mirror of https://github.com/fluxcd/flux2.git
465 lines
14 KiB
Go
465 lines
14 KiB
Go
/*
|
|
Copyright 2021 The Flux authors
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package bootstrap
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/ProtonMail/go-crypto/openpgp"
|
|
gogit "github.com/fluxcd/go-git/v5"
|
|
corev1 "k8s.io/api/core/v1"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
"k8s.io/apimachinery/pkg/util/wait"
|
|
"k8s.io/cli-runtime/pkg/genericclioptions"
|
|
"sigs.k8s.io/cli-utils/pkg/object"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
"sigs.k8s.io/kustomize/api/konfig"
|
|
"sigs.k8s.io/yaml"
|
|
|
|
kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
|
|
"github.com/fluxcd/pkg/kustomize/filesys"
|
|
runclient "github.com/fluxcd/pkg/runtime/client"
|
|
|
|
"github.com/fluxcd/flux2/internal/utils"
|
|
"github.com/fluxcd/flux2/pkg/log"
|
|
"github.com/fluxcd/flux2/pkg/manifestgen/install"
|
|
"github.com/fluxcd/flux2/pkg/manifestgen/kustomization"
|
|
"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
|
|
"github.com/fluxcd/flux2/pkg/manifestgen/sync"
|
|
"github.com/fluxcd/flux2/pkg/status"
|
|
"github.com/fluxcd/pkg/git"
|
|
"github.com/fluxcd/pkg/git/repository"
|
|
)
|
|
|
|
type PlainGitBootstrapper struct {
|
|
url string
|
|
branch string
|
|
|
|
signature git.Signature
|
|
commitMessageAppendix string
|
|
|
|
gpgKeyRing openpgp.EntityList
|
|
gpgPassphrase string
|
|
gpgKeyID string
|
|
|
|
restClientGetter genericclioptions.RESTClientGetter
|
|
restClientOptions *runclient.Options
|
|
|
|
postGenerateSecret []PostGenerateSecretFunc
|
|
|
|
gitClient repository.Client
|
|
kube client.Client
|
|
logger log.Logger
|
|
}
|
|
|
|
type GitOption interface {
|
|
applyGit(b *PlainGitBootstrapper)
|
|
}
|
|
|
|
func WithRepositoryURL(url string) GitOption {
|
|
return repositoryURLOption(url)
|
|
}
|
|
|
|
type repositoryURLOption string
|
|
|
|
func (o repositoryURLOption) applyGit(b *PlainGitBootstrapper) {
|
|
b.url = string(o)
|
|
}
|
|
|
|
func WithPostGenerateSecretFunc(callback PostGenerateSecretFunc) GitOption {
|
|
return postGenerateSecret(callback)
|
|
}
|
|
|
|
type postGenerateSecret PostGenerateSecretFunc
|
|
|
|
func (o postGenerateSecret) applyGit(b *PlainGitBootstrapper) {
|
|
b.postGenerateSecret = append(b.postGenerateSecret, PostGenerateSecretFunc(o))
|
|
}
|
|
|
|
func NewPlainGitProvider(git repository.Client, kube client.Client, opts ...GitOption) (*PlainGitBootstrapper, error) {
|
|
b := &PlainGitBootstrapper{
|
|
gitClient: git,
|
|
kube: kube,
|
|
}
|
|
for _, opt := range opts {
|
|
opt.applyGit(b)
|
|
}
|
|
return b, nil
|
|
}
|
|
|
|
func (b *PlainGitBootstrapper) ReconcileComponents(ctx context.Context, manifestsBase string, options install.Options, _ sourcesecret.Options) error {
|
|
// Clone if not already
|
|
if _, err := b.gitClient.Head(); err != nil {
|
|
if err != git.ErrNoGitRepository {
|
|
return err
|
|
}
|
|
|
|
b.logger.Actionf("cloning branch %q from Git repository %q", b.branch, b.url)
|
|
var cloned bool
|
|
if err = retry(1, 2*time.Second, func() (err error) {
|
|
_, err = b.gitClient.Clone(ctx, b.url, repository.CloneOptions{
|
|
CheckoutStrategy: repository.CheckoutStrategy{
|
|
Branch: b.branch,
|
|
},
|
|
})
|
|
if err != nil {
|
|
b.logger.Warningf(" clone failure: %s", err)
|
|
}
|
|
if err == nil {
|
|
cloned = true
|
|
}
|
|
return
|
|
}); err != nil {
|
|
return fmt.Errorf("failed to clone repository: %w", err)
|
|
}
|
|
if cloned {
|
|
b.logger.Successf("cloned repository")
|
|
}
|
|
}
|
|
|
|
// Generate component manifests
|
|
b.logger.Actionf("generating component manifests")
|
|
manifests, err := install.Generate(options, manifestsBase)
|
|
if err != nil {
|
|
