constellation/internal/constellation/helm.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package constellation

import (
	"context"
	"errors"
	"fmt"

	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
	"github.com/edgelesssys/constellation/v2/internal/constellation/state"
	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
	k8serrors "k8s.io/apimachinery/pkg/api/errors"
	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/types"
)

var patch = []byte(fmt.Sprintf(`{"metadata": {"labels": {%q: %q}, "annotations": {%q: %q, %q: %q}}}`,
	"app.kubernetes.io/managed-by", "Helm",
	"meta.helm.sh/release-name", "coredns",
	"meta.helm.sh/release-namespace", "kube-system"))

var namespacedCoreDNSResources = map[schema.GroupVersionResource]string{
	{Group: "apps", Version: "v1", Resource: "deployments"}:  "coredns",
	{Group: "", Version: "v1", Resource: "services"}:         "kube-dns",
	{Group: "", Version: "v1", Resource: "configmaps"}:       "coredns",
	{Group: "", Version: "v1", Resource: "serviceaccounts"}:  "coredns",
	{Group: "apps", Version: "v1", Resource: "statefulsets"}: "foobarbax",
}

var coreDNSResources = map[schema.GroupVersionResource]string{
	{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles"}:        "system:coredns",
	{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterrolebindings"}: "system:coredns",
}

// AnnotateCoreDNSResources imports existing CoreDNS resources into the Helm release.
//
// This is only required when CoreDNS was installed by kubeadm directly.
// TODO(burgerdev): remove after v2.19 is released.
func (a *Applier) AnnotateCoreDNSResources(ctx context.Context) error {
	for gvk, name := range coreDNSResources {
		_, err := a.dynamicClient.Resource(gvk).Patch(ctx, name, types.StrategicMergePatchType, patch, v1.PatchOptions{})
		if err != nil && !k8serrors.IsNotFound(err) {
			return err
		}
	}

	for gvk, name := range namespacedCoreDNSResources {
		_, err := a.dynamicClient.Resource(gvk).Namespace("kube-system").Patch(ctx, name, types.StrategicMergePatchType, patch, v1.PatchOptions{})
		if err != nil && !k8serrors.IsNotFound(err) {
			return err
		}
	}

	return nil
}

// CleanupCoreDNSResources removes CoreDNS resources that are not managed by Helm.
//
// This is only required when CoreDNS was installed by kubeadm directly.
// TODO(burgerdev): remove after v2.19 is released.
func (a *Applier) CleanupCoreDNSResources(ctx context.Context) error {
	err := a.dynamicClient.
		Resource(schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}).
		Namespace("kube-system").
		Delete(ctx, "coredns", v1.DeleteOptions{})
	if !k8serrors.IsNotFound(err) {
		return err
	}
	return nil
}

// PrepareHelmCharts loads Helm charts for Constellation and returns an executor to apply them.
func (a *Applier) PrepareHelmCharts(
	flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
) (helm.Applier, bool, error) {
	if a.helmClient == nil {
		return nil, false, errors.New("helm client not initialized")
	}

	return a.helmClient.PrepareApply(flags, state, serviceAccURI, masterSecret)
}

type helmApplier interface {
	PrepareApply(
		flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
	) (
		helm.Applier, bool, error)
}
constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

			`package constellation`

			`import (`
cli: annotate CoreDNS resources for Helm (#3236) 2024-07-03 19:37:51 +02:00			`"context"`
constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00			`"errors"`
cli: annotate CoreDNS resources for Helm (#3236) 2024-07-03 19:37:51 +02:00			`"fmt"`
constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00
			`"github.com/edgelesssys/constellation/v2/internal/constellation/helm"`
constellation-lib: move state and featureset packages (#2682) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-08 16:27:04 +01:00			`"github.com/edgelesssys/constellation/v2/internal/constellation/state"`
constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00			`"github.com/edgelesssys/constellation/v2/internal/kms/uri"`
cli: annotate CoreDNS resources for Helm (#3236) 2024-07-03 19:37:51 +02:00			`k8serrors "k8s.io/apimachinery/pkg/api/errors"`
			`v1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/runtime/schema"`
			`"k8s.io/apimachinery/pkg/types"`
constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00			`)`

cli: annotate CoreDNS resources for Helm (#3236) 2024-07-03 19:37:51 +02:00			var patch = []byte(fmt.Sprintf(`{"metadata": {"labels": {%q: %q}, "annotations": {%q: %q, %q: %q}}}`,
			`"app.kubernetes.io/managed-by", "Helm",`
			`"meta.helm.sh/release-name", "coredns",`
			`"meta.helm.sh/release-namespace", "kube-system"))`

