Allow specifying the path for manifests updates

- Add optional `path` field to `spec.update`, defaults to the git repo root
- Restrict updates to the specified `spec.update.path`

Signed-off-by: Stefan Prodan <[email protected]>

Author: stefanprodan

api/v1alpha1/imageupdateautomation_types.go

@@ -30,15 +30,18 @@ type ImageUpdateAutomationSpec struct {
 	// ready to make changes.
 	// +required
 	Checkout GitCheckoutSpec `json:"checkout"`
+
 	// Interval gives an lower bound for how often the automation
 	// run should be attempted.
 	// +required
 	Interval metav1.Duration `json:"interval"`
+
 	// Update gives the specification for how to update the files in
 	// the repository. This can be left empty, to use the default
 	// value.
 	// +kubebuilder:default={"strategy":"Setters"}
 	Update *UpdateStrategy `json:"update,omitempty"`
+
 	// Commit specifies how to commit to the git repository.
 	// +required
 	Commit CommitSpec `json:"commit"`
@@ -87,6 +90,12 @@ type UpdateStrategy struct {
 	// +required
 	// +kubebuilder:default=Setters
 	Strategy UpdateStrategyName `json:"strategy"`
+
+	// Path to the directory containing the manifests to be updated.
+	// Defaults to 'None', which translates to the root path
+	// of the GitRepositoryRef.
+	// +optional
+	Path string `json:"path,omitempty"`
 }
 
 // CommitSpec specifies how to commit changes to the git repository

config/crd/bases/image.toolkit.fluxcd.io_imageupdateautomations.yaml

@@ -111,6 +111,11 @@ spec:
                   files in the repository. This can be left empty, to use the default
                   value.
                 properties:
+                  path:
+                    description: Path to the directory containing the manifests to
+                      be updated. Defaults to 'None', which translates to the root
+                      path of the GitRepositoryRef.
+                    type: string
                   strategy:
                     default: Setters
                     description: Strategy names the strategy to be used.

controllers/imageupdateautomation_controller.go

@@ -30,6 +30,7 @@ import (
 	gogit "github.com/go-git/go-git/v5"
 	libgit2 "github.com/libgit2/git2go/v31"
 
+	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/go-logr/logr"
@@ -196,7 +197,16 @@ func (r *ImageUpdateAutomationReconciler) Reconcile(ctx context.Context, req ctr
 			return failWithError(err)
 		}
 
-		if result, err := updateAccordingToSetters(ctx, tmp, policies.Items); err != nil {
+		manifestsPath := tmp
+		if auto.Spec.Update.Path != "" {
+			if p, err := securejoin.SecureJoin(tmp, auto.Spec.Update.Path); err != nil {
+				return failWithError(err)
+			} else {
+				manifestsPath = p
+			}
+		}
+
+		if result, err := updateAccordingToSetters(ctx, manifestsPath, policies.Items); err != nil {
 			return failWithError(err)
 		} else {
 			templateValues.Updated = result

docs/api/image-automation.md

@@ -88,8 +88,8 @@ into which will be interpolated the details of the change made.</p>
 <td>
 <code>gitRepositoryRef</code><br>
 <em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core">
-Kubernetes core/v1.LocalObjectReference
+<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 </a>
 </em>
 </td>
@@ -106,7 +106,9 @@ string
 </em>
 </td>
 <td>
-<p>Branch gives the branch to clone from the git repository.</p>
+<p>Branch gives the branch to clone from the git repository. If
+<code>.spec.push</code> is not supplied, commits will also be pushed to
+this branch.</p>
 </td>
 </tr>
 </tbody>
@@ -206,7 +208,23 @@ CommitSpec
 </em>
 </td>
 <td>
-<p>Commit specifies how to commit to the git repo</p>
+<p>Commit specifies how to commit to the git repository.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>push</code><br>
+<em>
+<a href="#image.toolkit.fluxcd.io/v1alpha1.PushSpec">
+PushSpec
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Push specifies how and where to push commits made by the
+automation. If missing, commits are pushed (back) to
+<code>.spec.checkout.branch</code>.</p>
 </td>
 </tr>
 <tr>
@@ -311,7 +329,23 @@ CommitSpec
 </em>
 </td>
 <td>
-<p>Commit specifies how to commit to the git repo</p>
+<p>Commit specifies how to commit to the git repository.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>push</code><br>
+<em>
+<a href="#image.toolkit.fluxcd.io/v1alpha1.PushSpec">
+PushSpec
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Push specifies how and where to push commits made by the
+automation. If missing, commits are pushed (back) to
+<code>.spec.checkout.branch</code>.</p>
 </td>
 </tr>
 <tr>
@@ -434,6 +468,40 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus
 </table>
 </div>
 </div>
+<h3 id="image.toolkit.fluxcd.io/v1alpha1.PushSpec">PushSpec
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#image.toolkit.fluxcd.io/v1alpha1.ImageUpdateAutomationSpec">ImageUpdateAutomationSpec</a>)
+</p>
+<p>PushSpec specifies how and where to push commits.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>branch</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Branch specifies that commits should be pushed to the branch
+named. The branch is created using <code>.spec.checkout.branch</code> as the
+starting point, if it doesn&rsquo;t already exist.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="image.toolkit.fluxcd.io/v1alpha1.UpdateStrategy">UpdateStrategy
 </h3>
 <p>
@@ -466,6 +534,20 @@ UpdateStrategyName
 <p>Strategy names the strategy to be used.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>path</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Path to the directory containing the manifests to be updated.
+Defaults to &lsquo;None&rsquo;, which translates to the root path
+of the GitRepositoryRef.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>

docs/spec/v1alpha1/imageupdateautomations.md

@@ -108,6 +108,11 @@ type UpdateStrategy struct {
 	// Strategy names the strategy to be used.
 	// +required
 	Strategy UpdateStrategyName `json:"strategy"`
+	// Path to the directory containing the manifests to be updated.
+	// Defaults to 'None', which translates to the root path
+	// of the GitRepositoryRef.
+	// +optional
+	Path string `json:"path,omitempty"`
 }
 ```
 

go.mod

@@ -8,6 +8,7 @@ replace github.com/fluxcd/image-automation-controller/api => ./api
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
 
 require (
+	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/fluxcd/image-automation-controller/api v0.6.1
 	github.com/fluxcd/image-reflector-controller/api v0.7.0
 	github.com/fluxcd/pkg/apis/meta v0.8.0

go.sum

@@ -252,6 +252,7 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=