refactor: distinguish secrets from vars in CI

Rename configuration fields to separate GitHub secrets (sensitive)
from variables (non-sensitive):

- Registry URL/user changed from secrets to variables
- Add separate registryUrlVar for `func deploy --registry=URL`
- Renamed selfHostedRunner to useSelfHostedRunner for consistency

Update workflow generation to use ${{ vars.* }} for variables and
${{ secrets.* }} for secrets.

Issue SRVOCF-744

Signed-off-by: Stanislav Jakuschevskij <sjakusch@redhat.com>

Author: twoGiants

cmd/ci/config.go

@@ -12,13 +12,14 @@ type CIConfig struct {
 	githubWorkflowDir,
 	githubWorkflowFilename,
 	workflowName,
-	kubeconfigSecretKey,
-	registryUrlSecretKey,
-	registryUserSecretKey,
-	registryPassSecretKey string
+	kubeconfigSecret,
+	registryLoginUrlVar,
+	registryUserVar,
+	registryPassSecret,
+	registryUrlVar string
 	useRegistryLogin,
 	useRemoteBuild,
-	selfHostedRunner,
+	useSelfHostedRunner,
 	debug bool
 }
 
@@ -42,28 +43,32 @@ func (cc *CIConfig) UseRemoteBuild() bool {
 	return cc.useRemoteBuild
 }
 
-func (cc *CIConfig) SelfHostedRunner() bool {
-	return cc.selfHostedRunner
+func (cc *CIConfig) UseSelfHostedRunner() bool {
+	return cc.useSelfHostedRunner
 }
 
 func (cc *CIConfig) UseDebug() bool {
 	return cc.debug
 }
 
-func (cc *CIConfig) KubeconfigSecretKey() string {
-	return cc.kubeconfigSecretKey
+func (cc *CIConfig) KubeconfigSecret() string {
+	return cc.kubeconfigSecret
 }
 
-func (cc *CIConfig) RegistryUrlSecretKey() string {
-	return cc.registryUrlSecretKey
+func (cc *CIConfig) RegistryLoginUrlVar() string {
+	return cc.registryLoginUrlVar
 }
 
-func (cc *CIConfig) RegistryUserSecretKey() string {
-	return cc.registryUserSecretKey
+func (cc *CIConfig) RegistryUserVar() string {
+	return cc.registryUserVar
 }
 
-func (cc *CIConfig) RegistryPassSecretKey() string {
-	return cc.registryPassSecretKey
+func (cc *CIConfig) RegistryPassSecret() string {
+	return cc.registryPassSecret
+}
+
+func (cc *CIConfig) RegistryUrlVar() string {
+	return cc.registryUrlVar
 }
 
 type ciConfigBuilder struct {
@@ -77,13 +82,14 @@ func NewCIConfigBuilder() *ciConfigBuilder {
 			githubWorkflowDir:      ".github/workflows",
 			githubWorkflowFilename: "remote-build-and-deploy.yaml",
 			workflowName:           "Remote Build and Deploy",
-			kubeconfigSecretKey:    "KUBECONFIG",
-			registryUrlSecretKey:   "REGISTRY_URL",
-			registryUserSecretKey:  "REGISTRY_USERNAME",
-			registryPassSecretKey:  "REGISTRY_PASSWORD",
+			kubeconfigSecret:       "KUBECONFIG",
+			registryLoginUrlVar:    "REGISTRY_LOGIN_URL",
+			registryUserVar:        "REGISTRY_USERNAME",
+			registryPassSecret:     "REGISTRY_PASSWORD",
+			registryUrlVar:         "REGISTRY_URL",
 			useRegistryLogin:       true,
 			useRemoteBuild:         false,
-			selfHostedRunner:       false,
+			useSelfHostedRunner:    false,
 			debug:                  false,
 		},
 	}
@@ -94,23 +100,23 @@ func (b *ciConfigBuilder) WithWorkflowName(name string) *ciConfigBuilder {
 	return b
 }
 
-func (b *ciConfigBuilder) WithKubeconfigKey(key string) *ciConfigBuilder {
-	b.result.kubeconfigSecretKey = key
+func (b *ciConfigBuilder) WithKubeconfigSecret(v string) *ciConfigBuilder {
+	b.result.kubeconfigSecret = v
 	return b
 }
 
-func (b *ciConfigBuilder) WithRegistryUrlKey(key string) *ciConfigBuilder {
-	b.result.registryUrlSecretKey = key
+func (b *ciConfigBuilder) WithRegistryLoginUrlVar(v string) *ciConfigBuilder {
+	b.result.registryLoginUrlVar = v
 	return b
 }
 
