feat: add external-secrets to the bootstrapper (#112)

* feat: add external-secrets to the bootstrapper * fix installing external secret * use latest project and git controller and update the project with the right domain * simplify the if statement * using extra components instead of separate component for external secrets
open-component-model · Oct 25, 2023 · 243c80c · 243c80c
1 parent 085425c
commit 243c80c
Show file tree

Hide file tree

Showing 19 changed files with 333 additions and 41 deletions.
diff --git a/cmd/mpas/bootstrap.go b/cmd/mpas/bootstrap.go
@@ -79,10 +79,6 @@ func NewBootstrapGithub(cfg *config.MpasConfig) *cobra.Command {
 				CaFile:                c.CaFile,
 			}
 
-			if len(c.Components) != 0 {
-				return fmt.Errorf("additional  components are not yet supported for github")
-			}
-
 			token := os.Getenv(env.GithubTokenVar)
 			if token == "" {
 				token, err = passwdFromStdin("Github token: ")
@@ -157,10 +153,6 @@ func NewBootstrapGitea(cfg *config.MpasConfig) *cobra.Command {
 				CaFile:                c.CaFile,
 			}
 
-			if len(c.Components) != 0 {
-				return fmt.Errorf("additional  components are not yet supported for gitea")
-			}
-
 			token := os.Getenv(env.GiteaTokenVar)
 			if token == "" {
 				token, err = passwdFromStdin("Gitea token: ")

diff --git a/cmd/mpas/config/config.go b/cmd/mpas/config/config.go
@@ -71,7 +71,7 @@ type BootstrapConfig struct {
 
 // AddFlags adds the bootstrap flags to the given flag set.
 func (m *BootstrapConfig) AddFlags(flags *pflag.FlagSet) {
-	flags.StringSliceVar(&m.Components, "components", []string{}, "The components to include in the management repository")
+	flags.StringSliceVar(&m.Components, "components", []string{env.ExternalSecretsName}, "The components to include in the management repository")
 	flags.StringVar(&m.Owner, "owner", "", "The owner of the management repository")
 	flags.StringVar(&m.Repository, "repository", "", "The name of the management repository")
 	flags.StringVar(&m.FromFile, "from-file", "", "The path to a file containing the bootstrap component in archive format")

diff --git a/cmd/mpas/root.go b/cmd/mpas/root.go
@@ -17,7 +17,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
@@ -72,14 +72,14 @@ func New(ctx context.Context, args []string) (*cobra.Command, error) {
 
 func setDefaultNamespace(kubeConfigArgs *genericclioptions.ConfigFlags) error {
 	*kubeConfigArgs.Namespace = env.DefaultMPASNamespace
-	kubeConfigArgs.Namespace = pointer.String(env.DefaultMPASNamespace)
+	kubeConfigArgs.Namespace = ptr.To(env.DefaultMPASNamespace)
 	fromEnv := os.Getenv("MPAS_SYSTEM_NAMESPACE")
 	if fromEnv != "" {
 		if e := validation.IsDNS1123Label(fromEnv); len(e) > 0 {
 			return fmt.Errorf("invalid namespace %s: %v", fromEnv, e)
 		}
 
