diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d76225d8b809..0d2f7b60d483 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,6 +28,10 @@ jobs: go-version: ${{ env.go_version }} - name: generate release artifacts run: | + export REGISTRY=docker.io/mesosphere + export PROD_REGISTRY=$REGISTRY + export STAGING_REGISTRY=$REGISTRY + export TAG=${{ env.RELEASE_TAG }} make release - name: Release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v1 @@ -35,3 +39,16 @@ jobs: draft: true files: out/* body: "TODO: Copy release notes shared by the comms team" + - name: Login to Dockerhub Registry + uses: docker/login-action@v2 + with: + username: ${{ secrets.NEXUS_USERNAME }} + password: ${{ secrets.NEXUS_PASSWORD }} + - name: Build and push docker images + run: | + export REGISTRY=docker.io/mesosphere + export PROD_REGISTRY=$REGISTRY + export STAGING_REGISTRY=$REGISTRY + export TAG=${{ env.RELEASE_TAG }} + make ALL_ARCH="amd64 arm64" docker-build-all + make ALL_ARCH="amd64 arm64" docker-push-all diff --git a/config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesets.yaml b/config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesets.yaml index f00315537a2c..bfffa113f709 100644 --- a/config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesets.yaml +++ b/config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesets.yaml @@ -112,6 +112,7 @@ spec: Defaults to ApplyOnce. This field is immutable. enum: - ApplyOnce + - ApplyAlways type: string required: - clusterSelector @@ -439,6 +440,7 @@ spec: Defaults to ApplyOnce. This field is immutable. enum: - ApplyOnce + - ApplyAlways - Reconcile type: string required: diff --git a/exp/addons/api/v1beta1/clusterresourceset_types.go b/exp/addons/api/v1beta1/clusterresourceset_types.go index e64dccd29714..6c9b983c3935 100644 --- a/exp/addons/api/v1beta1/clusterresourceset_types.go +++ b/exp/addons/api/v1beta1/clusterresourceset_types.go @@ -46,7 +46,7 @@ type ClusterResourceSetSpec struct { Resources []ResourceRef `json:"resources,omitempty"` // Strategy is the strategy to be used during applying resources. Defaults to ApplyOnce. This field is immutable. - // +kubebuilder:validation:Enum=ApplyOnce;Reconcile + // +kubebuilder:validation:Enum=ApplyOnce;ApplyAlways;Reconcile // +optional Strategy string `json:"strategy,omitempty"` } @@ -83,6 +83,9 @@ const ( // ClusterResourceSetStrategyReconcile reapplies the resources managed by a ClusterResourceSet // if their normalized hash changes. ClusterResourceSetStrategyReconcile ClusterResourceSetStrategy = "Reconcile" + // ClusterResourceSetStrategyApplyAlways is the strategy where changes to the ClusterResourceSet + // are applied always if they exist already in clusters or created if they do not. + ClusterResourceSetStrategyApplyAlways ClusterResourceSetStrategy = "ApplyAlways" ) // SetTypedStrategy sets the Strategy field to the string representation of ClusterResourceSetStrategy. diff --git a/exp/addons/api/v1beta1/clusterresourceset_webhook.go b/exp/addons/api/v1beta1/clusterresourceset_webhook.go index 61f8f6dc5c02..604a79c3fc5b 100644 --- a/exp/addons/api/v1beta1/clusterresourceset_webhook.go +++ b/exp/addons/api/v1beta1/clusterresourceset_webhook.go @@ -48,6 +48,8 @@ func (m *ClusterResourceSet) Default() { // ClusterResourceSet Strategy defaults to ApplyOnce. if m.Spec.Strategy == "" { m.Spec.Strategy = string(ClusterResourceSetStrategyApplyOnce) + } else if m.Spec.Strategy == string(ClusterResourceSetStrategyApplyAlways) { + m.Spec.Strategy = string(ClusterResourceSetStrategyReconcile) } } @@ -98,10 +100,15 @@ func (m *ClusterResourceSet) validate(old *ClusterResourceSet) error { } if old != nil && old.Spec.Strategy != "" && old.Spec.Strategy != m.Spec.Strategy { - allErrs = append( - allErrs, - field.Invalid(field.NewPath("spec", "strategy"), m.Spec.Strategy, "field is immutable"), - ) + // Allow changing from ApplyAlways (a strategy that was added in this fork) to Reconcile. + // ApplyAlways is an "alias" for Reconcile and migrating to Reconcile will enable us to stop using a fork. + if !