Skip to content

Use generic HMAC flux receiver

Hristiyan Ivanov requested to merge gitlab-community/cluster-integration/gitlab-agent:use-generic-hmac-flux-receiver-secret into master

What does this MR do and why?

The MR is related to #407 and changes the current generic receiver to a generic-hmac receiver. The implementation was done by following - the flux documentation.

Manual test

The test was performed against GDK and the agent as well as KAS were set up by following doc/developing.md.

Reconciliation is successfully triggered after making changes to the kubernetes manifests:

{"level":"debug","time":"2024-03-27T23:28:02.264+0200","msg":"Applying configuration","commit_id":"56ecd191e9fdeac239118c3ccc7e311f0e5420db","agent_config":"{\"observability\":{\"logging\":{\"level\":\"debug\"}}, \"agentId\":\"2\", \"projectId\":\"19\", \"projectPath\":\"root/k8s-agent-new\", \"flux\":{\"webhook_receiver_url\":\"/api/v1/namespaces/flux-system/services/http:webhook-receiver:http/proxy\"}, \"gitlabExternalUrl\":\"https://gdk.test:3443\"}","agent_id":2}
{"level":"debug","time":"2024-03-27T23:28:02.297+0200","msg":"Ignoring updated GitRepository because there are no changes in the spec","mod_name":"flux","namespaced_name":"flux-system/flux-system","agent_id":2}
{"level":"debug","time":"2024-03-27T23:28:02.308+0200","msg":"Ignoring updated GitRepository because there are no changes in the spec","mod_name":"flux","namespaced_name":"flux-system/flux-system","agent_id":2}
{"level":"debug","time":"2024-03-27T23:28:02.661+0200","msg":"Ignoring updated GitRepository because there are no changes in the spec","mod_name":"flux","namespaced_name":"flux-system/flux-system","agent_id":2}
{"level":"debug","time":"2024-03-27T23:28:02.691+0200","msg":"Ignoring updated GitRepository because there are no changes in the spec","mod_name":"flux","namespaced_name":"flux-system/flux-system","agent_id":2}
{"level":"debug","time":"2024-03-27T23:28:02.709+0200","msg":"Ignoring updated GitRepository because there are no changes in the spec","mod_name":"flux","namespaced_name":"flux-system/flux-system","agent_id":2}

A false request can be manually tested by changing the kubernetes secret value using kubectl edit and making a change to any kubernetes manifest:

{"level":"error","time":"2024-03-27T23:31:01.427+0200","msg":"Unable to trigger Receiver","mod_name":"flux","project_id":"root/k8s-agent-new","error":"trigger to \"https://0.0.0.0:51470/api/v1/namespaces/flux-system/services/http:webhook-receiver:http/proxy/hook/42cc30573595281ddbf2b02079d6d3450d4057aba54a7d9733c89dd4b5b17cea\" returned status \"400 Bad Request\"","agent_id":2}
{"level":"debug","time":"2024-03-27T23:31:01.471+0200","msg":"Applying configuration","commit_id":"5825a20753b6314c3bc5773f24a35a08e51a4686","agent_config":"{\"observability\":{\"logging\":{\"level\":\"debug\"}}, \"agentId\":\"2\", \"projectId\":\"19\", \"projectPath\":\"root/k8s-agent-new\", \"flux\":{\"webhook_receiver_url\":\"/api/v1/namespaces/flux-system/services/http:webhook-receiver:http/proxy\"}, \"gitlabExternalUrl\":\"https://gdk.test:3443\"}","agent_id":2}

The Receiver is not triggered successfully and the resources are not reconciled.

Manually testing a false request and receiving a "400 Bad Request" response is no longer possible. The agent always reads the value of the HMAC key from the secret (see !1395 (comment 1861876879)), thus manually changing the secret will have no effect.

MR acceptance checklist

  • Use generic HMAC receiver for flux reconciliation
  • Manually test behaviour
  • Add unit tests
Edited by Hristiyan Ivanov

Merge request reports