Factor various bits out of reconciler

This commit moves various generic bits out of the reconciler into separate modules, while adding more test coverage. Some of the logic around merging chart values from references has been improved to work with `client.Object`, instead of two separate maps. In addition, the option to override the hostname of an Artifact has been removed. It was undocumented and for testing purposes only, which these days can be better achieved by e.g. configuring the `--storage-adv-addr`. Signed-off-by: Hidde Beydals <[email protected]>
fluxcd · May 6, 2022 · 2612d17 · 2612d17
1 parent 6c02bf5
commit 2612d17
Show file tree

Hide file tree

Showing 19 changed files with 1,733 additions and 891 deletions.
diff --git a/controllers/helmrelease_controller.go b/controllers/helmrelease_controller.go
@@ -20,16 +20,13 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/hashicorp/go-retryablehttp"
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chartutil"
 	"helm.sh/helm/v3/pkg/storage/driver"
-	"helm.sh/helm/v3/pkg/strvals"
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -56,11 +53,12 @@ import (
 	"github.com/fluxcd/pkg/runtime/events"
 	"github.com/fluxcd/pkg/runtime/metrics"
 	"github.com/fluxcd/pkg/runtime/predicates"
-	"github.com/fluxcd/pkg/runtime/transform"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
 	v2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	intchartutil "github.com/fluxcd/helm-controller/internal/chartutil"
 	"github.com/fluxcd/helm-controller/internal/kube"
+	"github.com/fluxcd/helm-controller/internal/loader"
 	"github.com/fluxcd/helm-controller/internal/runner"
 	"github.com/fluxcd/helm-controller/internal/util"
 )
@@ -75,15 +73,21 @@ import (
 // HelmReleaseReconciler reconciles a HelmRelease object
 type HelmReleaseReconciler struct {
 	client.Client
-	httpClient            *retryablehttp.Client
-	Config                *rest.Config
-	Scheme                *runtime.Scheme
-	requeueDependency     time.Duration
-	EventRecorder         kuberecorder.EventRecorder
-	MetricsRecorder       *metrics.Recorder
-	DefaultServiceAccount string
-	NoCrossNamespaceRef   bool
-	KubeConfigOpts        fluxClient.KubeConfigOptions
+	httpClient          *retryablehttp.Client
+	Config              *rest.Config
+	Scheme              *runtime.Scheme
+	requeueDependency   time.Duration
+	EventRecorder       kuberecorder.EventRecorder
+	MetricsRecorder     *metrics.Recorder
+	NoCrossNamespaceRef bool
+	KubeConfigOpts      fluxClient.KubeConfigOptions
+}
+
+type HelmReleaseReconcilerOptions struct {
+	MaxConcurrentReconciles   int
+	HTTPRetry                 int
+	DependencyRequeueInterval time.Duration
+	RateLimiter               ratelimiter.RateLimiter
 }
 
 func (r *HelmReleaseReconciler) SetupWithManager(mgr ctrl.Manager, opts HelmReleaseReconcilerOptions) error {
@@ -261,14 +265,14 @@ func (r *HelmReleaseReconciler) reconcile(ctx context.Context, hr v2.HelmRelease
 	}
 
 	// Compose values
-	values, err := r.composeValues(ctx, hr)
+	values, err := intchartutil.ChartValuesFromReferences(ctx, r.Client, hr.Namespace, hr.GetValues(), hr.Spec.ValuesFrom...)
 	if err != nil {
 		r.event(ctx, hr, hr.Status.LastAttemptedRevision, events.EventSeverityError, err.Error())
 		return v2.HelmReleaseNotReady(hr, v2.InitFailedReason, err.Error()), ctrl.Result{Requeue: true}, nil
 	}
 
