From 8304cfdd95555bb4fe065528651083df4d2dde9c Mon Sep 17 00:00:00 2001 From: Philip Laine Date: Wed, 25 Sep 2024 12:51:58 +0200 Subject: [PATCH] refactor: creator Signed-off-by: Philip Laine --- src/internal/packager2/layout/create.go | 518 ++++++++++++++++++ src/internal/packager2/layout/create_test.go | 109 ++++ src/internal/packager2/layout/import.go | 416 ++++++++++++++ .../packager2/layout/testdata/cosign.key | 11 + .../packager2/layout/testdata/cosign.pub | 4 + .../layout/testdata/zarf-package/archive.tar | Bin 0 -> 20480 bytes .../testdata/zarf-package/chart/.helmignore | 21 + .../testdata/zarf-package/chart/Chart.yaml | 13 + .../testdata/zarf-package/chart/LICENSE | 201 +++++++ .../layout/testdata/zarf-package/chart/NOTICE | 1 + .../zarf-package/chart/templates/NOTES.txt | 20 + .../zarf-package/chart/templates/_helpers.tpl | 69 +++ .../chart/templates/deployment.yaml | 205 +++++++ .../zarf-package/chart/templates/hpa.yaml | 41 ++ .../zarf-package/chart/templates/ingress.yaml | 41 ++ .../zarf-package/chart/templates/service.yaml | 36 ++ .../chart/templates/serviceaccount.yaml | 12 + .../testdata/zarf-package/chart/values.yaml | 164 ++++++ .../layout/testdata/zarf-package/data.txt | 1 + .../testdata/zarf-package/deployment.yaml | 21 + .../testdata/zarf-package/injection/data.txt | 1 + .../zarf-package/kustomize/kustomization.yaml | 2 + .../zarf-package/kustomize/namespace.yaml | 4 + .../layout/testdata/zarf-package/values.yaml | 5 + .../layout/testdata/zarf-package/zarf.yaml | 41 ++ src/pkg/lint/schema.go | 18 + src/pkg/packager/publish.go | 44 +- 27 files changed, 2003 insertions(+), 16 deletions(-) create mode 100644 src/internal/packager2/layout/create.go create mode 100644 src/internal/packager2/layout/create_test.go create mode 100644 src/internal/packager2/layout/import.go create mode 100644 src/internal/packager2/layout/testdata/cosign.key create mode 100644 src/internal/packager2/layout/testdata/cosign.pub create mode 100644 src/internal/packager2/layout/testdata/zarf-package/archive.tar create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/.helmignore create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/Chart.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/LICENSE create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/NOTICE create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/templates/NOTES.txt create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/templates/_helpers.tpl create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/templates/deployment.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/templates/hpa.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/templates/ingress.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/templates/service.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/templates/serviceaccount.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/chart/values.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/data.txt create mode 100644 src/internal/packager2/layout/testdata/zarf-package/deployment.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/injection/data.txt create mode 100644 src/internal/packager2/layout/testdata/zarf-package/kustomize/kustomization.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/kustomize/namespace.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/values.yaml create mode 100644 src/internal/packager2/layout/testdata/zarf-package/zarf.yaml diff --git a/src/internal/packager2/layout/create.go b/src/internal/packager2/layout/create.go new file mode 100644 index 0000000000..f9665e1a60 --- /dev/null +++ b/src/internal/packager2/layout/create.go @@ -0,0 +1,518 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package layout + +import ( + "archive/tar" + "context" + "crypto/sha256" + "encoding/hex" + "fmt" + "io" + "io/fs" + "os" + "path/filepath" + "runtime" + "slices" + "strconv" + "strings" + "time" + + "github.com/defenseunicorns/pkg/helpers/v2" + goyaml "github.com/goccy/go-yaml" + "github.com/mholt/archiver/v3" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" + + "github.com/zarf-dev/zarf/src/api/v1alpha1" + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/config/lang" + "github.com/zarf-dev/zarf/src/internal/packager/helm" + "github.com/zarf-dev/zarf/src/internal/packager/kustomize" + "github.com/zarf-dev/zarf/src/pkg/lint" + "github.com/zarf-dev/zarf/src/pkg/packager/composer" + "github.com/zarf-dev/zarf/src/pkg/packager/deprecated" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/pkg/zoci" +) + +// CreateOptions are the options for creating a skeleton package. +type CreateOptions struct { + Flavor string + RegistryOverrides map[string]string + SigningKeyPath string + SigningKeyPassword string + SetVariables map[string]string +} + +// CreateSkeleton creates a skeleton package and returns the path to the created package. +func CreateSkeleton(ctx context.Context, packagePath string, opt CreateOptions) (string, error) { + b, err := os.ReadFile(filepath.Join(packagePath, ZarfYAML)) + if err != nil { + return "", err + } + var pkg v1alpha1.ZarfPackage + err = goyaml.Unmarshal(b, &pkg) + if err != nil { + return "", err + } + buildPath, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return "", err + } + + pkg.Metadata.Architecture = config.GetArch() + + pkg, err = resolveImports(ctx, pkg, packagePath, pkg.Metadata.Architecture, opt.Flavor) + if err != nil { + return "", err + } + + pkg.Metadata.Architecture = zoci.SkeletonArch + + err = validate(pkg, packagePath, opt.SetVariables) + if err != nil { + return "", err + } + + for _, component := range pkg.Components { + err := assembleComponent(component, packagePath, buildPath) + if err != nil { + return "", err + } + } + + checksumContent, checksumSha, err := getChecksum(buildPath) + if err != nil { + return "", err + } + checksumPath := filepath.Join(buildPath, Checksums) + err = os.WriteFile(checksumPath, []byte(checksumContent), helpers.ReadWriteUser) + if err != nil { + return "", err + } + pkg.Metadata.AggregateChecksum = checksumSha + + pkg = recordPackageMetadata(pkg, opt.Flavor, opt.RegistryOverrides) + + b, err = goyaml.Marshal(pkg) + if err != nil { + return "", err + } + err = os.WriteFile(filepath.Join(buildPath, ZarfYAML), b, helpers.ReadUser) + if err != nil { + return "", err + } + + err = signPackage(buildPath, opt.SigningKeyPath, opt.SigningKeyPassword) + if err != nil { + return "", err + } + + return buildPath, nil +} + +func validate(pkg v1alpha1.ZarfPackage, packagePath string, setVariables map[string]string) error { + err := lint.ValidatePackage(pkg) + if err != nil { + return fmt.Errorf("package validation failed: %w", err) + } + findings, err := lint.ValidatePackageSchemaAtPath(packagePath, setVariables) + if err != nil { + return fmt.Errorf("unable to check schema: %w", err) + } + if len(findings) == 0 { + return nil + } + return &lint.LintError{ + BaseDir: packagePath, + PackageName: pkg.Metadata.Name, + Findings: findings, + } +} + +func composeComponents(ctx context.Context, pkg v1alpha1.ZarfPackage, flavor string) (v1alpha1.ZarfPackage, []string, error) { + components := []v1alpha1.ZarfComponent{} + warnings := []string{} + + pkgVars := pkg.Variables + pkgConsts := pkg.Constants + + arch := pkg.Metadata.Architecture + + for i, component := range pkg.Components { + // filter by architecture and flavor + if !composer.CompatibleComponent(component, arch, flavor) { + continue + } + + // if a match was found, strip flavor and architecture to reduce bloat in the package definition + component.Only.Cluster.Architecture = "" + component.Only.Flavor = "" + + // build the import chain + chain, err := composer.NewImportChain(ctx, component, i, pkg.Metadata.Name, arch, flavor) + if err != nil { + return v1alpha1.ZarfPackage{}, nil, err + } + + // migrate any deprecated component configurations now + warning := chain.Migrate(pkg.Build) + warnings = append(warnings, warning...) + + // get the composed component + composed, err := chain.Compose(ctx) + if err != nil { + return v1alpha1.ZarfPackage{}, nil, err + } + components = append(components, *composed) + + // merge variables and constants + pkgVars = chain.MergeVariables(pkgVars) + pkgConsts = chain.MergeConstants(pkgConsts) + } + + // set the filtered + composed components + pkg.Components = components + + pkg.Variables = pkgVars + pkg.Constants = pkgConsts + + return pkg, warnings, nil +} + +func assembleComponent(component v1alpha1.ZarfComponent, packagePath, buildPath string) error { + tmpBuildPath, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return err + } + defer os.RemoveAll(tmpBuildPath) + compBuildPath := filepath.Join(tmpBuildPath, component.Name) + err = os.MkdirAll(compBuildPath, 0o700) + if err != nil { + return err + } + + for chartIdx, chart := range component.Charts { + if chart.LocalPath != "" { + rel := filepath.Join(string(ChartsComponentDir), fmt.Sprintf("%s-%d", chart.Name, chartIdx)) + dst := filepath.Join(compBuildPath, rel) + + err := helpers.CreatePathAndCopy(filepath.Join(packagePath, chart.LocalPath), dst) + if err != nil { + return err + } + + component.Charts[chartIdx].LocalPath = rel + } + + for valuesIdx, path := range chart.ValuesFiles { + if helpers.IsURL(path) { + continue + } + + rel := fmt.Sprintf("%s-%d", helm.StandardName(string(ValuesComponentDir), chart), valuesIdx) + component.Charts[chartIdx].ValuesFiles[valuesIdx] = rel + + if err := helpers.CreatePathAndCopy(filepath.Join(packagePath, path), filepath.Join(compBuildPath, rel)); err != nil { + return fmt.Errorf("unable to copy chart values file %s: %w", path, err) + } + } + } + + for filesIdx, file := range component.Files { + if helpers.IsURL(file.Source) { + continue + } + + rel := filepath.Join(string(FilesComponentDir), strconv.Itoa(filesIdx), filepath.Base(file.Target)) + dst := filepath.Join(compBuildPath, rel) + destinationDir := filepath.Dir(dst) + + if file.ExtractPath != "" { + if err := archiver.Extract(filepath.Join(packagePath, file.Source), file.ExtractPath, destinationDir); err != nil { + return fmt.Errorf(lang.ErrFileExtract, file.ExtractPath, file.Source, err.Error()) + } + + // Make sure dst reflects the actual file or directory. + updatedExtractedFileOrDir := filepath.Join(destinationDir, file.ExtractPath) + if updatedExtractedFileOrDir != dst { + if err := os.Rename(updatedExtractedFileOrDir, dst); err != nil { + return fmt.Errorf(lang.ErrWritingFile, dst, err) + } + } + } else { + if err := helpers.CreatePathAndCopy(filepath.Join(packagePath, file.Source), dst); err != nil { + return fmt.Errorf("unable to copy file %s: %w", file.Source, err) + } + } + + // Change the source to the new relative source directory (any remote files will have been skipped above) + component.Files[filesIdx].Source = rel + + // Remove the extractPath from a skeleton since it will already extract it + component.Files[filesIdx].ExtractPath = "" + + // Abort packaging on invalid shasum (if one is specified). + if file.Shasum != "" { + if err := helpers.SHAsMatch(dst, file.Shasum); err != nil { + return err + } + } + + if file.Executable || helpers.IsDir(dst) { + err = os.Chmod(dst, helpers.ReadWriteExecuteUser) + if err != nil { + return err + } + } else { + err = os.Chmod(dst, helpers.ReadWriteUser) + if err != nil { + return err + } + } + } + + for dataIdx, data := range component.DataInjections { + rel := filepath.Join(string(DataComponentDir), strconv.Itoa(dataIdx), filepath.Base(data.Target.Path)) + dst := filepath.Join(compBuildPath, rel) + + if err := helpers.CreatePathAndCopy(filepath.Join(packagePath, data.Source), dst); err != nil { + return fmt.Errorf("unable to copy data injection %s: %s", data.Source, err.Error()) + } + + component.DataInjections[dataIdx].Source = rel + } + + // Iterate over all manifests. + for manifestIdx, manifest := range component.Manifests { + for fileIdx, path := range manifest.Files { + rel := filepath.Join(string(ManifestsComponentDir), fmt.Sprintf("%s-%d.yaml", manifest.Name, fileIdx)) + dst := filepath.Join(compBuildPath, rel) + + // Copy manifests without any processing. + if err := helpers.CreatePathAndCopy(filepath.Join(packagePath, path), dst); err != nil { + return fmt.Errorf("unable to copy manifest %s: %w", path, err) + } + + component.Manifests[manifestIdx].Files[fileIdx] = rel + } + + for kustomizeIdx, path := range manifest.Kustomizations { + // Generate manifests from kustomizations and place in the package. + kname := fmt.Sprintf("kustomization-%s-%d.yaml", manifest.Name, kustomizeIdx) + rel := filepath.Join(string(ManifestsComponentDir), kname) + dst := filepath.Join(compBuildPath, rel) + + if err := kustomize.Build(filepath.Join(packagePath, path), dst, manifest.KustomizeAllowAnyDirectory); err != nil { + return fmt.Errorf("unable to build kustomization %s: %w", path, err) + } + } + + // remove kustomizations + component.Manifests[manifestIdx].Kustomizations = nil + } + + // Write the tar component. + size, err := helpers.GetDirSize(compBuildPath) + if err != nil { + return err + } + if size == 0 { + return nil + } + err = os.MkdirAll(filepath.Join(compBuildPath, "temp"), 0o700) + if err != nil { + return err + } + tarPath := filepath.Join(buildPath, "components", fmt.Sprintf("%s.tar", component.Name)) + err = os.MkdirAll(filepath.Join(buildPath, "components"), 0o700) + if err != nil { + return err + } + err = createReproducibleTarballFromDir(compBuildPath, component.Name, tarPath) + if err != nil { + return err + } + return nil +} + +func recordPackageMetadata(pkg v1alpha1.ZarfPackage, flavor string, registryOverrides map[string]string) v1alpha1.ZarfPackage { + now := time.Now() + // Just use $USER env variable to avoid CGO issue. + // https://groups.google.com/g/golang-dev/c/ZFDDX3ZiJ84. + // Record the name of the user creating the package. + if runtime.GOOS == "windows" { + pkg.Build.User = os.Getenv("USERNAME") + } else { + pkg.Build.User = os.Getenv("USER") + } + + // Record the hostname of the package creation terminal. + // The error here is ignored because the hostname is not critical to the package creation. + hostname, _ := os.Hostname() + pkg.Build.Terminal = hostname + + if pkg.IsInitConfig() { + pkg.Metadata.Version = config.CLIVersion + } + + pkg.Build.Architecture = pkg.Metadata.Architecture + + // Record the Zarf Version the CLI was built with. + pkg.Build.Version = config.CLIVersion + + // Record the time of package creation. + pkg.Build.Timestamp = now.Format(time.RFC1123Z) + + // Record the migrations that will be ran on the package. + pkg.Build.Migrations = []string{ + deprecated.ScriptsToActionsMigrated, + deprecated.PluralizeSetVariable, + } + + // Record the flavor of Zarf used to build this package (if any). + pkg.Build.Flavor = flavor + + pkg.Build.RegistryOverrides = registryOverrides + + // Record the latest version of Zarf without breaking changes to the package structure. + pkg.Build.LastNonBreakingVersion = deprecated.LastNonBreakingVersion + + return pkg +} + +func getChecksum(dirPath string) (string, string, error) { + checksumData := []string{} + err := filepath.Walk(dirPath, func(path string, info fs.FileInfo, err error) error { + if err != nil { + return err + } + if info.IsDir() { + return nil + } + rel, err := filepath.Rel(dirPath, path) + if err != nil { + return err + } + if rel == ZarfYAML || rel == Checksums { + return nil + } + sum, err := helpers.GetSHA256OfFile(path) + if err != nil { + return err + } + checksumData = append(checksumData, fmt.Sprintf("%s %s", sum, filepath.ToSlash(rel))) + return nil + }) + if err != nil { + return "", "", err + } + slices.Sort(checksumData) + + checksumContent := strings.Join(checksumData, "\n") + "\n" + sha := sha256.Sum256([]byte(checksumContent)) + return checksumContent, hex.EncodeToString(sha[:]), nil +} + +func signPackage(dirPath, signingKeyPath, signingKeyPassword string) error { + if signingKeyPath == "" { + return nil + } + passFunc := func(_ bool) ([]byte, error) { + return []byte(signingKeyPassword), nil + } + keyOpts := options.KeyOpts{ + KeyRef: signingKeyPath, + PassFunc: passFunc, + } + rootOpts := &options.RootOptions{ + Verbose: false, + Timeout: options.DefaultTimeout, + } + _, err := sign.SignBlobCmd( + rootOpts, + keyOpts, + filepath.Join(dirPath, ZarfYAML), + true, + filepath.Join(dirPath, Signature), + "", + false) + if err != nil { + return err + } + return nil +} + +func createReproducibleTarballFromDir(dirPath, dirPrefix, tarballPath string) error { + tb, err := os.Create(tarballPath) + if err != nil { + return fmt.Errorf("error creating tarball: %w", err) + } + defer tb.Close() + + tw := tar.NewWriter(tb) + defer tw.Close() + + // Walk through the directory and process each file + return filepath.Walk(dirPath, func(filePath string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + link := "" + if info.Mode().Type() == os.ModeSymlink { + link, err = os.Readlink(filePath) + if err != nil { + return fmt.Errorf("error reading symlink: %w", err) + } + } + + // Create a new header + header, err := tar.FileInfoHeader(info, link) + if err != nil { + return fmt.Errorf("error creating tar header: %w", err) + } + + // Strip non-deterministic header data + header.ModTime = time.Time{} + header.AccessTime = time.Time{} + header.ChangeTime = time.Time{} + header.Uid = 0 + header.Gid = 0 + header.Uname = "" + header.Gname = "" + + header.Mode = header.Mode &^ 0o077 + + // Ensure the header's name is correctly set relative to the base directory + name, err := filepath.Rel(dirPath, filePath) + if err != nil { + return fmt.Errorf("error getting relative path: %w", err) + } + name = filepath.Join(dirPrefix, name) + name = filepath.ToSlash(name) + header.Name = name + + // Write the header to the tarball + if err := tw.WriteHeader(header); err != nil { + return fmt.Errorf("error writing header: %w", err) + } + + // If it's a file, write its content + if info.Mode().IsRegular() { + file, err := os.Open(filePath) + if err != nil { + return fmt.Errorf("error opening file: %w", err) + } + defer file.Close() + + if _, err := io.Copy(tw, file); err != nil { + return fmt.Errorf("error writing file to tarball: %w", err) + } + } + + return nil + }) +} diff --git a/src/internal/packager2/layout/create_test.go b/src/internal/packager2/layout/create_test.go new file mode 100644 index 0000000000..7e29bb875a --- /dev/null +++ b/src/internal/packager2/layout/create_test.go @@ -0,0 +1,109 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package layout + +import ( + "os" + "path/filepath" + "testing" + + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/stretchr/testify/require" + + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/lint" + "github.com/zarf-dev/zarf/src/test/testutil" +) + +func TestCreateSkeleton(t *testing.T) { + t.Parallel() + + ctx := testutil.TestContext(t) + + lint.ZarfSchema = testutil.LoadSchema(t, "../../../../zarf.schema.json") + + opt := CreateOptions{} + path, err := CreateSkeleton(ctx, "./testdata/zarf-package", opt) + require.NoError(t, err) + + pkgPath := layout.New(path) + _, warnings, err := pkgPath.ReadZarfYAML() + require.NoError(t, err) + require.Empty(t, warnings) + b, err := os.ReadFile(filepath.Join(pkgPath.Base, "checksums.txt")) + require.NoError(t, err) + expectedChecksum := `54f657b43323e1ebecb0758835b8d01a0113b61b7bab0f4a8156f031128d00f9 components/data-injections.tar +879bfe82d20f7bdcd60f9e876043cc4343af4177a6ee8b2660c304a5b6c70be7 components/files.tar +c497f1a56559ea0a9664160b32e4b377df630454ded6a3787924130c02f341a6 components/manifests.tar +fb7ebee94a4479bacddd71195030a483b0b0b96d4f73f7fcd2c2c8e0fce0c5c6 components/helm-charts.tar +` + require.Equal(t, expectedChecksum, string(b)) +} + +func TestGetChecksum(t *testing.T) { + t.Parallel() + + tmpDir := t.TempDir() + files := map[string]string{ + "empty.txt": "", + "foo": "bar", + "zarf.yaml": "Zarf Yaml Data", + "checksums.txt": "Old Checksum Data", + "nested/directory/file.md": "nested", + } + for k, v := range files { + err := os.MkdirAll(filepath.Join(tmpDir, filepath.Dir(k)), 0o700) + require.NoError(t, err) + err = os.WriteFile(filepath.Join(tmpDir, k), []byte(v), 0o600) + require.NoError(t, err) + } + + checksumContent, checksumHash, err := getChecksum(tmpDir) + require.NoError(t, err) + + expectedContent := `233562de1a0288b139c4fa40b7d189f806e906eeb048517aeb67f34ac0e2faf1 nested/directory/file.md +e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty.txt +fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9 foo +` + require.Equal(t, expectedContent, checksumContent) + require.Equal(t, "7c554cf67e1c2b50a1b728299c368cd56d53588300c37479623f29a52812ca3f", checksumHash) +} + +func TestSignPackage(t *testing.T) { + t.Parallel() + + tmpDir := t.TempDir() + yamlPath := filepath.Join(tmpDir, "zarf.yaml") + signedPath := filepath.Join(tmpDir, "zarf.yaml.sig") + + err := os.WriteFile(yamlPath, []byte("foobar"), 0o644) + require.NoError(t, err) + + err = signPackage(tmpDir, "", "") + require.NoError(t, err) + require.NoFileExists(t, signedPath) + + err = signPackage(tmpDir, "./testdata/cosign.key", "wrongpassword") + require.EqualError(t, err, "reading key: decrypt: encrypted: decryption failed") + + err = signPackage(tmpDir, "./testdata/cosign.key", "test") + require.NoError(t, err) + require.FileExists(t, signedPath) +} + +func TestCreateReproducibleTarballFromDir(t *testing.T) { + t.Parallel() + + tmpDir := t.TempDir() + err := os.WriteFile(filepath.Join(tmpDir, "test.txt"), []byte("hello world"), 0o600) + require.NoError(t, err) + tarPath := filepath.Join(t.TempDir(), "data.tar") + + err = createReproducibleTarballFromDir(tmpDir, "", tarPath) + require.NoError(t, err) + + shaSum, err := helpers.GetSHA256OfFile(tarPath) + require.NoError(t, err) + require.Equal(t, "c09d17f612f241cdf549e5fb97c9e063a8ad18ae7a9f3af066332ed6b38556ad", shaSum) +} diff --git a/src/internal/packager2/layout/import.go b/src/internal/packager2/layout/import.go new file mode 100644 index 0000000000..6e62833ace --- /dev/null +++ b/src/internal/packager2/layout/import.go @@ -0,0 +1,416 @@ +package layout + +import ( + "context" + "crypto/sha256" + "errors" + "fmt" + "path/filepath" + "slices" + + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/defenseunicorns/pkg/oci" + "github.com/mholt/archiver/v3" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + ocistore "oras.land/oras-go/v2/content/oci" + + "github.com/zarf-dev/zarf/src/api/v1alpha1" + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/message" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/pkg/zoci" +) + +func resolveImports(ctx context.Context, pkg v1alpha1.ZarfPackage, packagePath, arch, flavor string) (v1alpha1.ZarfPackage, error) { + variables := pkg.Variables + constants := pkg.Constants + components := []v1alpha1.ZarfComponent{} + + for _, component := range pkg.Components { + if !compatibleComponent(component, pkg.Metadata.Architecture, flavor) { + continue + } + isLocal := component.Import.Path != "" + isRemote := component.Import.URL != "" + + // Skip as component does not have any imports. + if !isLocal && !isRemote { + components = append(components, component) + continue + } + + if err := validateComponentCompose(component); err != nil { + return v1alpha1.ZarfPackage{}, fmt.Errorf("invalid imported definition for %s: %w", component.Name, err) + } + + var importedPkg v1alpha1.ZarfPackage + if isLocal { + err := utils.ReadYaml(filepath.Join(packagePath, component.Import.Path, layout.ZarfYAML), &importedPkg) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + } else if isRemote { + remote, err := zoci.NewRemote(component.Import.URL, zoci.PlatformForSkeleton()) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + _, err = remote.ResolveRoot(ctx) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + importedPkg, err = remote.FetchZarfYAML(ctx) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + } + + name := component.Name + if component.Import.Name != "" { + name = component.Import.Name + } + found := []v1alpha1.ZarfComponent{} + for _, component := range pkg.Components { + if component.Name == name && compatibleComponent(component, arch, flavor) { + found = append(found, component) + } + } + if len(found) == 0 { + return v1alpha1.ZarfPackage{}, fmt.Errorf("component %s not found", name) + } else if len(found) > 1 { + return v1alpha1.ZarfPackage{}, fmt.Errorf("multiple components named %s found", name) + } + + err := fetchOCISkeleton(ctx, component) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + + importedComponent := found[0] + importedComponent = fixPaths(importedComponent, packagePath) + composed, err := overrideComponent(component, importedComponent) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + + components = append(components, composed) + variables = append(variables, importedPkg.Variables...) + constants = append(constants, importedPkg.Constants...) + } + + pkg.Components = components + pkg.Variables = slices.CompactFunc(variables, func(l, r v1alpha1.InteractiveVariable) bool { + return l.Name == r.Name + }) + pkg.Constants = slices.CompactFunc(constants, func(l, r v1alpha1.Constant) bool { + return l.Name == r.Name + }) + return pkg, nil +} + +func validateComponentCompose(c v1alpha1.ZarfComponent) error { + var err error + path := c.Import.Path + url := c.Import.URL + + // ensure path or url is provided + if path == "" && url == "" { + err = errors.Join(err, errors.New("neither a path nor a URL was provided")) + } + + // ensure path and url are not both provided + if path != "" && url != "" { + err = errors.Join(err, errors.New("both a path and a URL were provided")) + } + + // validation for path + if url == "" && path != "" { + // ensure path is not an absolute path + if filepath.IsAbs(path) { + err = errors.Join(err, errors.New("path cannot be an absolute path")) + } + } + + // validation for url + if url != "" && path == "" { + ok := helpers.IsOCIURL(url) + if !ok { + err = errors.Join(err, errors.New("URL is not a valid OCI URL")) + } + } + + return err +} + +func compatibleComponent(c v1alpha1.ZarfComponent, arch, flavor string) bool { + satisfiesArch := c.Only.Cluster.Architecture == "" || c.Only.Cluster.Architecture == arch + satisfiesFlavor := c.Only.Flavor == "" || c.Only.Flavor == flavor + return satisfiesArch && satisfiesFlavor +} + +func fetchOCISkeleton(ctx context.Context, component v1alpha1.ZarfComponent) error { + name := component.Name + if component.Import.Name != "" { + name = component.Import.Name + } + + absCachePath, err := config.GetAbsCachePath() + if err != nil { + return err + } + cache := filepath.Join(absCachePath, "oci") + if err := helpers.CreateDirectory(cache, helpers.ReadWriteExecuteUser); err != nil { + return err + } + + // Get the descriptor for the component. + remote, err := zoci.NewRemote(component.Import.URL, zoci.PlatformForSkeleton()) + if err != nil { + return err + } + _, err = remote.ResolveRoot(ctx) + if err != nil { + return fmt.Errorf("published skeleton package for %s does not exist: %w", component.Import.URL, err) + } + manifest, err := remote.FetchRoot(ctx) + if err != nil { + return err + } + componentDesc := manifest.Locate(filepath.Join(layout.ComponentsDir, fmt.Sprintf("%s.tar", name))) + + // If there is not a tarball to fetch, create a directory named based upon the import url and the component name. + var tb, dir string + if oci.IsEmptyDescriptor(componentDesc) { + h := sha256.New() + h.Write([]byte(component.Import.URL + name)) + id := fmt.Sprintf("%x", h.Sum(nil)) + dir = filepath.Join(cache, "dirs", id) + message.Debug("creating empty directory for remote component:", filepath.Join("", "oci", "dirs", id)) + } else { + tb = filepath.Join(cache, "blobs", "sha256", componentDesc.Digest.Encoded()) + dir = filepath.Join(cache, "dirs", componentDesc.Digest.Encoded()) + + store, err := ocistore.New(cache) + if err != nil { + return err + } + + // ensure the tarball is in the cache + exists, err := store.Exists(ctx, componentDesc) + if err != nil { + return err + } else if !exists { + doneSaving := make(chan error) + successText := fmt.Sprintf("Pulling %q", helpers.OCIURLPrefix+remote.Repo().Reference.String()) + go utils.RenderProgressBarForLocalDirWrite(cache, componentDesc.Size, doneSaving, "Pulling", successText) + err = remote.CopyToTarget(ctx, []ocispec.Descriptor{componentDesc}, store, remote.GetDefaultCopyOpts()) + doneSaving <- err + <-doneSaving + if err != nil { + return err + } + } + } + + if err := helpers.CreateDirectory(dir, helpers.ReadWriteExecuteUser); err != nil { + return err + } + if oci.IsEmptyDescriptor(componentDesc) { + // nothing was fetched, nothing to extract + return nil + } + tu := archiver.Tar{ + OverwriteExisting: true, + // removes // from the paths + StripComponents: 1, + } + return tu.Unarchive(tb, dir) +} +func overrideComponent(c v1alpha1.ZarfComponent, override v1alpha1.ZarfComponent) (v1alpha1.ZarfComponent, error) { + // Metadata + c.Name = override.Name + c.Default = override.Default + c.Required = override.Required + + // Override description if it was provided. + if override.Description != "" { + c.Description = override.Description + } + + if override.Only.LocalOS != "" { + if c.Only.LocalOS != "" { + return v1alpha1.ZarfComponent{}, fmt.Errorf("component %q: \"only.localOS\" %q cannot be redefined as %q during compose", c.Name, c.Only.LocalOS, override.Only.LocalOS) + } + c.Only.LocalOS = override.Only.LocalOS + } + + // Deprecated + // Override cosign key path if it was provided. + if override.DeprecatedCosignKeyPath != "" { + c.DeprecatedCosignKeyPath = override.DeprecatedCosignKeyPath + } + + c.DeprecatedGroup = override.DeprecatedGroup + + // Merge deprecated scripts for backwards compatibility with older zarf binaries. + c.DeprecatedScripts.Before = append(c.DeprecatedScripts.Before, override.DeprecatedScripts.Before...) + c.DeprecatedScripts.After = append(c.DeprecatedScripts.After, override.DeprecatedScripts.After...) + + if override.DeprecatedScripts.Retry { + c.DeprecatedScripts.Retry = true + } + if override.DeprecatedScripts.ShowOutput { + c.DeprecatedScripts.ShowOutput = true + } + if override.DeprecatedScripts.TimeoutSeconds > 0 { + c.DeprecatedScripts.TimeoutSeconds = override.DeprecatedScripts.TimeoutSeconds + } + + // Actions + // Merge create actions. + c.Actions.OnCreate.Defaults = override.Actions.OnCreate.Defaults + c.Actions.OnCreate.Before = append(c.Actions.OnCreate.Before, override.Actions.OnCreate.Before...) + c.Actions.OnCreate.After = append(c.Actions.OnCreate.After, override.Actions.OnCreate.After...) + c.Actions.OnCreate.OnFailure = append(c.Actions.OnCreate.OnFailure, override.Actions.OnCreate.OnFailure...) + c.Actions.OnCreate.OnSuccess = append(c.Actions.OnCreate.OnSuccess, override.Actions.OnCreate.OnSuccess...) + + // Merge deploy actions. + c.Actions.OnDeploy.Defaults = override.Actions.OnDeploy.Defaults + c.Actions.OnDeploy.Before = append(c.Actions.OnDeploy.Before, override.Actions.OnDeploy.Before...) + c.Actions.OnDeploy.After = append(c.Actions.OnDeploy.After, override.Actions.OnDeploy.After...) + c.Actions.OnDeploy.OnFailure = append(c.Actions.OnDeploy.OnFailure, override.Actions.OnDeploy.OnFailure...) + c.Actions.OnDeploy.OnSuccess = append(c.Actions.OnDeploy.OnSuccess, override.Actions.OnDeploy.OnSuccess...) + + // Merge remove actions. + c.Actions.OnRemove.Defaults = override.Actions.OnRemove.Defaults + c.Actions.OnRemove.Before = append(c.Actions.OnRemove.Before, override.Actions.OnRemove.Before...) + c.Actions.OnRemove.After = append(c.Actions.OnRemove.After, override.Actions.OnRemove.After...) + c.Actions.OnRemove.OnFailure = append(c.Actions.OnRemove.OnFailure, override.Actions.OnRemove.OnFailure...) + c.Actions.OnRemove.OnSuccess = append(c.Actions.OnRemove.OnSuccess, override.Actions.OnRemove.OnSuccess...) + + // Resources + c.DataInjections = append(c.DataInjections, override.DataInjections...) + c.Files = append(c.Files, override.Files...) + c.Images = append(c.Images, override.Images...) + c.Repos = append(c.Repos, override.Repos...) + + // Merge charts with the same name to keep them unique + for _, overrideChart := range override.Charts { + existing := false + for idx := range c.Charts { + if c.Charts[idx].Name == overrideChart.Name { + if overrideChart.Namespace != "" { + c.Charts[idx].Namespace = overrideChart.Namespace + } + if overrideChart.ReleaseName != "" { + c.Charts[idx].ReleaseName = overrideChart.ReleaseName + } + c.Charts[idx].ValuesFiles = append(c.Charts[idx].ValuesFiles, overrideChart.ValuesFiles...) + c.Charts[idx].Variables = append(c.Charts[idx].Variables, overrideChart.Variables...) + existing = true + } + } + + if !existing { + c.Charts = append(c.Charts, overrideChart) + } + } + + // Merge manifests with the same name to keep them unique + for _, overrideManifest := range override.Manifests { + existing := false + for idx := range c.Manifests { + if c.Manifests[idx].Name == overrideManifest.Name { + if overrideManifest.Namespace != "" { + c.Manifests[idx].Namespace = overrideManifest.Namespace + } + c.Manifests[idx].Files = append(c.Manifests[idx].Files, overrideManifest.Files...) + c.Manifests[idx].Kustomizations = append(c.Manifests[idx].Kustomizations, overrideManifest.Kustomizations...) + + existing = true + } + } + + if !existing { + c.Manifests = append(c.Manifests, overrideManifest) + } + } + + c.HealthChecks = append(c.HealthChecks, override.HealthChecks...) + + return c, nil +} + +func makePathRelativeTo(path, relativeTo string) string { + if helpers.IsURL(path) { + return path + } + return filepath.Join(relativeTo, path) +} + +func fixPaths(child v1alpha1.ZarfComponent, relativeToHead string) v1alpha1.ZarfComponent { + for fileIdx, file := range child.Files { + composed := makePathRelativeTo(file.Source, relativeToHead) + child.Files[fileIdx].Source = composed + } + + for chartIdx, chart := range child.Charts { + for valuesIdx, valuesFile := range chart.ValuesFiles { + composed := makePathRelativeTo(valuesFile, relativeToHead) + child.Charts[chartIdx].ValuesFiles[valuesIdx] = composed + } + if child.Charts[chartIdx].LocalPath != "" { + composed := makePathRelativeTo(chart.LocalPath, relativeToHead) + child.Charts[chartIdx].LocalPath = composed + } + } + + for manifestIdx, manifest := range child.Manifests { + for fileIdx, file := range manifest.Files { + composed := makePathRelativeTo(file, relativeToHead) + child.Manifests[manifestIdx].Files[fileIdx] = composed + } + for kustomizeIdx, kustomization := range manifest.Kustomizations { + composed := makePathRelativeTo(kustomization, relativeToHead) + // kustomizations can use non-standard urls, so we need to check if the composed path exists on the local filesystem + abs, _ := filepath.Abs(composed) + invalid := helpers.InvalidPath(abs) + if !invalid { + child.Manifests[manifestIdx].Kustomizations[kustomizeIdx] = composed + } + } + } + + for dataInjectionsIdx, dataInjection := range child.DataInjections { + composed := makePathRelativeTo(dataInjection.Source, relativeToHead) + child.DataInjections[dataInjectionsIdx].Source = composed + } + + defaultDir := child.Actions.OnCreate.Defaults.Dir + child.Actions.OnCreate.Before = fixActionPaths(child.Actions.OnCreate.Before, defaultDir, relativeToHead) + child.Actions.OnCreate.After = fixActionPaths(child.Actions.OnCreate.After, defaultDir, relativeToHead) + child.Actions.OnCreate.OnFailure = fixActionPaths(child.Actions.OnCreate.OnFailure, defaultDir, relativeToHead) + child.Actions.OnCreate.OnSuccess = fixActionPaths(child.Actions.OnCreate.OnSuccess, defaultDir, relativeToHead) + + // deprecated + if child.DeprecatedCosignKeyPath != "" { + composed := makePathRelativeTo(child.DeprecatedCosignKeyPath, relativeToHead) + child.DeprecatedCosignKeyPath = composed + } + + return child +} + +// fixActionPaths takes a slice of actions and mutates the Dir to be relative to the head node +func fixActionPaths(actions []v1alpha1.ZarfComponentAction, defaultDir, relativeToHead string) []v1alpha1.ZarfComponentAction { + for actionIdx, action := range actions { + var composed string + if action.Dir != nil { + composed = makePathRelativeTo(*action.Dir, relativeToHead) + } else { + composed = makePathRelativeTo(defaultDir, relativeToHead) + } + actions[actionIdx].Dir = &composed + } + return actions +} diff --git a/src/internal/packager2/layout/testdata/cosign.key b/src/internal/packager2/layout/testdata/cosign.key new file mode 100644 index 0000000000..90fe1f9dfb --- /dev/null +++ b/src/internal/packager2/layout/testdata/cosign.key @@ -0,0 +1,11 @@ +-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY----- +eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6 +OCwicCI6MX0sInNhbHQiOiJEM1h4S3huclZqU3JjSkdvYTZIcTVWYkEwYUhwUldW +akJKR3F2L0pHZDMwPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 +Iiwibm9uY2UiOiJSOGZWZzlIczVIdFZKWENDVmJnODhwVFFObTRsQnh0RCJ9LCJj +aXBoZXJ0ZXh0IjoiclNHS3A0RGpMQzdnd0RnU0F6SnIwQXhVbmxxeG1EVVZ2ci9p +MzRHTk8vaGRCblRTVEpQYU5YRWJiZDd3R1hDMlVUeU9QOS92Q2NBUUI0dVBFNnZD +V3ZzSFVwOWYyZlJoazY1TXVFQkFLWStVaE1uQ0QzcGlueWhGNktOUmxEaG1tZCtZ +SnI4ZW4rczBMZnFQREJWRkRFb2lLVlJENEMxYVF5eTdveGJJOEZDWG9FSStTd284 +WnpsK2F1anpxdlYxTlg0NHJaeU9sZVRyV3c9PSJ9 +-----END ENCRYPTED SIGSTORE PRIVATE KEY----- diff --git a/src/internal/packager2/layout/testdata/cosign.pub b/src/internal/packager2/layout/testdata/cosign.pub new file mode 100644 index 0000000000..da98deb626 --- /dev/null +++ b/src/internal/packager2/layout/testdata/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWa56xczL+HvqDx5tUg9ThYzIAGcc +Geic52+Ajs65OgUKePRK49fki3cSZpqV1yCfqHUPnU+SaQjAiCPK3SAW9g== +-----END PUBLIC KEY----- diff --git a/src/internal/packager2/layout/testdata/zarf-package/archive.tar b/src/internal/packager2/layout/testdata/zarf-package/archive.tar new file mode 100644 index 0000000000000000000000000000000000000000..cbbd80680cd84b59686c8b82b86a1b1e1ea4b20f GIT binary patch literal 20480 zcmeIu!3x4K3;@u6%6>p;-PV0iQDFlQV@~n&?P&-*c-rmdkd!2Z^2%}@r}zDID{DEg zpEVp1u}1E?P)i#6_*-l1($y4Fmxun6V{TK3sqIq=O+4T)yOXcyT9&2>^Ef@Gc{kn~ z|K{7G2LS>E2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk u1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBn=3w#07z!#MO literal 0 HcmV?d00001 diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/.helmignore b/src/internal/packager2/layout/testdata/zarf-package/chart/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/Chart.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/Chart.yaml new file mode 100644 index 0000000000..0ae3bfd45f --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +version: 6.4.0 +appVersion: 6.4.0 +name: podinfo +engine: gotpl +description: Podinfo Helm chart for Kubernetes +home: https://github.com/stefanprodan/podinfo +maintainers: +- email: stefanprodan@users.noreply.github.com + name: stefanprodan +sources: +- https://github.com/stefanprodan/podinfo +kubeVersion: ">=1.23.0-0" diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/LICENSE b/src/internal/packager2/layout/testdata/zarf-package/chart/LICENSE new file mode 100644 index 0000000000..1b92ec15f9 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2018 Stefan Prodan. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/NOTICE b/src/internal/packager2/layout/testdata/zarf-package/chart/NOTICE new file mode 100644 index 0000000000..5b0414f8c2 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/NOTICE @@ -0,0 +1 @@ +All files from this chart are from https://github.com/stefanprodan/podinfo/tree/6.4.0/charts/podinfo. diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/NOTES.txt b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/NOTES.txt new file mode 100644 index 0000000000..d8329725ef --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/NOTES.txt @@ -0,0 +1,20 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "podinfo.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "podinfo.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.externalPort }} +{{- else if contains "ClusterIP" .Values.service.type }} + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl -n {{ .Release.Namespace }} port-forward deploy/{{ template "podinfo.fullname" . }} 8080:{{ .Values.service.externalPort }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/_helpers.tpl b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/_helpers.tpl new file mode 100644 index 0000000000..1f5a052871 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/_helpers.tpl @@ -0,0 +1,69 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "podinfo.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "podinfo.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "podinfo.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "podinfo.labels" -}} +helm.sh/chart: {{ include "podinfo.chart" . }} +{{ include "podinfo.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "podinfo.selectorLabels" -}} +app.kubernetes.io/name: {{ include "podinfo.fullname" . }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "podinfo.serviceAccountName" -}} +{{- if .Values.serviceAccount.enabled }} +{{- default (include "podinfo.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the tls secret for secure port +*/}} +{{- define "podinfo.tlsSecretName" -}} +{{- $fullname := include "podinfo.fullname" . -}} +{{- default (printf "%s-tls" $fullname) .Values.tls.secretName }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/deployment.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/deployment.yaml new file mode 100644 index 0000000000..87ed373534 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/deployment.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "podinfo.fullname" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +spec: + {{- if not .Values.hpa.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "podinfo.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "podinfo.selectorLabels" . | nindent 8 }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.service.httpPort }}" + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + terminationGracePeriodSeconds: 30 + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ template "podinfo.serviceAccountName" . }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- else if (or .Values.service.hostPort .Values.tls.hostPort) }} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- end }} + command: + - ./podinfo + - --port={{ .Values.service.httpPort | default 9898 }} + {{- if .Values.host }} + - --host={{ .Values.host }} + {{- end }} + {{- if .Values.tls.enabled }} + - --secure-port={{ .Values.tls.port }} + {{- end }} + {{- if .Values.tls.certPath }} + - --cert-path={{ .Values.tls.certPath }} + {{- end }} + {{- if .Values.service.metricsPort }} + - --port-metrics={{ .Values.service.metricsPort }} + {{- end }} + {{- if .Values.service.grpcPort }} + - --grpc-port={{ .Values.service.grpcPort }} + {{- end }} + {{- if .Values.service.grpcService }} + - --grpc-service-name={{ .Values.service.grpcService }} + {{- end }} + {{- range .Values.backends }} + - --backend-url={{ . }} + {{- end }} + {{- if .Values.cache }} + - --cache-server={{ .Values.cache }} + {{- else if .Values.redis.enabled }} + - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379 + {{- end }} + - --level={{ .Values.logLevel }} + - --random-delay={{ .Values.faults.delay }} + - --random-error={{ .Values.faults.error }} + {{- if .Values.faults.unhealthy }} + - --unhealthy + {{- end }} + {{- if .Values.faults.unready }} + - --unready + {{- end }} + {{- if .Values.h2c.enabled }} + - --h2c + {{- end }} + env: + {{- if .Values.ui.message }} + - name: PODINFO_UI_MESSAGE + value: {{ quote .Values.ui.message }} + {{- end }} + {{- if .Values.ui.logo }} + - name: PODINFO_UI_LOGO + value: {{ .Values.ui.logo }} + {{- end }} + {{- if .Values.ui.color }} + - name: PODINFO_UI_COLOR + value: {{ quote .Values.ui.color }} + {{- end }} + {{- if .Values.backend }} + - name: PODINFO_BACKEND_URL + value: {{ .Values.backend }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.service.httpPort | default 9898 }} + protocol: TCP + {{- if .Values.service.hostPort }} + hostPort: {{ .Values.service.hostPort }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: https + containerPort: {{ .Values.tls.port | default 9899 }} + protocol: TCP + {{- if .Values.tls.hostPort }} + hostPort: {{ .Values.tls.hostPort }} + {{- end }} + {{- end }} + {{- if .Values.service.metricsPort }} + - name: http-metrics + containerPort: {{ .Values.service.metricsPort }} + protocol: TCP + {{- end }} + {{- if .Values.service.grpcPort }} + - name: grpc + containerPort: {{ .Values.service.grpcPort }} + protocol: TCP + {{- end }} + {{- if .Values.probes.startup.enable }} + startupProbe: + exec: + command: + - podcli + - check + - http + - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz + {{- with .Values.probes.startup }} + initialDelaySeconds: {{ .initialDelaySeconds | default 1 }} + timeoutSeconds: {{ .timeoutSeconds | default 5 }} + failureThreshold: {{ .failureThreshold | default 3 }} + successThreshold: {{ .successThreshold | default 1 }} + periodSeconds: {{ .periodSeconds | default 10 }} + {{- end }} + {{- end }} + livenessProbe: + exec: + command: + - podcli + - check + - http + - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz + {{- with .Values.probes.liveness }} + initialDelaySeconds: {{ .initialDelaySeconds | default 1 }} + timeoutSeconds: {{ .timeoutSeconds | default 5 }} + failureThreshold: {{ .failureThreshold | default 3 }} + successThreshold: {{ .successThreshold | default 1 }} + periodSeconds: {{ .periodSeconds | default 10 }} + {{- end }} + readinessProbe: + exec: + command: + - podcli + - check + - http + - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz + {{- with .Values.probes.readiness }} + initialDelaySeconds: {{ .initialDelaySeconds | default 1 }} + timeoutSeconds: {{ .timeoutSeconds | default 5 }} + failureThreshold: {{ .failureThreshold | default 3 }} + successThreshold: {{ .successThreshold | default 1 }} + periodSeconds: {{ .periodSeconds | default 10 }} + {{- end }} + volumeMounts: + - name: data + mountPath: /data + {{- if .Values.tls.enabled }} + - name: tls + mountPath: {{ .Values.tls.certPath | default "/data/cert" }} + readOnly: true + {{- end }} + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: data + emptyDir: {} + {{- if .Values.tls.enabled }} + - name: tls + secret: + secretName: {{ template "podinfo.tlsSecretName" . }} + {{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/hpa.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/hpa.yaml new file mode 100644 index 0000000000..f2fb8df1b8 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/hpa.yaml @@ -0,0 +1,41 @@ +{{- if .Values.hpa.enabled -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "podinfo.fullname" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "podinfo.fullname" . }} + minReplicas: {{ .Values.replicaCount }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + metrics: + {{- if .Values.hpa.cpu }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.hpa.cpu }} + {{- end }} + {{- if .Values.hpa.memory }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ .Values.hpa.memory }} + {{- end }} + {{- if .Values.hpa.requests }} + - type: Pods + pods: + metric: + name: http_requests + target: + type: AverageValue + averageValue: {{ .Values.hpa.requests }} + {{- end }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/ingress.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/ingress.yaml new file mode 100644 index 0000000000..93f9ae437a --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/ingress.yaml @@ -0,0 +1,41 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "podinfo.fullname" . -}} +{{- $svcPort := .Values.service.externalPort -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- end }} + {{- end }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/service.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/service.yaml new file mode 100644 index 0000000000..6014e78853 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/service.yaml @@ -0,0 +1,36 @@ +{{- if .Values.service.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "podinfo.fullname" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +{{- with .Values.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: http + protocol: TCP + name: http + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + {{- if .Values.tls.enabled }} + - port: {{ .Values.tls.port | default 9899 }} + targetPort: https + protocol: TCP + name: https + {{- end }} + {{- if .Values.service.grpcPort }} + - port: {{ .Values.service.grpcPort }} + targetPort: grpc + protocol: TCP + name: grpc + {{- end }} + selector: + {{- include "podinfo.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/templates/serviceaccount.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/serviceaccount.yaml new file mode 100644 index 0000000000..d39b798967 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "podinfo.serviceAccountName" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end -}} +{{- end -}} diff --git a/src/internal/packager2/layout/testdata/zarf-package/chart/values.yaml b/src/internal/packager2/layout/testdata/zarf-package/chart/values.yaml new file mode 100644 index 0000000000..89b2bd9129 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/chart/values.yaml @@ -0,0 +1,164 @@ +# Default values for podinfo. + +replicaCount: 1 +logLevel: info +host: #0.0.0.0 +backend: #http://backend-podinfo:9898/echo +backends: [] + +image: + repository: ghcr.io/stefanprodan/podinfo + tag: 6.4.0 + pullPolicy: IfNotPresent + +ui: + color: "#34577c" + message: "" + logo: "" + +# failure conditions +faults: + delay: false + error: false + unhealthy: false + unready: false + testFail: false + testTimeout: false + +# Kubernetes Service settings +service: + enabled: true + annotations: {} + type: ClusterIP + metricsPort: 9797 + httpPort: 9898 + externalPort: 9898 + grpcPort: 9999 + grpcService: podinfo + nodePort: 31198 + # the port used to bind the http port to the host + # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing + # in local clusters such as kind without port forwarding + hostPort: + +# enable h2c protocol (non-TLS version of HTTP/2) +h2c: + enabled: false + +# enable tls on the podinfo service +tls: + enabled: false + # the name of the secret used to mount the certificate key pair + secretName: + # the path where the certificate key pair will be mounted + certPath: /data/cert + # the port used to host the tls endpoint on the service + port: 9899 + # the port used to bind the tls port to the host + # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing + # in local clusters such as kind without port forwarding + hostPort: + +# create a certificate manager certificate (cert-manager required) +certificate: + create: false + # the issuer used to issue the certificate + issuerRef: + kind: ClusterIssuer + name: self-signed + # the hostname / subject alternative names for the certificate + dnsNames: + - podinfo + +# metrics-server add-on required +hpa: + enabled: false + maxReplicas: 10 + # average total CPU usage per pod (1-100) + cpu: + # average memory usage per pod (100Mi-1Gi) + memory: + # average http requests per second per pod (k8s-prometheus-adapter) + requests: + +# Redis address in the format tcp://: +cache: "" +# Redis deployment +redis: + enabled: false + repository: redis + tag: 7.0.7 + +serviceAccount: + # Specifies whether a service account should be created + enabled: false + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + # List of image pull secrets if pulling from private registries + imagePullSecrets: [] + +# set container security context +securityContext: {} + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: podinfo.