			`var namespacedCoreDNSResources = map[schema.GroupVersionResource]string{`
			`{Group: "apps", Version: "v1", Resource: "deployments"}: "coredns",`
			`{Group: "", Version: "v1", Resource: "services"}: "kube-dns",`
			`{Group: "", Version: "v1", Resource: "configmaps"}: "coredns",`
			`{Group: "", Version: "v1", Resource: "serviceaccounts"}: "coredns",`
			`{Group: "apps", Version: "v1", Resource: "statefulsets"}: "foobarbax",`
			`}`

			`var coreDNSResources = map[schema.GroupVersionResource]string{`
			`{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles"}: "system:coredns",`
			`{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterrolebindings"}: "system:coredns",`
			`}`

			`// AnnotateCoreDNSResources imports existing CoreDNS resources into the Helm release.`
			`//`
			`// This is only required when CoreDNS was installed by kubeadm directly.`
			`// TODO(burgerdev): remove after v2.19 is released.`
			`func (a *Applier) AnnotateCoreDNSResources(ctx context.Context) error {`
			`for gvk, name := range coreDNSResources {`
			`_, err := a.dynamicClient.Resource(gvk).Patch(ctx, name, types.StrategicMergePatchType, patch, v1.PatchOptions{})`
			`if err != nil && !k8serrors.IsNotFound(err) {`
			`return err`
			`}`
			`}`

			`for gvk, name := range namespacedCoreDNSResources {`
			`_, err := a.dynamicClient.Resource(gvk).Namespace("kube-system").Patch(ctx, name, types.StrategicMergePatchType, patch, v1.PatchOptions{})`
			`if err != nil && !k8serrors.IsNotFound(err) {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

helm: manage CoreDNS addon as Helm chart (#3388) * Reapply "helm: manage CoreDNS addon as Helm chart (#3236)" This reverts commit 4a9422d288ef42f5ebf0dd878dc9aff26ed082dd. * Reapply "helm: fix kubeadm bugs caused by CoreDNS installation (#3353)" This reverts commit 9ecfc3fa19780b8b4972872b0a505d377ec70601. 2024-10-07 10:51:37 +02:00			`// CleanupCoreDNSResources removes CoreDNS resources that are not managed by Helm.`
			`//`
			`// This is only required when CoreDNS was installed by kubeadm directly.`
			`// TODO(burgerdev): remove after v2.19 is released.`
			`func (a *Applier) CleanupCoreDNSResources(ctx context.Context) error {`
			`err := a.dynamicClient.`
			`Resource(schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}).`
			`Namespace("kube-system").`
			`Delete(ctx, "coredns", v1.DeleteOptions{})`
			`if !k8serrors.IsNotFound(err) {`
			`return err`
			`}`
			`return nil`
			`}`

constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00			`// PrepareHelmCharts loads Helm charts for Constellation and returns an executor to apply them.`
			`func (a *Applier) PrepareHelmCharts(`
terraform-provider: Add support for STACKIT / OpenStack 2024-03-06 20:48:40 +01:00			`flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret,`
constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00			`) (helm.Applier, bool, error) {`
			`if a.helmClient == nil {`
			`return nil, false, errors.New("helm client not initialized")`
			`}`

terraform-provider: Add support for STACKIT / OpenStack 2024-03-06 20:48:40 +01:00			`return a.helmClient.PrepareApply(flags, state, serviceAccURI, masterSecret)`
constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00			`}`

			`type helmApplier interface {`
			`PrepareApply(`
terraform-provider: Add support for STACKIT / OpenStack 2024-03-06 20:48:40 +01:00			`flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret,`
constellation-lib: add Helm wrapper (#2680) * Add Helm wrapper to constellation-lib * Move helm package to constellation-lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-06 10:01:39 +01:00			`) (`
			`helm.Applier, bool, error)`
			`}`