zarf-dev · Racer159 · Dec 19, 2023 · Oct 31, 2023 · Nov 1, 2023 · Nov 2, 2023
@@ -1,11 +1,12 @@
 persistence:
   storageClass: "###ZARF_STORAGE_CLASS###"
-  existingClaim: "###ZARF_VAR_GIT_SERVER_EXISTING_PVC###"
+  claimName: "###ZARF_VAR_GIT_SERVER_EXISTING_PVC###"
   size: "###ZARF_VAR_GIT_SERVER_PVC_SIZE###"
   accessModes:
     - "###ZARF_VAR_GIT_SERVER_PVC_ACCESS_MODE###"
+  create: ###ZARF_VAR_GIT_SERVER_CREATE_PVC###
 
-replicaCount: "###ZARF_VAR_GIT_SERVER_REPLICA_COUNT###"
+replicaCount: ###ZARF_VAR_GIT_SERVER_REPLICA_COUNT###
 
 gitea:
   admin:
@@ -29,6 +30,12 @@ gitea:
     repository:
       ENABLE_PUSH_CREATE_USER: true
       FORCE_PRIVATE: true
+    session:
+      PROVIDER: memory
+    cache:
+      ADAPTER: memory
+    queue:
+      TYPE: level
 resources:
   requests:
     cpu: "###ZARF_VAR_GIT_SERVER_CPU_REQ###"
@@ -37,13 +44,13 @@ resources:
     cpu: "###ZARF_VAR_GIT_SERVER_CPU_LIMIT###"
     memory: "###ZARF_VAR_GIT_SERVER_MEM_LIMIT###"
 
-memcached:
-  enabled: false
-
-postgresql:
-  enabled: false
-
 image:
   repository: "###ZARF_CONST_GITEA_IMAGE###"
   tag: "###ZARF_CONST_GITEA_SERVER_VERSION###"
   rootless: true
+
+postgresql-ha:
+  enabled: false
+
+redis-cluster:
+  enabled: false
@@ -5,7 +5,7 @@ metadata:
 variables:
   - name: GIT_SERVER_EXISTING_PVC
     description: "Optional: Use an existing PVC for the git server instead of creating a new one. If this is set, the GIT_SERVER_PVC_SIZE variable will be ignored."
-    default: ""
+    default: "data-zarf-gitea-0"
 
   - name: GIT_SERVER_PVC_SIZE
     description: The size of the persistent volume claim for the git server
@@ -61,12 +61,17 @@ components:
       - name: gitea
         releaseName: zarf-gitea
         url: https://dl.gitea.io/charts
-        version: 8.3.0
+        version: 9.5.1
         namespace: zarf
         valuesFiles:
           - gitea-values.yaml
     actions:
       onDeploy:
+        before:
+          - cmd: ./zarf internal update-gitea-pvc --no-progress 
+            setVariables:
+              - name: GIT_SERVER_CREATE_PVC
+            mute: true
         after:
           - cmd: ./zarf internal create-read-only-gitea-user --no-progress
             maxRetries: 3
@@ -82,3 +87,5 @@ components:
                 namespace: zarf
                 name: app=gitea
                 condition: Ready
+        onFailure:
+          - cmd: ./zarf internal update-gitea-pvc --rollback --no-progress
@@ -23,6 +23,10 @@ import (
 	"github.com/spf13/pflag"
 )
 
+var (
+	rollback bool
+)
+
 var internalCmd = &cobra.Command{
 	Use:    "internal",
 	Hidden: true,
@@ -196,6 +200,22 @@ var createPackageRegistryToken = &cobra.Command{
 	},
 }
 
