Add sourcesecret and kustomization manifestgen

This includes a change to the `sync` generator to make the deploy secret name configurable. Signed-off-by: Hidde Beydals <[email protected]>
fluxcd · Feb 26, 2021 · c78a0be · c78a0be
1 parent ff2833c
commit c78a0be
Show file tree

Hide file tree

Showing 18 changed files with 666 additions and 474 deletions.
diff --git a/cmd/flux/bootstrap.go b/cmd/flux/bootstrap.go
@@ -19,13 +19,11 @@ package main
 import (
  "context"
  "fmt"
- "net/url"
  "path/filepath"
  "time"
 
  "github.com/spf13/cobra"
  corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/types"
  "k8s.io/apimachinery/pkg/util/wait"
  "sigs.k8s.io/controller-runtime/pkg/client"
@@ -36,6 +34,7 @@ import (
  "github.com/fluxcd/flux2/internal/flags"
  "github.com/fluxcd/flux2/internal/utils"
  "github.com/fluxcd/flux2/pkg/manifestgen/install"
+ kus "github.com/fluxcd/flux2/pkg/manifestgen/kustomization"
  "github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 
@@ -200,6 +199,7 @@ func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir stri
  URL: url,
  Branch: branch,
  Interval: interval,
+ Secret: namespace,
  TargetPath: targetPath,
  ManifestFile: sync.MakeDefaultOptions().ManifestFile,
  }
@@ -214,9 +214,19 @@ func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir stri
  return "", err
  }
  outputDir := filepath.Dir(output)
- if err := utils.GenerateKustomizationYaml(outputDir); err != nil {
+
+ kusOpts := kus.MakeDefaultOptions()
+ kusOpts.BaseDir = tmpDir
+ kusOpts.TargetPath = filepath.Dir(manifest.Path)
+
+ kustomization, err := kus.Generate(kusOpts)
+ if err != nil {
+ return "", err
+ }
+ if _, err = kustomization.WriteFile(tmpDir); err != nil {
  return "", err
  }
+
  return outputDir, nil
 }
 
@@ -269,35 +279,6 @@ func shouldCreateDeployKey(ctx context.Context, kubeClient client.Client, namesp
  return false
 }
 
-func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) {
- pair, err := generateKeyPair(ctx, sourceGitArgs.keyAlgorithm, sourceGitArgs.keyRSABits, sourceGitArgs.keyECDSACurve)
- if err != nil {
- return "", err
- }
-
- hostKey, err := scanHostKey(ctx, url)
- if err != nil {
- return "", err
- }
-
- secret := corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: namespace,
- Namespace: namespace,
- },
- StringData: map[string]string{
- "identity": string(pair.PrivateKey),
- "identity.pub": string(pair.PublicKey),
- "known_hosts": string(hostKey),
- },
- }
- if err := upsertSecret(ctx, kubeClient, secret); err != nil {
- return "", err
- }
-
- return string(pair.PublicKey), nil
-}
-
 func checkIfBootstrapPathDiffers(ctx context.Context, kubeClient client.Client, namespace string, path string) (string, bool) {
  namespacedName := types.NamespacedName{
  Name: namespace,

diff --git a/cmd/flux/bootstrap_github.go b/cmd/flux/bootstrap_github.go
@@ -26,14 +26,14 @@ import (
  "path/filepath"
  "time"
 
+ "github.com/fluxcd/pkg/git"
  "github.com/spf13/cobra"
  corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
- "github.com/fluxcd/pkg/git"
+ "sigs.k8s.io/yaml"
 
  "github.com/fluxcd/flux2/internal/flags"
  "github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var bootstrapGitHubCmd = &cobra.Command{
@@ -244,44 +244,48 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
  logger.Successf("install completed")
  }
 
- repoURL := repository.GetURL()
-
+ repoURL := repository.GetSSH()
+ secretOpts := sourcesecret.Options{
+ Name: rootArgs.namespace,
+ Namespace: rootArgs.namespace,
+ }
  if bootstrapArgs.tokenAuth {
- // setup HTTPS token auth
- secret := corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: rootArgs.namespace,
- Namespace: rootArgs.namespace,
- },
- StringData: map[string]string{
- "username": "git",
- "password": ghToken,
- },
+ // Setup HTTPS token auth
+ repoURL = repository.GetURL()
+ secretOpts.Username = "git"
+ secretOpts.Password = ghToken
+ } else if shouldCreateDeployKey(ctx, kubeClient, rootArgs.namespace) {
+ // Setup SSH auth
+ u, err := url.Parse(repoURL)
+ if err != nil {
+ return fmt.Errorf("git URL parse failed: %w", err)
  }
- if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+ secretOpts.SSHHostname = u.Hostname()
+ secretOpts.PrivateKeyAlgorithm = sourcesecret.RSAPrivateKeyAlgorithm
+ secretOpts.RSAKeyBits = 2048
+ }
+
+ secret, err := sourcesecret.Generate(secretOpts)
+ if err != nil {
+ return err
+ }
+ var s corev1.Secret
+ if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+ return err
+ }
+ if len(s.StringData) > 0 {
+ logger.Actionf("configuring deploy key")
+ if err := upsertSecret(ctx, kubeClient, s); err != nil {
  return err
  }
- } else {
- // setup SSH deploy key
- repoURL = repository.GetSSH()
- if shouldCreateDeployKey(ctx, kubeClient, rootArgs.namespace) {
- logger.Actionf("configuring deploy key")
- u, err := url.Parse(repository.GetSSH())
- if err != nil {
- return fmt.Errorf("git URL parse failed: %w", err)
- }
-
- key, err := generateDeployKey(ctx, kubeClient, u, rootArgs.namespace)
- if err != nil {
- return fmt.Errorf("generating deploy key failed: %w", err)
- }
 