-func (b *ciConfigBuilder) WithRegistryUserKey(key string) *ciConfigBuilder {
-	b.result.registryUserSecretKey = key
+func (b *ciConfigBuilder) WithRegistryUserVar(v string) *ciConfigBuilder {
+	b.result.registryUserVar = v
 	return b
 }
 
-func (b *ciConfigBuilder) WithRegistryPassKey(key string) *ciConfigBuilder {
-	b.result.registryPassSecretKey = key
+func (b *ciConfigBuilder) WithRegistryPassSecret(v string) *ciConfigBuilder {
+	b.result.registryPassSecret = v
 	return b
 }
 
@@ -125,7 +131,7 @@ func (b *ciConfigBuilder) WithRemoteBuild() *ciConfigBuilder {
 }
 
 func (b *ciConfigBuilder) WithSelfHosted() *ciConfigBuilder {
-	b.result.selfHostedRunner = true
+	b.result.useSelfHostedRunner = true
 	return b
 }
 

cmd/ci/workflow.go

@@ -95,17 +95,18 @@ func (s *Step) withActionConfig(key, value string) *Step {
 
 func NewGithubWorkflow(
 	name,
-	kubeconfigSecretKey,
-	registryUrlSecretKey,
-	registryUserSecretKey,
-	registryPassSecretKey string,
+	kubeconfigSecret,
+	registryLoginUrlVar,
+	registryUserEnvVar,
+	registryPassSecret,
+	registryUrlVar string,
 	useRegistryLogin,
 	useRemoteBuild,
-	selfHosted,
+	useSelfHosted,
 	useDebug bool,
 ) *GithubWorkflow {
 	runsOn := "ubuntu-latest"
-	if selfHosted {
+	if useSelfHosted {
 		runsOn = "self-hosted"
 	}
 
@@ -119,15 +120,15 @@ func NewGithubWorkflow(
 	setupK8Context := newStep("Setup Kubernetes context").
 		withUses("azure/k8s-set-context@v4").
 		withActionConfig("method", "kubeconfig").
-		withActionConfig("kubeconfig", newSecret(kubeconfigSecretKey))
+		withActionConfig("kubeconfig", newSecret(kubeconfigSecret))
 	steps = append(steps, *setupK8Context)
 
 	if useRegistryLogin {
 		loginToContainerRegistry := newStep("Login to container registry").
 			withUses("docker/login-action@v3").
-			withActionConfig("registry", newSecret(registryUrlSecretKey)).
-			withActionConfig("username", newSecret(registryUserSecretKey)).
-			withActionConfig("password", newSecret(registryPassSecretKey))
+			withActionConfig("registry", newVariable(registryLoginUrlVar)).
+			withActionConfig("username", newVariable(registryUserEnvVar)).
+			withActionConfig("password", newSecret(registryPassSecret))
 		steps = append(steps, *loginToContainerRegistry)
 	}
 
@@ -154,8 +155,12 @@ func NewGithubWorkflow(
 		runFuncDeploy += " --remote"
 		name = "Remote Build and Deploy"
 	}
+	registryUrl := newVariable(registryUrlVar)
+	if useRegistryLogin {
+		registryUrl = newVariable(registryLoginUrlVar) + "/" + newVariable(registryUserEnvVar)
+	}
 	deployFunc := newStep("Deploy function").
-		withRun(runFuncDeploy + " --registry=" + newSecret(registryUrlSecretKey) + " -v")
+		withRun(runFuncDeploy + " --registry=" + registryUrl + " -v")
 	steps = append(steps, *deployFunc)
 
 	return &GithubWorkflow{
@@ -226,3 +231,7 @@ func (gw *GithubWorkflow) toYaml() ([]byte, error) {
 func newSecret(key string) string {
 	return fmt.Sprintf("${{ secrets.%s }}", key)
 }
+
+func newVariable(key string) string {
+	return fmt.Sprintf("${{ vars.%s }}", key)
+}

cmd/ci/workflow_test.go

@@ -12,9 +12,10 @@ func TestGithubWorkflow_PersistAndLoad(t *testing.T) {
 	gw := ci.NewGithubWorkflow(
 		"gw-test",
 		"KUBECONFIG",
-		"REGISTRY_URL",
+		"REGISTRY_LOGIN_URL",
 		"REGISTRY_USERNAME",
 		"REGISTRY_PASSWORD",
+		"REGISTRY_URL",
 		false,
 		false,
 		false,