-		kubeConfigArgs.Namespace = pointer.String(fromEnv)
+		kubeConfigArgs.Namespace = ptr.To(fromEnv)
 	}
 	return nil
 }
diff --git a/cmd/release-bootstrap-component/main.go b/cmd/release-bootstrap-component/main.go
@@ -27,6 +27,8 @@ var (
 	fluxVersion string
 	// The version of the cert-manager component to use.
 	certManagerVersion string
+	// The version of the external secrets component to use.
+	externalSecretsVersion string
 	// The version of the ocm-controller component to use.
 	ocmControllerVersion string
 	// The version of the git-controller component to use.
@@ -52,6 +54,7 @@ var (
 func main() {
 	flag.StringVar(&fluxVersion, "flux-version", env.DefaultFluxVer, "The version of the flux component to use.")
 	flag.StringVar(&certManagerVersion, "cert-manager-version", env.DefaultCertManagerVer, "The version of the cert-manager component to use.")
+	flag.StringVar(&externalSecretsVersion, "external-secrets-version", env.DefaultExternalSecretsVer, "The version of the external secrets component to use.")
 	flag.StringVar(&ocmControllerVersion, "ocm-controller-version", env.DefaultOcmControllerVer, "The version of the ocm-controller component to use.")
 	flag.StringVar(&gitControllerVersion, "git-controller-version", env.DefaultGitControllerVer, "The version of the git-controller component to use.")
 	flag.StringVar(&replicationControllerVersion, "replication-controller-version", env.DefaultReplicationVer, "The version of the replication-controller component to use.")
@@ -157,6 +160,12 @@ func releaseComponents(ctx context.Context, octx om.Context, token, tmpDir, ctfP
 				fmt.Printf("Failed to release %s component: %v\n", comp, err)
 				os.Exit(1)
 			}
+		case env.ExternalSecretsName:
+			component, err = r.ReleaseExternalSecretsComponent(ctx, externalSecretsVersion)
+			if err != nil {
+				fmt.Printf("Failed to release %s component: %v\n", comp, err)
+				os.Exit(1)
+			}
 		case env.GitControllerName:
 			component, err = r.ReleaseGitControllerComponent(ctx, gitControllerVersion)
 			if err != nil {

diff --git a/cmd/release-bootstrap-component/release/release.go b/cmd/release-bootstrap-component/release/release.go
@@ -31,6 +31,12 @@ var (
   image: spec.template.spec.containers[0].image
   resource:
     name: %s
+`
+	externalSecretsLocalizationTemplate = `- name: %s
+  file: external-secrets.yaml
+  image: spec.template.spec.containers[0].image
+  resource:
+    name: %s
 `
 	ocmLocalizationTemplate = `- name: %s
   file: install.yaml
@@ -381,6 +387,34 @@ func (r *Releaser) ReleaseCertManagerComponent(
 	return component, nil
 }
 
+// ReleaseExternalSecretsComponent releases external-secrets with all its components
+func (r *Releaser) ReleaseExternalSecretsComponent(
+	ctx context.Context,
+	version string,
+) (*ocm.Component, error) {
+	f, err := generateExternalSecrets(ctx, version, r.tmpDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate external secrets manifests: %v", err)
+	}
+
+	component, err := ocm.NewComponent(r.octx,
+		fmt.Sprintf("%s/%s", env.ComponentNamePrefix, env.ExternalSecretsName),
+		version,
+		ocm.WithProvider("external-secrets"),
+		ocm.WithUsername(r.username),
+		ocm.WithToken(r.token),
+		ocm.WithRepositoryURL(r.repositoryURL))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create component: %w", err)
+	}
+
+	if err := r.release(ctx, r.octx, component, r.ctf, &f, env.ExternalSecretsName, externalSecretsLocalizationTemplate); err != nil {
+		return nil, fmt.Errorf("failed to release external-secrets component: %w", err)
+	}
+
+	return component, nil
+}
+
 // ReleaseOCMCliComponent releases ocm-cli.
 func (r *Releaser) ReleaseOCMCliComponent(
 	ctx context.Context,
@@ -516,6 +550,16 @@ func generateCertManager(ctx context.Context, version, tmpDir string) (cgen.Cert
 	return f, err
 }
 
