feat(ldap): adds LDAP group to project membership

This adds LDAP group as member to the respective harbor project in the
jarvis-projects chart.

Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: Icb50ccb2d3bb82dd630c87c372caadf04730a536

charts/jarvis-project/templates/Job-project.yaml

@@ -36,6 +36,16 @@ spec:
               value: "https://{{ .Values.params.gerrit.host }}"
             - name: HARBOR_URL
               value: "https://{{ .Values.params.harbor.host }}"
+            - name: PROJECT_LDAP_DN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "helpers.labels.fullname" . }}
+                  key: harbor-project-ldap-dn
+            - name: STAGING_LDAP_DN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "helpers.labels.fullname" . }}
+                  key: harbor-staging-ldap-dn
           command:
             - sh
             - -cex
@@ -78,10 +88,30 @@ spec:
                   esac
                 done
               }
+              add_ldap_member_to_project(){
+                project_name=$1
+                ldap_dn=$2
+                project_json=$(curl -sSL --netrc-file /run/jarvis/harbor-netrc/harbor-netrc -X GET \
+                  -H "Accept: application/json" \
+                  ${HARBOR_URL}/api/v2.0/projects?name=${project_name})
+                project_id=$(echo $project_json | grep -o '"project_id":[[:digit:]]*' | head -1 | awk -F':' '{print $2}')
+
+                curl -sSL -D - --netrc-file /run/jarvis/harbor-netrc/harbor-netrc -X POST \
+                  -H "Content-Type: application/json" \
+                  --data-raw '{
+                    "role_id": 2,
+                    "member_group": {
+                      "group_name": "'${project_name}'-users-group",
+                      "ldap_group_dn": "'${ldap_dn}'",
+                      "group_type": 1
+                    }
+                  }' ${HARBOR_URL}/api/v2.0/projects/${project_id}/members
+              }
+
               # Add project and staging project in harbor
               project_in_harbor "${JARVIS_PROJECT_NAME}" "${JARVIS_PROJECT_NAME}-staging"
-
+              add_ldap_member_to_project "${JARVIS_PROJECT_NAME}" "${PROJECT_LDAP_DN}"
-
+              add_ldap_member_to_project "${JARVIS_PROJECT_NAME}-staging" "${STAGING_LDAP_DN}"
           volumeMounts:
             - name: gerrit-creds
               mountPath: /run/jarvis/gerrit-authfile

charts/jarvis-project/templates/Secret-project.yaml

@@ -9,6 +9,8 @@ data:
   gerrit-username: "{{ b64enc .Values.params.gerrit.user }}"
   gerrit-authfile: "{{ b64enc ( printf "%s:%s" .Values.params.gerrit.user .Values.params.gerrit.password ) }}"
   gerrit-ssh-key: "{{ b64enc ( .Values.params.gerrit.ssh_key ) }}"
+  harbor-project-ldap-dn: "{{ b64enc ( .Values.params.harbor.member_ldap_dn.project ) }}"
+  harbor-staging-ldap-dn: "{{ b64enc ( .Values.params.harbor.member_ldap_dn.staging ) }}"
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Secret-project" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Secret-project" ) }}

charts/jarvis-project/values.yaml

@@ -26,6 +26,9 @@ params:
     host: gerrit.jarvis.local
   harbor:
     host: harbor-core.jarvis.local
+    member_ldap_dn:
+      project: ""
+      staging: ""
   endpoints:
     hostname: localhost
     tls:
@@ -40,4 +43,3 @@ config:
   test:
     ldap_username: jarvis
     ldap_password: password
-

tools/gate/jarvis/800-deploy-jarvis-projects.sh

@@ -27,16 +27,28 @@ for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth
     voting_ci="false"
   fi
 
+  project_override=$(mktemp --suffix=.yaml)
+  tee ${project_override} <<EOF
+config:
+  ci:
+    verify: ${voting_ci}
+params:
+  harbor:
+    member_ldap_dn:
+      project: cn=${jarvis_project}-harbor-users-group,ou=Groups,dc=jarvis,dc=local
+      staging: cn=${jarvis_project}-harbor-staging-users-group,ou=Groups,dc=jarvis,dc=local
+EOF
+
   # shellcheck disable=SC2046
   helm upgrade \
-      --create-namespace \
+    --create-namespace \
-      --install \
+    --install \
-      --namespace=jarvis-projects \
+    --namespace=jarvis-projects \
-      "${jarvis_project}" \
+    "${jarvis_project}" \
-      "./charts/jarvis-project" \
+    "./charts/jarvis-project" \
-      --values="${gerrit_creds_override}" \
+    --values="${gerrit_creds_override}" \
-      --set config.ci.verify="$voting_ci" \
+    --values="${project_override}" \
-      $(./tools/deployment/common/get-values-overrides.sh jarvis-project)
+    $(./tools/deployment/common/get-values-overrides.sh jarvis-project)
 
   ./tools/deployment/common/wait-for-pods.sh jarvis-projects