cnoe-io · cmoulliard · Nov 8, 2024 · Nov 8, 2024 · Nov 8, 2024 · Nov 8, 2024
diff --git a/api/v1alpha1/gitrepository_types.go b/api/v1alpha1/gitrepository_types.go
@@ -5,12 +5,13 @@ import (
 )
 
 const (
-	GitProviderGitea   = "gitea"
-	GitProviderGitHub  = "github"
-	GiteaAdminUserName = "giteaAdmin"
-	SourceTypeLocal    = "local"
-	SourceTypeRemote   = "remote"
-	SourceTypeEmbedded = "embedded"
+	GitProviderGitea       = "gitea"
+	GitProviderGitHub      = "github"
+	GiteaAdminUserName     = "giteaAdmin"
+	GiteaDeveloperUserName = "developer"
+	SourceTypeLocal        = "local"
+	SourceTypeRemote       = "remote"
+	SourceTypeEmbedded     = "embedded"
 )
 
 type GitRepositorySpec struct {

diff --git a/api/v1alpha1/localbuild_types.go b/api/v1alpha1/localbuild_types.go
@@ -53,6 +53,7 @@ type BuildCustomizationSpec struct {
 	Port           string `json:"port,omitempty"`
 	UsePathRouting bool   `json:"usePathRouting,omitempty"`
 	SelfSignedCert string `json:"selfSignedCert,omitempty"`
+	DevMode        bool   `json:"devMode,omitempty"`
 }
 
 type LocalbuildSpec struct {

diff --git a/hack/argo-cd/argocd-cm.yaml b/hack/argo-cd/argocd-cm.yaml
@@ -4,6 +4,7 @@ metadata:
   name: argocd-cm
 data:
   application.resourceTrackingMethod: annotation
+  accounts.developer: apiKey, login
   timeout.reconciliation: 60s
   resource.exclusions: |
     - kinds:

diff --git a/hack/argo-cd/argocd-rbac-dev.yaml b/hack/argo-cd/argocd-rbac-dev.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-rbac-cm
+  namespace: argocd
+data:
+  policy.csv: |
+    p, role:developer, applications, *, *, allow
+    g, developer, role:developer
diff --git a/hack/argo-cd/kustomization.yaml b/hack/argo-cd/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.7/manifests/install.yaml
+  - argocd-rbac-dev.yaml
 
 patches:
   - path: dex-server.yaml

diff --git a/pkg/build/build.go b/pkg/build/build.go
@@ -28,6 +28,7 @@ var (
 
 type Build struct {
 	name                 string
+	devMode              bool
 	cfg                  v1alpha1.BuildCustomizationSpec
 	kindConfigPath       string
 	kubeConfigPath       string
@@ -278,5 +279,6 @@ func isBuildCustomizationSpecEqual(s1, s2 v1alpha1.BuildCustomizationSpec) bool
 		s1.IngressHost == s2.IngressHost &&
 		s1.Port == s2.Port &&
 		s1.UsePathRouting == s2.UsePathRouting &&
-		s1.SelfSignedCert == s2.SelfSignedCert
+		s1.SelfSignedCert == s2.SelfSignedCert &&
+		s1.DevMode == s2.DevMode
 }
diff --git a/pkg/cmd/create/root.go b/pkg/cmd/create/root.go
@@ -20,6 +20,7 @@ import (
 const (
 	recreateClusterUsage   = "Delete cluster first if it already exists."
 	buildNameUsage         = "Name for build (Prefix for kind cluster name, pod names, etc)."
+	devModeUsage           = "When enabled, the platform will run the core packages with developer password."
 	kubeVersionUsage       = "Version of the kind kubernetes cluster to create."
 	extraPortsMappingUsage = "List of extra ports to expose on the docker container and kubernetes cluster as nodePort " +
 		"(e.g. \"22:32222,9090:39090,etc\")."
@@ -40,6 +41,7 @@ var (
 	// Flags
 	recreateCluster           bool
 	buildName                 string
+	devMode                   bool
 	kubeVersion               string
 	extraPortsMapping         string
 	kindConfigPath            string
@@ -67,6 +69,7 @@ func init() {
 	CreateCmd.PersistentFlags().StringVar(&buildName, "build-name", "localdev", buildNameUsage)
 	CreateCmd.PersistentFlags().MarkDeprecated("build-name", "use --name instead.")
 	CreateCmd.PersistentFlags().StringVar(&buildName, "name", "localdev", buildNameUsage)
+	CreateCmd.PersistentFlags().BoolVar(&devMode, "dev", false, devModeUsage)
 	CreateCmd.PersistentFlags().StringVar(&kubeVersion, "kube-version", "v1.30.3", kubeVersionUsage)
 	CreateCmd.PersistentFlags().StringVar(&extraPortsMapping, "extra-ports", "", extraPortsMappingUsage)
 	CreateCmd.PersistentFlags().StringVar(&kindConfigPath, "kind-config", "", kindConfigPathUsage)
@@ -143,6 +146,7 @@ func create(cmd *cobra.Command, args []string) error {
 			IngressHost:    ingressHost,
 			Port:           port,
 			UsePathRouting: pathRouting,
+			DevMode:        devMode,
 		},
 
