Merge pull request #226 from /issues/225

markgoddard · web-flow · commit 30c45074c74e · 2025-05-14T10:43:22.000+01:00
fix: don't fail Helm chart check if cluster is unreachable
diff --git a/cmd/cofidectl/cmd/cluster/cluster.go b/cmd/cofidectl/cmd/cluster/cluster.go
@@ -97,6 +97,7 @@ This command will delete a cluster from the Cofide configuration state.
 
 type delOpts struct {
 	trustZone string
+	force     bool
 }
 
 func (c *ClusterCommand) getDelCommand() *cobra.Command {
@@ -111,17 +112,18 @@ func (c *ClusterCommand) getDelCommand() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			return c.deleteCluster(cmd.Context(), args[0], opts.trustZone, kubeConfig)
+			return c.deleteCluster(cmd.Context(), args[0], opts.trustZone, kubeConfig, opts.force)
 		},
 	}
 	f := cmd.Flags()
 	f.StringVar(&opts.trustZone, "trust-zone", "", "Name of the cluster's trust zone")
+	f.BoolVar(&opts.force, "force", false, "Skip pre-delete checks")
 
 	cobra.CheckErr(cmd.MarkFlagRequired("trust-zone"))
 	return cmd
 }
 
-func (c *ClusterCommand) deleteCluster(ctx context.Context, name, trustZoneName, kubeConfig string) error {
+func (c *ClusterCommand) deleteCluster(ctx context.Context, name, trustZoneName, kubeConfig string, force bool) error {
 	ds, err := c.cmdCtx.PluginManager.GetDataSource(ctx)
 	if err != nil {
 		return err
@@ -132,11 +134,13 @@ func (c *ClusterCommand) deleteCluster(ctx context.Context, name, trustZoneName,
 		return err
 	}
 
-	// Fail if the cluster is up.
-	if deployed, err := helmprovider.IsClusterDeployed(ctx, cluster, kubeConfig); err != nil {
-		return err
-	} else if deployed {
-		return fmt.Errorf("cluster %s in trust zone %s cannot be deleted while it is up", name, trustZoneName)
+	if !force {
+		// Fail if the cluster is reachable and SPIRE is deployed.
+		if deployed, err := helmprovider.IsClusterDeployed(ctx, cluster, kubeConfig); err != nil {
+			return err
+		} else if deployed {
+			return fmt.Errorf("cluster %s in trust zone %s cannot be deleted while it is up", name, trustZoneName)
+		}
 	}
 
 	return ds.DestroyCluster(name, trustZoneName)
diff --git a/cmd/cofidectl/cmd/federation/federation.go b/cmd/cofidectl/cmd/federation/federation.go
@@ -147,6 +147,10 @@ func checkFederationStatus(ctx context.Context, ds datasource.DataSource, kubeCo
 			return "", "", err
 		}
 
+		if err := helm.IsClusterReachable(ctx, cluster, kubeConfig); err != nil {
+			return "Unknown", err.Error(), nil
+		}
+
 		if deployed, err := helm.IsClusterDeployed(ctx, cluster, kubeConfig); err != nil {
 			return "", "", err
 		} else if !deployed {
diff --git a/cmd/cofidectl/cmd/trustzone/trustzone.go b/cmd/cofidectl/cmd/trustzone/trustzone.go
@@ -230,7 +230,12 @@ var trustZoneDelCmdDesc = `
 This command will delete a trust zone from the Cofide configuration state.
 `
 
+type delOpts struct {
+	force bool
+}
+
 func (c *TrustZoneCommand) GetDelCommand() *cobra.Command {
+	opts := &delOpts{}
 	cmd := &cobra.Command{
 		Use:   "del [NAME]",
 		Short: "Delete a trust zone",
@@ -247,21 +252,25 @@ func (c *TrustZoneCommand) GetDelCommand() *cobra.Command {
 				return err
 			}
 
-			return deleteTrustZone(cmd.Context(), args[0], ds, true, kubeConfig)
+			return deleteTrustZone(cmd.Context(), args[0], ds, kubeConfig, opts.force)
 		},
 	}
+
+	f := cmd.Flags()
+	f.BoolVar(&opts.force, "force", false, "Skip pre-delete checks")
+
 	return cmd
 }
 
-func deleteTrustZone(ctx context.Context, name string, ds datasource.DataSource, checkDeployed bool, kubeConfig string) error {
+func deleteTrustZone(ctx context.Context, name string, ds datasource.DataSource, kubeConfig string, force bool) error {
 	clusters, err := ds.ListClusters(name)
 	if err != nil {
 		return err
 	}
 
