diff --git a/src/internal/packager2/layout/create.go b/src/internal/packager2/layout/create.go new file mode 100644 index 0000000000..c9c0a0845c --- /dev/null +++ b/src/internal/packager2/layout/create.go @@ -0,0 +1,475 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package layout + +import ( + "archive/tar" + "context" + "crypto/sha256" + "encoding/hex" + "fmt" + "io" + "io/fs" + "os" + "path/filepath" + "runtime" + "slices" + "strconv" + "strings" + "time" + + "github.com/defenseunicorns/pkg/helpers/v2" + goyaml "github.com/goccy/go-yaml" + "github.com/mholt/archiver/v3" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" + + "github.com/zarf-dev/zarf/src/api/v1alpha1" + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/config/lang" + "github.com/zarf-dev/zarf/src/internal/packager/helm" + "github.com/zarf-dev/zarf/src/internal/packager/kustomize" + "github.com/zarf-dev/zarf/src/pkg/lint" + "github.com/zarf-dev/zarf/src/pkg/packager/deprecated" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/pkg/zoci" +) + +// CreateOptions are the options for creating a skeleton package. +type CreateOptions struct { + Flavor string + RegistryOverrides map[string]string + SigningKeyPath string + SigningKeyPassword string + SetVariables map[string]string +} + +// CreateSkeleton creates a skeleton package and returns the path to the created package. +func CreateSkeleton(ctx context.Context, packagePath string, opt CreateOptions) (string, error) { + b, err := os.ReadFile(filepath.Join(packagePath, ZarfYAML)) + if err != nil { + return "", err + } + var pkg v1alpha1.ZarfPackage + err = goyaml.Unmarshal(b, &pkg) + if err != nil { + return "", err + } + buildPath, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return "", err + } + + pkg.Metadata.Architecture = config.GetArch() + + pkg, err = resolveImports(ctx, pkg, packagePath, pkg.Metadata.Architecture, opt.Flavor) + if err != nil { + return "", err + } + + pkg.Metadata.Architecture = zoci.SkeletonArch + + err = validate(pkg, packagePath, opt.SetVariables) + if err != nil { + return "", err + } + + for _, component := range pkg.Components { + err := assembleComponent(component, packagePath, buildPath) + if err != nil { + return "", err + } + } + + checksumContent, checksumSha, err := getChecksum(buildPath) + if err != nil { + return "", err + } + checksumPath := filepath.Join(buildPath, Checksums) + err = os.WriteFile(checksumPath, []byte(checksumContent), helpers.ReadWriteUser) + if err != nil { + return "", err + } + pkg.Metadata.AggregateChecksum = checksumSha + + pkg = recordPackageMetadata(pkg, opt.Flavor, opt.RegistryOverrides) + + b, err = goyaml.Marshal(pkg) + if err != nil { + return "", err + } + err = os.WriteFile(filepath.Join(buildPath, ZarfYAML), b, helpers.ReadWriteUser) + if err != nil { + return "", err + } + + err = signPackage(buildPath, opt.SigningKeyPath, opt.SigningKeyPassword) + if err != nil { + return "", err + } + + return buildPath, nil +} + +func validate(pkg v1alpha1.ZarfPackage, packagePath string, setVariables map[string]string) error { + err := lint.ValidatePackage(pkg) + if err != nil { + return fmt.Errorf("package validation failed: %w", err) + } + findings, err := lint.ValidatePackageSchemaAtPath(packagePath, setVariables) + if err != nil { + return fmt.Errorf("unable to check schema: %w", err) + } + if len(findings) == 0 { + return nil + } + return &lint.LintError{ + BaseDir: packagePath, + PackageName: pkg.Metadata.Name, + Findings: findings, + } +} + +func assembleComponent(component v1alpha1.ZarfComponent, packagePath, buildPath string) error { + tmpBuildPath, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return err + } + defer os.RemoveAll(tmpBuildPath) + compBuildPath := filepath.Join(tmpBuildPath, component.Name) + err = os.MkdirAll(compBuildPath, 0o700) + if err != nil { + return err + } + + for chartIdx, chart := range component.Charts { + if chart.LocalPath != "" { + rel := filepath.Join(string(ChartsComponentDir), fmt.Sprintf("%s-%d", chart.Name, chartIdx)) + dst := filepath.Join(compBuildPath, rel) + + err := helpers.CreatePathAndCopy(filepath.Join(packagePath, chart.LocalPath), dst) + if err != nil { + return err + } + + component.Charts[chartIdx].LocalPath = rel + } + + for valuesIdx, path := range chart.ValuesFiles { + if helpers.IsURL(path) { + continue + } + + rel := fmt.Sprintf("%s-%d", helm.StandardName(string(ValuesComponentDir), chart), valuesIdx) + component.Charts[chartIdx].ValuesFiles[valuesIdx] = rel + + if err := helpers.CreatePathAndCopy(filepath.Join(packagePath, path), filepath.Join(compBuildPath, rel)); err != nil { + return fmt.Errorf("unable to copy chart values file %s: %w", path, err) + } + } + } + + for filesIdx, file := range component.Files { + if helpers.IsURL(file.Source) { + continue + } + + rel := filepath.Join(string(FilesComponentDir), strconv.Itoa(filesIdx), filepath.Base(file.Target)) + dst := filepath.Join(compBuildPath, rel) + destinationDir := filepath.Dir(dst) + + if file.ExtractPath != "" { + if err := archiver.Extract(filepath.Join(packagePath, file.Source), file.ExtractPath, destinationDir); err != nil { + return fmt.Errorf(lang.ErrFileExtract, file.ExtractPath, file.Source, err.Error()) + } + + // Make sure dst reflects the actual file or directory. + updatedExtractedFileOrDir := filepath.Join(destinationDir, file.ExtractPath) + if updatedExtractedFileOrDir != dst { + if err := os.Rename(updatedExtractedFileOrDir, dst); err != nil { + return fmt.Errorf(lang.ErrWritingFile, dst, err) + } + } + } else { + if err := helpers.CreatePathAndCopy(filepath.Join(packagePath, file.Source), dst); err != nil { + return fmt.Errorf("unable to copy file %s: %w", file.Source, err) + } + } + + // Change the source to the new relative source directory (any remote files will have been skipped above) + component.Files[filesIdx].Source = rel + + // Remove the extractPath from a skeleton since it will already extract it + component.Files[filesIdx].ExtractPath = "" + + // Abort packaging on invalid shasum (if one is specified). + if file.Shasum != "" { + if err := helpers.SHAsMatch(dst, file.Shasum); err != nil { + return err + } + } + + if file.Executable || helpers.IsDir(dst) { + err = os.Chmod(dst, helpers.ReadWriteExecuteUser) + if err != nil { + return err + } + } else { + err = os.Chmod(dst, helpers.ReadWriteUser) + if err != nil { + return err + } + } + } + + for dataIdx, data := range component.DataInjections { + rel := filepath.Join(string(DataComponentDir), strconv.Itoa(dataIdx), filepath.Base(data.Target.Path)) + dst := filepath.Join(compBuildPath, rel) + + if err := helpers.CreatePathAndCopy(filepath.Join(packagePath, data.Source), dst); err != nil { + return fmt.Errorf("unable to copy data injection %s: %s", data.Source, err.Error()) + } + + component.DataInjections[dataIdx].Source = rel + } + + // Iterate over all manifests. + for manifestIdx, manifest := range component.Manifests { + for fileIdx, path := range manifest.Files { + rel := filepath.Join(string(ManifestsComponentDir), fmt.Sprintf("%s-%d.yaml", manifest.Name, fileIdx)) + dst := filepath.Join(compBuildPath, rel) + + // Copy manifests without any processing. + if err := helpers.CreatePathAndCopy(filepath.Join(packagePath, path), dst); err != nil { + return fmt.Errorf("unable to copy manifest %s: %w", path, err) + } + + component.Manifests[manifestIdx].Files[fileIdx] = rel + } + + for kustomizeIdx, path := range manifest.Kustomizations { + // Generate manifests from kustomizations and place in the package. + kname := fmt.Sprintf("kustomization-%s-%d.yaml", manifest.Name, kustomizeIdx) + rel := filepath.Join(string(ManifestsComponentDir), kname) + dst := filepath.Join(compBuildPath, rel) + + if err := kustomize.Build(filepath.Join(packagePath, path), dst, manifest.KustomizeAllowAnyDirectory); err != nil { + return fmt.Errorf("unable to build kustomization %s: %w", path, err) + } + } + + // remove kustomizations + component.Manifests[manifestIdx].Kustomizations = nil + } + + // Write the tar component. + entries, err := os.ReadDir(compBuildPath) + if err != nil { + return err + } + if len(entries) == 0 { + return nil + } + err = os.MkdirAll(filepath.Join(compBuildPath, "temp"), 0o700) + if err != nil { + return err + } + tarPath := filepath.Join(buildPath, "components", fmt.Sprintf("%s.tar", component.Name)) + err = os.MkdirAll(filepath.Join(buildPath, "components"), 0o700) + if err != nil { + return err + } + err = createReproducibleTarballFromDir(compBuildPath, component.Name, tarPath) + if err != nil { + return err + } + return nil +} + +func recordPackageMetadata(pkg v1alpha1.ZarfPackage, flavor string, registryOverrides map[string]string) v1alpha1.ZarfPackage { + now := time.Now() + // Just use $USER env variable to avoid CGO issue. + // https://groups.google.com/g/golang-dev/c/ZFDDX3ZiJ84. + // Record the name of the user creating the package. + if runtime.GOOS == "windows" { + pkg.Build.User = os.Getenv("USERNAME") + } else { + pkg.Build.User = os.Getenv("USER") + } + + // Record the hostname of the package creation terminal. + // The error here is ignored because the hostname is not critical to the package creation. + hostname, _ := os.Hostname() + pkg.Build.Terminal = hostname + + if pkg.IsInitConfig() { + pkg.Metadata.Version = config.CLIVersion + } + + pkg.Build.Architecture = pkg.Metadata.Architecture + + // Record the Zarf Version the CLI was built with. + pkg.Build.Version = config.CLIVersion + + // Record the time of package creation. + pkg.Build.Timestamp = now.Format(time.RFC1123Z) + + // Record the migrations that will be ran on the package. + pkg.Build.Migrations = []string{ + deprecated.ScriptsToActionsMigrated, + deprecated.PluralizeSetVariable, + } + + // Record the flavor of Zarf used to build this package (if any). + pkg.Build.Flavor = flavor + + pkg.Build.RegistryOverrides = registryOverrides + + // Record the latest version of Zarf without breaking changes to the package structure. + pkg.Build.LastNonBreakingVersion = deprecated.LastNonBreakingVersion + + return pkg +} + +func getChecksum(dirPath string) (string, string, error) { + checksumData := []string{} + err := filepath.Walk(dirPath, func(path string, info fs.FileInfo, err error) error { + if err != nil { + return err + } + if info.IsDir() { + return nil + } + rel, err := filepath.Rel(dirPath, path) + if err != nil { + return err + } + if rel == ZarfYAML || rel == Checksums { + return nil + } + sum, err := helpers.GetSHA256OfFile(path) + if err != nil { + return err + } + checksumData = append(checksumData, fmt.Sprintf("%s %s", sum, filepath.ToSlash(rel))) + return nil + }) + if err != nil { + return "", "", err + } + slices.Sort(checksumData) + + checksumContent := strings.Join(checksumData, "\n") + "\n" + sha := sha256.Sum256([]byte(checksumContent)) + return checksumContent, hex.EncodeToString(sha[:]), nil +} + +func signPackage(dirPath, signingKeyPath, signingKeyPassword string) error { + if signingKeyPath == "" { + return nil + } + passFunc := func(_ bool) ([]byte, error) { + return []byte(signingKeyPassword), nil + } + keyOpts := options.KeyOpts{ + KeyRef: signingKeyPath, + PassFunc: passFunc, + } + rootOpts := &options.RootOptions{ + Verbose: false, + Timeout: options.DefaultTimeout, + } + _, err := sign.SignBlobCmd( + rootOpts, + keyOpts, + filepath.Join(dirPath, ZarfYAML), + true, + filepath.Join(dirPath, Signature), + "", + false) + if err != nil { + return err + } + return nil +} + +func createReproducibleTarballFromDir(dirPath, dirPrefix, tarballPath string) error { + tb, err := os.Create(tarballPath) + if err != nil { + return fmt.Errorf("error creating tarball: %w", err) + } + defer tb.Close() + + tw := tar.NewWriter(tb) + defer tw.Close() + + // Walk through the directory and process each file + return filepath.Walk(dirPath, func(filePath string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + link := "" + if info.Mode().Type() == os.ModeSymlink { + link, err = os.Readlink(filePath) + if err != nil { + return fmt.Errorf("error reading symlink: %w", err) + } + } + + // Create a new header + header, err := tar.FileInfoHeader(info, link) + if err != nil { + return fmt.Errorf("error creating tar header: %w", err) + } + + // Strip non-deterministic header data + header.ModTime = time.Time{} + header.AccessTime = time.Time{} + header.ChangeTime = time.Time{} + header.Uid = 0 + header.Gid = 0 + header.Uname = "" + header.Gname = "" + + // When run on windows the header mode will set all permission octals to the same value as the first octal. + // A file created with 0o700 will return 0o777 when read back. This discrepancy causes differences between packages + // created on Windows and Linux. + // https://medium.com/@MichalPristas/go-and-file-perms-on-windows-3c944d55dd44 + // To mitigate this difference we zero all but the last permission octal when writing files to the tar. Making sure + // that when unpackaged files from packages created on Windows and Linux will have the same permissions. + // The &^ operator called AND NOT sets the bits to 0 in the left hand if the right hand bits are 1. + // https://medium.com/learning-the-go-programming-language/bit-hacking-with-go-e0acee258827 + header.Mode = header.Mode &^ 0o077 + + // Ensure the header's name is correctly set relative to the base directory + name, err := filepath.Rel(dirPath, filePath) + if err != nil { + return fmt.Errorf("error getting relative path: %w", err) + } + name = filepath.Join(dirPrefix, name) + name = filepath.ToSlash(name) + header.Name = name + + // Write the header to the tarball + if err := tw.WriteHeader(header); err != nil { + return fmt.Errorf("error writing header: %w", err) + } + + // If it's a file, write its content + if info.Mode().IsRegular() { + file, err := os.Open(filePath) + if err != nil { + return fmt.Errorf("error opening file: %w", err) + } + defer file.Close() + + if _, err := io.Copy(tw, file); err != nil { + return fmt.Errorf("error writing file to tarball: %w", err) + } + } + + return nil + }) +} diff --git a/src/internal/packager2/layout/create_test.go b/src/internal/packager2/layout/create_test.go new file mode 100644 index 0000000000..7e29bb875a --- /dev/null +++ b/src/internal/packager2/layout/create_test.go @@ -0,0 +1,109 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package layout + +import ( + "os" + "path/filepath" + "testing" + + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/stretchr/testify/require" + + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/lint" + "github.com/zarf-dev/zarf/src/test/testutil" +) + +func TestCreateSkeleton(t *testing.T) { + t.Parallel() + + ctx := testutil.TestContext(t) + + lint.ZarfSchema = testutil.LoadSchema(t, "../../../../zarf.schema.json") + + opt := CreateOptions{} + path, err := CreateSkeleton(ctx, "./testdata/zarf-package", opt) + require.NoError(t, err) + + pkgPath := layout.New(path) + _, warnings, err := pkgPath.ReadZarfYAML() + require.NoError(t, err) + require.Empty(t, warnings) + b, err := os.ReadFile(filepath.Join(pkgPath.Base, "checksums.txt")) + require.NoError(t, err) + expectedChecksum := `54f657b43323e1ebecb0758835b8d01a0113b61b7bab0f4a8156f031128d00f9 components/data-injections.tar +879bfe82d20f7bdcd60f9e876043cc4343af4177a6ee8b2660c304a5b6c70be7 components/files.tar +c497f1a56559ea0a9664160b32e4b377df630454ded6a3787924130c02f341a6 components/manifests.tar +fb7ebee94a4479bacddd71195030a483b0b0b96d4f73f7fcd2c2c8e0fce0c5c6 components/helm-charts.tar +` + require.Equal(t, expectedChecksum, string(b)) +} + +func TestGetChecksum(t *testing.T) { + t.Parallel() + + tmpDir := t.TempDir() + files := map[string]string{ + "empty.txt": "", + "foo": "bar", + "zarf.yaml": "Zarf Yaml Data", + "checksums.txt": "Old Checksum Data", + "nested/directory/file.md": "nested", + } + for k, v := range files { + err := os.MkdirAll(filepath.Join(tmpDir, filepath.Dir(k)), 0o700) + require.NoError(t, err) + err = os.WriteFile(filepath.Join(tmpDir, k), []byte(v), 0o600) + require.NoError(t, err) + } + + checksumContent, checksumHash, err := getChecksum(tmpDir) + require.NoError(t, err) + + expectedContent := `233562de1a0288b139c4fa40b7d189f806e906eeb048517aeb67f34ac0e2faf1 nested/directory/file.md +e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty.txt +fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9 foo +` + require.Equal(t, expectedContent, checksumContent) + require.Equal(t, "7c554cf67e1c2b50a1b728299c368cd56d53588300c37479623f29a52812ca3f", checksumHash) +} + +func TestSignPackage(t *testing.T) { + t.Parallel() + + tmpDir := t.TempDir() + yamlPath := filepath.Join(tmpDir, "zarf.yaml") + signedPath := filepath.Join(tmpDir, "zarf.yaml.sig") + + err := os.WriteFile(yamlPath, []byte("foobar"), 0o644) + require.NoError(t, err) + + err = signPackage(tmpDir, "", "") + require.NoError(t, err) + require.NoFileExists(t, signedPath) + + err = signPackage(tmpDir, "./testdata/cosign.key", "wrongpassword") + require.EqualError(t, err, "reading key: decrypt: encrypted: decryption failed") + + err = signPackage(tmpDir, "./testdata/cosign.key", "test") + require.NoError(t, err) + require.FileExists(t, signedPath) +} + +func TestCreateReproducibleTarballFromDir(t *testing.T) { + t.Parallel() + + tmpDir := t.TempDir() + err := os.WriteFile(filepath.Join(tmpDir, "test.txt"), []byte("hello world"), 0o600) + require.NoError(t, err) + tarPath := filepath.Join(t.TempDir(), "data.tar") + + err = createReproducibleTarballFromDir(tmpDir, "", tarPath) + require.NoError(t, err) + + shaSum, err := helpers.GetSHA256OfFile(tarPath) + require.NoError(t, err) + require.Equal(t, "c09d17f612f241cdf549e5fb97c9e063a8ad18ae7a9f3af066332ed6b38556ad", shaSum) +} diff --git a/src/internal/packager2/layout/import.go b/src/internal/packager2/layout/import.go new file mode 100644 index 0000000000..a1c917eee0 --- /dev/null +++ b/src/internal/packager2/layout/import.go @@ -0,0 +1,414 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package layout + +import ( + "context" + "errors" + "fmt" + "os" + "path/filepath" + "slices" + + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/defenseunicorns/pkg/oci" + "github.com/mholt/archiver/v3" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + ocistore "oras.land/oras-go/v2/content/oci" + + "github.com/zarf-dev/zarf/src/api/v1alpha1" + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/zoci" +) + +func resolveImports(ctx context.Context, pkg v1alpha1.ZarfPackage, packagePath, arch, flavor string) (v1alpha1.ZarfPackage, error) { + variables := pkg.Variables + constants := pkg.Constants + components := []v1alpha1.ZarfComponent{} + + for _, component := range pkg.Components { + if !compatibleComponent(component, pkg.Metadata.Architecture, flavor) { + continue + } + + // Skip as component does not have any imports. + if component.Import.Path == "" && component.Import.URL == "" { + components = append(components, component) + continue + } + + if err := validateComponentCompose(component); err != nil { + return v1alpha1.ZarfPackage{}, fmt.Errorf("invalid imported definition for %s: %w", component.Name, err) + } + + var importedPkg v1alpha1.ZarfPackage + if component.Import.Path != "" { + b, err := os.ReadFile(filepath.Join(packagePath, component.Import.Path, layout.ZarfYAML)) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + importedPkg, err = ParseZarfPackage(b) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + } else if component.Import.URL != "" { + remote, err := zoci.NewRemote(component.Import.URL, zoci.PlatformForSkeleton()) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + _, err = remote.ResolveRoot(ctx) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + importedPkg, err = remote.FetchZarfYAML(ctx) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + } + + name := component.Name + if component.Import.Name != "" { + name = component.Import.Name + } + found := []v1alpha1.ZarfComponent{} + for _, component := range importedPkg.Components { + if component.Name == name && compatibleComponent(component, arch, flavor) { + found = append(found, component) + } + } + if len(found) == 0 { + return v1alpha1.ZarfPackage{}, fmt.Errorf("component %s not found", name) + } else if len(found) > 1 { + return v1alpha1.ZarfPackage{}, fmt.Errorf("multiple components named %s found", name) + } + importedComponent := found[0] + if importedComponent.Import.Path != "" || importedComponent.Import.URL != "" { + return v1alpha1.ZarfPackage{}, fmt.Errorf("imported component %s has imports which is not supported", importedComponent.Name) + } + + importPath, err := fetchOCISkeleton(ctx, component, packagePath) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + importedComponent = fixPaths(importedComponent, importPath, packagePath) + composed, err := overrideMetadata(importedComponent, component) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + composed = overrideDeprecated(composed, component) + composed = overrideActions(composed, component) + composed = overrideResources(composed, component) + + components = append(components, composed) + variables = append(variables, importedPkg.Variables...) + constants = append(constants, importedPkg.Constants...) + } + + pkg.Components = components + pkg.Variables = slices.CompactFunc(variables, func(l, r v1alpha1.InteractiveVariable) bool { + return l.Name == r.Name + }) + pkg.Constants = slices.CompactFunc(constants, func(l, r v1alpha1.Constant) bool { + return l.Name == r.Name + }) + + return pkg, nil +} + +func validateComponentCompose(c v1alpha1.ZarfComponent) error { + errs := []error{} + if c.Import.Path == "" && c.Import.URL == "" { + errs = append(errs, errors.New("neither a path nor a URL was provided")) + } + if c.Import.Path != "" && c.Import.URL != "" { + errs = append(errs, errors.New("both a path and a URL were provided")) + } + if c.Import.URL == "" && c.Import.Path != "" { + if filepath.IsAbs(c.Import.Path) { + errs = append(errs, errors.New("path cannot be an absolute path")) + } + } + if c.Import.URL != "" && c.Import.Path == "" { + ok := helpers.IsOCIURL(c.Import.URL) + if !ok { + errs = append(errs, errors.New("URL is not a valid OCI URL")) + } + } + return errors.Join(errs...) +} + +func compatibleComponent(c v1alpha1.ZarfComponent, arch, flavor string) bool { + satisfiesArch := c.Only.Cluster.Architecture == "" || c.Only.Cluster.Architecture == arch + satisfiesFlavor := c.Only.Flavor == "" || c.Only.Flavor == flavor + return satisfiesArch && satisfiesFlavor +} + +// TODO (phillebaba): Refactor package structure so that pullOCI can be used instead. +func fetchOCISkeleton(ctx context.Context, component v1alpha1.ZarfComponent, packagePath string) (string, error) { + if component.Import.URL == "" { + return component.Import.Path, nil + } + + name := component.Name + if component.Import.Name != "" { + name = component.Import.Name + } + + absCachePath, err := config.GetAbsCachePath() + if err != nil { + return "", err + } + cache := filepath.Join(absCachePath, "oci") + if err := helpers.CreateDirectory(cache, helpers.ReadWriteExecuteUser); err != nil { + return "", err + } + + // Get the descriptor for the component. + remote, err := zoci.NewRemote(component.Import.URL, zoci.PlatformForSkeleton()) + if err != nil { + return "", err + } + _, err = remote.ResolveRoot(ctx) + if err != nil { + return "", fmt.Errorf("published skeleton package for %s does