer (str username ":" password))
|
|
||||||
(.toString "base64"))
|
|
||||||
docker-config-map {:auths (hash-map url
|
|
||||||
{:auth auth-str})}
|
|
||||||
docker-json-string (.stringify js/JSON (clj->js docker-config-map))
|
|
||||||
secret-opts {:metadata {:annotations {"replicator.v1.mittwald.de/replicate-to" "*"}}
|
|
||||||
:type "kubernetes.io/dockerconfigjson"
|
|
||||||
:stringData {".dockerconfigjson" docker-json-string}}
|
|
||||||
app-name "harbor-creds"
|
|
||||||
app-namespace "kube-system"]
|
|
||||||
(create-component #{:secret} :secret provider app-name nil secret-opts (default-secret {:app-name app-name :app-namespace app-namespace}) nil {}))))))
|
|
||||||
|
|
||||||
(defn merged-callbacks [provider harbor-provider vault-provider url]
|
|
||||||
(login harbor-provider vault-provider url)
|
|
||||||
(create-pull-robot-secret provider harbor-provider vault-provider url))
|
|
||||||
|
|
||||||
(defn generate-robot-account [provider-inputs provider vault-provider callback-fns]
|
|
||||||
(.apply provider-inputs
|
|
||||||
(fn [values]
|
|
||||||
(let [[url username password] (js->clj values)
|
|
||||||
harbor-provider (harbor/Provider.
|
|
||||||
"harbor-provider"
|
|
||||||
(clj->js {:url (str "https://" url)
|
|
||||||
:username username
|
|
||||||
:password password}))]
|
|
||||||
(callback-fns provider harbor-provider vault-provider url)))))
|
|
||||||
|
|
||||||
(defn execute-fn [{:keys [provider vault-provider]}]
|
|
||||||
(let [stack-ref (new pulumi/StackReference "shared")
|
|
||||||
harbor-provider-inputs (pulumi/all
|
|
||||||
(clj->js [(.getOutput stack-ref "url")
|
|
||||||
(.getOutput stack-ref "username")
|
|
||||||
(.getOutput stack-ref "password")]))]
|
|
||||||
(generate-robot-account harbor-provider-inputs provider vault-provider merged-callbacks)))
|
|
||||||
|
|
||||||
(def config
|
(def config
|
||||||
{:stack [:execute]
|
{:stack [:vault:retrieve [:harbor :project :robot-account] :k8s:secret]
|
||||||
:no-namespace true
|
:no-namespace true
|
||||||
:app-name "harbor"
|
:app-name "apps"
|
||||||
:app-namespace "harbor"
|
:app-namespace "generic"
|
||||||
:image-port 80
|
:image-port 80
|
||||||
:vault-load-yaml false
|
:vault-load-yaml false
|
||||||
:exec-fn execute-fn})
|
:exec-fn execute-fn
|
||||||
|
:k8s:secret-opts {:metadata
|
||||||
|
{:name "harbor-creds-secrets"
|
||||||
|
:namespace "kube-system"
|
||||||
|
:annotations {"replicator.v1.mittwald.de/replicate-to" "*"}}
|
||||||
|
:type "kubernetes.io/dockerconfigjson"
|
||||||
|
:stringData {".dockerconfigjson" '(str "{\"auths\":{\""
|
||||||
|
host
|
||||||
|
"\":{\"auth\":\""
|
||||||
|
(b64e (str (-> :harbor:robot-account .-name) ":" (-> :harbor:robot-account .-secret)))
|
||||||
|
"\"}}}")}}
|
||||||
|
:harbor:robot-opts {:name (str "kube" "-robot")
|
||||||
|
:namespace 'app-name
|
||||||
|
:level "project"
|
||||||
|
:permissions [{:kind "project"
|
||||||
|
:namespace 'app-name
|
||||||
|
:access [{:action "pull" :resource "repository"}
|
||||||
|
{:action "list" :resource "repository"}]}]}
|
||||||
|
:vault:retrieve-opts {:app-name "harbor"
|
||||||
|
:app-namespace "harbor"}})
|
||||||
Reference in New Issue
Block a user