From 128fb9950c1354c211abe17d5cba19d75dd66ecc Mon Sep 17 00:00:00 2001 From: Eytan Dahan <eytan@captain-eye.com> Date: Fri, 8 Nov 2024 20:28:23 +0000 Subject: [PATCH] feat: add AWS CodeArtifact support (variant) --- README.md | 69 +++++++++++++++++++ kicker.json | 55 +++++++++++++++ .../gitlab-ci-python-aws-codeartifact.yml | 60 ++++++++++++++++ 3 files changed, 184 insertions(+) create mode 100644 templates/gitlab-ci-python-aws-codeartifact.yml diff --git a/README.md b/README.md index 4af1d89..325ff9b 100644 --- a/README.md +++ b/README.md @@ -575,3 +575,72 @@ include: gcp-oidc-provider: "projects/<gcp_nonprod_proj_id>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>" gcp-oidc-account: "<name>@$<gcp_nonprod_proj_id>.iam.gserviceaccount.com" ``` + +### AWS CodeArtifact variant + +This variant allows to use PyPi packages from AWS CodeArtifact. The variant follow the recommendation [Authenticate for using client libraries](https://docs.aws.amazon.com/codeartifact/latest/ug/python-configure.html) + +It authenticates with AWS CodeArtifact, retrieves and sets the following environment variable: + +- `CODEARTIFACT_AUTH_TOKEN` - the AWS CodeArtifact authentication token +- `CODEARTIFACT_REPOSITORY_ENDPOINT` - the AWS CodeArtifact repository endpoint +- `CODEARTIFACT_URL` - Formatted URL for the AWS CodeArtifact repository + +Most importantly, the variant sets the `pip global.index-url` to the CodeArtifact url. + +The variant supports two authentication methods: + +1. [federated authentication using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) (**recommended method**), +2. or basic authentication with AWS access key ID & secret access key. + +:warning: when using this variant, you must have created the CodeArtifact repository. + +#### Configuration + +The variant *requires* the additional configuration parameters: + +| Input / Variable | Description | Default value | +| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | +| `TBC_AWS_PROVIDER_IMAGE` | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest` | +| `aws-region` / `AWS_REGION` | Default region (where the Codeartifact repository is located) | _none_ | +| `aws-codeartifact-domain` / `AWS_CODEARTIFACT_DOMAIN` | The CodeArtifact domain name | _none_ | +| `aws-codeartifact-domain-owner` / `AWS_CODEARTIFACT_DOMAIN_OWNER` | The CodeArtifact domain owner account ID | _none_ | +| `aws-codeartifact-repository` / `AWS_CODEARTIFACT_REPOSITORY` | The CodeArtifact repository name | _none_ | + +##### OIDC authentication config + +This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/), +then set the required configuration. + +| Input / Variable | Description | Default value | +| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ---------------- | +| `aws-oidc-aud` / `AWS_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` | +| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab | _none_ | + +##### Basic authentication config + +| Variable | Description | Default value | +| --------------------------------------- | ---------------------------------------------------------------------------- | ----------------- | +| :lock: `AWS_ACCESS_KEY_ID` | Default access key ID | _none_ (disabled) | +| :lock: `AWS_SECRET_ACCESS_KEY` | Default secret access key | _none_ (disabled) | + + +#### Example + +```yaml +include: + - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.3.2 + # 2: set/override component inputs + inputs: + image: registry.hub.docker.com/library/python:3.12-slim + pytest-enabled: true + + - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python-aws-ca@7.3.2 + inputs: + aws-region: "us-east-1" + aws-codeartifact-domain: "acme" + aws-codeartifact-domain-owner: "123456789012" + aws-codeartifact-repository: "my-repo" + # common OIDC config for non-prod envs + aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci" +``` \ No newline at end of file diff --git a/kicker.json b/kicker.json index c6110d1..4f55200 100644 --- a/kicker.json +++ b/kicker.json @@ -348,6 +348,61 @@ "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)" } ] + }, + { + "id": "aws-codeartifact", + "name": "AWS CodeArtifact", + "description": "Retrieves AWS CodeArtifact credentials", + "template_path": "templates/gitlab-ci-python-aws-codeartifact.yml", + "variables": [ + { + "name": "TBC_AWS_PROVIDER_IMAGE", + "description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use", + "default": "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest", + "advanced": true + }, + { + "name": "AWS_REGION", + "description": "Default region (where the codeartifact repository is located)" + }, + { + "name": "AWS_OIDC_AUD", + "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_", + "default": "$CI_SERVER_URL", + "advanced": true + }, + { + "name": "AWS_OIDC_ROLE_ARN", + "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_" + }, + { + "name": "AWS_ACCESS_KEY_ID", + "description": "Default access key ID (only required for basic authentication)", + "secret": true, + "advanced": true + }, + { + "name": "AWS_SECRET_ACCESS_KEY", + "description": "Default secret access key (only required for basic authentication)", + "secret": true, + "advanced": true + }, + { + "name": "AWS_CODEARTIFACT_DOMAIN", + "description": "The AWS CodeArtifact domain", + "mandatory": true + }, + { + "name": "AWS_CODEARTIFACT_DOMAIN_OWNER", + "description": "The AWS CodeArtifact domain owner", + "mandatory": true + }, + { + "name": "AWS_CODEARTIFACT_REPOSITORY", + "description": "The AWS CodeArtifact repository", + "mandatory": true + } + ] } ] } diff --git a/templates/gitlab-ci-python-aws-codeartifact.yml b/templates/gitlab-ci-python-aws-codeartifact.yml new file mode 100644 index 0000000..f95fd93 --- /dev/null +++ b/templates/gitlab-ci-python-aws-codeartifact.yml @@ -0,0 +1,60 @@ +# ===================================================================================================================== +# === AWS CodeArtifact Auth template variant +# ===================================================================================================================== +spec: + inputs: + aws-codeartifact-domain: + description: AWS CodeArtifact domain name + default: '' + aws-codeartifact-domain-owner: + description: AWS CodeArtifact domain owner account ID + default: '' + aws-codeartifact-repository: + description: AWS CodeArtifact repository name + default: '' + aws-region: + description: Default region (where the Codeartifact registry is located) + default: '' + aws-oidc-aud: + description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_ + default: $CI_SERVER_URL + aws-oidc-role-arn: + description: Default IAM Role ARN associated with GitLab _(only required for [OIDC + authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_ + default: '' +--- +variables: + TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest + AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]] + AWS_REGION: $[[ inputs.aws-region ]] + AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]] + AWS_CODEARTIFACT_DOMAIN: $[[ inputs.aws-codeartifact-domain ]] + AWS_CODEARTIFACT_DOMAIN_OWNER: $[[ inputs.aws-codeartifact-domain-owner ]] + AWS_CODEARTIFACT_REPOSITORY: $[[ inputs.aws-codeartifact-repository ]] + + +.codeartifact-pip-config: + before_script: + - CODEARTIFACT_URL=https://aws:${CODEARTIFACT_AUTH_TOKEN}@${CODEARTIFACT_REPOSITORY_ENDPOINT#https://}simple + - pip config set global.index-url $CODEARTIFACT_URL + +.python-base: + services: + - name: "$TBC_TRACKING_IMAGE" + command: ["--service", "python", "7.3.0"] + - name: "$TBC_AWS_PROVIDER_IMAGE" + alias: "aws-auth-provider" + id_tokens: + # required for OIDC auth + AWS_JWT: + aud: "$AWS_OIDC_AUD" + variables: + CODEARTIFACT_AUTH_TOKEN: "@url@http://aws-auth-provider/codeartifact/auth/token" + CODEARTIFACT_REPOSITORY_ENDPOINT: "@url@http://aws-auth-provider/codeartifact/repository/endpoint?format=pypi" + AWS_JWT: "$AWS_JWT" + before_script: + - !reference [.codeartifact-pip-config:] + - !reference [.python-scripts] + - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}" + - cd ${PYTHON_PROJECT_DIR} + - guess_build_system -- GitLab