Skip to content

Commit

Permalink
Merge branch 'main' into remove/k8s-deprecations
Browse files Browse the repository at this point in the history
  • Loading branch information
Lucas Rodriguez authored May 30, 2024
2 parents 5a20f91 + bc89697 commit df5831f
Show file tree
Hide file tree
Showing 11 changed files with 258 additions and 24 deletions.
4 changes: 4 additions & 0 deletions src/internal/agent/hooks/argocd-application.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import (
"github.com/defenseunicorns/zarf/src/pkg/transform"
"github.com/defenseunicorns/zarf/src/types"
v1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Application is a definition of an ArgoCD Application resource.
Expand All @@ -29,6 +30,7 @@ import (
// For more information: https://argo-cd.readthedocs.io/en/stable/user-guide/import/
type Application struct {
Spec ApplicationSpec `json:"spec"`
metav1.ObjectMeta
}

// ApplicationSpec represents desired application state. Contains link to repository with application definition.
Expand Down Expand Up @@ -93,6 +95,8 @@ func mutateApplication(ctx context.Context, r *v1.AdmissionRequest, cluster *clu
}
}

patches = append(patches, getLabelPatch(app.Labels))

return &operations.Result{
Allowed: true,
PatchOps: patches,
Expand Down
6 changes: 6 additions & 0 deletions src/internal/agent/hooks/argocd-application_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,12 @@ func TestArgoAppWebhook(t *testing.T) {
"/spec/sources/1/repoURL",
"https://git-server.com/a-push-user/almonds-640159520",
),
operations.ReplacePatchOperation(
"/metadata/labels",
map[string]string{
"zarf-agent": "patched",
},
),
},
code: http.StatusOK,
},
Expand Down
5 changes: 4 additions & 1 deletion src/internal/agent/hooks/argocd-repository.go
Original file line number Diff line number Diff line change
Expand Up @@ -95,9 +95,12 @@ func mutateRepositorySecret(ctx context.Context, r *v1.AdmissionRequest, cluster
message.Debugf("original url of (%s) got mutated to (%s)", repoCreds.URL, patchedURL)
}

patches := populateArgoRepositoryPatchOperations(patchedURL, state.GitServer)
patches = append(patches, getLabelPatch(secret.Labels))

return &operations.Result{
Allowed: true,
PatchOps: populateArgoRepositoryPatchOperations(patchedURL, state.GitServer),
PatchOps: patches,
}, nil
}

Expand Down
14 changes: 14 additions & 0 deletions src/internal/agent/hooks/argocd-repository_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,13 @@ func TestArgoRepoWebhook(t *testing.T) {
"/data/password",
b64.StdEncoding.EncodeToString([]byte(state.GitServer.PullPassword)),
),
operations.ReplacePatchOperation(
"/metadata/labels",
map[string]string{
"argocd.argoproj.io/secret-type": "repository",
"zarf-agent": "patched",
},
),
},
code: http.StatusOK,
},
Expand Down Expand Up @@ -103,6 +110,13 @@ func TestArgoRepoWebhook(t *testing.T) {
"/data/password",
b64.StdEncoding.EncodeToString([]byte(state.GitServer.PullPassword)),
),
operations.ReplacePatchOperation(
"/metadata/labels",
map[string]string{
"argocd.argoproj.io/secret-type": "repository",
"zarf-agent": "patched",
},
),
},
code: http.StatusOK,
},
Expand Down
15 changes: 15 additions & 0 deletions src/internal/agent/hooks/common.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
// SPDX-License-Identifier: Apache-2.0
// SPDX-FileCopyrightText: 2021-Present The Zarf Authors

// Package hooks contains the mutation hooks for the Zarf agent.
package hooks

import "github.com/defenseunicorns/zarf/src/internal/agent/operations"

func getLabelPatch(currLabels map[string]string) operations.PatchOperation {
if currLabels == nil {
currLabels = make(map[string]string)
}
currLabels["zarf-agent"] = "patched"
return operations.ReplacePatchOperation("/metadata/labels", currLabels)
}
1 change: 1 addition & 0 deletions src/internal/agent/hooks/flux.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ func mutateGitRepo(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster

// Patch updates of the repo spec
patches = populatePatchOperations(patchedURL)
patches = append(patches, getLabelPatch(repo.Labels))

return &operations.Result{
Allowed: true,
Expand Down
12 changes: 12 additions & 0 deletions src/internal/agent/hooks/flux_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,12 @@ func TestFluxMutationWebhook(t *testing.T) {
"/spec/secretRef",
fluxmeta.LocalObjectReference{Name: config.ZarfGitServerSecretName},
),
operations.ReplacePatchOperation(
"/metadata/labels",
map[string]string{
"zarf-agent": "patched",
},
),
},
code: http.StatusOK,
},
Expand Down Expand Up @@ -100,6 +106,12 @@ func TestFluxMutationWebhook(t *testing.T) {
"/spec/secretRef",
fluxmeta.LocalObjectReference{Name: config.ZarfGitServerSecretName},
),
operations.ReplacePatchOperation(
"/metadata/labels",
map[string]string{
"zarf-agent": "patched",
},
),
},
code: http.StatusOK,
},
Expand Down
23 changes: 7 additions & 16 deletions src/internal/agent/hooks/pods.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,11 +64,11 @@ func mutatePod(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Clu
}
registryURL := state.RegistryInfo.Address

var patchOperations []operations.PatchOperation
var patches []operations.PatchOperation

