feat: private-mode as plugin + extends sugar (#472)

SocialGouv · Apr 23, 2024 · 230203a · 230203a
1 parent 18cad4c
commit 230203a
Show file tree

Hide file tree

Showing 8 changed files with 317 additions and 1 deletion.
diff --git a/packages/common/config/load-config.js b/packages/common/config/load-config.js
@@ -680,7 +680,7 @@ const loadConfig = async (
     },
     deployKeySecretName: {
       env: "KS_DEPLOY_KEY_SECRET_NAME",
-      default: null,
+      default: "deploy-key",
     },
     gitDiffEnabled: {
       option: "gitDiffEnabled",

diff --git a/packages/kontinuous/tests/__snapshots__/private-mode.dev.yaml b/packages/kontinuous/tests/__snapshots__/private-mode.dev.yaml
@@ -0,0 +1,258 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`test build manifests with snapshots private-mode.dev 1`] = `
+"apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    field.cattle.io/projectId: \\"1234\\"
+    kontinuous/gitBranch: feature-branch-1
+    kontinuous/mainNamespace: \\"true\\"
+    kapp.k14s.io/exists: \\"\\"
+    kontinuous/chartPath: project.fabrique.contrib.rancher-namespace
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+  labels:
+    application: test-private-mode
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+    kontinuous/deployment.env: test-private-mode-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: namespace-test-private-mode-feature-branch-1-1cukadqi
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+    cert: wildcard
+  name: test-private-mode-feature-branch-1
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: netpol-ingress
+  namespace: test-private-mode-feature-branch-1
+  annotations:
+    kontinuous/chartPath: project.fabrique.contrib.security-policies
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+  labels:
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+    kontinuous/deployment.env: test-private-mode-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: networkpolicy-netpol-ingress-61ndxljw
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+spec:
+  ingress:
+    - from:
+        - podSelector: {}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              network-policy/source: ingress-controller
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              network-policy/source: monitoring
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+  annotations:
+    kontinuous/chartPath: project.fabrique.contrib.security-policies
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+  labels:
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+    kontinuous/deployment.env: test-private-mode-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: serviceaccount-default-2g5dmk74
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+  namespace: test-private-mode-feature-branch-1
+automountServiceAccountToken: false
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    component: app
+    application: test-private-mode
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+    kontinuous/deployment.env: test-private-mode-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: deployment-app-55fzcjih
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+  name: app
+  namespace: test-private-mode-feature-branch-1
+  annotations:
+    kontinuous/chartPath: project.fabrique.contrib.app
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/app/templates/deployment.yaml
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+    kontinuous/depname.full: project.fabrique.contrib.app.deployment.app
+    kontinuous/depname.chartResource: app.deployment.app
+    kontinuous/depname.chartName: app
+    kontinuous/depname.chartPath: project.fabrique.contrib.app
+    kontinuous/depname.resourcePath: deployment.app
+    kontinuous/depname.resourceName: app
+    kontinuous/depname.chartNameTopFull: app
+    kontinuous/depname.chartNameTop: app
+    kontinuous/plugin.log: \\"false\\"
+    reloader.stakater.com/auto: \\"true\\"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      component: app
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        component: app
+        application: test-private-mode
+        namespace: test-private-mode-feature-branch-1
+        kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+        kontinuous/deployment.env: test-private-mode-feature-branch-1
+        kontinuous/ref: feature-branch-1
+        kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+        kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+        kontinuous/resourceName: deployment-app-55fzcjih
+        app.kubernetes.io/manifest-managed-by: kontinuous
+        app.kubernetes.io/manifest-created-by: kontinuous
+      annotations:
+        kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                    - key: namespace
+                      operator: In
+                      values:
+                        - test-private-mode-feature-branch-1
+                    - key: component
+                      operator: In
+                      values:
+                        - app
+                topologyKey: kubernetes.io/hostname
+      containers:
+        - image: harbor.fabrique.social.gouv.fr/test-private-mode/app:sha-ffac537e6cbbf934b08745a378932722df287a53
+          name: app
+          ports:
+            - containerPort: 3000
+              name: http
+          livenessProbe:
+            failureThreshold: 15
+            httpGet:
+              path: /index.html
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 5
+            timeoutSeconds: 5
+          readinessProbe:
+            failureThreshold: 15
+            httpGet:
+              path: /index.html
+              port: http
+            initialDelaySeconds: 1
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 1
+          startupProbe:
+            failureThreshold: 12
+            httpGet:
+              path: /index.html
+              port: http
+            periodSeconds: 5
+          resources:
+            limits:
+              cpu: 1
+              memory: 1Gi
+            requests:
+              cpu: 41m
+              memory: 121Mi
+      imagePullSecrets:
+        - name: harbor-pull-secret
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    component: app
+    application: test-private-mode
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+    kontinuous/deployment.env: test-private-mode-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: service-app-46z2o1vv
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+  name: app
+  namespace: test-private-mode-feature-branch-1
+  annotations:
+    kontinuous/chartPath: project.fabrique.contrib.app
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/app/templates/service.yaml
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 3000
+  selector:
+    component: app
+  type: ClusterIP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    kontinuous/chartPath: project.fabrique.contrib.app
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/app/templates/ingress.yaml
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+  labels:
+    component: app
+    application: test-private-mode
+    kontinuous/deployment: test-private-mode-feature-branch-1-ffac537e6cbbf934b0-kai8ppzf
+    kontinuous/deployment.env: test-private-mode-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: ingress-app-b4kcj2bx
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+  name: app
+  namespace: test-private-mode-feature-branch-1
+spec:
+  rules:
+    - host: test-private-mode-feature-branch-1.dev.fabrique.social.gouv.fr
+      http:
+        paths:
+          - backend:
+              service:
+                name: app
+                port:
+                  name: http
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - test-private-mode-feature-branch-1.dev.fabrique.social.gouv.fr
+      secretName: wildcard-crt
+"
+`;
diff --git a/packages/kontinuous/tests/samples/private-mode/config.yaml b/packages/kontinuous/tests/samples/private-mode/config.yaml
@@ -0,0 +1,5 @@
+dependencies:
+  fabrique:
+    import: socialgouv/kontinuous/plugins/fabrique
+    extends:
+      - name: private-mode
diff --git a/packages/kontinuous/tests/samples/private-mode/values.yaml b/packages/kontinuous/tests/samples/private-mode/values.yaml
@@ -0,0 +1,2 @@
+app:
+  enabled: true
diff --git a/plugins/contrib/kontinuous.yaml b/plugins/contrib/kontinuous.yaml
@@ -31,6 +31,8 @@ patches:
     enabled: true
   addJobsAffinityAndTolerations:
     enabled: false
+  privateImages:
+    enabled: false
 
