refactor: remove use of k8s secret #2565

Merged
merged 1 commit into from
Jun 14, 2024
45 changes: 35 additions & 10 deletions src/internal/packager/helm/post-render.go
Expand Up @@ -159,24 +159,49 @@ func (r *renderer) adoptAndUpdateNamespaces(ctx context.Context) error {
continue
}

// Create the secret
validRegistrySecret := c.GenerateRegistryPullCreds(name, config.ZarfImagePullSecretName, r.state.RegistryInfo)

// Try to get a valid existing secret
currentRegistrySecret, _ := c.GetSecret(ctx, name, config.ZarfImagePullSecretName)
validRegistrySecret := c.GenerateRegistryPullCreds(name, config.ZarfImagePullSecretName, r.state.RegistryInfo)
// TODO: Refactor as error is not checked instead of checking for not found error.
currentRegistrySecret, _ := c.Clientset.CoreV1().Secrets(name).Get(ctx, config.ZarfImagePullSecretName, metav1.GetOptions{})
if currentRegistrySecret.Name != config.ZarfImagePullSecretName || !reflect.DeepEqual(currentRegistrySecret.Data, validRegistrySecret.Data) {
// Create or update the zarf registry secret
if _, err := c.CreateOrUpdateSecret(ctx, validRegistrySecret); err != nil {
err := func() error {
_, err := c.Clientset.CoreV1().Secrets(validRegistrySecret.Namespace).Create(ctx, validRegistrySecret, metav1.CreateOptions{})
if err != nil && !kerrors.IsAlreadyExists(err) {
return err
}
if err == nil {
return nil
}
_, err = c.Clientset.CoreV1().Secrets(validRegistrySecret.Namespace).Update(ctx, validRegistrySecret, metav1.UpdateOptions{})
if err != nil {
return err
}
return nil
}()
if err != nil {
message.WarnErrf(err, "Problem creating registry secret for the %s namespace", name)
}

// Generate the git server secret
gitServerSecret := c.GenerateGitPullCreds(name, config.ZarfGitServerSecretName, r.state.GitServer)

// Create or update the zarf git server secret
if _, err := c.CreateOrUpdateSecret(ctx, gitServerSecret); err != nil {
gitServerSecret := c.GenerateGitPullCreds(name, config.ZarfGitServerSecretName, r.state.GitServer)
err = func() error {
_, err := c.Clientset.CoreV1().Secrets(gitServerSecret.Namespace).Create(ctx, gitServerSecret, metav1.CreateOptions{})
if err != nil && !kerrors.IsAlreadyExists(err) {
return err
}
if err == nil {
return nil
}
_, err = c.Clientset.CoreV1().Secrets(gitServerSecret.Namespace).Update(ctx, gitServerSecret, metav1.UpdateOptions{})
if err != nil {
return err
}
return nil
}()
if err != nil {
message.WarnErrf(err, "Problem creating git server secret for the %s namespace", name)
}

}
}
return nil
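Review bot: The `currentRegistrySecret, _ :=` line discards the Get error, so an RBAC denial or API timeout is treated exactly like "secret absent" and silently falls through to the Create/Update pair; the TODO above it notes this, but the guard is three lines: `currentRegistrySecret, err := c.Clientset.CoreV1().Secrets(name).Get(ctx, config.ZarfImagePullSecretName, metav1.GetOptions{})` followed by `if err != nil && !kerrors.IsNotFound(err) { message.WarnErrf(err, "Problem getting registry secret for the %s namespace", name) }` (the inner `err := func() error` can then become `err = func() error` to avoid shadowing). Because the outcome is only a warning, the NotFound path behaves as before. The two create-then-update closures differ only in the secret they act on, and the same sequence is repeated in state.go and zarf.go in this PR, so a shared helper taking a `*corev1.Secret` would keep the AlreadyExists-then-Update semantics in one place. adoptAndUpdateNamespaces starts before this hunk.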
58 changes: 41 additions & 17 deletions src/pkg/cluster/secrets.go
Expand Up @@ -34,8 +34,6 @@ type DockerConfigEntryWithAuth struct {

// GenerateRegistryPullCreds generates a secret containing the registry credentials.
func (c *Cluster) GenerateRegistryPullCreds(namespace, name string, registryInfo types.RegistryInfo) *corev1.Secret {
secretDockerConfig := c.GenerateSecret(namespace, name, corev1.SecretTypeDockerConfigJson)

// Auth field must be username:password and base64 encoded
fieldValue := registryInfo.PullUsername + ":" + registryInfo.PullPassword
authEncodedValue := base64.StdEncoding.EncodeToString([]byte(fieldValue))
Expand All @@ -56,22 +54,49 @@ func (c *Cluster) GenerateRegistryPullCreds(namespace, name string, registryInfo
message.WarnErrf(err, "Unable to marshal the .dockerconfigjson secret data for the image pull secret")
}

// Add to the secret data
secretDockerConfig.Data[".dockerconfigjson"] = dockerConfigData

secretDockerConfig := &corev1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: map[string]string{
ZarfManagedByLabel: "zarf",
},
},
Type: corev1.SecretTypeDockerConfigJson,
Data: map[string][]byte{
".dockerconfigjson": dockerConfigData,
},
}
return secretDockerConfig
}

// GenerateGitPullCreds generates a secret containing the git credentials.
func (c *Cluster) GenerateGitPullCreds(namespace, name string, gitServerInfo types.GitServerInfo) *corev1.Secret {
message.Debugf("k8s.GenerateGitPullCreds(%s, %s, gitServerInfo)", namespace, name)

gitServerSecret := c.GenerateSecret(namespace, name, corev1.SecretTypeOpaque)
gitServerSecret.StringData = map[string]string{
"username": gitServerInfo.PullUsername,
"password": gitServerInfo.PullPassword,
gitServerSecret := &corev1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: map[string]string{
ZarfManagedByLabel: "zarf",
},
},
Type: corev1.SecretTypeOpaque,
Data: map[string][]byte{},
StringData: map[string]string{
"username": gitServerInfo.PullUsername,
"password": gitServerInfo.PullPassword,
},
}

return gitServerSecret
}

Expand All @@ -87,7 +112,7 @@ func (c *Cluster) UpdateZarfManagedImageSecrets(ctx context.Context, state *type
} else {
// Update all image pull secrets
for _, namespace := range namespaceList.Items {
currentRegistrySecret, err := c.GetSecret(ctx, namespace.Name, config.ZarfImagePullSecretName)
currentRegistrySecret, err := c.Clientset.CoreV1().Secrets(namespace.Name).Get(ctx, config.ZarfImagePullSecretName, metav1.GetOptions{})
if err != nil {
continue
}
Expand All @@ -97,11 +122,10 @@ func (c *Cluster) UpdateZarfManagedImageSecrets(ctx context.Context, state *type
(namespace.Labels[k8s.AgentLabel] != "skip" && namespace.Labels[k8s.AgentLabel] != "ignore") {
spinner.Updatef("Updating existing Zarf-managed image secret for namespace: '%s'", namespace.Name)

// Create the secret
newRegistrySecret := c.GenerateRegistryPullCreds(namespace.Name, config.ZarfImagePullSecretName, state.RegistryInfo)
if !reflect.DeepEqual(currentRegistrySecret.Data, newRegistrySecret.Data) {
// Create or update the zarf registry secret
if _, err := c.CreateOrUpdateSecret(ctx, newRegistrySecret); err != nil {
_, err := c.Clientset.CoreV1().Secrets(newRegistrySecret.Namespace).Update(ctx, newRegistrySecret, metav1.UpdateOptions{})
if err != nil {
message.WarnErrf(err, "Problem creating registry secret for the %s namespace", namespace.Name)
}
}
Expand All @@ -123,7 +147,7 @@ func (c *Cluster) UpdateZarfManagedGitSecrets(ctx context.Context, state *types.
} else {
// Update all git pull secrets
for _, namespace := range namespaceList.Items {
currentGitSecret, err := c.GetSecret(ctx, namespace.Name, config.ZarfGitServerSecretName)
currentGitSecret, err := c.Clientset.CoreV1().Secrets(namespace.Name).Get(ctx, config.ZarfGitServerSecretName, metav1.GetOptions{})
if err != nil {
continue
}
Expand All @@ -136,8 +160,8 @@ func (c *Cluster) UpdateZarfManagedGitSecrets(ctx context.Context, state *types.
// Create the secret
newGitSecret := c.GenerateGitPullCreds(namespace.Name, config.ZarfGitServerSecretName, state.GitServer)
if !reflect.DeepEqual(currentGitSecret.StringData, newGitSecret.StringData) {
// Create or update the zarf git secret
if _, err := c.CreateOrUpdateSecret(ctx, newGitSecret); err != nil {
_, err := c.Clientset.CoreV1().Secrets(newGitSecret.Namespace).Update(ctx, newGitSecret, metav1.UpdateOptions{})
if err != nil {
message.WarnErrf(err, "Problem creating git server secret for the %s namespace", namespace.Name)
}
}
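Review bot: GenerateGitPullCreds still carries the credentials in `StringData` alongside an empty `Data` map, but `StringData` is a write-only convenience field that the API server merges into `Data` and does not return on read, so the unchanged `reflect.DeepEqual(currentGitSecret.StringData, newGitSecret.StringData)` in UpdateZarfManagedGitSecrets compares a nil map against a populated one and the Update fires for every namespace on every run. Building the secret with `Data: map[string][]byte{"username": []byte(gitServerInfo.PullUsername), "password": []byte(gitServerInfo.PullPassword)}`, dropping `StringData`, and comparing `.Data` as the registry path already does would make the change detection real and give both generators the same shape. UpdateZarfManagedImageSecrets and UpdateZarfManagedGitSecrets both begin before their hunks.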
27 changes: 15 additions & 12 deletions src/pkg/cluster/state.go
Expand Up @@ -27,6 +27,7 @@ import (

// Zarf Cluster Constants.
const (
ZarfManagedByLabel = "app.kubernetes.io/managed-by"
ZarfNamespaceName = "zarf"
ZarfStateSecretName = "zarf-state"
ZarfStateDataKey = "state"
Expand Down Expand Up @@ -214,7 +215,7 @@ func (c *Cluster) InitZarfState(ctx context.Context, initOptions types.ZarfInitO
// LoadZarfState returns the current zarf/zarf-state secret data or an empty ZarfState.
func (c *Cluster) LoadZarfState(ctx context.Context) (state *types.ZarfState, err error) {
// Set up the API connection
secret, err := c.GetSecret(ctx, ZarfNamespaceName, ZarfStateSecretName)
secret, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).Get(ctx, ZarfStateSecretName, metav1.GetOptions{})
if err != nil {
return nil, fmt.Errorf("%w. %s", err, message.ColorWrap("Did you remember to zarf init?", color.Bold))
}
Expand Down Expand Up @@ -267,17 +268,10 @@ func (c *Cluster) debugPrintZarfState(state *types.ZarfState) {
func (c *Cluster) SaveZarfState(ctx context.Context, state *types.ZarfState) error {
c.debugPrintZarfState(state)

// Convert the data back to JSON.
data, err := json.Marshal(&state)
if err != nil {
return err
}

// Set up the data wrapper.
dataWrapper := make(map[string][]byte)
dataWrapper[ZarfStateDataKey] = data

// The secret object.
secret := &corev1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
Expand All @@ -291,14 +285,23 @@ func (c *Cluster) SaveZarfState(ctx context.Context, state *types.ZarfState) err
},
},
Type: corev1.SecretTypeOpaque,
Data: dataWrapper,
Data: map[string][]byte{
ZarfStateDataKey: data,
},
}

// Attempt to create or update the secret and return.
if _, err := c.CreateOrUpdateSecret(ctx, secret); err != nil {
return fmt.Errorf("unable to create the zarf state secret")
_, err = c.Clientset.CoreV1().Secrets(secret.Namespace).Create(ctx, secret, metav1.CreateOptions{})
if err != nil && !kerrors.IsAlreadyExists(err) {
return fmt.Errorf("unable to create the zarf state secret: %w", err)
}
if err == nil {
return nil
}
_, err = c.Clientset.CoreV1().Secrets(secret.Namespace).Update(ctx, secret, metav1.UpdateOptions{})
if err != nil {
return fmt.Errorf("unable to update the zarf state secret: %w", err)
}

return nil
}

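Review bot: The Update on the AlreadyExists path in SaveZarfState sends a freshly built Secret with no ResourceVersion, which the Kubernetes API treats as an unconditional overwrite, so two zarf processes saving state at the same time would have the later write silently discard the earlier one — and this secret holds the RegistryInfo and GitServer credentials the other hunks in this PR read from state. A comment above the Create would make that contract explicit: `// Create first; on AlreadyExists fall back to an unconditional Update (no ResourceVersion, last writer wins).` If concurrent writers are a real concern, reading the existing secret and copying its ResourceVersion into `secret` before the Update would turn the race into a Conflict error instead of a lost write. The new exported `ZarfManagedByLabel` constant also lacks a doc comment; `// ZarfManagedByLabel is the label key stamped on every Secret Zarf creates.` would do. LoadZarfState continues below its hunk.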
56 changes: 41 additions & 15 deletions src/pkg/cluster/zarf.go
Expand Up @@ -12,21 +12,24 @@ import (
"strings"
"time"

autoscalingV2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"github.com/defenseunicorns/zarf/src/config"
"github.com/defenseunicorns/zarf/src/pkg/k8s"
"github.com/defenseunicorns/zarf/src/pkg/message"
"github.com/defenseunicorns/zarf/src/types"
autoscalingV2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// GetDeployedZarfPackages gets metadata information about packages that have been deployed to the cluster.
// We determine what packages have been deployed to the cluster by looking for specific secrets in the Zarf namespace.
// Returns a list of DeployedPackage structs and a list of errors.
func (c *Cluster) GetDeployedZarfPackages(ctx context.Context) ([]types.DeployedPackage, error) {
// Get the secrets that describe the deployed packages
secrets, err := c.GetSecretsWithLabel(ctx, ZarfNamespaceName, ZarfPackageInfoLabel)
listOpts := metav1.ListOptions{LabelSelector: ZarfPackageInfoLabel}
secrets, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).List(ctx, listOpts)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -54,7 +57,7 @@ func (c *Cluster) GetDeployedZarfPackages(ctx context.Context) ([]types.Deployed
// We determine what packages have been deployed to the cluster by looking for specific secrets in the Zarf namespace.
func (c *Cluster) GetDeployedPackage(ctx context.Context, packageName string) (deployedPackage *types.DeployedPackage, err error) {
// Get the secret that describes the deployed package
secret, err := c.GetSecret(ctx, ZarfNamespaceName, config.ZarfPackagePrefix+packageName)
secret, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).Get(ctx, config.ZarfPackagePrefix+packageName, metav1.GetOptions{})
if err != nil {
return deployedPackage, err
}
Expand Down Expand Up @@ -178,11 +181,6 @@ func (c *Cluster) RecordPackageDeploymentAndWait(ctx context.Context, pkg types.
func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg types.ZarfPackage, components []types.DeployedComponent, connectStrings types.ConnectStrings, generation int) (deployedPackage *types.DeployedPackage, err error) {
packageName := pkg.Metadata.Name

// Generate a secret that describes the package that is being deployed
secretName := config.ZarfPackagePrefix + packageName
deployedPackageSecret := c.GenerateSecret(ZarfNamespaceName, secretName, corev1.SecretTypeOpaque)
deployedPackageSecret.Labels[ZarfPackageInfoLabel] = packageName

// Attempt to load information about webhooks for the package
var componentWebhooks map[string]map[string]types.Webhook
existingPackageSecret, err := c.GetDeployedPackage(ctx, packageName)
Expand All @@ -209,16 +207,44 @@ func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg types.ZarfPac
}

// Update the package secret
deployedPackageSecret.Data = map[string][]byte{"data": packageData}
var updatedSecret *corev1.Secret
if updatedSecret, err = c.CreateOrUpdateSecret(ctx, deployedPackageSecret); err != nil {
deployedPackageSecret := &corev1.Secret{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
Kind: "Secret",
},
ObjectMeta: metav1.ObjectMeta{
Name: config.ZarfPackagePrefix + packageName,
Namespace: ZarfNamespaceName,
Labels: map[string]string{
ZarfManagedByLabel: "zarf",
ZarfPackageInfoLabel: packageName,
},
},
Type: corev1.SecretTypeOpaque,
Data: map[string][]byte{
"data": packageData,
},
}
updatedSecret, err := func() (*corev1.Secret, error) {
secret, err := c.Clientset.CoreV1().Secrets(deployedPackageSecret.Namespace).Create(ctx, deployedPackageSecret, metav1.CreateOptions{})
if err != nil && !kerrors.IsAlreadyExists(err) {
return nil, err
}
if err == nil {
return secret, nil
}
secret, err = c.Clientset.CoreV1().Secrets(deployedPackageSecret.Namespace).Update(ctx, deployedPackageSecret, metav1.UpdateOptions{})
if err != nil {
return nil, err
}
return secret, nil
}()
if err != nil {
return nil, fmt.Errorf("failed to record package deployment in secret '%s'", deployedPackageSecret.Name)
}

if err := json.Unmarshal(updatedSecret.Data["data"], &deployedPackage); err != nil {
return nil, err
}

return deployedPackage, nil
}

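Review bot: The error return after the upsert closure in RecordPackageDeployment drops the underlying error — `return nil, fmt.Errorf("failed to record package deployment in secret '%s'", deployedPackageSecret.Name)` — so a caller cannot distinguish a Forbidden from a Conflict or a timeout, whereas SaveZarfState in this same PR wraps with `%w`; change it to `return nil, fmt.Errorf("failed to record package deployment in secret '%s': %w", deployedPackageSecret.Name, err)`. This closure is the fourth copy of the create-then-update sequence introduced by the PR and the only one that needs the returned object, so a helper returning `(*corev1.Secret, error)` would serve every caller. RecordPackageDeployment's signature is in the preceding hunk of this file and the lines between the two hunks are not shown.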