Private Helm Git Repo Repository Support

This PR adds the ability to specify an environment variable
`accessTokenVariable` per service tracked in `bedrock.yaml`. This env variable
will automatically be injected into `access.yaml` as a the holder of a PAT to
use while cloning the value specified in `--helm-config-git` in `hld reconcile`.

closes microsoft/bedrock#914

Author: evanlouie

guides/auth-private-helm-repos.md

@@ -0,0 +1,82 @@
+# Private Helm/Git Repositories -- Authorization/PAT For HLD to Materialized Pipeline
+
+An operator may want to store their Helm charts in a different repository than
+their application code. In this scenario, the operators Helm chart git
+repository will most likely be private; making the ability to clone it in the
+HLD-to-Materialized pipeline an issue. To facilitate the ability to clone the
+Helm chart repository, we can piggy back off the ability for
+[Fabrikate to consume env variables consuming personal access tokens (PATs)](https://github.com/microsoft/fabrikate/blob/master/docs/auth.md).
+
+## Utilizing The Default PAT (ACCESS_TOKEN_SECRET)
+
+By default, all services created via `spk service create` with the the
+`--helm-config-*` family of options will be setup to consume the environment
+variable `ACCESS_TOKEN_SECRET` -- The PAT used to clone the application
+repository in the HLD-to-Materialized pipeline. So if the PAT used to setup your
+HLD-to-Materialized pipeline has full read access to the Azure DevOps
+organizations your Helm git repositories are stored, the pipeline is all set to
+clone the Helm charts by default.
+
+## Making The Pipeline Aware of Custom Environment Variables
+
+In order to tell the pipeline that it needs to utilize a PAT stored in a user
+defined environment variable in the HLD-to-Materialized pipeline, the
+environment variable name -- not the PAT itself -- needs to be tracked in the
+`bedrock.yaml`. This environment variable will be used to clone the `https` git
+URI for the Helm chart git repository.
+
+Visit https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables
+for more information on how to add a variables to your pipeline.
+
+### Setting Up At Service Create Time
+
+If you already have a environment variable name in mind you want to consume or
+already have it available in your pipeline before you create your service, you
+can make it aware of it via the `--helm-config-access-token-variable` flag in
+the `spk service create` command.
+
+```sh
+spk service create my-service \
+  --helm-config-git https://dev.azure.com/my-org/my-project/_git/my-repo \
+  --helm-config-branch master \
+  --helm-config-path my-service-helm-chart \
+  --helm-config-access-token-variable MY_ENV_VAR
+```
+
+**Note**: it is important that the git URI you pass is an `https` URI and does
+NOT contain a username in it. By default, the clone URIs that the Azure DevOps
+creates presents in the UI contain your username in them (eg.
+`https://<my-username>@dev.azure.com/my-org/my-project/_git/my-repo`). Fabrikate
+will not inject the PAT if the username is there as the value contained in place
+of the username can be a PAT itself.
+
+`MY_ENV_VAR` will be tracked in the service definition in your `bedrock.yaml`:
+
+```yaml
+rings:
+  master:
+    isDefault: true
+services:
+  ./my-service:
+    displayName: ""
+    helm:
+      chart:
+        accessTokenVariable: MY_ENV_VAR # Note: this is where the environment variable gets tracked
+        branch: master
+        git: "https://dev.azure.com/my-org/my-project/_git/my-repo" # Note: it is important that the HTTPS URI does NOT contain your username
+        path: my-service-helm-chart
+    k8sBackend: ""
+    k8sBackendPort: 80
+    middlewares: []
+    pathPrefix: ""
+    pathPrefixMajorVersion: ""
+variableGroups:
+  - my-var-group
+```
+
+### Updating/Changing The Environment Variable
+
+If you want to change the the environment variable used after creating your
+service, simply change the value of `accessTokenVariable` in your `bedrock.yaml`
+to the target environment variable (and ensure that the environment variable
+exists in your HLD-to-Materialized pipeline).

src/commands/hld/reconcile.test.ts

@@ -1,6 +1,7 @@
+import path from "path";
 import { create as createBedrockYaml } from "../../lib/bedrockYaml";
 import { disableVerboseLogging, enableVerboseLogging } from "../../logger";
-
+import { IBedrockFile, IBedrockServiceConfig } from "../../types";
 import {
   addChartToRing,
   checkForFabrikate,
@@ -21,8 +22,6 @@ import {
 } from "./reconcile";
 import * as reconcile from "./reconcile";
 
-import { IBedrockFile, IBedrockServiceConfig } from "../../types";
-
 beforeAll(() => {
   enableVerboseLogging();
 });
@@ -270,21 +269,22 @@ describe("addChartToRing", () => {
 
     const branch = "v1";
     const git = "github.com/company/service";
-    const path = "/charts/service";
+    const chartPath = "/charts/service";
 
     const serviceConfig: IBedrockServiceConfig = {
       helm: {
         chart: {
           branch,
           git,
-          path
+          path: chartPath
         }
       },
       k8sBackendPort: 1337
     };
 