return fmt.Errorf("component manifest generation failed: %w", err)
|
|
}
|
|
b.logger.Successf("generated component manifests")
|
|
|
|
// Write generated files and make a commit
|
|
var signer *openpgp.Entity
|
|
if b.gpgKeyRing != nil {
|
|
signer, err = getOpenPgpEntity(b.gpgKeyRing, b.gpgPassphrase, b.gpgKeyID)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate OpenPGP entity: %w", err)
|
|
}
|
|
}
|
|
commitMsg := fmt.Sprintf("Add Flux %s component manifests", options.Version)
|
|
if b.commitMessageAppendix != "" {
|
|
commitMsg = commitMsg + "\n\n" + b.commitMessageAppendix
|
|
}
|
|
|
|
commit, err := b.gitClient.Commit(git.Commit{
|
|
Author: b.signature,
|
|
Message: commitMsg,
|
|
}, repository.WithFiles(map[string]io.Reader{
|
|
manifests.Path: strings.NewReader(manifests.Content),
|
|
}), repository.WithSigner(signer))
|
|
if err != nil && err != git.ErrNoStagedFiles {
|
|
return fmt.Errorf("failed to commit sync manifests: %w", err)
|
|
}
|
|
|
|
if err == nil {
|
|
b.logger.Successf("committed sync manifests to %q (%q)", b.branch, commit)
|
|
b.logger.Actionf("pushing component manifests to %q", b.url)
|
|
if err = b.gitClient.Push(ctx); err != nil {
|
|
return fmt.Errorf("failed to push manifests: %w", err)
|
|
}
|
|
} else {
|
|
b.logger.Successf("component manifests are up to date")
|
|
}
|
|
|
|
// Conditionally install manifests
|
|
if mustInstallManifests(ctx, b.kube, options.Namespace) {
|
|
b.logger.Actionf("installing components in %q namespace", options.Namespace)
|
|
|
|
componentsYAML := filepath.Join(b.gitClient.Path(), manifests.Path)
|
|
kfile := filepath.Join(filepath.Dir(componentsYAML), konfig.DefaultKustomizationFileName())
|
|
if _, err := os.Stat(kfile); err == nil {
|
|
// Apply the components and their patches
|
|
if _, err := utils.Apply(ctx, b.restClientGetter, b.restClientOptions, b.gitClient.Path(), kfile); err != nil {
|
|
return err
|
|
}
|
|
} else {
|
|
// Apply the CRDs and controllers
|
|
if _, err := utils.Apply(ctx, b.restClientGetter, b.restClientOptions, b.gitClient.Path(), componentsYAML); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
b.logger.Successf("installed components")
|
|
}
|
|
|
|
b.logger.Successf("reconciled components")
|
|
return nil
|
|
}
|
|
|
|
func (b *PlainGitBootstrapper) ReconcileSourceSecret(ctx context.Context, options sourcesecret.Options) error {
|
|
// Determine if there is an existing secret
|
|
secretKey := client.ObjectKey{Name: options.Name, Namespace: options.Namespace}
|
|
b.logger.Actionf("determining if source secret %q exists", secretKey)
|
|
ok, err := secretExists(ctx, b.kube, secretKey)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to determine if deploy key secret exists: %w", err)
|
|
}
|
|
|
|
// Return early if exists and no custom config is passed
|
|
if ok && options.Keypair == nil && len(options.CAFile) == 0 && len(options.Username+options.Password) == 0 {
|
|
b.logger.Successf("source secret up to date")
|
|
return nil
|
|
}
|
|
|
|
// Generate source secret
|
|
b.logger.Actionf("generating source secret")
|
|
manifest, err := sourcesecret.Generate(options)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
var secret corev1.Secret
|
|
if err := yaml.Unmarshal([]byte(manifest.Content), &secret); err != nil {
|
|
return fmt.Errorf("failed to unmarshal generated source secret manifest: %w", err)
|
|
}
|
|
|
|
for _, callback := range b.postGenerateSecret {
|
|
if err = callback(ctx, secret, options); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Apply source secret
|
|
b.logger.Actionf("applying source secret %q", secretKey)
|
|
if err = reconcileSecret(ctx, b.kube, secret); err != nil {
|
|
return err
|
|
}
|
|
b.logger.Successf("reconciled source secret")
|
|
|
|
return nil
|
