Merge branch 'main' into warn-on-helm-fail

zarf-dev · Aug 22, 2024 · 3e8ce90 · 3e8ce90
2 parents 51214ab + db367cd
commit 3e8ce90
Show file tree

Hide file tree

Showing 7 changed files with 137 additions and 64 deletions.
diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
@@ -53,7 +53,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/init@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yaml
@@ -62,6 +62,6 @@ jobs:
         run: make build-cli-linux-amd
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/analyze@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -44,6 +44,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
         with:
           sarif_file: results.sarif
diff --git a/src/cmd/tools/zarf.go b/src/cmd/tools/zarf.go
@@ -21,7 +21,6 @@ import (
 	"github.com/zarf-dev/zarf/src/cmd/common"
 	"github.com/zarf-dev/zarf/src/config"
 	"github.com/zarf-dev/zarf/src/config/lang"
-	"github.com/zarf-dev/zarf/src/internal/gitea"
 	"github.com/zarf-dev/zarf/src/internal/packager/helm"
 	"github.com/zarf-dev/zarf/src/internal/packager/template"
 	"github.com/zarf-dev/zarf/src/pkg/cluster"
@@ -70,7 +69,7 @@ var getCredsCmd = &cobra.Command{
 		}
 		// TODO: Determine if this is actually needed.
 		if state.Distro == "" {
-			return errors.New("Zarf state secret did not load properly")
+			return errors.New("zarf state secret did not load properly")
 		}
 
 		if len(args) > 0 {
@@ -97,7 +96,7 @@ var updateCredsCmd = &cobra.Command{
 		} else {
 			if !slices.Contains(validKeys, args[0]) {
 				cmd.Help()
-				return fmt.Errorf("invalid service key specified, valid keys are: %s, %s, and %s", message.RegistryKey, message.GitKey, message.ArtifactKey)
+				return fmt.Errorf("invalid service key specified, valid key choices are: %v", validKeys)
 			}
 		}
 
@@ -116,7 +115,7 @@ var updateCredsCmd = &cobra.Command{
 		}
 		// TODO: Determine if this is actually needed.
 		if oldState.Distro == "" {
-			return errors.New("Zarf state secret did not load properly")
+			return errors.New("zarf state secret did not load properly")
 		}
 		newState, err := cluster.MergeZarfState(oldState, updateCredsInitOpts, args)
 		if err != nil {
@@ -152,34 +151,18 @@ var updateCredsCmd = &cobra.Command{
 					return err
 				}
 			}
+			// TODO once Zarf is changed so the default state is empty for a service when it is not deployed
+			// and sufficient time has passed for users state to get updated we can remove this check
+			internalGitServerExists, err := c.InternalGitServerExists(cmd.Context())
+			if err != nil {
+				return err
+			}
 
 			// Update artifact token (if internal)
-			if slices.Contains(args, message.ArtifactKey) && newState.ArtifactServer.PushToken == "" && newState.ArtifactServer.IsInternal() {
-				tunnel, err := c.NewTunnel(cluster.ZarfNamespaceName, cluster.SvcResource, cluster.ZarfGitServerName, "", 0, cluster.ZarfGitServerPort)
+			if slices.Contains(args, message.ArtifactKey) && newState.ArtifactServer.PushToken == "" && newState.ArtifactServer.IsInternal() && internalGitServerExists {
+				newState.ArtifactServer.PushToken, err = c.UpdateInternalArtifactServerToken(ctx, oldState.GitServer)
 				if err != nil {
-					return err
-				}
-				_, err = tunnel.Connect(cmd.Context())
-				if err != nil {
-					return err
-				}
-				defer tunnel.Close()
-				tunnelURL := tunnel.HTTPEndpoint()
-				giteaClient, err := gitea.NewClient(tunnelURL, oldState.GitServer.PushUsername, oldState.GitServer.PushPassword)
-				if err != nil {
-					return err
-				}
-				err = tunnel.Wrap(func() error {
-					tokenSha1, err := giteaClient.CreatePackageRegistryToken(ctx)
-					if err != nil {
-						return err
-					}
-					newState.ArtifactServer.PushToken = tokenSha1
-					return nil
-				})
-				if err != nil {
-					// Warn if we couldn't actually update the git server (it might not be installed and we should try to continue)
-					message.Warnf(lang.CmdToolsUpdateCredsUnableCreateToken, err.Error())
+					return fmt.Errorf("unable to create the new Gitea artifact token: %w", err)
 				}
 			}
 
