Red Hat subscription manager integration

task/prefetch-dependencies-oci-ta/0.1/README.md

@@ -26,10 +26,10 @@ params:
 ## Parameters
 |name|description|default value|required|
 |---|---|---|---|
+|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false|
 |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
 |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
 |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
-|config-file-content|Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! |""|false|
 |dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false|
 |input|Configures project packages that will have their dependencies prefetched.||true|
 |log-level|Set cachi2 log level (debug, info, warning, error)|info|false|

task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml

@@ -33,6 +33,10 @@ spec:
 
     [available configuration parameters]: https://github.com/containerbuildsystem/cachi2?tab=readme-ov-file#available-configuration-parameters
   params:
+    - name: ACTIVATION_KEY
+      description: Name of secret which contains subscription activation key
+      type: string
+      default: activation-key
     - name: SOURCE_ARTIFACT
       description: The Trusted Artifact URI pointing to the artifact with
         the application source code.
@@ -46,11 +50,6 @@ spec:
       description: The name of the ConfigMap to read CA bundle data from.
       type: string
       default: trusted-ca
-    - name: config-file-content
-      description: |
-        Pass configuration to cachi2.
-        Note this needs to be passed as a YAML-formatted config dump, not as a file path!
-      default: ""
     - name: dev-package-managers
       description: |
         Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk.
@@ -79,7 +78,13 @@ spec:
         the application source code.
       type: string
   volumes:
-    - name: config
+    - name: activation-key
+      secret:
+        optional: true
+        secretName: $(params.ACTIVATION_KEY)
+    - name: etc-pki-entitlement
+      emptyDir: {}
+    - name: shared
       emptyDir: {}
     - name: trusted-ca
       configMap:
@@ -104,12 +109,7 @@ spec:
         performing http(s) requests.
       optional: true
   stepTemplate:
-    env:
-      - name: CONFIG_FILE_CONTENT
-        value: $(params.config-file-content)
     volumeMounts:
-      - mountPath: /mnt/config
-        name: config
       - mountPath: /var/workdir
         name: workdir
   steps:
@@ -134,24 +134,105 @@ spec:
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
-    - name: sanitize-cachi2-config-file-with-yq
-      image: quay.io/konflux-ci/yq:latest@sha256:f758d9a25bc88cc114bfb6137fd4d649db427de5a4217e818b8466ad5bf9255c
+    - name: check-prefetch-input
+      image: quay.io/bcook/cachi2@sha256:cd0ee8284eb41838071e7987644fcfe05cef77f89ac426c14a2fa4ed5bd1b5ac
+      env:
+        - name: INPUT
+          value: $(params.input)
       script: |
-        if [ -n "${CONFIG_FILE_CONTENT}" ]; then
-          # we need to drop 'goproxy_url' for safety reasons until cachi2 decides what the SBOM
-          # impact of this configuration option will be:
-          # https://github.com/containerbuildsystem/cachi2/issues/577
-          yq 'del(.goproxy_url)' <<<"${CONFIG_FILE_CONTENT}"  >/mnt/config/config.yaml
+        if [ -z "${INPUT}" ]; then
+          # Confirm input was provided though it's likely the whole task would be skipped if it wasn't
+          echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps"
+          exit 0
+        fi
+    - name: register-red-hat
+      image: quay.io/bcook/cachi2@sha256:cd0ee8284eb41838071e7987644fcfe05cef77f89ac426c14a2fa4ed5bd1b5ac
+      results:
+        - name: registered
+          type: string
+      volumeMounts:
+        - mountPath: /shared
+          name: shared
+        - mountPath: /activation-key
+          name: activation-key
+      env:
+        - name: INPUT
+          value: $(params.input)
+        - name: ACTIVATION_KEY
+          value: $(params.ACTIVATION_KEY)
+      script: |
+        #!/bin/bash
+        echo "false" >/shared/registered
+        ACTIVATION_KEY_PATH="/activation-key"
+
+        if [ -e /activation-key/org ]; then
+          cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
+          mkdir /shared/rhsm-tmp
+          VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z)
+
+          echo "Registering with Red Hat subscription manager."
+          subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)"
+
+          # copy generated certificates to /shared/rhsm-tmp
+          cp /etc/pki/entitlement/*.pem /shared/rhsm-tmp
+          echo "true" >/shared/registered
+
+        else