not exist: %w", component.Import.URL, err) + } + manifest, err := remote.FetchRoot(ctx) + if err != nil { + return "", err + } + componentDesc := manifest.Locate(filepath.Join(layout.ComponentsDir, fmt.Sprintf("%s.tar", name))) + if oci.IsEmptyDescriptor(componentDesc) { + return "", fmt.Errorf("component %s not found", name) + } + + store, err := ocistore.New(cache) + if err != nil { + return "", err + } + exists, err := store.Exists(ctx, componentDesc) + if err != nil { + return "", err + } + if !exists { + err = remote.CopyToTarget(ctx, []ocispec.Descriptor{componentDesc}, store, remote.GetDefaultCopyOpts()) + if err != nil { + return "", err + } + } + dir := filepath.Join(cache, "dirs", componentDesc.Digest.Encoded()) + if err := helpers.CreateDirectory(dir, helpers.ReadWriteExecuteUser); err != nil { + return "", err + } + tu := archiver.Tar{ + OverwriteExisting: true, + // removes // from the paths + StripComponents: 1, + } + tb := filepath.Join(cache, "blobs", "sha256", componentDesc.Digest.Encoded()) + err = tu.Unarchive(tb, dir) + if err != nil { + return "", err + } + abs, err := filepath.Abs(packagePath) + if err != nil { + return "", err + } + rel, err := filepath.Rel(abs, dir) + if err != nil { + return "", err + } + return rel, nil +} + +func overrideMetadata(comp v1alpha1.ZarfComponent, override v1alpha1.ZarfComponent) (v1alpha1.ZarfComponent, error) { + // Metadata + comp.Name = override.Name + comp.Default = override.Default + comp.Required = override.Required + + // Override description if it was provided. + if override.Description != "" { + comp.Description = override.Description + } + + if override.Only.LocalOS != "" { + if comp.Only.LocalOS != "" { + return v1alpha1.ZarfComponent{}, fmt.Errorf("component %q: \"only.localOS\" %q cannot be redefined as %q during compose", comp.Name, comp.Only.LocalOS, override.Only.LocalOS) + } + comp.Only.LocalOS = override.Only.LocalOS + } + return comp, nil +} + +func overrideDeprecated(comp v1alpha1.ZarfComponent, override v1alpha1.ZarfComponent) v1alpha1.ZarfComponent { + // Override cosign key path if it was provided. + if override.DeprecatedCosignKeyPath != "" { + comp.DeprecatedCosignKeyPath = override.DeprecatedCosignKeyPath + } + + comp.DeprecatedGroup = override.DeprecatedGroup + + // Merge deprecated scripts for backwards compatibility with older zarf binaries. + comp.DeprecatedScripts.Before = append(comp.DeprecatedScripts.Before, override.DeprecatedScripts.Before...) + comp.DeprecatedScripts.After = append(comp.DeprecatedScripts.After, override.DeprecatedScripts.After...) + + if override.DeprecatedScripts.Retry { + comp.DeprecatedScripts.Retry = true + } + if override.DeprecatedScripts.ShowOutput { + comp.DeprecatedScripts.ShowOutput = true + } + if override.DeprecatedScripts.TimeoutSeconds > 0 { + comp.DeprecatedScripts.TimeoutSeconds = override.DeprecatedScripts.TimeoutSeconds + } + return comp +} + +func overrideActions(comp v1alpha1.ZarfComponent, override v1alpha1.ZarfComponent) v1alpha1.ZarfComponent { + comp.Actions.OnCreate.Defaults = override.Actions.OnCreate.Defaults + comp.Actions.OnCreate.Before = append(comp.Actions.OnCreate.Before, override.Actions.OnCreate.Before...) + comp.Actions.OnCreate.After = append(comp.Actions.OnCreate.After, override.Actions.OnCreate.After...) + comp.Actions.OnCreate.OnFailure = append(comp.Actions.OnCreate.OnFailure, override.Actions.OnCreate.OnFailure...) + comp.Actions.OnCreate.OnSuccess = append(comp.Actions.OnCreate.OnSuccess, override.Actions.OnCreate.OnSuccess...) + + comp.Actions.OnDeploy.Defaults = override.Actions.OnDeploy.Defaults + comp.Actions.OnDeploy.Before = append(comp.Actions.OnDeploy.Before, override.Actions.OnDeploy.Before...) + comp.Actions.OnDeploy.After = append(comp.Actions.OnDeploy.After, override.Actions.OnDeploy.After...) + comp.Actions.OnDeploy.OnFailure = append(comp.Actions.OnDeploy.OnFailure, override.Actions.OnDeploy.OnFailure...) + comp.Actions.OnDeploy.OnSuccess = append(comp.Actions.OnDeploy.OnSuccess, override.Actions.OnDeploy.OnSuccess...) + + comp.Actions.OnRemove.Defaults = override.Actions.OnRemove.Defaults + comp.Actions.OnRemove.Before = append(comp.Actions.OnRemove.Before, override.Actions.OnRemove.Before...) + comp.Actions.OnRemove.After = append(comp.Actions.OnRemove.After, override.Actions.OnRemove.After...) + comp.Actions.OnRemove.OnFailure = append(comp.Actions.OnRemove.OnFailure, override.Actions.OnRemove.OnFailure...) + comp.Actions.OnRemove.OnSuccess = append(comp.Actions.OnRemove.OnSuccess, override.Actions.OnRemove.OnSuccess...) + return comp +} + +func overrideResources(comp v1alpha1.ZarfComponent, override v1alpha1.ZarfComponent) v1alpha1.ZarfComponent { + comp.DataInjections = append(comp.DataInjections, override.DataInjections...) + comp.Files = append(comp.Files, override.Files...) + comp.Images = append(comp.Images, override.Images...) + comp.Repos = append(comp.Repos, override.Repos...) + + // Merge charts with the same name to keep them unique + for _, overrideChart := range override.Charts { + existing := false + for idx := range comp.Charts { + if comp.Charts[idx].Name == overrideChart.Name { + if overrideChart.Namespace != "" { + comp.Charts[idx].Namespace = overrideChart.Namespace + } + if overrideChart.ReleaseName != "" { + comp.Charts[idx].ReleaseName = overrideChart.ReleaseName + } + comp.Charts[idx].ValuesFiles = append(comp.Charts[idx].ValuesFiles, overrideChart.ValuesFiles...) + comp.Charts[idx].Variables = append(comp.Charts[idx].Variables, overrideChart.Variables...) + existing = true + } + } + + if !existing { + comp.Charts = append(comp.Charts, overrideChart) + } + } + + // Merge manifests with the same name to keep them unique + for _, overrideManifest := range override.Manifests { + existing := false + for idx := range comp.Manifests { + if comp.Manifests[idx].Name == overrideManifest.Name { + if overrideManifest.Namespace != "" { + comp.Manifests[idx].Namespace = overrideManifest.Namespace + } + comp.Manifests[idx].Files = append(comp.Manifests[idx].Files, overrideManifest.Files...) + comp.Manifests[idx].Kustomizations = append(comp.Manifests[idx].Kustomizations, overrideManifest.Kustomizations...) + + existing = true + } + } + + if !existing { + comp.Manifests = append(comp.Manifests, overrideManifest) + } + } + + comp.HealthChecks = append(comp.HealthChecks, override.HealthChecks...) + + return comp +} + +func makePathRelativeTo(path, relativeTo string) string { + if helpers.IsURL(path) { + return path + } + return filepath.Join(relativeTo, path) +} + +func fixPaths(child v1alpha1.ZarfComponent, relativeToHead, packagePath string) v1alpha1.ZarfComponent { + for fileIdx, file := range child.Files { + composed := makePathRelativeTo(file.Source, relativeToHead) + child.Files[fileIdx].Source = composed + } + + for chartIdx, chart := range child.Charts { + for valuesIdx, valuesFile := range chart.ValuesFiles { + composed := makePathRelativeTo(valuesFile, relativeToHead) + child.Charts[chartIdx].ValuesFiles[valuesIdx] = composed + } + if child.Charts[chartIdx].LocalPath != "" { + composed := makePathRelativeTo(chart.LocalPath, relativeToHead) + child.Charts[chartIdx].LocalPath = composed + } + } + + for manifestIdx, manifest := range child.Manifests { + for fileIdx, file := range manifest.Files { + composed := makePathRelativeTo(file, relativeToHead) + child.Manifests[manifestIdx].Files[fileIdx] = composed + } + for kustomizeIdx, kustomization := range manifest.Kustomizations { + composed := makePathRelativeTo(kustomization, relativeToHead) + // kustomizations can use non-standard urls, so we need to check if the composed path exists on the local filesystem + invalid := helpers.InvalidPath(filepath.Join(packagePath, composed)) + if !invalid { + child.Manifests[manifestIdx].Kustomizations[kustomizeIdx] = composed + } + } + } + + for dataInjectionsIdx, dataInjection := range child.DataInjections { + composed := makePathRelativeTo(dataInjection.Source, relativeToHead) + child.DataInjections[dataInjectionsIdx].Source = composed + } + + defaultDir := child.Actions.OnCreate.Defaults.Dir + child.Actions.OnCreate.Before = fixActionPaths(child.Actions.OnCreate.Before, defaultDir, relativeToHead) + child.Actions.OnCreate.After = fixActionPaths(child.Actions.OnCreate.After, defaultDir, relativeToHead) + child.Actions.OnCreate.OnFailure = fixActionPaths(child.Actions.OnCreate.OnFailure, defaultDir, relativeToHead) + child.Actions.OnCreate.OnSuccess = fixActionPaths(child.Actions.OnCreate.OnSuccess, defaultDir, relativeToHead) + + // deprecated + if child.DeprecatedCosignKeyPath != "" { + composed := makePathRelativeTo(child.DeprecatedCosignKeyPath, relativeToHead) + child.DeprecatedCosignKeyPath = composed + } + + return child +} + +// fixActionPaths takes a slice of actions and mutates the Dir to be relative to the head node +func fixActionPaths(actions []v1alpha1.ZarfComponentAction, defaultDir, relativeToHead string) []v1alpha1.ZarfComponentAction { + for actionIdx, action := range actions { + var composed string + if action.Dir != nil { + composed = makePathRelativeTo(*action.Dir, relativeToHead) + } else { + composed = makePathRelativeTo(defaultDir, relativeToHead) + } + actions[actionIdx].Dir = &composed + } + return actions +} diff --git a/src/internal/packager2/layout/import_test.go b/src/internal/packager2/layout/import_test.go new file mode 100644 index 0000000000..1508882059 --- /dev/null +++ b/src/internal/packager2/layout/import_test.go @@ -0,0 +1,199 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package layout + +import ( + "path/filepath" + "strings" + "testing" + + "github.com/stretchr/testify/require" + "github.com/zarf-dev/zarf/src/api/v1alpha1" +) + +func TestValidateComponentCompose(t *testing.T) { + t.Parallel() + + abs, err := filepath.Abs(".") + require.NoError(t, err) + + tests := []struct { + name string + component v1alpha1.ZarfComponent + expectedErrs []string + }{ + { + name: "valid path", + component: v1alpha1.ZarfComponent{ + Name: "component1", + Import: v1alpha1.ZarfComponentImport{ + Path: "relative/path", + }, + }, + expectedErrs: nil, + }, + { + name: "valid URL", + component: v1alpha1.ZarfComponent{ + Name: "component2", + Import: v1alpha1.ZarfComponentImport{ + URL: "oci://example.com/package:v0.0.1", + }, + }, + expectedErrs: nil, + }, + { + name: "neither path nor URL provided", + component: v1alpha1.ZarfComponent{ + Name: "neither", + }, + expectedErrs: []string{ + "neither a path nor a URL was provided", + }, + }, + { + name: "both path and URL provided", + component: v1alpha1.ZarfComponent{ + Name: "both", + Import: v1alpha1.ZarfComponentImport{ + Path: "relative/path", + URL: "https://example.com", + }, + }, + expectedErrs: []string{ + "both a path and a URL were provided", + }, + }, + { + name: "absolute path provided", + component: v1alpha1.ZarfComponent{ + Name: "abs-path", + Import: v1alpha1.ZarfComponentImport{ + Path: abs, + }, + }, + expectedErrs: []string{ + "path cannot be an absolute path", + }, + }, + { + name: "invalid URL provided", + component: v1alpha1.ZarfComponent{ + Name: "bad-url", + Import: v1alpha1.ZarfComponentImport{ + URL: "https://example.com", + }, + }, + expectedErrs: []string{ + "URL is not a valid OCI URL", + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + err := validateComponentCompose(tt.component) + if tt.expectedErrs == nil { + require.NoError(t, err) + return + } + require.Error(t, err) + errs := strings.Split(err.Error(), "\n") + require.ElementsMatch(t, tt.expectedErrs, errs) + }) + } +} + +func TestCompatibleComponent(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + component v1alpha1.ZarfComponent + arch string + flavor string + expectedResult bool + }{ + { + name: "set architecture and set flavor", + component: v1alpha1.ZarfComponent{ + Only: v1alpha1.ZarfComponentOnlyTarget{ + Cluster: v1alpha1.ZarfComponentOnlyCluster{ + Architecture: "amd64", + }, + Flavor: "foo", + }, + }, + arch: "amd64", + flavor: "foo", + expectedResult: true, + }, + { + name: "set architecture and empty flavor", + component: v1alpha1.ZarfComponent{ + Only: v1alpha1.ZarfComponentOnlyTarget{ + Cluster: v1alpha1.ZarfComponentOnlyCluster{ + Architecture: "amd64", + }, + Flavor: "", + }, + }, + arch: "amd64", + flavor: "foo", + expectedResult: true, + }, + { + name: "empty architecture and set flavor", + component: v1alpha1.ZarfComponent{ + Only: v1alpha1.ZarfComponentOnlyTarget{ + Cluster: v1alpha1.ZarfComponentOnlyCluster{ + Architecture: "", + }, + Flavor: "foo", + }, + }, + arch: "amd64", + flavor: "foo", + expectedResult: true, + }, + { + name: "architecture miss match", + component: v1alpha1.ZarfComponent{ + Only: v1alpha1.ZarfComponentOnlyTarget{ + Cluster: v1alpha1.ZarfComponentOnlyCluster{ + Architecture: "arm", + }, + Flavor: "foo", + }, + }, + arch: "amd64", + flavor: "foo", + expectedResult: false, + }, + { + name: "flavor miss match", + component: v1alpha1.ZarfComponent{ + Only: v1alpha1.ZarfComponentOnlyTarget{ + Cluster: v1alpha1.ZarfComponentOnlyCluster{ + Architecture: "arm", + }, + Flavor: "bar", + }, + }, + arch: "amd64", + flavor: "foo", + expectedResult: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + result := compatibleComponent(tt.component, tt.arch, tt.flavor) + require.Equal(t, tt.expectedResult, result) + }) + } +} diff --git a/src/internal/packager2/layout/layout.go b/src/internal/packager2/layout/layout.go index 7dcd09971c..356bb9a77f 100644 --- a/src/internal/packager2/layout/layout.go +++ b/src/internal/packager2/layout/layout.go @@ -4,6 +4,13 @@ // Package layout contains functions for inteacting the Zarf packages. package layout +import ( + goyaml "github.com/goccy/go-yaml" + + "github.com/zarf-dev/zarf/src/api/v1alpha1" + "github.com/zarf-dev/zarf/src/pkg/packager/deprecated" +) + // Constants used in the default package layout. const ( ZarfYAML = "zarf.yaml" @@ -32,3 +39,18 @@ const ( DataComponentDir ComponentDir = "data" ValuesComponentDir ComponentDir = "values" ) + +// ParseZarfPackage parses the yaml passed as a byte slice and applies potential schema migrations. +func ParseZarfPackage(b []byte) (v1alpha1.ZarfPackage, error) { + var pkg v1alpha1.ZarfPackage + err := goyaml.Unmarshal(b, &pkg) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + if len(pkg.Build.Migrations) > 0 { + for idx, component := range pkg.Components { + pkg.Components[idx], _ = deprecated.MigrateComponent(pkg.Build, component) + } + } + return pkg, nil +} diff --git a/src/internal/packager2/layout/package.go b/src/internal/packager2/layout/package.go index cf8dbf179b..966bcc07dd 100644 --- a/src/internal/packager2/layout/package.go +++ b/src/internal/packager2/layout/package.go @@ -15,7 +15,6 @@ import ( "strings" "github.com/defenseunicorns/pkg/helpers/v2" - goyaml "github.com/goccy/go-yaml" registryv1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/layout" "github.com/mholt/archiver/v3" @@ -25,7 +24,6 @@ import ( "github.com/zarf-dev/zarf/src/api/v1alpha1" "github.com/zarf-dev/zarf/src/config" - "github.com/zarf-dev/zarf/src/pkg/packager/deprecated" "github.com/zarf-dev/zarf/src/pkg/transform" "github.com/zarf-dev/zarf/src/pkg/utils" ) @@ -92,17 +90,10 @@ func LoadFromDir(ctx context.Context, dirPath string, opt PackageLayoutOptions) if err != nil { return nil, err } - var pkg v1alpha1.ZarfPackage - err = goyaml.Unmarshal(b, &pkg) + pkg, err := ParseZarfPackage(b) if err != nil { return nil, err } - if len(pkg.Build.Migrations) > 0 { - for idx, component := range pkg.Components { - pkg.Components[idx], _ = deprecated.MigrateComponent(pkg.Build, component) - } - } - pkgLayout := &PackageLayout{ dirPath: dirPath, Pkg: pkg, diff --git a/src/internal/packager2/layout/testdata/cosign.key b/src/internal/packager2/layout/testdata/cosign.key new file mode 100644 index 0000000000..90fe1f9dfb --- /dev/null +++ b/src/internal/packager2/layout/testdata/cosign.key @@ -0,0 +1,11 @@ +-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY----- +eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6 +OCwicCI6MX0sInNhbHQiOiJEM1h4S3huclZqU3JjSkdvYTZIcTVWYkEwYUhwUldW +akJKR3F2L0pHZDMwPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 +Iiwibm9uY2UiOiJSOGZWZzlIczVIdFZKWENDVmJnODhwVFFObTRsQnh0RCJ9LCJj +aXBoZXJ0ZXh0IjoiclNHS3A0RGpMQzdnd0RnU0F6SnIwQXhVbmxxeG1EVVZ2ci9p +MzRHTk8vaGRCblRTVEpQYU5YRWJiZDd3R1hDMlVUeU9QOS92Q2NBUUI0dVBFNnZD +V3ZzSFVwOWYyZlJoazY1TXVFQkFLWStVaE1uQ0QzcGlueWhGNktOUmxEaG1tZCtZ +SnI4ZW4rczBMZnFQREJWRkRFb2lLVlJENEMxYVF5eTdveGJJOEZDWG9FSStTd284 +WnpsK2F1anpxdlYxTlg0NHJaeU9sZVRyV3c9PSJ9 +-----END ENCRYPTED SIGSTORE PRIVATE KEY----- diff --git a/src/internal/packager2/layout/testdata/cosign.pub b/src/internal/packager2/layout/testdata/cosign.pub new file mode 100644 index 0000000000..da98deb626 --- /dev/null +++ b/src/internal/packager2/layout/testdata/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWa56xczL+HvqDx5tUg9ThYzIAGcc +Geic52+Ajs65OgUKePRK49fki3cSZpqV1yCfqHUPnU+SaQjAiCPK3SAW9g== +-----END PUBLIC KEY----- diff --git a/src/internal/packager2/layout/testdata/zarf-package/archive.tar b/src/internal/packager2/layout/testdata/zarf-package/archive.tar new file mode 100644 index 0000000000..cbbd80680c Binary files /dev/null and b/src/internal/packager2/layout/testdata/zarf-package/archive.tar differ diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/.helmignore b/src/internal/packager2/layout/testdata/zarf-package/chart/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/Chart.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/Chart.yaml new file mode 100644 index 0000000000..0ae3bfd45f --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +version: 6.4.0 +appVersion: 6.4.0 +name: podinfo +engine: gotpl +description: Podinfo Helm chart for Kubernetes +home: https://github.com/stefanprodan/podinfo +maintainers: +- email: stefanprodan@users.noreply.github.com + name: stefanprodan +sources: +- https://github.com/stefanprodan/podinfo +kubeVersion: ">=1.23.0-0" diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/LICENSE b/src/internal/packager2/layout/testdata/zarf-package/chart/LICENSE new file mode 100644 index 0000000000..1b92ec15f9 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2018 Stefan Prodan. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/NOTICE b/src/internal/packager2/layout/testdata/zarf-package/chart/NOTICE new file mode 100644 index 0000000000..5b0414f8c2 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/NOTICE @@ -0,0 +1 @@ +All files from this chart are from https://github.com/stefanprodan/podinfo/tree/6.4.0/charts/podinfo. diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/NOTES.txt b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/NOTES.txt new file mode 100644 index 0000000000..d8329725ef --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/NOTES.txt @@ -0,0 +1,20 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "podinfo.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "podinfo.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.externalPort }} +{{- else if contains "ClusterIP" .Values.service.type }} + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl -n {{ .Release.Namespace }} port-forward deploy/{{ template "podinfo.fullname" . }} 8080:{{ .Values.service.externalPort }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/_helpers.tpl b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/_helpers.tpl new file mode 100644 index 0000000000..1f5a052871 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/_helpers.tpl @@ -0,0 +1,69 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "podinfo.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "podinfo.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "podinfo.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "podinfo.labels" -}} +helm.sh/chart: {{ include "podinfo.chart" . }} +{{ include "podinfo.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "podinfo.selectorLabels" -}} +app.kubernetes.io/name: {{ include "podinfo.fullname" . }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "podinfo.serviceAccountName" -}} +{{- if .Values.serviceAccount.enabled }} +{{- default (include "podinfo.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the tls secret for secure port +*/}} +{{- define "podinfo.tlsSecretName" -}} +{{- $fullname := include "podinfo.fullname" . -}} +{{- default (printf "%s-tls" $fullname) .Values.tls.secretName }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/deployment.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/deployment.yaml new file mode 100644 index 0000000000..87ed373534 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/deployment.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "podinfo.fullname" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +spec: + {{- if not .Values.hpa.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "podinfo.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "podinfo.selectorLabels" . | nindent 8 }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.service.httpPort }}" + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + terminationGracePeriodSeconds: 30 + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ template "podinfo.serviceAccountName" . }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- else if (or .Values.service.hostPort .Values.tls.hostPort) }} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- end }} + command: + - ./podinfo + - --port={{ .Values.service.httpPort | default 9898 }} + {{- if .Values.host }} + - --host={{ .Values.host }} + {{- end }} + {{- if .Values.tls.enabled }} + - --secure-port={{ .Values.tls.port }} + {{- end }} + {{- if .Values.tls.certPath }} + - --cert-path={{ .Values.tls.certPath }} + {{- end }} + {{- if .Values.service.metricsPort }} + - --port-metrics={{ .Values.service.metricsPort }} + {{- end }} + {{- if .Values.service.grpcPort }} + - --grpc-port={{ .Values.service.grpcPort }} + {{- end }} + {{- if .Values.service.grpcService }} + - --grpc-service-name={{ .Values.service.grpcService }} + {{- end }} + {{- range .Values.backends }} + - --backend-url={{ . }} + {{- end }} + {{- if .Values.cache }} + - --cache-server={{ .Values.cache }} + {{- else if .Values.redis.enabled }} + - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379 + {{- end }} + - --level={{ .Values.logLevel }} + - --random-delay={{ .Values.faults.delay }} + - --random-error={{ .Values.faults.error }} + {{- if .Values.faults.unhealthy }} + - --unhealthy + {{- end }} + {{- if .Values.faults.unready }} + - --unready + {{- end }} + {{- if .Values.h2c.enabled }} + - --h2c + {{- end }} + env: + {{- if .Values.ui.message }} + - name: PODINFO_UI_MESSAGE + value: {{ quote .Values.ui.message }} + {{- end }} + {{- if .Values.ui.logo }} + - name: PODINFO_UI_LOGO + value: {{ .Values.ui.logo }} + {{- end }} + {{- if .Values.ui.color }} + - name: PODINFO_UI_COLOR + value: {{ quote .Values.ui.color }} + {{- end }} + {{- if .Values.backend }} + - name: PODINFO_BACKEND_URL + value: {{ .Values.backend }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.service.httpPort | default 9898 }} + protocol: TCP + {{- if .Values.service.hostPort }} + hostPort: {{ .Values.service.hostPort }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: https + containerPort: {{ .Values.tls.port | default 9899 }} + protocol: TCP + {{- if .Values.tls.hostPort }} + hostPort: {{ .Values.tls.hostPort }} + {{- end }} + {{- end }} + {{- if .Values.service.metricsPort }} + - name: http-metrics + containerPort: {{ .Values.service.metricsPort }} + protocol: TCP + {{- end }} + {{- if .Values.service.grpcPort }} + - name: grpc + containerPort: {{ .Values.service.grpcPort }} + protocol: TCP + {{- end }} + {{- if .Values.probes.startup.enable }} + startupProbe: + exec: + command: + - podcli + - check + - http + - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz + {{- with .Values.probes.startup }} + initialDelaySeconds: {{ .initialDelaySeconds | default 1 }} + timeoutSeconds: {{ .timeoutSeconds | default 5 }} + failureThreshold: {{ .failureThreshold | default 3 }} + successThreshold: {{ .successThreshold | default 1 }} + periodSeconds: {{ .periodSeconds | default 10 }} + {{- end }} + {{- end }} + livenessProbe: + exec: + command: + - podcli + - check + - http + - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz + {{- with .Values.probes.liveness }} + initialDelaySeconds: {{ .initialDelaySeconds | default 1 }} + timeoutSeconds: {{ .timeoutSeconds | default 5 }} + failureThreshold: {{ .failureThreshold | default 3 }} + successThreshold: {{ .successThreshold | default 1 }} + periodSeconds: {{ .periodSeconds | default 10 }} + {{- end }} + readinessProbe: + exec: + command: + - podcli + - check + - http + - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz + {{- with .Values.probes.readiness }} + initialDelaySeconds: {{ .initialDelaySeconds | default 1 }} + timeoutSeconds: {{ .timeoutSeconds | default 5 }} + failureThreshold: {{ .failureThreshold | default 3 }} + successThreshold: {{ .successThreshold | default 1 }} + periodSeconds: {{ .periodSeconds | default 10 }} + {{- end }} + volumeMounts: + - name: data + mountPath: /data + {{- if .Values.tls.enabled }} + - name: tls + mountPath: {{ .Values.tls.certPath | default "/data/cert" }} + readOnly: true + {{- end }} + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: data + emptyDir: {} + {{- if .Values.tls.enabled }} + - name: tls + secret: + secretName: {{ template "podinfo.tlsSecretName" . }} + {{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/hpa.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/hpa.yaml new file mode 100644 index 0000000000..f2fb8df1b8 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/hpa.yaml @@ -0,0 +1,41 @@ +{{- if .Values.hpa.enabled -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "podinfo.fullname" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "podinfo.fullname" . }} + minReplicas: {{ .Values.replicaCount }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + metrics: + {{- if .Values.hpa.cpu }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.hpa.cpu }} + {{- end }} + {{- if .Values.hpa.memory }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ .Values.hpa.memory }} + {{- end }} + {{- if .Values.hpa.requests }} + - type: Pods + pods: + metric: + name: http_requests + target: + type: AverageValue + averageValue: {{ .Values.hpa.requests }} + {{- end }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/ingress.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/ingress.yaml new file mode 100644 index 0000000000..93f9ae437a --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/ingress.yaml @@ -0,0 +1,41 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "podinfo.fullname" . -}} +{{- $svcPort := .Values.service.externalPort -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- end }} + {{- end }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/service.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/service.yaml new file mode 100644 index 0000000000..6014e78853 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/service.yaml @@ -0,0 +1,36 @@ +{{- if .Values.service.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "podinfo.fullname" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +{{- with .Values.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: http + protocol: TCP + name: http + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + {{- if .Values.tls.enabled }} + - port: {{ .Values.tls.port | default 9899 }} + targetPort: https + protocol: TCP + name: https + {{- end }} + {{- if .Values.service.grpcPort }} + - port: {{ .Values.service.grpcPort }} + targetPort: grpc + protocol: TCP + name: grpc + {{- end }} + selector: + {{- include "podinfo.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/serviceaccount.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/serviceaccount.yaml new file mode 100644 index 0000000000..d39b798967 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "podinfo.serviceAccountName" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end -}} +{{- end -}} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/values.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/values.yaml new file mode 100644 index 0000000000..89b2bd9129 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/values.yaml @@ -0,0 +1,164 @@ +# Default values for podinfo. + +replicaCount: 1 +logLevel: info +host: #0.0.0.0 +backend: #http://backend-podinfo:9898/echo +backends: [] + +image: + repository: ghcr.io/stefanprodan/podinfo + tag: 6.4.0 + pullPolicy: IfNotPresent + +ui: + color: "#34577c" + message: "" + logo: "" + +# failure conditions +faults: + delay: false + error: false + unhealthy: false + unready: false + testFail: false + testTimeout: false + +# Kubernetes Service settings +service: + enabled: true + annotations: {} + type: ClusterIP + metricsPort: 9797 + httpPort: 9898 + externalPort: 9898 + grpcPort: 9999 + grpcService: podinfo + nodePort: 31198 + # the port used to bind the http port to the host + # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing + # in local clusters such as kind without port forwarding + hostPort: + +# enable h2c protocol (non-TLS version of HTTP/2) +h2c: + enabled: false + +# enable tls on the podinfo service +tls: + enabled: false + # the name of the secret used to mount the certificate key pair + secretName: + # the path where the certificate key pair will be mounted + certPath: /data/cert + # the port used to host the tls endpoint on the service + port: 9899 + # the port used to bind the tls port to the host + # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing + # in local clusters such as kind without port forwarding + hostPort: + +# create a certificate manager certificate (cert-manager required) +certificate: + create: false + # the issuer used to issue the certificate + issuerRef: + kind: ClusterIssuer + name: self-signed + # the hostname / subject alternative names for the certificate + dnsNames: + - podinfo + +# metrics-server add-on required +hpa: + enabled: false + maxReplicas: 10 + # average total CPU usage per pod (1-100) + cpu: + # average memory usage per pod (100Mi-1Gi) + memory: + # average http requests per second per pod (k8s-prometheus-adapter) + requests: + +# Redis address in the format tcp://: +cache: "" +# Redis deployment +redis: + enabled: false + repository: redis + tag: 7.0.7 + +serviceAccount: + # Specifies whether a service account should be created + enabled: false + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + # List of image pull secrets if pulling from private registries + imagePullSecrets: [] + +# set container security context +securityContext: {} + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: podinfo.