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +linkerd: + profile: + enabled: false + +# create Prometheus Operator monitor +serviceMonitor: + enabled: false + interval: 15s + additionalLabels: {} + +resources: + limits: + requests: + cpu: 1m + memory: 16Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +podAnnotations: {} + +# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes +probes: + readiness: + initialDelaySeconds: 1 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + periodSeconds: 10 + liveness: + initialDelaySeconds: 1 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + periodSeconds: 10 + startup: + enable: false + initialDelaySeconds: 10 + timeoutSeconds: 5 + failureThreshold: 20 + successThreshold: 1 + periodSeconds: 10 diff --git a/src/internal/packager2/layout/testdata/zarf-package/data.txt b/src/internal/packager2/layout/testdata/zarf-package/data.txt new file mode 100644 index 0000000000..557db03de9 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/data.txt @@ -0,0 +1 @@ +Hello World diff --git a/src/internal/packager2/layout/testdata/zarf-package/deployment.yaml b/src/internal/packager2/layout/testdata/zarf-package/deployment.yaml new file mode 100644 index 0000000000..685c17aa68 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/deployment.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/src/internal/packager2/layout/testdata/zarf-package/injection/data.txt b/src/internal/packager2/layout/testdata/zarf-package/injection/data.txt new file mode 100644 index 0000000000..1269488f7f --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/injection/data.txt @@ -0,0 +1 @@ +data diff --git a/src/internal/packager2/layout/testdata/zarf-package/kustomize/kustomization.yaml b/src/internal/packager2/layout/testdata/zarf-package/kustomize/kustomization.yaml new file mode 100644 index 0000000000..736967b1a3 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/kustomize/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - namespace.yaml diff --git a/src/internal/packager2/layout/testdata/zarf-package/kustomize/namespace.yaml b/src/internal/packager2/layout/testdata/zarf-package/kustomize/namespace.yaml new file mode 100644 index 0000000000..7c265c0193 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/kustomize/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test diff --git a/src/internal/packager2/layout/testdata/zarf-package/values.yaml b/src/internal/packager2/layout/testdata/zarf-package/values.yaml new file mode 100644 index 0000000000..f86a45afe7 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/values.yaml @@ -0,0 +1,5 @@ +ui: + color: "#0d133d" + message: "greetings from podinfo (as deployed by Zarf)" + # Replace the githubusercontent URL for the airgap + logo: "" diff --git a/src/internal/packager2/layout/testdata/zarf-package/zarf.yaml b/src/internal/packager2/layout/testdata/zarf-package/zarf.yaml new file mode 100644 index 0000000000..695ac11604 --- /dev/null +++ b/src/internal/packager2/layout/testdata/zarf-package/zarf.yaml @@ -0,0 +1,41 @@ +kind: ZarfPackageConfig +metadata: + name: test + version: v0.0.1 +components: + - name: helm-charts + required: true + charts: + - name: podinfo-local + version: 6.4.0 + namespace: podinfo-from-local-chart + localPath: chart + valuesFiles: + - values.yaml + - name: files + required: true + files: + - source: data.txt + target: data.txt + - source: archive.tar + extractPath: archive-data.txt + target: archive-data.txt + - name: data-injections + required: true + dataInjections: + - source: injection + target: + namespace: test + selector: app=test + container: test + path: /test + compress: true + - name: manifests + required: true + manifests: + - name: deployment + namespace: httpd + files: + - deployment.yaml + kustomizations: + - kustomize diff --git a/src/pkg/lint/schema.go b/src/pkg/lint/schema.go index b6cb5f6e3e..a5f9009dc9 100644 --- a/src/pkg/lint/schema.go +++ b/src/pkg/lint/schema.go @@ -7,6 +7,7 @@ package lint import ( "fmt" "io/fs" + "path/filepath" "regexp" "github.com/xeipuuv/gojsonschema" @@ -17,6 +18,23 @@ import ( // ZarfSchema is exported so main.go can embed the schema file var ZarfSchema fs.ReadFileFS +// ValidatePackageSchemaAtPath checks the Zarf package in the current directory against the Zarf schema +func ValidatePackageSchemaAtPath(path string, setVariables map[string]string) ([]PackageFinding, error) { + var untypedZarfPackage interface{} + if err := utils.ReadYaml(filepath.Join(path, layout.ZarfYAML), &untypedZarfPackage); err != nil { + return nil, err + } + jsonSchema, err := ZarfSchema.ReadFile("zarf.schema.json") + if err != nil { + return nil, err + } + _, err = templateZarfObj(&untypedZarfPackage, setVariables) + if err != nil { + return nil, err + } + return getSchemaFindings(jsonSchema, untypedZarfPackage) +} + // ValidatePackageSchema checks the Zarf package in the current directory against the Zarf schema func ValidatePackageSchema(setVariables map[string]string) ([]PackageFinding, error) { var untypedZarfPackage interface{} diff --git a/src/pkg/packager/publish.go b/src/pkg/packager/publish.go index 6e421efd1f..684a42b177 100644 --- a/src/pkg/packager/publish.go +++ b/src/pkg/packager/publish.go @@ -7,17 +7,19 @@ package packager import ( "context" "fmt" - "os" + "io/fs" + "path/filepath" "strings" "github.com/defenseunicorns/pkg/helpers/v2" "github.com/defenseunicorns/pkg/oci" ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/zarf-dev/zarf/src/api/v1alpha1" "github.com/zarf-dev/zarf/src/config" + layout2 "github.com/zarf-dev/zarf/src/internal/packager2/layout" "github.com/zarf-dev/zarf/src/pkg/layout" "github.com/zarf-dev/zarf/src/pkg/message" - "github.com/zarf-dev/zarf/src/pkg/packager/creator" "github.com/zarf-dev/zarf/src/pkg/packager/filters" "github.com/zarf-dev/zarf/src/pkg/packager/sources" "github.com/zarf-dev/zarf/src/pkg/utils" @@ -48,26 +50,36 @@ func (p *Packager) Publish(ctx context.Context) (err error) { } if p.cfg.CreateOpts.IsSkeleton { - if err := os.Chdir(p.cfg.CreateOpts.BaseDir); err != nil { - return fmt.Errorf("unable to access directory %q: %w", p.cfg.CreateOpts.BaseDir, err) - } - - sc := creator.NewSkeletonCreator(p.cfg.CreateOpts, p.cfg.PublishOpts) - - if err := helpers.CreatePathAndCopy(layout.ZarfYAML, p.layout.ZarfYAML); err != nil { - return err + skeletonOpt := layout2.CreateOptions{ + Flavor: p.cfg.CreateOpts.Flavor, + RegistryOverrides: p.cfg.CreateOpts.RegistryOverrides, + SigningKeyPath: p.cfg.CreateOpts.SigningKeyPath, + SigningKeyPassword: p.cfg.CreateOpts.SigningKeyPassword, + SetVariables: p.cfg.CreateOpts.SetVariables, } - - p.cfg.Pkg, _, err = sc.LoadPackageDefinition(ctx, p.layout) + skeletonPath, err := layout2.CreateSkeleton(ctx, p.cfg.CreateOpts.BaseDir, skeletonOpt) if err != nil { return err } - - if err := sc.Assemble(ctx, p.layout, p.cfg.Pkg.Components, ""); err != nil { + p.layout = layout.New(skeletonPath) + layoutPaths := []string{} + err = filepath.Walk(skeletonPath, func(path string, _ fs.FileInfo, err error) error { + if err != nil { + return err + } + rel, err := filepath.Rel(skeletonPath, path) + if err != nil { + return err + } + layoutPaths = append(layoutPaths, rel) + return nil + }) + if err != nil { return err } - - if err := sc.Output(ctx, p.layout, &p.cfg.Pkg); err != nil { + p.layout.SetFromPaths(layoutPaths) + p.cfg.Pkg, _, err = p.layout.ReadZarfYAML() + if err != nil { return err } } else {