 validators:
   rancherProjectId:

diff --git a/plugins/contrib/patches/60-private-images.js b/plugins/contrib/patches/60-private-images.js
@@ -0,0 +1,35 @@
+module.exports = (manifests, options) => {
+  const {
+    kinds = ["Deployment", "StatefulSet", "DaemonSet"],
+    imagePrefixes = [],
+  } = options
+  manifests.forEach((manifest) => {
+    if (kinds.includes(manifest.kind)) {
+      // Iterate through each container in the spec
+      manifest.spec.template.spec.containers.forEach((container) => {
+        if (
+          imagePrefixes.some((imagePrefix) =>
+            container.image.startsWith(imagePrefix)
+          )
+        ) {
+          // Ensure imagePullSecrets array exists
+          if (!manifest.spec.template.spec.imagePullSecrets) {
+            manifest.spec.template.spec.imagePullSecrets = []
+          }
+
+          // Check if the secret is already added to avoid duplicates
+          const secretExists =
+            manifest.spec.template.spec.imagePullSecrets.some(
+              (secret) => secret.name === "harbor-pull-secret"
+            )
+          if (!secretExists) {
+            // Add the harbor-pull-secret
+            manifest.spec.template.spec.imagePullSecrets.push({
+              name: "harbor-pull-secret",
+            })
+          }
+        }
+      })
+    }
+  })
+}
diff --git a/plugins/fabrique/extends/private-mode.yaml b/plugins/fabrique/extends/private-mode.yaml
@@ -0,0 +1,9 @@
+config:
+  private: true
+
+dependencies:
+  contrib:
+    patches:
+      privateImages:
+        enabled: true
+
diff --git a/plugins/fabrique/kontinuous.yaml b/plugins/fabrique/kontinuous.yaml
@@ -73,6 +73,11 @@ dependencies:
               operator: Equal
               value: ci
               effect: NoSchedule
+      privateImages:
+        enabled: false
+        options:
+          imagePrefixes:
+          - "harbor.fabrique.social.gouv.fr"
 
     validators:
       rancherProjectId: