feat: support alternative temp directory to '/dev/shm', for generated manifests

jgwest · jgwest · commit d002f020c296 · 2024-07-17T04:44:55.000-04:00
Signed-off-by: Jonathan West &lt;jonwest@redhat.com&gt;
diff --git a/agent/main.go b/agent/main.go
@@ -14,6 +14,7 @@ import (
 	"text/tabwriter"
 	"time"
 
+	"github.com/argoproj/gitops-engine/pkg/utils/io"
 	"github.com/argoproj/gitops-engine/pkg/utils/text"
 
 	"github.com/go-logr/logr"
@@ -148,6 +149,7 @@ func newCmd(log logr.Logger) *cobra.Command {
 
 			StartProfiler(log)
 			clusterCache := cache.NewClusterCache(config,
+				io.TempPathUseDevShmIfAvailable(),
 				cache.SetNamespaces(namespaces),
 				cache.SetLogr(log),
 				cache.SetPopulateResourceInfoHandler(func(un *unstructured.Unstructured, isRoot bool) (info interface{}, cacheManifest bool) {
@@ -159,7 +161,7 @@ func newCmd(log logr.Logger) *cobra.Command {
 					return
 				}),
 			)
-			gitOpsEngine := engine.NewEngine(config, clusterCache, engine.WithLogr(log))
+			gitOpsEngine := engine.NewEngine(config, clusterCache, io.TempPathUseDevShmIfAvailable(), engine.WithLogr(log))
 			checkError(err, log)
 
 			cleanup, err := gitOpsEngine.Run()
diff --git a/pkg/cache/cluster.go b/pkg/cache/cluster.go
@@ -143,7 +143,10 @@ type WeightedSemaphore interface {
 type ListRetryFunc func(err error) bool
 
 // NewClusterCache creates new instance of cluster cache
-func NewClusterCache(config *rest.Config, opts ...UpdateSettingsFunc) *clusterCache {
+// - config: cluster config configuration
+// - tmpManifestPath: path where files passed to kubectl code are stored, see 'pkg/utils/io/io.go' for details
+// - opts: additional configuration options.
+func NewClusterCache(config *rest.Config, tmpManifestPath string, opts ...UpdateSettingsFunc) *clusterCache {
 	log := textlogger.NewLogger(textlogger.NewConfig())
 	cache := &clusterCache{
 		settings:           Settings{ResourceHealthOverride: &noopSettings{}, ResourcesFilter: &noopSettings{}},
@@ -155,8 +158,9 @@ func NewClusterCache(config *rest.Config, opts ...UpdateSettingsFunc) *clusterCa
 		nsIndex:            make(map[string]map[kube.ResourceKey]*Resource),
 		config:             config,
 		kubectl: &kube.KubectlCmd{
-			Log:    log,
-			Tracer: tracing.NopTracer{},
+			Log:     log,
+			Tracer:  tracing.NopTracer{},
+			TmpPath: tmpManifestPath,
 		},
 		syncStatus: clusterCacheSync{
 			resyncTimeout: defaultClusterResyncTimeout,
diff --git a/pkg/cache/cluster_test.go b/pkg/cache/cluster_test.go
@@ -30,6 +30,7 @@ import (
 	testcore "k8s.io/client-go/testing"
 	"sigs.k8s.io/yaml"
 
+	"github.com/argoproj/gitops-engine/pkg/utils/io"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
 )
@@ -119,7 +120,7 @@ func newClusterWithOptions(t *testing.T, opts []UpdateSettingsFunc, objs ...runt
 	}, opts...)
 
 	cache := NewClusterCache(
-		&rest.Config{Host: "https://test"},
+		&rest.Config{Host: "https://test"}, io.TempPathUseDevShmIfAvailable(),
 		opts...,
 	)
 	return cache
@@ -779,7 +780,7 @@ func ExampleNewClusterCache_resourceUpdatedEvents() {
 	// kubernetes cluster config here
 	config := &rest.Config{}
 