+          echo "false" >/shared/registered
         fi
+    - name: preprocess-input
+      image: quay.io/bcook/cachi2@sha256:cd0ee8284eb41838071e7987644fcfe05cef77f89ac426c14a2fa4ed5bd1b5ac
+      args:
+        - $(params.input)
+      volumeMounts:
+        - mountPath: /shared
+          name: shared
+      env:
+        - name: INPUT
+          value: $(params.input)
+        - name: ACTIVATION_KEY
+          value: $(params.ACTIVATION_KEY)
+      script: "#!/bin/python3\nimport json\nimport os\nimport sys\n\ndef string_to_json(input:
+        str):\n    if input in [\"gomod\", \"pip\", \"npm\", \"yarn\", \"bundler\",
+        \"rpm\"]:\n        input = '{\"type\": \"%s\"}' % input\n        print(\"json:
+        %s\" % input)\n    return input\n\n\ndef json_to_list(input: str):\n
+        \   input = json.loads(input)\n    if type(input) is dict:\n        input
+        = [input]\n    return json.dumps(input)\n\n\ndef inject_certs(input:
+        str):\n    input = json.loads(input)\n    if type(input is list):\n
+        \       cert = os.getenv(\"RHT_CERT\", None)\n        key = os.getenv(\"RHT_KEY\",
+        None)\n        ca_bundle = os.getenv(\"CA_BUNDLE\", None)\n\n        for
+        pkg_man in input:\n            if pkg_man[\"type\"] == \"rpm\":\n\n
+        \               # preserve verify setting\n                verify
+        = \\\n                    pkg_man.get(\"options\", {}).get(\"ssl\",
+        {}).get(\"verify\", 1)\n\n                # preserve other options\n
+        \               options = pkg_man.get('options', {})\n                dnf
+        = options.get('options', None)\n                \n                ssl_options
+        = {\n                    \"client_key\": key,\n                    \"client_cert\":
+        cert,\n                    \"ca_bundle\": ca_bundle,\n                    \"verify\":
+        verify}\n\n                options['ssl'] = ssl_options\n                options['dnf']
+        = dnf\n                pkg_man[\"options\"] = options\n        return
+        (json.dumps(input))\n\n    else:\n        # throw an error\n        print(\"boooo!\")\n\n\n\ndef
+        convert_input(input):\n    input = string_to_json(input)\n    input
+        = json_to_list(input)\n    input = inject_certs(input)\n    return
+        input\n\n\nif __name__ == '__main__':\n    f = open(\"/shared/registered\",
+        \"r\")\n    registered = f.read().strip(\"\\n\")\n    if registered
+        == \"false\":\n        print(\"System is not registered.\")\n        input
+        = sys.argv[1]\n\n    elif registered == \"true\":\n        input =
+        sys.argv[1]\n        input = convert_input(input)\n    else:\n        print(\"unexpected
+        result for 'registered': %s\" % repr(registered))\n        sys.exit(1)\n\n
+        \   print(\"Preprocessing result: %s\" % input)\n    with open('/shared/preprocessed_input',
+        'w') as f:\n        f.write(input)\n"
     - name: prefetch-dependencies
-      image: quay.io/redhat-appstudio/cachi2:0.11.0@sha256:1051a8e55f4b6dddb5591ac103644e1d45b2367cffe50ba900418939aace0fb2
+      image: quay.io/bcook/cachi2@sha256:cd0ee8284eb41838071e7987644fcfe05cef77f89ac426c14a2fa4ed5bd1b5ac
       volumeMounts:
         - mountPath: /mnt/trusted-ca
           name: trusted-ca
           readOnly: true
+        - mountPath: /activation-key
+          name: activation-key
+        - mountPath: /shared
+          name: shared
       env:
-        - name: INPUT
-          value: $(params.input)
         - name: DEV_PACKAGE_MANAGERS
           value: $(params.dev-package-managers)
         - name: LOG_LEVEL
@@ -165,17 +246,8 @@ spec:
         - name: WORKSPACE_NETRC_PATH
           value: $(workspaces.netrc.path)
       script: |
-        if [ -z "${INPUT}" ]; then
-          # Confirm input was provided though it's likely the whole task would be skipped if it wasn't
-          echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps"
-          exit 0
-        fi
-
-        if [ -f /mnt/config/config.yaml ]; then
-          config_flag=--config-file=/mnt/config/config.yaml
-        else
-          config_flag=""
-        fi
+        export INPUT=$(cat /shared/preprocessed_input)
+        echo $INPUT
 
         if [ "$DEV_PACKAGE_MANAGERS" = "true" ]; then
           dev_pacman_flag=--dev-package-managers
@@ -212,7 +284,7 @@ spec:
           update-ca-trust
         fi
 
-        cachi2 --log-level="$LOG_LEVEL" $config_flag fetch-deps \
+        cachi2 --log-level="$LOG_LEVEL" fetch-deps \
           $dev_pacman_flag \
           --source=/var/workdir/source \
           --output=/var/workdir/cachi2/output \