 		CustomPackageDirs:    absDirPaths,

diff --git a/pkg/controllers/localbuild/argo.go b/pkg/controllers/localbuild/argo.go
@@ -3,6 +3,13 @@ package localbuild
 import (
 	"context"
 	"embed"
+	"encoding/json"
+	"fmt"
+	"golang.org/x/crypto/bcrypt"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"time"
 
 	"github.com/cnoe-io/idpbuilder/api/v1alpha1"
 	"github.com/cnoe-io/idpbuilder/globals"
@@ -15,6 +22,14 @@ import (
 //go:embed resources/argo/*
 var installArgoFS embed.FS
 
+const (
+	argocdDevModePassword         = "developer"
+	argocdAdminSecretName         = "argocd-secret"
+	argocdInitialAdminSecretName  = "argocd-initial-admin-secret"
+	argocdInitialAdminPasswordKey = "argocd-initial-admin-secret"
+	argocdNamespace               = "argocd"
+)
+
 func RawArgocdInstallResources(templateData any, config v1alpha1.PackageCustomization, scheme *runtime.Scheme) ([][]byte, error) {
 	return k8s.BuildCustomizedManifests(config.FilePath, "resources/argo", installArgoFS, scheme, templateData)
 }
@@ -53,7 +68,74 @@ func (r *LocalbuildReconciler) ReconcileArgo(ctx context.Context, req ctrl.Reque
 	if result, err := argocd.Install(ctx, resource, r.Client, r.Scheme, r.Config); err != nil {
 		return result, err
 	}
-
 	resource.Status.ArgoCD.Available = true
+
+	// Let's patch the existing argocd admin secret if devmode is enabled to set the default password
+	if r.Config.DevMode {
+		// Hash password using bcrypt
+		password := argocdDevModePassword
+		hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), 0)
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("Error hashing password: %w", err)
+		}
+
+		// Prepare the patch for the Secret's `stringData` field
+		patchData := map[string]interface{}{
+			"stringData": map[string]string{
+				"accounts.developer.password":      string(hashedPassword),
+				"accounts.developer.passwordMtime": time.Now().Format(time.RFC3339),
+			},
+		}
+		// Convert patch data to JSON
+		patchBytes, err := json.Marshal(patchData)
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("Error marshalling patch data: %w", err)
+		}
+
+		kubeClient, err := k8s.GetKubeClient()
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("getting kube client: %w", err)
+		}
+
+		// Getting the argocd-secret
+		s := v1.Secret{}
+		err = kubeClient.Get(ctx, client.ObjectKey{Name: argocdAdminSecretName, Namespace: argocdNamespace}, &s)
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("getting argocd secret: %w", err)
+		}
+
+		// Patching the argocd-secret with the user's hashed password
+		err = kubeClient.Patch(ctx, &s, client.RawPatch(types.StrategicMergePatchType, patchBytes))
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("Error patching the Secret: %w", err)
+		}
 return r.Client.Patch(ctx, &u, client.Apply, client.ForceOwnership, client.FieldOwner(v1alpha1.FieldManager)) 
 u := unstructured.Unstructured{} 
 u.SetName(giteaAdminSecret) 
 u.SetNamespace(giteaNamespace) 
