First version of the controller command. (argoproj-labs#1127)

Signed-off-by: Denis Karpelevich <[email protected]>

Author: dkarpele

cmd/controller.go

@@ -0,0 +1,165 @@
+package main
+
+import (
+	"crypto/tls"
+
+	"github.com/argoproj-labs/argocd-image-updater/internal/controller"
+	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/log"
+	"github.com/bombsimon/logrusr/v2"
+	"github.com/spf13/cobra"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"time"
+)
+
+// newControllerCommand implements "controller" command
+func newControllerCommand() *cobra.Command {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var LogLevel string
+	var Interval time.Duration
+
+	var controllerCmd = &cobra.Command{
+		Use:   "controller",
+		Short: "Manages ArgoCD Image Updater Controller.",
+		Long: `The 'controller' command starts the Kubernetes controller responsible for managing
+ImageUpdater Custom Resources (CRs).
+
+This controller monitors ImageUpdater CRs and reconciles them by:
+  - Checking for new container image versions from specified registries.
+  - Applying updates to applications based on CR policies.
+  - Updating the status of the ImageUpdater CRs.
+
+It operates as a long-running manager process within the Kubernetes cluster.
+Flags can configure its metrics, health probes, and leader election.
+This enables a CRD-driven approach to automated image updates with Argo CD.
+`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := log.SetLogLevel(LogLevel); err != nil {
+				return err
+			}
+			logrLogger := logrusr.New(log.Log()) // log.Log() should return the *logrus.Logger
+			ctrl.SetLogger(logrLogger)
+			setupLog := ctrl.Log.WithName("controller-setup")
+			setupLog.Info("Controller runtime logger initialized.", "setAppLogLevel", LogLevel)
+
+			// if the enable-http2 flag is false (the default), http/2 should be disabled
+			// due to its vulnerabilities. More specifically, disabling http/2 will
+			// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+			// Rapid Reset CVEs. For more information see:
+			// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+			// - https://github.com/advisories/GHSA-4374-p667-p6c8
+			var tlsOpts []func(*tls.Config)
+			disableHTTP2 := func(c *tls.Config) {
+				setupLog.Info("disabling http/2")
+				c.NextProtos = []string{"http/1.1"}
+			}
+
+			if !enableHTTP2 {
+				tlsOpts = append(tlsOpts, disableHTTP2)
+			}
+
+			webhookServer := webhook.NewServer(webhook.Options{
+				TLSOpts: tlsOpts,
+			})
+
+			// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+			// More info:
+			// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server
+			// - https://book.kubebuilder.io/reference/metrics.html
+			metricsServerOptions := metricsserver.Options{
+				BindAddress:   metricsAddr,
+				SecureServing: secureMetrics,
+				// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
+				// not provided, self-signed certificates will be generated by default. This option is not recommended for
+				// production environments as self-signed certificates do not offer the same level of trust and security
+				// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
+				// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
+				// to provide certificates, ensuring the server communicates using trusted and secure certificates.
+				TLSOpts: tlsOpts,
+			}
+
+			if secureMetrics {
+				// FilterProvider is used to protect the metrics endpoint with authn/authz.
+				// These configurations ensure that only authorized users and service accounts
+				// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+				// https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization
+				metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+			}
+
+			mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+				Scheme:                 scheme,
+				Metrics:                metricsServerOptions,
+				WebhookServer:          webhookServer,
+				HealthProbeBindAddress: probeAddr,
+				LeaderElection:         enableLeaderElection,
+				LeaderElectionID:       "c21b75f2.argoproj.io",
+				// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+				// when the Manager ends. This requires the binary to immediately end when the
+				// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+				// speeds up voluntary leader transitions as the new leader don't have to wait
+				// LeaseDuration time first.
+				//
+				// In the default scaffold provided, the program ends immediately after
+				// the manager stops, so would be fine to enable this option. However,
+				// if you are doing or is intended to do any operation such as perform cleanups
+				// after the manager stops then its usage might be unsafe.
+				// LeaderElectionReleaseOnCancel: true,
+			})
+			if err != nil {
+				setupLog.Error(err, "unable to start manager")
+				return err
+			}
+
+			reconcilerLogger := ctrl.Log.WithName("reconciler").WithName("ImageUpdater")
+			if err = (&controller.ImageUpdaterReconciler{
+				Client:   mgr.GetClient(),
+				Scheme:   mgr.GetScheme(),
+				Interval: Interval,
+				Log:      reconcilerLogger,
+			}).SetupWithManager(mgr); err != nil {
+				setupLog.Error(err, "unable to create controller", "controller", "ImageUpdater")
+				return err
+			}
+			// +kubebuilder:scaffold:builder
+
+			if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+				setupLog.Error(err, "unable to set up health check")
+				return err
+			}
+			if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+				setupLog.Error(err, "unable to set up ready check")
+				return err
+			}
+
+			setupLog.Info("starting manager")
+			if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+				setupLog.Error(err, "problem running manager")
+				return err
+			}
+			return nil
+		},
+	}
+	controllerCmd.Flags().StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	controllerCmd.Flags().StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	controllerCmd.Flags().BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	controllerCmd.Flags().BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	controllerCmd.Flags().BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	controllerCmd.Flags().StringVar(&LogLevel, "loglevel", "info",
+		"set the loglevel to one of trace|debug|info|warn|error")
+	controllerCmd.Flags().DurationVar(&Interval, "interval", 2*time.Minute,
+		"interval for how often to check for updates")
+
+	return controllerCmd
+}

cmd/controller_test.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+// TestNewControllerCommand tests various flags and their default values.
+func TestNewControllerCommand(t *testing.T) {
+	asser := assert.New(t)
+	controllerCommand := newControllerCommand()
+	asser.Contains(controllerCommand.Use, "controller")
+	asser.Equal(controllerCommand.Short, "Manages ArgoCD Image Updater Controller.")
+	asser.Greater(len(controllerCommand.Long), 100)
+	asser.NotNil(controllerCommand.RunE)
+	asser.Equal("0", controllerCommand.Flag("metrics-bind-address").Value.String())
+	asser.Equal(":8081", controllerCommand.Flag("health-probe-bind-address").Value.String())
+	asser.Equal("false", controllerCommand.Flag("leader-elect").Value.String())
+	asser.Equal("true", controllerCommand.Flag("metrics-secure").Value.String())
+	asser.Equal("false", controllerCommand.Flag("enable-http2").Value.String())
+	asser.Equal("2m0s", controllerCommand.Flag("interval").Value.String())
+	asser.Equal("info", controllerCommand.Flag("loglevel").Value.String())
+	asser.Nil(controllerCommand.Help())
+	asser.True(controllerCommand.HasFlags())
+	asser.True(controllerCommand.HasLocalFlags())
+	asser.False(controllerCommand.HasSubCommands())
+	asser.False(controllerCommand.HasHelpSubCommands())
+}

cmd/main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"k8s.io/apimachinery/pkg/runtime"
 	"os"
 	"text/template"
 	"time"
@@ -27,32 +28,19 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"crypto/tls"
-	"flag"
-
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
-	"k8s.io/apimachinery/pkg/runtime"
+	argocdimageupdaterv1alpha1 "github.com/argoproj-labs/argocd-image-updater/api/v1alpha1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/healthz"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
-	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
-	"sigs.k8s.io/controller-runtime/pkg/webhook"
-
-	argocdimageupdaterv1alpha1 "github.com/argoproj-labs/argocd-image-updater/api/v1alpha1"
-	"github.com/argoproj-labs/argocd-image-updater/internal/controller"
 	// +kubebuilder:scaffold:imports
 )
 
 var (
-	lastRun  time.Time
-	scheme   = runtime.NewScheme()
-	setupLog = ctrl.Log.WithName("setup")
+	lastRun time.Time
+	scheme  = runtime.NewScheme()
 )
 
 // Default ArgoCD server address when running in same cluster as ArgoCD
@@ -103,6 +91,7 @@ func newRootCommand() error {
 	rootCmd.AddCommand(newVersionCommand())
 	rootCmd.AddCommand(newTestCommand())
 	rootCmd.AddCommand(newTemplateCommand())
+	rootCmd.AddCommand(newControllerCommand())
 	err := rootCmd.Execute()
 	return err
 }
@@ -133,120 +122,5 @@ func main() {
 		os.Exit(1)
 	}
 
-	var metricsAddr string
-	var enableLeaderElection bool
-	var probeAddr string
-	var secureMetrics bool
-	var enableHTTP2 bool
-	var tlsOpts []func(*tls.Config)
-	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
-		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
-	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
-		"Enable leader election for controller manager. "+
-			"Enabling this will ensure there is only one active controller manager.")
-	flag.BoolVar(&secureMetrics, "metrics-secure", true,
-		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
-	flag.BoolVar(&enableHTTP2, "enable-http2", false,
-		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
-	opts := zap.Options{
-		Development: true,
-	}
-	opts.BindFlags(flag.CommandLine)
-	flag.Parse()
-
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
-
-	// if the enable-http2 flag is false (the default), http/2 should be disabled
-	// due to its vulnerabilities. More specifically, disabling http/2 will
-	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
-	// Rapid Reset CVEs. For more information see:
-	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
-	// - https://github.com/advisories/GHSA-4374-p667-p6c8
-	disableHTTP2 := func(c *tls.Config) {
-		setupLog.Info("disabling http/2")
-		c.NextProtos = []string{"http/1.1"}
-	}
-
-	if !enableHTTP2 {
-		tlsOpts = append(tlsOpts, disableHTTP2)
-	}
-
-	webhookServer := webhook.NewServer(webhook.Options{
-		TLSOpts: tlsOpts,
-	})
-
-	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
-	// More info:
-	// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server
-	// - https://book.kubebuilder.io/reference/metrics.html
-	metricsServerOptions := metricsserver.Options{
-		BindAddress:   metricsAddr,
-		SecureServing: secureMetrics,
-		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are
-		// not provided, self-signed certificates will be generated by default. This option is not recommended for
-		// production environments as self-signed certificates do not offer the same level of trust and security
-		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing
-		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName
-		// to provide certificates, ensuring the server communicates using trusted and secure certificates.
-		TLSOpts: tlsOpts,
-	}
-
-	if secureMetrics {
-		// FilterProvider is used to protect the metrics endpoint with authn/authz.
-		// These configurations ensure that only authorized users and service accounts
-		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-		// https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization
-		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
-	}
-
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:                 scheme,
-		Metrics:                metricsServerOptions,
-		WebhookServer:          webhookServer,
-		HealthProbeBindAddress: probeAddr,
-		LeaderElection:         enableLeaderElection,
-		LeaderElectionID:       "c21b75f2.argoproj.io",
-		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
-		// when the Manager ends. This requires the binary to immediately end when the
-		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
-		// speeds up voluntary leader transitions as the new leader don't have to wait
-		// LeaseDuration time first.
-		//
-		// In the default scaffold provided, the program ends immediately after
-		// the manager stops, so would be fine to enable this option. However,
-		// if you are doing or is intended to do any operation such as perform cleanups
-		// after the manager stops then its usage might be unsafe.
-		// LeaderElectionReleaseOnCancel: true,
-	})
-	if err != nil {
-		setupLog.Error(err, "unable to start manager")
-		os.Exit(1)
-	}
-
-	if err = (&controller.ImageUpdaterReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "ImageUpdater")
-		os.Exit(1)
-	}
-	// +kubebuilder:scaffold:builder
-
-	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
-		setupLog.Error(err, "unable to set up health check")
-		os.Exit(1)
-	}
-	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
-		setupLog.Error(err, "unable to set up ready check")
-		os.Exit(1)
-	}
-
-	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
-		setupLog.Error(err, "problem running manager")
-		os.Exit(1)
-	}
-
 	os.Exit(0)
 }

internal/controller/imageupdater_controller.go

@@ -18,11 +18,10 @@ package controller
 
 import (
 	"context"
-
+	"github.com/go-logr/logr"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"time"
 
 	argocdimageupdaterv1alpha1 "github.com/argoproj-labs/argocd-image-updater/api/v1alpha1"
@@ -33,6 +32,7 @@ type ImageUpdaterReconciler struct {
 	client.Client
 	Scheme   *runtime.Scheme
 	Interval time.Duration
+	Log      logr.Logger
 }
 
 // +kubebuilder:rbac:groups=argocd-image-updater.argoproj.io,resources=imageupdaters,verbs=get;list;watch;create;update;patch;delete
@@ -76,8 +76,7 @@ type ImageUpdaterReconciler struct {
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *ImageUpdaterReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	log := logf.FromContext(ctx)
-	log = log.WithValues("imageupdater", req.NamespacedName) // Add context to logs
+	log := r.Log.WithValues("imageupdater", req.NamespacedName) // Add context to logs
 	log.Info("Reconciling ImageUpdater")
 
 	// TODO: Implement the full reconciliation logic as described in the docstring: