Merge branch 'main' into deploy-rollout-wait

.env.local

@@ -0,0 +1,2 @@
+LEADER_ELECTION_ENABLED=false
+OPERATOR_NAMESPACE=unleasherator-system

.github/workflows/chart.yaml

@@ -54,21 +54,21 @@ jobs:
           cat ./charts/${{ steps.name.outputs.name }}/values.yaml
 
       - name: Save Chart Metadata
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: chart-metadata
           path: |
             ./charts/${{ steps.name.outputs.name }}/Chart.yaml
 
       - name: Save Chart Values
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: chart-values
           path: |
             ./charts/${{ steps.name.outputs.name }}/values.yaml
 
       - name: Save CRDs Chart Metadata
-        uses: actions/upload-artifact@v3.1.2
+        uses: actions/upload-artifact@v4
         with:
           name: crds-chart-metadata
           path: |
@@ -84,13 +84,13 @@ jobs:
           fetch-depth: 0
 
       - name: Restore Chart Metadata
-        uses: actions/download-artifact@v3.0.2
+        uses: actions/download-artifact@v4.1.0
         with:
           name: chart-metadata
           path: ./charts/${{ needs.meta.outputs.name }}
 
       - name: Restore CRDs Chart Metadata
-        uses: actions/download-artifact@v3.0.2
+        uses: actions/download-artifact@v4.1.0
         with:
           name: crds-chart-metadata
           path: ./charts/${{ needs.meta.outputs.name }}-crds
@@ -100,7 +100,7 @@ jobs:
         with:
           version: ${{ env.HELM_VERSION }}
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           check-latest: true
@@ -171,19 +171,19 @@ jobs:
           fetch-depth: 0
 
       - name: Restore Chart Metadata
-        uses: actions/download-artifact@v3.0.2
+        uses: actions/download-artifact@v4.1.0
         with:
           name: chart-metadata
           path: ./charts/${{ needs.meta.outputs.name }}
 
       - name: Restore Chart Values
-        uses: actions/download-artifact@v3.0.2
+        uses: actions/download-artifact@v4.1.0
         with:
           name: chart-values
           path: ./charts/${{ needs.meta.outputs.name }}
 
       - name: Restore CRDs Chart Metadata
-        uses: actions/download-artifact@v3.0.2
+        uses: actions/download-artifact@v4.1.0
         with:
           name: crds-chart-metadata
           path: ./charts/${{ needs.meta.outputs.name }}-crds
@@ -198,7 +198,7 @@ jobs:
           token_format: access_token
 
       - name: Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@v1
+        uses: google-github-actions/setup-gcloud@v2
 
       - name: Log in to Google Artifact Registry
         if: github.actor != 'dependabot[bot]'

.github/workflows/codeql.yml

@@ -57,7 +57,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -71,7 +71,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -84,6 +84,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/image.yml

@@ -45,7 +45,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Set up Go environment
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: "1.21"
           cache: false
@@ -67,7 +67,7 @@ jobs:
           path: ${{ github.workspace }}/bin
           key: ${{ runner.os }}-bin-${{ hashFiles('Makefile', 'go.mod') }}
       - name: Set up Go environment
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: "1.21"
           use-latest: true

api/v1/apitoken_types.go

@@ -1,6 +1,8 @@
 package unleash_nais_io_v1
 
 import (
+	"strings"
+
 	"github.com/nais/unleasherator/pkg/unleashclient"
 	"github.com/nais/unleasherator/pkg/utils"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -123,7 +125,7 @@ func (t *ApiToken) ApiTokenRequest(suffix string) unleashclient.ApiTokenRequest
 }
 
 func (t *ApiToken) ApiTokenIsEqual(token *unleashclient.ApiToken) bool {
-	return t.Spec.Type == token.Type &&
+	return strings.EqualFold(t.Spec.Type, token.Type) &&
 		t.Spec.Environment == token.Environment &&
 		utils.StringSliceEquals(t.Spec.Projects, token.Projects)
 }

api/v1/apitoken_types_test.go

@@ -65,7 +65,7 @@ func TestApiToken_NamespacedName(t *testing.T) {
 func TestApiToken_IsEqual(t *testing.T) {
 	apiToken := &ApiToken{
 		Spec: ApiTokenSpec{
-			Type:        "client",
+			Type:        "CLIENT",
 			Environment: "development",
 			Projects:    []string{"project1", "project2"},
 		},
@@ -77,20 +77,33 @@ func TestApiToken_IsEqual(t *testing.T) {
 		Projects:    []string{"project1", "project2"},
 	}
 
+	// Test when the token types are case different
+	apiToken.Spec.Type = "ClIeNt"
+	assert.True(t, apiToken.ApiTokenIsEqual(unleashToken))
+
 	// Test when the tokens are equal
 	assert.True(t, apiToken.ApiTokenIsEqual(unleashToken))
 
 	// Test when the tokens have different types
-	unleashToken.Type = "server"
+	unleashToken.Type = "FRONTEND"
 	assert.False(t, apiToken.ApiTokenIsEqual(unleashToken))
 
