refactor: remove use of k8s secret (#2565)

## Description Removes use of k8s secret functions. ## Related Issue Relates to #2507 ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow) followed
zarf-dev · Jun 14, 2024 · f744036 · f744036
1 parent 7415967
commit f744036
Show file tree

Hide file tree

Showing 6 changed files with 190 additions and 169 deletions.
diff --git a/src/internal/packager/helm/post-render.go b/src/internal/packager/helm/post-render.go
@@ -159,24 +159,49 @@ func (r *renderer) adoptAndUpdateNamespaces(ctx context.Context) error {
 			continue
 		}
 
-		// Create the secret
-		validRegistrySecret := c.GenerateRegistryPullCreds(name, config.ZarfImagePullSecretName, r.state.RegistryInfo)
-
 		// Try to get a valid existing secret
-		currentRegistrySecret, _ := c.GetSecret(ctx, name, config.ZarfImagePullSecretName)
+		validRegistrySecret := c.GenerateRegistryPullCreds(name, config.ZarfImagePullSecretName, r.state.RegistryInfo)
+		// TODO: Refactor as error is not checked instead of checking for not found error.
+		currentRegistrySecret, _ := c.Clientset.CoreV1().Secrets(name).Get(ctx, config.ZarfImagePullSecretName, metav1.GetOptions{})
 		if currentRegistrySecret.Name != config.ZarfImagePullSecretName || !reflect.DeepEqual(currentRegistrySecret.Data, validRegistrySecret.Data) {
-			// Create or update the zarf registry secret
-			if _, err := c.CreateOrUpdateSecret(ctx, validRegistrySecret); err != nil {
+			err := func() error {
+				_, err := c.Clientset.CoreV1().Secrets(validRegistrySecret.Namespace).Create(ctx, validRegistrySecret, metav1.CreateOptions{})
+				if err != nil && !kerrors.IsAlreadyExists(err) {
+					return err
+				}
+				if err == nil {
+					return nil
+				}
+				_, err = c.Clientset.CoreV1().Secrets(validRegistrySecret.Namespace).Update(ctx, validRegistrySecret, metav1.UpdateOptions{})
+				if err != nil {
+					return err
+				}
+				return nil
+			}()
+			if err != nil {
 				message.WarnErrf(err, "Problem creating registry secret for the %s namespace", name)
 			}
 
-			// Generate the git server secret
-			gitServerSecret := c.GenerateGitPullCreds(name, config.ZarfGitServerSecretName, r.state.GitServer)
-
 			// Create or update the zarf git server secret
-			if _, err := c.CreateOrUpdateSecret(ctx, gitServerSecret); err != nil {
+			gitServerSecret := c.GenerateGitPullCreds(name, config.ZarfGitServerSecretName, r.state.GitServer)
+			err = func() error {
+				_, err := c.Clientset.CoreV1().Secrets(gitServerSecret.Namespace).Create(ctx, gitServerSecret, metav1.CreateOptions{})
+				if err != nil && !kerrors.IsAlreadyExists(err) {
+					return err
+				}
+				if err == nil {
+					return nil
+				}
+				_, err = c.Clientset.CoreV1().Secrets(gitServerSecret.Namespace).Update(ctx, gitServerSecret, metav1.UpdateOptions{})
+				if err != nil {
+					return err
+				}
+				return nil
+			}()
+			if err != nil {
 				message.WarnErrf(err, "Problem creating git server secret for the %s namespace", name)
 			}
+
 		}
 	}
 	return nil

diff --git a/src/pkg/cluster/secrets.go b/src/pkg/cluster/secrets.go
@@ -34,8 +34,6 @@ type DockerConfigEntryWithAuth struct {
 
 // GenerateRegistryPullCreds generates a secret containing the registry credentials.
 func (c *Cluster) GenerateRegistryPullCreds(namespace, name string, registryInfo types.RegistryInfo) *corev1.Secret {
-	secretDockerConfig := c.GenerateSecret(namespace, name, corev1.SecretTypeDockerConfigJson)
-
 	// Auth field must be username:password and base64 encoded
 	fieldValue := registryInfo.PullUsername + ":" + registryInfo.PullPassword
 	authEncodedValue := base64.StdEncoding.EncodeToString([]byte(fieldValue))
@@ -56,22 +54,49 @@ func (c *Cluster) GenerateRegistryPullCreds(namespace, name string, registryInfo
 		message.WarnErrf(err, "Unable to marshal the .dockerconfigjson secret data for the image pull secret")
 	}
 
