Skip to content

Commit

Permalink
refactor: remove use of k8s secret
Browse files Browse the repository at this point in the history
  • Loading branch information
phillebaba committed May 31, 2024
1 parent ff83e19 commit 7e14308
Show file tree
Hide file tree
Showing 6 changed files with 184 additions and 166 deletions.
45 changes: 35 additions & 10 deletions src/internal/packager/helm/post-render.go
Original file line number Diff line number Diff line change
Expand Up @@ -150,24 +150,49 @@ func (r *renderer) adoptAndUpdateNamespaces(ctx context.Context) error {
continue
}

// Create the secret
validRegistrySecret := c.GenerateRegistryPullCreds(name, config.ZarfImagePullSecretName, r.state.RegistryInfo)

// Try to get a valid existing secret
currentRegistrySecret, _ := c.GetSecret(ctx, name, config.ZarfImagePullSecretName)
validRegistrySecret := c.GenerateRegistryPullCreds(name, config.ZarfImagePullSecretName, r.state.RegistryInfo)
// TODO: Refactor as error is not checked instead of checking for not found error.
currentRegistrySecret, _ := c.Clientset.CoreV1().Secrets(name).Get(ctx, config.ZarfImagePullSecretName, metav1.GetOptions{})
if currentRegistrySecret.Name != config.ZarfImagePullSecretName || !reflect.DeepEqual(currentRegistrySecret.Data, validRegistrySecret.Data) {
// Create or update the zarf registry secret
if _, err := c.CreateOrUpdateSecret(ctx, validRegistrySecret); err != nil {
err := func() error {
_, err := c.Clientset.CoreV1().Secrets(validRegistrySecret.Namespace).Create(ctx, validRegistrySecret, metav1.CreateOptions{})
if err != nil && !kerrors.IsAlreadyExists(err) {
return err
}
if err == nil {
return nil
}
_, err = c.Clientset.CoreV1().Secrets(validRegistrySecret.Namespace).Update(ctx, validRegistrySecret, metav1.UpdateOptions{})
if err != nil {
return err
}
return nil
}()
if err != nil {
message.WarnErrf(err, "Problem creating registry secret for the %s namespace", name)
}

// Generate the git server secret
gitServerSecret := c.GenerateGitPullCreds(name, config.ZarfGitServerSecretName, r.state.GitServer)

// Create or update the zarf git server secret
if _, err := c.CreateOrUpdateSecret(ctx, gitServerSecret); err != nil {
gitServerSecret := c.GenerateGitPullCreds(name, config.ZarfGitServerSecretName, r.state.GitServer)
err = func() error {
_, err := c.Clientset.CoreV1().Secrets(gitServerSecret.Namespace).Create(ctx, gitServerSecret, metav1.CreateOptions{})
if err != nil && !kerrors.IsAlreadyExists(err) {
return err
}
if err == nil {
return nil
}
_, err = c.Clientset.CoreV1().Secrets(gitServerSecret.Namespace).Update(ctx, gitServerSecret, metav1.UpdateOptions{})
if err != nil {
return err
}
return nil
}()
if err != nil {
message.WarnErrf(err, "Problem creating git server secret for the %s namespace", name)
}

}
}
return nil
Expand Down
59 changes: 42 additions & 17 deletions src/pkg/cluster/secrets.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"reflect"

corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"github.com/defenseunicorns/zarf/src/config"
"github.com/defenseunicorns/zarf/src/pkg/k8s"
Expand All @@ -33,8 +34,6 @@ type DockerConfigEntryWithAuth struct {

// GenerateRegistryPullCreds generates a secret containing the registry credentials.
func (c *Cluster) GenerateRegistryPullCreds(namespace, name string, registryInfo types.RegistryInfo) *corev1.Secret {
secretDockerConfig := c.GenerateSecret(namespace, name, corev1.SecretTypeDockerConfigJson)

