Zarf agent mutating webhook

.github/workflows/build-rust-injector.yml

@@ -26,7 +26,6 @@ jobs:
       - name: "Install cosign"
         uses: sigstore/[email protected]
 
-
       - name: "Install Rust And Build"
         uses: gmiam/[email protected]
         with:

.github/workflows/build-zarf-agent.yml

@@ -12,29 +12,50 @@ on:
         default: "master"
 
 jobs:
-  build-injector:
+  build-agent:
     runs-on: ubuntu-latest
     steps:
+      - name: "Install GoLang"
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.18.x
+
       - name: "Checkout Repo"
         uses: actions/checkout@v2
         with:
           ref: ${{ github.event.inputs.branchName }}
+
+      - name: "Setup caching"
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
 
       - name: "Install cosign"
         uses: sigstore/[email protected]
 
-      - name: Set up Docker Buildx
+      - name: "Set up Docker Buildx"
         id: buildx
         uses: docker/setup-buildx-action@v2
 
-      - name: Login to Docker Hub
+      - name: "Login to Docker Hub"
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: "Build zarf binaries"
+        run: make build-cli-linux
+
+      - name: "Rename binaries for packaging"
+        run: mv build/zarf build/zarf-linux-amd64 && mv build/zarf-arm build/zarf-linux-arm64
+
       - name: "Build and Publish the Image"
-        run: buildx build --push --platform linux/arm64/v8,linux/amd64 --tag defenseunicorns/zarf-agent:${{ github.event.inputs.versionTag }} .
+        run: docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag defenseunicorns/zarf-agent:${{ github.event.inputs.versionTag }} .
 
       - name: "Sign the Image"
         run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-agent:${{ github.event.inputs.versionTag }}

.github/workflows/release.yml

@@ -13,18 +13,33 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.18.x
+
       - name: Checkout Repo
         uses: actions/checkout@v2
+
+      - name: "Setup caching"
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-        
+
       - name: Build Things For Release
         run: make build-cli init-package
+
       - name: Set AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
           aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
           aws-region: us-gov-west-1
+
       - name: Push Release Artifacts to S3 Bucket
         run: aws s3 cp build s3://zarf-public/release/${{ github.ref_name }} --region us-gov-west-1 --recursive
+
       - name: Create a Release For This Tag
         uses: softprops/action-gh-release@v1
         if: startsWith(github.ref, 'refs/tags/')

.github/workflows/test-k3d.yml

@@ -10,12 +10,26 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.18.x
+
       - name: "Checkout Repo"
         uses: actions/checkout@v2
+
+      - name: "Setup caching"
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-        
+
       - name: "Build CLI"
         run: make build-cli-linux
+
       - name: "Make Packages"
         run: make init-package package-example-game package-example-data-injection package-example-gitops-data package-example-compose
+
       - name: "Run Tests"
         # NOTE: This test run will create its own K3d cluster. A single cluster will be used throughout the test run.
         run: TESTDISTRO=k3d make test-e2e

.github/workflows/test-k3s.yml

@@ -10,12 +10,26 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.18.x
+
       - name: "Checkout Repo"
         uses: actions/checkout@v2
+
+      - name: "Setup caching"
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
       - name: "Build CLI"
         run: make build-cli-linux
+
       - name: "Make Packages"
         run: make init-package package-example-game package-example-data-injection package-example-gitops-data package-example-compose
+
       - name: "Run Tests"
         # NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of go installed
         #       in a previous step. This test run will use Zarf to create a K3s cluster, and a brand new cluster will be

.github/workflows/test-kind.yml

@@ -10,14 +10,29 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.18.x
+
       - name: "Checkout Repo"
         uses: actions/checkout@v2
+
       - name: "Create k8s Kind Cluster"
         uses: helm/[email protected]
+
+      - name: "Setup caching"
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
       - name: "Build CLI"
         run: make build-cli-linux
+
       - name: "Make Packages"
         run: make init-package package-example-game package-example-data-injection package-example-gitops-data package-example-compose
+
       - name: "Run Tests"
         # NOTE: We want to test providing a cluster to the test framework so this one creates its own KinD cluster
         #       rather than having the test suite do it. The K3d tests do a self-provisioned cluster and the K3s tests

.gitignore

@@ -22,6 +22,7 @@ test/tf/public-ec2-instance/.terraform
 terraform.tfstate
 terraform.tfstate.backup
 .terraform.lock.hcl
+cosign.key
 .zarf*
 zarf-pki
 .scratch/

Dockerfile

@@ -0,0 +1,9 @@
+FROM scratch
+ARG TARGETARCH
+
+ADD "build/zarf-linux-$TARGETARCH" /zarf
+EXPOSE 8443
+
+ENV USER=zarf
+
+CMD ["/zarf", "agent", "-l=trace"]

Makefile

@@ -49,6 +49,16 @@ build-cli: build-injector-registry build-cli-linux build-cli-mac ## Build the CL
 build-injector-registry:
 	cd src/injector/stage2 && $(MAKE) build-bootstrap-registry
 
+# Should have an existing deploying already running used to build and update a new image in the cluster
+# kind load docker-image zarf-agent:$(tag)
+dev-agent-image:
+	$(eval tag := defenseunicorns/dev-zarf-agent:$(shell date +%s))
+	$(eval arch := $(shell uname -m))
+	CGO_ENABLED=0 GOOS=linux go build -o build/zarf-linux-$(arch) src/main.go
+	DOCKER_BUILDKIT=1 docker build --tag $(tag) --build-arg TARGETARCH=$(arch) . && \
+	k3d image import $(tag) && \
+	kubectl -n zarf set image deployment/agent-hook server=$(tag)
+
 init-package: ## Create the zarf init package, macos "brew install coreutils" first
 	$(ZARF_BIN) package create --confirm --architecture amd64
 	$(ZARF_BIN) package create --confirm --architecture arm64

README.md

@@ -287,7 +287,7 @@ Zarf is written entirely in [go](https://go.dev/), except for a single 400Kb bin
 - The OCI Registries used are both from [Docker](https://github.com/distribution/distribution)
 - Currently, the Registry and Git servers _are not HA_, see [#375](https://github.com/defenseunicorns/zarf/issues/376) and [#376](https://github.com/defenseunicorns/zarf/issues/376) for discussion on this
 - To avoid TLS issues, Zarf binds to `127.0.0.1:31999` on each node as a [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) to allow all nodes to access the pod(s) in the cluster
-- Until [#306](https://github.com/defenseunicorns/zarf/pull/306) is merged, during helm install/upgrade a [Helm PostRender](https://helm.sh/docs/topics/advanced/#post-rendering) function is called to mutate images and [ImagePullSecrets](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) so the deployed resources use the NodePort binding
+- A [mutating webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) we call the Zarf Agent handles updating pod's [ImagePullSecrets](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) so the deployed resources use the NodePort binding
 - Zarf uses a custom injector system to bootstrap a new cluster. See the PR [#329](https://github.com/defenseunicorns/zarf/pull/329) and [ADR](docs/adr/0003-image-injection-into-remote-clusters-without-native-support.md) for more details on how we came to this solution.  The general steps are listed below:
   - Get a list of images in the cluster
   - Attempt to create an ephemeral pod using an image from the list
@@ -301,5 +301,4 @@ Zarf is written entirely in [go](https://go.dev/), except for a single 400Kb bin
 ### Zarf Architecture
 ![Architecture Diagram](./docs/architecture.drawio.svg)
 
-
 [Source DrawIO](docs/architecture.drawio.svg)

docs/components.md

@@ -18,7 +18,7 @@ Zarf's work necessitates that some components are "always on" (a.k.a. required &
 |                         | Description                                                                                                          |
 | ----------------------- | -------------------------------------------------------------------------------------------------------------------- |
 | container-seed-registry | Adds a container registry so Zarf can bootstrap itself into the cluster.                                             |
-| container-registry      | Adds a container registry service—[docker registry](https://docs.docker.com/registry/)—into the cluster. |
+| zarf-registry      | Adds a container registry service—[docker registry](https://docs.docker.com/registry/)—into the cluster. |
 
  
 

examples/big-bang/kustomization/kustomization.yaml

@@ -1,24 +1,9 @@
 bases:
-  - git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git/base?ref=tags/1.28.0
+  - git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git/base?ref=tags/1.33.0
 
 configMapGenerator:
   - name: common
     namespace: bigbang
     behavior: merge
     files:
       - values.yaml
-
-resources:
-  - git-secret.yaml
-
-patchesStrategicMerge:
-  - |-
-    apiVersion: source.toolkit.fluxcd.io/v1beta1
-    kind: GitRepository
-    metadata:
-      name: bigbang
-      namespace: bigbang
-    spec:
-      url: http://zarf-gitea-http.zarf.svc.cluster.local:3000/zarf-git-user/mirror__repo1.dso.mil__platform-one__big-bang__bigbang.git
-      secretRef:
-        name: zarf-git-secret