 	// TODO: Add IsClusterDeployed to ProvisionPlugin interface and mock in tests.
-	if checkDeployed {
-		// Fail if any clusters in the trust zone are up.
+	if !force {
+		// Fail if any clusters in the trust zone are reachable and SPIRE is deployed.
 		for _, cluster := range clusters {
 			if deployed, err := helmprovider.IsClusterDeployed(ctx, cluster, kubeConfig); err != nil {
 				return err
diff --git a/cmd/cofidectl/cmd/trustzone/trustzone_test.go b/cmd/cofidectl/cmd/trustzone/trustzone_test.go
@@ -141,7 +141,7 @@ func TestTrustZoneCommand_deleteTrustZone(t *testing.T) {
 			if tt.injectFailure {
 				ds = &failingDS{LocalDataSource: ds.(*local.LocalDataSource)}
 			}
-			err := deleteTrustZone(context.Background(), tt.trustZoneName, ds, false, "")
+			err := deleteTrustZone(context.Background(), tt.trustZoneName, ds, "", true)
 			if tt.wantErr {
 				require.Error(t, err)
 				assert.ErrorContains(t, err, tt.wantErrMessage)
diff --git a/cmd/cofidectl/cmd/workload/workload.go b/cmd/cofidectl/cmd/workload/workload.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"log/slog"
 	"os"
 
 	provisionpb "github.com/cofide/cofide-api-sdk/gen/go/proto/provision_plugin/v1alpha1"
@@ -203,6 +204,11 @@ func renderRegisteredWorkloads(ctx context.Context, ds datasource.DataSource, ku
 			return err
 		}
 
+		if err := helm.IsClusterReachable(ctx, cluster, kubeConfig); err != nil {
+			slog.Warn("Cluster is unreachable", "cluster", cluster.GetName(), "error", err)
+			continue
+		}
+
 		if deployed, err := helm.IsClusterDeployed(ctx, cluster, kubeConfig); err != nil {
 			return err
 		} else if !deployed {
@@ -324,6 +330,11 @@ func renderUnregisteredWorkloads(ctx context.Context, ds datasource.DataSource,
 			return err
 		}
 
+		if err := helm.IsClusterReachable(ctx, cluster, kubeConfig); err != nil {
+			slog.Warn("Cluster is unreachable", "cluster", cluster.GetName(), "error", err)
+			continue
+		}
+
 		deployed, err := helm.IsClusterDeployed(ctx, cluster, kubeConfig)
 		if err != nil {
 			return err
diff --git a/pkg/provider/helm/helm.go b/pkg/provider/helm/helm.go
@@ -241,6 +241,11 @@ func (h *HelmSPIREProvider) ExecuteUninstall(statusCh chan<- *provisionpb.Status
 	return nil
 }
 
+// CheckIfReachable returns no error if a Kubernetes cluster is reachable.
+func (h *HelmSPIREProvider) CheckIfReachable() error {
+	return h.cfg.KubeClient.IsReachable()
+}
+
 // CheckIfAlreadyInstalled returns true if the SPIRE chart has previously been installed.
 func (h *HelmSPIREProvider) CheckIfAlreadyInstalled() (bool, error) {
 	return checkIfAlreadyInstalled(h.cfg, SPIREChartName)
@@ -414,6 +419,15 @@ func checkIfAlreadyInstalled(cfg *action.Configuration, chartName string) (bool,
 	return len(ledger) > 0, nil
 }
 
+// IsClusterDeployed returns whether a Kubernetes cluster is reachable.
+func IsClusterReachable(ctx context.Context, cluster *clusterpb.Cluster, kubeConfig string) error {
+	prov, err := NewHelmSPIREProvider(ctx, cluster, nil, nil, kubeConfig)
+	if err != nil {
+		return err
+	}
+	return prov.CheckIfReachable()
+}
+
 // IsClusterDeployed returns whether a cluster has been deployed, i.e. whether a SPIRE Helm release has been installed.
 func IsClusterDeployed(ctx context.Context, cluster *clusterpb.Cluster, kubeConfig string) (bool, error) {
 	prov, err := NewHelmSPIREProvider(ctx, cluster, nil, nil, kubeConfig)

Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,7 @@ func TestTrustZoneCommand_deleteTrustZone(t *testing.T) {`
`141`	`141`	`if tt.injectFailure {`
`142`	`142`	`ds = &failingDS{LocalDataSource: ds.(*local.LocalDataSource)}`
`143`	`143`	`}`
`144`		`- err := deleteTrustZone(context.Background(), tt.trustZoneName, ds, false, "")`
	`144`	`+ err := deleteTrustZone(context.Background(), tt.trustZoneName, ds, "", true)`
`145`	`145`	`if tt.wantErr {`
`146`	`146`	`require.Error(t, err)`
`147`	`147`	`assert.ErrorContains(t, err, tt.wantErrMessage)`