+var updateGiteaPVC = &cobra.Command{
+	Use:   "update-gitea-pvc",
+	Short: lang.CmdInternalUpdateGiteaPVCShort,
+	Long:  lang.CmdInternalUpdateGiteaPVCLong,
+	Run: func(cmd *cobra.Command, args []string) {
+
+		// There is a possibility that the pvc does not yet exist and Gitea helm chart should create it
+		helmShouldCreate, err := git.UpdateGiteaPVC(rollback)
+		if err != nil {
+			message.WarnErr(err, lang.CmdInternalUpdateGiteaPVCErr)
+		}
+
+		fmt.Print(helmShouldCreate)
+	},
+}
+
 var isValidHostname = &cobra.Command{
 	Use:   "is-valid-hostname",
 	Short: lang.CmdInternalIsValidHostnameShort,
@@ -229,8 +249,11 @@ func init() {
 	internalCmd.AddCommand(genTypesSchemaCmd)
 	internalCmd.AddCommand(createReadOnlyGiteaUser)
 	internalCmd.AddCommand(createPackageRegistryToken)
+	internalCmd.AddCommand(updateGiteaPVC)
 	internalCmd.AddCommand(isValidHostname)
 	internalCmd.AddCommand(computeCrc32)
+
+	updateGiteaPVC.Flags().BoolVarP(&rollback, "rollback", "r", false, lang.CmdInternalFlagUpdateGiteaPVCRollback)
 }
 
 func addHiddenDummyFlag(cmd *cobra.Command, flagDummy string) {

@@ -144,7 +144,8 @@ var updateCredsCmd = &cobra.Command{
 				}
 			}
 			if slices.Contains(args, message.GitKey) && newState.GitServer.InternalServer {
-				err = h.UpdateZarfGiteaValues()
+				g := git.New(newState.GitServer)
+				err = g.UpdateZarfGiteaUsers(oldState)
 				if err != nil {
 					// Warn if we couldn't actually update the git server (it might not be installed and we should try to continue)
 					message.Warnf(lang.CmdToolsUpdateCredsUnableUpdateGit, err.Error())

@@ -211,6 +211,12 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA
 		"This is called internally by the supported Gitea package component."
 	CmdInternalArtifactRegistryGiteaTokenErr = "Unable to create an artifact registry token for the Gitea service."
 
+	CmdInternalUpdateGiteaPVCShort = "Updates an existing Gitea persistent volume claim"
+	CmdInternalUpdateGiteaPVCLong  = "Updates an existing Gitea persistent volume claim by assessing if claim is a custom user provided claim or default." +
+		"This is called internally by the supported Gitea package component."
+	CmdInternalUpdateGiteaPVCErr          = "Unable to update the existing Gitea persistent volume claim."
+	CmdInternalFlagUpdateGiteaPVCRollback = "Roll back previous Gitea persistent volume claim updates."
+
 	CmdInternalIsValidHostnameShort = "Checks if the current machine's hostname is RFC1123 compliant"
 	CmdInternalIsValidHostnameErr   = "The hostname '%s' is not valid. Ensure the hostname meets RFC1123 requirements https://www.rfc-editor.org/rfc/rfc1123.html."
 

@@ -9,6 +9,7 @@
 	"encoding/json"
 	"fmt"
 	"io"
+	"os"
 	"time"
 
 	netHttp "net/http"
@@ -17,6 +18,8 @@
 	"github.com/defenseunicorns/zarf/src/pkg/cluster"
 	"github.com/defenseunicorns/zarf/src/pkg/k8s"
 	"github.com/defenseunicorns/zarf/src/pkg/message"
+	"github.com/defenseunicorns/zarf/src/types"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
 // CreateTokenResponse is the response given from creating a token in Gitea
@@ -49,50 +52,6 @@
 
 	tunnelURL := tunnel.HTTPEndpoint()
 
