containerbuildsystem · lcarva · Dec 8, 2016 · Nov 30, 2016 · Dec 8, 2016 · lcarva
diff --git a/docs/configuration_file.md b/docs/configuration_file.md
@@ -53,6 +53,12 @@ Some options are also mandatory.
 
 * `koji_certs_secret` (*optional*, `string`) — name of [kubernetes secret](https://github.com/kubernetes/kubernetes/blob/master/docs/design/secrets.md) to use for koji authentication
 
+* `koji_use_kerberos` (*optional*, `boolean`) — will set [atomic-reactor](https://github.com/projectatomic/atomic-reactor) plugins to use kerberos to authenticate to koji.
+
+* `koji_kerberos_keytab` (*optional*, `string`) - location of the keytab that will be used to initialize kerberos credentials for [atomic-reactor](https://github.com/projectatomic/atomic-reactor) plugins - usually in the form `FILE:<absolute_path>`, see [kerberos documentation](http://web.mit.edu/Kerberos/krb5-latest/doc/basic/keytab_def.html) for other possible values
+
+* `koji_kerberos_principal` (*optional*, `string`) - kerberos principal for the keytab provided in `koji_kerberos_keytab`
+
 * `sources_command` (*optional*, `string`) — command to use to get dist-git artifacts from lookaside cache (e.g. `fedpkg sources`)
 
 * `username`, `password` (*optional*, `string`) — when OpenShift is hidden behind authentication proxy, you can specify username and password for basic authentication

diff --git a/inputs/prod_inner.json b/inputs/prod_inner.json
@@ -154,7 +154,9 @@
         "kojihub": "{{KOJI_HUB}}",
         "url": "{{OPENSHIFT_URI}}",
         "verify_ssl": false,
-        "blocksize": 10485760
+        "blocksize": 10485760,
+        "koji_keytab": false,
+        "koji_principal": false
       }
     },
     {

diff --git a/osbs/api.py b/osbs/api.py
@@ -393,6 +393,9 @@ def create_prod_build(self, git_uri, git_ref,
             koji_target=target,
             koji_certs_secret=self.build_conf.get_koji_certs_secret(),
             koji_task_id=koji_task_id,
+            koji_use_kerberos=self.build_conf.get_koji_use_kerberos(),
+            koji_kerberos_keytab=self.build_conf.get_koji_kerberos_keytab(),
+            koji_kerberos_principal=self.build_conf.get_koji_kerberos_principal(),
             architecture=architecture,
             vendor=self.build_conf.get_vendor(),
             build_host=self.build_conf.get_build_host(),

diff --git a/osbs/build/build_request.py b/osbs/build/build_request.py
@@ -486,7 +486,13 @@ def render_koji_promote(self, use_auth=None):
 
             if use_auth is not None:
                 self.dj.dock_json_set_arg('exit_plugins', 'koji_promote',
-                                          'use_auth', use_auth)
+                                            'use_auth', use_auth)
+
+            if self.spec.koji_use_kerberos.value:
+                self.dj.dock_json_set_arg('exit_plugins', 'koji_promote',
+                    'koji_principal', self.spec.koji_kerberos_principal.value)
+                self.dj.dock_json_set_arg('exit_plugins', 'koji_promote',
+                    'koji_keytab', self.spec.koji_kerberos_keytab.value)
         else:
             logger.info("removing koji_promote from request as no kojihub "
                         "specified")

diff --git a/osbs/build/spec.py b/osbs/build/spec.py
@@ -147,6 +147,9 @@ class BuildSpec(object):
     kojihub = BuildParam("kojihub", allow_none=True)
     koji_certs_secret = BuildParam("koji_certs_secret", allow_none=True)
     koji_task_id = BuildParam("koji_task_id", allow_none=True)
+    koji_use_kerberos = BuildParam("koji_use_kerberos", allow_none=True)
+    koji_kerberos_principal = BuildParam("koji_kerberos_principal", allow_none=True)
+    koji_kerberos_keytab = BuildParam("koji_kerberos_keytab", allow_none=True)
     image_tag = BuildParam("image_tag")
     pulp_secret = BuildParam("pulp_secret", allow_none=True)
     pulp_registry = BuildParam("pulp_registry", allow_none=True)
@@ -197,7 +200,8 @@ def set_params(self, git_uri=None, git_ref=None,
                    sources_command=None, architecture=None, vendor=None,
                    build_host=None, authoritative_registry=None, distribution_scope=None,
                    koji_target=None, kojiroot=None, kojihub=None, koji_certs_secret=None,
-                   koji_task_id=None,
+                   koji_use_kerberos=None, koji_kerberos_keytab=None,
+                   koji_kerberos_principal=None, koji_task_id=None,
                    source_secret=None,  # compatibility name for pulp_secret
                    pulp_secret=None, pulp_registry=None, pdc_secret=None, pdc_url=None,
                    smtp_uri=None, nfs_server_path=None,
@@ -240,6 +244,9 @@ def set_params(self, git_uri=None, git_ref=None,
         self.kojiroot.value = kojiroot
         self.kojihub.value = kojihub
         self.koji_certs_secret.value = koji_certs_secret
+        self.koji_use_kerberos.value = koji_use_kerberos
+        self.koji_kerberos_principal.value = koji_kerberos_principal
+        self.koji_kerberos_keytab.value = koji_kerberos_keytab
         self.koji_task_id.value = koji_task_id
         self.pulp_secret.value = pulp_secret or source_secret
         self.pulp_registry.value = pulp_registry