(old.Spec.Strategy == string(ClusterResourceSetStrategyApplyAlways) && + m.Spec.Strategy == string(ClusterResourceSetStrategyReconcile)) { + allErrs = append( + allErrs, + field.Invalid(field.NewPath("spec", "strategy"), m.Spec.Strategy, "field is immutable"), + ) + } } if old != nil && !reflect.DeepEqual(old.Spec.ClusterSelector, m.Spec.ClusterSelector) { diff --git a/exp/addons/api/v1beta1/clusterresourceset_webhook_test.go b/exp/addons/api/v1beta1/clusterresourceset_webhook_test.go index 525300b0cc43..2c76bab85003 100644 --- a/exp/addons/api/v1beta1/clusterresourceset_webhook_test.go +++ b/exp/addons/api/v1beta1/clusterresourceset_webhook_test.go @@ -38,6 +38,23 @@ func TestClusterResourcesetDefault(t *testing.T) { g.Expect(clusterResourceSet.Spec.Strategy).To(Equal(string(ClusterResourceSetStrategyApplyOnce))) } +func TestClusterResourcesetDefaultWithClusterResourceSetStrategyApplyAlways(t *testing.T) { + g := NewWithT(t) + clusterResourceSet := &ClusterResourceSet{ + Spec: ClusterResourceSetSpec{ + Strategy: string(ClusterResourceSetStrategyApplyAlways), + }, + } + defaultingValidationCRS := clusterResourceSet.DeepCopy() + defaultingValidationCRS.Spec.ClusterSelector = metav1.LabelSelector{ + MatchLabels: map[string]string{"foo": "bar"}, + } + t.Run("for ClusterResourceSet", utildefaulting.DefaultValidateTest(defaultingValidationCRS)) + clusterResourceSet.Default() + + g.Expect(clusterResourceSet.Spec.Strategy).To(Equal(string(ClusterResourceSetStrategyReconcile))) +} + func TestClusterResourceSetLabelSelectorAsSelectorValidation(t *testing.T) { tests := []struct { name string @@ -104,6 +121,18 @@ func TestClusterResourceSetStrategyImmutable(t *testing.T) { newStrategy: "", expectErr: true, }, + { + name: "when the Strategy has changed, but the old value was ApplyAlways", + oldStrategy: string(ClusterResourceSetStrategyApplyAlways), + newStrategy: string(ClusterResourceSetStrategyReconcile), + expectErr: false, + }, + { + name: "when the Strategy has changed, but the old value was ApplyAlways and the new value is ApplyOnce", + oldStrategy: string(ClusterResourceSetStrategyApplyAlways), + newStrategy: string(ClusterResourceSetStrategyApplyOnce), + expectErr: true, + }, } for _, tt := range tests { diff --git a/exp/addons/internal/controllers/clusterresourceset_controller_test.go b/exp/addons/internal/controllers/clusterresourceset_controller_test.go index 916a1687d6fa..644d9fb6db45 100644 --- a/exp/addons/internal/controllers/clusterresourceset_controller_test.go +++ b/exp/addons/internal/controllers/clusterresourceset_controller_test.go @@ -996,6 +996,392 @@ metadata: return err == nil }, timeout).Should(BeTrue()) }) + + t.Run("Should create ClusterResourceSet with strategy 'AlwaysApply' and reconcile when configmap changes data", func(t *testing.T) { + g := NewWithT(t) + ns := setup(t, g) + defer teardown(t, g, ns) + + t.Log("Updating the cluster with labels") + testCluster.SetLabels(labels) + g.Expect(env.Update(ctx, testCluster)).To(Succeed()) + + clusterResourceSetInstance := &addonsv1.ClusterResourceSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: clusterResourceSetName, + Namespace: ns.Name, + }, + Spec: addonsv1.ClusterResourceSetSpec{ + ClusterSelector: metav1.LabelSelector{ + MatchLabels: labels, + }, + Strategy: "ApplyAlways", + Resources: []addonsv1.ResourceRef{{Name: configmapName, Kind: "ConfigMap"}}, + }, + } + // Create the ClusterResourceSet. + g.Expect(env.Create(ctx, clusterResourceSetInstance)).To(Succeed()) + + // Wait until ClusterResourceSetBinding is created for the Cluster + clusterResourceSetBindingKey := client.ObjectKey{ + Namespace: testCluster.Namespace, + Name: testCluster.Name, + } + + t.Log("Getting ClusterResourceSetBinding") + oldHash := "" + g.Eventually(func() bool { + binding := &addonsv1.ClusterResourceSetBinding{} + err := env.Get(ctx, clusterResourceSetBindingKey, binding) + if err != nil { + return false + } + + bindings := binding.Spec.Bindings + // should only have one binding + if len(bindings) != 1 { + return false + } + + // only one resource is applied + resource := bindings[0].Resources[0] + oldHash = resource.Hash + return resource.Applied + }, timeout).Should(BeTrue()) + + // Get configmap obj, update the configmap + cmKey := client.ObjectKey{ + Namespace: ns.Name, + Name: configmapName, + } + cm := &corev1.ConfigMap{} + g.Expect(env.Get(ctx, cmKey, cm)).To(Succeed()) + + cmUpdate := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: cm.GetName(), + Namespace: cm.GetNamespace(), + ResourceVersion: cm.ResourceVersion, + UID: cm.GetUID(), + }, + Data: map[string]string{ + "cm": `kind: ConfigMap +apiVersion: v1 +metadata: + name: resource-configmap + namespace: default +data: + hello: "world!"`, + }, + } + + // update the configmap data + t.Log("Updating the configmap resource") + g.Expect(env.Update(ctx, cmUpdate)).To(Succeed()) + + t.Log("Check if reconciled hash has updated for the changed configmap resource") + g.Eventually(func() bool { + binding := &addonsv1.ClusterResourceSetBinding{} + err := env.Get(ctx, clusterResourceSetBindingKey, binding) + if err != nil { + return false + } + + bindings := binding.Spec.Bindings + // should only have one binding + if len(bindings) != 1 { + return false + } + + // only one resource is applied + resource := bindings[0].Resources[0] + return resource.Hash != oldHash + }, timeout).Should(BeTrue()) + }) + + t.Run("Should create ClusterResourceSet with strategy 'AlwaysApply' and reconcile when secret changes data", func(t *testing.T) { + g := NewWithT(t) + ns := setup(t, g) + defer teardown(t, g, ns) + + t.Log("Updating the cluster with labels") + testCluster.SetLabels(labels) + g.Expect(env.Update(ctx, testCluster)).To(Succeed()) + + clusterResourceSetInstance := &addonsv1.ClusterResourceSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: clusterResourceSetName, + Namespace: ns.Name, + }, + Spec: addonsv1.ClusterResourceSetSpec{ + ClusterSelector: metav1.LabelSelector{ + MatchLabels: labels, + }, + Strategy: "ApplyAlways", + Resources: []addonsv1.ResourceRef{{Name: secretName, Kind: "Secret"}}, + }, + } + // Create the ClusterResourceSet. + g.Expect(env.Create(ctx, clusterResourceSetInstance)).To(Succeed()) + + // Wait until ClusterResourceSetBinding is created for the Cluster + clusterResourceSetBindingKey := client.ObjectKey{ + Namespace: testCluster.Namespace, + Name: testCluster.Name, + } + + t.Log("Getting ClusterResourceSetBinding") + oldHash := "" + g.Eventually(func() bool { + binding := &addonsv1.ClusterResourceSetBinding{} + err := env.Get(ctx, clusterResourceSetBindingKey, binding) + if err != nil { + return false + } + + bindings := binding.Spec.Bindings + // should only have one binding + if len(bindings) != 1 { + return false + } + + // only one resource is applied + resource := bindings[0].Resources[0] + oldHash = resource.Hash + return resource.Applied + }, timeout).Should(BeTrue()) + + secretKey := client.ObjectKey{ + Namespace: ns.Name, + Name: secretName, + } + secret := &corev1.Secret{} + g.Expect(env.Get(ctx, secretKey, secret)).To(Succeed()) + + secretUpdate := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: secret.GetName(), + Namespace: secret.GetNamespace(), + ResourceVersion: secret.ResourceVersion, + UID: secret.GetUID(), + }, + Type: "addons.cluster.x-k8s.io/resource-set", + StringData: map[string]string{ + "cm": `kind: ConfigMap +apiVersion: v1 +metadata: + name: resource-configmap + namespace: default +data: + hello: "world!"