Merge branch 'main' into google_analytics

zarf-dev · May 21, 2024 · 30af5ee · 30af5ee
2 parents ec7736b + 097a6ee
commit 30af5ee
Show file tree

Hide file tree

Showing 36 changed files with 864 additions and 140 deletions.
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -5,6 +5,7 @@ linters:
   enable:
     - gosimple
     - govet
+    - ineffassign
     - staticcheck
     - unused
     - revive

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -33,7 +33,7 @@ repos:
         entry: golangci-lint run --enable-only goimports --fix
         types: [go]
         language: golang
-        pass_filenames: true
+        pass_filenames: false
       - id: lint
         name: golangci-lint go lint
         entry: golangci-lint run

diff --git a/packages/zarf-agent/manifests/deployment.yaml b/packages/zarf-agent/manifests/deployment.yaml
@@ -20,6 +20,7 @@ spec:
       imagePullSecrets:
         - name: private-registry
       priorityClassName: system-node-critical
+      serviceAccountName: zarf
       containers:
         - name: server
           image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"

diff --git a/packages/zarf-agent/manifests/role.yaml b/packages/zarf-agent/manifests/role.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: zarf-agent
+  namespace: zarf
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
diff --git a/packages/zarf-agent/manifests/rolebinding.yaml b/packages/zarf-agent/manifests/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: zarf-agent-binding
+  namespace: zarf
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: zarf-agent
+subjects:
+- kind: ServiceAccount
+  name: zarf
+  namespace: zarf
diff --git a/packages/zarf-agent/manifests/serviceaccount.yaml b/packages/zarf-agent/manifests/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: zarf
+  namespace: zarf
diff --git a/packages/zarf-agent/zarf.yaml b/packages/zarf-agent/zarf.yaml
@@ -27,6 +27,9 @@ components:
           - manifests/secret.yaml
           - manifests/deployment.yaml
           - manifests/webhook.yaml
+          - manifests/role.yaml
+          - manifests/rolebinding.yaml
+          - manifests/serviceaccount.yaml
     actions:
       onCreate:
         before:

diff --git a/src/cmd/package.go b/src/cmd/package.go
@@ -133,9 +133,9 @@ var packageListCmd = &cobra.Command{
 	Short:   lang.CmdPackageListShort,
 	Run: func(cmd *cobra.Command, _ []string) {
 		ctx := cmd.Context()
-		deployedZarfPackages, errs := common.NewClusterOrDie(ctx).GetDeployedZarfPackages(ctx)
-		if len(errs) > 0 && len(deployedZarfPackages) == 0 {
-			message.Fatalf(errs, lang.CmdPackageListNoPackageWarn)
+		deployedZarfPackages, err := common.NewClusterOrDie(ctx).GetDeployedZarfPackages(ctx)
+		if err != nil && len(deployedZarfPackages) == 0 {
+			message.Fatalf(err, lang.CmdPackageListNoPackageWarn)
 		}
 
 		// Populate a matrix of all the deployed packages
@@ -157,8 +157,8 @@ var packageListCmd = &cobra.Command{
 		message.Table(header, packageData)
 
 		// Print out any unmarshalling errors
-		if len(errs) > 0 {
-			message.Fatalf(errs, lang.CmdPackageListUnmarshalErr)
+		if err != nil {
+			message.Fatalf(err, lang.CmdPackageListUnmarshalErr)
 		}
 	},
 }

diff --git a/src/cmd/tools/crane.go b/src/cmd/tools/crane.go
@@ -227,8 +227,8 @@ func pruneImages(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	zarfPackages, errs := c.GetDeployedZarfPackages(ctx)
-	if len(errs) > 0 {
+	zarfPackages, err := c.GetDeployedZarfPackages(ctx)
+	if err != nil {
 		return lang.ErrUnableToGetPackages
 	}
 

diff --git a/src/cmd/tools/zarf.go b/src/cmd/tools/zarf.go
@@ -7,25 +7,27 @@ package tools
 import (
 	"fmt"
 	"os"
-
 	"slices"
 
