Feat: Support retrieving modules in private git repo through SSH

.github/workflows/e2e-test.yml

@@ -44,6 +44,7 @@ jobs:
           kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
           kubectl version
           kubectl cluster-info
+          kubectl describe nodes
 
       - name: Load Image to kind cluster
         run: make kind-load

.golangci.yml

@@ -44,7 +44,7 @@ linters-settings:
 
   gocyclo:
     # minimal code complexity to report, 30 by default (but we recommend 10-20)
-    min-complexity: 30
+    min-complexity: 32
 
   maligned:
     # print struct with more effective memory layout or not, false by default
@@ -179,6 +179,14 @@ issues:
       linters:
         - revive
 
+    - text: "package-comments:"
+      linters:
+        - revive
+
+    - text: "exported:"
+      linters:
+        - revive
+
   # Independently from option `exclude` we use default exclude patterns,
   # it can be disabled by this option. To list all
   # excluded by default patterns execute `golangci-lint run --help`.

Makefile

@@ -90,7 +90,7 @@ else
 CONTROLLER_GEN=$(shell which controller-gen)
 endif
 
-GOLANGCILINT_VERSION ?= v1.38.0
+GOLANGCILINT_VERSION ?= v1.50.1
 HOSTOS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
 HOSTARCH := $(shell uname -m)
 ifeq ($(HOSTARCH),x86_64)

api/v1beta2/configuration_types.go

@@ -17,12 +17,12 @@ limitations under the License.
 package v1beta2
 
 import (
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	state "github.com/oam-dev/terraform-controller/api/types"
 	types "github.com/oam-dev/terraform-controller/api/types/crossplane-runtime"
-	v1 "k8s.io/api/core/v1"
 )
 
 // ConfigurationSpec defines the desired state of Configuration

controllers/configuration/configuration.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	v1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	apitypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
@@ -153,3 +154,19 @@ func GetProviderNamespacedName(configuration v1beta2.Configuration) *crossplane.
 		Namespace: provider.DefaultNamespace,
 	}
 }
+
+// GetGitCredentialsFromConfiguration will get the secret containing the SSH private key & known_hosts
+func GetGitCredentialsFromConfiguration(ctx context.Context, k8sClient client.Client, namespace, name string) (*v1.Secret, error) {
+	var secret = &v1.Secret{}
+
+	if err := k8sClient.Get(ctx, client.ObjectKey{Name: name, Namespace: namespace}, secret); err != nil {
+		if kerrors.IsNotFound(err) {
+			return nil, nil
+		}
+		errMsg := "failed to get git credentials Secret object"
+		klog.ErrorS(err, errMsg, "Name", name, "Namespace", namespace)
+		return nil, errors.Wrap(err, errMsg)
+	}
+
+	return secret, nil
+}

controllers/configuration_controller.go

@@ -65,8 +65,9 @@ const (
 	// terraformContainerName is the name of the container that executes the terraform in the pod
 	terraformContainerName     = "terraform-executor"
 	terraformInitContainerName = "terraform-init"
-
-	GitAuthConfigVolumeName      = "git-auth-configuration"
+	// GitAuthConfigVolumeName is the volume name for git auth configurtaion
+	GitAuthConfigVolumeName = "git-auth-configuration"
+	// GitAuthConfigVolumeMountPath is the volume mount path for git auth configurtaion
 	GitAuthConfigVolumeMountPath = "/root/.ssh"
 )
 
@@ -547,22 +548,23 @@ func (r *ConfigurationReconciler) preCheck(ctx context.Context, configuration *v
 			}
 			meta.JobEnv = jobEnv
 		}
-
 		if err := meta.getCredentials(ctx, k8sClient, p); err != nil {
 			return err
 		}
 	}
 
-	gitCreds, err := provider.GetGitCredentialsFromConfiguration(ctx, k8sClient, meta.GitCredentialsReference.Namespace, meta.GitCredentialsReference.Name)
-	if gitCreds == nil {
-		msg := "Git credentials Secret is not found"
-		if err != nil {
-			msg = err.Error()
-		}
-		if updateStatusErr := meta.updateApplyStatus(ctx, k8sClient, types.Authorizing, msg); updateStatusErr != nil {
-			return errors.Wrap(updateStatusErr, msg)
+	if meta.GitCredentialsReference != nil {
+		gitCreds, err := tfcfg.GetGitCredentialsFromConfiguration(ctx, k8sClient, meta.GitCredentialsReference.Namespace, meta.GitCredentialsReference.Name)
+		if gitCreds == nil {
+			msg := "git credentials Secret not found"
+			if err != nil {
+				msg = err.Error()
+			}
+			if updateStatusErr := meta.updateApplyStatus(ctx, k8sClient, types.Authorizing, msg); updateStatusErr != nil {
+				return errors.Wrap(updateStatusErr, msg)
+			}
+			return errors.New(msg)
 		}
-		return errors.New(msg)
 	}
 
