merge main into feature branch 458_lula-integration-istio

defenseunicorns · Jul 18, 2024 · b99457f · b99457f
2 parents ce87762 + 5a6b9ef
commit b99457f
Show file tree

Hide file tree

Showing 12 changed files with 132 additions and 30 deletions.
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml
@@ -10,7 +10,8 @@ on:
 permissions:
   id-token: write # Needed for OIDC-related operations.
   contents: read # Allows reading the content of the repository.
-  pull-requests: write # Allows writing pull request comments.
+  pull-requests: write # Allows writing pull request metadata.
+  packages: read # Allows reading the published GHCR packages
 
 # Default settings for all run commands in the workflow jobs.
 defaults:

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -35,6 +35,7 @@ on:
 permissions:
   contents: read
   id-token: write  # This is needed for OIDC federation.
+  packages: read # Allows reading the published GHCR packages
 
 jobs:
   test:

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -36,12 +36,12 @@
     "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'"
   },
   "dependencies": {
-    "pepr": "0.32.6"
+    "pepr": "0.32.7"
   },
   "devDependencies": {
     "@jest/globals": "29.7.0",
     "jest": "29.7.0",
-    "ts-jest": "29.2.0"
+    "ts-jest": "29.2.2"
   },
   "jest": {
     "preset": "ts-jest",

diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml
@@ -14,7 +14,7 @@ components:
         localPath: ../chart
       - name: grafana
         url: https://grafana.github.io/helm-charts/
-        version: 8.3.2
+        version: 8.3.5
         namespace: grafana
         valuesFiles:
           - ../values/values.yaml

diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml
@@ -18,4 +18,4 @@ sidecar:
   image:
     registry: registry1.dso.mil
     repository: ironbank/kiwigrid/k8s-sidecar
-    tag: 1.27.4
+    tag: 1.27.5
diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml
@@ -18,4 +18,4 @@ sidecar:
   image:
     registry: cgr.dev
     repository: du-uds-defenseunicorns/k8s-sidecar-fips
-    tag: 1.27.4
+    tag: 1.27.5
diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml
@@ -3,7 +3,7 @@ sidecar:
     # -- The Docker registry
     registry: ghcr.io
     repository: kiwigrid/k8s-sidecar
-    tag: 1.27.4
+    tag: 1.27.5
 
 image:
   registry: docker.io

diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml
@@ -24,7 +24,7 @@ components:
       - docker.io/grafana/grafana:11.1.0
       - docker.io/curlimages/curl:8.8.0
       - docker.io/library/busybox:1.36.1
-      - ghcr.io/kiwigrid/k8s-sidecar:1.27.4
+      - ghcr.io/kiwigrid/k8s-sidecar:1.27.5
 
   - name: grafana
     required: true
@@ -39,7 +39,7 @@ components:
     images:
       - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.1.0
       - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4
-      - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.4
+      - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.5
 
   - name: grafana
     required: true
@@ -55,4 +55,4 @@ components:
       - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.1.0
       - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1
       - cgr.dev/du-uds-defenseunicorns/curl-fips:8.8.0
-      - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4
+      - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.5
diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts
@@ -4,7 +4,7 @@ import { UDSConfig } from "../../../config";
 import { Component, setupLogger } from "../../../logger";
 import { Store } from "../../common";
 import { Sso, UDSPackage } from "../../crd";
-import { getOwnerRef } from "../utils";
+import { getOwnerRef, purgeOrphans } from "../utils";
 import { Client } from "./types";
 
 let apiURL =
@@ -47,13 +47,20 @@ export async function keycloak(pkg: UDSPackage) {
   // Get the list of clients from the package
   const clientReqs = pkg.spec?.sso || [];
   const clients: Map<string, Client> = new Map();
+  const generation = (pkg.metadata?.generation ?? 0).toString();
 
   for (const clientReq of clientReqs) {
     const client = await syncClient(clientReq, pkg);
     clients.set(client.clientId, client);
   }
 
   await purgeSSOClients(pkg, [...clients.keys()]);
+  // Purge orphaned SSO secrets
+  try {
+    await purgeOrphans(generation, pkg.metadata!.namespace!, pkg.metadata!.name!, kind.Secret, log);
+  } catch (e) {
+    log.error(e, `Failed to purge orphaned SSO secrets in for ${pkg.metadata!.name!}: ${e}`);
+  }
 
   return clients;
 }
@@ -151,13 +158,15 @@ async function syncClient(
   }
 
   // Create or update the client secret
+  const generation = (pkg.metadata?.generation ?? 0).toString();
   await K8s(kind.Secret).Apply({
     metadata: {
       namespace: pkg.metadata!.namespace,
       // Use the CR secret name if provided, otherwise use the client name
       name: secretName || name,
       labels: {
         "uds/package": pkg.metadata!.name,
+        "uds/generation": generation,
       },
 
       // Use the CR as the owner ref for each VirtualService

diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts
@@ -41,6 +41,17 @@ export function getOwnerRef(cr: GenericKind): V1OwnerReference[] {
   ];
 }
 
+/**
+ * Purges orphaned Kubernetes resources of a specified kind within a namespace that do not match the provided generation.
+ *
+ * @template T
+ * @param {string} generation - The generation label to retain.
+ * @param {string} namespace - The namespace to search for resources.
+ * @param {string} pkgName - The package name label to filter resources.
+ * @param {T} kind - The Kubernetes resource kind to purge.
+ * @param {Logger} log - Logger instance for logging debug messages.
+ * @returns {Promise<void>} - A promise that resolves when the operation is complete.
+ */
 export async function purgeOrphans<T extends GenericClass>(
   generation: string,
   namespace: string,

diff --git a/tasks/create.yaml b/tasks/create.yaml
@@ -1,13 +1,13 @@
 includes:
-  - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.7.1/tasks/create.yaml
+  - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.8.0/tasks/create.yaml
 
 variables:
   - name: FLAVOR
     default: upstream
 
   - name: REGISTRY1_PEPR_IMAGE
     # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver
-    default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.32.6
+    default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.32.7
 
 tasks:
   - name: standard-package