 	// Test when the tokens have different environments
-	unleashToken.Type = "client"
+	unleashToken.Type = "CLIENT"
 	unleashToken.Environment = "production"
 	assert.False(t, apiToken.ApiTokenIsEqual(unleashToken))
 
-	// Test when the tokens have different projects
+	// Test when the tokens have same projects but in different order
 	unleashToken.Environment = "development"
+	unleashToken.Projects = []string{"project2", "project1"}
+	assert.True(t, apiToken.ApiTokenIsEqual(unleashToken))
+
+	// Test when the tokens have different projects
 	unleashToken.Projects = []string{"project1", "project3"}
 	assert.False(t, apiToken.ApiTokenIsEqual(unleashToken))
+
+	// Test when the tokens are wildcards
+	apiToken.Spec.Projects = []string{"*"}
+	unleashToken.Projects = []string{"*"}
+	assert.True(t, apiToken.ApiTokenIsEqual(unleashToken))
 }

charts/unleasherator/Feature.yaml

@@ -31,6 +31,10 @@ values:
     computed:
       template: |
         iam.gke.io/gcp-service-account: "{{ .Env.unleasherator_service_account }}"
+  # Features
+  controllerManager.manager.env.featureApiTokenUpdateEnabled:
+    config:
+      type: bool
   # Onprem stuff
   controllerManagerGcp.serviceAccountCredentialsJson:
     computed:

charts/unleasherator/templates/deployment.yaml

@@ -56,6 +56,9 @@ spec:
         - name: FEDERATION_PUBSUB_SUBSCRIPTION
           value: {{ quote .Values.controllerManager.manager.env.federationPubsubSubscription
             }}
+        - name: FEATURE_API_TOKEN_UPDATE_ENABLED
+          value: {{ quote .Values.controllerManager.manager.env.featureApiTokenUpdateEnabled
+            }}
         - name: HTTPS_PROXY
           value: {{ quote .Values.controllerManager.manager.env.httpsProxy }}
         - name: NO_PROXY

charts/unleasherator/values.yaml

@@ -32,6 +32,7 @@ controllerManager:
         type: RuntimeDefault
     env:
       apiTokenNameSuffix: unleasherator
+      featureApiTokenUpdateEnabled: "false"
       federationClusterName: ""
       federationPubsubGcpProjectId: ""
       federationPubsubMode: ""

cmd/main.go

@@ -120,11 +120,12 @@ func main() {
 		os.Exit(1)
 	}
 	if err = (&controllers.ApiTokenReconciler{
-		Client:             mgr.GetClient(),
-		Scheme:             mgr.GetScheme(),
-		Recorder:           mgr.GetEventRecorderFor("api-token-controller"),
-		OperatorNamespace:  cfg.OperatorNamespace,
-		ApiTokenNameSuffix: cfg.ApiTokenNameSuffix,
+		Client:                mgr.GetClient(),
+		Scheme:                mgr.GetScheme(),
+		Recorder:              mgr.GetEventRecorderFor("api-token-controller"),
+		OperatorNamespace:     cfg.OperatorNamespace,
+		ApiTokenNameSuffix:    cfg.ApiTokenNameSuffix,
+		ApiTokenUpdateEnabled: cfg.Features.ApiTokenUpdateEnabled,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ApiToken")
 		os.Exit(1)

config/default/manager_config_patch.yaml

@@ -23,6 +23,8 @@ spec:
           value: ""
         - name: FEDERATION_PUBSUB_SUBSCRIPTION
           value: ""
+        - name: "FEATURE_API_TOKEN_UPDATE_ENABLED"
+          value: "false"
         - name: HTTPS_PROXY
           value: ""
         - name: NO_PROXY

config/samples/unleash_v1_unleash.yaml

@@ -10,6 +10,7 @@ metadata:
   name: unleash-sample
 spec:
   size: 1
+  customImage: unleashorg/unleash-server:5
   database:
     secretName: postgres-postgresql
     secretPassKey: postgres-password

controllers/apitoken_controller.go

@@ -53,6 +53,11 @@ type ApiTokenReconciler struct {
 	// in order to avoid name collisions when multiple clusters are
 	// using the same Unleash instance.
 	ApiTokenNameSuffix string
+
+	// ApiTokenUpdateEnabled enables updating tokens in Unleash since
+	// tokens in Unleash are immutable. This is a feature flag that
+	// can be enabled in the operator config.
+	ApiTokenUpdateEnabled bool
 }
 