 	// Render configuration with backend
@@ -730,10 +732,6 @@ func (meta *TFConfigurationMeta) assembleTerraformJob(executionType TerraformExe
 			Name:      BackendVolumeName,
 			MountPath: BackendVolumeMountPath,
 		},
-		{
-			Name:      GitAuthConfigVolumeName,
-			MountPath: GitAuthConfigVolumeMountPath,
-		},
 	}
 
 	// prepare local Terraform .tf files
@@ -754,18 +752,33 @@ func (meta *TFConfigurationMeta) assembleTerraformJob(executionType TerraformExe
 	hclPath := filepath.Join(BackendVolumeMountPath, meta.RemoteGitPath)
 
 	if meta.RemoteGit != "" {
+		cloneCommand := fmt.Sprintf("git clone %s %s && cp -r %s/* %s", meta.RemoteGit, BackendVolumeMountPath, hclPath, WorkingVolumeMountPath)
+
+		// Check for git credentials, mount the SSH known hosts and private key, add private key into the SSH authentication agent
+		if meta.GitCredentialsReference != nil {
+			initContainerVolumeMounts = append(initContainerVolumeMounts,
+				v1.VolumeMount{
+					Name:      GitAuthConfigVolumeName,
+					MountPath: GitAuthConfigVolumeMountPath,
+				})
+
+			sshCommand := fmt.Sprintf("eval `ssh-agent` && ssh-add %s/%s", GitAuthConfigVolumeMountPath, v1.SSHAuthPrivateKey)
+			cloneCommand = fmt.Sprintf("%s && %s", sshCommand, cloneCommand)
+		}
+
+		command := []string{
+			"sh",
+			"-c",
+			cloneCommand,
+		}
+
 		initContainers = append(initContainers,
 			v1.Container{
 				Name:            "git-configuration",
 				Image:           meta.GitImage,
 				ImagePullPolicy: v1.PullIfNotPresent,
-				Command: []string{
-					"sh",
-					"-c",
-					fmt.Sprintf("eval `ssh-agent` && ssh-add %s/%s && git clone %s %s && cp -r %s/* %s", GitAuthConfigVolumeMountPath, v1.SSHAuthPrivateKey, meta.RemoteGit, BackendVolumeMountPath,
-						hclPath, WorkingVolumeMountPath),
-				},
-				VolumeMounts: initContainerVolumeMounts,
+				Command:         command,
+				VolumeMounts:    initContainerVolumeMounts,
 			})
 	}
 
@@ -879,8 +892,12 @@ func (meta *TFConfigurationMeta) assembleExecutorVolumes() []v1.Volume {
 	workingVolume.EmptyDir = &v1.EmptyDirVolumeSource{}
 	inputTFConfigurationVolume := meta.createConfigurationVolume()
 	tfBackendVolume := meta.createTFBackendVolume()
-	gitAuthConfigVolume := meta.createGitAuthConfigVolume()
-	return []v1.Volume{workingVolume, inputTFConfigurationVolume, tfBackendVolume, gitAuthConfigVolume}
+	if meta.GitCredentialsReference != nil {
+		gitAuthConfigVolume := meta.createGitAuthConfigVolume()
+		return []v1.Volume{workingVolume, inputTFConfigurationVolume, tfBackendVolume, gitAuthConfigVolume}
+	}
+
+	return []v1.Volume{workingVolume, inputTFConfigurationVolume, tfBackendVolume}
 }
 
 func (meta *TFConfigurationMeta) createConfigurationVolume() v1.Volume {

controllers/provider/credentials.go

@@ -141,21 +141,6 @@ func GetProviderFromConfiguration(ctx context.Context, k8sClient client.Client,
 	return provider, nil
 }
 
-func GetGitCredentialsFromConfiguration(ctx context.Context, k8sClient client.Client, namespace, name string) (*v1.Secret, error) {
-	var secret = &v1.Secret{}
-
-	if err := k8sClient.Get(ctx, client.ObjectKey{Name: name, Namespace: namespace}, secret); err != nil {
-		if kerrors.IsNotFound(err) {
-			return nil, nil
-		}
-		errMsg := "failed to get git credentials Secret object"
-		klog.ErrorS(err, errMsg, "Name", name, "Namespace", namespace)
-		return nil, errors.Wrap(err, errMsg)
-	}
-
-	return secret, nil
-}
-
 // checkAlibabaCloudProvider checks if the credentials from the provider are valid
 func checkAlibabaCloudCredentials(region string, accessKeyID, accessKeySecret, stsToken string) error {
 	var (

e2e/normal/configuration_test.go

@@ -2,15 +2,18 @@ package normal
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"testing"
+	"text/template"
 	"time"
 