diff --git a/osbs/conf.py b/osbs/conf.py
@@ -211,6 +211,15 @@ def get_koji_target(self):
     def get_koji_certs_secret(self):
         return self._get_value("koji_certs_secret", self.conf_section, "koji_certs_secret")
 
+    def get_koji_use_kerberos(self):
+        return self._get_value("koji_use_kerberos", self.conf_section, "koji_use_kerberos", is_bool_val=True)
+
+    def get_koji_kerberos_keytab(self):
+        return self._get_value("koji_kerberos_keytab", self.conf_section, "koji_kerberos_keytab")
+
+    def get_koji_kerberos_principal(self):
+        return self._get_value("koji_kerberos_principal", self.conf_section, "koji_kerberos_principal")
+
     def get_sources_command(self):
         return self._get_value("sources_command", self.conf_section, "sources_command")
 

diff --git a/tests/build/test_build_request.py b/tests/build/test_build_request.py
@@ -1279,6 +1279,57 @@ def test_render_prod_request_with_koji_secret(self, tmpdir):
                                                   koji_certs_secret_name)
         assert get_plugin(plugins, 'exit_plugins', 'koji_promote')['args']['koji_ssl_certs'] == mount_path
 
+    def test_render_prod_request_with_koji_kerberos(self, tmpdir):
+        self.create_image_change_trigger_json(str(tmpdir))
+        build_request = BuildRequest(str(tmpdir))
+        name_label = "fedora/resultingimage"
+        push_url = "ssh://{username}git.example.com/git/{component}.git"
+        koji_task_id = 1234
+        koji_use_kerberos = True
+        koji_kerberos_keytab = "FILE:/tmp/fakekeytab"
+        koji_kerberos_principal = "myprincipal@OSBSDOMAIN.COM"
+        kwargs = {
+            'git_uri': TEST_GIT_URI,
+            'git_ref': TEST_GIT_REF,
+            'git_branch': TEST_GIT_BRANCH,
+            'user': "john-foo",
+            'component': TEST_COMPONENT,
+            'base_image': 'fedora:latest',
+            'name_label': name_label,
+            'registry_uri': "example.com",
+            'openshift_uri': "http://openshift/",
+            'builder_openshift_url': "http://openshift/",
+            'koji_target': "koji-target",
+            'kojiroot': "http://root/",
+            'kojihub': "http://hub/",
+            'sources_command': "make",
+            'koji_task_id': koji_task_id,
+            'koji_use_kerberos': koji_use_kerberos,
+            'koji_kerberos_keytab': koji_kerberos_keytab,
+            'koji_kerberos_principal': koji_kerberos_principal,
+            'vendor': "Foo Vendor",
+            'authoritative_registry': "registry.example.com",
+            'distribution_scope': "authoritative-source-only",
+            'registry_api_versions': ['v1'],
+            'git_push_url': push_url.format(username='', component=TEST_COMPONENT),
+            'git_push_username': 'example',
+        }
+        build_request.set_params(**kwargs)
+        build_json = build_request.render()
+
+        assert build_json["metadata"]["labels"]["koji-task-id"] == str(koji_task_id)
+
+        plugins = get_plugins_from_build_json(build_json)
+        assert get_plugin(plugins, "exit_plugins", "koji_promote")
+        assert plugin_value_get(plugins, "exit_plugins", "koji_promote",
+                                "args", "kojihub") == kwargs["kojihub"]
+        assert plugin_value_get(plugins, "exit_plugins", "koji_promote",
+                                "args", "url") == kwargs["openshift_uri"]
+
+        assert get_plugin(plugins, 'exit_plugins', 'koji_promote')['args']['koji_principal'] == koji_kerberos_principal
+        assert get_plugin(plugins, 'exit_plugins', 'koji_promote')['args']['koji_keytab'] == koji_kerberos_keytab
+
+
     @pytest.mark.parametrize(('base_image', 'is_custom'), [
         ('fedora', False),
         ('fedora:latest', False),