`, + }, + } + + // update the secret data + t.Log("Updating the secret resource") + g.Expect(env.Update(ctx, secretUpdate)).To(Succeed()) + + t.Log("Check if reconciled hash has updated for the changed secret resource") + g.Eventually(func() bool { + binding := &addonsv1.ClusterResourceSetBinding{} + err := env.Get(ctx, clusterResourceSetBindingKey, binding) + if err != nil { + return false + } + + bindings := binding.Spec.Bindings + // should only have one binding + if len(bindings) != 1 { + return false + } + + // only one resource is applied + resource := bindings[0].Resources[0] + return resource.Hash != oldHash + }, timeout).Should(BeTrue()) + }) + + t.Run("Should create ClusterResourceSet with strategy 'AlwaysApply' and reconcile configmap only once if data has not changed", func(t *testing.T) { + g := NewWithT(t) + ns := setup(t, g) + defer teardown(t, g, ns) + + t.Log("Updating the cluster with labels") + testCluster.SetLabels(labels) + g.Expect(env.Update(ctx, testCluster)).To(Succeed()) + + clusterResourceSetInstance := &addonsv1.ClusterResourceSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: clusterResourceSetName, + Namespace: ns.Name, + }, + Spec: addonsv1.ClusterResourceSetSpec{ + ClusterSelector: metav1.LabelSelector{ + MatchLabels: labels, + }, + Strategy: "ApplyAlways", + Resources: []addonsv1.ResourceRef{{Name: configmapName, Kind: "ConfigMap"}}, + }, + } + // Create the ClusterResourceSet. + g.Expect(env.Create(ctx, clusterResourceSetInstance)).To(Succeed()) + + // Wait until ClusterResourceSetBinding is created for the Cluster + clusterResourceSetBindingKey := client.ObjectKey{ + Namespace: testCluster.Namespace, + Name: testCluster.Name, + } + + // Wait until ClusterResourceSetBinding is created for the Cluster + t.Log("Waiting for the ClusterResourceSetBinding to be created") + oldHash := "" + var oldLastAppliedTime *metav1.Time + g.Eventually(func() bool { + binding := &addonsv1.ClusterResourceSetBinding{} + err := env.Get(ctx, clusterResourceSetBindingKey, binding) + if err != nil { + return false + } + + bindings := binding.Spec.Bindings + // should only have one binding + if len(bindings) != 1 { + return false + } + + // only one resource is applied + resource := bindings[0].Resources[0] + oldHash = resource.Hash + oldLastAppliedTime = resource.LastAppliedTime + return resource.Applied + }, timeout).Should(BeTrue()) + + // Get configmap obj, update the configmap + cmKey := client.ObjectKey{ + Namespace: ns.Name, + Name: configmapName, + } + cm := &corev1.ConfigMap{} + g.Expect(env.Get(ctx, cmKey, cm)).To(Succeed()) + + cm.Labels = map[string]string{"foo": "bar"} + + // The CRS controller writes a lastAppliedTime field, which is of type metav1.Time. The precision at most a + // second. Therefore, if the controller re-applies the resource twice within one second, the lastAppliedTime + // value is unlikely to change. Our test below compares the lastAppliedTime values of two reconciles, so we wait + // to prevent the reconciles from running within the same second. Related issue: https://issues.k8s.io/15262 + t.Log("Letting some time pass before updating the resource, so that lastAppliedTime will be different.") + time.Sleep(2 * time.Second) + + // update the configmap data + t.Log("Updating the configmap resource") + g.Expect(env.Update(ctx, cm)).To(Succeed()) + + t.Log("Verifying that resource is not re-applied over a period of time.") + g.Consistently(func() bool { + binding := &addonsv1.ClusterResourceSetBinding{} + err := env.Get(ctx, clusterResourceSetBindingKey, binding) + if err != nil { + return false + } + + bindings := binding.Spec.Bindings + // only one resource is applied + resource := bindings[0].Resources[0] + return oldHash == resource.Hash && oldLastAppliedTime.Equal(resource.LastAppliedTime) + }, timeout).Should(BeTrue()) + }) + + t.Run("Should create ClusterResourceSet with