cmd/config_ci.go

@@ -74,13 +74,14 @@ func runConfigCIGithub(
 
 	githubWorkflow := ci.NewGithubWorkflow(
 		ciConfig.WorkflowName(),
-		ciConfig.KubeconfigSecretKey(),
-		ciConfig.RegistryUrlSecretKey(),
-		ciConfig.RegistryUserSecretKey(),
-		ciConfig.RegistryPassSecretKey(),
+		ciConfig.KubeconfigSecret(),
+		ciConfig.RegistryLoginUrlVar(),
+		ciConfig.RegistryUserVar(),
+		ciConfig.RegistryPassSecret(),
+		cfg.RegistryUrlVar(),
 		cfg.UseRegistryLogin(),
 		cfg.UseRemoteBuild(),
-		cfg.SelfHostedRunner(),
+		cfg.UseSelfHostedRunner(),
 		cfg.UseDebug(),
 	)
 	if err := githubWorkflow.Persist(ciConfig.FnGithubWorkflowFilepath(f.Root)); err != nil {

cmd/config_ci_test.go

@@ -80,10 +80,10 @@ func TestNewConfigCICmd_WorkflowYAMLHasCustomValues(t *testing.T) {
 	// GIVEN
 	ciConfig := ci.NewCIConfigBuilder().
 		WithWorkflowName("Custom Remote Build and Deploy").
-		WithKubeconfigKey("DEV_CLUSTER_KUBECONFIG").
-		WithRegistryUrlKey("DEV_REGISTRY_URL").
-		WithRegistryUserKey("DEV_REGISTRY_USER").
-		WithRegistryPassKey("DEV_REGISTRY_PASS").
+		WithKubeconfigSecret("DEV_CLUSTER_KUBECONFIG").
+		WithRegistryLoginUrlVar("DEV_REGISTRY_URL").
+		WithRegistryUserVar("DEV_REGISTRY_USER").
+		WithRegistryPassSecret("DEV_REGISTRY_PASS").
 		Build()
 	options := opts{
 		withFuncInTempDir: true,
@@ -99,10 +99,10 @@ func TestNewConfigCICmd_WorkflowYAMLHasCustomValues(t *testing.T) {
 	assertWorkflowFileExists(t, result)
 	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.WorkflowName()))
 	assert.Assert(t, yamlContains(result.gwYamlString, "self-hosted"))
-	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.KubeconfigSecretKey()))
-	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.RegistryUrlSecretKey()))
-	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.RegistryUserSecretKey()))
-	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.RegistryPassSecretKey()))
+	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.KubeconfigSecret()))
+	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.RegistryLoginUrlVar()))
+	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.RegistryUserVar()))
+	assert.Assert(t, yamlContains(result.gwYamlString, ciConfig.RegistryPassSecret()))
 }
 
 func TestNewConfigCICmd_WorkflowHasNoRegistryLogin(t *testing.T) {
@@ -120,6 +120,7 @@ func TestNewConfigCICmd_WorkflowHasNoRegistryLogin(t *testing.T) {
 	assertWorkflowFileExists(t, result)
 	assert.Assert(t, !strings.Contains(result.gwYamlString, "docker/login-action@v3"))
 	assert.Assert(t, !strings.Contains(result.gwYamlString, "Login to container registry"))
+	assert.Assert(t, yamlContains(result.gwYamlString, "--registry=${{ vars.REGISTRY_URL }}"))
 }
 
 func TestNewConfigCICmd_RemoteBuildAndDeployWorkflow(t *testing.T) {
@@ -264,8 +265,8 @@ func assertWorkflowFileContent(t *testing.T, actualGw string) {
 
 	assert.Assert(t, yamlContains(actualGw, "Login to container registry"))
 	assert.Assert(t, yamlContains(actualGw, "docker/login-action@v3"))
-	assert.Assert(t, yamlContains(actualGw, "registry: ${{ secrets.REGISTRY_URL }}"))
-	assert.Assert(t, yamlContains(actualGw, "username: ${{ secrets.REGISTRY_USERNAME }}"))
+	assert.Assert(t, yamlContains(actualGw, "registry: ${{ vars.REGISTRY_LOGIN_URL }}"))
+	assert.Assert(t, yamlContains(actualGw, "username: ${{ vars.REGISTRY_USERNAME }}"))
 	assert.Assert(t, yamlContains(actualGw, "password: ${{ secrets.REGISTRY_PASSWORD }}"))
 
 	assert.Assert(t, yamlContains(actualGw, "Install func cli"))
@@ -274,7 +275,7 @@ func assertWorkflowFileContent(t *testing.T, actualGw string) {
 	assert.Assert(t, yamlContains(actualGw, "name: func"))
 
 	assert.Assert(t, yamlContains(actualGw, "Deploy function"))
-	assert.Assert(t, yamlContains(actualGw, "func deploy --registry=${{ secrets.REGISTRY_URL }} -v"))
+	assert.Assert(t, yamlContains(actualGw, "func deploy --registry=${{ vars.REGISTRY_LOGIN_URL }}/${{ vars.REGISTRY_USERNAME }} -v"))
 }
 
 func yamlContains(yaml, substr string) cmp.Comparison {