From ad038f4046ec8183426c87807bd475376967ed7e Mon Sep 17 00:00:00 2001 From: Andrew Lytvynov Date: Thu, 8 Aug 2024 13:21:28 -0500 Subject: [PATCH] cmd/gitops-pusher: add --fail-on-manual-edits flag (#13066) For cases where users want to be extra careful about not overwriting manual changes, add a flag to hard-fail. This is only useful if the etag cache is persistent or otherwise reliable. This flag should not be used in ephemeral CI workers that won't persist the cache. Updates https://github.com/tailscale/corp/issues/22177 Signed-off-by: Andrew Lytvynov --- cmd/gitops-pusher/gitops-pusher.go | 35 ++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/cmd/gitops-pusher/gitops-pusher.go b/cmd/gitops-pusher/gitops-pusher.go index 60bee6064..1abf36a3b 100644 --- a/cmd/gitops-pusher/gitops-pusher.go +++ b/cmd/gitops-pusher/gitops-pusher.go @@ -28,19 +28,20 @@ import ( ) var ( - rootFlagSet = flag.NewFlagSet("gitops-pusher", flag.ExitOnError) - policyFname = rootFlagSet.String("policy-file", "./policy.hujson", "filename for policy file") - cacheFname = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash") - timeout = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run") - githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)") - apiServer = rootFlagSet.String("api-server", "api.tailscale.com", "API server to contact") + rootFlagSet = flag.NewFlagSet("gitops-pusher", flag.ExitOnError) + policyFname = rootFlagSet.String("policy-file", "./policy.hujson", "filename for policy file") + cacheFname = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash") + timeout = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run") + githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)") + apiServer = rootFlagSet.String("api-server", "api.tailscale.com", "API server to contact") + failOnManualEdits = rootFlagSet.Bool("fail-on-manual-edits", false, "fail if manual edits to the ACLs in the admin panel are detected; when set to false (the default) only a warning is printed") ) -func modifiedExternallyError() { +func modifiedExternallyError() error { if *githubSyntax { - fmt.Printf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname) + return fmt.Errorf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.", *policyFname) } else { - fmt.Printf("The policy file was modified externally in the admin console.\n") + return fmt.Errorf("The policy file was modified externally in the admin console.") } } @@ -66,7 +67,13 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte log.Printf("cache: %s", cache.PrevETag) if cache.PrevETag != controlEtag { - modifiedExternallyError() + if err := modifiedExternallyError(); err != nil { + if *failOnManualEdits { + return err + } else { + fmt.Println(err) + } + } } if controlEtag == localEtag { @@ -107,7 +114,13 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex log.Printf("cache: %s", cache.PrevETag) if cache.PrevETag != controlEtag { - modifiedExternallyError() + if err := modifiedExternallyError(); err != nil { + if *failOnManualEdits { + return err + } else { + fmt.Println(err) + } + } } if controlEtag == localEtag {