Merge pull request #593 from pjbgf/new-kube-flag

Add kubeconfig flags

.github/workflows/e2e.yaml

@@ -52,8 +52,6 @@ jobs:
  uses: fluxcd/pkg/actions/kubectl@main
  with:
  version: 1.21.2
- - name: Setup SOPS
- uses: fluxcd/pkg/actions/sops@main
  - name: Enable integration tests
  # Only run integration tests for main branch
  if: github.ref == 'refs/heads/main'

DEVELOPMENT.md

@@ -18,6 +18,7 @@ In addition to the above, the following dependencies are also used by some of th
 - `controller-gen` (v0.7.0)
 - `gen-crd-api-reference-docs` (v0.3.0)
 - `setup-envtest` (latest)
+- `sops` (v3.7.2)
 
 If any of the above dependencies are not present on your system, the first invocation of a `make` target that requires them will install them.
 

Makefile

@@ -4,12 +4,20 @@ IMG ?= fluxcd/kustomize-controller:latest
 CRD_OPTIONS ?= crd:crdVersions=v1
 SOURCE_VER ?= v0.22.3
 
-# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+# Use the same version of SOPS already referenced on go.mod
+SOPS_VER := $(shell go list -m all | grep go.mozilla.org/sops | awk '{print $$2}')
+
+# Repository root based on Git metadata
+REPOSITORY_ROOT := $(shell git rev-parse --show-toplevel)
+BUILD_DIR := $(REPOSITORY_ROOT)/build
+
+# If gobin not set, create one on ./build and add to path.
 ifeq (,$(shell go env GOBIN))
-GOBIN=$(shell go env GOPATH)/bin
+GOBIN=$(BUILD_DIR)/gobin
 else
 GOBIN=$(shell go env GOBIN)
 endif
+export PATH:=$(GOBIN):${PATH}
 
 # Allows for defining additional Go test args, e.g. '-tags integration'.
 GO_TEST_ARGS ?=
@@ -25,20 +33,24 @@ ENVTEST_ARCH ?= amd64
 all: manager
 
 # Download the envtest binaries to testbin
-ENVTEST_ASSETS_DIR=$(shell pwd)/build/testbin
+ENVTEST_ASSETS_DIR=$(BUILD_DIR)/testbin
 ENVTEST_KUBERNETES_VERSION?=latest
 install-envtest: setup-envtest
  mkdir -p ${ENVTEST_ASSETS_DIR}
  $(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
 
+SOPS = $(GOBIN)/sops
+$(SOPS): ## Download latest sops binary if none is found.
+ $(call go-install-tool,$(SOPS),go.mozilla.org/sops/v3/cmd/sops@$(SOPS_VER))
+
 # Run controller tests
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
-test: tidy generate fmt vet manifests api-docs download-crd-deps install-envtest
+test: tidy generate fmt vet manifests api-docs download-crd-deps install-envtest $(SOPS)
  KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test ./... $(GO_TEST_ARGS) -v -coverprofile cover.out
 
 # Build manager binary
 manager: generate fmt vet
- go build -o bin/manager main.go
+ go build -o $(BUILD_DIR)/bin/manager main.go
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
@@ -120,18 +132,18 @@ docker-deploy:
  kubectl -n flux-system set image deployment/kustomize-controller manager=${IMG}
 
 # Find or download controller-gen
-CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
+CONTROLLER_GEN = $(GOBIN)/controller-gen
 .PHONY: controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
  $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/[email protected])
 
 # Find or download gen-crd-api-reference-docs
-GEN_CRD_API_REFERENCE_DOCS = $(shell pwd)/bin/gen-crd-api-reference-docs
+GEN_CRD_API_REFERENCE_DOCS = $(GOBIN)/gen-crd-api-reference-docs
 .PHONY: gen-crd-api-reference-docs
 gen-crd-api-reference-docs:
  $(call go-install-tool,$(GEN_CRD_API_REFERENCE_DOCS),github.com/ahmetb/[email protected])
 
-ENVTEST = $(shell pwd)/bin/setup-envtest
+ENVTEST = $(GOBIN)/setup-envtest
 .PHONY: envtest
 setup-envtest: ## Download envtest-setup locally if necessary.
  $(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
@@ -145,26 +157,26 @@ TMP_DIR=$$(mktemp -d) ;\
 cd $$TMP_DIR ;\
 go mod init tmp ;\
 echo "Downloading $(2)" ;\
-GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+GOBIN=$(GOBIN) go install $(2) ;\
 rm -rf $$TMP_DIR ;\
 }
 endef
 
