Merge branch 'dev' into release-0.15

Makefile

@@ -25,7 +25,7 @@ ARCH ?= amd64
 OS ?= $(shell uname -s | tr A-Z a-z)
 K8S_LATEST_VER ?= $(shell curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)
 export CONTROLLER_IMG ?= $(REGISTRY)/$(IMAGE_NAME)
-TAG ?= v0.15.1
+TAG ?= v0.15.2
 
 # Get cluster-api version and build ldflags
 clusterapi := $(shell go list -m sigs.k8s.io/cluster-api)

config/default/manager_image_patch.yaml

@@ -8,5 +8,5 @@ spec:
     spec:
       containers:
       # Change the value of image field below to your controller image URL
-      - image: projectsveltos/addon-controller-amd64:v0.15.1
+      - image: projectsveltos/addon-controller-amd64:v0.15.2
         name: controller

controllers/handlers_helm.go

@@ -764,6 +764,10 @@ func installRelease(ctx context.Context, clusterSummary *configv1alpha1.ClusterS
 				if err != nil {
 					return err
 				}
+				// Reload the chart with the updated Chart.lock file.
+				if chartRequested, err = loader.Load(cp); err != nil {
+					return fmt.Errorf("%w: failed reloading chart after repo update", err)
+				}
 			} else {
 				return nil
 			}
@@ -1495,9 +1499,9 @@ func collectHelmContent(manifest string, logger logr.Logger) ([]*unstructured.Un
 			continue
 		}
 
-		policy, err := utils.GetUnstructured([]byte(section))
+		policy, err := utils.GetUnstructured([]byte(elements[i]))
 		if err != nil {
-			logger.Error(err, fmt.Sprintf("failed to get policy from Data %.100s", section))
+			logger.Error(err, fmt.Sprintf("failed to get policy from Data %.100s", elements[i]))
 			return nil, err
 		}
 
@@ -1529,6 +1533,21 @@ func validateInstallHelmResources(ctx context.Context, clusterSummary *configv1a
 	installObject *action.Install, chartRequested *chart.Chart, values map[string]interface{},
 	logger logr.Logger) error {
 
+	// If an Helm chart contains CRDs and also install instances of this CRD, dryRun mode won't work
+	// as CRDs are not really installed by DryRun mode and fetching resources will fail.
+	// "This chart or one of its subcharts contains CRDs. Rendering may fail or contain inaccuracies."
+	// This limitation (do not have any validation if installing such an Helm chart) is listed in the
+	// documentation.
+	// Workaround here is to skip running Run for Helm in DryRun mode if there are no validation.
+	openAPIValidations, luaValidations, err := getComplianceValidations(clusterSummary, logger)
+	if err != nil {
+		return err
+	}
+
+	if len(openAPIValidations) == 0 && len(luaValidations) == 0 {
+		return nil
+	}
+
 	installObject.DryRun = true
 
 	resources, err := installObject.Run(chartRequested, values)
@@ -1544,13 +1563,13 @@ func validateInstallHelmResources(ctx context.Context, clusterSummary *configv1a
 		return err
 	}
 
-	err = validateHelmResourcesAgainstOpenAPIPolicies(ctx, clusterSummary, policies, logger)
+	err = validateHelmResourcesAgainstOpenAPIPolicies(ctx, policies, openAPIValidations, logger)
 	if err != nil {
 		logger.V(logs.LogInfo).Info(fmt.Sprintf("failed to validate helm resources against openAPI policies %v", err))
 		return err
 	}
 
-	err = validateHelmResourcesAgainstLuaPolicies(ctx, clusterSummary, policies, logger)
+	err = validateHelmResourcesAgainstLuaPolicies(ctx, policies, luaValidations, logger)
 	if err != nil {
 		logger.V(logs.LogInfo).Info(fmt.Sprintf("failed to validate helm resources against lua policies %v", err))
 		return err
@@ -1563,6 +1582,21 @@ func validateUpgradeHelmResources(ctx context.Context, clusterSummary *configv1a
 	upgradeObject *action.Upgrade, releaseName string, chartRequested *chart.Chart,
 	values map[string]interface{}, logger logr.Logger) error {
 
+	// If an Helm chart contains CRDs and also install instances of this CRD, dryRun mode won't work
+	// as CRDs are not really installed by DryRun mode and fetching resources will fail.
+	// "This chart or one of its subcharts contains CRDs. Rendering may fail or contain inaccuracies."
+	// This limitation (do not have any validation if installing such an Helm chart) is listed in the
+	// documentation.
+	// Workaround here is to skip running Run for Helm in DryRun mode if there are no validation.
+	openAPIValidations, luaValidations, err := getComplianceValidations(clusterSummary, logger)
+	if err != nil {
+		return err
+	}
+
+	if len(openAPIValidations) == 0 && len(luaValidations) == 0 {
+		return nil
+	}
+
 	upgradeObject.DryRun = true
 
 	resources, err := upgradeObject.Run(releaseName, chartRequested, values)
@@ -1577,13 +1611,13 @@ func validateUpgradeHelmResources(ctx context.Context, clusterSummary *configv1a
 		return err
 	}
 
-	err = validateHelmResourcesAgainstOpenAPIPolicies(ctx, clusterSummary, policies, logger)
+	err = validateHelmResourcesAgainstOpenAPIPolicies(ctx, policies, openAPIValidations, logger)
 	if err != nil {
 		logger.V(logs.LogInfo).Info(fmt.Sprintf("failed to validate helm resources against openAPI policies %v", err))
 		return err
 	}
 
-	err = validateHelmResourcesAgainstLuaPolicies(ctx, clusterSummary, policies, logger)
+	err = validateHelmResourcesAgainstLuaPolicies(ctx, policies, luaValidations, logger)
 	if err != nil {
 		logger.V(logs.LogInfo).Info(fmt.Sprintf("failed to validate helm resources against lua policies %v", err))
 		return err
@@ -1595,17 +1629,11 @@ func validateUpgradeHelmResources(ctx context.Context, clusterSummary *configv1a
 // validateHelmResourcesAgainstOpenAPIPolicies validates each individual resource against
 // all openAPI policies currently enforced for the managed cluster where resource need to be
 // applied
-func validateHelmResourcesAgainstOpenAPIPolicies(ctx context.Context, clusterSummary *configv1alpha1.ClusterSummary,
-	policies []*unstructured.Unstructured, logger logr.Logger) error {
-
-	openAPIPolicies, err := getOpenAPIValidations(clusterSummary.Spec.ClusterNamespace, clusterSummary.Spec.ClusterName,
-		&clusterSummary.Spec.ClusterType, logger)
-	if err != nil {
-		return err
-	}
+func validateHelmResourcesAgainstOpenAPIPolicies(ctx context.Context, policies []*unstructured.Unstructured,
+	openAPIPolicies map[string][]byte, logger logr.Logger) error {
 
 	for i := range policies {
-		err = runOpenAPIValidations(ctx, openAPIPolicies, policies[i], logger)
+		err := runOpenAPIValidations(ctx, openAPIPolicies, policies[i], logger)
 		if err != nil {
 			return err
 		}
@@ -1614,20 +1642,33 @@ func validateHelmResourcesAgainstOpenAPIPolicies(ctx context.Context, clusterSum
 	return nil
 }
 
-// validateHelmResourcesAgainstLuaPolicies validates all resources against all lua policies currently
-// enforced for the managed cluster where resources need to be applied.
-// Lua policies can be written to validate single resources (each deployment replica must be at least 3)
-// or combined resources (each deployment must be exposed by a service).
-func validateHelmResourcesAgainstLuaPolicies(ctx context.Context, clusterSummary *configv1alpha1.ClusterSummary,
-	policies []*unstructured.Unstructured, logger logr.Logger) error {
+// getComplianceValidations returns OpenAPI and Lua compliance policies for cluster
+func getComplianceValidations(clusterSummary *configv1alpha1.ClusterSummary, logger logr.Logger,
+) (openAPIValidations, luaValidations map[string][]byte, err error) {
+
+	openAPIValidations, err = getOpenAPIValidations(clusterSummary.Spec.ClusterNamespace,
+		clusterSummary.Spec.ClusterName, &clusterSummary.Spec.ClusterType, logger)
+	if err != nil {
+		return
+	}
 
-	luaPolicies, err := getLuaValidations(clusterSummary.Spec.ClusterNamespace, clusterSummary.Spec.ClusterName,
+	luaValidations, err = getLuaValidations(clusterSummary.Spec.ClusterNamespace, clusterSummary.Spec.ClusterName,
 		&clusterSummary.Spec.ClusterType, logger)
 	if err != nil {
-		return err
+		return
 	}
 
