feat(CAS): AWS S3 blob storage support (#390)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/artifact-cas/cmd/main.go

@@ -25,8 +25,6 @@ import (
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/conf"
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/server"
 	backend "github.com/chainloop-dev/chainloop/internal/blobmanager"
-	"github.com/chainloop-dev/chainloop/internal/blobmanager/azureblob"
-	"github.com/chainloop-dev/chainloop/internal/blobmanager/oci"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	"github.com/chainloop-dev/chainloop/internal/credentials/manager"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
@@ -64,16 +62,6 @@ type app struct {
 	backend.Providers
 }
 
-func loadCASBackendProviders(creader credentials.Reader) backend.Providers {
-	// Initialize CAS backend providers
-	ociProvider := oci.NewBackendProvider(creader)
-	azureBlobProvider := azureblob.NewBackendProvider(creader)
-	return backend.Providers{
-		ociProvider.ID():       ociProvider,
-		azureBlobProvider.ID(): azureBlobProvider,
-	}
-}
-
 func newApp(logger log.Logger, gs *grpc.Server, hs *http.Server, ms *server.HTTPMetricsServer, providers backend.Providers) *app {
 	return &app{
 		kratos.New(

app/artifact-cas/cmd/wire.go

@@ -24,6 +24,7 @@ import (
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/conf"
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/server"
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/service"
+	"github.com/chainloop-dev/chainloop/internal/blobmanager/loader"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/google/wire"
@@ -35,7 +36,7 @@ func wireApp(*conf.Server, *conf.Auth, credentials.Reader, log.Logger) (*app, fu
 		wire.Build(
 			server.ProviderSet,
 			service.ProviderSet,
-			loadCASBackendProviders,
+			loader.LoadProviders,
 			newApp,
 			serviceOpts,
 		),

app/artifact-cas/cmd/wire_gen.go

@@ -41,7 +41,7 @@ func newCASBackendAddCmd() *cobra.Command {
 	cmd.PersistentFlags().Bool("default", false, "set the backend as default in your organization")
 	cmd.PersistentFlags().String("description", "", "descriptive information for this registration")
 
-	cmd.AddCommand(newCASBackendAddOCICmd(), newCASBackendAddAzureBlobStorageCmd())
+	cmd.AddCommand(newCASBackendAddOCICmd(), newCASBackendAddAzureBlobStorageCmd(), newCASBackendAddAWSS3Cmd())
 	return cmd
 }
 
@@ -54,7 +54,7 @@ func newCASBackendUpdateCmd() *cobra.Command {
 	cmd.PersistentFlags().Bool("default", false, "set the backend as default in your organization")
 	cmd.PersistentFlags().String("description", "", "descriptive information for this registration")
 
-	cmd.AddCommand(newCASBackendUpdateOCICmd(), newCASBackendUpdateInlineCmd(), newCASBackendUpdateAzureBlobCmd())
+	cmd.AddCommand(newCASBackendUpdateOCICmd(), newCASBackendUpdateInlineCmd(), newCASBackendUpdateAzureBlobCmd(), newCASBackendUpdateAWSS3Cmd())
 	return cmd
 }
 

app/cli/cmd/casbackend.go

@@ -0,0 +1,86 @@
+//
+// Copyright 2023 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"github.com/chainloop-dev/chainloop/app/cli/internal/action"
+	"github.com/chainloop-dev/chainloop/internal/blobmanager/s3"
+	"github.com/go-kratos/kratos/v2/log"
+	"github.com/spf13/cobra"
+)
+
+func newCASBackendAddAWSS3Cmd() *cobra.Command {
+	var bucketName, accessKeyID, secretAccessKey, region string
+	cmd := &cobra.Command{
+		Use:   "aws-s3",
+		Short: "Register a AWS S3 storage bucket",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			isDefault, err := cmd.Flags().GetBool("default")
+			cobra.CheckErr(err)
+
+			description, err := cmd.Flags().GetString("description")
+			cobra.CheckErr(err)
+
+			if isDefault {
+				if confirmed, err := confirmDefaultCASBackendOverride(actionOpts, ""); err != nil {
+					return err
+				} else if !confirmed {
+					log.Info("Aborting...")
+					return nil
+				}
+			}
+
+			opts := &action.NewCASBackendAddOpts{
+				Location:    bucketName,
+				Provider:    s3.ProviderID,
+				Description: description,
+				Credentials: map[string]any{
+					"accessKeyID":     accessKeyID,
+					"secretAccessKey": secretAccessKey,
+					"region":          region,
+				},
+				Default: isDefault,
+			}
+
+			res, err := action.NewCASBackendAdd(actionOpts).Run(opts)
+			if err != nil {
+				return err
+			} else if res == nil {
+				return nil
+			}
+
+			return encodeOutput([]*action.CASBackendItem{res}, casBackendListTableOutput)
+		},
+	}
+
+	cmd.Flags().StringVar(&bucketName, "bucket", "", "S3 bucket name")
+	err := cmd.MarkFlagRequired("bucket")
+	cobra.CheckErr(err)
+
+	cmd.Flags().StringVar(&accessKeyID, "access-key-id", "", "AWS Access Key ID")
+	err = cmd.MarkFlagRequired("access-key-id")
+	cobra.CheckErr(err)
+
+	cmd.Flags().StringVar(&secretAccessKey, "secret-access-key", "", "AWS Secret Access Key")
+	err = cmd.MarkFlagRequired("secret-access-key")
+	cobra.CheckErr(err)
+
+	cmd.Flags().StringVar(&region, "region", "", "AWS region for the bucket")
+	err = cmd.MarkFlagRequired("region")
+	cobra.CheckErr(err)
+
+	return cmd
+}