 # Build fuzzers
 fuzz-build:
- rm -rf $(shell pwd)/build/fuzz/
- mkdir -p $(shell pwd)/build/fuzz/out/
+ rm -rf $(BUILD_DIR)/fuzz/
+ mkdir -p $(BUILD_DIR)/fuzz/out/
 
  docker build . --tag local-fuzzing:latest -f tests/fuzz/Dockerfile.builder
  docker run --rm \
  -e FUZZING_LANGUAGE=go -e SANITIZER=address \
  -e CIFUZZ_DEBUG='True' -e OSS_FUZZ_PROJECT_NAME=fluxcd \
- -v "$(shell pwd)/build/fuzz/out":/out \
+ -v "$(BUILD_DIR)/fuzz/out":/out \
  local-fuzzing:latest
 
 fuzz-smoketest: fuzz-build
  docker run --rm \
- -v "$(shell pwd)/build/fuzz/out":/out \
+ -v "$(BUILD_DIR)/fuzz/out":/out \
  -v "$(shell pwd)/tests/fuzz/oss_fuzz_run.sh":/runner.sh \
  local-fuzzing:latest \
  bash -c "/runner.sh"

controllers/kustomization_controller.go

@@ -57,6 +57,7 @@ import (
  apiacl "github.com/fluxcd/pkg/apis/acl"
  "github.com/fluxcd/pkg/apis/meta"
  "github.com/fluxcd/pkg/runtime/acl"
+ runtimeClient "github.com/fluxcd/pkg/runtime/client"
  "github.com/fluxcd/pkg/runtime/events"
  "github.com/fluxcd/pkg/runtime/metrics"
  "github.com/fluxcd/pkg/runtime/predicates"
@@ -88,6 +89,7 @@ type KustomizationReconciler struct {
  statusManager string
  NoCrossNamespaceRefs bool
  DefaultServiceAccount string
+ KubeConfigOpts runtimeClient.KubeConfigOptions
 }
 
 // KustomizationReconcilerOptions contains options for the KustomizationReconciler.
@@ -343,7 +345,7 @@ func (r *KustomizationReconciler) reconcile(
  }
 
  // setup the Kubernetes client for impersonation
- impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+ impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.KubeConfigOpts)
  kubeClient, statusPoller, err := impersonation.GetClient(ctx)
  if err != nil {
  return kustomizev1.KustomizationNotReady(
@@ -926,7 +928,7 @@ func (r *KustomizationReconciler) finalize(ctx context.Context, kustomization ku
  kustomization.Status.Inventory.Entries != nil {
  objects, _ := ListObjectsInInventory(kustomization.Status.Inventory)
 
- impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+ impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.KubeConfigOpts)
  if impersonation.CanFinalize(ctx) {
  kubeClient, _, err := impersonation.GetClient(ctx)
  if err != nil {

controllers/kustomization_impersonation.go

@@ -31,6 +31,8 @@ import (
  "sigs.k8s.io/controller-runtime/pkg/client/config"
 
  kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+
+ runtimeClient "github.com/fluxcd/pkg/runtime/client"
 )
 
 // KustomizeImpersonation holds the state for impersonating a service account.
@@ -39,19 +41,22 @@ type KustomizeImpersonation struct {
  kustomization kustomizev1.Kustomization
  statusPoller *polling.StatusPoller
  defaultServiceAccount string
+ kubeConfigOpts runtimeClient.KubeConfigOptions
 }
 
 // NewKustomizeImpersonation creates a new KustomizeImpersonation.
 func NewKustomizeImpersonation(
  kustomization kustomizev1.Kustomization,
  kubeClient client.Client,
  statusPoller *polling.StatusPoller,
- defaultServiceAccount string) *KustomizeImpersonation {
+ defaultServiceAccount string,
+ kubeConfigOpts runtimeClient.KubeConfigOptions) *KustomizeImpersonation {
  return &KustomizeImpersonation{
  defaultServiceAccount: defaultServiceAccount,
  kustomization: kustomization,
  statusPoller: statusPoller,
  Client: kubeClient,
+ kubeConfigOpts: kubeConfigOpts,
  }
 }
 