// Auth field must be username:password and base64 encoded
fieldValue := registryInfo.PullUsername + ":" + registryInfo.PullPassword
authEncodedValue := base64.StdEncoding.EncodeToString([]byte(fieldValue))
Expand All @@ -55,22 +54,49 @@ func (c *Cluster) GenerateRegistryPullCreds(namespace, name string, registryInfo
message.WarnErrf(err, "Unable to marshal the .dockerconfigjson secret data for the image pull secret")
}

// Add to the secret data
secretDockerConfig.Data[".dockerconfigjson"] = dockerConfigData

secretDockerConfig := &corev1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: map[string]string{
ZarfManagedByLabel: "zarf",
},
},
Type: corev1.SecretTypeDockerConfigJson,
Data: map[string][]byte{
".dockerconfigjson": dockerConfigData,
},
}
return secretDockerConfig
}

// GenerateGitPullCreds generates a secret containing the git credentials.
func (c *Cluster) GenerateGitPullCreds(namespace, name string, gitServerInfo types.GitServerInfo) *corev1.Secret {
message.Debugf("k8s.GenerateGitPullCreds(%s, %s, gitServerInfo)", namespace, name)

gitServerSecret := c.GenerateSecret(namespace, name, corev1.SecretTypeOpaque)
gitServerSecret.StringData = map[string]string{
"username": gitServerInfo.PullUsername,
"password": gitServerInfo.PullPassword,
gitServerSecret := &corev1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: map[string]string{
ZarfManagedByLabel: "zarf",
},
},
Type: corev1.SecretTypeOpaque,
Data: map[string][]byte{},
StringData: map[string]string{
"username": gitServerInfo.PullUsername,
"password": gitServerInfo.PullPassword,
},
}

return gitServerSecret
}

Expand All @@ -85,7 +111,7 @@ func (c *Cluster) UpdateZarfManagedImageSecrets(ctx context.Context, state *type
} else {
// Update all image pull secrets
for _, namespace := range namespaces.Items {
currentRegistrySecret, err := c.GetSecret(ctx, namespace.Name, config.ZarfImagePullSecretName)
currentRegistrySecret, err := c.Clientset.CoreV1().Secrets(namespace.Name).Get(ctx, config.ZarfImagePullSecretName, metav1.GetOptions{})
if err != nil {
continue
}
Expand All @@ -95,11 +121,10 @@ func (c *Cluster) UpdateZarfManagedImageSecrets(ctx context.Context, state *type
(namespace.Labels[k8s.AgentLabel] != "skip" && namespace.Labels[k8s.AgentLabel] != "ignore") {
spinner.Updatef("Updating existing Zarf-managed image secret for namespace: '%s'", namespace.Name)

// Create the secret
newRegistrySecret := c.GenerateRegistryPullCreds(namespace.Name, config.ZarfImagePullSecretName, state.RegistryInfo)
if !reflect.DeepEqual(currentRegistrySecret.Data, newRegistrySecret.Data) {
// Create or update the zarf registry secret
if _, err := c.CreateOrUpdateSecret(ctx, newRegistrySecret); err != nil {
_, err := c.Clientset.CoreV1().Secrets(newRegistrySecret.Namespace).Update(ctx, newRegistrySecret, metav1.UpdateOptions{})
if err != nil {
message.WarnErrf(err, "Problem creating registry secret for the %s namespace", namespace.Name)
}
}
Expand All @@ -120,7 +145,7 @@ func (c *Cluster) UpdateZarfManagedGitSecrets(ctx context.Context, state *types.
} else {
// Update all git pull secrets
for _, namespace := range namespaces.Items {
currentGitSecret, err := c.GetSecret(ctx, namespace.Name, config.ZarfGitServerSecretName)
currentGitSecret, err := c.Clientset.CoreV1().Secrets(namespace.Name).Get(ctx, config.ZarfGitServerSecretName, metav1.GetOptions{})
if err != nil {
continue
}
Expand All @@ -133,8 +158,8 @@ func (c *Cluster) UpdateZarfManagedGitSecrets(ctx context.Context, state *types.
// Create the secret
newGitSecret := c.GenerateGitPullCreds(namespace.Name, config.ZarfGitServerSecretName, state.GitServer)
if !reflect.DeepEqual(currentGitSecret.StringData, newGitSecret.StringData) {
// Create or update the zarf git secret
if _, err := c.CreateOrUpdateSecret(ctx, newGitSecret); err != nil {
_, err := c.Clientset.CoreV1().Secrets(newGitSecret.Namespace).Update(ctx, newGitSecret, metav1.UpdateOptions{})
if err != nil {
message.WarnErrf(err, "Problem creating git server secret for the %s namespace", namespace.Name)
}
}
Expand Down
31 changes: 19 additions & 12 deletions src/pkg/cluster/state.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ import (