app/cli/cmd/casbackend_add_s3.go

@@ -0,0 +1,92 @@
+//
+// Copyright 2023 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"github.com/chainloop-dev/chainloop/app/cli/internal/action"
+	"github.com/go-kratos/kratos/v2/log"
+	"github.com/spf13/cobra"
+)
+
+func newCASBackendUpdateAWSS3Cmd() *cobra.Command {
+	var backendID, accessKeyID, secretAccessKey, region string
+	cmd := &cobra.Command{
+		Use:   "aws-s3",
+		Short: "Update a AWS S3 CAS Backend description, credentials or default status",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// If we are setting the default, we list existing CAS backends
+			// and ask the user to confirm the rewrite
+			isDefault, err := cmd.Flags().GetBool("default")
+			cobra.CheckErr(err)
+
+			description, err := cmd.Flags().GetString("description")
+			cobra.CheckErr(err)
+
+			// If we are overriding the default we ask for confirmation
+			if isDefault {
+				if confirmed, err := confirmDefaultCASBackendOverride(actionOpts, backendID); err != nil {
+					return err
+				} else if !confirmed {
+					log.Info("Aborting...")
+					return nil
+				}
+			} else {
+				// If we are removing the default we ask for confirmation too
+				if confirmed, err := confirmDefaultCASBackendUnset(backendID, "You are setting the default CAS backend to false", actionOpts); err != nil {
+					return err
+				} else if !confirmed {
+					log.Info("Aborting...")
+					return nil
+				}
+			}
+
+			opts := &action.NewCASBackendUpdateOpts{
+				ID:          backendID,
+				Description: description,
+				Credentials: map[string]any{
+					"accessKeyID":     accessKeyID,
+					"secretAccessKey": secretAccessKey,
+					"region":          region,
+				},
+				Default: isDefault,
+			}
+
+			// this means that we are not updating credentials
+			if accessKeyID == "" && secretAccessKey == "" && region == "" {
+				opts.Credentials = nil
+			}
+
+			res, err := action.NewCASBackendUpdate(actionOpts).Run(opts)
+			if err != nil {
+				return err
+			} else if res == nil {
+				return nil
+			}
+
+			return encodeOutput([]*action.CASBackendItem{res}, casBackendListTableOutput)
+		},
+	}
+
+	cmd.Flags().StringVar(&backendID, "id", "", "CAS Backend ID")
+	err := cmd.MarkFlagRequired("id")
+	cobra.CheckErr(err)
+
+	cmd.Flags().StringVar(&accessKeyID, "access-key-id", "", "AWS Access Key ID")
+	cmd.Flags().StringVar(&secretAccessKey, "secret-access-key", "", "AWS Secret Access Key")
+	cmd.Flags().StringVar(&region, "region", "", "AWS region for the bucket")
+
+	return cmd
+}

app/cli/cmd/casbackend_update_s3.go

@@ -28,9 +28,6 @@ import (
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/server"
 	"github.com/chainloop-dev/chainloop/app/controlplane/plugins"
 	"github.com/chainloop-dev/chainloop/app/controlplane/plugins/sdk/v1"
-	backends "github.com/chainloop-dev/chainloop/internal/blobmanager"
-	"github.com/chainloop-dev/chainloop/internal/blobmanager/azureblob"
-	"github.com/chainloop-dev/chainloop/internal/blobmanager/oci"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	"github.com/chainloop-dev/chainloop/internal/credentials/manager"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
@@ -171,16 +168,6 @@ func maskArgs(keyvals []interface{}) {
 	}
 }
 
-func loadCASBackendProviders(creader credentials.Reader) backends.Providers {
-	// Initialize CAS backend providers
-	ociProvider := oci.NewBackendProvider(creader)
-	azureBlobProvider := azureblob.NewBackendProvider(creader)
-	return backends.Providers{
-		ociProvider.ID():       ociProvider,
-		azureBlobProvider.ID(): azureBlobProvider,
-	}
-}
-
 func initSentry(c *conf.Bootstrap, logger log.Logger) (cleanupFunc func(), err error) {
 	cleanupFunc = func() {
 		sentry.Flush(2 * time.Second)

app/controlplane/cmd/main.go

@@ -28,6 +28,7 @@ import (
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/server"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/service"
 	"github.com/chainloop-dev/chainloop/app/controlplane/plugins/sdk/v1"
+	"github.com/chainloop-dev/chainloop/internal/blobmanager/loader"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/google/wire"
@@ -40,7 +41,7 @@ func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger, sdk.Availabl
 			server.ProviderSet,
 			data.ProviderSet,
 			biz.ProviderSet,
-			loadCASBackendProviders,
+			loader.LoadProviders,
 			service.ProviderSet,
 			wire.Bind(new(biz.CASClient), new(*biz.CASClientUseCase)),
 			serviceOpts,

app/controlplane/cmd/wire.go

@@ -26,6 +26,7 @@ import (
 	backend "github.com/chainloop-dev/chainloop/internal/blobmanager"
 	"github.com/chainloop-dev/chainloop/internal/blobmanager/azureblob"
 	"github.com/chainloop-dev/chainloop/internal/blobmanager/oci"
+	"github.com/chainloop-dev/chainloop/internal/blobmanager/s3"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 	"github.com/go-kratos/kratos/v2/log"
@@ -470,7 +471,7 @@ func (uc *CASBackendUseCase) PerformValidation(ctx context.Context, id string) (
 
 // Implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues
 func (CASBackendProvider) Values() (kinds []string) {
-	for _, s := range []CASBackendProvider{azureblob.ProviderID, oci.ProviderID, CASBackendInline} {
+	for _, s := range []CASBackendProvider{azureblob.ProviderID, oci.ProviderID, CASBackendInline, s3.ProviderID} {
 		kinds = append(kinds, string(s))
 	}