// Add the zarf secret to the podspec
zarfSecret := []corev1.LocalObjectReference{{Name: config.ZarfImagePullSecretName}}
patchOperations = append(patchOperations, operations.ReplacePatchOperation("/spec/imagePullSecrets", zarfSecret))
patches = append(patches, operations.ReplacePatchOperation("/spec/imagePullSecrets", zarfSecret))

// update the image host for each init container
for idx, container := range pod.Spec.InitContainers {
Expand All @@ -78,7 +78,7 @@ func mutatePod(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Clu
message.Warnf(lang.AgentErrImageSwap, container.Image)
continue // Continue, because we might as well attempt to mutate the other containers for this pod
}
patchOperations = append(patchOperations, operations.ReplacePatchOperation(path, replacement))
patches = append(patches, operations.ReplacePatchOperation(path, replacement))
}

// update the image host for each ephemeral container
Expand All @@ -89,7 +89,7 @@ func mutatePod(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Clu
message.Warnf(lang.AgentErrImageSwap, container.Image)
continue // Continue, because we might as well attempt to mutate the other containers for this pod
}
patchOperations = append(patchOperations, operations.ReplacePatchOperation(path, replacement))
patches = append(patches, operations.ReplacePatchOperation(path, replacement))
}

// update the image host for each normal container
Expand All @@ -100,22 +100,13 @@ func mutatePod(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Clu
message.Warnf(lang.AgentErrImageSwap, container.Image)
continue // Continue, because we might as well attempt to mutate the other containers for this pod
}
patchOperations = append(patchOperations, operations.ReplacePatchOperation(path, replacement))
patches = append(patches, operations.ReplacePatchOperation(path, replacement))
}

// Add a label noting the zarf mutation
if pod.Labels == nil {
// If the labels path does not exist - create with map[string]string value
patchOperations = append(patchOperations, operations.AddPatchOperation("/metadata/labels",
map[string]string{
"zarf-agent": "patched",
}))
} else {
patchOperations = append(patchOperations, operations.ReplacePatchOperation("/metadata/labels/zarf-agent", "patched"))
}
patches = append(patches, getLabelPatch(pod.Labels))

return &operations.Result{
Allowed: true,
PatchOps: patchOperations,
PatchOps: patches,
}, nil
}
12 changes: 8 additions & 4 deletions src/internal/agent/hooks/pods_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,8 @@ func TestPodMutationWebhook(t *testing.T) {
name: "pod with label should be mutated",
admissionReq: createPodAdmissionRequest(t, v1.Create, &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Labels: map[string]string{"should-be": "mutated"},
Labels: map[string]string{"should-be": "mutated"},
Annotations: map[string]string{"should-be": "mutated"},
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{{Image: "nginx"}},
Expand Down Expand Up @@ -78,8 +79,11 @@ func TestPodMutationWebhook(t *testing.T) {
"127.0.0.1:31999/library/nginx:latest-zarf-3793515731",
),
operations.ReplacePatchOperation(
"/metadata/labels/zarf-agent",
"patched",
"/metadata/labels",
map[string]string{
"zarf-agent": "patched",
"should-be": "mutated",
},
),
},
code: http.StatusOK,
Expand Down Expand Up @@ -116,7 +120,7 @@ func TestPodMutationWebhook(t *testing.T) {
"/spec/containers/0/image",
"127.0.0.1:31999/library/nginx:latest-zarf-3793515731",
),
operations.AddPatchOperation(
operations.ReplacePatchOperation(
"/metadata/labels",
map[string]string{"zarf-agent": "patched"},
),
Expand Down
25 changes: 23 additions & 2 deletions src/pkg/cluster/state.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,9 @@ func (c *Cluster) InitZarfState(ctx context.Context, initOptions types.ZarfInitO
if err != nil {
return err
}
if len(nodeList.Items) == 0 {
return fmt.Errorf("cannot init Zarf state in empty cluster")
}
namespaceList, err := c.Clientset.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
if err != nil {
return err
Expand All @@ -90,6 +93,10 @@ func (c *Cluster) InitZarfState(ctx context.Context, initOptions types.ZarfInitO
}
// Mark existing namespaces as ignored for the zarf agent to prevent mutating resources we don't own.
for _, namespace := range namespaces.Items {
// Skip Zarf namespace if it already exists.
if namespace.Name == ZarfNamespaceName {
continue
}
spinner.Updatef("Marking existing namespace %s as ignored by Zarf Agent", namespace.Name)
if namespace.Labels == nil {
// Ensure label map exists to avoid nil panic
Expand All @@ -107,8 +114,22 @@ func (c *Cluster) InitZarfState(ctx context.Context, initOptions types.ZarfInitO
// Try to create the zarf namespace.
spinner.Updatef("Creating the Zarf namespace")
zarfNamespace := NewZarfManagedNamespace(ZarfNamespaceName)
if _, err := c.CreateNamespace(ctx, zarfNamespace); err != nil {
return fmt.Errorf("unable to create the zarf namespace: %w", err)
err = func() error {
_, err := c.Clientset.CoreV1().Namespaces().Create(ctx, zarfNamespace, metav1.CreateOptions{})
if err != nil && !kerrors.IsAlreadyExists(err) {
return fmt.Errorf("unable to create the Zarf namespace: %w", err)
}
if err == nil {
return nil
}
_, err = c.Clientset.CoreV1().Namespaces().Update(ctx, zarfNamespace, metav1.UpdateOptions{})
if err != nil {
return fmt.Errorf("unable to update the Zarf namespace: %w", err)
}
return nil
}()
if err != nil {
return err
}

// Wait up to 2 minutes for the default service account to be created.
Expand Down
Loading

0 comments on commit df5831f

Please sign in to comment.