// Zarf Cluster Constants.
const (
ZarfManagedByLabel = "app.kubernetes.io/managed-by"
ZarfNamespaceName = "zarf"
ZarfStateSecretName = "zarf-state"
ZarfStateDataKey = "state"
Expand Down Expand Up @@ -217,7 +218,7 @@ func (c *Cluster) InitZarfState(ctx context.Context, initOptions types.ZarfInitO
// LoadZarfState returns the current zarf/zarf-state secret data or an empty ZarfState.
func (c *Cluster) LoadZarfState(ctx context.Context) (state *types.ZarfState, err error) {
// Set up the API connection
secret, err := c.GetSecret(ctx, ZarfNamespaceName, ZarfStateSecretName)
secret, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).Get(ctx, ZarfStateSecretName, metav1.GetOptions{})
if err != nil {
return nil, fmt.Errorf("%w. %s", err, message.ColorWrap("Did you remember to zarf init?", color.Bold))
}
Expand Down Expand Up @@ -270,17 +271,10 @@ func (c *Cluster) debugPrintZarfState(state *types.ZarfState) {
func (c *Cluster) SaveZarfState(ctx context.Context, state *types.ZarfState) error {
c.debugPrintZarfState(state)

// Convert the data back to JSON.
data, err := json.Marshal(&state)
if err != nil {
return err
}

// Set up the data wrapper.
dataWrapper := make(map[string][]byte)
dataWrapper[ZarfStateDataKey] = data

// The secret object.
secret := &corev1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
Expand All @@ -294,14 +288,27 @@ func (c *Cluster) SaveZarfState(ctx context.Context, state *types.ZarfState) err
},
},
Type: corev1.SecretTypeOpaque,
Data: dataWrapper,
Data: map[string][]byte{
ZarfStateDataKey: data,
},
}

// Attempt to create or update the secret and return.
if _, err := c.CreateOrUpdateSecret(ctx, secret); err != nil {
return fmt.Errorf("unable to create the zarf state secret")
_, err = c.Clientset.CoreV1().Secrets(secret.Namespace).Get(ctx, secret.Name, metav1.GetOptions{})
if err != nil && !kerrors.IsNotFound(err) {
return err
}
if kerrors.IsNotFound(err) {
_, err = c.Clientset.CoreV1().Secrets(secret.Namespace).Create(ctx, secret, metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("unable to create the zarf state secret: %w", err)
}
return nil
}
_, err = c.Clientset.CoreV1().Secrets(secret.Namespace).Update(ctx, secret, metav1.UpdateOptions{})
if err != nil {
return fmt.Errorf("unable to update the zarf state secret: %w", err)
}

return nil
}

Expand Down
56 changes: 41 additions & 15 deletions src/pkg/cluster/zarf.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,21 +12,24 @@ import (
"strings"
"time"

autoscalingV2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"github.com/defenseunicorns/zarf/src/config"
"github.com/defenseunicorns/zarf/src/pkg/k8s"
"github.com/defenseunicorns/zarf/src/pkg/message"
"github.com/defenseunicorns/zarf/src/types"
autoscalingV2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// GetDeployedZarfPackages gets metadata information about packages that have been deployed to the cluster.
// We determine what packages have been deployed to the cluster by looking for specific secrets in the Zarf namespace.
// Returns a list of DeployedPackage structs and a list of errors.
func (c *Cluster) GetDeployedZarfPackages(ctx context.Context) ([]types.DeployedPackage, error) {
// Get the secrets that describe the deployed packages
secrets, err := c.GetSecretsWithLabel(ctx, ZarfNamespaceName, ZarfPackageInfoLabel)
listOpts := metav1.ListOptions{LabelSelector: ZarfPackageInfoLabel}
secrets, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).List(ctx, listOpts)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -54,7 +57,7 @@ func (c *Cluster) GetDeployedZarfPackages(ctx context.Context) ([]types.Deployed
// We determine what packages have been deployed to the cluster by looking for specific secrets in the Zarf namespace.
func (c *Cluster) GetDeployedPackage(ctx context.Context, packageName string) (deployedPackage *types.DeployedPackage, err error) {
// Get the secret that describes the deployed package
secret, err := c.GetSecret(ctx, ZarfNamespaceName, config.ZarfPackagePrefix+packageName)
secret, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).Get(ctx, config.ZarfPackagePrefix+packageName, metav1.GetOptions{})
if err != nil {
return deployedPackage, err
}
Expand Down Expand Up @@ -176,11 +179,6 @@ func (c *Cluster) RecordPackageDeploymentAndWait(ctx context.Context, pkg types.
func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg types.ZarfPackage, components []types.DeployedComponent, connectStrings types.ConnectStrings, generation int) (deployedPackage *types.DeployedPackage, err error) {
packageName := pkg.Metadata.Name

// Generate a secret that describes the package that is being deployed
secretName := config.ZarfPackagePrefix + packageName
deployedPackageSecret := c.GenerateSecret(ZarfNamespaceName, secretName, corev1.SecretTypeOpaque)
deployedPackageSecret.Labels[ZarfPackageInfoLabel] = packageName

// Attempt to load information about webhooks for the package
var componentWebhooks map[string]map[string]types.Webhook
existingPackageSecret, err := c.GetDeployedPackage(ctx, packageName)
Expand All @@ -207,16 +205,44 @@ func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg types.ZarfPac
}

// Update the package secret
deployedPackageSecret.Data = map[string][]byte{"data": packageData}
var updatedSecret *corev1.Secret
if updatedSecret, err = c.CreateOrUpdateSecret(ctx, deployedPackageSecret); err != nil {
deployedPackageSecret := &corev1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: config.ZarfPackagePrefix + packageName,
Namespace: ZarfNamespaceName,
Labels: map[string]string{
ZarfManagedByLabel: "zarf",
ZarfPackageInfoLabel: packageName,
},
},
Type: corev1.SecretTypeOpaque,
Data: map[string][]byte{
"data": packageData,
},
}
updatedSecret, err := func() (*corev1.Secret, error) {
secret, err := c.Clientset.CoreV1().Secrets(deployedPackageSecret.Namespace).Create(ctx, deployedPackageSecret, metav1.CreateOptions{})
if err != nil && !kerrors.IsAlreadyExists(err) {
return nil, err
}
if err == nil {
return secret, nil
}
secret, err = c.Clientset.CoreV1().Secrets(deployedPackageSecret.Namespace).Update(ctx, deployedPackageSecret, metav1.UpdateOptions{})
if err != nil {
return nil, err
}
return secret, nil
}()
if err != nil {
return nil, fmt.Errorf("failed to record package deployment in secret '%s'", deployedPackageSecret.Name)
}

if err := json.Unmarshal(updatedSecret.Data["data"], &deployedPackage); err != nil {
return nil, err
}

return deployedPackage, nil
}

Expand Down
Loading

0 comments on commit 7e14308

Please sign in to comment.