strategy 'AlwaysApply' and reconcile secrets only once if data has not changed", func(t *testing.T) { + g := NewWithT(t) + ns := setup(t, g) + defer teardown(t, g, ns) + + t.Log("Updating the cluster with labels") + testCluster.SetLabels(labels) + g.Expect(env.Update(ctx, testCluster)).To(Succeed()) + + clusterResourceSetInstance := &addonsv1.ClusterResourceSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: clusterResourceSetName, + Namespace: ns.Name, + }, + Spec: addonsv1.ClusterResourceSetSpec{ + ClusterSelector: metav1.LabelSelector{ + MatchLabels: labels, + }, + Strategy: "ApplyAlways", + Resources: []addonsv1.ResourceRef{{Name: secretName, Kind: "Secret"}}, + }, + } + // Create the ClusterResourceSet. + g.Expect(env.Create(ctx, clusterResourceSetInstance)).To(Succeed()) + + // Wait until ClusterResourceSetBinding is created for the Cluster + clusterResourceSetBindingKey := client.ObjectKey{ + Namespace: testCluster.Namespace, + Name: testCluster.Name, + } + + t.Log("Waiting for the ClusterResourceSetBinding to be created") + oldHash := "" + var oldLastAppliedTime *metav1.Time + g.Eventually(func() bool { + binding := &addonsv1.ClusterResourceSetBinding{} + err := env.Get(ctx, clusterResourceSetBindingKey, binding) + if err != nil { + return false + } + + bindings := binding.Spec.Bindings + // should only have one binding + if len(bindings) != 1 { + return false + } + + // only one resource is applied + resource := bindings[0].Resources[0] + oldHash = resource.Hash + oldLastAppliedTime = resource.LastAppliedTime + return resource.Applied + }, timeout).Should(BeTrue()) + + secretKey := client.ObjectKey{ + Namespace: ns.Name, + Name: secretName, + } + secret := &corev1.Secret{} + g.Expect(env.Get(ctx, secretKey, secret)).To(Succeed()) + + // Overwrite the Secret labels to cause the ClusterResourceSet controller to reconcile any CRS that references + // the Secret. + secret.Labels = map[string]string{"foo": "bar"} + + // The CRS controller writes a lastAppliedTime field, which is of type metav1.Time. The precision at most a + // second. Therefore, if the controller re-applies the resource twice within one second, the lastAppliedTime + // value is unlikely to change. Our test below compares the lastAppliedTime values of two reconciles, so we wait + // to prevent the reconciles from running within the same second. Related issue: https://issues.k8s.io/15262 + t.Log("Letting some time pass before updating the resource, so that lastAppliedTime will be different.") + time.Sleep(2 * time.Second) + + // update the secrete, but not its data + t.Log("Updating the secret resource") + g.Expect(env.Update(ctx, secret)).To(Succeed()) + + t.Log("Verifying that resource is not re-applied over a period of time.") + g.Consistently(func() bool { + binding := &addonsv1.ClusterResourceSetBinding{} + err := env.Get(ctx, clusterResourceSetBindingKey, binding) + if err != nil { + return false + } + + bindings := binding.Spec.Bindings + // only one resource is applied + resource := bindings[0].Resources[0] + return oldHash == resource.Hash && oldLastAppliedTime.Equal(resource.LastAppliedTime) + }, timeout).Should(BeTrue()) + }) } func clusterResourceSetBindingReady(env *envtest.Environment, cluster *clusterv1.Cluster) func() bool { diff --git a/exp/addons/internal/controllers/clusterresourceset_scope.go b/exp/addons/internal/controllers/clusterresourceset_scope.go index 921a752e0d54..396b6dc3c1d7 100644 --- a/exp/addons/internal/controllers/clusterresourceset_scope.go +++ b/exp/addons/internal/controllers/clusterresourceset_scope.go @@ -82,6 +82,8 @@ func newResourceReconcileScope( return &reconcileApplyOnceScope{base} case addonsv1.ClusterResourceSetStrategyReconcile: return &reconcileStrategyScope{base} + case addonsv1.ClusterResourceSetStrategyApplyAlways: + return &reconcileStrategyScope{base} default: return nil }