 	"gotest.tools/assert"
+	coreV1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
@@ -28,9 +31,9 @@ var (
 		"examples/alibaba/eip/configuration_eip_remote_subdirectory.yaml",
 		"examples/alibaba/oss/configuration_hcl_bucket.yaml",
 	}
-	testConfigurationsForceDelete = "examples/random/configuration_force_delete.yaml"
-
-	chartNamespace = "terraform"
+	testConfigurationsForceDelete             = "examples/random/configuration_force_delete.yaml"
+	testConfigurationsGitCredsSecretReference = "../examples/random/configuration_git_ssh.yaml"
+	chartNamespace                            = "terraform"
 )
 
 type ConfigurationAttr struct {
@@ -284,6 +287,80 @@ func TestForceDeleteConfiguration(t *testing.T) {
 	}
 }
 
+func TestGitCredentialsSecretReference(t *testing.T) {
+	configuration := ConfigurationAttr{
+		Name:                   "random-e2e-git-creds-secret-ref",
+		YamlPath:               testConfigurationsGitCredsSecretReference,
+		TFConfigMapName:        "tf-random-e2e-git-creds-secret-ref",
+		BackendStateSecretName: "tfstate-default-random-e2e-git-creds-secret-ref",
+		OutputsSecretName:      "random-e2e-git-creds-secret-ref-conn",
+		VariableSecretName:     "variable-random-e2e-git-creds-secret-ref",
+	}
+
+	clientSet, err := client.Init()
+	assert.NilError(t, err)
+	pwd, _ := os.Getwd()
+	gitServer := filepath.Join(pwd, "..", "../examples/git-credentials")
+	gitServerApplyCmd := fmt.Sprintf("kubectl apply -f %s", gitServer)
+	gitServerDeleteCmd := fmt.Sprintf("kubectl apply -f %s", gitServer)
+
+	beforeApply := func(ctx *TestContext) {
+		err = exec.Command("bash", "-c", gitServerApplyCmd).Run()
+		assert.NilError(t, err)
+
+		klog.Info("- Checking git-server pod status")
+		for i := 0; i < 120; i++ {
+			pod, _ := clientSet.CoreV1().Pods("default").Get(ctx, "git-server", v1.GetOptions{})
+			conditions := pod.Status.Conditions
+			var index int
+			for count, condition := range conditions {
+				index = count
+				if condition.Status == "True" && condition.Type == coreV1.PodReady {
+					klog.Info("- pod=git-server ", condition.Type, "=", condition.Status)
+					break
+				}
+			}
+			if conditions[index].Status == "True" && conditions[index].Type == coreV1.PodReady {
+				break
+			}
+			if i == 119 {
+				t.Error("git-server pod is not running")
+			}
+			time.Sleep(10 * time.Second)
+		}
+
+		getKnownHostsCmd := "kubectl exec pod/git-server -- ssh-keyscan git-server"
+		knownHosts, err := exec.Command("bash", "-c", getKnownHostsCmd).Output()
+		assert.NilError(t, err)
+
+		gitSshAuthSecretTmpl := filepath.Join(gitServer, "templates/git-ssh-auth-secret.tmpl")
+		tmpl := template.Must(template.ParseFiles(gitSshAuthSecretTmpl))
+		gitSshAuthSecretYaml := filepath.Join(gitServer, "git-ssh-auth-secret.yaml")
+		gitSshAuthSecretYamlFile, err := os.Create(gitSshAuthSecretYaml)
+		assert.NilError(t, err)
+		err = tmpl.Execute(gitSshAuthSecretYamlFile, base64.StdEncoding.EncodeToString(knownHosts))
+		assert.NilError(t, err)
+
+		err = exec.Command("bash", "-c", gitServerDeleteCmd).Run()
+		assert.NilError(t, err)
+	}
+
+	cleanUp := func(ctx *TestContext) {
+		err = exec.Command("bash", "-c", gitServerDeleteCmd).Run()
+		assert.NilError(t, err)
+	}
+
+	testBase(
+		t,
+		configuration,
+		Injector{
+			BeforeApplyConfiguration: beforeApply,
+			CleanUp:                  cleanUp,
+		},
+		false,
+	)
+}
+
 //func TestBasicConfigurationRegression(t *testing.T) {
 //	var retryTimes = 120
 //