-	err = runLuaValidations(ctx, luaPolicies, policies, logger)
+	return
+}
+
+// validateHelmResourcesAgainstLuaPolicies validates all resources against all lua policies currently
+// enforced for the managed cluster where resources need to be applied.
+// Lua policies can be written to validate single resources (each deployment replica must be at least 3)
+// or combined resources (each deployment must be exposed by a service).
+func validateHelmResourcesAgainstLuaPolicies(ctx context.Context, policies []*unstructured.Unstructured,
+	luaPolicies map[string][]byte, logger logr.Logger) error {
+
+	err := runLuaValidations(ctx, luaPolicies, policies, logger)
 	if err != nil {
 		return err
 	}

controllers/handlers_utils.go

@@ -422,6 +422,8 @@ func collectContent(ctx context.Context, clusterSummary *configv1alpha1.ClusterS
 				continue
 			}
 
+			section = elements[i]
+
 			if instantiateTemplate {
 				instance, err := instantiateTemplateValues(ctx, getManagementClusterConfig(), getManagementClusterClient(),
 					clusterSummary.Spec.ClusterType, clusterSummary.Spec.ClusterNamespace, clusterSummary.Spec.ClusterName,
@@ -461,6 +463,8 @@ func getUnstructured(section []byte, logger logr.Logger) ([]*unstructured.Unstru
 			continue
 		}
 
+		section = elements[i]
+
 		policy, err := utils.GetUnstructured([]byte(section))
 		if err != nil {
 			logger.Error(err, fmt.Sprintf("failed to get policy from Data %.100s", section))

examples/prometheus-grafana.yaml

@@ -0,0 +1,22 @@
+apiVersion: config.projectsveltos.io/v1alpha1
+kind: ClusterProfile
+metadata:
+  name: prometheus-grafana
+spec:
+  clusterSelector: env=fv
+  syncMode: Continuous
+  helmCharts:
+  - repositoryURL:    https://prometheus-community.github.io/helm-charts
+    repositoryName:   prometheus-community
+    chartName:        prometheus-community/prometheus
+    chartVersion:     23.4.0
+    releaseName:      prometheus
+    releaseNamespace: prometheus
+    helmChartAction:  Install
+  - repositoryURL:    https://grafana.github.io/helm-charts
+    repositoryName:   grafana
+    chartName:        grafana/grafana
+    chartVersion:     6.58.9
+    releaseName:      grafana
+    releaseNamespace: grafana
+    helmChartAction:  Install

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.11.0
 	github.com/onsi/gomega v1.27.8
 	github.com/pkg/errors v0.9.1
-	github.com/projectsveltos/libsveltos v0.15.1
+	github.com/projectsveltos/libsveltos v0.15.2
 	github.com/prometheus/client_golang v1.16.0
 	github.com/spf13/pflag v1.0.5
 	github.com/yuin/gopher-lua v1.1.0

go.sum

@@ -557,8 +557,8 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg
 github.com/poy/onpar v0.0.0-20200406201722-06f95a1c68e8/go.mod h1:nSbFQvMj97ZyhFRSJYtut+msi4sOY6zJDGCdSc+/rZU=
 github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
 github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg=
-github.com/projectsveltos/libsveltos v0.15.1 h1:Rp7lbcjwODJmuhupTWHG9DMs0mrKt4wneiaIeWLaQI8=
-github.com/projectsveltos/libsveltos v0.15.1/go.mod h1:7PaqLwqxsnsG+lV07m4RO4rOg2gKhlmpJVanWcB84JQ=
+github.com/projectsveltos/libsveltos v0.15.2 h1:5xdj4S6gLPY+40zvtqsKeiYvcEl3xQJ/lTSKWxElrlM=
+github.com/projectsveltos/libsveltos v0.15.2/go.mod h1:7PaqLwqxsnsG+lV07m4RO4rOg2gKhlmpJVanWcB84JQ=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=

manifest/manifest.yaml

@@ -1861,7 +1861,7 @@ spec:
         - --v=5
         command:
         - /manager
-        image: projectsveltos/addon-controller-amd64:v0.15.1
+        image: projectsveltos/addon-controller-amd64:v0.15.2
         livenessProbe:
           httpGet:
             path: /healthz

pkg/drift-detection/drift-detection-manager.go

@@ -259,7 +259,7 @@ spec:
         - --run-mode=do-not-send-updates
         command:
         - /manager
-        image: projectsveltos/drift-detection-manager-amd64:v0.15.1
+        image: projectsveltos/drift-detection-manager-amd64:v0.15.2
         livenessProbe:
           httpGet:
             path: /healthz

pkg/drift-detection/drift-detection-manager.yaml

@@ -241,7 +241,7 @@ spec:
         - --run-mode=do-not-send-updates
         command:
         - /manager
-        image: projectsveltos/drift-detection-manager-amd64:v0.15.1
+        image: projectsveltos/drift-detection-manager-amd64:v0.15.2
         livenessProbe:
           httpGet:
             path: /healthz