Commit d97846a4 authored by Pierre Smeyers

Merge branch '85-aws-codeartifact-variant' into 'master'

feat: aws codeartifact variant

Closes #85

See merge request to-be-continuous/python!126
parents 78b1210f 128fb995
+69 −0
@@ -575,3 +575,72 @@ include:
      gcp-oidc-provider: "projects/<gcp_nonprod_proj_id>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>"
      gcp-oidc-account: "<name>@$<gcp_nonprod_proj_id>.iam.gserviceaccount.com"
```

### AWS CodeArtifact variant

This variant allows to use PyPi packages from AWS CodeArtifact. The variant follow the recommendation [Authenticate for using client libraries](https://docs.aws.amazon.com/codeartifact/latest/ug/python-configure.html) 

It authenticates with AWS CodeArtifact, retrieves and sets the following environment variable:

- `CODEARTIFACT_AUTH_TOKEN` - the AWS CodeArtifact authentication token
- `CODEARTIFACT_REPOSITORY_ENDPOINT` - the AWS CodeArtifact repository endpoint
- `CODEARTIFACT_URL` - Formatted URL for the AWS CodeArtifact repository

Most importantly, the variant sets the `pip global.index-url` to the CodeArtifact url.

The variant supports two authentication methods:

1. [federated authentication using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) (**recommended method**),
2. or basic authentication with AWS access key ID & secret access key.

:warning: when using this variant, you must have created the CodeArtifact repository.

#### Configuration

The variant *requires* the additional configuration parameters:

| Input / Variable                              | Description                                                                                                           | Default value                                                         |
| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
| `TBC_AWS_PROVIDER_IMAGE`                      | The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest` |
| `aws-region` / `AWS_REGION`                   | Default region (where the Codeartifact repository is located)                                                         | _none_                                                                |
| `aws-codeartifact-domain` / `AWS_CODEARTIFACT_DOMAIN` | The CodeArtifact domain name                                                                                       | _none_                                                                |
| `aws-codeartifact-domain-owner` / `AWS_CODEARTIFACT_DOMAIN_OWNER` | The CodeArtifact domain owner account ID                                                                      | _none_                                                                |
| `aws-codeartifact-repository` / `AWS_CODEARTIFACT_REPOSITORY` | The CodeArtifact repository name                                                                                 | _none_                                                                |

##### OIDC authentication config

This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
then set the required configuration.

| Input / Variable                                            | Description                                                                                    | Default value    |
| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ---------------- |
| `aws-oidc-aud` / `AWS_OIDC_AUD`                             | The `aud` claim for the JWT token                                                              | `$CI_SERVER_URL` |
| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN`                   | Default IAM Role ARN associated with GitLab                                                    | _none_           |

##### Basic authentication config

| Variable                                | Description                                                                  | Default value     |
| --------------------------------------- | ---------------------------------------------------------------------------- | ----------------- |
| :lock: `AWS_ACCESS_KEY_ID`              | Default access key ID                                                        | _none_ (disabled) |
| :lock: `AWS_SECRET_ACCESS_KEY`          | Default secret access key                                                    | _none_ (disabled) |


#### Example

```yaml
include:
  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.3.2
    # 2: set/override component inputs
    inputs:
      image: registry.hub.docker.com/library/python:3.12-slim
      pytest-enabled: true

  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python-aws-ca@7.3.2
    inputs:
      aws-region: "us-east-1"
      aws-codeartifact-domain: "acme"
      aws-codeartifact-domain-owner: "123456789012"
      aws-codeartifact-repository: "my-repo"
      # common OIDC config for non-prod envs
      aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci"
```
 No newline at end of file
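Review bot: the intro of the "AWS CodeArtifact variant" section has grammar slips and a sentence that never ends, and the variable list never states that `CODEARTIFACT_URL` embeds the auth token. Suggest "This variant allows using PyPI packages from AWS CodeArtifact. It follows the recommendation in [Authenticate for using client libraries](https://docs.aws.amazon.com/codeartifact/latest/ug/python-configure.html)." and, under `CODEARTIFACT_URL`, a note that the URL carries the token as basic-auth credentials (the template builds `https://aws:${CODEARTIFACT_AUTH_TOKEN}@...`), so it is written into the pip config of the job container and must not be echoed, cached or exported as an artifact. Minor: "Codeartifact" in the `aws-region` row and "CodeArtifact url" in the pip sentence should use the product casing consistently, and "carefuly" in the OIDC subsection is a typo.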
+55 −0
@@ -348,6 +348,61 @@
          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
        }
      ]
    },
    {
      "id": "aws-codeartifact",
      "name": "AWS CodeArtifact",
      "description": "Retrieves AWS CodeArtifact credentials",
      "template_path": "templates/gitlab-ci-python-aws-codeartifact.yml",
      "variables": [
        {
          "name": "TBC_AWS_PROVIDER_IMAGE",
          "description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use",
          "default": "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest",
          "advanced": true
        },
        {
          "name": "AWS_REGION",
          "description": "Default region (where the codeartifact repository is located)"
        },
        {
          "name": "AWS_OIDC_AUD",
          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
        {
          "name": "AWS_OIDC_ROLE_ARN",
          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"
        },
        {
          "name": "AWS_ACCESS_KEY_ID",
          "description": "Default access key ID (only required for basic authentication)",
          "secret": true,
          "advanced": true
        },
        {
          "name": "AWS_SECRET_ACCESS_KEY",
          "description": "Default secret access key (only required for basic authentication)",
          "secret": true,
          "advanced": true
        },
        {
          "name": "AWS_CODEARTIFACT_DOMAIN",
          "description": "The AWS CodeArtifact domain",
          "mandatory": true
        },
        {
          "name": "AWS_CODEARTIFACT_DOMAIN_OWNER",
          "description": "The AWS CodeArtifact domain owner",
          "mandatory": true
        },
        {
          "name": "AWS_CODEARTIFACT_REPOSITORY",
          "description": "The AWS CodeArtifact repository",
          "mandatory": true
        }
      ]
    }
  ]
}
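Review bot: `AWS_REGION` is listed as a required parameter in the README configuration table but is not flagged `"mandatory": true` here, unlike the three `AWS_CODEARTIFACT_*` entries; either add `"mandatory": true` to the `AWS_REGION` entry or relax the README. The descriptions also drift from the template spec: `AWS_CODEARTIFACT_DOMAIN` is described there as the "domain name" and `AWS_CODEARTIFACT_DOMAIN_OWNER` as the "domain owner account ID", so "The AWS CodeArtifact domain owner" here should say it expects an account ID, and "codeartifact" in the `AWS_REGION` description should match the product casing used elsewhere.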
+60 −0
# =====================================================================================================================
# === AWS CodeArtifact Auth template variant
# =====================================================================================================================
spec:
  inputs:
    aws-codeartifact-domain:
      description: AWS CodeArtifact domain name
      default: ''
    aws-codeartifact-domain-owner:
      description: AWS CodeArtifact domain owner account ID
      default: ''
    aws-codeartifact-repository:
      description: AWS CodeArtifact repository name
      default: ''
    aws-region:
      description: Default region (where the Codeartifact registry is located)
      default: ''
    aws-oidc-aud:
      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
      default: $CI_SERVER_URL
    aws-oidc-role-arn:
      description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
        authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
      default: ''
---
variables:
  TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest
  AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
  AWS_REGION: $[[ inputs.aws-region ]]
  AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
  AWS_CODEARTIFACT_DOMAIN: $[[ inputs.aws-codeartifact-domain ]]
  AWS_CODEARTIFACT_DOMAIN_OWNER: $[[ inputs.aws-codeartifact-domain-owner ]]
  AWS_CODEARTIFACT_REPOSITORY: $[[ inputs.aws-codeartifact-repository ]]


.codeartifact-pip-config:
  before_script:
    - CODEARTIFACT_URL=https://aws:${CODEARTIFACT_AUTH_TOKEN}@${CODEARTIFACT_REPOSITORY_ENDPOINT#https://}simple
    - pip config set global.index-url $CODEARTIFACT_URL

.python-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
      command: ["--service", "python", "7.3.0"]
    - name: "$TBC_AWS_PROVIDER_IMAGE"
      alias: "aws-auth-provider"
  id_tokens:
    # required for OIDC auth
    AWS_JWT:
      aud: "$AWS_OIDC_AUD"
  variables:
    CODEARTIFACT_AUTH_TOKEN: "@url@http://aws-auth-provider/codeartifact/auth/token"
    CODEARTIFACT_REPOSITORY_ENDPOINT: "@url@http://aws-auth-provider/codeartifact/repository/endpoint?format=pypi"
    AWS_JWT: "$AWS_JWT"
  before_script:
    - !reference [.codeartifact-pip-config:]
    - !reference [.python-scripts]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - cd ${PYTHON_PROJECT_DIR}
    - guess_build_system
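Review bot: `!reference [.codeartifact-pip-config:]` in `.python-base.before_script` carries a stray colon, so it either parses as a one-entry mapping inside the flow sequence or names a key that does not exist; it also targets the hidden job rather than its `before_script` list. It should read `!reference [.codeartifact-pip-config, before_script]` so the two pip commands are actually inlined (compare `!reference [.python-scripts]` just below, which points at a plain list). Two smaller points in the same hunk: `${CODEARTIFACT_REPOSITORY_ENDPOINT#https://}simple` appends `simple` with no separator and so relies on the endpoint value ending in `/`, and `pip config set global.index-url $CODEARTIFACT_URL` runs unconditionally, so if `CODEARTIFACT_AUTH_TOKEN` resolves empty the job silently sets `https://aws:@.../simple` as the global index; a non-empty check before the `pip config set` line would fail fast instead. The `aws-region` input description says "registry" where the README and the other inputs say "repository".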