|
}
|
|
|
|
func (b *PlainGitBootstrapper) ReconcileSyncConfig(ctx context.Context, options sync.Options) error {
|
|
// Confirm that sync configuration does not overwrite existing config
|
|
if curPath, err := kustomizationPathDiffers(ctx, b.kube, client.ObjectKey{Name: options.Name, Namespace: options.Namespace}, options.TargetPath); err != nil {
|
|
return fmt.Errorf("failed to determine if sync configuration would overwrite existing Kustomization: %w", err)
|
|
} else if curPath != "" {
|
|
return fmt.Errorf("sync path configuration (%q) would overwrite path (%q) of existing Kustomization", options.TargetPath, curPath)
|
|
}
|
|
|
|
// Clone if not already
|
|
if _, err := b.gitClient.Head(); err != nil {
|
|
if err == git.ErrNoGitRepository {
|
|
b.logger.Actionf("cloning branch %q from Git repository %q", b.branch, b.url)
|
|
var cloned bool
|
|
if err = retry(1, 2*time.Second, func() (err error) {
|
|
_, err = b.gitClient.Clone(ctx, b.url, repository.CloneOptions{
|
|
CheckoutStrategy: repository.CheckoutStrategy{
|
|
Branch: b.branch,
|
|
},
|
|
})
|
|
if err == nil {
|
|
cloned = true
|
|
}
|
|
return
|
|
}); err != nil {
|
|
return fmt.Errorf("failed to clone repository: %w", err)
|
|
}
|
|
if cloned {
|
|
b.logger.Successf("cloned repository")
|
|
}
|
|
}
|
|
return err
|
|
}
|
|
|
|
// Generate sync manifests and write to Git repository
|
|
b.logger.Actionf("generating sync manifests")
|
|
manifests, err := sync.Generate(options)
|
|
if err != nil {
|
|
return fmt.Errorf("sync manifests generation failed: %w", err)
|
|
}
|
|
|
|
// Create secure Kustomize FS
|
|
fs, err := filesys.MakeFsOnDiskSecureBuild(b.gitClient.Path())
|
|
if err != nil {
|
|
return fmt.Errorf("failed to initialize Kustomize file system: %w", err)
|
|
}
|
|
|
|
if err = fs.WriteFile(filepath.Join(b.gitClient.Path(), manifests.Path), []byte(manifests.Content)); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Generate Kustomization
|
|
kusManifests, err := kustomization.Generate(kustomization.Options{
|
|
FileSystem: fs,
|
|
BaseDir: b.gitClient.Path(),
|
|
TargetPath: filepath.Dir(manifests.Path),
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("%s generation failed: %w", konfig.DefaultKustomizationFileName(), err)
|
|
}
|
|
b.logger.Successf("generated sync manifests")
|
|
|
|
// Write generated files and make a commit
|
|
var signer *openpgp.Entity
|
|
if b.gpgKeyRing != nil {
|
|
signer, err = getOpenPgpEntity(b.gpgKeyRing, b.gpgPassphrase, b.gpgKeyID)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate OpenPGP entity: %w", err)
|
|
}
|
|
}
|
|
commitMsg := fmt.Sprintf("Add Flux sync manifests")
|
|
if b.commitMessageAppendix != "" {
|
|
commitMsg = commitMsg + "\n\n" + b.commitMessageAppendix
|
|
}
|
|
|
|
commit, err := b.gitClient.Commit(git.Commit{
|
|
Author: b.signature,
|
|
Message: commitMsg,
|
|
}, repository.WithFiles(map[string]io.Reader{
|
|
kusManifests.Path: strings.NewReader(kusManifests.Content),
|
|
}), repository.WithSigner(signer))
|
|
if err != nil && err != git.ErrNoStagedFiles {
|
|
return fmt.Errorf("failed to commit sync manifests: %w", err)
|
|
}
|
|
|
|
if err == nil {
|
|
b.logger.Successf("committed sync manifests to %q (%q)", b.branch, commit)
|
|
b.logger.Actionf("pushing sync manifests to %q", b.url)
|
|
err = b.gitClient.Push(ctx)
|
|
if err != nil {
|
|
if strings.HasPrefix(err.Error(), gogit.ErrNonFastForwardUpdate.Error()) {
|
|
b.logger.Waitingf("git conflict detected, retrying with a fresh clone")
|
|
if err := os.RemoveAll(b.gitClient.Path()); err != nil {
|
|
return fmt.Errorf("failed to remove tmp dir: %w", err)
|
|
}
|
|
if err := os.Mkdir(b.gitClient.Path(), 0o700); err != nil {
|
|
return fmt.Errorf("failed to recreate tmp dir: %w", err)