-	var out []byte
-
-	// Determine if the read only user already exists
-	getUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users", tunnelURL)
-	getUserRequest, _ := netHttp.NewRequest("GET", getUserEndpoint, nil)
-	err = tunnel.Wrap(func() error {
-		out, err = g.DoHTTPThings(getUserRequest, g.Server.PushUsername, g.Server.PushPassword)
-		return err
-	})
-	message.Debugf("GET %s:\n%s", getUserEndpoint, string(out))
-	if err != nil {
-		return err
-	}
-
-	hasReadOnlyUser := false
-	var users []map[string]interface{}
-	err = json.Unmarshal(out, &users)
-	if err != nil {
-		return err
-	}
-
-	for _, user := range users {
-		if user["login"] == g.Server.PullUsername {
-			hasReadOnlyUser = true
-		}
-	}
-
-	if hasReadOnlyUser {
-		// Update the existing user's password
-		updateUserBody := map[string]interface{}{
-			"login_name": g.Server.PullUsername,
-			"password":   g.Server.PullPassword,
-		}
-		updateUserData, _ := json.Marshal(updateUserBody)
-		updateUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users/%s", tunnelURL, g.Server.PullUsername)
-		updateUserRequest, _ := netHttp.NewRequest("PATCH", updateUserEndpoint, bytes.NewBuffer(updateUserData))
-		err = tunnel.Wrap(func() error {
-			out, err = g.DoHTTPThings(updateUserRequest, g.Server.PushUsername, g.Server.PushPassword)
-			return err
-		})
-		message.Debugf("PATCH %s:\n%s", updateUserEndpoint, string(out))
-		return err
-	}
-
 	// Create json representation of the create-user request body
 	createUserBody := map[string]interface{}{
 		"username":             g.Server.PullUsername,
@@ -105,6 +64,8 @@
 		return err
 	}
 
+	var out []byte
+
 	// Send API request to create the user
 	createUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users", tunnelURL)
 	createUserRequest, _ := netHttp.NewRequest("POST", createUserEndpoint, bytes.NewBuffer(createUserData))
@@ -134,6 +95,61 @@
 	return err
 }
 
+// UpdateZarfGiteaUsers updates Zarf gitea users
+func (g *Git) UpdateZarfGiteaUsers(oldState *types.ZarfState) error {
+
+	//Update git read only user password
+	err := g.UpdateGitUser(oldState.GitServer.PushPassword, g.Server.PullUsername, g.Server.PullPassword)
+	if err != nil {
+		return fmt.Errorf("unable to update gitea read only user password: %w", err)
+	}
+
+	// Update Git admin password
+	err = g.UpdateGitUser(oldState.GitServer.PushPassword, g.Server.PushUsername, g.Server.PushPassword)
+	if err != nil {
+		return fmt.Errorf("unable to update gitea admin user password: %w", err)
+	}
+	return nil
+}
+
+// UpdateGitUser updates Zarf git server users
+func (g *Git) UpdateGitUser(oldAdminPass string, username string, userpass string) error {
+	message.Debugf("git.UpdateGitUser()")
+
+	c, err := cluster.NewCluster()
+	if err != nil {
+		return err
+	}
+	// Establish a git tunnel to send the repo
+	tunnel, err := c.NewTunnel(cluster.ZarfNamespaceName, k8s.SvcResource, cluster.ZarfGitServerName, "", 0, cluster.ZarfGitServerPort)
+	if err != nil {
+		return err
+	}
+	_, err = tunnel.Connect()
+	if err != nil {
+		return err
+	}
+	defer tunnel.Close()
+	tunnelURL := tunnel.HTTPEndpoint()
+
+	var out []byte
+
+	// Update the existing user's password
+	updateUserBody := map[string]interface{}{
+		"login_name": username,
+		"password":   userpass,
+	}
+	updateUserData, _ := json.Marshal(updateUserBody)
+	updateUserEndpoint := fmt.Sprintf("%s/api/v1/admin/users/%s", tunnelURL, username)
+	updateUserRequest, _ := netHttp.NewRequest("PATCH", updateUserEndpoint, bytes.NewBuffer(updateUserData))
+	err = tunnel.Wrap(func() error {
+		out, err = g.DoHTTPThings(updateUserRequest, g.Server.PushUsername, oldAdminPass)
+		return err
+	})
+	message.Debugf("PATCH %s:\n%s", updateUserEndpoint, string(out))
+	return err
+}
+
 // CreatePackageRegistryToken uses the Gitea API to create a package registry token.
 func (g *Git) CreatePackageRegistryToken() (CreateTokenResponse, error) {
 	message.Debugf("git.CreatePackageRegistryToken()")
@@ -199,7 +215,8 @@
 