@@ -199,35 +182,10 @@ var updateCredsCmd = &cobra.Command{
 					message.Warnf(lang.CmdToolsUpdateCredsUnableUpdateRegistry, err.Error())
 				}
 			}
-			if slices.Contains(args, message.GitKey) && newState.GitServer.IsInternal() {
-				tunnel, err := c.NewTunnel(cluster.ZarfNamespaceName, cluster.SvcResource, cluster.ZarfGitServerName, "", 0, cluster.ZarfGitServerPort)
-				if err != nil {
-					return err
-				}
-				_, err = tunnel.Connect(cmd.Context())
-				if err != nil {
-					return err
-				}
-				defer tunnel.Close()
-				tunnelURL := tunnel.HTTPEndpoint()
-				giteaClient, err := gitea.NewClient(tunnelURL, oldState.GitServer.PushUsername, oldState.GitServer.PushPassword)
-				if err != nil {
-					return err
-				}
-				err = tunnel.Wrap(func() error {
-					err := giteaClient.UpdateGitUser(ctx, newState.GitServer.PullUsername, newState.GitServer.PullPassword)
-					if err != nil {
-						return err
-					}
-					err = giteaClient.UpdateGitUser(ctx, newState.GitServer.PushUsername, newState.GitServer.PushPassword)
-					if err != nil {
-						return err
-					}
-					return nil
-				})
+			if slices.Contains(args, message.GitKey) && newState.GitServer.IsInternal() && internalGitServerExists {
+				err := c.UpdateInternalGitServerSecret(cmd.Context(), oldState.GitServer, newState.GitServer)
 				if err != nil {
-					// Warn if we couldn't actually update the git server (it might not be installed and we should try to continue)
-					message.Warnf(lang.CmdToolsUpdateCredsUnableUpdateGit, err.Error())
+					return fmt.Errorf("unable to update Zarf Git Server values: %w", err)
 				}
 			}
 			if slices.Contains(args, message.AgentKey) {

diff --git a/src/config/lang/english.go b/src/config/lang/english.go
@@ -576,9 +576,7 @@ $ zarf tools update-creds artifact --artifact-push-username={USERNAME} --artifac
 	CmdToolsUpdateCredsConfirmFlag          = "Confirm updating credentials without prompting"
 	CmdToolsUpdateCredsConfirmProvided      = "Confirm flag specified, continuing without prompting."
 	CmdToolsUpdateCredsConfirmContinue      = "Continue with these changes?"
-	CmdToolsUpdateCredsUnableCreateToken    = "Unable to create the new Gitea artifact token: %s"
 	CmdToolsUpdateCredsUnableUpdateRegistry = "Unable to update Zarf Registry values: %s"
-	CmdToolsUpdateCredsUnableUpdateGit      = "Unable to update Zarf Git Server values: %s"
 	CmdToolsUpdateCredsUnableUpdateAgent    = "Unable to update Zarf Agent TLS secrets: %s"
 	CmdToolsUpdateCredsUnableUpdateCreds    = "Unable to update Zarf credentials"
 

diff --git a/src/pkg/cluster/zarf.go b/src/pkg/cluster/zarf.go
@@ -20,6 +20,7 @@ import (
 	"github.com/avast/retry-go/v4"
 	"github.com/zarf-dev/zarf/src/api/v1alpha1"
 	"github.com/zarf-dev/zarf/src/config"
+	"github.com/zarf-dev/zarf/src/internal/gitea"
 	"github.com/zarf-dev/zarf/src/pkg/message"
 	"github.com/zarf-dev/zarf/src/types"
 )
@@ -288,3 +289,72 @@ func (c *Cluster) GetInstalledChartsForComponent(ctx context.Context, packageNam
 