+ if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
  keyName := "flux"
  if githubArgs.path != "" {
  keyName = fmt.Sprintf("flux-%s", githubArgs.path)
  }
 
- if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
+ if changed, err := provider.AddDeployKey(ctx, repository, ppk, keyName); err != nil {
  return err
  } else if changed {
  logger.Successf("deploy key configured")

diff --git a/cmd/flux/bootstrap_gitlab.go b/cmd/flux/bootstrap_gitlab.go
@@ -29,12 +29,13 @@ import (
 
  "github.com/spf13/cobra"
  corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/yaml"
 
  "github.com/fluxcd/pkg/git"
 
  "github.com/fluxcd/flux2/internal/flags"
  "github.com/fluxcd/flux2/internal/utils"
+ "github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var bootstrapGitLabCmd = &cobra.Command{
@@ -218,44 +219,48 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
  logger.Successf("install completed")
  }
 
- repoURL := repository.GetURL()
-
+ repoURL := repository.GetSSH()
+ secretOpts := sourcesecret.Options{
+ Name: rootArgs.namespace,
+ Namespace: rootArgs.namespace,
+ }
  if bootstrapArgs.tokenAuth {
- // setup HTTPS token auth
- secret := corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: rootArgs.namespace,
- Namespace: rootArgs.namespace,
- },
- StringData: map[string]string{
- "username": "git",
- "password": glToken,
- },
+ // Setup HTTPS token auth
+ repoURL = repository.GetURL()
+ secretOpts.Username = "git"
+ secretOpts.Password = glToken
+ } else if shouldCreateDeployKey(ctx, kubeClient, rootArgs.namespace) {
+ // Setup SSH auth
+ u, err := url.Parse(repoURL)
+ if err != nil {
+ return fmt.Errorf("git URL parse failed: %w", err)
  }
- if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+ secretOpts.SSHHostname = u.Hostname()
+ secretOpts.PrivateKeyAlgorithm = sourcesecret.RSAPrivateKeyAlgorithm
+ secretOpts.RSAKeyBits = 2048
+ }
+
+ secret, err := sourcesecret.Generate(secretOpts)
+ if err != nil {
+ return err
+ }
+ var s corev1.Secret
+ if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+ return err
+ }
+ if len(s.StringData) > 0 {
+ logger.Actionf("configuring deploy key")
+ if err := upsertSecret(ctx, kubeClient, s); err != nil {
  return err
  }
- } else {
- // setup SSH deploy key
- repoURL = repository.GetSSH()
- if shouldCreateDeployKey(ctx, kubeClient, rootArgs.namespace) {
- logger.Actionf("configuring deploy key")
- u, err := url.Parse(repoURL)
- if err != nil {
- return fmt.Errorf("git URL parse failed: %w", err)
- }
-
- key, err := generateDeployKey(ctx, kubeClient, u, rootArgs.namespace)
- if err != nil {
- return fmt.Errorf("generating deploy key failed: %w", err)
- }
 
+ if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
  keyName := "flux"
  if gitlabArgs.path != "" {
  keyName = fmt.Sprintf("flux-%s", gitlabArgs.path)
  }
 
- if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
+ if changed, err := provider.AddDeployKey(ctx, repository, ppk, keyName); err != nil {
  return err
  } else if changed {
  logger.Successf("deploy key configured")

diff --git a/cmd/flux/create_secret.go b/cmd/flux/create_secret.go
@@ -18,15 +18,12 @@ package main
 
 import (
  "context"
- "fmt"
 
  "github.com/spf13/cobra"
  corev1 "k8s.io/api/core/v1"
  "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/types"
  "sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/yaml"
 )
 
 var createSecretCmd = &cobra.Command{
@@ -39,23 +36,6 @@ func init() {
  createCmd.AddCommand(createSecretCmd)
 }
 
-func makeSecret(name string) (corev1.Secret, error) {
- secretLabels, err := parseLabels()
- if err != nil {
- return corev1.Secret{}, err
- }
-
- return corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- Namespace: rootArgs.namespace,
- Labels: secretLabels,
- },
- StringData: map[string]string{},
- Data: nil,
- }, nil
-}
-
 func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
  namespacedName := types.NamespacedName{
  Namespace: secret.GetNamespace(),
@@ -81,19 +61,3 @@ func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.S
  }
  return nil
 }
-
-func exportSecret(secret corev1.Secret) error {
- secret.TypeMeta = metav1.TypeMeta{
- APIVersion: "v1",
- Kind: "Secret",
- }
-
- data, err := yaml.Marshal(secret)
- if err != nil {
- return err
- }
-
- fmt.Println("---")
- fmt.Println(resourceToString(data))
- return nil
-}