.github/workflows/e2e.yaml

@@ -28,6 +28,14 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        id: cache
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-ghcache-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-ghcache-
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
@@ -53,7 +61,18 @@ jobs:
             exit 1
           fi
       - name: Build container image
-        run: make docker-build IMG=test/kustomize-controller:latest BUILD_PLATFORMS=linux/amd64 BUILD_ARGS=--load
+        run: |
+          make docker-build IMG=test/kustomize-controller:latest \
+            BUILD_PLATFORMS=linux/amd64 \
+            BUILD_ARGS="--cache-from=type=local,src=/tmp/.buildx-cache \
+              --cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max"
+      - # Temp fix
+        # https://github.com/docker/build-push-action/issues/252
+        # https://github.com/moby/buildkit/issues/1896
+        name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
       - name: Load test image
         run: kind load docker-image test/kustomize-controller:latest
       - name: Install CRDs

CHANGELOG.md

@@ -2,6 +2,22 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.16.0
+
+**Release date:** 2021-10-19
+
+This prerelease comes with support for SOPS encrypted `.env` files used in kustomize secret generator.
+
+Improvements:
+* SOPS: Decrypt dotenv files used in kustomize secret generator
+  [#463](https://github.com/fluxcd/kustomize-controller/pull/463)
+* SOPS: Document dotenv secret generator
+  [#469](https://github.com/fluxcd/kustomize-controller/pull/469)
+
+Fixes:
+* Fix cluster scope detection of applied objects
+  [#465](https://github.com/fluxcd/kustomize-controller/pull/465)
+
 ## 0.15.5
 
 **Release date:** 2021-10-13

Makefile

@@ -14,18 +14,18 @@ endif
 # Allows for defining additional Docker buildx arguments, e.g. '--push'.
 BUILD_ARGS ?=
 # Architectures to build images for.
-BUILD_PLATFORMS ?= linux/amd64,linux/arm64,linux/arm/v7
+BUILD_PLATFORMS ?= linux/amd64
 
 all: manager
 
 # Download the envtest binaries to testbin
 ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
-ENVTEST_AKUBERNETES_VERSION=latest
+ENVTEST_KUBERNETES_VERSION?=latest
 install-envtest: setup-envtest
-	$(SETUP_ENVTEST) use $(ENVTEST_AKUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR)
+	$(SETUP_ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR)
 
 # Run controller tests
-KUBEBUILDER_ASSETS?="$(shell $(SETUP_ENVTEST) use -i $(ENVTEST_AKUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
+KUBEBUILDER_ASSETS?="$(shell $(SETUP_ENVTEST) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
 test: generate fmt vet manifests api-docs download-crd-deps install-envtest
 	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test ./controllers/...  -v -coverprofile cover.out
 

config/manager/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/kustomize-controller
     newName: fluxcd/kustomize-controller
-    newTag: v0.15.5
+    newTag: v0.16.0

config/testdata/impersonation/test.yaml

@@ -44,7 +44,7 @@ spec:
   ref:
     tag: "5.0.3"
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
   name: podinfo
@@ -58,10 +58,15 @@ spec:
   sourceRef:
     kind: GitRepository
     name: podinfo
-  validation: client
-  healthChecks:
-    - kind: Service
-      apiVersion: v1
-      name: podinfo
-      namespace: impersonation
-  timeout: 2m
+  patches:
+    - patch: |
+        apiVersion: autoscaling/v2beta2
+        kind: HorizontalPodAutoscaler
+        metadata:
+          name: podinfo
+        spec:
+          minReplicas: 1
+      target:
+        kind: HorizontalPodAutoscaler
+  wait: true
+  timeout: 1m

controllers/kustomization_controller.go

@@ -40,6 +40,7 @@ import (
 	kuberecorder "k8s.io/client-go/tools/record"
 	"k8s.io/client-go/tools/reference"
 	"sigs.k8s.io/cli-utils/pkg/kstatus/polling"
+	"sigs.k8s.io/cli-utils/pkg/object"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -326,7 +327,7 @@ func (r *KustomizationReconciler) reconcile(
 		), err
 	}
 
-	// create any necessary kube-clients for impersonation
+	// setup the Kubernetes client for impersonation
 	impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, dirPath)
 	kubeClient, statusPoller, err := impersonation.GetClient(ctx)
 	if err != nil {
@@ -360,6 +361,7 @@ func (r *KustomizationReconciler) reconcile(
 		), err
 	}
 
+	// convert the build result into Kubernetes unstructured objects
 	objects, err := ssa.ReadObjects(bytes.NewReader(resources))
 	if err != nil {
 		return kustomizev1.KustomizationNotReady(
@@ -370,29 +372,43 @@ func (r *KustomizationReconciler) reconcile(
 		), err
 	}
 