-	// Add to the secret data
-	secretDockerConfig.Data[".dockerconfigjson"] = dockerConfigData
-
+	secretDockerConfig := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: corev1.SchemeGroupVersion.String(),
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels: map[string]string{
+				ZarfManagedByLabel: "zarf",
+			},
+		},
+		Type: corev1.SecretTypeDockerConfigJson,
+		Data: map[string][]byte{
+			".dockerconfigjson": dockerConfigData,
+		},
+	}
 	return secretDockerConfig
 }
 
 // GenerateGitPullCreds generates a secret containing the git credentials.
 func (c *Cluster) GenerateGitPullCreds(namespace, name string, gitServerInfo types.GitServerInfo) *corev1.Secret {
 	message.Debugf("k8s.GenerateGitPullCreds(%s, %s, gitServerInfo)", namespace, name)
 
-	gitServerSecret := c.GenerateSecret(namespace, name, corev1.SecretTypeOpaque)
-	gitServerSecret.StringData = map[string]string{
-		"username": gitServerInfo.PullUsername,
-		"password": gitServerInfo.PullPassword,
+	gitServerSecret := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: corev1.SchemeGroupVersion.String(),
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels: map[string]string{
+				ZarfManagedByLabel: "zarf",
+			},
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{},
+		StringData: map[string]string{
+			"username": gitServerInfo.PullUsername,
+			"password": gitServerInfo.PullPassword,
+		},
 	}
-
 	return gitServerSecret
 }
 
@@ -87,7 +112,7 @@ func (c *Cluster) UpdateZarfManagedImageSecrets(ctx context.Context, state *type
 	} else {
 		// Update all image pull secrets
 		for _, namespace := range namespaceList.Items {
-			currentRegistrySecret, err := c.GetSecret(ctx, namespace.Name, config.ZarfImagePullSecretName)
+			currentRegistrySecret, err := c.Clientset.CoreV1().Secrets(namespace.Name).Get(ctx, config.ZarfImagePullSecretName, metav1.GetOptions{})
 			if err != nil {
 				continue
 			}
@@ -97,11 +122,10 @@ func (c *Cluster) UpdateZarfManagedImageSecrets(ctx context.Context, state *type
 				(namespace.Labels[k8s.AgentLabel] != "skip" && namespace.Labels[k8s.AgentLabel] != "ignore") {
 				spinner.Updatef("Updating existing Zarf-managed image secret for namespace: '%s'", namespace.Name)
 
-				// Create the secret
 				newRegistrySecret := c.GenerateRegistryPullCreds(namespace.Name, config.ZarfImagePullSecretName, state.RegistryInfo)
 				if !reflect.DeepEqual(currentRegistrySecret.Data, newRegistrySecret.Data) {
-					// Create or update the zarf registry secret
-					if _, err := c.CreateOrUpdateSecret(ctx, newRegistrySecret); err != nil {
+					_, err := c.Clientset.CoreV1().Secrets(newRegistrySecret.Namespace).Update(ctx, newRegistrySecret, metav1.UpdateOptions{})
+					if err != nil {
 						message.WarnErrf(err, "Problem creating registry secret for the %s namespace", namespace.Name)
 					}
 				}
@@ -123,7 +147,7 @@ func (c *Cluster) UpdateZarfManagedGitSecrets(ctx context.Context, state *types.
 	} else {
 		// Update all git pull secrets
 		for _, namespace := range namespaceList.Items {
-			currentGitSecret, err := c.GetSecret(ctx, namespace.Name, config.ZarfGitServerSecretName)
+			currentGitSecret, err := c.Clientset.CoreV1().Secrets(namespace.Name).Get(ctx, config.ZarfGitServerSecretName, metav1.GetOptions{})
 			if err != nil {
 				continue
 			}
@@ -136,8 +160,8 @@ func (c *Cluster) UpdateZarfManagedGitSecrets(ctx context.Context, state *types.
 				// Create the secret
 				newGitSecret := c.GenerateGitPullCreds(namespace.Name, config.ZarfGitServerSecretName, state.GitServer)
 				if !reflect.DeepEqual(currentGitSecret.StringData, newGitSecret.StringData) {
-					// Create or update the zarf git secret
-					if _, err := c.CreateOrUpdateSecret(ctx, newGitSecret); err != nil {
+					_, err := c.Clientset.CoreV1().Secrets(newGitSecret.Namespace).Update(ctx, newGitSecret, metav1.UpdateOptions{})
+					if err != nil {
 						message.WarnErrf(err, "Problem creating git server secret for the %s namespace", namespace.Name)
 					}
 				}