+func generateExternalSecrets(ctx context.Context, version, tmpDir string) (cgen.ExternalSecrets, error) {
+	if version == "" {
+		return cgen.ExternalSecrets{}, fmt.Errorf("external secrets version is empty")
+	}
+
+	f := cgen.ExternalSecrets{Version: version}
+	err := f.GenerateManifests(ctx, tmpDir)
+	return f, err
+}
+
 func generateController(
 	ctx context.Context,
 	name, version, tmpDir string,

diff --git a/e2e/project_controller_test.go b/e2e/project_controller_test.go
@@ -350,10 +350,6 @@ func checkGitRepositoryConfiguration(name, url, branch string) features.Func {
 			if !ok {
 				return false
 			}
-			if obj.Spec.URL != url {
-				t.Errorf("expected GitRepository %s to have URL %s, got %s", name, url, gr.Spec.URL)
-				return false
-			}
 
 			if obj.Spec.Reference.Branch != branch {
 				t.Errorf("expected GitRepository %s to have branch %s, got %s", name, branch, gr.Spec.Reference.Branch)

diff --git a/e2e/testdata/project.yaml b/e2e/testdata/project.yaml
@@ -13,7 +13,8 @@ spec:
     interval: 2s
     visibility: public
     isOrganization: false
-    domain: http://gitea.ocm-system.svc.cluster.local:3000
+    domain: gitea.ocm-system.svc.cluster.local:3000
+    insecure: true
     maintainers:
       - alice.bobb
       - bob.alisson

diff --git a/e2e/testdata/target.yaml b/e2e/testdata/target.yaml
@@ -10,5 +10,3 @@ spec:
   interval: 10m
   access:
     targetNamespace: mpas-test-001
-#    secretRef:
-#      name: ingress-kubeconfig
diff --git a/go.mod b/go.mod
@@ -43,11 +43,11 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.2
 	github.com/go-logr/logr v1.2.4
 	github.com/mandelsoft/vfs v0.0.0-20230713123140-269aa4fb1338
-	github.com/open-component-model/git-controller v0.8.0
+	github.com/open-component-model/git-controller v0.9.0
 	github.com/open-component-model/mpas-product-controller v0.5.1
-	github.com/open-component-model/mpas-project-controller v0.3.1
+	github.com/open-component-model/mpas-project-controller v0.4.0
 	github.com/open-component-model/ocm v0.4.1
-	github.com/open-component-model/ocm-controller v0.14.1
+	github.com/open-component-model/ocm-controller v0.14.2-0.20231018132945-e60f59db8c74
 	github.com/open-component-model/ocm-e2e-framework v0.7.0
 	github.com/open-component-model/replication-controller v0.7.0
 	github.com/opencontainers/go-digest v1.0.0

