/* Copyright 2020 The Flux CD contributors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package controllers import ( "context" "fmt" "io/ioutil" "os" "github.com/blang/semver" "github.com/go-git/go-git/v5" "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/object" "github.com/go-git/go-git/v5/plumbing/transport" "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller" sourcev1 "github.com/fluxcd/source-controller/api/v1alpha1" intgit "github.com/fluxcd/source-controller/internal/git" ) // GitRepositoryReconciler reconciles a GitRepository object type GitRepositoryReconciler struct { client.Client Log logr.Logger Scheme *runtime.Scheme Storage *Storage } // +kubebuilder:rbac:groups=source.fluxcd.io,resources=gitrepositories,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=source.fluxcd.io,resources=gitrepositories/status,verbs=get;update;patch func (r *GitRepositoryReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { ctx := context.Background() var repo sourcev1.GitRepository if err := r.Get(ctx, req.NamespacedName, &repo); err != nil { return ctrl.Result{}, client.IgnoreNotFound(err) } log := r.Log.WithValues(repo.Kind, req.NamespacedName) // set initial status if reset, status := r.shouldResetStatus(repo); reset { log.Info("Initializing Git repository") repo.Status = status if err := r.Status().Update(ctx, &repo); err != nil { log.Error(err, "unable to update GitRepository status") return ctrl.Result{Requeue: true}, err } } else { repo = sourcev1.GitRepositoryProgressing(repo) if err := r.Status().Update(ctx, &repo); err != nil { log.Error(err, "unable to update GitRepository status") return ctrl.Result{Requeue: true}, err } } // try to remove old artifacts if err := r.gc(repo); err != nil { log.Error(err, "artifacts GC failed") } // try git sync syncedRepo, err := r.sync(ctx, *repo.DeepCopy()) if err != nil { log.Error(err, "Git repository sync failed") if err := r.Status().Update(ctx, &syncedRepo); err != nil { log.Error(err, "unable to update GitRepository status") } return ctrl.Result{Requeue: true}, err } // update status if err := r.Status().Update(ctx, &syncedRepo); err != nil { log.Error(err, "unable to update GitRepository status") return ctrl.Result{Requeue: true}, err } log.Info("Git repository sync succeeded", "msg", sourcev1.GitRepositoryReadyMessage(syncedRepo)) // requeue repository return ctrl.Result{RequeueAfter: repo.GetInterval().Duration}, nil } type GitRepositoryReconcilerOptions struct { MaxConcurrentReconciles int } func (r *GitRepositoryReconciler) SetupWithManager(mgr ctrl.Manager) error { return r.SetupWithManagerAndOptions(mgr, GitRepositoryReconcilerOptions{}) } func (r *GitRepositoryReconciler) SetupWithManagerAndOptions(mgr ctrl.Manager, opts GitRepositoryReconcilerOptions) error { return ctrl.NewControllerManagedBy(mgr). For(&sourcev1.GitRepository{}). WithEventFilter(SourceChangePredicate{}). WithEventFilter(GarbageCollectPredicate{Scheme: r.Scheme, Log: r.Log, Storage: r.Storage}). WithOptions(controller.Options{MaxConcurrentReconciles: opts.MaxConcurrentReconciles}). Complete(r) } func (r *GitRepositoryReconciler) sync(ctx context.Context, repository sourcev1.GitRepository) (sourcev1.GitRepository, error) { // set defaults: master branch, no tags fetching, max two commits branch := "master" revision := "" tagMode := git.NoTags depth := 2 // determine ref refName := plumbing.NewBranchReferenceName(branch) if repository.Spec.Reference != nil { if repository.Spec.Reference.Branch != "" { branch = repository.Spec.Reference.Branch refName = plumbing.NewBranchReferenceName(branch) } if repository.Spec.Reference.Commit != "" { depth = 0 } else { if repository.Spec.Reference.Tag != "" { refName = plumbing.NewTagReferenceName(repository.Spec.Reference.Tag) } if repository.Spec.Reference.SemVer != "" { tagMode = git.AllTags } } } // determine auth method strategy := intgit.AuthSecretStrategyForURL(repository.Spec.URL) var auth transport.AuthMethod if repository.Spec.SecretRef != nil { name := types.NamespacedName{ Namespace: repository.GetNamespace(), Name: repository.Spec.SecretRef.Name, } var secret corev1.Secret err := r.Client.Get(ctx, name, &secret) if err != nil { err = fmt.Errorf("auth secret error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err } auth, err = strategy.Method(secret) if err != nil { err = fmt.Errorf("auth error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err } } // create tmp dir for the Git clone tmpGit, err := ioutil.TempDir("", repository.Name) if err != nil { err = fmt.Errorf("tmp dir error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.StorageOperationFailedReason, err.Error()), err } defer os.RemoveAll(tmpGit) // clone to tmp gitCtx, cancel := context.WithTimeout(ctx, repository.GetTimeout()) repo, err := git.PlainCloneContext(gitCtx, tmpGit, false, &git.CloneOptions{ URL: repository.Spec.URL, Auth: auth, RemoteName: "origin", ReferenceName: refName, SingleBranch: true, NoCheckout: false, Depth: depth, RecurseSubmodules: 0, Progress: nil, Tags: tagMode, }) cancel() if err != nil { err = fmt.Errorf("git clone error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } // checkout commit or tag if repository.Spec.Reference != nil { if commit := repository.Spec.Reference.Commit; commit != "" { w, err := repo.Worktree() if err != nil { err = fmt.Errorf("git worktree