fix(deps): update module github.com/defenseunicorns/pkg/helpers to v1

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/anchore/clio v0.0.0-20240307182142-fb5fc4c9db3c
 	github.com/anchore/stereoscope v0.0.1
 	github.com/anchore/syft v0.100.0
-	github.com/defenseunicorns/pkg/helpers v0.0.2
+	github.com/defenseunicorns/pkg/helpers v1.0.0
 	github.com/defenseunicorns/pkg/oci v0.0.1
 	github.com/derailed/k9s v0.31.7
 	github.com/distribution/reference v0.5.0

go.sum

@@ -593,8 +593,8 @@ github.com/daviddengcn/go-colortext v1.0.0 h1:ANqDyC0ys6qCSvuEK7l3g5RaehL/Xck9EX
 github.com/daviddengcn/go-colortext v1.0.0/go.mod h1:zDqEI5NVUop5QPpVJUxE9UO10hRnmkD5G4Pmri9+m4c=
 github.com/defenseunicorns/gojsonschema v0.0.0-20231116163348-e00f069122d6 h1:gwevOZ0fxT2nzM9hrtdPbsiOHjFqDRIYMzJHba3/G6Q=
 github.com/defenseunicorns/gojsonschema v0.0.0-20231116163348-e00f069122d6/go.mod h1:StKLYMmPj1R5yIs6CK49EkcW1TvUYuw5Vri+LRk7Dy8=
-github.com/defenseunicorns/pkg/helpers v0.0.2 h1:Axfk96vWkYQpya7E/JkghzwITu2F4GocpGm+mqEVcEg=
-github.com/defenseunicorns/pkg/helpers v0.0.2/go.mod h1:F4S5VZLDrlNWQKklzv4v9tFWjjZNhxJ1gT79j4XiLwk=
+github.com/defenseunicorns/pkg/helpers v1.0.0 h1:0o3Rs+J/g0UemZHcENBS1Z2Qw2y4FIUUrGs75iEyPb4=
+github.com/defenseunicorns/pkg/helpers v1.0.0/go.mod h1:F4S5VZLDrlNWQKklzv4v9tFWjjZNhxJ1gT79j4XiLwk=
 github.com/defenseunicorns/pkg/oci v0.0.1 h1:EFRp3NeiwzhOWKpQ6mAxi0l9chnrAvDcIgjMr0o0fkM=
 github.com/defenseunicorns/pkg/oci v0.0.1/go.mod h1:zVBgRjckEAhfdvbnQrnfOP/3M/GYJkIgWtJtY7pjYdo=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=

src/pkg/k8s/common.go

@@ -20,6 +20,9 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 )
 
+// cannot import config.ZarfManagedByLabel due to import cycle
+const zarfManagedByLabel = "app.kubernetes.io/managed-by"
+
 // New creates a new K8s client.
 func New(logger Log, defaultLabels Labels) (*K8s, error) {
 	klog.SetLogger(funcr.New(func(_, args string) {

src/pkg/k8s/configmap.go

@@ -8,7 +8,6 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/defenseunicorns/pkg/helpers"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,13 +28,11 @@ func (k *K8s) CreateConfigmap(namespace, name string, data map[string][]byte) (*
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
+			Labels:    make(Labels),
 		},
 		BinaryData: data,
 	}
 
-	// Merge in common labels so that later modifications to the namespace can't mutate them
-	configMap.ObjectMeta.Labels = helpers.MergeMap[string](k.Labels, configMap.ObjectMeta.Labels)
-
 	createOptions := metav1.CreateOptions{}
 	return k.Clientset.CoreV1().ConfigMaps(namespace).Create(context.TODO(), configMap, createOptions)
 }

src/pkg/k8s/namespace.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"cuelang.org/go/pkg/strings"
-	"github.com/defenseunicorns/pkg/helpers"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -64,20 +63,18 @@ func (k *K8s) DeleteNamespace(ctx context.Context, name string) error {
 
