Implement ExternalArtifact reconciliation

stefanprodan · stefanprodan · commit 405c8b8194d4 · 2025-09-05T00:00:27.000+03:00
Signed-off-by: Stefan Prodan &lt;stefan.prodan@gmail.com&gt;
diff --git a/api/v1/reference_types.go b/api/v1/reference_types.go
@@ -28,7 +28,7 @@ type CrossNamespaceSourceReference struct {
 	APIVersion string `json:"apiVersion,omitempty"`
 
 	// Kind of the referent.
-	// +kubebuilder:validation:Enum=OCIRepository;GitRepository;Bucket
+	// +kubebuilder:validation:Enum=OCIRepository;GitRepository;Bucket;ExternalArtifact
 	// +required
 	Kind string `json:"kind"`
 
diff --git a/config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml b/config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml
@@ -494,6 +494,7 @@ spec:
                     - OCIRepository
                     - GitRepository
                     - Bucket
+                    - ExternalArtifact
                     type: string
                   name:
                     description: Name of the referent.
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kustomize-system
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v1.7.0-rc.1/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v1.7.0-rc.1/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.7.0-rc.2/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.7.0-rc.2/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager
diff --git a/go.mod b/go.mod
@@ -32,7 +32,7 @@ require (
 	github.com/fluxcd/pkg/ssa v0.53.0
 	github.com/fluxcd/pkg/tar v0.14.0
 	github.com/fluxcd/pkg/testserver v0.13.0
-	github.com/fluxcd/source-controller/api v1.7.0-rc.1
+	github.com/fluxcd/source-controller/api v1.7.0-rc.2
 	github.com/getsops/sops/v3 v3.10.2
 	github.com/google/cel-go v0.26.1
 	github.com/hashicorp/vault/api v1.20.0
diff --git a/go.sum b/go.sum
@@ -217,8 +217,8 @@ github.com/fluxcd/pkg/tar v0.14.0 h1:9Gku8FIvPt2bixKldZnzXJ/t+7SloxePlzyVGOK8GVQ
 github.com/fluxcd/pkg/tar v0.14.0/go.mod h1:+rOWYk93qLEJ8WwmkvJOkB8i0dna1mrwJFybE8i9Udo=
 github.com/fluxcd/pkg/testserver v0.13.0 h1:xEpBcEYtD7bwvZ+i0ZmChxKkDo/wfQEV3xmnzVybSSg=
 github.com/fluxcd/pkg/testserver v0.13.0/go.mod h1:akRYv3FLQUsme15na9ihECRG6hBuqni4XEY9W8kzs8E=
-github.com/fluxcd/source-controller/api v1.7.0-rc.1 h1:FPTZJqLFJQHjP53m1IXN1JzuE0s6KPAU2JepFuXAlDE=
-github.com/fluxcd/source-controller/api v1.7.0-rc.1/go.mod h1:sbJibK4Ik+2AuTRRLXPA+n2u6nLUIGaxC07ava+RqeM=
+github.com/fluxcd/source-controller/api v1.7.0-rc.2 h1:ny21QMsZ1Gs5t5Rx7Pd1s0xc5UT7B4hGySzX+mhWHnw=
+github.com/fluxcd/source-controller/api v1.7.0-rc.2/go.mod h1:sbJibK4Ik+2AuTRRLXPA+n2u6nLUIGaxC07ava+RqeM=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
diff --git a/internal/controller/kustomization_controller.go b/internal/controller/kustomization_controller.go
@@ -662,6 +662,16 @@ func (r *KustomizationReconciler) getSource(ctx context.Context,
 			return src, fmt.Errorf("unable to get source '%s': %w", namespacedName, err)
 		}
 		src = &bucket
+	case sourcev1.ExternalArtifactKind:
+		var ea sourcev1.ExternalArtifact
+		err := r.Client.Get(ctx, namespacedName, &ea)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				return src, err
+			}
+			return src, fmt.Errorf("unable to get source '%s': %w", namespacedName, err)
+		}
+		src = &ea
 	default:
 		return src, fmt.Errorf("source `%s` kind '%s' not supported",
 			obj.Spec.SourceRef.Name, obj.Spec.SourceRef.Kind)
diff --git a/internal/controller/kustomization_externalartifact_test.go b/internal/controller/kustomization_externalartifact_test.go
@@ -0,0 +1,208 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/testserver"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	. "github.com/onsi/gomega"
+	"github.com/opencontainers/go-digest"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+)
+
+func TestKustomizationReconciler_ExternalArtifact(t *testing.T) {
+	g := NewWithT(t)
+	id := "ea-" + randStringRunes(5)
+	revision := "v1.0.0"
+
+	err := createNamespace(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
+
+	err = createKubeConfigSecret(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
+
+	manifests := func(name string, data string) []testserver.File {
+		return []testserver.File{
+			{
+				Name: "secret.yaml",
+				Body: fmt.Sprintf(`---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: %[1]s
+stringData:
+  key: "%[2]s"
+`, name, data),
+			},
+		}
+	}
+
+	artifact, err := testServer.ArtifactFromFiles(manifests(id, randStringRunes(5)))
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create artifact from files")
+
+	sourceNamespace := fmt.Sprintf("source-%v", id)
+	err = createNamespace(sourceNamespace)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create source namespace")
+
+	eaName := types.NamespacedName{
+		Name:      randStringRunes(5),
+		Namespace: sourceNamespace,
+	}
+
+	err = applyExternalArtifact(eaName, artifact, revision)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	kustomizationKey := types.NamespacedName{
+		Name:      fmt.Sprintf("ea-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+	kustomization := &kustomizev1.Kustomization{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      kustomizationKey.Name,
+			Namespace: kustomizationKey.Namespace,
+		},
+		Spec: kustomizev1.KustomizationSpec{
+			Interval: metav1.Duration{Duration: reconciliationInterval},
+			Path:     "./",
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
+					Name: "kubeconfig",
+				},
+			},
+			SourceRef: kustomizev1.CrossNamespaceSourceReference{
+				Name:      eaName.Name,
+				Namespace: eaName.Namespace,
+				Kind:      sourcev1.ExternalArtifactKind,
+			},
+			TargetNamespace: id,
+			Wait:            true,
+		},
+	}
+
+	g.Expect(k8sClient.Create(context.Background(), kustomization)).To(Succeed())
+
+	resultK := &kustomizev1.Kustomization{}
+	readyCondition := &metav1.Condition{}
+
+	t.Run("reconciles from external artifact source", func(t *testing.T) {
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			readyCondition = apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition)
+			return resultK.Status.LastAppliedRevision == revision
+		}, timeout, time.Second).Should(BeTrue())
+
+		g.Expect(readyCondition.Reason).To(Equal(meta.ReconciliationSucceededReason))
+		g.Expect(resultK.Status.LastAppliedRevision).To(Equal(revision))
+
+		events := getEvents(resultK.GetName(), map[string]string{"kustomize.toolkit.fluxcd.io/revision": revision})
+		g.Expect(len(events) > 2).To(BeTrue())
+		g.Expect(events[0].Reason).To(BeIdenticalTo(meta.ProgressingReason))
+		g.Expect(events[0].Message).To(ContainSubstring("created"))
+		g.Expect(events[1].Reason).To(BeIdenticalTo(meta.ProgressingReason))
+		g.Expect(events[1].Message).To(ContainSubstring("check passed"))
+		g.Expect(events[2].Reason).To(BeIdenticalTo(meta.ReconciliationSucceededReason))
+		g.Expect(events[2].Message).To(ContainSubstring("finished"))
+	})
+
+	t.Run("watches for external artifact revision change", func(t *testing.T) {
+		newRev := "v2.0.0"
+		err = applyExternalArtifact(eaName, artifact, newRev)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return resultK.Status.LastAppliedRevision == newRev
+		}, timeout, time.Second).Should(BeTrue())
+
+		g.Expect(resultK.Status.History).To(HaveLen(1))
+		g.Expect(resultK.Status.History[0].TotalReconciliations).To(BeEquivalentTo(2))
+		g.Expect(resultK.Status.History[0].LastReconciledStatus).To(Equal(meta.ReconciliationSucceededReason))
+		g.Expect(resultK.Status.History[0].Metadata).To(ContainElements(newRev))
+	})
+}
+
+func applyExternalArtifact(objKey client.ObjectKey, artifactName string, revision string) error {
+	ea := &sourcev1.ExternalArtifact{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       sourcev1.ExternalArtifactKind,
+			APIVersion: sourcev1.GroupVersion.String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      objKey.Name,
+			Namespace: objKey.Namespace,
+		},
+	}
+
+	b, _ := os.ReadFile(filepath.Join(testServer.Root(), artifactName))
+	dig := digest.SHA256.FromBytes(b)
+
+	url := fmt.Sprintf("%s/%s", testServer.URL(), artifactName)
+
+	status := sourcev1.ExternalArtifactStatus{
+		Conditions: []metav1.Condition{
+			{
+				Type:               meta.ReadyCondition,
+				Status:             metav1.ConditionTrue,
+				LastTransitionTime: metav1.Now(),
+				Reason:             meta.SucceededReason,
+			},
+		},
+		Artifact: &meta.Artifact{
+			Path:           url,
+			URL:            url,
+			Revision:       revision,
+			Digest:         dig.String(),
+			LastUpdateTime: metav1.Now(),
+		},
+	}
+
+	patchOpts := []client.PatchOption{
+		client.ForceOwnership,
+		client.FieldOwner("kustomize-controller"),
+	}
+
+	if err := k8sClient.Patch(context.Background(), ea, client.Apply, patchOpts...); err != nil {
+		return err
+	}
+
+	ea.ManagedFields = nil
+	ea.Status = status
+
+	statusOpts := &client.SubResourcePatchOptions{
+		PatchOptions: client.PatchOptions{
+			FieldManager: "source-controller",
+		},
+	}
+
+	if err := k8sClient.Status().Patch(context.Background(), ea, client.Apply, statusOpts); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/internal/controller/kustomization_indexers.go b/internal/controller/kustomization_indexers.go
@@ -22,13 +22,12 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/conditions"
+	"github.com/fluxcd/pkg/runtime/dependency"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	"github.com/fluxcd/pkg/runtime/dependency"
-
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 
diff --git a/internal/controller/kustomization_manager.go b/internal/controller/kustomization_manager.go
@@ -49,13 +49,20 @@ type KustomizationReconcilerOptions struct {
 // changes in those sources, as well as for ConfigMaps and Secrets that the Kustomizations depend on.
 func (r *KustomizationReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opts KustomizationReconcilerOptions) error {
 	const (
-		indexOCIRepository = ".metadata.ociRepository"
-		indexGitRepository = ".metadata.gitRepository"
-		indexBucket        = ".metadata.bucket"
-		indexConfigMap     = ".metadata.configMap"
-		indexSecret        = ".metadata.secret"
+		indexExternalArtifact = ".metadata.externalArtifact"
+		indexOCIRepository    = ".metadata.ociRepository"
+		indexGitRepository    = ".metadata.gitRepository"
+		indexBucket           = ".metadata.bucket"
+		indexConfigMap        = ".metadata.configMap"
+		indexSecret           = ".metadata.secret"
 	)
 
+	// Index the Kustomizations by the ExternalArtifact references they (may) point at.
+	if err := mgr.GetCache().IndexField(ctx, &kustomizev1.Kustomization{}, indexExternalArtifact,
+		r.indexBy(sourcev1.ExternalArtifactKind)); err != nil {
+		return fmt.Errorf("failed creating index %s: %w", indexExternalArtifact, err)
+	}
+
 	// Index the Kustomizations by the OCIRepository references they (may) point at.
 	if err := mgr.GetCache().IndexField(ctx, &kustomizev1.Kustomization{}, indexOCIRepository,
 		r.indexBy(sourcev1.OCIRepositoryKind)); err != nil {
@@ -129,6 +136,11 @@ func (r *KustomizationReconciler) SetupWithManager(ctx context.Context, mgr ctrl
 		For(&kustomizev1.Kustomization{}, builder.WithPredicates(
 			predicate.Or(predicate.GenerationChangedPredicate{}, predicates.ReconcileRequestedPredicate{}),
 		)).
+		Watches(
+			&sourcev1.ExternalArtifact{},
+			handler.EnqueueRequestsFromMapFunc(r.requestsForRevisionChangeOf(indexExternalArtifact)),
+			builder.WithPredicates(SourceRevisionChangePredicate{}),
+		).
 		Watches(
 			&sourcev1.OCIRepository{},
 			handler.EnqueueRequestsFromMapFunc(r.requestsForRevisionChangeOf(indexOCIRepository)),