+	// create a snapshot of the current inventory
+	oldStatus := kustomization.Status.DeepCopy()
+
+	// create the server-side apply manager
 	resourceManager := ssa.NewResourceManager(kubeClient, statusPoller, ssa.Owner{
 		Field: r.ControllerName,
 		Group: kustomizev1.GroupVersion.Group,
 	})
 	resourceManager.SetOwnerLabels(objects, kustomization.GetName(), kustomization.GetNamespace())
 
+	// validate and apply resources in stages
+	drifted, changeSet, err := r.apply(ctx, resourceManager, kustomization, revision, objects)
+	if err != nil {
+		return kustomizev1.KustomizationNotReady(
+			kustomization,
+			revision,
+			meta.ReconciliationFailedReason,
+			err.Error(),
+		), err
+	}
+
 	// create an inventory of objects to be reconciled
 	newInventory := NewInventory()
-	err = AddObjectsToInventory(newInventory, objects)
+	err = AddObjectsToInventory(newInventory, changeSet)
 	if err != nil {
 		return kustomizev1.KustomizationNotReady(
 			kustomization,
 			revision,
-			kustomizev1.BuildFailedReason,
+			meta.ReconciliationFailedReason,
 			err.Error(),
 		), err
 	}
 
 	// detect stale objects which are subject to garbage collection
 	var staleObjects []*unstructured.Unstructured
-	oldInventory := kustomization.Status.Inventory
-	if oldInventory != nil {
-		staleObjects, err = DiffInventory(oldInventory, newInventory)
+	if oldStatus.Inventory != nil {
+		diffObjects, err := DiffInventory(oldStatus.Inventory, newInventory)
 		if err != nil {
 			return kustomizev1.KustomizationNotReady(
 				kustomization,
@@ -401,17 +417,28 @@ func (r *KustomizationReconciler) reconcile(
 				err.Error(),
 			), err
 		}
-	}
 
-	// validate and apply resources in stages
-	drifted, err := r.apply(ctx, resourceManager, kustomization, revision, objects)
-	if err != nil {
-		return kustomizev1.KustomizationNotReady(
-			kustomization,
-			revision,
-			meta.ReconciliationFailedReason,
-			err.Error(),
-		), err
+		// TODO: remove this workaround after kustomize-controller 0.18 release
+		// skip objects that were wrongly marked as namespaced
+		// https://github.com/fluxcd/kustomize-controller/issues/466
+		newObjects, _ := ListObjectsInInventory(newInventory)
+		for _, obj := range diffObjects {
+			preserve := false
+			if obj.GetNamespace() != "" {
+				for _, newObj := range newObjects {
+					if newObj.GetNamespace() == "" &&
+						obj.GetKind() == newObj.GetKind() &&
+						obj.GetAPIVersion() == newObj.GetAPIVersion() &&
+						obj.GetName() == newObj.GetName() {
+						preserve = true
+						break
+					}
+				}
+			}
+			if !preserve {
+				staleObjects = append(staleObjects, obj)
+			}
+		}
 	}
 
 	// run garbage collection for stale objects that do not have pruning disabled
@@ -426,7 +453,7 @@ func (r *KustomizationReconciler) reconcile(
 	}
 
 	// health assessment
-	if err := r.checkHealth(ctx, resourceManager, kustomization, revision, drifted, objects); err != nil {
+	if err := r.checkHealth(ctx, resourceManager, kustomization, revision, drifted, changeSet.ToObjMetadataSet()); err != nil {
 		return kustomizev1.KustomizationNotReadyInventory(
 			kustomization,
 			newInventory,
@@ -563,6 +590,12 @@ func (r *KustomizationReconciler) build(ctx context.Context, kustomization kusto
 	}
 
 	fs := filesys.MakeFsOnDisk()
+	// decrypt .env files before building kustomization
+	if kustomization.Spec.Decryption != nil {
+		if err = dec.decryptDotEnvFiles(dirPath); err != nil {
+			return nil, fmt.Errorf("error decrypting .env file: %w", err)
+		}
+	}
 	m, err := buildKustomization(fs, dirPath)
 	if err != nil {
 		return nil, fmt.Errorf("kustomize build failed: %w", err)
@@ -608,11 +641,11 @@ func (r *KustomizationReconciler) build(ctx context.Context, kustomization kusto
 	return resources, nil
 }
 
-func (r *KustomizationReconciler) apply(ctx context.Context, manager *ssa.ResourceManager, kustomization kustomizev1.Kustomization, revision string, objects []*unstructured.Unstructured) (bool, error) {
+func (r *KustomizationReconciler) apply(ctx context.Context, manager *ssa.ResourceManager, kustomization kustomizev1.Kustomization, revision string, objects []*unstructured.Unstructured) (bool, *ssa.ChangeSet, error) {
 	log := logr.FromContext(ctx)
 
 	if err := ssa.SetNativeKindsDefaults(objects); err != nil {
-		return false, err
+		return false, nil, err
 	}
 
