From edffb778238c9deb3151ea69ea2acb816d2b141d Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Mon, 1 Mar 2021 08:27:45 -0600
Subject: [PATCH] feat(ldap): adds LDAP group to project membership

This adds LDAP group as member to the respective harbor project in the jarvis-projects chart.

Signed-off-by: Tin Lam
Change-Id: Icb50ccb2d3bb82dd630c87c372caadf04730a536
---
 .../jarvis-project/templates/Job-project.yaml | 34 +++++++++++++++++--
 .../templates/Secret-project.yaml | 4 ++-
 charts/jarvis-project/values.yaml | 4 ++-
 .../gate/jarvis/800-deploy-jarvis-projects.sh | 28 ++++++++++-----
 4 files changed, 58 insertions(+), 12 deletions(-)

diff --git a/charts/jarvis-project/templates/Job-project.yaml b/charts/jarvis-project/templates/Job-project.yaml
index b1fd4b50..ebbb38ef 100644
--- a/charts/jarvis-project/templates/Job-project.yaml
+++ b/charts/jarvis-project/templates/Job-project.yaml
@@ -36,6 +36,16 @@ spec:
 value: "https://{{ .Values.params.gerrit.host }}"
 - name: HARBOR_URL
 value: "https://{{ .Values.params.harbor.host }}"
+ - name: PROJECT_LDAP_DN
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "helpers.labels.fullname" . }}
+ key: harbor-project-ldap-dn
+ - name: STAGING_LDAP_DN
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "helpers.labels.fullname" . }}
+ key: harbor-staging-ldap-dn
 command:
 - sh
 - -cex
@@ -78,10 +88,30 @@ spec: esac done } + add_ldap_member_to_project(){ + project_name=$1 + ldap_dn=$2 + project_json=$(curl -sSL --netrc-file /run/jarvis/harbor-netrc/harbor-netrc -X GET \ + -H "Accept: application/json" \ + ${HARBOR_URL}/api/v2.0/projects?name=${project_name}) + project_id=$(echo $project_json | grep -o '"project_id":[[:digit:]]*' | head -1 | awk -F':' '{print $2}') + + curl -sSL -D - --netrc-file /run/jarvis/harbor-netrc/harbor-netrc -X POST \ + -H "Content-Type: application/json" \ + --data-raw '{ + "role_id": 2, + "member_group": { + "group_name": "'${project_name}'-users-group", + "ldap_group_dn": "'${ldap_dn}'", + "group_type": 1 + } + }' ${HARBOR_URL}/api/v2.0/projects/${project_id}/members + } + # Add project and staging project in harbor project_in_harbor "${JARVIS_PROJECT_NAME}" "${JARVIS_PROJECT_NAME}-staging" - - + add_ldap_member_to_project "${JARVIS_PROJECT_NAME}" "${PROJECT_LDAP_DN}" + add_ldap_member_to_project "${JARVIS_PROJECT_NAME}-staging" "${STAGING_LDAP_DN}" volumeMounts: - name: gerrit-creds mountPath: /run/jarvis/gerrit-authfile diff --git a/charts/jarvis-project/templates/Secret-project.yaml b/charts/jarvis-project/templates/Secret-project.yaml index 7221b119..23545ecb 100644 --- a/charts/jarvis-project/templates/Secret-project.yaml +++ b/charts/jarvis-project/templates/Secret-project.yaml 
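Review bot: In `add_ldap_member_to_project`, `project_id` is taken from the first `"project_id"` in the list response (`head -1`), so if Harbor's `name` filter returns more than one project (it looks like a substring match, in which case a query for `X` also returns `X-staging`) the group can be added as a member of the wrong project. Nothing checks that `project_id` is non-empty and the lookup curl has no `-f`, so a failed lookup still proceeds to a POST against `/projects//members` without failing the job. `${project_name}` and `${ldap_dn}` are expanded unquoted between the single-quoted JSON pieces, so a DN containing a space is split into extra curl arguments and one containing `"` alters the JSON, and with the chart default of `""` (values.yaml hunk) the request is sent with an empty `ldap_group_dn`. The sketch below covers the empty and unquoted cases; picking the entry whose `name` equals `${project_name}` exactly still needs a JSON-aware filter rather than `grep | head -1`.

```yaml
add_ldap_member_to_project(){
  # … unchanged: project_name / ldap_dn assignment …
  # No group DN configured for this project: skip rather than POST "".
  [ -n "${ldap_dn}" ] || return 0
  project_json=$(curl -fsSL --netrc-file /run/jarvis/harbor-netrc/harbor-netrc -X GET \
    -H "Accept: application/json" \
    "${HARBOR_URL}/api/v2.0/projects?name=${project_name}")
  # … unchanged: project_id extraction …
  # Refuse to POST to .../projects//members when the lookup found nothing.
  [ -n "${project_id}" ] || { echo "harbor project ${project_name} not found" >&2; return 1; }
  # … unchanged: POST curl options, role_id, member_group opening …
      "group_name": "'"${project_name}"'-users-group",
      "ldap_group_dn": "'"${ldap_dn}"'",
  # … unchanged: group_type, closing braces …
  }' "${HARBOR_URL}/api/v2.0/projects/${project_id}/members"
```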
@@ -9,6 +9,8 @@ data:
 gerrit-username: "{{ b64enc .Values.params.gerrit.user }}"
 gerrit-authfile: "{{ b64enc ( printf "%s:%s" .Values.params.gerrit.user .Values.params.gerrit.password ) }}"
 gerrit-ssh-key: "{{ b64enc ( .Values.params.gerrit.ssh_key ) }}"
+ harbor-project-ldap-dn: "{{ b64enc ( .Values.params.harbor.member_ldap_dn.project ) }}"
+ harbor-staging-ldap-dn: "{{ b64enc ( .Values.params.harbor.member_ldap_dn.staging ) }}"
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Secret-project" ) }}
\ No newline at end of file
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Secret-project" ) }}
diff --git a/charts/jarvis-project/values.yaml b/charts/jarvis-project/values.yaml
index 4d9c9f17..dc98e7f8 100644
--- a/charts/jarvis-project/values.yaml
+++ b/charts/jarvis-project/values.yaml
@@ -26,6 +26,9 @@ params:
 host: gerrit.jarvis.local
 harbor:
 host: harbor-core.jarvis.local
+ member_ldap_dn:
+ project: ""
+ staging: ""
 endpoints:
 hostname: localhost
 tls:
@@ -40,4 +43,3 @@ config:
 test:
 ldap_username: jarvis
 ldap_password: password
-
diff --git a/tools/gate/jarvis/800-deploy-jarvis-projects.sh b/tools/gate/jarvis/800-deploy-jarvis-projects.sh
index bad87732..b84c9232 100755
--- a/tools/gate/jarvis/800-deploy-jarvis-projects.sh
+++ b/tools/gate/jarvis/800-deploy-jarvis-projects.sh
@@ -27,16 +27,28 @@ for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth
 voting_ci="false"
 fi
+ project_override=$(mktemp --suffix=.yaml)
+ tee ${project_override} <