resolve secret references in targets in deployer lib (gardener#629)

* add resolver interface and secret resolver implementation * change deployer definition to use resolved targets instead * refactor target types into own package * fix kubeconfig loading for helm and manifest deployers * add check for different namespace * make target available in container * fix tests * fix kubeconfig decoding * fix integration tests * increase timeouts for integration tests (run-int-tests) * fix target mount in container deployer * move ResolvedTarget definition to apis and make Target.Spec.Configuration a pointer (run-int-tests) * add documentation for container deployitems and targets * validate targets * use LocalSecretReference instead of SecretReference for Targets * fix nil pointer * rebase fix * fix webhook integration test (run-int-tests) * copy target to shared volume instead of mounting * add integration tests for target propagation in container deployitems * improve docs
enrico-kaack-comp · Nov 14, 2022 · 49fa8d3 · 49fa8d3
1 parent 599edb2
commit 49fa8d3
Show file tree

Hide file tree

Showing 81 changed files with 1,901 additions and 951 deletions.
diff --git a/.ci/int-test-helper/install-landscaper b/.ci/int-test-helper/install-landscaper
@@ -32,8 +32,8 @@ landscaper:
     - manifest
     - mock
     deployItemTimeouts:
-      pickup: 10s
-      abort: 10s
+      pickup: 30s
+      abort: 30s
 " > $TMP/values.yaml
 
 touch $TMP/registry-values.yaml

diff --git a/apis/core/types_shared.go b/apis/core/types_shared.go
@@ -85,6 +85,12 @@ func NewAnyJSON(data []byte) AnyJSON {
 	}
 }
 
+// NewAnyJSONPointer returns a pointer to a new any json object.
+func NewAnyJSONPointer(data []byte) *AnyJSON {
+	tmp := NewAnyJSON(data)
+	return &tmp
+}
+
 // MarshalJSON implements the json marshaling for a JSON
 func (s AnyJSON) MarshalJSON() ([]byte, error) {
 	return s.RawMessage.MarshalJSON()

diff --git a/apis/core/types_target.go b/apis/core/types_target.go
@@ -41,12 +41,12 @@ type TargetSpec struct {
 	// Configuration contains the target type specific configuration.
 	// Exactly one of the fields Configuration and SecretRef must be set
 	// +optional
-	Configuration AnyJSON `json:"config,omitempty"`
+	Configuration *AnyJSON `json:"config,omitempty"`
 
 	// Reference to a secret containing the target type specific configuration.
 	// Exactly one of the fields Configuration and SecretRef must be set
 	// +optional
-	SecretRef *SecretReference `json:"secretRef,omitempty"`
+	SecretRef *LocalSecretReference `json:"secretRef,omitempty"`
 }
 
 // TargetTemplate exposes specific parts of a target that are used in the exports
@@ -68,3 +68,14 @@ type TargetTemplate struct {
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
+
+// ResolvedTarget is a helper struct to store a target together with the content of its resolved secret reference.
+type ResolvedTarget struct {
+	// Target contains the original target.
+	*Target `json:"target"`
+
+	// Content contains the content of the target.
+	// If the target has a secret reference, this field should be filled by a TargetResolver.
+	// Otherwise, the inline configuration of the target is put here.
+	Content string `json:"content"`
+}
diff --git a/apis/core/v1alpha1/targettypes/kubernetes_cluster.go b/apis/core/v1alpha1/targettypes/kubernetes_cluster.go
@@ -0,0 +1,94 @@
+// SPDX-FileCopyrightText: 2022 SAP SE or an SAP affiliate company and Gardener contributors.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package targettypes
+
+import (
+	"encoding/json"
+
+	"k8s.io/utils/pointer"
+
+	"github.com/gardener/landscaper/apis/core"
+	"github.com/gardener/landscaper/apis/core/v1alpha1"
+)
+
+// KubernetesClusterTargetType defines the landscaper kubernetes cluster target.
+const KubernetesClusterTargetType v1alpha1.TargetType = core.GroupName + "/kubernetes-cluster"
+
+// KubernetesClusterTargetConfig defines the landscaper kubernetes cluster target config.
+type KubernetesClusterTargetConfig struct {
+	// Kubeconfig defines kubeconfig as string.
+	Kubeconfig ValueRef `json:"kubeconfig"`
+}
+
+// DefaultKubeconfigKey is the default that is used to hold a kubeconfig.
+const DefaultKubeconfigKey = "kubeconfig"
+
+// ValueRef holds a value that can be either defined by string or by a secret ref.
+type ValueRef struct {
+	StrVal *string `json:"-"`
+
+	// deprecated
+	SecretRef *v1alpha1.SecretReference `json:"secretRef,omitempty"`
+}
+
+// kubeconfigJSON is a helper struct for decoding.
+type kubeconfigJSON struct {
+	Kubeconfig *ValueRef `json:"kubeconfig"`
+}
+
+// valueRefJSON is a helper struct to decode json into a secret ref object.
+type valueRefJSON struct {
+	SecretRef *v1alpha1.SecretReference `json:"secretRef,omitempty"`
+}
+
+// MarshalJSON implements the json marshaling for a JSON
+func (v ValueRef) MarshalJSON() ([]byte, error) {
+	if v.StrVal != nil {
+		return json.Marshal(v.StrVal)
+	}
+	ref := valueRefJSON{
+		SecretRef: v.SecretRef,
+	}
+	return json.Marshal(ref)
+}
+
+// UnmarshalJSON implements json unmarshaling for a JSON
+func (v *ValueRef) UnmarshalJSON(data []byte) error {
+	ref := &valueRefJSON{}
+	err := json.Unmarshal(data, ref)
+	if err == nil && ref.SecretRef != nil {
+		// parsing into secret reference was successful
+		v.SecretRef = ref.SecretRef
+		return nil
+	}
+	// parse into string instead
+	var strVal string
+	err = json.Unmarshal(data, &strVal)
+	if err == nil {
+		v.StrVal = &strVal
+		return nil
+	}
+	v.StrVal = pointer.String(string(data))
+	return nil
+}
+
+func (kc *KubernetesClusterTargetConfig) UnmarshalJSON(data []byte) error {
+	kj := &kubeconfigJSON{}
+	err := json.Unmarshal(data, kj)
+	if err == nil && kj.Kubeconfig != nil {
+		// parsing was successful
+		kc.Kubeconfig = *kj.Kubeconfig
+		return nil
+	}
+	return kc.Kubeconfig.UnmarshalJSON(data)
+}
+
+func (v ValueRef) OpenAPISchemaType() []string {
+	return []string{
+		"object",
+		"string",
+	}
+}
+func (v ValueRef) OpenAPISchemaFormat() string { return "" }
diff --git a/apis/core/v1alpha1/types_shared.go b/apis/core/v1alpha1/types_shared.go
@@ -87,6 +87,12 @@ func NewAnyJSON(data []byte) AnyJSON {
 	}
 }
 
+// NewAnyJSONPointer returns a pointer to a new any json object.
+func NewAnyJSONPointer(data []byte) *AnyJSON {
+	tmp := NewAnyJSON(data)
+	return &tmp
+}
+
 // MarshalJSON implements the json marshaling for a JSON
 func (s AnyJSON) MarshalJSON() ([]byte, error) {
 	return s.RawMessage.MarshalJSON()

diff --git a/apis/core/v1alpha1/types_target.go b/apis/core/v1alpha1/types_target.go
@@ -5,13 +5,9 @@
 package v1alpha1
 
 import (
-	"encoding/json"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	lsschema "github.com/gardener/landscaper/apis/schema"
-
-	"github.com/gardener/landscaper/apis/core"
 )
 
 // TargetType defines the type of the target.
@@ -86,12 +82,12 @@ type TargetSpec struct {
 	// Configuration contains the target type specific configuration.
 	// Exactly one of the fields Configuration and SecretRef must be set
 	// +optional
-	Configuration AnyJSON `json:"config,omitempty"`
+	Configuration *AnyJSON `json:"config,omitempty"`
 
 	// Reference to a secret containing the target type specific configuration.
 	// Exactly one of the fields Configuration and SecretRef must be set
 	// +optional
-	SecretRef *SecretReference `json:"secretRef,omitempty"`
+	SecretRef *LocalSecretReference `json:"secretRef,omitempty"`
 }
 
 // TargetTemplate exposes specific parts of a target that are used in the exports
@@ -114,69 +110,13 @@ type TargetTemplate struct {
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
-//////////////////////////////
-//     Target Types         //
-//////////////////////////////
-// todo: refactor to own package
-
-// KubernetesClusterTargetType defines the landscaper kubernetes cluster target.
-const KubernetesClusterTargetType TargetType = core.GroupName + "/kubernetes-cluster"
-
-// KubernetesClusterTargetConfig defines the landscaper kubernetes cluster target config.
-type KubernetesClusterTargetConfig struct {
-	// Kubeconfig defines kubeconfig as string.
-	Kubeconfig ValueRef `json:"kubeconfig"`
-}
-
-// DefaultKubeconfigKey is the default that is used to hold a kubeconfig.
-const DefaultKubeconfigKey = "kubeconfig"
-
-// ValueRef holds a value that can be either defined by string or by a secret ref.
-type ValueRef struct {
-	StrVal *string `json:"-"`
-
-	// deprecated
-	SecretRef *SecretReference `json:"secretRef,omitempty"`
-}
-
-// valueRefJSON is a helper struct to decode json into a secret ref object.
-type valueRefJSON struct {
-	SecretRef *SecretReference `json:"secretRef,omitempty"`
-}
-
-// MarshalJSON implements the json marshaling for a JSON
-func (v ValueRef) MarshalJSON() ([]byte, error) {
-	if v.StrVal != nil {
-		return json.Marshal(v.StrVal)
-	}
-	ref := valueRefJSON{
-		SecretRef: v.SecretRef,
-	}
-	return json.Marshal(ref)
-}
-
-// UnmarshalJSON implements json unmarshaling for a JSON
-func (v *ValueRef) UnmarshalJSON(data []byte) error {
-	if data[0] == '"' {
-		var strVal string
-		if err := json.Unmarshal(data, &strVal); err != nil {
-			return err
-		}
-		v.StrVal = &strVal
-		return nil
-	}
-	ref := &valueRefJSON{}
-	if err := json.Unmarshal(data, ref); err != nil {
-		return err
-	}
-	v.SecretRef = ref.SecretRef
-	return nil
-}
+// ResolvedTarget is a helper struct to store a target together with the content of its resolved secret reference.
+type ResolvedTarget struct {
+	// Target contains the original target.
+	*Target `json:"target"`
 
-func (v ValueRef) OpenAPISchemaType() []string {
-	return []string{
-		"object",
-		"string",
-	}
+	// Content contains the content of the target.
+	// If the target has a secret reference, this field should be filled by a TargetResolver.
+	// Otherwise, the inline configuration of the target is put here.
+	Content string `json:"content"`
 }
-func (v ValueRef) OpenAPISchemaFormat() string { return "" }
diff --git a/apis/core/v1alpha1/zz_generated.conversion.go b/apis/core/v1alpha1/zz_generated.conversion.go