-	clusterCache := NewClusterCache(config)
+	clusterCache := NewClusterCache(config, io.TempPathUseDevShmIfAvailable())
 	// Ensure cluster is synced before using it
 	if err := clusterCache.EnsureSynced(); err != nil {
 		panic(err)
diff --git a/pkg/cache/predicates_test.go b/pkg/cache/predicates_test.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/argoproj/gitops-engine/pkg/utils/io"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 
 	"github.com/stretchr/testify/assert"
@@ -96,6 +97,7 @@ func ExampleNewClusterCache_inspectNamespaceResources() {
 
 	clusterCache := NewClusterCache(config,
 		// cache default namespace only
+		io.TempPathUseDevShmIfAvailable(),
 		SetNamespaces([]string{"default", "kube-system"}),
 		// configure custom logic to cache resources manifest and additional metadata
 		SetPopulateResourceInfoHandler(func(un *unstructured.Unstructured, isRoot bool) (info interface{}, cacheManifest bool) {
diff --git a/pkg/cache/resource_test.go b/pkg/cache/resource_test.go
@@ -3,11 +3,12 @@ package cache
 import (
 	"testing"
 
+	"github.com/argoproj/gitops-engine/pkg/utils/io"
 	"github.com/stretchr/testify/assert"
 	"k8s.io/client-go/rest"
 )
 
-var cacheTest = NewClusterCache(&rest.Config{})
+var cacheTest = NewClusterCache(&rest.Config{}, io.TempPathUseDevShmIfAvailable())
 
 func TestIsParentOf(t *testing.T) {
 	child := cacheTest.newResource(mustToUnstructured(testPod()))
diff --git a/pkg/cache/settings_test.go b/pkg/cache/settings_test.go
@@ -7,11 +7,12 @@ import (
 	"github.com/stretchr/testify/assert"
 	"k8s.io/client-go/rest"
 
+	"github.com/argoproj/gitops-engine/pkg/utils/io"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
 )
 
 func TestSetSettings(t *testing.T) {
-	cache := NewClusterCache(&rest.Config{}, SetKubectl(&kubetest.MockKubectlCmd{}))
+	cache := NewClusterCache(&rest.Config{}, io.TempPathUseDevShmIfAvailable(), SetKubectl(&kubetest.MockKubectlCmd{}))
 	updatedHealth := &noopSettings{}
 	updatedFilter := &noopSettings{}
 	cache.Invalidate(SetSettings(Settings{ResourceHealthOverride: updatedHealth, ResourcesFilter: updatedFilter}))
@@ -21,15 +22,15 @@ func TestSetSettings(t *testing.T) {
 }
 
 func TestSetConfig(t *testing.T) {
-	cache := NewClusterCache(&rest.Config{}, SetKubectl(&kubetest.MockKubectlCmd{}))
+	cache := NewClusterCache(&rest.Config{}, io.TempPathUseDevShmIfAvailable(), SetKubectl(&kubetest.MockKubectlCmd{}))
 	updatedConfig := &rest.Config{Host: "http://newhost"}
 	cache.Invalidate(SetConfig(updatedConfig))
 
 	assert.Equal(t, updatedConfig, cache.config)
 }
 
 func TestSetNamespaces(t *testing.T) {
-	cache := NewClusterCache(&rest.Config{}, SetKubectl(&kubetest.MockKubectlCmd{}), SetNamespaces([]string{"default"}))
+	cache := NewClusterCache(&rest.Config{}, io.TempPathUseDevShmIfAvailable(), SetKubectl(&kubetest.MockKubectlCmd{}), SetNamespaces([]string{"default"}))
 
 	updatedNamespaces := []string{"updated"}
 	cache.Invalidate(SetNamespaces(updatedNamespaces))
@@ -38,7 +39,7 @@ func TestSetNamespaces(t *testing.T) {
 }
 
 func TestSetResyncTimeout(t *testing.T) {
-	cache := NewClusterCache(&rest.Config{})
+	cache := NewClusterCache(&rest.Config{}, io.TempPathUseDevShmIfAvailable())
 	assert.Equal(t, defaultClusterResyncTimeout, cache.syncStatus.resyncTimeout)
 