 	// Load chart from artifact
-	chart, err := r.loadHelmChart(hc)
+	chart, err := loader.SecureLoadChartFromURL(r.httpClient, hc.GetArtifact().URL, hc.GetArtifact().Checksum)
 	if err != nil {
 		r.event(ctx, hr, hr.Status.LastAttemptedRevision, events.EventSeverityError, err.Error())
 		return v2.HelmReleaseNotReady(hr, v2.ArtifactFailedReason, err.Error()), ctrl.Result{Requeue: true}, nil
@@ -283,19 +287,12 @@ func (r *HelmReleaseReconciler) reconcile(ctx context.Context, hr v2.HelmRelease
 	return reconciledHr, ctrl.Result{RequeueAfter: hr.Spec.Interval.Duration}, reconcileErr
 }
 
-type HelmReleaseReconcilerOptions struct {
-	MaxConcurrentReconciles   int
-	HTTPRetry                 int
-	DependencyRequeueInterval time.Duration
-	RateLimiter               ratelimiter.RateLimiter
-}
-
 func (r *HelmReleaseReconciler) reconcileRelease(ctx context.Context,
 	hr v2.HelmRelease, chart *chart.Chart, values chartutil.Values) (v2.HelmRelease, error) {
 	log := ctrl.LoggerFrom(ctx)
 
 	// Initialize Helm action runner
-	getter, err := r.getRESTClientGetter(ctx, hr)
+	getter, err := r.buildRESTClientGetter(ctx, hr)
 	if err != nil {
 		return v2.HelmReleaseNotReady(hr, v2.InitFailedReason, err.Error()), err
 	}
@@ -472,23 +469,11 @@ func (r *HelmReleaseReconciler) checkDependencies(hr v2.HelmRelease) error {
 	return nil
 }
 
-func (r *HelmReleaseReconciler) setImpersonationConfig(restConfig *rest.Config, hr v2.HelmRelease) string {
-	name := r.DefaultServiceAccount
-	if sa := hr.Spec.ServiceAccountName; sa != "" {
-		name = sa
+func (r *HelmReleaseReconciler) buildRESTClientGetter(ctx context.Context, hr v2.HelmRelease) (genericclioptions.RESTClientGetter, error) {
+	var opts []kube.ClientGetterOption
+	if hr.Spec.ServiceAccountName != "" {
+		opts = append(opts, kube.WithImpersonate(hr.Spec.ServiceAccountName))
 	}
-	if name != "" {
-		username := fmt.Sprintf("system:serviceaccount:%s:%s", hr.GetNamespace(), name)
-		restConfig.Impersonate = rest.ImpersonationConfig{UserName: username}
-		return username
-	}
-	return ""
-}
-
-func (r *HelmReleaseReconciler) getRESTClientGetter(ctx context.Context, hr v2.HelmRelease) (genericclioptions.RESTClientGetter, error) {
-	config := *r.Config
-	impersonateAccount := r.setImpersonationConfig(&config, hr)
-
 	if hr.Spec.KubeConfig != nil {
 		secretName := types.NamespacedName{
 			Namespace: hr.GetNamespace(),
@@ -498,147 +483,34 @@ func (r *HelmReleaseReconciler) getRESTClientGetter(ctx context.Context, hr v2.H
 		if err := r.Get(ctx, secretName, &secret); err != nil {
 			return nil, fmt.Errorf("could not find KubeConfig secret '%s': %w", secretName, err)
 		}
-
-		var kubeConfig []byte
-		switch {
-		case hr.Spec.KubeConfig.SecretRef.Key != "":
-			key := hr.Spec.KubeConfig.SecretRef.Key
-			kubeConfig = secret.Data[key]
-			if kubeConfig == nil {
-				return nil, fmt.Errorf("KubeConfig secret '%s' does not contain a '%s' key with a kubeconfig", secretName, key)
-			}
-		case secret.Data["value"] != nil:
-			kubeConfig = secret.Data["value"]
-		case secret.Data["value.yaml"] != nil:
-			kubeConfig = secret.Data["value.yaml"]
-		default:
-			// User did not specify a key, and the 'value' key was not defined.
-			return nil, fmt.Errorf("KubeConfig secret '%s' does not contain a 'value' key with a kubeconfig", secretName)
+		kubeConfig, err := kube.ConfigFromSecret(&secret, hr.Spec.KubeConfig.SecretRef.Key)
+		if err != nil {
+			return nil, err
 		}
-
-		return kube.NewMemoryRESTClientGetter(kubeConfig, hr.GetReleaseNamespace(), impersonateAccount, r.Config.QPS, r.Config.Burst, r.KubeConfigOpts), nil
+		opts = append(opts, kube.WithKubeConfig(kubeConfig, r.Config.QPS, r.Config.Burst, r.KubeConfigOpts))
 	}
-
-	if r.DefaultServiceAccount != "" || hr.Spec.ServiceAccountName != "" {
-		return kube.NewInClusterRESTClientGetter(&config, hr.GetReleaseNamespace()), nil
-	}
-
-	return kube.NewInClusterRESTClientGetter(r.Config, hr.GetReleaseNamespace()), nil
+	return kube.BuildClientGetter(r.Config, hr.GetReleaseNamespace(), opts...), nil
 
 }
 
-// composeValues attempts to resolve all v2beta1.ValuesReference resources
-// and merges them as defined. Referenced resources are only retrieved once
-// to ensure a single version is taken into account during the merge.
-func (r *HelmReleaseReconciler) composeValues(ctx context.Context, hr v2.HelmRelease) (chartutil.Values, error) {
-	result := chartutil.Values{}
-
-	configMaps := make(map[string]*corev1.ConfigMap)
-	secrets := make(map[string]*corev1.Secret)
-
-	for _, v := range hr.Spec.ValuesFrom {
-		namespacedName := types.NamespacedName{Namespace: hr.Namespace, Name: v.Name}
-		var valuesData []byte
-
-		switch v.Kind {
-		case "ConfigMap":
-			resource, ok := configMaps[namespacedName.String()]
-			if !ok {
-				// The resource may not exist, but we want to act on a single version
-				// of the resource in case the values reference is marked as optional.
-				configMaps[namespacedName.String()] = nil
-
-				resource = &corev1.ConfigMap{}
-				if err := r.Get(ctx, namespacedName, resource); err != nil {
-					if apierrors.IsNotFound(err) {
-						if v.Optional {
-							(ctrl.LoggerFrom(ctx)).
-								Info(fmt.Sprintf("could not find optional %s '%s'", v.Kind, namespacedName))
-							continue
-						}
-						return nil, fmt.Errorf("could not find %s '%s'", v.Kind, namespacedName)
-					}
-					return nil, err
-				}
-				configMaps[namespacedName.String()] = resource
-			}
-			if resource == nil {
-				if v.Optional {
-					(ctrl.LoggerFrom(ctx)).Info(fmt.Sprintf("could not find optional %s '%s'", v.Kind, namespacedName))
-					continue
-				}
-				return nil, fmt.Errorf("could not find %s '%s'", v.Kind, namespacedName)
-			}
-			if data, ok := resource.Data[v.GetValuesKey()]; !ok {
-				return nil, fmt.Errorf("missing key '%s' in %s '%s'", v.GetValuesKey(), v.Kind, namespacedName)
-			} else {
-				valuesData = []byte(data)
-			}
-		case "Secret":
-			resource, ok := secrets[namespacedName.String()]
-			if !ok {
-				// The resource may not exist, but we want to act on a single version
-				// of the resource in case the values reference is marked as optional.
-				secrets[namespacedName.String()] = nil
-
-				resource = &corev1.Secret{}
-				if err := r.Get(ctx, namespacedName, resource); err != nil {
-					if apierrors.IsNotFound(err) {
-						if v.Optional {
-							(ctrl.LoggerFrom(ctx)).
-								Info(fmt.Sprintf("could not find optional %s '%s'", v.Kind, namespacedName))
-							continue
-						}
-						return nil, fmt.Errorf("could not find %s '%s'", v.Kind, namespacedName)
-					}
-					return nil, err
-				}
-				secrets[namespacedName.String()] = resource
-			}
-			if resource == nil {
-				if v.Optional {
-					(ctrl.LoggerFrom(ctx)).Info(fmt.Sprintf("could not find optional %s '%s'", v.Kind, namespacedName))
-					continue
-				}
-				return nil, fmt.Errorf("could not find %s '%s'", v.Kind, namespacedName)
-			}
-			if data, ok := resource.Data[v.GetValuesKey()]; !ok {
-				return nil, fmt.Errorf("missing key '%s' in %s '%s'", v.GetValuesKey(), v.Kind, namespacedName)
-			} else {
-				valuesData = data
-			}
-		default:
-			return nil, fmt.Errorf("unsupported ValuesReference kind '%s'", v.Kind)
-		}
-		switch v.TargetPath {
-		case "":
-			values, err := chartutil.ReadValues(valuesData)
-			if err != nil {
-				return nil, fmt.Errorf("unable to read values from key '%s' in %s '%s': %w", v.GetValuesKey(), v.Kind, namespacedName, err)
-			}
-			result = transform.MergeMaps(result, values)
-		default:
-			// TODO(hidde): this is a bit of hack, as it mimics the way the option string is passed
-			// 	to Helm from a CLI perspective. Given the parser is however not publicly accessible
-			// 	while it contains all logic around parsing the target path, it is a fair trade-off.
-			stringValuesData := string(valuesData)
-			const singleQuote = "'"
-			const doubleQuote = "\""
-			var err error
-			if (strings.HasPrefix(stringValuesData, singleQuote) && strings.HasSuffix(stringValuesData, singleQuote)) || (strings.HasPrefix(stringValuesData, doubleQuote) && strings.HasSuffix(stringValuesData, doubleQuote)) {
-				stringValuesData = strings.Trim(stringValuesData, singleQuote+doubleQuote)
-				singleValue := v.TargetPath + "=" + stringValuesData
-				err = strvals.ParseIntoString(singleValue, result)
-			} else {
-				singleValue := v.TargetPath + "=" + stringValuesData
-				err = strvals.ParseInto(singleValue, result)
-			}
-			if err != nil {
-				return nil, fmt.Errorf("unable to merge value from key '%s' in %s '%s' into target path '%s': %w", v.GetValuesKey(), v.Kind, namespacedName, v.TargetPath, err)
-			}
-		}
-	}
-	return transform.MergeMaps(result, hr.GetValues()), nil
+// getHelmChart retrieves the v1beta2.HelmChart for the given
+// v2beta1.HelmRelease using the name that is advertised in the status
+// object. It returns the v1beta2.HelmChart, or an error.
+func (r *HelmReleaseReconciler) getHelmChart(ctx context.Context, hr *v2.HelmRelease) (*sourcev1.HelmChart, error) {
+	namespace, name := hr.Status.GetHelmChart()
+	chartName := types.NamespacedName{Namespace: namespace, Name: name}
+	if r.NoCrossNamespaceRef && chartName.Namespace != hr.Namespace {
+		return nil, acl.AccessDeniedError(fmt.Sprintf("can't access '%s/%s', cross-namespace references have been blocked",
+			hr.Spec.Chart.Spec.SourceRef.Kind, types.NamespacedName{
+				Namespace: hr.Spec.Chart.Spec.SourceRef.Namespace,
+				Name:      hr.Spec.Chart.Spec.SourceRef.Name,
+			}))
+	}
+	hc := sourcev1.HelmChart{}
+	if err := r.Client.Get(ctx, chartName, &hc); err != nil {
+		return nil, err
+	}
+	return &hc, nil
 }
 
 // reconcileDelete deletes the v1beta2.HelmChart of the v2beta1.HelmRelease,
@@ -648,7 +520,7 @@ func (r *HelmReleaseReconciler) reconcileDelete(ctx context.Context, hr v2.HelmR
 
 	// Only uninstall the Helm Release if the resource is not suspended.
 	if !hr.Spec.Suspend {
-		getter, err := r.getRESTClientGetter(ctx, hr)
+		getter, err := r.buildRESTClientGetter(ctx, hr)
 		if err != nil {
 			return ctrl.Result{}, err
 		}