Update Pepr to 0.14.1

Replace Patch with Force Apply to update package secret in webhook Ensure Pepr module is rebuilt in the build job
defenseunicorns · Oct 13, 2023 · 1646e74 · 1646e74
1 parent cabee9d
commit 1646e74
Show file tree

Hide file tree

Showing 8 changed files with 238 additions and 110 deletions.
diff --git a/.github/workflows/test-aws-init-package.yml b/.github/workflows/test-aws-init-package.yml
@@ -42,6 +42,19 @@ jobs:
       - name: Install latest version of Zarf
         uses: defenseunicorns/setup-zarf@main
 
+      - name: Setup NodeJS
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version: 18
+          cache: "npm"
+          cache-dependency-path: "package-lock.json"
+
+      - name: Install Node dependencies
+        run: npm ci
+
+      - name: Build ECR Pepr module
+        run: make build-module
+
       - name: Build AWS init package
         run: make aws-init-package
 

diff --git a/capabilities/webhook.ts b/capabilities/webhook.ts
@@ -1,5 +1,4 @@
 import { Capability, Log, a, K8s, kind } from "pepr";
-import { Operation } from "fast-json-patch";
 import { isECRregistry, getAccountId, getRepositoryNames } from "./lib/utils";
 import { ECRPublic, publicECRURLPattern } from "./ecr-public";
 import { ECRPrivate, privateECRURLPattern } from "./ecr-private";
@@ -234,20 +233,21 @@ async function updateWebhookStatus(
     secret.data.data = JSON.stringify(deployedPackage);
   }
 
-  // Clear managedFields to allow Pepr to take ownership of the secret data.data field and update webhook status
-  // For more information on clearing managedFields to take ownership of an object's field(s): https://kubernetes.io/docs/reference/using-api/server-side-apply/#clearing-managedfields
-  // TODO: Update to use Server-Side force apply when available in Pepr: https://github.com/defenseunicorns/kubernetes-fluent-client/issues/9
-  const patchOps: Operation[] = [
-    { op: "replace", path: "/metadata/managedFields", value: [{}] },
-    { op: "replace", path: "/data/data", value: secret.data.data },
-  ];
-
-  const kube = K8s(kind.Secret, { namespace: ns, name: secretName });
-
+  // Use Server-Side force apply to forcefully take ownership of the package secret data.data field
+  // Doing a Server-Side apply without the force option will result in a FieldManagerConflict error due to Zarf owning the object.
+  // See the following PR for more information: https://github.com/defenseunicorns/kubernetes-fluent-client/pull/20
   try {
-    await kube.Patch(patchOps);
-    Log.debug(
-      `Successfully updated package secret '${secretName}' in namespace '${ns}'`,
+    await K8s(kind.Secret).Apply(
+      {
+        metadata: {
+          name: secretName,
+          namespace: ns,
+        },
+        data: {
+          data: secret.data.data,
+        },
+      },
+      { force: true },
     );
   } catch (err) {
     Log.error(
@@ -256,22 +256,4 @@ async function updateWebhookStatus(
       )}`,
     );
   }
-
-  // try {
-  //   await K8s(kind.Secret).Apply({
-  //     metadata: {
-  //       name: secretName,
-  //       namespace: ns,
-  //     },
-  //     data: {
-  //       data: secret.data.data,
-  //     },
-  //   });
-  // } catch (err) {
-  //   Log.error(
-  //     `Error: Failed to update package secret '${secretName}' in namespace '${ns}': ${JSON.stringify(
-  //       err,
-  //     )}`,
-  //   );
-  // }
 }
diff --git a/iam/index.ts b/iam/index.ts
@@ -15,11 +15,17 @@ const credentialHelperRoleName = "ecr-credential-helper-role";
 const credentialHelperPolicyName = "ecr-credential-helper-policy";
 
 // File names for IAM resources
-const jsonFilesDir = join(__dirname, "json")
+const jsonFilesDir = join(__dirname, "json");
 const webhookPolicyPath = join(jsonFilesDir, "ecr-webhook-policy.json");
 const webhookRolePath = join(jsonFilesDir, "ecr-webhook-role.json");
-const credentialHelperPolicyPath = join(jsonFilesDir, "ecr-credential-helper-policy.json");
-const credentialHelperRolePath = join(jsonFilesDir, "ecr-credential-helper-role.json");
+const credentialHelperPolicyPath = join(
+  jsonFilesDir,
+  "ecr-credential-helper-policy.json",
+);
+const credentialHelperRolePath = join(
+  jsonFilesDir,
+  "ecr-credential-helper-role.json",
+);
 
 const main = async () => {
   const clusterId = await getClusterId();

diff --git a/iam/utils.ts b/iam/utils.ts
@@ -5,7 +5,7 @@ import { readFileSync } from "fs";
 export function createPolicy(file: string, policyName: string) {
   const policy = readFile(file);
   return new iam.Policy(policyName, {
-    policy: policy
+    policy: policy,
   });
 }
 

diff --git a/manifests/pepr-module-b95dbd80-e078-5eb9-aaf3-bcb9567417d0.yaml b/manifests/pepr-module-b95dbd80-e078-5eb9-aaf3-bcb9567417d0.yaml