 	return installedCharts, nil
 }
+
+// UpdateInternalArtifactServerToken updates the the artifact server token on the internal gitea server and returns it
+func (c *Cluster) UpdateInternalArtifactServerToken(ctx context.Context, oldGitServer types.GitServerInfo) (string, error) {
+	tunnel, err := c.NewTunnel(ZarfNamespaceName, SvcResource, ZarfGitServerName, "", 0, ZarfGitServerPort)
+	if err != nil {
+		return "", err
+	}
+	_, err = tunnel.Connect(ctx)
+	if err != nil {
+		return "", err
+	}
+	defer tunnel.Close()
+	tunnelURL := tunnel.HTTPEndpoint()
+	giteaClient, err := gitea.NewClient(tunnelURL, oldGitServer.PushUsername, oldGitServer.PushPassword)
+	if err != nil {
+		return "", err
+	}
+	var newToken string
+	err = tunnel.Wrap(func() error {
+		newToken, err = giteaClient.CreatePackageRegistryToken(ctx)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+	return newToken, err
+}
+
+// UpdateInternalGitServerSecret updates the internal gitea server secrets with the new git server info
+func (c *Cluster) UpdateInternalGitServerSecret(ctx context.Context, oldGitServer types.GitServerInfo, newGitServer types.GitServerInfo) error {
+	tunnel, err := c.NewTunnel(ZarfNamespaceName, SvcResource, ZarfGitServerName, "", 0, ZarfGitServerPort)
+	if err != nil {
+		return err
+	}
+	_, err = tunnel.Connect(ctx)
+	if err != nil {
+		return err
+	}
+	defer tunnel.Close()
+	tunnelURL := tunnel.HTTPEndpoint()
+	giteaClient, err := gitea.NewClient(tunnelURL, oldGitServer.PushUsername, oldGitServer.PushPassword)
+	if err != nil {
+		return err
+	}
+	err = tunnel.Wrap(func() error {
+		err := giteaClient.UpdateGitUser(ctx, newGitServer.PullUsername, newGitServer.PullPassword)
+		if err != nil {
+			return err
+		}
+		err = giteaClient.UpdateGitUser(ctx, newGitServer.PushUsername, newGitServer.PushPassword)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// InternalGitServerExists checks if the Zarf internal git server exists in the cluster.
+func (c *Cluster) InternalGitServerExists(ctx context.Context) (bool, error) {
+	_, err := c.Clientset.CoreV1().Services(ZarfNamespaceName).Get(ctx, ZarfGitServerName, metav1.GetOptions{})
+	if err != nil && !kerrors.IsNotFound(err) {
+		return false, err
+	}
+	return !kerrors.IsNotFound(err), nil
+}
diff --git a/src/pkg/cluster/zarf_test.go b/src/pkg/cluster/zarf_test.go
@@ -285,3 +285,41 @@ func TestRegistryHPA(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, autoscalingv2.DisabledPolicySelect, *disableHpa.Spec.Behavior.ScaleDown.SelectPolicy)
 }
+
+func TestInternalGitServerExists(t *testing.T) {
+	tests := []struct {
+		name          string
+		svc           *corev1.Service
+		expectedExist bool
+		expectedErr   error
+	}{
+		{
+			name:          "Git server exists",
+			svc:           &corev1.Service{ObjectMeta: metav1.ObjectMeta{Name: ZarfGitServerName, Namespace: ZarfNamespaceName}},
+			expectedExist: true,
+			expectedErr:   nil,
+		},
+		{
+			name:          "Git server does not exist",
+			svc:           nil,
+			expectedExist: false,
+			expectedErr:   nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cs := fake.NewSimpleClientset()
+			cluster := &Cluster{Clientset: cs}
+			ctx := context.Background()
+			if tt.svc != nil {
+				_, err := cs.CoreV1().Services(tt.svc.Namespace).Create(ctx, tt.svc, metav1.CreateOptions{})
+				require.NoError(t, err)
+			}
+
+			exists, err := cluster.InternalGitServerExists(ctx)
+			require.Equal(t, tt.expectedExist, exists)
+			require.Equal(t, tt.expectedErr, err)
+		})
+	}
+}
diff --git a/src/test/e2e/21_connect_creds_test.go b/src/test/e2e/21_connect_creds_test.go
@@ -23,11 +23,16 @@ type RegistryResponse struct {
 
 func TestConnectAndCreds(t *testing.T) {
 	t.Log("E2E: Connect")
+	ctx := context.Background()
 
 	prevAgentSecretData, _, err := e2e.Kubectl(t, "get", "secret", "agent-hook-tls", "-n", "zarf", "-o", "jsonpath={.data}")
 	require.NoError(t, err)
 
-	ctx := context.Background()
+	c, err := cluster.NewCluster()
+	require.NoError(t, err)
+	// Init the state variable
+	oldState, err := c.LoadZarfState(ctx)
+	require.NoError(t, err)
 
 	connectToZarfServices(ctx, t)
 
@@ -36,7 +41,11 @@ func TestConnectAndCreds(t *testing.T) {
 
 	newAgentSecretData, _, err := e2e.Kubectl(t, "get", "secret", "agent-hook-tls", "-n", "zarf", "-o", "jsonpath={.data}")
 	require.NoError(t, err)
-	require.NotEqual(t, prevAgentSecretData, newAgentSecretData, "agent secrets should not be the same")
+	newState, err := c.LoadZarfState(ctx)
+	require.NoError(t, err)
+	require.NotEqual(t, prevAgentSecretData, newAgentSecretData)
+	require.NotEqual(t, oldState.ArtifactServer.PushToken, newState.ArtifactServer.PushToken)
+	require.NotEqual(t, oldState.GitServer.PushPassword, newState.GitServer.PushPassword)
 
 	connectToZarfServices(ctx, t)
 }