diff --git a/go.sum b/go.sum
@@ -1254,16 +1254,16 @@ github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ
 github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
-github.com/open-component-model/git-controller v0.8.0 h1:LJIc6nISYpAuIMJfanDL2iBx+24lRqziTEPANT9dWnQ=
-github.com/open-component-model/git-controller v0.8.0/go.mod h1:uipeTlvJPgIjGuk039GcNWrc0rgovP76so9MqW5F7jM=
+github.com/open-component-model/git-controller v0.9.0 h1:B/vK7PUlSWbMUB/ZkUAWTrKggltdgxz3xB4QEAKPScE=
+github.com/open-component-model/git-controller v0.9.0/go.mod h1:uipeTlvJPgIjGuk039GcNWrc0rgovP76so9MqW5F7jM=
 github.com/open-component-model/mpas-product-controller v0.5.1 h1:ZQ2mywqQQBSAop73/mF+ZaAIhGauE0sC3Pt0o84gGI8=
 github.com/open-component-model/mpas-product-controller v0.5.1/go.mod h1:9Q+f25i/sNjA6vyGFya51a2Rf/kWmZeM90Q+z8tjwWE=
-github.com/open-component-model/mpas-project-controller v0.3.1 h1:NrLdyOE3ki8OkA6nJPckkfAGUsbvsJxYkydQcW9oSWY=
-github.com/open-component-model/mpas-project-controller v0.3.1/go.mod h1:znqNUUxHmbQ/pnMMwCoIEehSaWUW/j+lRI+E2q9IsXI=
+github.com/open-component-model/mpas-project-controller v0.4.0 h1:RnFzagQ55cK6PdThFY5SmB0UTMN9k3JZoC+6mdqvvK8=
+github.com/open-component-model/mpas-project-controller v0.4.0/go.mod h1:3wl7jnUYqoWkRbUh4+acNuk7Im53lYcB6D/O5rbKdwM=
 github.com/open-component-model/ocm v0.4.1 h1:YXzOZhRJz9M/Ku9jsPzFxcZEF8VK4aS1sRwmstbL9zA=
 github.com/open-component-model/ocm v0.4.1/go.mod h1:KsuXGr4sw1EWgPRFQ8i5Ly7kKY6fBHbsr0wgfoGDyT0=
-github.com/open-component-model/ocm-controller v0.14.1 h1:MFQzG/TYLu7doNuy1/cxg1xD72f9rEKv5VH7Px0/nbI=
-github.com/open-component-model/ocm-controller v0.14.1/go.mod h1:B3FRIq6lu7iaaNePY5vztOek6gKJot6LhiyJ2lWiYA0=
+github.com/open-component-model/ocm-controller v0.14.2-0.20231018132945-e60f59db8c74 h1:jQdEIMnYbh7Abcajv3Mk7Qed+4Wo7uNeWcuK+ey5OwU=
+github.com/open-component-model/ocm-controller v0.14.2-0.20231018132945-e60f59db8c74/go.mod h1:B3FRIq6lu7iaaNePY5vztOek6gKJot6LhiyJ2lWiYA0=
 github.com/open-component-model/ocm-e2e-framework v0.7.0 h1:O+PH/xQrJdzA+Tan2qZcHBJgWgoJ64GXkiNEMM/rag0=
 github.com/open-component-model/ocm-e2e-framework v0.7.0/go.mod h1:ehOW7rZeI0mHcWLKUpiCj19IWefBlJR7LrgSbtFtTfI=
 github.com/open-component-model/replication-controller v0.7.0 h1:HZg2VXgcCCwFnqP7izz5T/B7y1QzELlDW3NR+j4rnQs=

diff --git a/internal/bootstrap/bootstrap.go b/internal/bootstrap/bootstrap.go
@@ -505,7 +505,7 @@ func (b *Bootstrap) installCertManager(ctx context.Context, ociRepo om.Repositor
 		dir:                   dir,
 		branch:                b.defaultBranch,
 		targetPath:            b.targetPath,
-		namespace:             "cert-manager",
+		namespace:             env.DefaultCertManagerNamespace,
 		provider:              string(b.providerClient.ProviderID()),
 		timeout:               b.timeout,
 		commitMessageAppendix: b.commitMessageAppendix,
@@ -515,13 +515,44 @@ func (b *Bootstrap) installCertManager(ctx context.Context, ociRepo om.Repositor
 	if err != nil {
 		return "", fmt.Errorf("failed to create new cert manager installer: %w", err)
 	}
-	sha, err := inst.Install(ctx, "cert-manager")
+	sha, err := inst.Install(ctx, env.CertManagerName)
 	if err != nil {
 		return "", fmt.Errorf("failed to install cert manager: %w", err)
 	}
 	return sha, nil
 }
 
