Extract unrelated code fixes/features out of k8s native apply work

[jeff-mccoy]

Breaking Changes:

• localhost is no longer a valid option for cluster ingress when initializing a zarf cluster. Instead you have to use a 127.0.0.1 or some other local ip found via ifconfig

Fixes:

• No longer depends on 127.0.0.1 local bindings for the registry / gitops service
  • should fix Bug: (or docs issue): Games Example doesn't work on zarf 0.13.3 when using cert imported from Lets Encrypt Free CA #193
• Resolve outstanding issues with image hostname swapping and
  • fixes Remove Containerd direct-dependency #18
  • fixes Unable to use "short" version of docker repo in "remote:" section of zarf.yaml #44
  • fixes Feature/Doc Request: zarf.yaml currently requires docker.io/ prefix to be specified for images from docker hub #194

Features:

• Adds before and after script options when defining a zarf.yaml with an optional retry flag
• Add symlink to ZarfFile for creating links to places files
• Add template boolean to ZarfFile to allow injection of zarf variables into text files
• Adds a new zarf tool command to print out config schema and commit the output to the repo (will need to make a git hook or something later on)
• Changes zarf destroy command to run any script that starts with zarf-clean instead of only running the k3s-remove script
• Add new ZarfState and .zarf-state.yaml for persisting host information from zarf init to zarf package deploy
• Remove all hard-coded logic for k3s install, now uses only standard zarf component features like everything else

Misc:

• Upgrades k3s from v1.21.2 to v1.21.6
• Adds optional regex filter for when performing RecursiveFileList()
• Adds more description to the components in zarf.yaml
• Renames type ZarfConfig to ZarfPackage in the config pkg
• Handful of general code organizing changes (moving yaml related functions to the ...../utils/yaml.go, etc.)
• Expose execCommand() with stdout control
• Move traefik to standalone component and drop the internal k3s install of traefik
• Use the airgap tarball of K3s instead of manually listing images

[RothAndrew]

I think we do need to add in blocking the user from using localhost as the host. When I try it I get this error:

zarf tools registry catalog localhost gives me this:

If we do need to block the user from using localhost, we should also add a "tooltip" or some other kind of help text. Something like:

Enter a host DNS entry or IP Address for the cluster ingress.
Note: Due to <InsertReasonHere> you can't use "localhost" or "127.0.0.1".
Here are some suggestions that I've determined might work for you: [10.0.2.15]

[YrrepNoj]

I think we do need to add in blocking the user from using localhost as the host. When I try it I get this error:

zarf tools registry catalog localhost gives me this:

If we do need to block the user from using localhost, we should also add a "tooltip" or some other kind of help text. Something like:

Enter a host DNS entry or IP Address for the cluster ingress.
Note: Due to <InsertReasonHere> you can't use "localhost" or "127.0.0.1".
Here are some suggestions that I've determined might work for you: [10.0.2.15]

There's a chance you might have been using a different zarf version. I believe this PR prevents you from using localhost as the ingress.

EDIT: Nope.. I didn't realize Jeff pushed a new commit out a few hours ago specifically allowing localhost again. I agree with Andy, maybe should probably consider just disallowing it.

[jeff-mccoy]

So on the localhost thing, nothing should be changing behavior now that would break that. But it's very important we understand you can't use localhosts and 127.0.0.1 interchangeably due to the certs not auto-magically adding those SAN values. Can you show me your .zarf-state.yaml when you're having this issue? Also I do think there might be some issues using localhost vs 127.0.0.1 that we've encountered before--we probably should block the actual DNS localhost. Thoughts?

[RothAndrew]

@jeff-mccoy You're right that 127.0.0.1 works, but localhost doesn't.

When I use --host localhost here's my .zarf-state.yaml, with the errors already mentioned above

kind: ZarfState
tls:
  certPublicPath: zarf-pki/zarf-server.crt
  certPrivatePath: zarf-pki/zarf-server.key
  host: localhost

[jeff-mccoy]

Yeah this was an issue we ran into before if I recall, why we switched everything to hard-coded 127.0.0.1 vs localhost. How do you feel about just blocking localhost for now so we don't totally change how you use this version of zarf?

[RothAndrew]

I'm okay with allowing 127.0.0.1 and blocking localhost. Let's do that.

Question: Once the rest of the native apply stuff is in, are we going to have to block 127.0.0.1 also?

[jeff-mccoy]

as of today yes, there may be some clever workaround, but I haven't found it yet. 😢

[jeff-mccoy]

@RothAndrew made that change in the last commit

[RothAndrew]

For some reason, in the Big Bang example, the flux_generated.yaml manifest is not being deployed. I can see it there in the /var/lib/rancher/k3s/server/manifests folder, but it doesn't deploy.

Deploying the file with kubectl apply -f flux_generated.yaml works fine, and that unblocks the rest of the process from continuing. Need to figure out why it's not deploying automatically.

[RothAndrew]

I changed the name of the file from flux_generated.yaml to abc.yaml and it deployed fine, so it must be something about the name of the file. I'll push a commit that changes the name of the generated file to something else that works.

[jeff-mccoy]

that's super odd....

[RothAndrew]

flux_generated.yaml: doesn't work

flux-generated.yaml: works

🤯 🤯 🤯

[RothAndrew]

/test all

[RothAndrew]

/test all

[jeff-mccoy]

/test all

[jeff-mccoy]

hmm I thought we resolved these terraform versions issues already...also why do they keep popping up? I've never seen so many issues with terraform versions before. 😭

[RothAndrew]

We can loosen up the version constraint. It is very restrictive right now.

[RothAndrew]

/test all

[RothAndrew]

As soon a Jeff pushes up the fix to remove --generate and not need it I think I'll be ready to approve and merge

[RothAndrew]

I'm not sure how it's possible that the E2E tests are passing if we aren't using --generate but Jeff's fix hasn't been pushed up yet. They should be stuck waiting for a nonexistent user to hit the enter key

[jeff-mccoy]

/test all

[RothAndrew]

I'm still being prompted to choose whether to generate the CA or to import one when running ./zarf init --confirm --components management,gitops-service --host 127.0.0.1. I'm completely at a loss why I'm seeing it on my machine but the E2E test isn't.

[jeff-mccoy]

I'm still being prompted to choose whether to generate the CA or to import one when running ./zarf init --confirm --components management,gitops-service --host 127.0.0.1. I'm completely at a loss why I'm seeing it on my machine but the E2E test isn't.

Okay let me look at this

[RothAndrew]

I thought maybe I was still on an older commit somehow but there's the "press tab to see your valid values" stuff...

[jeff-mccoy]

oh weird its a race condition

[jeff-mccoy]

If you let it sit there it will keep running

[jeff-mccoy]

crap I remember now, I was supposed to put a top-level confirm box but forgot to.... ugh

[jeff-mccoy]

/test all

[jeff-mccoy]

/test all

[jeff-mccoy]

........and now registry1 auth is down lol

[RothAndrew]

Yep, that was my signal to quit for the night :D

[jeff-mccoy]

Okay I'm done with the PR now, all tests pass and I set it to squash/automerge whenever you guys get back to work. I'm going to pick back up my other work later tonight and reconcile against this branch even if it doesn't get merged until next week. Thanks for all the coordination, #teamworkMakesTheDreamWork.