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +linkerd: + profile: + enabled: false + +# create Prometheus Operator monitor +serviceMonitor: + enabled: false + interval: 15s + additionalLabels: {} + +resources: + limits: + requests: + cpu: 1m + memory: 16Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +podAnnotations: {} + +# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes +probes: + readiness: + initialDelaySeconds: 1 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + periodSeconds: 10 + liveness: + initialDelaySeconds: 1 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + periodSeconds: 10 + startup: + enable: false + initialDelaySeconds: 10 + timeoutSeconds: 5 + failureThreshold: 20 + successThreshold: 1 + periodSeconds: 10 diff --git a/src/internal/packager2/layout/testdata/zarf-package/data.txt b/src/internal/packager2/layout/testdata/zarf-package/data.txt new file mode 100644 index 0000000000..557db03de9 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/data.txt @@ -0,0 +1 @@ +Hello World diff --git a/src/internal/packager2/layout/testdata/zarf-package/deployment.yaml b/src/internal/packager2/layout/testdata/zarf-package/deployment.yaml new file mode 100644 index 0000000000..685c17aa68 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/deployment.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/src/internal/packager2/layout/testdata/zarf-package/injection/data.txt b/src/internal/packager2/layout/testdata/zarf-package/injection/data.txt new file mode 100644 index 0000000000..1269488f7f --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/injection/data.txt @@ -0,0 +1 @@ +data diff --git a/src/internal/packager2/layout/testdata/zarf-package/kustomize/kustomization.yaml b/src/internal/packager2/layout/testdata/zarf-package/kustomize/kustomization.yaml new file mode 100644 index 0000000000..736967b1a3 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/kustomize/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - namespace.yaml diff --git a/src/internal/packager2/layout/testdata/zarf-package/kustomize/namespace.yaml b/src/internal/packager2/layout/testdata/zarf-package/kustomize/namespace.yaml new file mode 100644 index 0000000000..7c265c0193 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/kustomize/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test diff --git a/src/internal/packager2/layout/testdata/zarf-package/values.yaml b/src/internal/packager2/layout/testdata/zarf-package/values.yaml new file mode 100644 index 0000000000..f86a45afe7 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/values.yaml @@ -0,0 +1,5 @@ +ui: + color: "#0d133d" + message: "greetings from podinfo (as deployed by Zarf)" + # Replace the githubusercontent URL for the airgap + logo: "" diff --git a/src/internal/packager2/layout/testdata/zarf-package/zarf.yaml b/src/internal/packager2/layout/testdata/zarf-package/zarf.yaml new file mode 100644 index 0000000000..695ac11604 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/zarf.yaml @@ -0,0 +1,41 @@ +kind: ZarfPackageConfig +metadata: + name: test + version: v0.0.1 +components: + - name: helm-charts + required: true + charts: + - name: podinfo-local + version: 6.4.0 + namespace: podinfo-from-local-chart + localPath: chart + valuesFiles: + - values.yaml + - name: files + required: true + files: + - source: data.txt + target: data.txt + - source: archive.tar + extractPath: archive-data.txt + target: archive-data.txt + - name: data-injections + required: true + dataInjections: + - source: injection + target: + namespace: test + selector: app=test + container: test + path: /test + compress: true + - name: manifests + required: true + manifests: + - name: deployment + namespace: httpd + files: + - deployment.yaml + kustomizations: + - kustomize diff --git a/src/pkg/lint/schema.go b/src/pkg/lint/schema.go index b6cb5f6e3e..a5f9009dc9 100644 --- a/src/pkg/lint/schema.go +++ b/src/pkg/lint/schema.go @@ -7,6 +7,7 @@ package lint import ( "fmt" "io/fs" + "path/filepath" "regexp" "github.com/xeipuuv/gojsonschema" @@ -17,6 +18,23 @@ import ( // ZarfSchema is exported so main.go can embed the schema file var ZarfSchema fs.ReadFileFS +// ValidatePackageSchemaAtPath checks the Zarf package in the current directory against the Zarf schema +func ValidatePackageSchemaAtPath(path string, setVariables map[string]string) ([]PackageFinding, error) { + var untypedZarfPackage interface{} + if err := utils.ReadYaml(filepath.Join(path, layout.ZarfYAML), &untypedZarfPackage); err != nil { + return nil, err + } + jsonSchema, err := ZarfSchema.ReadFile("zarf.schema.json") + if err != nil { + return nil, err + } + _, err = templateZarfObj(&untypedZarfPackage, setVariables) + if err != nil { + return nil, err + } + return getSchemaFindings(jsonSchema, untypedZarfPackage) +} + // ValidatePackageSchema checks the Zarf package in the current directory against the Zarf schema func ValidatePackageSchema(setVariables map[string]string) ([]PackageFinding, error) { var untypedZarfPackage interface{} diff --git a/src/pkg/packager/publish.go b/src/pkg/packager/publish.go index 6e421efd1f..95d4c66a36 100644 --- a/src/pkg/packager/publish.go +++ b/src/pkg/packager/publish.go @@ -13,6 +13,7 @@ import ( "github.com/defenseunicorns/pkg/helpers/v2" "github.com/defenseunicorns/pkg/oci" ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/zarf-dev/zarf/src/api/v1alpha1" "github.com/zarf-dev/zarf/src/config" "github.com/zarf-dev/zarf/src/pkg/layout" diff --git a/src/test/e2e/14_oci_compose_test.go b/src/test/e2e/14_oci_compose_test.go index e186a6e076..6a983c7fc3 100644 --- a/src/test/e2e/14_oci_compose_test.go +++ b/src/test/e2e/14_oci_compose_test.go @@ -104,8 +104,6 @@ func (suite *PublishCopySkeletonSuite) Test_1_Compose_Everything_Inception() { suite.NoError(err) targets := []string{ - "import-component-local == import-component-local", - "import-component-oci == import-component-oci", "file-imports == file-imports", "local-chart-import == local-chart-import", } diff --git a/src/test/packages/14-import-everything/inception/zarf.yaml b/src/test/packages/14-import-everything/inception/zarf.yaml index 6721fbd109..d4361f08ef 100644 --- a/src/test/packages/14-import-everything/inception/zarf.yaml +++ b/src/test/packages/14-import-everything/inception/zarf.yaml @@ -5,16 +5,6 @@ metadata: version: 0.0.1 components: - - name: import-component-local - required: true - import: - url: oci://localhost:31888/import-everything:0.0.1 - - - name: import-component-oci - required: true - import: - url: oci://localhost:31888/import-everything:0.0.1 - - name: file-imports required: true import: diff --git a/src/test/packages/14-import-everything/oci-import/zarf.yaml b/src/test/packages/14-import-everything/oci-import/zarf.yaml deleted file mode 100644 index 5dffce9116..0000000000 --- a/src/test/packages/14-import-everything/oci-import/zarf.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: ZarfPackageConfig -metadata: - name: import-oci - description: Test OCI import of helm charts - version: 0.0.1 - -components: - - name: import-component-oci - description: "import-component-oci == ###ZARF_COMPONENT_NAME###" - required: false - import: - name: demo-helm-charts - url: oci://localhost:31888/helm-charts:0.0.1 diff --git a/src/test/packages/14-import-everything/zarf.yaml b/src/test/packages/14-import-everything/zarf.yaml index 5a096ae3db..72b2be156c 100644 --- a/src/test/packages/14-import-everything/zarf.yaml +++ b/src/test/packages/14-import-everything/zarf.yaml @@ -5,21 +5,13 @@ metadata: version: 0.0.1 components: - # Test every simple primitive that Zarf has through a local import - - name: import-component-local - description: "import-component-local == ###ZARF_COMPONENT_NAME###" - required: false - import: - path: ../09-composable-packages - name: test-compose-package - - # Test nested local to oci imports + # Test OCI import - name: import-component-oci description: "import-component-oci == ###ZARF_COMPONENT_NAME###" required: false import: - name: import-component-oci - path: oci-import + name: demo-helm-charts + url: oci://localhost:31888/helm-charts:0.0.1 # Test file imports including cosignKeyPath - name: file-imports