 	"github.com/AlecAivazis/survey/v2"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/spf13/cobra"
+
 	"github.com/defenseunicorns/pkg/helpers"
 	"github.com/defenseunicorns/pkg/oci"
+
 	"github.com/defenseunicorns/zarf/src/cmd/common"
 	"github.com/defenseunicorns/zarf/src/config"
 	"github.com/defenseunicorns/zarf/src/config/lang"
 	"github.com/defenseunicorns/zarf/src/internal/packager/git"
 	"github.com/defenseunicorns/zarf/src/internal/packager/helm"
 	"github.com/defenseunicorns/zarf/src/internal/packager/template"
+	"github.com/defenseunicorns/zarf/src/pkg/cluster"
 	"github.com/defenseunicorns/zarf/src/pkg/message"
 	"github.com/defenseunicorns/zarf/src/pkg/packager/sources"
 	"github.com/defenseunicorns/zarf/src/pkg/pki"
 	"github.com/defenseunicorns/zarf/src/pkg/zoci"
 	"github.com/defenseunicorns/zarf/src/types"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/spf13/cobra"
 )
 
 var subAltNames []string
@@ -92,8 +94,8 @@ var updateCredsCmd = &cobra.Command{
 			// If no distro the zarf secret did not load properly
 			message.Fatalf(nil, lang.ErrLoadState)
 		}
-		var newState *types.ZarfState
-		if newState, err = c.MergeZarfState(oldState, updateCredsInitOpts, args); err != nil {
+		newState, err := cluster.MergeZarfState(oldState, updateCredsInitOpts, args)
+		if err != nil {
 			message.Fatal(err, lang.CmdToolsUpdateCredsUnableUpdateCreds)
 		}
 

diff --git a/src/config/config.go b/src/config/config.go
@@ -29,7 +29,6 @@ const (
 	ZarfConnectAnnotationDescription = "zarf.dev/connect-description"
 	ZarfConnectAnnotationURL         = "zarf.dev/connect-url"
 
-	ZarfManagedByLabel     = "app.kubernetes.io/managed-by"
 	ZarfCleanupScriptsPath = "/opt/zarf"
 
 	ZarfPackagePrefix = "zarf-package-"

diff --git a/src/config/lang/english.go b/src/config/lang/english.go
@@ -664,7 +664,7 @@ const (
 	AgentErrBadRequest             = "could not read request body: %s"
 	AgentErrBindHandler            = "Unable to bind the webhook handler"
 	AgentErrCouldNotDeserializeReq = "could not deserialize request: %s"
-	AgentErrGetState               = "failed to load zarf state from file: %w"
+	AgentErrGetState               = "failed to load zarf state: %w"
 	AgentErrHostnameMatch          = "failed to complete hostname matching: %w"
 	AgentErrImageSwap              = "Unable to swap the host for (%s)"
 	AgentErrInvalidMethod          = "invalid method only POST requests are allowed"

diff --git a/src/internal/agent/hooks/pods.go b/src/internal/agent/hooks/pods.go
@@ -5,13 +5,14 @@
 package hooks
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 
 	"github.com/defenseunicorns/zarf/src/config"
 	"github.com/defenseunicorns/zarf/src/config/lang"
 	"github.com/defenseunicorns/zarf/src/internal/agent/operations"
-	"github.com/defenseunicorns/zarf/src/internal/agent/state"
+	"github.com/defenseunicorns/zarf/src/pkg/cluster"
 	"github.com/defenseunicorns/zarf/src/pkg/message"
 	"github.com/defenseunicorns/zarf/src/pkg/transform"
 	v1 "k8s.io/api/admission/v1"
@@ -20,11 +21,15 @@ import (
 )
 
 // NewPodMutationHook creates a new instance of pods mutation hook.
-func NewPodMutationHook() operations.Hook {
+func NewPodMutationHook(ctx context.Context, cluster *cluster.Cluster) operations.Hook {
 	message.Debug("hooks.NewMutationHook()")
 	return operations.Hook{
-		Create: mutatePod,
-		Update: mutatePod,
+		Create: func(r *v1.AdmissionRequest) (*operations.Result, error) {
+			return mutatePod(ctx, r, cluster)
+		},
+		Update: func(r *v1.AdmissionRequest) (*operations.Result, error) {
+			return mutatePod(ctx, r, cluster)
+		},
 	}
 }
 
@@ -34,14 +39,12 @@ func parsePod(object []byte) (*corev1.Pod, error) {
 	if err := json.Unmarshal(object, &pod); err != nil {
 		return nil, err
 	}
-
 	return &pod, nil
 }
 