 //+kubebuilder:rbac:groups=unleash.nais.io,resources=apitokens,verbs=get;list;watch;create;update;patch;delete
@@ -234,23 +239,29 @@ func (r *ApiTokenReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 	// Update token if it differs from the desired state
 	// Tokens in Unleash are immutable, so we need to delete the old token and create a new one
 	if apiToken != nil && !token.ApiTokenIsEqual(apiToken) {
-		log.Info("Updating token in Unleash for ApiToken")
-		log.Info("Deleting old token in Unleash for ApiToken")
-		err = apiClient.DeleteApiToken(token.ApiTokenName(r.ApiTokenNameSuffix))
-		if err != nil {
-			if err := r.updateStatusFailed(ctx, token, err, "TokenUpdateFailed", "Failed to delete old token in Unleash"); err != nil {
+		log.Info(fmt.Sprintf("Token in Kubernetes: type=%s, environment=%s, projects=%s", token.Spec.Type, token.Spec.Environment, token.Spec.Projects))
+		log.Info(fmt.Sprintf("Token in Unleash: type=%s, environment=%s, projects=%s", apiToken.Type, apiToken.Environment, apiToken.Projects))
+
+		if r.ApiTokenUpdateEnabled {
+			log.Info("Deleting old token in Unleash for ApiToken")
+			err = apiClient.DeleteApiToken(token.ApiTokenName(r.ApiTokenNameSuffix))
+			if err != nil {
+				if err := r.updateStatusFailed(ctx, token, err, "TokenUpdateFailed", "Failed to delete old token in Unleash"); err != nil {
+					return ctrl.Result{}, err
+				}
 				return ctrl.Result{}, err
 			}
-			return ctrl.Result{}, err
-		}
 
-		log.Info("Creating new token in Unleash for ApiToken")
-		apiToken, err = apiClient.CreateAPIToken(token.ApiTokenRequest(r.ApiTokenNameSuffix))
-		if err != nil {
-			if err := r.updateStatusFailed(ctx, token, err, "TokenUpdateFailed", "Failed to create new token in Unleash"); err != nil {
+			log.Info("Creating new token in Unleash for ApiToken")
+			apiToken, err = apiClient.CreateAPIToken(token.ApiTokenRequest(r.ApiTokenNameSuffix))
+			if err != nil {
+				if err := r.updateStatusFailed(ctx, token, err, "TokenUpdateFailed", "Failed to create new token in Unleash"); err != nil {
+					return ctrl.Result{}, err
+				}
 				return ctrl.Result{}, err
 			}
-			return ctrl.Result{}, err
+		} else {
+			log.Info("Token update is disabled in operator config")
 		}
 	}
 

controllers/apitoken_controller_test.go

@@ -77,7 +77,7 @@ var _ = Describe("ApiToken controller", func() {
 				existingTokens.Tokens = append(existingTokens.Tokens, unleashclient.ApiToken{
 					Secret:      ApiTokenSecret,
 					Username:    tokenRequest.Username,
-					Type:        tokenRequest.Type,
+					Type:        strings.ToLower(tokenRequest.Type),
 					Environment: tokenRequest.Environment,
 					Project:     tokenRequest.Projects[0],
 					Projects:    tokenRequest.Projects,
@@ -213,7 +213,7 @@ var _ = Describe("ApiToken controller", func() {
 			Expect(httpmock.GetCallCountInfo()[fmt.Sprintf("POST %s", unleashclient.ApiTokensEndpoint)]).Should(Equal(1))
 			Expect(existingTokens.Tokens).Should(HaveLen(1))
 			Expect(existingTokens.Tokens[0].Username).Should(Equal(apiTokenCreated.ApiTokenName("unleasherator")))
-			Expect(existingTokens.Tokens[0].Type).Should(Equal("CLIENT"))
+			Expect(existingTokens.Tokens[0].Type).Should(Equal("client"))
 			Expect(existingTokens.Tokens[0].Environment).Should(Equal("development"))
 			Expect(existingTokens.Tokens[0].Projects).Should(Equal([]string{"default"}))
 
@@ -268,7 +268,7 @@ var _ = Describe("ApiToken controller", func() {
 
 			Expect(httpmock.GetCallCountInfo()[fmt.Sprintf("POST %s", unleashclient.ApiTokensEndpoint)]).Should(Equal(1))
 			Expect(existingTokens.Tokens).Should(HaveLen(1))
-			Expect(existingTokens.Tokens[0].Type).Should(Equal("FRONTEND"))
+			Expect(existingTokens.Tokens[0].Type).Should(Equal("frontend"))
 			Expect(existingTokens.Tokens[0].Environment).Should(Equal("production"))
 			Expect(existingTokens.Tokens[0].Projects).Should(Equal([]string{"project1", "project2", "project3"}))
 

controllers/suite_test.go

@@ -119,10 +119,11 @@ var _ = BeforeSuite(func() {
 	Expect(err).ToNot(HaveOccurred())
 
 	err = (&ApiTokenReconciler{
-		Client:             k8sManager.GetClient(),
-		Scheme:             k8sManager.GetScheme(),
-		OperatorNamespace:  operatorNamespace,
-		ApiTokenNameSuffix: ApiTokenNameSuffix,
+		Client:                k8sManager.GetClient(),
+		Scheme:                k8sManager.GetScheme(),
+		OperatorNamespace:     operatorNamespace,
+		ApiTokenNameSuffix:    ApiTokenNameSuffix,
+		ApiTokenUpdateEnabled: true,
 	}).SetupWithManager(k8sManager)
 	Expect(err).ToNot(HaveOccurred())