     /* tslint:disable-next-line: no-string-literal */
-    const addHelmChartCommand = `fab add chart --source ${git} --path ${path} --branch ${branch} --type helm`;
+    const addHelmChartCommand = `fab add chart --source ${git} --path ${chartPath} --branch ${branch} --type helm`;
+
     const expectedInvocation = `cd ${ringPath} && ${addHelmChartCommand}`;
 
     await addChartToRing(exec, ringPath, serviceConfig);
@@ -298,21 +298,22 @@ describe("addChartToRing", () => {
 
     const sha = "f8a33e1d";
     const git = "github.com/company/service";
-    const path = "/charts/service";
+    const chartPath = "/charts/service";
 
     const serviceConfig: IBedrockServiceConfig = {
       helm: {
         chart: {
           git,
-          path,
+          path: chartPath,
           sha
         }
       },
       k8sBackendPort: 1337
     };
 
     /* tslint:disable-next-line: no-string-literal */
-    const addHelmChartCommand = `fab add chart --source ${git} --path ${path} --version ${sha} --type helm`;
+    const addHelmChartCommand = `fab add chart --source ${git} --path ${chartPath} --version ${sha} --type helm`;
+
     const expectedInvocation = `cd ${ringPath} && ${addHelmChartCommand}`;
 
     await addChartToRing(exec, ringPath, serviceConfig);
@@ -425,8 +426,8 @@ describe("reconcile tests", () => {
   let bedrockYaml: IBedrockFile;
   const sha = "f8a33e1d";
   const git = "github.com/company/service";
-  const path = "/charts/service";
-
+  const pathToChart = "/charts/service";
+  const accessTokenVariable = "SECRET_TOKEN";
   beforeEach(() => {
     dependencies = {
       addChartToRing: jest.fn().mockReturnValue(Promise.resolve({})),
@@ -452,12 +453,13 @@ describe("reconcile tests", () => {
         prod: {}
       },
       services: {
-        "./path/to/svc/": {
+        "./path/to/a/svc/": {
           disableRouteScaffold: false,
           helm: {
             chart: {
+              accessTokenVariable,
               git,
-              path,
+              path: pathToChart,
               sha
             }
           },
@@ -486,6 +488,12 @@ describe("reconcile tests", () => {
     expect(dependencies.createStaticComponent).toHaveBeenCalledTimes(2);
     expect(dependencies.createMiddlewareForRing).toHaveBeenCalledTimes(2);
     expect(dependencies.createIngressRouteForRing).toHaveBeenCalledTimes(2);
+    expect(dependencies.generateAccessYaml).toHaveBeenCalledTimes(1);
+    expect(dependencies.generateAccessYaml).toBeCalledWith(
+      "path/to/hld/service",
+      git,
+      accessTokenVariable
+    );
   });
 
   it("should be able to create a HLD without rings, when no rings are provided", async () => {
@@ -519,7 +527,7 @@ describe("reconcile tests", () => {
           helm: {
             chart: {
               git,
-              path,
+              path: pathToChart,
               sha
             }
           },
@@ -597,7 +605,7 @@ describe("reconcile tests", () => {
         helm: {
           chart: {
             git,
-            path,
+            path: pathToChart,
             sha
           }
         },
@@ -626,7 +634,7 @@ describe("reconcile tests", () => {
         helm: {
           chart: {
             git,
-            path,
+            path: pathToChart,
             sha
           }
         },
@@ -659,7 +667,7 @@ describe("reconcile tests", () => {
         helm: {
           chart: {
             git,
-            path,
+            path: pathToChart,
             sha
           }
         },
@@ -681,6 +689,43 @@ describe("reconcile tests", () => {
       (dependencies.createServiceComponent as jest.Mock).mock.calls[0][2]
     ).toBe(displayName);
   });
+
+  it("properly updates access.yaml", async () => {
+    const anotherGit = "github.com/foobar/baz";
+    const anotherToken = "MY_FANCY_ENV_VAR";
+    bedrockYaml.services["another/service"] = {
+      disableRouteScaffold: false,
+      helm: {
+        chart: {
+          accessTokenVariable: anotherToken,
+          git: anotherGit,
+          path: "path/to/chart",
+          sha: "12345"
+        }
+      },
+      k8sBackendPort: 8888
+    };
+    const pathToHLD = "./the/path/to/hld";
+    const service = "service";
+    await reconcileHld(
+      dependencies,
+      bedrockYaml,
+      service,
+      pathToHLD,
+      "./path/to/app"
+    );
+    expect(dependencies.generateAccessYaml).toHaveBeenCalledTimes(2);
+    expect(dependencies.generateAccessYaml).toHaveBeenCalledWith(
+      path.join(pathToHLD, service),
+      git,
+      accessTokenVariable
+    );
+    expect(dependencies.generateAccessYaml).toHaveBeenCalledWith(
+      path.join(pathToHLD, service),
+      anotherGit,
+      anotherToken
+    );
+  });
 });
 
 describe("normalizedName", () => {