From 8a1c10b638b9a91e9b3bfd0b8653b39fc92f2c5a Mon Sep 17 00:00:00 2001 
From: Tristan Holaday <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 19 Dec 2023 15:17:36 -0700 Subject: [PATCH] chore(deps): update gitea chart from 8.3.0 to 10.0.0 (#2123) ## Description We would like to update the helm chart version of Gitea from 8.3.0 to 10.0.0. This will allow users to use the latest IB gitea image (v1.20.5), which is currently the only IB gitea image that received the necessary fix for working with the gitea helm chart (https://repo1.dso.mil/dsop/opensource/go-gitea/gitea/-/issues/98). We tested the v1.20.5 IB image with the 8.3.0 chart and the Gitea pod fails because of a breaking change in the init-app-ini initContainer, which passes a flag (that no longer exists) to the environment-to-ini command. This error is resolved by using the 9.5.1 chart (or later). This update requires several changes to the gitea values, which you can read more about in the [gitea chart upgrading docs](https://gitea.com/gitea/helm-chart#upgrading). ### Manual Testing * created zarf init with chart and values updates (with upstream gitea image and with IB gitea image) * deployed new init pkg on local k3d cluster * deployed DUBBD 0.11.1 on top successfully ## Related Issue TBD... 
## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Wayne Starr --- .../8-custom-init-packages.md | 5 +- packages/gitea/gitea-values.yaml | 24 ++- packages/gitea/zarf.yaml | 28 +-- src/cmd/internal.go | 23 +++ src/cmd/tools/zarf.go | 3 +- src/config/lang/english.go | 6 + src/internal/packager/git/gitea.go | 161 ++++++++++++------ src/internal/packager/helm/zarf.go | 31 ---- src/pkg/k8s/dynamic.go | 22 ++- src/test/e2e/06_create_sbom_test.go | 4 +- src/test/e2e/22_git_and_gitops_test.go | 6 +- zarf-config.toml | 3 +- 12 files changed, 197 insertions(+), 119 deletions(-) diff --git a/docs/5-zarf-tutorials/8-custom-init-packages.md b/docs/5-zarf-tutorials/8-custom-init-packages.md index 6f2e455b68..a99ebc1b59 100644 --- a/docs/5-zarf-tutorials/8-custom-init-packages.md +++ b/docs/5-zarf-tutorials/8-custom-init-packages.md 
@@ -91,11 +91,10 @@ $ zarf package create . \ --set REGISTRY_IMAGE_TAG=2.8.3 \ --set REGISTRY_IMAGE="opensource/registry" \ --set REGISTRY_IMAGE_DOMAIN="custom.enterprise.corp" \ ---set GITEA_IMAGE="custom.enterprise.corp/opensource/gitea" \ ---set GITEA_SERVER_VERSION="v1.19.3" +--set GITEA_IMAGE="custom.enterprise.corp/opensource/gitea:v1.21.0-rootless" ``` -⚠️ - The Gitea image and version are different than the Agent and Registry in that Zarf will always prefer the `rootless` version of a given server image. This means that the above reference would template out to be `custom.enterprise.corp/opensource/gitea:v1.19.3-rootless`. If you need to change this, edit the `packages/gitea` package. +⚠️ - The Gitea image is different from the Agent and Registry in that Zarf will always prefer the `rootless` version of a given server image. The image no longer must be tagged with `-rootless`, but it still needs to implement the [Gitea configuration of a rootless image](https://github.com/go-gitea/gitea/blob/main/Dockerfile.rootless). If you need to change this, edit the `packages/gitea` package. You can find all of the `--set` configurations by looking at the `zarf-config.toml` in the root of the repository. diff --git a/packages/gitea/gitea-values.yaml b/packages/gitea/gitea-values.yaml index d8b4aa8c22..4a780198b3 100644 --- a/packages/gitea/gitea-values.yaml +++ b/packages/gitea/gitea-values.yaml @@ -1,11 +1,12 @@ persistence: storageClass: "###ZARF_STORAGE_CLASS###" - existingClaim: "###ZARF_VAR_GIT_SERVER_EXISTING_PVC###" + claimName: "###ZARF_VAR_GIT_SERVER_EXISTING_PVC###" size: "###ZARF_VAR_GIT_SERVER_PVC_SIZE###" accessModes: - "###ZARF_VAR_GIT_SERVER_PVC_ACCESS_MODE###" + create: ###ZARF_VAR_GIT_SERVER_CREATE_PVC### -replicaCount: "###ZARF_VAR_GIT_SERVER_REPLICA_COUNT###" +replicaCount: ###ZARF_VAR_GIT_SERVER_REPLICA_COUNT### gitea: admin: 
@@ -29,6 +30,12 @@ gitea: repository: ENABLE_PUSH_CREATE_USER: true FORCE_PRIVATE: true + session: + PROVIDER: memory + cache: + ADAPTER: memory + queue: + TYPE: level resources: requests: cpu: "###ZARF_VAR_GIT_SERVER_CPU_REQ###" @@ -37,13 +44,12 @@ resources: cpu: "###ZARF_VAR_GIT_SERVER_CPU_LIMIT###" memory: "###ZARF_VAR_GIT_SERVER_MEM_LIMIT###" -memcached: - enabled: false +image: + fullOverride: "###ZARF_CONST_GITEA_IMAGE###" + rootless: true -postgresql: +postgresql-ha: enabled: false -image: - repository: "###ZARF_CONST_GITEA_IMAGE###" - tag: "###ZARF_CONST_GITEA_SERVER_VERSION###" - rootless: true +redis-cluster: + enabled: false diff --git a/packages/gitea/zarf.yaml b/packages/gitea/zarf.yaml index 62ab2b0497..8fb37939eb 100644 --- a/packages/gitea/zarf.yaml +++ b/packages/gitea/zarf.yaml @@ -5,7 +5,7 @@ metadata: variables: - name: GIT_SERVER_EXISTING_PVC description: "Optional: Use an existing PVC for the git server instead of creating a new one. If this is set, the GIT_SERVER_PVC_SIZE variable will be ignored." - default: "" + default: "data-zarf-gitea-0" - name: GIT_SERVER_PVC_SIZE description: The size of the persistent volume claim for the git server @@ -42,8 +42,6 @@ variables: constants: - name: GITEA_IMAGE value: "###ZARF_PKG_TMPL_GITEA_IMAGE###" - - name: GITEA_SERVER_VERSION - value: "###ZARF_PKG_TMPL_GITEA_SERVER_VERSION###" components: - name: git-server @@ -51,7 +49,7 @@ components: Deploys Gitea to provide git repositories for Kubernetes configurations. Required for GitOps deployments if no other git server is available. images: - - "###ZARF_PKG_TMPL_GITEA_IMAGE###:###ZARF_PKG_TMPL_GITEA_SERVER_VERSION###-rootless" + - "###ZARF_PKG_TMPL_GITEA_IMAGE###" manifests: - name: git-connect namespace: zarf 
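Review bot: The new `session.PROVIDER: memory` and `cache.ADAPTER: memory` entries in gitea-values.yaml are per-pod stores, while `replicaCount` in the same file is still driven by `ZARF_VAR_GIT_SERVER_REPLICA_COUNT`; with more than one replica, logins and cached state are not shared between pods. If several replicas are meant to be supported these need a shared backend (the chart's `redis-cluster` subchart is disabled further down in this file); otherwise a comment above the block should record the assumption, e.g. `# in-memory session/cache providers: valid only with replicaCount 1`.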
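Review bot: The default of `GIT_SERVER_EXISTING_PVC` in packages/gitea/zarf.yaml changes from `""` to `"data-zarf-gitea-0"`, but its description still reads "Optional: Use an existing PVC ... If this is set, the GIT_SERVER_PVC_SIZE variable will be ignored", and the variable is now always set, so a reader would conclude the size is always ignored. Reword it to the new contract, along the lines of `description: "The PVC used by the git server. Leave the default to have Zarf create or adopt the claim data-zarf-gitea-0 (GIT_SERVER_PVC_SIZE applies); set a different existing claim to reuse it instead, in which case its size is ignored."` That wording is inferred from `UpdateGiteaPVC` in src/internal/packager/git/gitea.go, which only adopts the claim when its name equals the default, so confirm it against the chart's persistence behaviour.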
@@ -61,13 +59,24 @@ components: - name: gitea releaseName: zarf-gitea url: https://dl.gitea.io/charts - version: 8.3.0 + version: 10.0.0 namespace: zarf valuesFiles: - gitea-values.yaml actions: onDeploy: + before: + - cmd: ./zarf internal update-gitea-pvc --no-progress + setVariables: + - name: GIT_SERVER_CREATE_PVC + mute: true after: + - wait: + cluster: + kind: pod + namespace: zarf + name: app=gitea + condition: Ready - cmd: ./zarf internal create-read-only-gitea-user --no-progress maxRetries: 3 maxTotalSeconds: 60 @@ -76,9 +85,6 @@ components: maxRetries: 3 maxTotalSeconds: 60 description: Create an artifact registry token - - wait: - cluster: - kind: pod - namespace: zarf - name: app=gitea - condition: Ready + + onFailure: + - cmd: ./zarf internal update-gitea-pvc --rollback --no-progress diff --git a/src/cmd/internal.go b/src/cmd/internal.go index bb2981d13e..a10067398c 100644 --- a/src/cmd/internal.go +++ b/src/cmd/internal.go @@ -23,6 +23,10 @@ import ( "github.com/spf13/pflag" ) +var ( + rollback bool +) + var internalCmd = &cobra.Command{ Use: "internal", Hidden: true, @@ -196,6 +200,22 @@ var createPackageRegistryToken = &cobra.Command{ }, } +var updateGiteaPVC = &cobra.Command{ + Use: "update-gitea-pvc", + Short: lang.CmdInternalUpdateGiteaPVCShort, + Long: lang.CmdInternalUpdateGiteaPVCLong, + Run: func(cmd *cobra.Command, args []string) { + + // There is a possibility that the pvc does not yet exist and Gitea helm chart should create it + helmShouldCreate, err := git.UpdateGiteaPVC(rollback) + if err != nil { + message.WarnErr(err, lang.CmdInternalUpdateGiteaPVCErr) + } + + fmt.Print(helmShouldCreate) + }, +} + var isValidHostname = &cobra.Command{ Use: "is-valid-hostname", Short: lang.CmdInternalIsValidHostnameShort, 
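Review bot: `updateGiteaPVC.Run` prints `helmShouldCreate` and exits 0 even when `git.UpdateGiteaPVC` returned an error, so the `setVariables` action in packages/gitea/zarf.yaml always receives a value and the deploy never stops here; that looks intentional for the fresh-install case where the claim does not exist yet, but the one-line comment does not say so, and any other failure (RBAC, API unreachable) is reduced to a warning. Replace the comment with one stating the contract, e.g. `// Errors are deliberately non-fatal: on a fresh install the claim does not exist yet and the chart must create it, so the create/adopt decision is always printed for the setVariables action.` If real failures should abort the deploy, UpdateGiteaPVC would first need to distinguish not-found from other errors. The package-level flag variable `rollback` is also very generic for a shared cmd package; `giteaPVCRollback` would make its owner obvious.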
@@ -229,8 +249,11 @@ func init() { internalCmd.AddCommand(genTypesSchemaCmd) internalCmd.AddCommand(createReadOnlyGiteaUser) internalCmd.AddCommand(createPackageRegistryToken) + internalCmd.AddCommand(updateGiteaPVC) internalCmd.AddCommand(isValidHostname) internalCmd.AddCommand(computeCrc32) + + updateGiteaPVC.Flags().BoolVarP(&rollback, "rollback", "r", false, lang.CmdInternalFlagUpdateGiteaPVCRollback) } func addHiddenDummyFlag(cmd *cobra.Command, flagDummy string) { diff --git a/src/cmd/tools/zarf.go b/src/cmd/tools/zarf.go index 6cb2d0d2eb..d835674ed6 100644 --- a/src/cmd/tools/zarf.go +++ b/src/cmd/tools/zarf.go @@ -146,7 +146,8 @@ var updateCredsCmd = &cobra.Command{ } } if slices.Contains(args, message.GitKey) && newState.GitServer.InternalServer { - err = h.UpdateZarfGiteaValues() + g := git.New(newState.GitServer) + err = g.UpdateZarfGiteaUsers(oldState) if err != nil { // Warn if we couldn't actually update the git server (it might not be installed and we should try to continue) message.Warnf(lang.CmdToolsUpdateCredsUnableUpdateGit, err.Error()) diff --git a/src/config/lang/english.go b/src/config/lang/english.go index 0f095411d8..3a9346dab7 100644 --- a/src/config/lang/english.go +++ b/src/config/lang/english.go 
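Review bot: Replacing `h.UpdateZarfGiteaValues()` with `g.UpdateZarfGiteaUsers(oldState)` in updateCredsCmd drops the Helm release-values update that the removed function performed (see the deletion in src/internal/packager/helm/zarf.go), so after `update-creds` the release's stored `gitea.admin.password` value no longer matches the password set through the API. If the chart's init container re-applies the admin credentials from values on pod restart — which the upstream chart's configure script does, but confirm for 10.0.0 — the rotated password would be reverted on the next restart or upgrade. Either keep updating the release values alongside the API patch, or add a comment here recording why the values update is no longer needed. updateCredsCmd starts and ends outside the hunk.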
@@ -217,6 +217,12 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA "This is called internally by the supported Gitea package component." CmdInternalArtifactRegistryGiteaTokenErr = "Unable to create an artifact registry token for the Gitea service." + CmdInternalUpdateGiteaPVCShort = "Updates an existing Gitea persistent volume claim" + CmdInternalUpdateGiteaPVCLong = "Updates an existing Gitea persistent volume claim by assessing if claim is a custom user provided claim or default." + + "This is called internally by the supported Gitea package component." + CmdInternalUpdateGiteaPVCErr = "Unable to update the existing Gitea persistent volume claim." + CmdInternalFlagUpdateGiteaPVCRollback = "Roll back previous Gitea persistent volume claim updates." + CmdInternalIsValidHostnameShort = "Checks if the current machine's hostname is RFC1123 compliant" CmdInternalIsValidHostnameErr = "The hostname '%s' is not valid. Ensure the hostname meets RFC1123 requirements https://www.rfc-editor.org/rfc/rfc1123.html." diff --git a/src/internal/packager/git/gitea.go b/src/internal/packager/git/gitea.go index 1eede33a7d..222ce3c5e6 100644 --- a/src/internal/packager/git/gitea.go +++ b/src/internal/packager/git/gitea.go @@ -9,6 +9,7 @@ import ( "encoding/json" "fmt" "io" + "os" "time" netHttp "net/http" @@ -17,6 +18,8 @@ import ( "github.com/defenseunicorns/zarf/src/pkg/cluster" "github.com/defenseunicorns/zarf/src/pkg/k8s" "github.com/defenseunicorns/zarf/src/pkg/message" + "github.com/defenseunicorns/zarf/src/types" + "k8s.io/apimachinery/pkg/runtime/schema" ) // CreateTokenResponse is the response given from creating a token in Gitea 
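Review bot: `CmdInternalUpdateGiteaPVCLong` concatenates `"...custom user provided claim or default."` directly with `"This is called internally by the supported Gitea package component."`, which renders as `default.This` with no separator in the help text. End the first literal with a space or newline, e.g. `"...custom user provided claim or default.\n" +`, matching whatever separator the preceding constant uses (its first half is outside the hunk).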
@@ -49,50 +52,6 @@ func (g *Git) CreateReadOnlyUser() error { tunnelURL := tunnel.HTTPEndpoint() - var out []byte - - // Determine if the read only user already exists - getUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users", tunnelURL) - getUserRequest, _ := netHttp.NewRequest("GET", getUserEndpoint, nil) - err = tunnel.Wrap(func() error { - out, err = g.DoHTTPThings(getUserRequest, g.Server.PushUsername, g.Server.PushPassword) - return err - }) - message.Debugf("GET %s:\n%s", getUserEndpoint, string(out)) - if err != nil { - return err - } - - hasReadOnlyUser := false - var users []map[string]interface{} - err = json.Unmarshal(out, &users) - if err != nil { - return err - } - - for _, user := range users { - if user["login"] == g.Server.PullUsername { - hasReadOnlyUser = true - } - } - - if hasReadOnlyUser { - // Update the existing user's password - updateUserBody := map[string]interface{}{ - "login_name": g.Server.PullUsername, - "password": g.Server.PullPassword, - } - updateUserData, _ := json.Marshal(updateUserBody) - updateUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users/%s", tunnelURL, g.Server.PullUsername) - updateUserRequest, _ := netHttp.NewRequest("PATCH", updateUserEndpoint, bytes.NewBuffer(updateUserData)) - err = tunnel.Wrap(func() error { - out, err = g.DoHTTPThings(updateUserRequest, g.Server.PushUsername, g.Server.PushPassword) - return err - }) - message.Debugf("PATCH %s:\n%s", updateUserEndpoint, string(out)) - return err - } - // Create json representation of the create-user request body createUserBody := map[string]interface{}{ "username": g.Server.PullUsername, 
@@ -105,15 +64,23 @@ func (g *Git) CreateReadOnlyUser() error { return err } + var out []byte + var statusCode int + // Send API request to create the user createUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users", tunnelURL) createUserRequest, _ := netHttp.NewRequest("POST", createUserEndpoint, bytes.NewBuffer(createUserData)) err = tunnel.Wrap(func() error { - out, err = g.DoHTTPThings(createUserRequest, g.Server.PushUsername, g.Server.PushPassword) + out, statusCode, err = g.DoHTTPThings(createUserRequest, g.Server.PushUsername, g.Server.PushPassword) return err }) message.Debugf("POST %s:\n%s", createUserEndpoint, string(out)) if err != nil { + if statusCode == 422 { + message.Debugf("Read-only git user already exists. Skipping...") + return nil + } + return err } 
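Review bot: Treating any `statusCode == 422` from the create-user POST as "user already exists" is too broad: Gitea answers 422 Unprocessable Entity for every validation failure on this endpoint, including a rejected password or an invalid/reserved username, so such failures now return nil and the read-only user is never created. Check the response body, which is already in `out`, before skipping, e.g. `if statusCode == 422 && bytes.Contains(out, []byte("already exists")) {` (confirm the exact message against the shipped Gitea version), and return the error otherwise. The skip path also returns before the password PATCH further down in CreateReadOnlyUser, so an existing read-only user keeps its previous password; that appears to be covered by the new UpdateZarfGiteaUsers, but a comment on the `return nil` should say so. The start of CreateReadOnlyUser is outside this hunk.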
@@ -127,7 +94,62 @@ func (g *Git) CreateReadOnlyUser() error { updateUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users/%s", tunnelURL, g.Server.PullUsername) updateUserRequest, _ := netHttp.NewRequest("PATCH", updateUserEndpoint, bytes.NewBuffer(updateUserData)) err = tunnel.Wrap(func() error { - out, err = g.DoHTTPThings(updateUserRequest, g.Server.PushUsername, g.Server.PushPassword) + out, _, err = g.DoHTTPThings(updateUserRequest, g.Server.PushUsername, g.Server.PushPassword) + return err + }) + message.Debugf("PATCH %s:\n%s", updateUserEndpoint, string(out)) + return err +} + +// UpdateZarfGiteaUsers updates Zarf gitea users +func (g *Git) UpdateZarfGiteaUsers(oldState *types.ZarfState) error { + + //Update git read only user password + err := g.UpdateGitUser(oldState.GitServer.PushPassword, g.Server.PullUsername, g.Server.PullPassword) + if err != nil { + return fmt.Errorf("unable to update gitea read only user password: %w", err) + } + + // Update Git admin password + err = g.UpdateGitUser(oldState.GitServer.PushPassword, g.Server.PushUsername, g.Server.PushPassword) + if err != nil { + return fmt.Errorf("unable to update gitea admin user password: %w", err) + } + return nil +} + +// UpdateGitUser updates Zarf git server users +func (g *Git) UpdateGitUser(oldAdminPass string, username string, userpass string) error { + message.Debugf("git.UpdateGitUser()") + + c, err := cluster.NewCluster() + if err != nil { + return err + } + // Establish a git tunnel to send the repo + tunnel, err := c.NewTunnel(cluster.ZarfNamespaceName, k8s.SvcResource, cluster.ZarfGitServerName, "", 0, cluster.ZarfGitServerPort) + if err != nil { + return err + } + _, err = tunnel.Connect() + if err != nil { + return err + } + defer tunnel.Close() + tunnelURL := tunnel.HTTPEndpoint() + + var out []byte + + // Update the existing user's password + updateUserBody := map[string]interface{}{ + "login_name": username, + "password": userpass, + } + updateUserData, _ := 
json.Marshal(updateUserBody) + updateUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users/%s", tunnelURL, username) + updateUserRequest, _ := netHttp.NewRequest("PATCH", updateUserEndpoint, bytes.NewBuffer(updateUserData)) + err = tunnel.Wrap(func() error { + out, _, err = g.DoHTTPThings(updateUserRequest, g.Server.PushUsername, oldAdminPass) return err }) message.Debugf("PATCH %s:\n%s", updateUserEndpoint, string(out)) @@ -162,7 +184,7 @@ func (g *Git) CreatePackageRegistryToken() (CreateTokenResponse, error) { getTokensEndpoint := fmt.Sprintf("http://%s/api/v1/users/%s/tokens", tunnelURL, g.Server.PushUsername) getTokensRequest, _ := netHttp.NewRequest("GET", getTokensEndpoint, nil) err = tunnel.Wrap(func() error { - out, err = g.DoHTTPThings(getTokensRequest, g.Server.PushUsername, g.Server.PushPassword) + out, _, err = g.DoHTTPThings(getTokensRequest, g.Server.PushUsername, g.Server.PushPassword) return err }) message.Debugf("GET %s:\n%s", getTokensEndpoint, string(out)) @@ -188,7 +210,7 @@ func (g *Git) CreatePackageRegistryToken() (CreateTokenResponse, error) { deleteTokensEndpoint := fmt.Sprintf("http://%s/api/v1/users/%s/tokens/%s", tunnelURL, g.Server.PushUsername, config.ZarfArtifactTokenName) deleteTokensRequest, _ := netHttp.NewRequest("DELETE", deleteTokensEndpoint, nil) err = tunnel.Wrap(func() error { - out, err = g.DoHTTPThings(deleteTokensRequest, g.Server.PushUsername, g.Server.PushPassword) + out, _, err = g.DoHTTPThings(deleteTokensRequest, g.Server.PushUsername, g.Server.PushPassword) return err }) message.Debugf("DELETE %s:\n%s", deleteTokensEndpoint, string(out)) 
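Review bot: `UpdateZarfGiteaUsers` authenticates both PATCH calls with `oldState.GitServer.PushPassword`, and the order matters: the admin's own password is rotated last so the old admin credential stays valid for the read-only update, and if the second call fails the server keeps the old admin password while the caller holds the new one; neither doc comment records this. Suggest `// UpdateZarfGiteaUsers rotates the read-only and admin Gitea passwords to the values in g.Server, authenticating with the admin password from oldState; the admin user is updated last so the old credential remains valid for both requests.` and for the helper `// UpdateGitUser sets username's password to userpass through the Gitea admin API, authenticating as g.Server.PushUsername with oldAdminPass.` `UpdateZarfGiteaUsers` also dereferences `oldState` without a nil guard, `if oldState == nil { return fmt.Errorf("old state is required to authenticate the gitea password update") }`, and `json.Marshal` in UpdateGitUser discards its error as the surrounding code does. The end of UpdateGitUser is outside this hunk.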
@@ -199,12 +221,13 @@ func (g *Git) CreatePackageRegistryToken() (CreateTokenResponse, error) { createTokensEndpoint := fmt.Sprintf("http://%s/api/v1/users/%s/tokens", tunnelURL, g.Server.PushUsername) createTokensBody := map[string]interface{}{ - "name": config.ZarfArtifactTokenName, + "name": config.ZarfArtifactTokenName, + "scopes": []string{"read:user", "read:package", "write:package"}, } createTokensData, _ := json.Marshal(createTokensBody) createTokensRequest, _ := netHttp.NewRequest("POST", createTokensEndpoint, bytes.NewBuffer(createTokensData)) err = tunnel.Wrap(func() error { - out, err = g.DoHTTPThings(createTokensRequest, g.Server.PushUsername, g.Server.PushPassword) + out, _, err = g.DoHTTPThings(createTokensRequest, g.Server.PushUsername, g.Server.PushPassword) return err }) message.Debugf("POST %s:\n%s", createTokensEndpoint, string(out)) 
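Review bot: The explicit `scopes` list on the create-token body is the right direction for a token that is only meant to publish to the package registry, but the three scopes are an unexplained literal inside CreatePackageRegistryToken. Hoist them to a named package-level variable with a comment per scope, e.g. `// zarfArtifactTokenScopes is the least-privilege set for pushing and pulling Zarf packages through the Gitea package registry; read:user lets the token identify its owner.` and reference it here. Confirm that `read:user` is actually needed by the registry login path on the shipped Gitea version; if not, drop it so the token stays limited to package scopes.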
@@ -221,8 +244,36 @@ func (g *Git) CreatePackageRegistryToken() (CreateTokenResponse, error) { return createTokenResponse, nil } +// UpdateGiteaPVC updates the existing Gitea persistent volume claim and tells Gitea whether to create or not. +func UpdateGiteaPVC(shouldRollBack bool) (string, error) { + c, err := cluster.NewCluster() + if err != nil { + return "false", err + } + + pvcName := os.Getenv("ZARF_VAR_GIT_SERVER_EXISTING_PVC") + groupKind := schema.GroupKind{ + Group: "", + Kind: "PersistentVolumeClaim", + } + labels := map[string]string{"app.kubernetes.io/managed-by": "Helm"} + annotations := map[string]string{"meta.helm.sh/release-name": "zarf-gitea", "meta.helm.sh/release-namespace": "zarf"} + + if shouldRollBack { + err = c.K8s.RemoveLabelsAndAnnotations(cluster.ZarfNamespaceName, pvcName, groupKind, labels, annotations) + return "false", err + } + + if pvcName == "data-zarf-gitea-0" { + err = c.K8s.AddLabelsAndAnnotations(cluster.ZarfNamespaceName, pvcName, groupKind, labels, annotations) + return "true", err + } + + return "false", err +} + // DoHTTPThings adds http request boilerplate and perform the request, checking for a successful response. -func (g *Git) DoHTTPThings(request *netHttp.Request, username, secret string) ([]byte, error) { +func (g *Git) DoHTTPThings(request *netHttp.Request, username, secret string) ([]byte, int, error) { message.Debugf("git.DoHttpThings()") // Prep the request with boilerplate 
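Review bot: `UpdateGiteaPVC` hard-codes `"data-zarf-gitea-0"`, the release name `zarf-gitea` and the namespace `zarf`, which now have to stay in sync with the variable default and `releaseName` in packages/gitea/zarf.yaml; a change on either side silently turns every install into the "user-provided claim" path, so hoist them to named constants next to cluster.ZarfGitServerName with a comment pointing at the package definition. On a fresh cluster the default branch always returns an error because the claim does not exist yet (AddLabelsAndAnnotations has to fetch it) and the caller in src/cmd/internal.go only warns; if `c.K8s.AddLabelsAndAnnotations` preserves the API error, checking `errors.IsNotFound(err)` from `k8s.io/apimachinery/pkg/api/errors` would let the expected case return `"true", nil` while real failures (RBAC, unreachable API) stay errors. When `ZARF_VAR_GIT_SERVER_EXISTING_PVC` is unset, `pvcName` is empty and the rollback path issues a remove against an empty name; an early `if pvcName == "" { return "false", nil }` would be clearer.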
@@ -234,17 +285,17 @@ func (g *Git) DoHTTPThings(request *netHttp.Request, username, secret string) ([ // Perform the request and get the response response, err := client.Do(request) if err != nil { - return []byte{}, err + return []byte{}, 0, err } responseBody, _ := io.ReadAll(response.Body) // If we get a 'bad' status code we will have no error, create a useful one to return if response.StatusCode < 200 || response.StatusCode >= 300 { err = fmt.Errorf("got status code of %d during http request with body of: %s", response.StatusCode, string(responseBody)) - return []byte{}, err + return []byte{}, response.StatusCode, err } - return responseBody, nil + return responseBody, response.StatusCode, nil } func (g *Git) addReadOnlyUserToRepo(tunnelURL, repo string) error { @@ -262,7 +313,7 @@ func (g *Git) addReadOnlyUserToRepo(tunnelURL, repo string) error { // Send API request to add a user as a read-only collaborator to a repo addColabEndpoint := fmt.Sprintf("%s/api/v1/repos/%s/%s/collaborators/%s", tunnelURL, g.Server.PushUsername, repo, g.Server.PullUsername) addColabRequest, _ := netHttp.NewRequest("PUT", addColabEndpoint, bytes.NewBuffer(addColabData)) - out, err := g.DoHTTPThings(addColabRequest, g.Server.PushUsername, g.Server.PushPassword) + out, _, err := g.DoHTTPThings(addColabRequest, g.Server.PushUsername, g.Server.PushPassword) message.Debugf("PUT %s:\n%s", addColabEndpoint, string(out)) return err } diff --git a/src/internal/packager/helm/zarf.go b/src/internal/packager/helm/zarf.go index 889468fdce..b8d42c3f84 100644 --- a/src/internal/packager/helm/zarf.go +++ b/src/internal/packager/helm/zarf.go @@ -7,7 +7,6 @@ package helm import ( "fmt" - "github.com/defenseunicorns/zarf/src/internal/packager/git" "github.com/defenseunicorns/zarf/src/pkg/cluster" "github.com/defenseunicorns/zarf/src/pkg/k8s" "github.com/defenseunicorns/zarf/src/pkg/message" 
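Review bot: The rewritten return paths in `DoHTTPThings` still never close `response.Body` (no `Close` is visible in the hunk; the lines between the signature and `client.Do` are elided), and `responseBody, _ := io.ReadAll(response.Body)` drops the read error, so a truncated body is treated as a complete response. Add `defer response.Body.Close()` immediately after the `client.Do` error check, and replace the read with `responseBody, err := io.ReadAll(response.Body)` followed by `if err != nil { return []byte{}, response.StatusCode, err }`.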
@@ -48,36 +47,6 @@ func (h *Helm) UpdateZarfRegistryValues() error { return nil } -// UpdateZarfGiteaValues updates the Zarf git server deployment with the new state values -func (h *Helm) UpdateZarfGiteaValues() error { - giteaValues := map[string]interface{}{ - "gitea": map[string]interface{}{ - "admin": map[string]interface{}{ - "username": h.cfg.State.GitServer.PushUsername, - "password": h.cfg.State.GitServer.PushPassword, - }, - }, - } - - h.chart = types.ZarfChart{ - Namespace: "zarf", - ReleaseName: "zarf-gitea", - } - - err := h.UpdateReleaseValues(giteaValues) - if err != nil { - return fmt.Errorf("error updating the release values: %w", err) - } - - g := git.New(h.cfg.State.GitServer) - err = g.CreateReadOnlyUser() - if err != nil { - return fmt.Errorf("unable to create the new Gitea read only user: %w", err) - } - - return nil -} - // UpdateZarfAgentValues updates the Zarf agent deployment with the new state values func (h *Helm) UpdateZarfAgentValues() error { spinner := message.NewProgressSpinner("Gathering information to update Zarf Agent TLS") diff --git a/src/pkg/k8s/dynamic.go b/src/pkg/k8s/dynamic.go index 51a1a29e90..daf87c7a1a 100644 --- a/src/pkg/k8s/dynamic.go +++ b/src/pkg/k8s/dynamic.go 
@@ -16,6 +16,16 @@ import ( // AddLabelsAndAnnotations adds the provided labels and annotations to the specified K8s resource func (k *K8s) AddLabelsAndAnnotations(resourceNamespace string, resourceName string, groupKind schema.GroupKind, labels map[string]string, annotations map[string]string) error { + return k.updateLabelsAndAnnotations(resourceNamespace, resourceName, groupKind, labels, annotations, false) +} + +// RemoveLabelsAndAnnotations removes the provided labels and annotations to the specified K8s resource +func (k *K8s) RemoveLabelsAndAnnotations(resourceNamespace string, resourceName string, groupKind schema.GroupKind, labels map[string]string, annotations map[string]string) error { + return k.updateLabelsAndAnnotations(resourceNamespace, resourceName, groupKind, labels, annotations, true) +} + +// updateLabelsAndAnnotations updates the provided labels and annotations to the specified K8s resource +func (k *K8s) updateLabelsAndAnnotations(resourceNamespace string, resourceName string, groupKind schema.GroupKind, labels map[string]string, annotations map[string]string, isRemove bool) error { dynamicClient := dynamic.NewForConfigOrDie(k.RestConfig) discoveryClient := discovery.NewDiscoveryClientForConfigOrDie(k.RestConfig) @@ -43,7 +53,11 @@ func (k *K8s) AddLabelsAndAnnotations(resourceNamespace string, resourceName str deployedLabels = make(map[string]string) } for key, value := range labels { - deployedLabels[key] = value + if isRemove { + delete(deployedLabels, key) + } else { + deployedLabels[key] = value + } } deployedResource.SetLabels(deployedLabels) @@ -55,7 +69,11 @@ func (k *K8s) AddLabelsAndAnnotations(resourceNamespace string, resourceName str deployedAnnotations = make(map[string]string) } for key, value := range annotations { - deployedAnnotations[key] = value + if isRemove { + delete(deployedAnnotations, key) + } else { + deployedAnnotations[key] = value + } } deployedResource.SetAnnotations(deployedAnnotations) 
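Review bot: The `RemoveLabelsAndAnnotations` doc comment says "removes ... to the specified K8s resource", and neither it nor `updateLabelsAndAnnotations` states that in remove mode the map values are ignored and only the keys are deleted, which is what the `delete(deployedLabels, key)` and `delete(deployedAnnotations, key)` branches do. Suggest `// RemoveLabelsAndAnnotations deletes the given label and annotation keys from the specified K8s resource; the map values are ignored.` and `// updateLabelsAndAnnotations applies (isRemove false) or deletes (isRemove true) the given labels and annotations on the live resource.` Whether a conflicting concurrent update of the fetched object is retried is not visible in the hunk and is worth a sentence in the helper's comment either way.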
diff --git a/src/test/e2e/06_create_sbom_test.go b/src/test/e2e/06_create_sbom_test.go index 1af4adf739..88e153860b 100644 --- a/src/test/e2e/06_create_sbom_test.go +++ b/src/test/e2e/06_create_sbom_test.go @@ -54,9 +54,9 @@ func TestCreateSBOM(t *testing.T) { _, err = os.ReadFile(filepath.Join(sbomPath, "dos-games", "sbom-viewer-docker.io_defenseunicorns_zarf-game_multi-tile-dark.html")) require.NoError(t, err) // Test that the init package generates the SBOMs we expect (images + component files) - _, err = os.ReadFile(filepath.Join(sbomPath, "init", "sbom-viewer-docker.io_gitea_gitea_1.19.3-rootless.html")) + _, err = os.ReadFile(filepath.Join(sbomPath, "init", "sbom-viewer-docker.io_gitea_gitea_1.21.2-rootless.html")) require.NoError(t, err) - _, err = os.ReadFile(filepath.Join(sbomPath, "init", "docker.io_gitea_gitea_1.19.3-rootless.json")) + _, err = os.ReadFile(filepath.Join(sbomPath, "init", "docker.io_gitea_gitea_1.21.2-rootless.json")) require.NoError(t, err) _, err = os.ReadFile(filepath.Join(sbomPath, "init", "sbom-viewer-zarf-component-k3s.html")) require.NoError(t, err) diff --git a/src/test/e2e/22_git_and_gitops_test.go b/src/test/e2e/22_git_and_gitops_test.go index 6f0e7efc55..d9c4b572d4 100644 --- a/src/test/e2e/22_git_and_gitops_test.go +++ b/src/test/e2e/22_git_and_gitops_test.go @@ -77,7 +77,7 @@ func testGitServerReadOnly(t *testing.T, gitURL string) { // Get the repo as the readonly user repoName := "zarf-public-test-2469062884" getRepoRequest, _ := http.NewRequest("GET", fmt.Sprintf("%s/api/v1/repos/%s/%s", gitURL, state.GitServer.PushUsername, repoName), nil) - getRepoResponseBody, err := gitCfg.DoHTTPThings(getRepoRequest, config.ZarfGitReadUser, state.GitServer.PullPassword) + getRepoResponseBody, _, err := gitCfg.DoHTTPThings(getRepoRequest, config.ZarfGitReadUser, state.GitServer.PullPassword) require.NoError(t, err) // Make sure the only permissions are pull (read) 
@@ -100,7 +100,7 @@ func testGitServerTagAndHash(t *testing.T, gitURL string) { // Get the Zarf repo tag repoTag := "v0.0.1" getRepoTagsRequest, _ := http.NewRequest("GET", fmt.Sprintf("%s/api/v1/repos/%s/%s/tags/%s", gitURL, config.ZarfGitPushUser, repoName, repoTag), nil) - getRepoTagsResponseBody, err := gitCfg.DoHTTPThings(getRepoTagsRequest, config.ZarfGitReadUser, state.GitServer.PullPassword) + getRepoTagsResponseBody, _, err := gitCfg.DoHTTPThings(getRepoTagsRequest, config.ZarfGitReadUser, state.GitServer.PullPassword) require.NoError(t, err) // Make sure the pushed tag exists @@ -111,7 +111,7 @@ func testGitServerTagAndHash(t *testing.T, gitURL string) { // Get the Zarf repo commit repoHash := "01a23218923f24194133b5eb11268cf8d73ff1bb" getRepoCommitsRequest, _ := http.NewRequest("GET", fmt.Sprintf("%s/api/v1/repos/%s/%s/git/commits/%s", gitURL, config.ZarfGitPushUser, repoName, repoHash), nil) - getRepoCommitsResponseBody, err := gitCfg.DoHTTPThings(getRepoCommitsRequest, config.ZarfGitReadUser, state.GitServer.PullPassword) + getRepoCommitsResponseBody, _, err := gitCfg.DoHTTPThings(getRepoCommitsRequest, config.ZarfGitReadUser, state.GitServer.PullPassword) require.NoError(t, err) require.Contains(t, string(getRepoCommitsResponseBody), repoHash) } diff --git a/zarf-config.toml b/zarf-config.toml index 5f0f1b5357..2010031c92 100644 --- a/zarf-config.toml +++ b/zarf-config.toml @@ -15,5 +15,4 @@ registry_image = 'library/registry' registry_image_tag = '2.8.3' # The image reference to use for the optional git-server Zarf deploys -gitea_image = 'gitea/gitea' -gitea_server_version = '1.19.3' +gitea_image = 'gitea/gitea:1.21.2-rootless'