-func mutatePod(r *v1.AdmissionRequest) (*operations.Result, error) {
+func mutatePod(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (*operations.Result, error) {
 	message.Debugf("hooks.mutatePod()(*v1.AdmissionRequest) - %#v , %s/%s: %#v", r.Kind, r.Namespace, r.Name, r.Operation)
 
-	var patchOperations []operations.PatchOperation
 	pod, err := parsePod(r.Object.Raw)
 	if err != nil {
 		return &operations.Result{Msg: err.Error()}, nil
@@ -51,24 +54,26 @@ func mutatePod(r *v1.AdmissionRequest) (*operations.Result, error) {
 		// We've already played with this pod, just keep swimming 🐟
 		return &operations.Result{
 			Allowed:  true,
-			PatchOps: patchOperations,
+			PatchOps: []operations.PatchOperation{},
 		}, nil
 	}
 
-	// Add the zarf secret to the podspec
-	zarfSecret := []corev1.LocalObjectReference{{Name: config.ZarfImagePullSecretName}}
-	patchOperations = append(patchOperations, operations.ReplacePatchOperation("/spec/imagePullSecrets", zarfSecret))
-
-	zarfState, err := state.GetZarfStateFromAgentPod()
+	state, err := cluster.LoadZarfState(ctx)
 	if err != nil {
 		return nil, fmt.Errorf(lang.AgentErrGetState, err)
 	}
-	containerRegistryURL := zarfState.RegistryInfo.Address
+	registryURL := state.RegistryInfo.Address
+
+	var patchOperations []operations.PatchOperation
+
+	// Add the zarf secret to the podspec
+	zarfSecret := []corev1.LocalObjectReference{{Name: config.ZarfImagePullSecretName}}
+	patchOperations = append(patchOperations, operations.ReplacePatchOperation("/spec/imagePullSecrets", zarfSecret))
 
 	// update the image host for each init container
 	for idx, container := range pod.Spec.InitContainers {
 		path := fmt.Sprintf("/spec/initContainers/%d/image", idx)
-		replacement, err := transform.ImageTransformHost(containerRegistryURL, container.Image)
+		replacement, err := transform.ImageTransformHost(registryURL, container.Image)
 		if err != nil {
 			message.Warnf(lang.AgentErrImageSwap, container.Image)
 			continue // Continue, because we might as well attempt to mutate the other containers for this pod
@@ -79,7 +84,7 @@ func mutatePod(r *v1.AdmissionRequest) (*operations.Result, error) {
 	// update the image host for each ephemeral container
 	for idx, container := range pod.Spec.EphemeralContainers {
 		path := fmt.Sprintf("/spec/ephemeralContainers/%d/image", idx)
-		replacement, err := transform.ImageTransformHost(containerRegistryURL, container.Image)
+		replacement, err := transform.ImageTransformHost(registryURL, container.Image)
 		if err != nil {
 			message.Warnf(lang.AgentErrImageSwap, container.Image)
 			continue // Continue, because we might as well attempt to mutate the other containers for this pod
@@ -90,7 +95,7 @@ func mutatePod(r *v1.AdmissionRequest) (*operations.Result, error) {
 	// update the image host for each normal container
 	for idx, container := range pod.Spec.Containers {
 		path := fmt.Sprintf("/spec/containers/%d/image", idx)
-		replacement, err := transform.ImageTransformHost(containerRegistryURL, container.Image)
+		replacement, err := transform.ImageTransformHost(registryURL, container.Image)
 		if err != nil {
 			message.Warnf(lang.AgentErrImageSwap, container.Image)
 			continue // Continue, because we might as well attempt to mutate the other containers for this pod
@@ -99,7 +104,15 @@ func mutatePod(r *v1.AdmissionRequest) (*operations.Result, error) {
 	}
 
 	// Add a label noting the zarf mutation
-	patchOperations = append(patchOperations, operations.ReplacePatchOperation("/metadata/labels/zarf-agent", "patched"))
+	if pod.Labels == nil {
+		// If the labels path does not exist - create with map[string]string value
+		patchOperations = append(patchOperations, operations.AddPatchOperation("/metadata/labels",
+			map[string]string{
+				"zarf-agent": "patched",
+			}))
+	} else {
+		patchOperations = append(patchOperations, operations.ReplacePatchOperation("/metadata/labels/zarf-agent", "patched"))
+	}
 
 	return &operations.Result{
 		Allowed:  true,