 	timeout := 1 * time.Hour
@@ -48,10 +49,10 @@ func TestSetResyncTimeout(t *testing.T) {
 }
 
 func TestSetWatchResyncTimeout(t *testing.T) {
-	cache := NewClusterCache(&rest.Config{})
+	cache := NewClusterCache(&rest.Config{}, io.TempPathUseDevShmIfAvailable())
 	assert.Equal(t, defaultWatchResyncTimeout, cache.watchResyncTimeout)
 
 	timeout := 30 * time.Minute
-	cache = NewClusterCache(&rest.Config{}, SetWatchResyncTimeout(timeout))
+	cache = NewClusterCache(&rest.Config{}, io.TempPathUseDevShmIfAvailable(), SetWatchResyncTimeout(timeout))
 	assert.Equal(t, timeout, cache.watchResyncTimeout)
 }
diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go
@@ -46,8 +46,9 @@ type gitOpsEngine struct {
 }
 
 // NewEngine creates new instances of the GitOps engine
-func NewEngine(config *rest.Config, clusterCache cache.ClusterCache, opts ...Option) GitOpsEngine {
-	o := applyOptions(opts)
+// - tmpPath: path where files passed to kubectl code are stored, see 'pkg/utils/io/io.go' for details
+func NewEngine(config *rest.Config, clusterCache cache.ClusterCache, tmpPath string, opts ...Option) GitOpsEngine {
+	o := applyOptions(opts, tmpPath)
 	return &gitOpsEngine{
 		config:  config,
 		cache:   clusterCache,
diff --git a/pkg/engine/engine_options.go b/pkg/engine/engine_options.go
@@ -15,13 +15,14 @@ type options struct {
 	kubectl kube.Kubectl
 }
 
-func applyOptions(opts []Option) options {
+func applyOptions(opts []Option, tmpPath string) options {
 	log := textlogger.NewLogger(textlogger.NewConfig())
 	o := options{
 		log: log,
 		kubectl: &kube.KubectlCmd{
-			Log:    log,
-			Tracer: tracing.NopTracer{},
+			Log:     log,
+			Tracer:  tracing.NopTracer{},
+			TmpPath: tmpPath,
 		},
 	}
 	for _, opt := range opts {
diff --git a/pkg/utils/io/io.go b/pkg/utils/io/io.go
@@ -1,21 +1,31 @@
 package io
 
-import (
-	"os"
-)
+import "os"
 
 var (
-	// TempDir is set to '/dev/shm' if exists, otherwise is "", which defaults to os.TempDir() when passed to os.CreateTemp()
-	TempDir string
+	// TempDir is set to '/dev/shm' if it exists, otherwise is "", which defaults to os.TempDir() when passed to os.CreateTemp()
+	devShmTempPath string
 )
 
 func init() {
 	fileInfo, err := os.Stat("/dev/shm")
 	if err == nil && fileInfo.IsDir() {
-		TempDir = "/dev/shm"
+		devShmTempPath = "/dev/shm"
 	}
 }
 
+// TempPathUseDevShmIfAvailable will return '/dev/shm' if it is available on the system, otherwise it will return "", which defaults to os.TempDir() when passed to os.CreateTemp()
+//
+// The result of this function is used to store temporary files that are passed to kubectl code. These temporary files are usually cluster credentials or kubernetes manifests.
+//
+// NOTE: There are tradeoffs to using this function: '/dev/shm' is backed by RAM, and thus has limited size.
+// - Since it is backed by RAM, this has the advantage of ensuring that sensitive data (such as credentials) are kept off disk (absent disk caching of memory)
+// - However, due to the limited size, '/dev/shm' may run out of disk space, and/or is more vulnerable to slow leaks of files over time.
+// You may instead consider using a disk-backed storage path like "", which os.CreateTemp() will default to e.g. '/tmp'.
+func TempPathUseDevShmIfAvailable() string {
+	return devShmTempPath
+}
+
 // DeleteFile is best effort deletion of a file
 func DeleteFile(path string) {
 	if _, err := os.Stat(path); os.IsNotExist(err) {
diff --git a/pkg/utils/kube/ctl.go b/pkg/utils/kube/ctl.go
@@ -45,6 +45,8 @@ type KubectlCmd struct {
 	Log          logr.Logger
 	Tracer       tracing.Tracer
 	OnKubectlRun OnKubectlRunFunc
+	// TmpPath is used to store temporary files that are passed to kubectl code. These temporary files are usually cluster credentials or kubernetes manifests. See 'utils/io/io.go' for details.
+	TmpPath string
 }
 