diff --git a/src/pkg/cluster/state.go b/src/pkg/cluster/state.go
@@ -27,6 +27,7 @@ import (
 
 // Zarf Cluster Constants.
 const (
+	ZarfManagedByLabel      = "app.kubernetes.io/managed-by"
 	ZarfNamespaceName       = "zarf"
 	ZarfStateSecretName     = "zarf-state"
 	ZarfStateDataKey        = "state"
@@ -214,7 +215,7 @@ func (c *Cluster) InitZarfState(ctx context.Context, initOptions types.ZarfInitO
 // LoadZarfState returns the current zarf/zarf-state secret data or an empty ZarfState.
 func (c *Cluster) LoadZarfState(ctx context.Context) (state *types.ZarfState, err error) {
 	// Set up the API connection
-	secret, err := c.GetSecret(ctx, ZarfNamespaceName, ZarfStateSecretName)
+	secret, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).Get(ctx, ZarfStateSecretName, metav1.GetOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("%w. %s", err, message.ColorWrap("Did you remember to zarf init?", color.Bold))
 	}
@@ -267,17 +268,10 @@ func (c *Cluster) debugPrintZarfState(state *types.ZarfState) {
 func (c *Cluster) SaveZarfState(ctx context.Context, state *types.ZarfState) error {
 	c.debugPrintZarfState(state)
 
-	// Convert the data back to JSON.
 	data, err := json.Marshal(&state)
 	if err != nil {
 		return err
 	}
-
-	// Set up the data wrapper.
-	dataWrapper := make(map[string][]byte)
-	dataWrapper[ZarfStateDataKey] = data
-
-	// The secret object.
 	secret := &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: corev1.SchemeGroupVersion.String(),
@@ -291,14 +285,23 @@ func (c *Cluster) SaveZarfState(ctx context.Context, state *types.ZarfState) err
 			},
 		},
 		Type: corev1.SecretTypeOpaque,
-		Data: dataWrapper,
+		Data: map[string][]byte{
+			ZarfStateDataKey: data,
+		},
 	}
 
 	// Attempt to create or update the secret and return.
-	if _, err := c.CreateOrUpdateSecret(ctx, secret); err != nil {
-		return fmt.Errorf("unable to create the zarf state secret")
+	_, err = c.Clientset.CoreV1().Secrets(secret.Namespace).Create(ctx, secret, metav1.CreateOptions{})
+	if err != nil && !kerrors.IsAlreadyExists(err) {
+		return fmt.Errorf("unable to create the zarf state secret: %w", err)
+	}
+	if err == nil {
+		return nil
+	}
+	_, err = c.Clientset.CoreV1().Secrets(secret.Namespace).Update(ctx, secret, metav1.UpdateOptions{})
+	if err != nil {
+		return fmt.Errorf("unable to update the zarf state secret: %w", err)
 	}
-
 	return nil
 }
 

diff --git a/src/pkg/cluster/zarf.go b/src/pkg/cluster/zarf.go
@@ -12,21 +12,24 @@ import (
 	"strings"
 	"time"
 