 	createTokensEndpoint := fmt.Sprintf("http://%s/api/v1/users/%s/tokens", tunnelURL, g.Server.PushUsername)
 	createTokensBody := map[string]interface{}{
-		"name": config.ZarfArtifactTokenName,
+		"name":   config.ZarfArtifactTokenName,
+		"scopes": []string{"read:user", "read:package", "write:package"},
 	}
 	createTokensData, _ := json.Marshal(createTokensBody)
 	createTokensRequest, _ := netHttp.NewRequest("POST", createTokensEndpoint, bytes.NewBuffer(createTokensData))
@@ -221,6 +238,35 @@
 	return createTokenResponse, nil
 }
 
+// UpdateGiteaPVC updates the existing Gitea persistent volume claim and tells Gitea whether to create or not.
+func UpdateGiteaPVC(shouldRollBack bool) (string, error) {
+	c, err := cluster.NewCluster()
+	if err != nil {
+		return "false", err
+	}
+
+	pvcName := os.Getenv("ZARF_VAR_GIT_SERVER_EXISTING_PVC")
+	groupKind := schema.GroupKind{
+		Group: "",
+		Kind:  "PersistentVolumeClaim",
+	}
+	labels := map[string]string{"app.kubernetes.io/managed-by": "Helm"}
+	annotations := map[string]string{"meta.helm.sh/release-name": "zarf-gitea", "meta.helm.sh/release-namespace": "zarf"}
+
+	if shouldRollBack {
+		err = c.K8s.RemoveLabelsAndAnnotations(cluster.ZarfNamespaceName, pvcName, groupKind, labels, annotations)
+		return "false", err
+	} else {
+		if pvcName == "data-zarf-gitea-0" {
+			err = c.K8s.AddLabelsAndAnnotations(cluster.ZarfNamespaceName, pvcName, groupKind, labels, annotations)
+			return "true", err
+		} else {
+			return "false", err
+		}
+	}
+
+}
+
 // DoHTTPThings adds http request boilerplate and perform the request, checking for a successful response.
 func (g *Git) DoHTTPThings(request *netHttp.Request, username, secret string) ([]byte, error) {
 	message.Debugf("git.DoHttpThings()")

@@ -7,7 +7,6 @@ package helm
 import (
 	"fmt"
 
-	"github.com/defenseunicorns/zarf/src/internal/packager/git"
 	"github.com/defenseunicorns/zarf/src/pkg/cluster"
 	"github.com/defenseunicorns/zarf/src/pkg/k8s"
 	"github.com/defenseunicorns/zarf/src/pkg/message"
@@ -48,36 +47,6 @@ func (h *Helm) UpdateZarfRegistryValues() error {
 	return nil
 }
 
-// UpdateZarfGiteaValues updates the Zarf git server deployment with the new state values
-func (h *Helm) UpdateZarfGiteaValues() error {
-	giteaValues := map[string]interface{}{
-		"gitea": map[string]interface{}{
-			"admin": map[string]interface{}{
-				"username": h.cfg.State.GitServer.PushUsername,
-				"password": h.cfg.State.GitServer.PushPassword,
-			},
-		},
-	}
-
-	h.chart = types.ZarfChart{
-		Namespace:   "zarf",
-		ReleaseName: "zarf-gitea",
-	}
-
-	err := h.UpdateReleaseValues(giteaValues)
-	if err != nil {
-		return fmt.Errorf("error updating the release values: %w", err)
-	}
-
-	g := git.New(h.cfg.State.GitServer)
-	err = g.CreateReadOnlyUser()
-	if err != nil {
-		return fmt.Errorf("unable to create the new Gitea read only user: %w", err)
-	}
-
-	return nil
-}
-
 // UpdateZarfAgentValues updates the Zarf agent deployment with the new state values
 func (h *Helm) UpdateZarfAgentValues() error {
 	spinner := message.NewProgressSpinner("Gathering information to update Zarf Agent TLS")