cli: annotate CoreDNS resources for Helm (#3236)

2025-01-11 07:29:29 -05:00 · 2024-07-03 19:37:51 +02:00 · 2024-07-03 19:37:51 +02:00 · 807bbbfd16
commit 807bbbfd16
parent b872fbdfe8
8 changed files with 81 additions and 0 deletions
--- a/cli/internal/cmd/apply.go
+++ b/cli/internal/cmd/apply.go
@ -422,6 +422,9 @@ func (a *applyCmd) apply(

 	// Apply Helm Charts
 	if !a.flags.skipPhases.contains(skipHelmPhase) {
+		if err := a.applier.AnnotateCoreDNSResources(cmd.Context()); err != nil {
+			return fmt.Errorf("annotating CoreDNS: %w", err)
+		}
 		if err := a.runHelmApply(cmd, conf, stateFile, upgradeDir); err != nil {
 			return err
 		}
@ -843,6 +846,7 @@ type applier interface {

 	// methods required to install/upgrade Helm charts

+	AnnotateCoreDNSResources(context.Context) error
 	PrepareHelmCharts(
 		flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
 	) (helm.Applier, bool, error)
--- a/cli/internal/cmd/apply_test.go
+++ b/cli/internal/cmd/apply_test.go
@ -553,6 +553,7 @@ func (s *stubConstellApplier) Init(context.Context, atls.Validator, *state.State
 }

 type helmApplier interface {
+	AnnotateCoreDNSResources(context.Context) error
 	PrepareHelmCharts(
 		flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
 	) (
--- a/cli/internal/cmd/init_test.go
+++ b/cli/internal/cmd/init_test.go
@ -278,6 +278,10 @@ type stubHelmApplier struct {
 	err error
 }

+func (s stubHelmApplier) AnnotateCoreDNSResources(_ context.Context) error {
+	return nil
+}
+
 func (s stubHelmApplier) PrepareHelmCharts(
 	_ helm.Options, _ *state.State, _ string, _ uri.MasterSecret,
 ) (helm.Applier, bool, error) {
--- a/cli/internal/cmd/upgradeapply_test.go
+++ b/cli/internal/cmd/upgradeapply_test.go
@ -375,6 +375,10 @@ type mockApplier struct {
 	mock.Mock
 }

+func (m *mockApplier) AnnotateCoreDNSResources(_ context.Context) error {
+	return nil
+}
+
 func (m *mockApplier) PrepareHelmCharts(
 	helmOpts helm.Options, stateFile *state.State, str string, masterSecret uri.MasterSecret,
 ) (helm.Applier, bool, error) {
--- a/internal/constellation/BUILD.bazel
+++ b/internal/constellation/BUILD.bazel
@ -37,6 +37,11 @@ go_library(
        "//internal/semver",
        "//internal/versions",
        "@io_k8s_apiextensions_apiserver//pkg/apis/apiextensions/v1:apiextensions",
+        "@io_k8s_apimachinery//pkg/api/errors",
+        "@io_k8s_apimachinery//pkg/apis/meta/v1:meta",
+        "@io_k8s_apimachinery//pkg/runtime/schema",
+        "@io_k8s_apimachinery//pkg/types",
+        "@io_k8s_client_go//dynamic",
        "@io_k8s_client_go//tools/clientcmd",
        "@org_golang_google_grpc//:grpc",
    ],
--- a/internal/constellation/apply.go
+++ b/internal/constellation/apply.go
@ -18,6 +18,8 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/license"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/tools/clientcmd"
 )

 // ApplyContext denotes the context in which the apply command is run.
@ -44,6 +46,7 @@ type Applier struct {
 	newDialer     func(validator atls.Validator) *dialer.Dialer
 	kubecmdClient kubecmdClient
 	helmClient    helmApplier
+	dynamicClient dynamic.Interface
 }

 type licenseChecker interface {
@ -79,8 +82,17 @@ func (a *Applier) SetKubeConfig(kubeConfig []byte) error {
 	if err != nil {
 		return err
 	}
+	restConfig, err := clientcmd.RESTConfigFromKubeConfig(kubeConfig)
+	if err != nil {
+		return err
+	}
+	dynamicClient, err := dynamic.NewForConfig(restConfig)
+	if err != nil {
+		return err
+	}
 	a.kubecmdClient = kubecmdClient
 	a.helmClient = helmClient
+	a.dynamicClient = dynamicClient
 	return nil
 }

--- a/internal/constellation/helm.go
+++ b/internal/constellation/helm.go
@ -7,13 +7,59 @@ SPDX-License-Identifier: AGPL-3.0-only
 package constellation

 import (
+	"context"
 	"errors"
+	"fmt"

 	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/constellation/state"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 )

+var patch = []byte(fmt.Sprintf(`{"metadata": {"labels": {%q: %q}, "annotations": {%q: %q, %q: %q}}}`,
+	"app.kubernetes.io/managed-by", "Helm",
+	"meta.helm.sh/release-name", "coredns",
+	"meta.helm.sh/release-namespace", "kube-system"))
+
+var namespacedCoreDNSResources = map[schema.GroupVersionResource]string{
+	{Group: "apps", Version: "v1", Resource: "deployments"}:  "coredns",
+	{Group: "", Version: "v1", Resource: "services"}:         "kube-dns",
+	{Group: "", Version: "v1", Resource: "configmaps"}:       "coredns",
+	{Group: "", Version: "v1", Resource: "serviceaccounts"}:  "coredns",
+	{Group: "apps", Version: "v1", Resource: "statefulsets"}: "foobarbax",
+}
+
+var coreDNSResources = map[schema.GroupVersionResource]string{
+	{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles"}:        "system:coredns",
+	{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterrolebindings"}: "system:coredns",
+}
+
+// AnnotateCoreDNSResources imports existing CoreDNS resources into the Helm release.
+//
+// This is only required when CoreDNS was installed by kubeadm directly.
+// TODO(burgerdev): remove after v2.19 is released.
+func (a *Applier) AnnotateCoreDNSResources(ctx context.Context) error {
+	for gvk, name := range coreDNSResources {
+		_, err := a.dynamicClient.Resource(gvk).Patch(ctx, name, types.StrategicMergePatchType, patch, v1.PatchOptions{})
+		if err != nil && !k8serrors.IsNotFound(err) {
+			return err
+		}
+	}
+
+	for gvk, name := range namespacedCoreDNSResources {
+		_, err := a.dynamicClient.Resource(gvk).Namespace("kube-system").Patch(ctx, name, types.StrategicMergePatchType, patch, v1.PatchOptions{})
+		if err != nil && !k8serrors.IsNotFound(err) {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // PrepareHelmCharts loads Helm charts for Constellation and returns an executor to apply them.
 func (a *Applier) PrepareHelmCharts(
 	flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
--- a/terraform-provider-constellation/internal/provider/cluster_resource.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource.go
@ -1211,6 +1211,11 @@ func (r *ClusterResource) applyHelmCharts(ctx context.Context, applier *constell
 		OpenStackValues:  payload.openStackHelmValues,
 	}

+	if err := applier.AnnotateCoreDNSResources(ctx); err != nil {
+		diags.AddError("Annotating CoreDNS resources", err.Error())
+		return diags
+	}
+
 	executor, _, err := applier.PrepareHelmCharts(options, state,
 		payload.serviceAccURI, payload.masterSecret)
 	var upgradeErr *compatibility.InvalidUpgradeError