fix: kustomize components + monorepos

With #21674 the ability to ignore Kustomize component directories if they
do not exist got introduced. This generally works fine, but the
`securejoin` check is a bit too strict - we want to ensure that no-one
can break out of the repo, but the current implementation doesn't allow
for breaking outside the kustomization folder. This breaks the usage of
this feature when using it for a monorepo.

This PR loosens the check to allow for traversals up to the repo root. We
use the new `os.Root` functionality to ensure that users can't break
outside the repo. Path traversals are still relative from the kustomize
repo.

Signed-off-by: Blake Pettersson <[email protected]>

Author: blakepettersson

util/kustomize/kustomize.go

@@ -24,8 +24,6 @@ import (
 	executil "github.com/argoproj/argo-cd/v3/util/exec"
 	"github.com/argoproj/argo-cd/v3/util/git"
 	"github.com/argoproj/argo-cd/v3/util/proxy"
-
-	securejoin "github.com/cyphar/filepath-securejoin"
 )
 
 // Image represents a Docker image in the format NAME[:TAG].
@@ -346,12 +344,18 @@ func (k *kustomize) Build(opts *v1alpha1.ApplicationSourceKustomize, kustomizeOp
 			foundComponents := opts.Components
 			if opts.IgnoreMissingComponents {
 				foundComponents = make([]string, 0)
+				root, err := os.OpenRoot(k.repoRoot)
+				if err != nil {
+					return nil, nil, nil, fmt.Errorf("failed to open the repo folder: %w", err)
+				}
+
 				for _, c := range opts.Components {
-					resolvedPath, err := securejoin.SecureJoin(k.path, c)
+					resolvedPath, err := filepath.Rel(k.repoRoot, filepath.Join(k.path, c))
 					if err != nil {
-						return nil, nil, nil, fmt.Errorf("Kustomize components path failed: %w", err)
+						log.Debugf("failed to relativize path: %s", err)
+						continue
 					}
-					_, err = os.Stat(resolvedPath)
+					_, err = root.Stat(resolvedPath)
 					if err != nil {
 						log.Debugf("%s component directory does not exist", resolvedPath)
 						continue

util/kustomize/kustomize_test.go

@@ -25,6 +25,7 @@ const (
 	kustomization6 = "kustomization_yaml_components"
 	kustomization7 = "label_without_selector"
 	kustomization8 = "kustomization_yaml_patches_empty"
+	kustomization9 = "kustomization_yaml_components_monorepo"
 )
 
 func testDataDir(tb testing.TB, testData string) (string, error) {
@@ -512,6 +513,31 @@ func TestKustomizeBuildComponents(t *testing.T) {
 	assert.Equal(t, int64(3), replicas)
 }
 
+func TestKustomizeBuildComponentsMonoRepo(t *testing.T) {
+	rootPath, err := testDataDir(t, kustomization9)
+	require.NoError(t, err)
+	appPath := path.Join(rootPath, "envs/inseng-pdx-egert-sandbox/namespaces/inst-system/apps/hello-world")
+	kustomize := NewKustomizeApp(rootPath, appPath, git.NopCreds{}, "", "", "", "")
+	kustomizeSource := v1alpha1.ApplicationSourceKustomize{
+		Components:              []string{"../../../../../../kustomize/components/all"},
+		IgnoreMissingComponents: true,
+	}
+	objs, _, _, err := kustomize.Build(&kustomizeSource, nil, nil, nil)
+	require.NoError(t, err)
+	obj := objs[2]
+	require.Equal(t, "hello-world-kustomize", obj.GetName())
+	require.Equal(t, map[string]string{
+		"app.kubernetes.io/name":  "hello-world-kustomize",
+		"app.kubernetes.io/owner": "fire-team",
+	}, obj.GetLabels())
+	replicas, ok, err := unstructured.NestedSlice(obj.Object, "spec", "template", "spec", "tolerations")
+	require.NoError(t, err)
+	require.True(t, ok)
+	require.Equal(t, 1, len(replicas))
+	require.Equal(t, "my-special-toleration", replicas[0].(map[string]any)["key"])
+	require.Equal(t, "Exists", replicas[0].(map[string]any)["operator"])
+}
+
 func TestKustomizeBuildPatches(t *testing.T) {
 	appPath, err := testDataDir(t, kustomization5)
 	require.NoError(t, err)

util/kustomize/testdata/kustomization_yaml_components_monorepo/kustomize/apps/hello-world/base/deployment.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hello-world
+  labels:
+    app.kubernetes.io/name: hello-world
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: hello-world
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hello-world
+    spec:
+      serviceAccountName: hello-world
+      containers:
+        - name: hello-world
+          image: "nginx:1.16.0"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+      tolerations: []

util/kustomize/testdata/kustomization_yaml_components_monorepo/kustomize/apps/hello-world/base/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- deployment.yaml
+- service.yaml
+- serviceaccount.yaml

util/kustomize/testdata/kustomization_yaml_components_monorepo/kustomize/apps/hello-world/base/service.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-world
+  labels:
+    app.kubernetes.io/name: hello-world
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: hello-world

util/kustomize/testdata/kustomization_yaml_components_monorepo/kustomize/apps/hello-world/base/serviceaccount.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hello-world
+  labels:
+    app.kubernetes.io/name: hello-world

util/kustomize/testdata/kustomization_yaml_components_monorepo/kustomize/components/all/kustomization.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+labels:
+  - pairs:
+      app.kubernetes.io/owner: fire-team
+    includeSelectors: false
+    includeTemplates: false
+
+patches:
+  - target:
+      kind: Deployment
+    patch: |-
+      - op: add
+        path: /spec/template/spec/tolerations/-
+        value:
+          key: my-special-toleration
+          operator: Exists