 u.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret")) 
 func ApplyAnnotation(ctx context.Context, kubeClient client.Client, obj client.Object, annotations map[string]string, opts ...client.PatchOption) error { 
 	// MUST be unstructured to avoid managing fields we do not care about. 
 	u := unstructured.Unstructured{} 
 	u.SetAnnotations(annotations) 
 	u.SetName(obj.GetName()) 
 	u.SetNamespace(obj.GetNamespace()) 
 	u.SetGroupVersionKind(obj.GetObjectKind().GroupVersionKind()) 
 	return kubeClient.Patch(ctx, &u, client.Apply, opts...) 
 } 
 return r.Client.Patch(ctx, &u, client.Apply, client.ForceOwnership, client.FieldOwner(v1alpha1.FieldManager)) 
 u := unstructured.Unstructured{} 
 u.SetName(giteaAdminSecret) 
 u.SetNamespace(giteaNamespace) 
 u.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret")) 
 func ApplyAnnotation(ctx context.Context, kubeClient client.Client, obj client.Object, annotations map[string]string, opts ...client.PatchOption) error { 
 	// MUST be unstructured to avoid managing fields we do not care about. 
 	u := unstructured.Unstructured{} 
 	u.SetAnnotations(annotations) 
 	u.SetName(obj.GetName()) 
 	u.SetNamespace(obj.GetNamespace()) 
 	u.SetGroupVersionKind(obj.GetObjectKind().GroupVersionKind()) 
 	return kubeClient.Patch(ctx, &u, client.Apply, opts...) 
 } 
+
+		/*
+			   This is not needed as we will not generate a new admin password
+
+			   adminSecret := v1.Secret{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       "Secret",
+						APIVersion: "v1",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      argocdInitialAdminSecretName,
+						Namespace: argocdNamespace,
+					},
+					StringData: map[string]string{
+						argocdInitialAdminPasswordKey: argocdDevModePassword,
+					},
+				}
+
+				// Re-creating the initial admin password secret: argocd-initial-admin-secret as used with "idpbuilder get secrets -p argocd"
+				err = kubeClient.Create(ctx, &adminSecret)
+				if err != nil {
+					return ctrl.Result{}, fmt.Errorf("Error creating the initial admin secret: %w", err)
+				} else {
+					return ctrl.Result{}, nil
+				}*/
+
+	}
+
 	return ctrl.Result{}, nil
 }
diff --git a/pkg/controllers/localbuild/argo_test.go b/pkg/controllers/localbuild/argo_test.go
@@ -80,8 +80,8 @@ func TestGetK8sInstallResources(t *testing.T) {
 		t.Fatalf("GetK8sInstallResources() error: %v", err)
 	}
 
-	if len(objs) != 58 {
-		t.Fatalf("Expected 58 Argo Install Resources, got: %d", len(objs))
+	if len(objs) != 59 {
+		t.Fatalf("Expected 59 Argo Install Resources, got: %d", len(objs))
 	}
 }
 

diff --git a/pkg/controllers/localbuild/gitea.go b/pkg/controllers/localbuild/gitea.go
@@ -24,6 +24,8 @@ import (
 )
 
 const (
+	giteaDevModePassword = "developer"
+
 	// hardcoded values from what we have in the yaml installation file.
 	giteaNamespace           = "gitea"
 	giteaAdminSecret         = "gitea-credential"
@@ -56,14 +58,24 @@ func giteaAdminSecretObject() corev1.Secret {
 	}
 }
 
-func newGiteaAdminSecret() (corev1.Secret, error) {
-	pass, err := util.GeneratePassword()
-	if err != nil {
-		return corev1.Secret{}, err
+func newGiteaAdminSecret(devMode bool) (corev1.Secret, error) {
+	pass := giteaDevModePassword
+	// TODO: Reverting to giteaAdmin till we know why a different user - developer fails
+	userName := v1alpha1.GiteaAdminUserName
+
+	if !devMode {
+		var err error
+		pass, err = util.GeneratePassword()
+		if err != nil {
+			return corev1.Secret{}, err
+		}
+
+		userName = v1alpha1.GiteaAdminUserName
 	}
+
 	obj := giteaAdminSecretObject()
 	obj.StringData = map[string]string{
-		"username": v1alpha1.GiteaAdminUserName,
+		"username": userName,
 		"password": pass,
 	}
 	return obj, nil
@@ -93,7 +105,7 @@ func (r *LocalbuildReconciler) ReconcileGitea(ctx context.Context, req ctrl.Requ
 
 	if err != nil {
 		if k8serrors.IsNotFound(err) {
-			giteaCreds, err := newGiteaAdminSecret()
+			giteaCreds, err := newGiteaAdminSecret(r.Config.DevMode)
 			if err != nil {
 				return ctrl.Result{}, fmt.Errorf("generating gitea admin secret: %w", err)
 			}

diff --git a/pkg/controllers/localbuild/resources/argo/install.yaml b/pkg/controllers/localbuild/resources/argo/install.yaml
@@ -21081,6 +21081,20 @@ subjects:
 ---
 apiVersion: v1
 data:
+  policy.csv: |-
+    p, role:developer, applications, *, *, allow
+    g, developer, role:developer
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-rbac-cm
+  namespace: argocd
+---
+apiVersion: v1
+data:
+  accounts.developer: apiKey, login
   application.resourceTrackingMethod: annotation
   resource.exclusions: |
     - kinds:

diff --git a/pkg/controllers/resources/idpbuilder.cnoe.io_localbuilds.yaml b/pkg/controllers/resources/idpbuilder.cnoe.io_localbuilds.yaml
@@ -41,6 +41,8 @@ spec:
                 description: BuildCustomizationSpec fields cannot change once a cluster
                   is created
                 properties:
+                  devMode:
+                    type: boolean
                   host:
                     type: string
                   ingressHost:

diff --git a/pkg/k8s/util.go b/pkg/k8s/util.go
@@ -2,13 +2,22 @@ package k8s
 
 import (
 	"embed"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/util/homedir"
 	"os"
+	"path/filepath"
+	ctrl "sigs.k8s.io/controller-runtime"
 
 	"github.com/cnoe-io/idpbuilder/pkg/util"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+var (
+	setupLog = ctrl.Log.WithName("k8s")
+)
+
 func BuildCustomizedManifests(filePath, fsPath string, resourceFS embed.FS, scheme *runtime.Scheme, templateData any) ([][]byte, error) {
 	rawResources, err := util.ConvertFSToBytes(resourceFS, fsPath, templateData)
 	if err != nil {
@@ -58,3 +67,33 @@ func applyOverrides(filePath string, originalFiles [][]byte, scheme *runtime.Sch
 
 	return ConvertYamlToObjectsWithOverride(scheme, originalFiles, rendered)
 }
+
+func GetKubeConfig(kubeConfigPath ...string) (*rest.Config, error) {
+	// Set default path if no path is provided
+	path := filepath.Join(homedir.HomeDir(), ".kube", "config")
+
+	if len(kubeConfigPath) > 0 {
+		path = kubeConfigPath[0]
+	}
+
+	kubeConfig, err := clientcmd.BuildConfigFromFlags("", path)
+	if err != nil {
+		setupLog.Error(err, "Error building kubeconfig from kind cluster")
+		return nil, err
+	}
+	return kubeConfig, nil
+}
+
+func GetKubeClient(kubeConfigPath ...string) (client.Client, error) {
+	kubeCfg, err := GetKubeConfig(kubeConfigPath...)
+	if err != nil {
+		setupLog.Error(err, "Error getting kubeconfig")
+		return nil, err
+	}
+	kubeClient, err := client.New(kubeCfg, client.Options{Scheme: GetScheme()})
+	if err != nil {
+		setupLog.Error(err, "Error creating kubernetes client")
+		return nil, err
+	}
+	return kubeClient, nil
+}