 // NewZarfManagedNamespace returns a corev1.Namespace with Zarf-managed labels
 func (k *K8s) NewZarfManagedNamespace(name string) *corev1.Namespace {
-	namespace := &corev1.Namespace{
+	return &corev1.Namespace{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: corev1.SchemeGroupVersion.String(),
 			Kind:       "Namespace",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
+			Labels: map[string]string{
+				zarfManagedByLabel: "zarf",
+			},
 		},
 	}
-
-	// Merge in common labels so that later modifications to the namespace can't mutate them
-	namespace.ObjectMeta.Labels = helpers.MergeMap[string](k.Labels, namespace.ObjectMeta.Labels)
-
-	return namespace
 }
 
 // IsInitialNamespace returns true if the given namespace name is an initial k8s namespace: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#initial-namespaces

src/pkg/k8s/pods.go

@@ -9,7 +9,6 @@ import (
 	"sort"
 	"time"
 
-	"github.com/defenseunicorns/pkg/helpers"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -27,12 +26,10 @@ func (k *K8s) GeneratePod(name, namespace string) *corev1.Pod {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
+			Labels:    make(Labels),
 		},
 	}
 
-	// Merge in common labels so that later modifications to the pod can't mutate them
-	pod.ObjectMeta.Labels = helpers.MergeMap[string](k.Labels, pod.ObjectMeta.Labels)
-
 	return pod
 }
 

src/pkg/k8s/secrets.go

@@ -9,7 +9,6 @@ import (
 	"crypto/tls"
 	"fmt"
 
-	"github.com/defenseunicorns/pkg/helpers"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -28,23 +27,21 @@ func (k *K8s) GetSecretsWithLabel(namespace, labelSelector string) (*corev1.Secr
 
 // GenerateSecret returns a Kubernetes secret object without applying it to the cluster.
 func (k *K8s) GenerateSecret(namespace, name string, secretType corev1.SecretType) *corev1.Secret {
-	secret := &corev1.Secret{
+	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: corev1.SchemeGroupVersion.String(),
 			Kind:       "Secret",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
+			Labels: map[string]string{
+				zarfManagedByLabel: "zarf",
+			},
 		},
 		Type: secretType,
 		Data: map[string][]byte{},
 	}
-
-	// Merge in common labels so that later modifications to the secret can't mutate them
-	secret.ObjectMeta.Labels = helpers.MergeMap[string](k.Labels, secret.ObjectMeta.Labels)
-
-	return secret
 }
 
 // GenerateTLSSecret returns a Kubernetes secret object without applying it to the cluster.

src/pkg/k8s/services.go

@@ -46,12 +46,10 @@ func (k *K8s) GenerateService(namespace, name string) *corev1.Service {
 			Name:        name,
 			Namespace:   namespace,
 			Annotations: make(Labels),
+			Labels:      make(Labels),
 		},
 	}
 
-	// Merge in common labels so that later modifications to the service can't mutate them
-	service.ObjectMeta.Labels = helpers.MergeMap[string](k.Labels, service.ObjectMeta.Labels)
-
 	return service
 }
 

src/test/e2e/20_zarf_init_test.go

@@ -105,12 +105,19 @@ func TestZarfInit(t *testing.T) {
 	require.NoError(t, err)
 	require.Contains(t, stdOut, "Min")
 
+	verifyZarfNamespaceLabels(t)
+	verifyZarfSecretLabels(t)
+	verifyZarfPodLabels(t)
+	verifyZarfServiceLabels(t)
+
 	// Special sizing-hacking for reducing resources where Kind + CI eats a lot of free cycles (ignore errors)
 	_, _, _ = e2e.Kubectl("scale", "deploy", "-n", "kube-system", "coredns", "--replicas=1")
 	_, _, _ = e2e.Kubectl("scale", "deploy", "-n", "zarf", "agent-hook", "--replicas=1")
 }
 