 type APIResourceInfo struct {
@@ -272,7 +274,7 @@ func (k *KubectlCmd) DeleteResource(ctx context.Context, config *rest.Config, gv
 }
 
 func (k *KubectlCmd) ManageResources(config *rest.Config, openAPISchema openapi.Resources) (ResourceOperations, func(), error) {
-	f, err := os.CreateTemp(utils.TempDir, "")
+	f, err := os.CreateTemp(k.TmpPath, "")
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to generate temp file for kubeconfig: %v", err)
 	}
@@ -293,6 +295,7 @@ func (k *KubectlCmd) ManageResources(config *rest.Config, openAPISchema openapi.
 		tracer:        k.Tracer,
 		log:           k.Log,
 		onKubectlRun:  k.OnKubectlRun,
+		tmpPath:       k.TmpPath,
 	}, cleanup, nil
 }
 
diff --git a/pkg/utils/kube/ctl_test.go b/pkg/utils/kube/ctl_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"k8s.io/klog/v2/textlogger"
 
+	"github.com/argoproj/gitops-engine/pkg/utils/io"
 	testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing"
 	"github.com/argoproj/gitops-engine/pkg/utils/tracing"
 )
@@ -20,8 +21,9 @@ var (
 
 func TestConvertToVersion(t *testing.T) {
 	kubectl := KubectlCmd{
-		Log:    textlogger.NewLogger(textlogger.NewConfig()),
-		Tracer: tracing.NopTracer{},
+		Log:     textlogger.NewLogger(textlogger.NewConfig()),
+		Tracer:  tracing.NopTracer{},
+		TmpPath: io.TempPathUseDevShmIfAvailable(),
 	}
 	t.Run("AppsDeployment", func(t *testing.T) {
 		newObj, err := kubectl.ConvertToVersion(testingutils.UnstructuredFromFile("testdata/appsdeployment.yaml"), "apps", "v1")
diff --git a/pkg/utils/kube/resource_ops.go b/pkg/utils/kube/resource_ops.go
@@ -52,6 +52,8 @@ type kubectlResourceOperations struct {
 	onKubectlRun  OnKubectlRunFunc
 	fact          cmdutil.Factory
 	openAPISchema openapi.Resources
+	// tmpPath is used to store temporary files that are passed to kubectl code. These temporary files are usually cluster credentials or kubernetes manifests. See 'utils/io/io.go' for details.
+	tmpPath string
 }
 
 type commandExecutor func(f cmdutil.Factory, ioStreams genericclioptions.IOStreams, fileName string) error
@@ -61,16 +63,16 @@ func (k *kubectlResourceOperations) runResourceCommand(ctx context.Context, obj
 	if err != nil {
 		return "", err
 	}
-	manifestFile, err := os.CreateTemp(io.TempDir, "")
+	manifestFile, err := os.CreateTemp(k.tmpPath, "")
 	if err != nil {
-		return "", fmt.Errorf("Failed to generate temp file for manifest: %v", err)
+		return "", fmt.Errorf("failed to generate temp file for manifest: %v", err)
 	}
 	defer io.DeleteFile(manifestFile.Name())
 	if _, err = manifestFile.Write(manifestBytes); err != nil {
-		return "", fmt.Errorf("Failed to write manifest: %v", err)
+		return "", fmt.Errorf("failed to write manifest: %v", err)
 	}
 	if err = manifestFile.Close(); err != nil {
-		return "", fmt.Errorf("Failed to close manifest: %v", err)
+		return "", fmt.Errorf("failed to close manifest: %v", err)
 	}
 
 	// log manifest

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ type KubectlCmd struct {`
`45`	`45`	`Log logr.Logger`
`46`	`46`	`Tracer tracing.Tracer`
`47`	`47`	`OnKubectlRun OnKubectlRunFunc`
	`48`	`+ // TmpPath is used to store temporary files that are passed to kubectl code. These temporary files are usually cluster credentials or kubernetes manifests. See 'utils/io/io.go' for details.`
	`49`	`+ TmpPath string`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`type APIResourceInfo struct {`
`@@ -272,7 +274,7 @@ func (k KubectlCmd) DeleteResource(ctx context.Context, config rest.Config, gv`
`272`	`274`	`}`
`273`	`275`
`274`	`276`	`func (k KubectlCmd) ManageResources(config rest.Config, openAPISchema openapi.Resources) (ResourceOperations, func(), error) {`
`275`		`- f, err := os.CreateTemp(utils.TempDir, "")`
	`277`	`+ f, err := os.CreateTemp(k.TmpPath, "")`
`276`	`278`	`if err != nil {`
`277`	`279`	`return nil, nil, fmt.Errorf("failed to generate temp file for kubeconfig: %v", err)`
`278`	`280`	`}`
`@@ -293,6 +295,7 @@ func (k KubectlCmd) ManageResources(config rest.Config, openAPISchema openapi.`
`293`	`295`	`tracer: k.Tracer,`
`294`	`296`	`log: k.Log,`
`295`	`297`	`onKubectlRun: k.OnKubectlRun,`
	`298`	`+ tmpPath: k.TmpPath,`
`296`	`299`	`}, cleanup, nil`
`297`	`300`	`}`
`298`	`301`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,8 @@ type kubectlResourceOperations struct {`
`52`	`52`	`onKubectlRun OnKubectlRunFunc`
`53`	`53`	`fact cmdutil.Factory`
`54`	`54`	`openAPISchema openapi.Resources`
	`55`	`+ // tmpPath is used to store temporary files that are passed to kubectl code. These temporary files are usually cluster credentials or kubernetes manifests. See 'utils/io/io.go' for details.`
	`56`	`+ tmpPath string`
`55`	`57`	`}`
`56`	`58`
`57`	`59`	`type commandExecutor func(f cmdutil.Factory, ioStreams genericclioptions.IOStreams, fileName string) error`
`@@ -61,16 +63,16 @@ func (k *kubectlResourceOperations) runResourceCommand(ctx context.Context, obj`
`61`	`63`	`if err != nil {`
`62`	`64`	`return "", err`
`63`	`65`	`}`
`64`		`- manifestFile, err := os.CreateTemp(io.TempDir, "")`
	`66`	`+ manifestFile, err := os.CreateTemp(k.tmpPath, "")`
`65`	`67`	`if err != nil {`
`66`		`- return "", fmt.Errorf("Failed to generate temp file for manifest: %v", err)`
	`68`	`+ return "", fmt.Errorf("failed to generate temp file for manifest: %v", err)`
`67`	`69`	`}`
`68`	`70`	`defer io.DeleteFile(manifestFile.Name())`
`69`	`71`	`if _, err = manifestFile.Write(manifestBytes); err != nil {`
`70`		`- return "", fmt.Errorf("Failed to write manifest: %v", err)`
	`72`	`+ return "", fmt.Errorf("failed to write manifest: %v", err)`
`71`	`73`	`}`
`72`	`74`	`if err = manifestFile.Close(); err != nil {`
`73`		`- return "", fmt.Errorf("Failed to close manifest: %v", err)`
	`75`	`+ return "", fmt.Errorf("failed to close manifest: %v", err)`
`74`	`76`	`}`
`75`	`77`
`76`	`78`	`// log manifest`