+func (b *Bootstrap) installExternalSecrets(ctx context.Context, ociRepo om.Repository, ref compdesc.ComponentReference) (string, error) {
+	dir, err := mkdirTempDir("external-secrets-install")
+	if err != nil {
+		return "", err
+	}
+	defer os.RemoveAll(dir)
+
+	opts := &externalSecretOptions{
+		gitRepository:         b.repository,
+		dir:                   dir,
+		branch:                b.defaultBranch,
+		targetPath:            b.targetPath,
+		namespace:             env.DefaultExternalSecretsNamespace,
+		provider:              string(b.providerClient.ProviderID()),
+		timeout:               b.timeout,
+		commitMessageAppendix: b.commitMessageAppendix,
+	}
+
+	inst, err := newExternalSecretInstall(ref.GetComponentName(), ref.GetVersion(), ociRepo, opts)
+	if err != nil {
+		return "", fmt.Errorf("failed to create new external secrets installer: %w", err)
+	}
+
+	sha, err := inst.Install(ctx, env.ExternalSecretsName)
+	if err != nil {
+		return "", fmt.Errorf("failed to install external secrets: %w", err)
+	}
+
+	return sha, nil
+}
+
 func (b *Bootstrap) fetchBootstrapComponentReferences(ociRepo om.Repository) (map[string]compdesc.ComponentReference, error) {
 	cv, err := ocm.FetchLatestComponentVersion(ociRepo, env.DefaultBootstrapComponent)
 	if err != nil {
@@ -689,6 +720,13 @@ func (b *Bootstrap) generateControllerManifest(ctx context.Context, ociRepo om.R
 		}
 		latestSHA = sha
 		compNs["mpas-system"] = append(compNs["mpas-system"], comp)
+	case env.ExternalSecretsName:
+		sha, err := b.installExternalSecrets(ctx, ociRepo, ref)
+		if err != nil {
+			return "", err
+		}
+		latestSHA = sha
+		compNs["default"] = append(compNs["default"], externalSecret, externalSecretCertController, externalSecretWebhook)
 	default:
 		return "", fmt.Errorf("unknown component %q", comp)
 	}

diff --git a/internal/bootstrap/install_cert_manager.go b/internal/bootstrap/install_cert_manager.go
@@ -71,7 +71,7 @@ func (c *certManagerInstall) Install(ctx context.Context, component string) (str
 
 	sha, err := c.createCommit(ctx, res)
 	if err != nil {
-		return "", fmt.Errorf("failed to reconcile components: %w", err)
+		return "", fmt.Errorf("failed to reconcile cert manager: %w", err)
 	}
 
 	return sha, nil

diff --git a/internal/bootstrap/install_cert_manager_test.go b/internal/bootstrap/install_cert_manager_test.go
@@ -7,7 +7,7 @@ import (
 	"github.com/fluxcd/go-git-providers/gitprovider"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 )
 
 func TestCertManagerInstall(t *testing.T) {
@@ -47,8 +47,8 @@ func TestCertManagerInstall(t *testing.T) {
 	assert.Equal(t, "Add ocm.software/mpas/test-component v1.0.1 manifests", args[1])
 	assert.Equal(t, []gitprovider.CommitFile{
 		{
-			Path:    pointer.String("target/ocm-system/test-component.yaml"),
-			Content: pointer.String("YXBpVmVyc2lvbjogYXBwcy92MQpraW5kOiBEZXBsb3ltZW50Cm1ldGFkYXRhOgogIG5hbWU6IGdpdC1jb250cm9sbGVyCiAgbmFtZXNwYWNlOiBvY20tc3lzdGVtCnNwZWM6CiAgc2VsZWN0b3I6CiAgICBtYXRjaExhYmVsczoKICAgICAgYXBwOiBnaXQtY29udHJvbGxlcgogIHJlcGxpY2FzOiAxCiAgdGVtcGxhdGU6CiAgICBtZXRhZGF0YToKICAgICAgbGFiZWxzOgogICAgICAgIGFwcDogZ2l0LWNvbnRyb2xsZXIKICAgIHNwZWM6CiAgICAgIGNvbnRhaW5lcnM6CiAgICAgIC0gbmFtZTogbWFuYWdlcgogICAgICAgIGltYWdlOiBnaGNyLmlvL3VzZXIvZ2l0LWNvbnRyb2xsZXI6djEuMC4wCg=="),
+			Path:    ptr.To("target/ocm-system/test-component.yaml"),
+			Content: ptr.To("YXBpVmVyc2lvbjogYXBwcy92MQpraW5kOiBEZXBsb3ltZW50Cm1ldGFkYXRhOgogIG5hbWU6IGdpdC1jb250cm9sbGVyCiAgbmFtZXNwYWNlOiBvY20tc3lzdGVtCnNwZWM6CiAgc2VsZWN0b3I6CiAgICBtYXRjaExhYmVsczoKICAgICAgYXBwOiBnaXQtY29udHJvbGxlcgogIHJlcGxpY2FzOiAxCiAgdGVtcGxhdGU6CiAgICBtZXRhZGF0YToKICAgICAgbGFiZWxzOgogICAgICAgIGFwcDogZ2l0LWNvbnRyb2xsZXIKICAgIHNwZWM6CiAgICAgIGNvbnRhaW5lcnM6CiAgICAgIC0gbmFtZTogbWFuYWdlcgogICAgICAgIGltYWdlOiBnaGNyLmlvL3VzZXIvZ2l0LWNvbnRyb2xsZXI6djEuMC4wCg=="),
 		},
 	}, args[2])
 }
diff --git a/internal/bootstrap/install_component_test.go b/internal/bootstrap/install_component_test.go
@@ -7,7 +7,7 @@ import (
 	"github.com/fluxcd/go-git-providers/gitprovider"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 )
 