 func checkLogForSensitiveState(t *testing.T, logText string, zarfState types.ZarfState) {
+	t.Helper()
+
 	require.NotContains(t, logText, zarfState.AgentTLS.CA)
 	require.NotContains(t, logText, string(zarfState.AgentTLS.CA))
 	require.NotContains(t, logText, zarfState.AgentTLS.Cert)
@@ -125,3 +132,105 @@ func checkLogForSensitiveState(t *testing.T, logText string, zarfState types.Zar
 	require.NotContains(t, logText, zarfState.RegistryInfo.Secret)
 	require.NotContains(t, logText, zarfState.LoggingSecret)
 }
+
+func verifyZarfNamespaceLabels(t *testing.T) {
+	t.Helper()
+
+	expectedLabels := `'{"app.kubernetes.io/managed-by":"zarf","kubernetes.io/metadata.name":"zarf"}'`
+	actualLabels, _, err := e2e.Kubectl("get", "ns", "zarf", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+}
+
+func verifyZarfSecretLabels(t *testing.T) {
+	t.Helper()
+
+	// zarf state
+	expectedLabels := `'{"app.kubernetes.io/managed-by":"zarf"}'`
+	actualLabels, _, err := e2e.Kubectl("get", "-n=zarf", "secret", "zarf-state", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+
+	// init package secret
+	expectedLabels = `'{"app.kubernetes.io/managed-by":"zarf","package-deploy-info":"init"}'`
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "secret", "zarf-package-init", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+
+	// registry
+	expectedLabels = `'{"app.kubernetes.io/managed-by":"zarf"}'`
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "secret", "private-registry", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+
+	// agent hook TLS
+	//
+	// this secret does not have the managed by zarf label
+	// because it is deployed as a helm chart rather than generated in Go code.
+	expectedLabels = `'{"app.kubernetes.io/managed-by":"Helm"}'`
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "secret", "agent-hook-tls", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+
+	// git server
+	expectedLabels = `'{"app.kubernetes.io/managed-by":"zarf"}'`
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "secret", "private-git-server", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+}
+
+func verifyZarfPodLabels(t *testing.T) {
+	t.Helper()
+
+	// registry
+	podHash, _, err := e2e.Kubectl("get", "-n=zarf", "--selector=app=docker-registry", "pods", `-o=jsonpath="{.items[0].metadata.labels['pod-template-hash']}"`)
+	require.NoError(t, err)
+	expectedLabels := fmt.Sprintf(`'{"app":"docker-registry","pod-template-hash":%s,"release":"zarf-docker-registry","zarf.dev/agent":"ignore"}'`, podHash)
+	actualLabels, _, err := e2e.Kubectl("get", "-n=zarf", "--selector=app=docker-registry", "pods", "-o=jsonpath='{.items[0].metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+
+	// agent
+	podHash, _, err = e2e.Kubectl("get", "-n=zarf", "--selector=app=agent-hook", "pods", `-o=jsonpath="{.items[0].metadata.labels['pod-template-hash']}"`)
+	require.NoError(t, err)
+	expectedLabels = fmt.Sprintf(`'{"app":"agent-hook","pod-template-hash":%s,"zarf.dev/agent":"ignore"}'`, podHash)
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "--selector=app=agent-hook", "pods", "-o=jsonpath='{.items[0].metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+
+	// logging and git server pods should have the `zarf-agent=patched` label
+	// since they should have been mutated by the agent
+	patchedLabel := `"zarf-agent":"patched"`
+
+	// logging
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "--selector=app.kubernetes.io/instance=zarf-loki-stack", "pods", "-o=jsonpath='{.items[0].metadata.labels}'")
+	require.NoError(t, err)
+	require.Contains(t, actualLabels, patchedLabel)
+
+	// git server
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "--selector=app.kubernetes.io/instance=zarf-gitea  ", "pods", "-o=jsonpath='{.items[0].metadata.labels}'")
+	require.NoError(t, err)
+	require.Contains(t, actualLabels, patchedLabel)
+}
+
+func verifyZarfServiceLabels(t *testing.T) {
+	t.Helper()
+
+	// registry
+	expectedLabels := `'{"app.kubernetes.io/managed-by":"Helm","zarf.dev/connect-name":"registry"}'`
+	actualLabels, _, err := e2e.Kubectl("get", "-n=zarf", "service", "zarf-connect-registry", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+
+	// logging
+	expectedLabels = `'{"app.kubernetes.io/managed-by":"Helm","zarf.dev/connect-name":"logging"}'`
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "service", "zarf-connect-logging", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+
+	// git server
+	expectedLabels = `'{"app.kubernetes.io/managed-by":"Helm","zarf.dev/connect-name":"git"}'`
+	actualLabels, _, err = e2e.Kubectl("get", "-n=zarf", "service", "zarf-connect-git", "-o=jsonpath='{.metadata.labels}'")
+	require.NoError(t, err)
+	require.Equal(t, expectedLabels, actualLabels)
+}