+	autoscalingV2 "k8s.io/api/autoscaling/v2"
+	corev1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/defenseunicorns/zarf/src/config"
 	"github.com/defenseunicorns/zarf/src/pkg/k8s"
 	"github.com/defenseunicorns/zarf/src/pkg/message"
 	"github.com/defenseunicorns/zarf/src/types"
-	autoscalingV2 "k8s.io/api/autoscaling/v2"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // GetDeployedZarfPackages gets metadata information about packages that have been deployed to the cluster.
 // We determine what packages have been deployed to the cluster by looking for specific secrets in the Zarf namespace.
 // Returns a list of DeployedPackage structs and a list of errors.
 func (c *Cluster) GetDeployedZarfPackages(ctx context.Context) ([]types.DeployedPackage, error) {
 	// Get the secrets that describe the deployed packages
-	secrets, err := c.GetSecretsWithLabel(ctx, ZarfNamespaceName, ZarfPackageInfoLabel)
+	listOpts := metav1.ListOptions{LabelSelector: ZarfPackageInfoLabel}
+	secrets, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).List(ctx, listOpts)
 	if err != nil {
 		return nil, err
 	}
@@ -54,7 +57,7 @@ func (c *Cluster) GetDeployedZarfPackages(ctx context.Context) ([]types.Deployed
 // We determine what packages have been deployed to the cluster by looking for specific secrets in the Zarf namespace.
 func (c *Cluster) GetDeployedPackage(ctx context.Context, packageName string) (deployedPackage *types.DeployedPackage, err error) {
 	// Get the secret that describes the deployed package
-	secret, err := c.GetSecret(ctx, ZarfNamespaceName, config.ZarfPackagePrefix+packageName)
+	secret, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).Get(ctx, config.ZarfPackagePrefix+packageName, metav1.GetOptions{})
 	if err != nil {
 		return deployedPackage, err
 	}
@@ -178,11 +181,6 @@ func (c *Cluster) RecordPackageDeploymentAndWait(ctx context.Context, pkg types.
 func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg types.ZarfPackage, components []types.DeployedComponent, connectStrings types.ConnectStrings, generation int) (deployedPackage *types.DeployedPackage, err error) {
 	packageName := pkg.Metadata.Name
 
-	// Generate a secret that describes the package that is being deployed
-	secretName := config.ZarfPackagePrefix + packageName
-	deployedPackageSecret := c.GenerateSecret(ZarfNamespaceName, secretName, corev1.SecretTypeOpaque)
-	deployedPackageSecret.Labels[ZarfPackageInfoLabel] = packageName
-
 	// Attempt to load information about webhooks for the package
 	var componentWebhooks map[string]map[string]types.Webhook
 	existingPackageSecret, err := c.GetDeployedPackage(ctx, packageName)
@@ -209,16 +207,44 @@ func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg types.ZarfPac
 	}
 
 	// Update the package secret
-	deployedPackageSecret.Data = map[string][]byte{"data": packageData}
-	var updatedSecret *corev1.Secret
-	if updatedSecret, err = c.CreateOrUpdateSecret(ctx, deployedPackageSecret); err != nil {
+	deployedPackageSecret := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: corev1.SchemeGroupVersion.String(),
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      config.ZarfPackagePrefix + packageName,
+			Namespace: ZarfNamespaceName,
+			Labels: map[string]string{
+				ZarfManagedByLabel:   "zarf",
+				ZarfPackageInfoLabel: packageName,
+			},
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"data": packageData,
+		},
+	}
+	updatedSecret, err := func() (*corev1.Secret, error) {
+		secret, err := c.Clientset.CoreV1().Secrets(deployedPackageSecret.Namespace).Create(ctx, deployedPackageSecret, metav1.CreateOptions{})
+		if err != nil && !kerrors.IsAlreadyExists(err) {
+			return nil, err
+		}
+		if err == nil {
+			return secret, nil
+		}
+		secret, err = c.Clientset.CoreV1().Secrets(deployedPackageSecret.Namespace).Update(ctx, deployedPackageSecret, metav1.UpdateOptions{})
+		if err != nil {
+			return nil, err
+		}
+		return secret, nil
+	}()
+	if err != nil {
 		return nil, fmt.Errorf("failed to record package deployment in secret '%s'", deployedPackageSecret.Name)
 	}
-
 	if err := json.Unmarshal(updatedSecret.Data["data"], &deployedPackage); err != nil {
 		return nil, err
 	}
-
 	return deployedPackage, nil
 }