error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } err = w.Checkout(&git.CheckoutOptions{ Hash: plumbing.NewHash(commit), Force: true, }) if err != nil { err = fmt.Errorf("git checkout '%s' for '%s' error: %w", commit, branch, err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } } else if exp := repository.Spec.Reference.SemVer; exp != "" { rng, err := semver.ParseRange(exp) if err != nil { err = fmt.Errorf("semver parse range error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } repoTags, err := repo.Tags() if err != nil { err = fmt.Errorf("git list tags error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } tags := make(map[string]string) _ = repoTags.ForEach(func(t *plumbing.Reference) error { tags[t.Name().Short()] = t.Strings()[1] return nil }) svTags := make(map[string]string) var svers []semver.Version for tag, _ := range tags { v, _ := semver.ParseTolerant(tag) if rng(v) { svers = append(svers, v) svTags[v.String()] = tag } } if len(svers) > 0 { semver.Sort(svers) v := svers[len(svers)-1] t := svTags[v.String()] commit := tags[t] revision = fmt.Sprintf("%s/%s", t, commit) w, err := repo.Worktree() if err != nil { err = fmt.Errorf("git worktree error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } err = w.Checkout(&git.CheckoutOptions{ Hash: plumbing.NewHash(commit), }) if err != nil { err = fmt.Errorf("git checkout error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } } else { err = fmt.Errorf("no match found for semver: %s", repository.Spec.Reference.SemVer) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } } } // read commit hash ref, err := repo.Head() if err != nil { err = fmt.Errorf("git resolve HEAD error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } commit, err := repo.CommitObject(ref.Hash()) if err != nil { err = fmt.Errorf("git resolve HEAD error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err } // verify PGP signature if repository.Spec.Verification != nil { err := r.verify(ctx, types.NamespacedName{ Namespace: repository.Namespace, Name: repository.Spec.Verification.SecretRef.Name, }, commit) if err != nil { return sourcev1.GitRepositoryNotReady(repository, sourcev1.VerificationFailedReason, err.Error()), err } } if revision == "" { revision = fmt.Sprintf("%s/%s", branch, ref.Hash().String()) if repository.Spec.Reference != nil && repository.Spec.Reference.Tag != "" { revision = fmt.Sprintf("%s/%s", repository.Spec.Reference.Tag, ref.Hash().String()) } } artifact := r.Storage.ArtifactFor(repository.Kind, repository.ObjectMeta.GetObjectMeta(), fmt.Sprintf("%s.tar.gz", ref.Hash().String()), revision) // create artifact dir err = r.Storage.MkdirAll(artifact) if err != nil { err = fmt.Errorf("mkdir dir error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.StorageOperationFailedReason, err.Error()), err } // acquire lock unlock, err := r.Storage.Lock(artifact) if err != nil { err = fmt.Errorf("unable to acquire lock: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.StorageOperationFailedReason, err.Error()), err } defer unlock() // archive artifact and check integrity err = r.Storage.Archive(artifact, tmpGit, "", true) if err != nil { err = fmt.Errorf("storage archive error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.StorageOperationFailedReason, err.Error()), err } // update latest symlink url, err := r.Storage.Symlink(artifact, "latest.tar.gz") if err != nil { err = fmt.Errorf("storage lock error: %w", err) return sourcev1.GitRepositoryNotReady(repository, sourcev1.StorageOperationFailedReason, err.Error()), err } message := fmt.Sprintf("Fetched revision: %s", artifact.Revision) return sourcev1.GitRepositoryReady(repository, artifact, url, sourcev1.GitOperationSucceedReason, message), nil } // shouldResetStatus returns a boolean indicating if the status of the // given repository should be reset and a reset HelmChartStatus. func (r *GitRepositoryReconciler) shouldResetStatus(repository sourcev1.GitRepository) (bool, sourcev1.GitRepositoryStatus) { resetStatus := false if repository.Status.Artifact != nil { if !r.Storage.ArtifactExist(*repository.Status.Artifact) { resetStatus = true } } if len(repository.Status.Conditions) == 0 || resetStatus { resetStatus = true } return resetStatus, sourcev1.GitRepositoryStatus{ Conditions: []sourcev1.SourceCondition{ { Type: sourcev1.ReadyCondition, Status: corev1.ConditionUnknown, Reason: sourcev1.InitializingReason, LastTransitionTime: metav1.Now(), }, }, } } func (r *GitRepositoryReconciler) verify(ctx context.Context, publicKeySecret types.NamespacedName, commit *object.Commit) error { if commit.PGPSignature == "" { return fmt.Errorf("no PGP signature found for commit: %s", commit.Hash) } var secret corev1.Secret if err := r.Client.Get(ctx, publicKeySecret, &secret); err != nil { return fmt.Errorf("PGP public keys secret error: %w", err) } var verified bool for _, bytes := range secret.Data { if _, err := commit.Verify(string(bytes)); err == nil { verified = true break } } if !verified { return fmt.Errorf("PGP signature '%s' of '%s' can't be verified", commit.PGPSignature, commit.Author) } return nil } // gc performs a garbage collection on all but current artifacts of // the given repository. func (r *GitRepositoryReconciler) gc(repository sourcev1.GitRepository) error { if repository.Status.Artifact != nil { return r.Storage.RemoveAllButCurrent(*repository.Status.Artifact) } return nil }