diff --git a/packages/zarf-agent/chart/Chart.yaml b/packages/zarf-agent/chart/Chart.yaml
new file mode 100644
index 0000000000..df6ad8c7f2
--- /dev/null
+++ b/packages/zarf-agent/chart/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+description: Zarf agent
+name: raw-init-zarf-agent-zarf-agent
+version: 0.1.0
+
+maintainers:
+ - name: The Zarf Authors
+ url: https://zarf.dev
diff --git a/packages/zarf-agent/chart/templates/clusterrole.yaml b/packages/zarf-agent/chart/templates/clusterrole.yaml
new file mode 100644
index 0000000000..7eefae6411
--- /dev/null
+++ b/packages/zarf-agent/chart/templates/clusterrole.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.clusterRole.name }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
diff --git a/packages/zarf-agent/chart/templates/clusterrolebinding.yaml b/packages/zarf-agent/chart/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..169bf4d1ed
--- /dev/null
+++ b/packages/zarf-agent/chart/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Values.clusterRoleBinding.name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.clusterRole.name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/packages/zarf-agent/manifests/deployment.yaml b/packages/zarf-agent/chart/templates/deployment.yaml
similarity index 65%
rename from packages/zarf-agent/manifests/deployment.yaml
rename to packages/zarf-agent/chart/templates/deployment.yaml
index bc6781071a..980ce5c747 100644
--- a/packages/zarf-agent/manifests/deployment.yaml
+++ b/packages/zarf-agent/chart/templates/deployment.yaml
@@ -1,12 +1,12 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: agent-hook
- namespace: zarf
+ name: {{ .Values.deployment.name }}
+ namespace: {{ .Release.Namespace }}
 labels:
 app: agent-hook
 spec:
- replicas: 2
+ replicas: {{ .Values.deployment.replicaCount }}
 selector:
 matchLabels:
 app: agent-hook
@@ -14,23 +14,23 @@ spec:
 metadata:
 labels:
 app: agent-hook
- # Don't mutate this pod, that would be sad times
 zarf.dev/agent: ignore
 spec:
 imagePullSecrets:
- - name: private-registry
+ - name: {{ .Values.image.pullSecret }}
 priorityClassName: system-node-critical
- serviceAccountName: zarf
- # Security context to comply with restricted PSS
+ serviceAccountName: {{ .Values.serviceAccount.name }}
 securityContext:
 runAsUser: 65532
 fsGroup: 65532
 runAsGroup: 65532
 seccompProfile:
 type: "RuntimeDefault"
+ affinity: {{- toYaml .Values.affinity | nindent 8 }}
+ tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
 containers:
 - name: server
- image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: IfNotPresent
 livenessProbe:
 httpGet:
@@ -47,16 +47,15 @@ spec:
 drop: ["ALL"]
 resources:
 requests:
- memory: "32Mi"
- cpu: "100m"
+ memory: {{ .Values.resources.requests.memory }}
+ cpu: {{ .Values.resources.requests.cpu }}
 limits:
- memory: "128Mi"
- cpu: "500m"
+ memory: {{ .Values.resources.limits.memory }}
+ cpu: {{ .Values.resources.limits.cpu }}
 volumeMounts:
 - name: tls-certs
 mountPath: /etc/certs
 readOnly: true
- # Required for OpenShift to mount k9s vendored directories
 - name: config
 mountPath: /.config
 - name: xdg
@@ -64,8 +63,7 @@ spec:
 volumes:
 - name: tls-certs
 secret:
- secretName: agent-hook-tls
- # Required for OpenShift to mount k9s vendored directories
+ secretName: {{ .Values.secret.name }}
 - name: config
 emptyDir: {}
 - name: xdg
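Review bot: The template drops the three why-comments the manifest carried — `# Don't mutate this pod, that would be sad times` above `zarf.dev/agent: ignore`, `# Security context to comply with restricted PSS` above `securityContext:`, and `# Required for OpenShift to mount k9s vendored directories` on the `config`/`xdg` mounts and volumes (hunks at -14, -47 and -64) — so the template no longer records why those settings exist. If the intent was to keep comments out of the rendered manifests, Helm template comments such as `{{- /* Required for OpenShift to mount k9s vendored directories */ -}}` are stripped at render time and can carry the same notes. The `zarf.dev/agent: ignore` label in particular deserves its explanation kept, since the removed comment indicates it is what opts the agent's own pods out of the webhook it serves.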
diff --git a/packages/zarf-agent/chart/templates/role.yaml b/packages/zarf-agent/chart/templates/role.yaml
new file mode 100644
index 0000000000..60e544663e
--- /dev/null
+++ b/packages/zarf-agent/chart/templates/role.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.role.name }}
+ namespace: {{ .Release.Namespace }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
diff --git a/packages/zarf-agent/chart/templates/rolebinding.yaml b/packages/zarf-agent/chart/templates/rolebinding.yaml
new file mode 100644
index 0000000000..2992cb6c77
--- /dev/null
+++ b/packages/zarf-agent/chart/templates/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.roleBinding.name }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Values.role.name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/packages/zarf-agent/chart/templates/secret.yaml b/packages/zarf-agent/chart/templates/secret.yaml
new file mode 100644
index 0000000000..6e410db512
--- /dev/null
+++ b/packages/zarf-agent/chart/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secret.name }}
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .Values.secret.tlsCrt | quote }}
+ tls.key: {{ .Values.secret.tlsKey | quote }}
diff --git a/packages/zarf-agent/manifests/service.yaml b/packages/zarf-agent/chart/templates/service.yaml
similarity index 63%
rename from packages/zarf-agent/manifests/service.yaml
rename to packages/zarf-agent/chart/templates/service.yaml
index 2b9240be52..5385ca2af7 100644
--- a/packages/zarf-agent/manifests/service.yaml
+++ b/packages/zarf-agent/chart/templates/service.yaml
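Review bot: In secret.yaml `tls.crt`/`tls.key` sit under `data:`, so `.Values.secret.tlsCrt`/`tlsKey` must already be base64-encoded (the deleted manifest relied on the same `###ZARF_AGENT_CRT###`/`###ZARF_AGENT_KEY###` substitution under `data:`), but the template does not say so and a PEM value passed through values would only fail at apply time. A one-line template comment, e.g. `{{- /* tlsCrt/tlsKey are used as-is under data:, so they must be base64-encoded */ -}}`, would record that contract. Routing the private key through chart values also means Helm persists it in its release record in addition to the Secret itself; a note in the template or next to `secret.tlsKey` in values.yaml would tell operators where that key material lives.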
@@ -1,8 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: agent-hook
- namespace: zarf
+ name: {{ .Values.service.name }}
+ namespace: {{ .Release.Namespace }}
 spec:
 selector:
 app: agent-hook
diff --git a/packages/zarf-agent/chart/templates/serviceaccount.yaml b/packages/zarf-agent/chart/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..06f2ba7803
--- /dev/null
+++ b/packages/zarf-agent/chart/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/packages/zarf-agent/manifests/webhook.yaml b/packages/zarf-agent/chart/templates/webhook.yaml
similarity index 93%
rename from packages/zarf-agent/manifests/webhook.yaml
rename to packages/zarf-agent/chart/templates/webhook.yaml
index 359cc92ccb..5a62aa2bef 100644
--- a/packages/zarf-agent/manifests/webhook.yaml
+++ b/packages/zarf-agent/chart/templates/webhook.yaml
@@ -30,8 +30,8 @@ webhooks:
 operator: DoesNotExist
 clientConfig:
 service:
- name: agent-hook
- namespace: zarf
+ name: {{ .Values.service.name }}
+ namespace: {{ .Release.Namespace }}
 path: "/mutate/pod"
 caBundle: "###ZARF_AGENT_CA###"
 rules:
@@ -73,8 +73,8 @@ webhooks:
 - "ignore"
 clientConfig:
 service:
- name: agent-hook
- namespace: zarf
+ name: {{ .Values.service.name }}
+ namespace: {{ .Release.Namespace }}
 path: "/mutate/flux-ocirepository"
 caBundle: "###ZARF_AGENT_CA###"
 rules:
@@ -115,8 +115,8 @@ webhooks:
 - "ignore"
 clientConfig:
 service:
- name: agent-hook
- namespace: zarf
+ name: {{ .Values.service.name }}
+ namespace: {{ .Release.Namespace }}
 path: "/mutate/flux-helmrepository"
 caBundle: "###ZARF_AGENT_CA###"
 rules:
@@ -159,8 +159,8 @@ webhooks:
 - "ignore"
 clientConfig:
 service:
- name: agent-hook
- namespace: zarf
+ name: {{ .Values.service.name }}
+ namespace: {{ .Release.Namespace }}
 path: "/mutate/flux-gitrepository"
 caBundle: "###ZARF_AGENT_CA###"
 rules:
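Review bot: In the webhook hunk at -30 the service `name`/`namespace` become Helm values, but `caBundle: "###ZARF_AGENT_CA###"` two lines below stays a Zarf-only placeholder (likewise in the hunks at -73, -115, -159 and the two at -203 and -249 on the next line), which is inconsistent with `secret.tlsCrt`/`tlsKey` having moved into values.yaml and leaves the chart unrenderable without Zarf's substitution. Consider `caBundle: {{ .Values.secret.caBundle | quote }}` with `caBundle: "###ZARF_AGENT_CA###"` as the values.yaml default, so every Zarf-substituted input is declared in one place. If it is left as is, a comment beside `caBundle` saying it is filled by Zarf templating would avoid the surprise. Each `webhooks:` entry begins and ends outside its hunk.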
@@ -203,8 +203,8 @@ webhooks:
 - "ignore"
 clientConfig:
 service:
- name: agent-hook
- namespace: zarf
+ name: {{ .Values.service.name }}
+ namespace: {{ .Release.Namespace }}
 path: "/mutate/argocd-application"
 caBundle: "###ZARF_AGENT_CA###"
 rules:
@@ -249,8 +249,8 @@ webhooks:
 - repository
 clientConfig:
 service:
- name: agent-hook
- namespace: zarf
+ name: {{ .Values.service.name }}
+ namespace: {{ .Release.Namespace }}
 path: "/mutate/argocd-repository"
 caBundle: "###ZARF_AGENT_CA###"
 rules:
diff --git a/packages/zarf-agent/chart/values.yaml b/packages/zarf-agent/chart/values.yaml
new file mode 100644
index 0000000000..15b84f214d
--- /dev/null
+++ b/packages/zarf-agent/chart/values.yaml
@@ -0,0 +1,42 @@
+serviceAccount:
+ name: zarf
+
+clusterRole:
+ name: service-viewer
+
+clusterRoleBinding:
+ name: service-viewer-binding
+
+role:
+ name: zarf-agent
+
+roleBinding:
+ name: zarf-agent-binding
+
+secret:
+ name: agent-hook-tls
+ tlsCrt: "###ZARF_AGENT_CRT###"
+ tlsKey: "###ZARF_AGENT_KEY###"
+
+service:
+ name: agent-hook
+
+deployment:
+ name: agent-hook
+ replicaCount: 2
+
+image:
+ repository: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###"
+ tag: "###ZARF_CONST_AGENT_IMAGE_TAG###"
+ pullSecret: private-registry
+
+resources:
+ requests:
+ memory: "32Mi"
+ cpu: "100m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+
+affinity: {}
+tolerations: []
diff --git a/packages/zarf-agent/manifests/clusterrole.yaml b/packages/zarf-agent/manifests/clusterrole.yaml
deleted file mode 100644
index d28365447a..0000000000
--- a/packages/zarf-agent/manifests/clusterrole.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: service-viewer
-rules:
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
diff --git a/packages/zarf-agent/manifests/clusterrolebinding.yaml b/packages/zarf-agent/manifests/clusterrolebinding.yaml
deleted file mode 100644
index fbfb53e3b0..0000000000
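Review bot: values.yaml carries no comments, yet several defaults are only meaningful under Zarf's templating (`secret.tlsCrt`, `secret.tlsKey`, `image.repository`, `image.tag`) and `secret.tlsKey` is private key material that Helm will also persist in its release record once it passes through values. A header comment such as `# Values wrapped in ###ZARF_...### are substituted by Zarf at deploy time; secret.tlsKey is sensitive and is also stored in the Helm release record` would make both facts explicit for anyone reading or overriding the file. The RBAC and resource names (`serviceAccount.name`, `role.name`, `clusterRole.name`, `service.name`) are referenced across several templates, so a short comment that they must stay mutually consistent would also help.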
--- a/packages/zarf-agent/manifests/clusterrolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: service-viewer-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: service-viewer
-subjects:
-- kind: ServiceAccount
- name: zarf
- namespace: zarf
diff --git a/packages/zarf-agent/manifests/role.yaml b/packages/zarf-agent/manifests/role.yaml
deleted file mode 100644
index c310ca19b1..0000000000
--- a/packages/zarf-agent/manifests/role.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: zarf-agent
- namespace: zarf
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
diff --git a/packages/zarf-agent/manifests/rolebinding.yaml b/packages/zarf-agent/manifests/rolebinding.yaml
deleted file mode 100644
index c46cae1b72..0000000000
--- a/packages/zarf-agent/manifests/rolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: zarf-agent-binding
- namespace: zarf
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: zarf-agent
-subjects:
-- kind: ServiceAccount
- name: zarf
- namespace: zarf
diff --git a/packages/zarf-agent/manifests/secret.yaml b/packages/zarf-agent/manifests/secret.yaml
deleted file mode 100644
index d3fbb9d76c..0000000000
--- a/packages/zarf-agent/manifests/secret.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: agent-hook-tls
- namespace: zarf
-type: kubernetes.io/tls
-data:
- tls.crt: "###ZARF_AGENT_CRT###"
- tls.key: "###ZARF_AGENT_KEY###"
diff --git a/packages/zarf-agent/manifests/serviceaccount.yaml b/packages/zarf-agent/manifests/serviceaccount.yaml
deleted file mode 100644
index 2f9b060094..0000000000
--- a/packages/zarf-agent/manifests/serviceaccount.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: zarf
- namespace: zarf
diff --git a/packages/zarf-agent/zarf.yaml b/packages/zarf-agent/zarf.yaml
index 1e1dac492f..d6de4da674 100644
--- a/packages/zarf-agent/zarf.yaml
+++ b/packages/zarf-agent/zarf.yaml
@@ -19,19 +19,12 @@ components:
 required: true
 images:
 - "###ZARF_PKG_TMPL_AGENT_IMAGE_DOMAIN######ZARF_PKG_TMPL_AGENT_IMAGE###:###ZARF_PKG_TMPL_AGENT_IMAGE_TAG###"
- manifests:
+ charts:
 - name: zarf-agent
+ releaseName: zarf-d2db14ef40305397791454e883b26fc94ad9615d
+ localPath: chart
+ version: 0.1.0
 namespace: zarf
- files:
- - manifests/service.yaml
- - manifests/secret.yaml
- - manifests/deployment.yaml
- - manifests/webhook.yaml
- - manifests/role.yaml
- - manifests/rolebinding.yaml
- - manifests/clusterrole.yaml
- - manifests/clusterrolebinding.yaml
- - manifests/serviceaccount.yaml
 actions:
 onCreate:
 before:
diff --git a/src/internal/packager/helm/zarf.go b/src/internal/packager/helm/zarf.go
index d4bc8333b2..aaf23b4503 100644
--- a/src/internal/packager/helm/zarf.go
+++ b/src/internal/packager/helm/zarf.go
@@ -94,9 +94,13 @@ func UpdateZarfAgentValues(ctx context.Context, opts InstallUpgradeOptions) erro
 return fmt.Errorf("unable to list helm releases: %w", err)
 }
+ // Ensure we find the release - otherwise this can return without an error and not do anything
+ found := false
 for _, release := range releases {
 // Update the Zarf Agent release with the new values
+ // Maintaining the "raw-init" release name for backwards compatibility
 if release.Chart.Name() == "raw-init-zarf-agent-zarf-agent" {
+ found = true
 chart := v1alpha1.ZarfChart{
 Namespace: "zarf",
 ReleaseName: release.Name,
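Review bot: `releaseName: zarf-d2db14ef40305397791454e883b26fc94ad9615d` in the zarf.yaml hunk is an opaque literal with no explanation of why this exact value is required. Read together with the zarf.go hunk below, which keeps matching the chart name `raw-init-zarf-agent-zarf-agent` "for backwards compatibility", it looks like the name Zarf previously generated for the manifests-based component so that an upgrade adopts the existing release instead of creating a second one, but that is inferred rather than stated. A comment on the line, e.g. `# Pinned to the release name Zarf generated for the former manifests component so upgrades adopt the existing release (confirm derivation)`, would stop a later cleanup from "fixing" it. The enclosing `components:` entry starts and ends outside the hunk.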
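Review bot: The chart name `"raw-init-zarf-agent-zarf-agent"` is what the new `found` flag depends on, yet the error added in the `@@ -124` hunk on the next line, `return fmt.Errorf("unable to find the Zarf Agent release")`, has no format verb and does not say what was searched for, so a failing init gives the operator nothing concrete to check. Hoist the literal, `const agentChartName = "raw-init-zarf-agent-zarf-agent"`, use it in the comparison, and report it: `return fmt.Errorf("no helm release found for chart %q", agentChartName)` (or `errors.New` if the message stays constant). The match is on chart name alone while `Namespace: "zarf"` is hard-coded two lines later; if the `releases` list obtained above the hunk is not namespace-scoped, also compare `release.Namespace` before treating the release as found. `UpdateZarfAgentValues` begins and ends outside these hunks.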
@@ -124,6 +128,10 @@ func UpdateZarfAgentValues(ctx context.Context, opts InstallUpgradeOptions) erro
 }
 }
+ if !found {
+ return fmt.Errorf("unable to find the Zarf Agent release")
+ }
+
 // Trigger a rolling update for the TLS secret update to take effect.
 // https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment
 l.Info("performing a rolling update for the Zarf Agent deployment")