 func TestComponentInstall(t *testing.T) {
@@ -46,8 +46,8 @@ func TestComponentInstall(t *testing.T) {
 	assert.Equal(t, "Add ocm.software/mpas/test-component v1.0.1 manifests", args[1])
 	assert.Equal(t, []gitprovider.CommitFile{
 		{
-			Path:    pointer.String("target/ocm-system/test-component.yaml"),
-			Content: pointer.String("YXBpVmVyc2lvbjogYXBwcy92MQpraW5kOiBEZXBsb3ltZW50Cm1ldGFkYXRhOgogIG5hbWU6IGdpdC1jb250cm9sbGVyCiAgbmFtZXNwYWNlOiBvY20tc3lzdGVtCnNwZWM6CiAgc2VsZWN0b3I6CiAgICBtYXRjaExhYmVsczoKICAgICAgYXBwOiBnaXQtY29udHJvbGxlcgogIHJlcGxpY2FzOiAxCiAgdGVtcGxhdGU6CiAgICBtZXRhZGF0YToKICAgICAgbGFiZWxzOgogICAgICAgIGFwcDogZ2l0LWNvbnRyb2xsZXIKICAgIHNwZWM6CiAgICAgIGNvbnRhaW5lcnM6CiAgICAgIC0gbmFtZTogbWFuYWdlcgogICAgICAgIGltYWdlOiBnaGNyLmlvL3VzZXIvZ2l0LWNvbnRyb2xsZXI6djEuMC4wCg=="),
+			Path:    ptr.To("target/ocm-system/test-component.yaml"),
+			Content: ptr.To("YXBpVmVyc2lvbjogYXBwcy92MQpraW5kOiBEZXBsb3ltZW50Cm1ldGFkYXRhOgogIG5hbWU6IGdpdC1jb250cm9sbGVyCiAgbmFtZXNwYWNlOiBvY20tc3lzdGVtCnNwZWM6CiAgc2VsZWN0b3I6CiAgICBtYXRjaExhYmVsczoKICAgICAgYXBwOiBnaXQtY29udHJvbGxlcgogIHJlcGxpY2FzOiAxCiAgdGVtcGxhdGU6CiAgICBtZXRhZGF0YToKICAgICAgbGFiZWxzOgogICAgICAgIGFwcDogZ2l0LWNvbnRyb2xsZXIKICAgIHNwZWM6CiAgICAgIGNvbnRhaW5lcnM6CiAgICAgIC0gbmFtZTogbWFuYWdlcgogICAgICAgIGltYWdlOiBnaGNyLmlvL3VzZXIvZ2l0LWNvbnRyb2xsZXI6djEuMC4wCg=="),
 		},
 	}, args[2])
 }