@@ -141,6 +146,8 @@ func (ki *KustomizeImpersonation) clientForKubeConfig(ctx context.Context) (clie
  if err != nil {
  return nil, nil, err
  }
+
+ restConfig = runtimeClient.KubeConfig(restConfig, ki.kubeConfigOpts)
  ki.setImpersonationConfig(restConfig)
 
  restMapper, err := apiutil.NewDynamicRESTMapper(restConfig)

go.mod

@@ -17,7 +17,7 @@ require (
  github.com/fluxcd/pkg/apis/acl v0.0.3
  github.com/fluxcd/pkg/apis/kustomize v0.3.2
  github.com/fluxcd/pkg/apis/meta v0.12.1
- github.com/fluxcd/pkg/runtime v0.13.2
+ github.com/fluxcd/pkg/runtime v0.13.3
  github.com/fluxcd/pkg/ssa v0.15.1
  github.com/fluxcd/pkg/testserver v0.2.0
  github.com/fluxcd/pkg/untar v0.1.0

go.sum

@@ -278,8 +278,8 @@ github.com/fluxcd/pkg/apis/kustomize v0.3.2 h1:ULoAwOOekHf5cy6mYIwL+K6v8/cfcNVVb
 github.com/fluxcd/pkg/apis/kustomize v0.3.2/go.mod h1:p8iAH5TeqMBnnxkkpCNNDvWYfKlNRx89a6WKOo+hJHA=
 github.com/fluxcd/pkg/apis/meta v0.12.1 h1:m5PfKAqbqWBvGp9+JRj1sv+xNkGsHwUVf+3rJ8wm6SE=
 github.com/fluxcd/pkg/apis/meta v0.12.1/go.mod h1:f8YVt70/KAhqzZ7xxhjvqyzKubOYx2pAbakb/FfCEg8=
-github.com/fluxcd/pkg/runtime v0.13.2 h1:6jkQQUbp17WxHsbozlJFCvHmOS4JIB+yB20CdCd8duE=
-github.com/fluxcd/pkg/runtime v0.13.2/go.mod h1:dzWNKqFzFXeittbpFcJzR3cdC9CWlbzw+pNOgaVvF/0=
+github.com/fluxcd/pkg/runtime v0.13.3 h1:k0Xun+RoEC/F6iuAPTA6rQb+I4B4oecBx6pOcodX11A=
+github.com/fluxcd/pkg/runtime v0.13.3/go.mod h1:dzWNKqFzFXeittbpFcJzR3cdC9CWlbzw+pNOgaVvF/0=
 github.com/fluxcd/pkg/ssa v0.15.1 h1:HXAT+K6c9Yy8Evxdyk3DU0KTk3yZ+fwgTEEzU1W/1V8=
 github.com/fluxcd/pkg/ssa v0.15.1/go.mod h1:OSXVu/uKPbhzBRljA359+WYxbXtMUNbkADlrS3Rm+gE=
 github.com/fluxcd/pkg/testserver v0.2.0 h1:Mj0TapmKaywI6Fi5wvt1LAZpakUHmtzWQpJNKQ0Krt4=

internal/sops/azkv/keysource_integration_test.go

@@ -1,4 +1,5 @@
-// +tag integration
+//go:build integration
+// +build integration
 
 /*
 Copyright 2022 The Flux authors

main.go

@@ -68,6 +68,7 @@ func main() {
  concurrent int
  requeueDependency time.Duration
  clientOptions client.Options
+ kubeConfigOpts client.KubeConfigOptions
  logOptions logger.Options
  leaderElectionOptions leaderelection.Options
  aclOptions acl.Options
@@ -89,6 +90,7 @@ func main() {
  logOptions.BindFlags(flag.CommandLine)
  leaderElectionOptions.BindFlags(flag.CommandLine)
  aclOptions.BindFlags(flag.CommandLine)
+ kubeConfigOpts.BindFlags(flag.CommandLine)
  flag.Parse()
 
  ctrl.SetLogger(logger.NewLogger(logOptions))
@@ -139,6 +141,7 @@ func main() {
  MetricsRecorder: metricsRecorder,
  StatusPoller: polling.NewStatusPoller(mgr.GetClient(), mgr.GetRESTMapper(), polling.Options{}),
  NoCrossNamespaceRefs: aclOptions.NoCrossNamespaceRefs,
+ KubeConfigOpts: kubeConfigOpts,
  }).SetupWithManager(mgr, controllers.KustomizationReconcilerOptions{
  MaxConcurrentReconciles: concurrent,
  DependencyRequeueInterval: requeueDependency,