diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index f8e112e29..b618e425a 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -10,7 +10,8 @@ on: permissions: id-token: write # Needed for OIDC-related operations. contents: read # Allows reading the content of the repository. - pull-requests: write # Allows writing pull request comments. + pull-requests: write # Allows writing pull request metadata. + packages: read # Allows reading the published GHCR packages # Default settings for all run commands in the workflow jobs. defaults: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index c7da09ef4..2cf5e7282 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -35,6 +35,7 @@ on: permissions: contents: read id-token: write # This is needed for OIDC federation. + packages: read # Allows reading the published GHCR packages jobs: test: diff --git a/package-lock.json b/package-lock.json index 60162a983..87677195e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,12 +8,12 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.32.6" + "pepr": "0.32.7" }, "devDependencies": { "@jest/globals": "29.7.0", "jest": "29.7.0", - "ts-jest": "29.2.0" + "ts-jest": "29.2.2" }, "engines": { "node": ">=20.0.0" @@ -1851,11 +1851,12 @@ } }, "node_modules/@types/ramda": { - "version": "0.30.0", - "resolved": "https://registry.npmjs.org/@types/ramda/-/ramda-0.30.0.tgz", - "integrity": "sha512-DQtfqUbSB18iM9NHbQ++kVUDuBWHMr6T2FpW1XTiksYRGjq4WnNPZLt712OEHEBJs7aMyJ68Mf2kGMOP1srVVw==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@types/ramda/-/ramda-0.30.1.tgz", + "integrity": "sha512-aoyF/ADPL6N+/NXXfhPWF+Qj6w1Cql59m9wX0Gi15uyF+bpzXeLd63HPdiTDE2bmLXfNcVufsDPKmbfOrOzTBA==", + "license": "MIT", "dependencies": { - "types-ramda": "^0.30.0" + "types-ramda": "^0.30.1" } }, "node_modules/@types/semver": { @@ -2251,6 +2252,13 @@ "node": ">=8" } }, + "node_modules/async": { + "version": "3.2.5", + "resolved": "https://registry.npmjs.org/async/-/async-3.2.5.tgz", + "integrity": "sha512-baNZyqaaLhyLVKm/DlvdW051MSgO6b8eVfIezl9E5PqWxFgzLm/wQntEW4zOytVburDEr0JlALEpdOFwvErLsg==", + "dev": true, + "license": "MIT" + }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", @@ -2982,6 +2990,22 @@ "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" }, + "node_modules/ejs": { + "version": "3.1.10", + "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz", + "integrity": "sha512-UeJmFfOrAQS8OJWPZ4qtgHyWExa088/MtK5UEyoJGFH67cDEXkZSviOiKRCZ4Xij0zxI3JECgYs3oKx+AizQBA==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "jake": "^10.8.5" + }, + "bin": { + "ejs": "bin/cli.js" + }, + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/electron-to-chromium": { "version": "1.4.815", "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.815.tgz", @@ -3491,6 +3515,39 @@ "node": "^10.12.0 || >=12.0.0" } }, + "node_modules/filelist": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/filelist/-/filelist-1.0.4.tgz", + "integrity": "sha512-w1cEuf3S+DrLCQL7ET6kz+gmlJdbq9J7yXCSjK/OZCPA+qEN1WyF4ZAf0YYJa4/shHJra2t/d/r8SV4Ji+x+8Q==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "minimatch": "^5.0.1" + } + }, + "node_modules/filelist/node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "license": "MIT", + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/filelist/node_modules/minimatch": { + "version": "5.1.6", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz", + "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==", + "dev": true, + "license": "ISC", + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/fill-range": { "version": "7.1.1", "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", @@ -4182,6 +4239,25 @@ "@pkgjs/parseargs": "^0.11.0" } }, + "node_modules/jake": { + "version": "10.9.1", + "resolved": "https://registry.npmjs.org/jake/-/jake-10.9.1.tgz", + "integrity": "sha512-61btcOHNnLnsOdtLgA5efqQWjnSi/vow5HbI7HMdKKWqvrKR1bLK3BPlJn9gcSaP2ewuamUSMB5XEy76KUIS2w==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "async": "^3.2.3", + "chalk": "^4.0.2", + "filelist": "^1.0.4", + "minimatch": "^3.1.2" + }, + "bin": { + "jake": "bin/cli.js" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/jest": { "version": "29.7.0", "resolved": "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz", @@ -4866,9 +4942,10 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "2.6.3", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-2.6.3.tgz", - "integrity": "sha512-JgOp2/Y1rNNPAYKek7wq4qL1DcF/3Bf2a39NRUL2QPhnONcrU1f/on1OPMAzz7vZ4zfH2rluMPE/nmxo5l7QAA==", + "version": "2.6.4", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-2.6.4.tgz", + "integrity": "sha512-aR8SQDRD4BZA8kjWHKoMghciTfmoQekLsBz7eQy8yY+BQuHzipYALyCINDCdDCbxUQx4LWtINIifRRBm7m57JA==", + "license": "Apache-2.0", "dependencies": { "@kubernetes/client-node": "1.0.0-rc6", "byline": "5.0.0", @@ -5562,14 +5639,15 @@ } }, "node_modules/pepr": { - "version": "0.32.6", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.32.6.tgz", - "integrity": "sha512-eX3Kb5ZDKpsG0QIEbXGaTrw+awC+TrajWOSRBc+RvoWtEz+I0c+L6VSRGckMSD9rfAVMqDkx3GsF+DuRDgcD6Q==", + "version": "0.32.7", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.32.7.tgz", + "integrity": "sha512-6bm8tx5nxBZ1N4PtH+BzekItIHxeEn21DPut7fWNiGUfFSq6TIe75zKojJ2ERRA1kgeXB3eWucf0K65rKewylg==", + "license": "Apache-2.0", "dependencies": { - "@types/ramda": "0.30.0", + "@types/ramda": "0.30.1", "express": "4.19.2", "fast-json-patch": "3.1.1", - "kubernetes-fluent-client": "2.6.3", + "kubernetes-fluent-client": "2.6.4", "pino": "9.2.0", "pino-pretty": "11.2.1", "prom-client": "15.1.3", @@ -6654,12 +6732,14 @@ } }, "node_modules/ts-jest": { - "version": "29.2.0", - "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.0.tgz", - "integrity": "sha512-eFmkE9MG0+oT6nqSOcUwL+2UUmK2IvhhUV8hFDsCHnc++v2WCCbQQZh5vvjsa8sgOY/g9T0325hmkEmi6rninA==", + "version": "29.2.2", + "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.2.tgz", + "integrity": "sha512-sSW7OooaKT34AAngP6k1VS669a0HdLxkQZnlC7T76sckGCokXFnvJ3yRlQZGRTAoV5K19HfSgCiSwWOSIfcYlg==", "dev": true, + "license": "MIT", "dependencies": { "bs-logger": "0.x", + "ejs": "^3.0.0", "fast-json-stable-stringify": "2.x", "jest-util": "^29.0.0", "json5": "^2.2.3", diff --git a/package.json b/package.json index 1b7e6beaf..01058fdb8 100644 --- a/package.json +++ b/package.json @@ -36,12 +36,12 @@ "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.32.6" + "pepr": "0.32.7" }, "devDependencies": { "@jest/globals": "29.7.0", "jest": "29.7.0", - "ts-jest": "29.2.0" + "ts-jest": "29.2.2" }, "jest": { "preset": "ts-jest", diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index bc614aa15..7107afc13 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -14,7 +14,7 @@ components: localPath: ../chart - name: grafana url: https://grafana.github.io/helm-charts/ - version: 8.3.2 + version: 8.3.5 namespace: grafana valuesFiles: - ../values/values.yaml diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml index b32d33a08..c3a08b3ad 100644 --- a/src/grafana/values/registry1-values.yaml +++ b/src/grafana/values/registry1-values.yaml @@ -18,4 +18,4 @@ sidecar: image: registry: registry1.dso.mil repository: ironbank/kiwigrid/k8s-sidecar - tag: 1.27.4 + tag: 1.27.5 diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index 517e3e2a8..f0c8ee4fa 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -18,4 +18,4 @@ sidecar: image: registry: cgr.dev repository: du-uds-defenseunicorns/k8s-sidecar-fips - tag: 1.27.4 + tag: 1.27.5 diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index d711cae7b..171e51bcb 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -3,7 +3,7 @@ sidecar: # -- The Docker registry registry: ghcr.io repository: kiwigrid/k8s-sidecar - tag: 1.27.4 + tag: 1.27.5 image: registry: docker.io diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index b68fd6c43..0e96b2685 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -24,7 +24,7 @@ components: - docker.io/grafana/grafana:11.1.0 - docker.io/curlimages/curl:8.8.0 - docker.io/library/busybox:1.36.1 - - ghcr.io/kiwigrid/k8s-sidecar:1.27.4 + - ghcr.io/kiwigrid/k8s-sidecar:1.27.5 - name: grafana required: true @@ -39,7 +39,7 @@ components: images: - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.1.0 - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 - - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.4 + - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.5 - name: grafana required: true @@ -55,4 +55,4 @@ components: - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.1.0 - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1 - cgr.dev/du-uds-defenseunicorns/curl-fips:8.8.0 - - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4 + - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.5 diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index da2042370..ddc17d264 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -4,7 +4,7 @@ import { UDSConfig } from "../../../config"; import { Component, setupLogger } from "../../../logger"; import { Store } from "../../common"; import { Sso, UDSPackage } from "../../crd"; -import { getOwnerRef } from "../utils"; +import { getOwnerRef, purgeOrphans } from "../utils"; import { Client } from "./types"; let apiURL = @@ -47,6 +47,7 @@ export async function keycloak(pkg: UDSPackage) { // Get the list of clients from the package const clientReqs = pkg.spec?.sso || []; const clients: Map = new Map(); + const generation = (pkg.metadata?.generation ?? 0).toString(); for (const clientReq of clientReqs) { const client = await syncClient(clientReq, pkg); @@ -54,6 +55,12 @@ export async function keycloak(pkg: UDSPackage) { } await purgeSSOClients(pkg, [...clients.keys()]); + // Purge orphaned SSO secrets + try { + await purgeOrphans(generation, pkg.metadata!.namespace!, pkg.metadata!.name!, kind.Secret, log); + } catch (e) { + log.error(e, `Failed to purge orphaned SSO secrets in for ${pkg.metadata!.name!}: ${e}`); + } return clients; } @@ -151,6 +158,7 @@ async function syncClient( } // Create or update the client secret + const generation = (pkg.metadata?.generation ?? 0).toString(); await K8s(kind.Secret).Apply({ metadata: { namespace: pkg.metadata!.namespace, @@ -158,6 +166,7 @@ async function syncClient( name: secretName || name, labels: { "uds/package": pkg.metadata!.name, + "uds/generation": generation, }, // Use the CR as the owner ref for each VirtualService diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index b9c6d0ca3..7bfd9e4cf 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts @@ -41,6 +41,17 @@ export function getOwnerRef(cr: GenericKind): V1OwnerReference[] { ]; } +/** + * Purges orphaned Kubernetes resources of a specified kind within a namespace that do not match the provided generation. + * + * @template T + * @param {string} generation - The generation label to retain. + * @param {string} namespace - The namespace to search for resources. + * @param {string} pkgName - The package name label to filter resources. + * @param {T} kind - The Kubernetes resource kind to purge. + * @param {Logger} log - Logger instance for logging debug messages. + * @returns {Promise} - A promise that resolves when the operation is complete. + */ export async function purgeOrphans( generation: string, namespace: string, diff --git a/tasks/create.yaml b/tasks/create.yaml index 93e8f198a..c027a0224 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,5 +1,5 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.7.1/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.8.0/tasks/create.yaml variables: - name: FLAVOR @@ -7,7 +7,7 @@ variables: - name: REGISTRY1_PEPR_IMAGE # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver - default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.32.6 + default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.32.7 tasks: - name: standard-package