 	// contains only CRDs and Namespaces
@@ -621,6 +654,9 @@ func (r *KustomizationReconciler) apply(ctx context.Context, manager *ssa.Resour
 	// contains all objects except for CRDs and Namespaces
 	var stageTwo []*unstructured.Unstructured
 
+	// contains the objects' metadata after apply
+	resultSet := ssa.NewChangeSet()
+
 	for _, u := range objects {
 		if ssa.IsClusterDefinition(u) {
 			stageOne = append(stageOne, u)
@@ -635,8 +671,9 @@ func (r *KustomizationReconciler) apply(ctx context.Context, manager *ssa.Resour
 	if len(stageOne) > 0 {
 		changeSet, err := manager.ApplyAll(ctx, stageOne, kustomization.Spec.Force)
 		if err != nil {
-			return false, err
+			return false, nil, err
 		}
+		resultSet.Append(changeSet.Entries)
 
 		if changeSet != nil && len(changeSet.Entries) > 0 {
 			log.Info("server-side apply completed", "output", changeSet.ToMap())
@@ -648,7 +685,7 @@ func (r *KustomizationReconciler) apply(ctx context.Context, manager *ssa.Resour
 		}
 
 		if err := manager.Wait(stageOne, 2*time.Second, kustomization.GetTimeout()); err != nil {
-			return false, err
+			return false, nil, err
 		}
 	}
 
@@ -657,8 +694,9 @@ func (r *KustomizationReconciler) apply(ctx context.Context, manager *ssa.Resour
 	if len(stageTwo) > 0 {
 		changeSet, err := manager.ApplyAll(ctx, stageTwo, kustomization.Spec.Force)
 		if err != nil {
-			return false, fmt.Errorf("%w\n%s", err, changeSetLog.String())
+			return false, nil, fmt.Errorf("%w\n%s", err, changeSetLog.String())
 		}
+		resultSet.Append(changeSet.Entries)
 
 		if changeSet != nil && len(changeSet.Entries) > 0 {
 			log.Info("server-side apply completed", "output", changeSet.ToMap())
@@ -676,18 +714,18 @@ func (r *KustomizationReconciler) apply(ctx context.Context, manager *ssa.Resour
 		r.event(ctx, kustomization, revision, events.EventSeverityInfo, applyLog, nil)
 	}
 
-	return applyLog != "", nil
+	return applyLog != "", resultSet, nil
 }
 
-func (r *KustomizationReconciler) checkHealth(ctx context.Context, manager *ssa.ResourceManager, kustomization kustomizev1.Kustomization, revision string, drifted bool, objects []*unstructured.Unstructured) error {
+func (r *KustomizationReconciler) checkHealth(ctx context.Context, manager *ssa.ResourceManager, kustomization kustomizev1.Kustomization, revision string, drifted bool, objects object.ObjMetadataSet) error {
 	if len(kustomization.Spec.HealthChecks) == 0 && !kustomization.Spec.Wait {
 		return nil
 	}
 
 	checkStart := time.Now()
 	var err error
 	if !kustomization.Spec.Wait {
-		objects, err = referenceToUnstructured(kustomization.Spec.HealthChecks)
+		objects, err = referenceToObjMetadataSet(kustomization.Spec.HealthChecks)
 		if err != nil {
 			return err
 		}
@@ -698,11 +736,11 @@ func (r *KustomizationReconciler) checkHealth(ctx context.Context, manager *ssa.
 	}
 
 	// guard against deadlock (waiting on itself)
-	var toCheck []*unstructured.Unstructured
+	var toCheck []object.ObjMetadata
 	for _, object := range objects {
-		if object.GetKind() == kustomizev1.KustomizationKind &&
-			object.GetName() == kustomization.GetName() &&
-			object.GetNamespace() == kustomization.GetNamespace() {
+		if object.GroupKind.Kind == kustomizev1.KustomizationKind &&
+			object.Name == kustomization.GetName() &&
+			object.Namespace == kustomization.GetNamespace() {
 			continue
 		}
 		toCheck = append(toCheck, object)
@@ -720,7 +758,7 @@ func (r *KustomizationReconciler) checkHealth(ctx context.Context, manager *ssa.
 	}
 
 	// check the health with a default timeout of 30sec shorter than the reconciliation interval
-	if err := manager.Wait(toCheck, time.Second, kustomization.GetTimeout()); err != nil {
+	if err := manager.WaitForSet(toCheck, time.Second, kustomization.GetTimeout()); err != nil {
 		return fmt.Errorf("Health check failed after %s, %w", time.Now().Sub(checkStart).String(), err)
 	}