|
|
}
|
|
if err = retry(1, 2*time.Second, func() (err error) {
|
|
_, err = b.gitClient.Clone(ctx, b.url, repository.CloneOptions{
|
|
CheckoutStrategy: repository.CheckoutStrategy{
|
|
Branch: b.branch,
|
|
},
|
|
})
|
|
return
|
|
}); err != nil {
|
|
return fmt.Errorf("failed to clone repository: %w", err)
|
|
}
|
|
return b.ReconcileSyncConfig(ctx, options)
|
|
}
|
|
return fmt.Errorf("failed to push sync manifests: %w", err)
|
|
}
|
|
} else {
|
|
b.logger.Successf("sync manifests are up to date")
|
|
}
|
|
|
|
// Apply to cluster
|
|
b.logger.Actionf("applying sync manifests")
|
|
if _, err := utils.Apply(ctx, b.restClientGetter, b.restClientOptions, b.gitClient.Path(), filepath.Join(b.gitClient.Path(), kusManifests.Path)); err != nil {
|
|
return err
|
|
}
|
|
|
|
b.logger.Successf("reconciled sync configuration")
|
|
|
|
return nil
|
|
}
|
|
|
|
func (b *PlainGitBootstrapper) ReportKustomizationHealth(ctx context.Context, options sync.Options, pollInterval, timeout time.Duration) error {
|
|
head, err := b.gitClient.Head()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
objKey := client.ObjectKey{Name: options.Name, Namespace: options.Namespace}
|
|
|
|
b.logger.Waitingf("waiting for Kustomization %q to be reconciled", objKey.String())
|
|
|
|
expectRevision := fmt.Sprintf("%s/%s", options.Branch, head)
|
|
var k kustomizev1.Kustomization
|
|
if err := wait.PollImmediate(pollInterval, timeout, kustomizationReconciled(
|
|
ctx, b.kube, objKey, &k, expectRevision),
|
|
); err != nil {
|
|
b.logger.Failuref(err.Error())
|
|
return err
|
|
}
|
|
|
|
b.logger.Successf("Kustomization reconciled successfully")
|
|
return nil
|
|
}
|
|
|
|
func (b *PlainGitBootstrapper) ReportComponentsHealth(ctx context.Context, install install.Options, timeout time.Duration) error {
|
|
cfg, err := utils.KubeConfig(b.restClientGetter, b.restClientOptions)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
checker, err := status.NewStatusChecker(cfg, 5*time.Second, timeout, b.logger)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var components = install.Components
|
|
components = append(components, install.ComponentsExtra...)
|
|
|
|
var identifiers []object.ObjMetadata
|
|
for _, component := range components {
|
|
identifiers = append(identifiers, object.ObjMetadata{
|
|
Namespace: install.Namespace,
|
|
Name: component,
|
|
GroupKind: schema.GroupKind{Group: "apps", Kind: "Deployment"},
|
|
})
|
|
}
|
|
|
|
b.logger.Actionf("confirming components are healthy")
|
|
if err := checker.Assess(identifiers...); err != nil {
|
|
return err
|
|
}
|
|
b.logger.Successf("all components are healthy")
|
|
return nil
|
|
}
|
|
|
|
func getOpenPgpEntity(keyRing openpgp.EntityList, passphrase, keyID string) (*openpgp.Entity, error) {
|
|
if len(keyRing) == 0 {
|
|
return nil, fmt.Errorf("empty GPG key ring")
|
|
}
|
|
|
|
var entity *openpgp.Entity
|
|
if keyID != "" {
|
|
if strings.HasPrefix(keyID, "0x") {
|
|
keyID = strings.TrimPrefix(keyID, "0x")
|
|
}
|
|
if len(keyID) != 16 {
|
|
return nil, fmt.Errorf("invalid GPG key id length; expected %d, got %d", 16, len(keyID))
|
|
}
|
|
keyID = strings.ToUpper(keyID)
|
|
|
|
for _, ent := range keyRing {
|
|
if ent.PrimaryKey.KeyIdString() == keyID {
|
|
entity = ent
|
|
}
|
|
}
|
|
|
|
if entity == nil {
|
|
return nil, fmt.Errorf("no GPG keyring matching key id '%s' found", keyID)
|
|
}
|
|
if entity.PrivateKey == nil {
|
|
return nil, fmt.Errorf("keyring does not contain private key for key id '%s'", keyID)
|
|
}
|
|
} else {
|
|
entity = keyRing[0]
|
|
}
|
|
|
|
err := entity.PrivateKey.Decrypt([]byte(passphrase))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to decrypt GPG private key: %w", err)
|
|
}
|
|
|
|
return entity, nil
|
|
}
|