feat: Add checksum to operator deployment (#45)

* Add checksum to operator deployment

This will force redeployment of the operator when deploy tokens rotate

* Add helm cli to dockerfile

We can't use helm natively in go unfortunately because of collisions w/ gitops engines deps (argo faces a similar issue apparently).  This modifies the dockerfile to add the helm cli

* make deploy operator syncs conditional when local flag is set

* use contains to check extensions for raw parser

Dockerfile

@@ -14,12 +14,19 @@ RUN go mod download
 COPY /cmd/main.go main.go
 COPY /pkg pkg/
 
+ENV HELM_VERSION=v3.10.3
+
+RUN apk add --update --no-cache curl ca-certificates unzip wget openssl build-base && \
+    curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz | tar xvz && \
+    mv linux-${TARGETARCH}/helm /usr/local/bin/helm
+
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o deployment-agent main.go
 
-FROM gcr.io/distroless/static:nonroot
-WORKDIR /
+FROM alpine:3.17
+WORKDIR /workspace
 
+COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm 
 COPY --from=builder /workspace/deployment-agent .
 USER 65532:65532
-ENTRYPOINT ["/deployment-agent"]
+ENTRYPOINT ["/workspace/deployment-agent"]

charts/deployment-operator/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: deployment-operator
 description: creates a new instance of the plural deployment operator
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "0.1.1"
 maintainers:
 - name: Plural

charts/deployment-operator/templates/deployment.yaml

@@ -11,8 +11,9 @@ spec:
       {{- include "deployment-operator.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

cmd/main.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/pluralsh/deployment-operator/pkg/agent"
+	"github.com/pluralsh/deployment-operator/pkg/sync"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog/v2/klogr"
@@ -59,6 +60,7 @@ func newCmd(log logr.Logger) *cobra.Command {
 	cmd.Flags().StringVar(&refreshInterval, "refresh-interval", "1m", "Refresh interval duration")
 	cmd.Flags().StringVar(&consoleUrl, "console-url", "", "the url of the console api to fetch services from")
 	cmd.Flags().StringVar(&deployToken, "deploy-token", "", "the deploy token to auth to console api with")
+	cmd.Flags().BoolVar(&sync.Local, "local", false, "whether you're running the agent locally (and should avoid recreating the deploy operator)")
 	return &cmd
 }
 

go.mod

@@ -37,7 +37,7 @@ require (
 	github.com/go-logr/logr v1.2.4
 	github.com/orcaman/concurrent-map/v2 v2.0.1
 	github.com/osteele/liquid v1.3.1
-	github.com/pluralsh/console-client-go v0.0.8
+	github.com/pluralsh/console-client-go v0.0.11
 	github.com/pluralsh/polly v0.1.4
 	github.com/samber/lo v1.38.1
 	github.com/spf13/cobra v1.7.0

go.sum

@@ -545,6 +545,8 @@ github.com/pluralsh/console-client-go v0.0.5 h1:+L7I3QLMWNBiuZlWe/YJfUMMZGnpKhEA
 github.com/pluralsh/console-client-go v0.0.5/go.mod h1:kZjk0pXAWnvyj+miXveCho4kKQaX1Tm3CGAM+iwurWU=
 github.com/pluralsh/console-client-go v0.0.8 h1:BwWOt1ggBX/fxzY2+01dk8sBTz1jqT57o2y1Iz9Zxzk=
 github.com/pluralsh/console-client-go v0.0.8/go.mod h1:kZjk0pXAWnvyj+miXveCho4kKQaX1Tm3CGAM+iwurWU=
+github.com/pluralsh/console-client-go v0.0.11 h1:2fchZE6qlSQmHTeuH54hAzJJpgKpx2Kbl8HhJNugbns=
+github.com/pluralsh/console-client-go v0.0.11/go.mod h1:kZjk0pXAWnvyj+miXveCho4kKQaX1Tm3CGAM+iwurWU=
 github.com/pluralsh/polly v0.1.4 h1:Kz90peCgvsfF3ERt8cujr5TR9z4wUlqQE60Eg09ZItY=
 github.com/pluralsh/polly v0.1.4/go.mod h1:Yo1/jcW+4xwhWG+ZJikZy4J4HJkMNPZ7sq5auL2c/tY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

pkg/manifests/template/raw.go

@@ -10,10 +10,12 @@ import (
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/osteele/liquid"
 	console "github.com/pluralsh/console-client-go"
+	"github.com/samber/lo"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 var (
+	extensions     = []string{".json", ".yaml", ".yml", ".yaml.liquid", ".yml.liquid", ".json.liquid"}
 	liquidEngine   = liquid.NewEngine()
 	sprigFunctions = map[string]string{
 		"toJson":        "to_json",
@@ -57,7 +59,7 @@ func (r *raw) Render(svc *console.ServiceDeploymentExtended) ([]*unstructured.Un
 		if info.IsDir() {
 			return nil
 		}
-		if ext := strings.ToLower(filepath.Ext(info.Name())); ext != ".json" && ext != ".yml" && ext != ".yaml" {
+		if ext := strings.ToLower(filepath.Ext(info.Name())); !lo.Contains(extensions, ext) {
 			return nil
 		}
 		rpath, err := filepath.Rel(r.dir, path)

pkg/sync/constants.go

@@ -1,7 +1,20 @@
 package sync
 
+import (
+	"time"
+
+	"k8s.io/klog/v2/klogr"
+)
+
 const (
 	SyncShaAnnotation = "deployments.plural.sh/sync-sha"
 	SyncAnnotation    = "deployments.plural.sh/service-id"
 	SSAManager        = "plural-deployment-agent"
+	OperatorService   = "deploy-operator"
+	syncDelay         = 5 * time.Second
+)
+
+var (
+	Local = false
+	log   = klogr.New()
 )

pkg/sync/loop.go

@@ -9,16 +9,6 @@ import (
 	"github.com/argoproj/gitops-engine/pkg/sync"
 	"github.com/argoproj/gitops-engine/pkg/sync/common"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-
-	"k8s.io/klog/v2/klogr"
-)
-
-var (
-	log = klogr.New()
-)
-
-const (
-	syncDelay = 5 * time.Second
 )
 
 func (engine *Engine) ControlLoop() {
@@ -66,6 +56,11 @@ func (engine *Engine) processItem(item interface{}) error {
 		fmt.Printf("failed to fetch service from cache: %s, ignoring for now", err)
 		return err
 	}
+
+	if Local && svc.Name == OperatorService {
+		return nil
+	}
+
 	log.Info("syncing service", "name", svc.Name, "namespace", svc.Namespace)
 
 	var manErr error