411 lines
12 KiB
Go
411 lines
12 KiB
Go
/*
|
|
Copyright 2020 The Flux CD contributors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package controllers
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/blang/semver"
|
|
"github.com/go-git/go-git/v5"
|
|
"github.com/go-git/go-git/v5/plumbing"
|
|
"github.com/go-git/go-git/v5/plumbing/transport"
|
|
"github.com/go-git/go-git/v5/plumbing/transport/http"
|
|
"github.com/go-git/go-git/v5/plumbing/transport/ssh"
|
|
"github.com/go-logr/logr"
|
|
corev1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
ctrl "sigs.k8s.io/controller-runtime"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
"sigs.k8s.io/controller-runtime/pkg/event"
|
|
"sigs.k8s.io/controller-runtime/pkg/predicate"
|
|
|
|
sourcev1 "github.com/fluxcd/source-controller/api/v1alpha1"
|
|
)
|
|
|
|
// GitRepositoryReconciler reconciles a GitRepository object
|
|
type GitRepositoryReconciler struct {
|
|
client.Client
|
|
Log logr.Logger
|
|
Scheme *runtime.Scheme
|
|
Storage *Storage
|
|
Kind string
|
|
}
|
|
|
|
// +kubebuilder:rbac:groups=source.fluxcd.io,resources=gitrepositories,verbs=get;list;watch;create;update;patch;delete
|
|
// +kubebuilder:rbac:groups=source.fluxcd.io,resources=gitrepositories/status,verbs=get;update;patch
|
|
|
|
func (r *GitRepositoryReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
|
|
defer cancel()
|
|
|
|
log := r.Log.WithValues(r.Kind, req.NamespacedName)
|
|
|
|
var repo sourcev1.GitRepository
|
|
if err := r.Get(ctx, req.NamespacedName, &repo); err != nil {
|
|
return ctrl.Result{}, client.IgnoreNotFound(err)
|
|
}
|
|
|
|
result := ctrl.Result{RequeueAfter: repo.Spec.Interval.Duration}
|
|
|
|
// set initial status
|
|
if reset, status := r.shouldResetStatus(repo); reset {
|
|
log.Info("Initializing repository")
|
|
repo.Status = status
|
|
if err := r.Status().Update(ctx, &repo); err != nil {
|
|
log.Error(err, "unable to update GitRepository status")
|
|
return result, err
|
|
}
|
|
}
|
|
|
|
// try to remove old artifacts
|
|
r.gc(repo)
|
|
|
|
// try git clone
|
|
readyCondition, artifacts, err := r.sync(repo)
|
|
if err != nil {
|
|
log.Info("Repository sync failed", "error", err.Error())
|
|
} else {
|
|
// update artifacts if commit hash changed
|
|
if repo.Status.Artifact != artifacts {
|
|
timeNew := metav1.Now()
|
|
repo.Status.LastUpdateTime = &timeNew
|
|
repo.Status.Artifact = artifacts
|
|
}
|
|
log.Info("Repository sync succeeded", "msg", readyCondition.Message)
|
|
}
|
|
|
|
// update status
|
|
readyCondition.LastTransitionTime = metav1.Now()
|
|
repo.Status.Conditions = []sourcev1.SourceCondition{readyCondition}
|
|
|
|
if err := r.Status().Update(ctx, &repo); err != nil {
|
|
log.Error(err, "unable to update GitRepository status")
|
|
return result, err
|
|
}
|
|
|
|
// requeue repository
|
|
return result, nil
|
|
}
|
|
|
|
func (r *GitRepositoryReconciler) SetupWithManager(mgr ctrl.Manager) error {
|
|
return ctrl.NewControllerManagedBy(mgr).
|
|
For(&sourcev1.GitRepository{}).
|
|
WithEventFilter(RepositoryChangePredicate{}).
|
|
WithEventFilter(predicate.Funcs{
|
|
DeleteFunc: func(e event.DeleteEvent) bool {
|
|
// delete artifacts
|
|
artifact := r.Storage.ArtifactFor(r.Kind, e.Meta, "dummy")
|
|
if err := r.Storage.RemoveAll(artifact); err != nil {
|
|
r.Log.Error(err, "unable to delete artifacts",
|
|
r.Kind, fmt.Sprintf("%s/%s", e.Meta.GetNamespace(), e.Meta.GetName()))
|
|
} else {
|
|
r.Log.Info("Repository artifacts deleted",
|
|
r.Kind, fmt.Sprintf("%s/%s", e.Meta.GetNamespace(), e.Meta.GetName()))
|
|
}
|
|
return false
|
|
},
|
|
}).
|
|
Complete(r)
|
|
}
|
|
|
|
func (r *GitRepositoryReconciler) sync(repository sourcev1.GitRepository) (sourcev1.SourceCondition, string, error) {
|
|
// set defaults: master branch, no tags fetching, max two commits
|
|
branch := "master"
|
|
tagMode := git.NoTags
|
|
depth := 2
|
|
|
|
// determine ref
|
|
refName := plumbing.NewBranchReferenceName(branch)
|
|
if repository.Spec.Reference != nil {
|
|
if repository.Spec.Reference.Branch != "" {
|
|
branch = repository.Spec.Reference.Branch
|
|
refName = plumbing.NewBranchReferenceName(branch)
|
|
}
|
|
if repository.Spec.Reference.Commit != "" {
|
|
depth = 0
|
|
} else {
|
|
if repository.Spec.Reference.Tag != "" {
|
|
refName = plumbing.NewTagReferenceName(repository.Spec.Reference.Tag)
|
|
}
|
|
if repository.Spec.Reference.SemVer != "" {
|
|
tagMode = git.AllTags
|
|
}
|
|
}
|
|
}
|
|
|
|
// create tmp dir for SSH known_hosts
|
|
tmpSSH, err := ioutil.TempDir("", repository.Name)
|
|
if err != nil {
|
|
err = fmt.Errorf("tmp dir error %w", err)
|
|
return NotReadyCondition(sourcev1.StorageOperationFailedReason, err.Error()), "", err
|
|
}
|
|
defer os.RemoveAll(tmpSSH)
|
|
|
|
auth, err := r.auth(repository, tmpSSH)
|
|
if err != nil {
|
|
err = fmt.Errorf("auth error %w", err)
|
|
return NotReadyCondition(sourcev1.AuthenticationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
// create tmp dir for the Git clone
|
|
tmpGit, err := ioutil.TempDir("", repository.Name)
|
|
if err != nil {
|
|
err = fmt.Errorf("tmp dir error %w", err)
|
|
return NotReadyCondition(sourcev1.StorageOperationFailedReason, err.Error()), "", err
|
|
}
|
|
defer os.RemoveAll(tmpGit)
|
|
|
|
// clone to tmp
|
|
repo, err := git.PlainClone(tmpGit, false, &git.CloneOptions{
|
|
URL: repository.Spec.URL,
|
|
Auth: auth,
|
|
RemoteName: "origin",
|
|
ReferenceName: refName,
|
|
SingleBranch: true,
|
|
NoCheckout: false,
|
|
Depth: depth,
|
|
RecurseSubmodules: 0,
|
|
Progress: nil,
|
|
Tags: tagMode,
|
|
})
|
|
if err != nil {
|
|
err = fmt.Errorf("git clone error %w", err)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
// checkout commit or tag
|
|
if repository.Spec.Reference != nil {
|
|
if commit := repository.Spec.Reference.Commit; commit != "" {
|
|
w, err := repo.Worktree()
|
|
if err != nil {
|
|
err = fmt.Errorf("git worktree error %w", err)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
err = w.Checkout(&git.CheckoutOptions{
|
|
Hash: plumbing.NewHash(commit),
|
|
Force: true,
|
|
})
|
|
if err != nil {
|
|
err = fmt.Errorf("git checkout %s for %s error %w", commit, branch, err)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
} else if exp := repository.Spec.Reference.SemVer; exp != "" {
|
|
rng, err := semver.ParseRange(exp)
|
|
if err != nil {
|
|
err = fmt.Errorf("semver parse range error %w", err)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
repoTags, err := repo.Tags()
|
|
if err != nil {
|
|
err = fmt.Errorf("git list tags error %w", err)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
tags := make(map[string]string)
|
|
_ = repoTags.ForEach(func(t *plumbing.Reference) error {
|
|
tags[t.Name().Short()] = t.Strings()[1]
|
|
return nil
|
|
})
|
|
|
|
svTags := make(map[string]string)
|
|
svers := []semver.Version{}
|
|
for tag, _ := range tags {
|
|
v, _ := semver.ParseTolerant(tag)
|
|
if rng(v) {
|
|
svers = append(svers, v)
|
|
svTags[v.String()] = tag
|
|
}
|
|
}
|
|
|
|
if len(svers) > 0 {
|
|
semver.Sort(svers)
|
|
v := svers[len(svers)-1]
|
|
t := svTags[v.String()]
|
|
commit := tags[t]
|
|
|
|
w, err := repo.Worktree()
|
|
if err != nil {
|
|
err = fmt.Errorf("git worktree error %w", err)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
err = w.Checkout(&git.CheckoutOptions{
|
|
Hash: plumbing.NewHash(commit),
|
|
})
|
|
if err != nil {
|
|
err = fmt.Errorf("git checkout error %w", err)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
} else {
|
|
err = fmt.Errorf("no match found for semver %s", repository.Spec.Reference.SemVer)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
}
|
|
}
|
|
|
|
// read commit hash
|
|
ref, err := repo.Head()
|
|
if err != nil {
|
|
err = fmt.Errorf("git resolve HEAD error %w", err)
|
|
return NotReadyCondition(sourcev1.GitOperationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
artifact := r.Storage.ArtifactFor(r.Kind, repository.ObjectMeta.GetObjectMeta(),
|
|
fmt.Sprintf("%s.tar.gz", ref.Hash().String()))
|
|
|
|
// create artifact dir
|
|
err = r.Storage.MkdirAll(artifact)
|
|
if err != nil {
|
|
err = fmt.Errorf("mkdir dir error %w", err)
|
|
return NotReadyCondition(sourcev1.StorageOperationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
// acquire lock
|
|
unlock, err := r.Storage.Lock(artifact)
|
|
if err != nil {
|
|
err = fmt.Errorf("unable to acquire lock: %w", err)
|
|
return NotReadyCondition(sourcev1.StorageOperationFailedReason, err.Error()), "", err
|
|
}
|
|
defer unlock()
|
|
|
|
// archive artifact
|
|
err = r.Storage.Archive(artifact, tmpGit, "")
|
|
if err != nil {
|
|
err = fmt.Errorf("storage error %w", err)
|
|
return NotReadyCondition(sourcev1.StorageOperationFailedReason, err.Error()), "", err
|
|
}
|
|
|
|
message := fmt.Sprintf("Artifact is available at %s", artifact.Path)
|
|
return ReadyCondition(sourcev1.GitOperationSucceedReason, message), artifact.URL, nil
|
|
}
|
|
|
|
func (r *GitRepositoryReconciler) shouldResetStatus(repository sourcev1.GitRepository) (bool, sourcev1.GitRepositoryStatus) {
|
|
resetStatus := false
|
|
if repository.Status.Artifact != "" {
|
|
parts := strings.Split(repository.Status.Artifact, "/")
|
|
artifact := r.Storage.ArtifactFor(r.Kind, repository.ObjectMeta.GetObjectMeta(), parts[len(parts)-1])
|
|
if !r.Storage.ArtifactExist(artifact) {
|
|
resetStatus = true
|
|
}
|
|
}
|
|
|
|
// set initial status
|
|
if len(repository.Status.Conditions) == 0 || resetStatus {
|
|
resetStatus = true
|
|
}
|
|
|
|
return resetStatus, sourcev1.GitRepositoryStatus{
|
|
Conditions: []sourcev1.SourceCondition{
|
|
{
|
|
Type: sourcev1.ReadyCondition,
|
|
Status: corev1.ConditionUnknown,
|
|
Reason: sourcev1.InitializingReason,
|
|
LastTransitionTime: metav1.Now(),
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func (r *GitRepositoryReconciler) gc(repository sourcev1.GitRepository) {
|
|
if repository.Status.Artifact != "" {
|
|
parts := strings.Split(repository.Status.Artifact, "/")
|
|
artifact := r.Storage.ArtifactFor(r.Kind, repository.ObjectMeta.GetObjectMeta(), parts[len(parts)-1])
|
|
if err := r.Storage.RemoveAllButCurrent(artifact); err != nil {
|
|
r.Log.Info("Artifacts GC failed", "error", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func (r *GitRepositoryReconciler) auth(repository sourcev1.GitRepository, tmp string) (transport.AuthMethod, error) {
|
|
if repository.Spec.SecretRef == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
name := types.NamespacedName{
|
|
Namespace: repository.GetNamespace(),
|
|
Name: repository.Spec.SecretRef.Name,
|
|
}
|
|
|
|
var secret corev1.Secret
|
|
err := r.Client.Get(context.TODO(), name, &secret)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
credentials := secret.Data
|
|
|
|
// HTTP auth
|
|
if strings.HasPrefix(repository.Spec.URL, "http") {
|
|
auth := &http.BasicAuth{}
|
|
if username, ok := credentials["username"]; ok {
|
|
auth.Username = string(username)
|
|
} else {
|
|
return nil, fmt.Errorf("%s secret does not contain username", repository.Spec.SecretRef.Name)
|
|
}
|
|
if password, ok := credentials["password"]; ok {
|
|
auth.Password = string(password)
|
|
} else {
|
|
return nil, fmt.Errorf("%s secret does not contain password", repository.Spec.SecretRef.Name)
|
|
}
|
|
return auth, nil
|
|
}
|
|
|
|
// SSH auth
|
|
if strings.HasPrefix(repository.Spec.URL, "ssh") {
|
|
var privateKey []byte
|
|
if identity, ok := credentials["identity"]; ok {
|
|
privateKey = identity
|
|
} else {
|
|
return nil, fmt.Errorf("%s secret does not contain identity", repository.Spec.SecretRef.Name)
|
|
}
|
|
|
|
pk, err := ssh.NewPublicKeys("git", privateKey, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
known_hosts := filepath.Join(tmp, "known_hosts")
|
|
if kh, ok := credentials["known_hosts"]; ok {
|
|
if err := ioutil.WriteFile(filepath.Join(tmp, "known_hosts"), kh, 0644); err != nil {
|
|
return nil, err
|
|
}
|
|
} else {
|
|
return nil, fmt.Errorf("%s secret does not contain known_hosts", repository.Spec.SecretRef.Name)
|
|
}
|
|
|
|
callback, err := ssh.NewKnownHostsCallback(known_hosts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
pk.HostKeyCallback = callback
|
|
|
|
return pk, nil
|
|
}
|
|
|
|
return nil, nil
|
|
}
|