feat: wg-easy add preflights

[nvanthao]

Add Preflight Checks to WireGuard Easy (wg-easy)

Overview

This PR adds preflight checks to the wg-easy chart.

Implementation Details

• Each chart-specific preflight is defined as a Kubernetes Secret with label troubleshoot.sh/kind: preflight

• Preflight specs are stored in each chart's templates directory:

  cert-manager/templates/secret-preflights.yaml
  wg-easy/templates/secret-preflights.yaml

• Added new task helm-preflight to streamline verification

• Updated container image to include the preflight binary

Current Status

• The PR is based on In container only #55 and will be rebased once that PR is merged
• The cert-manager preflight is currently a placeholder to demonstrate multiple preflight specs merging, not the final preflight content
• The wg-easy preflight has been implemented with actual checks relevant to the chart

Testing

Locally verify preflight specs with:

helm template <chart-dir> | preflight - --dry-run

Next Steps

• Finalize cert-manager preflights with actual checks
• Consider adding preflights to additional charts

[chris-sanders]

I was trying to do a review and then I realized you've based this on another active development branch but targeted the PR against main.

The problem is that means I'm not reviewing both PR's and I can't tell what you've changed and what the other PR is chaning.

If you base a PR on top of another existing branch I think we need to review against that other PR until it's merged so that the review is only of your current changes not everything from both branches.

[chris-sanders]

Just watching the asciinema and again I don't know for sure if this is feedback from your PR or the branch you're building on top of but I'll note what I see either way.

1. You ran a command 'ag' which I'm guessing is an alias or shortcut you've setup yourself? If so you shouldn't do that in a demo I don't know what that command does, hence I can't understand what you're trying to show us by running it.
2. You've exposed your REPLICATED_API_TOKEN please rotate it and be more careful in the future about recording sensitive values.
3. The output here is far to verbose, that's part of the cause of item 2 above, slim it down we shouldn't be showing task commands like you show here. Especially when they have API TOKENS in them. That goes for both the green and the white text, it's noisy look at the Embedded Cluster CLI outputs for a target of what good looks like. I think just disable all of the verbose output would be a good start.
4. As I mentioned in yesterdays' standup, you shouldn't need cluster-create and setup-kubeconfig in your dependencies. As far as I can tell just setup-kubeconfig is sufficient because it already includes creating a cluster. We need to be careful not to unnecessarily re-run and steps for no reason.
5. This is the biggest one, you're using a bash loop to make this work which is fine for development purposes however how do you see this working in a real install? An end user won't be using Taskfile or this repository, the preflight needs to work through Enterprise Portal and Embedded Cluster installs. Are you addressing that next? I'm fine with this implementation for developers but before we land anything we need to know what this means for end users.

[nvanthao]

many thanks @chris-sanders

1. I use ag as a drop-in replacement for grep as it is faster
2. many thanks I have rotated the token for the demo
3. I removed -v=5 flag
4. I removed dep cluster-create
5. In real install, let me do a quick record of what I am seeing and share the thoughts with us in a Loom

[nvanthao]

This is the biggest one, you're using a bash loop to make this work which is fine for development purposes however how do you see this working in a real install? An end user won't be using Taskfile or this repository, the preflight needs to work through Enterprise Portal and Embedded Cluster installs. Are you addressing that next? I'm fine with this implementation for developers but before we land anything we need to know what this means for end users.

I've shared the Loom in our Slack channel, tldr;

• for KOTS install in existing cluster, the preflights will run during kots install
• for EC install, the preflight will happen in KOTS Admin Console UI
• for helm install, Vendor Portal contains the instructions to run helm template | preflight per chart
• for helm install, Enterprise Portal is missing preflights run instructions as of now

[chris-sanders]

I just realized this is still targeting main and not the other PR.
I'm assuming all changes in this PR are yours since you asked for another review, is that accurate?

[chris-sanders]

Let's not use any 'dummy' values. Cert-manager has a list of prerequisites documented. Use real requirements.

[nvanthao]

I just realized this is still targeting main and not the other PR. I'm assuming all changes in this PR are yours since you asked for another review, is that accurate?

Hi @chris-sanders, I can't target the other PR branch as the branch is in a forked repo. As mentioned earlier, I will wait for that PR to be merged to main and rebase this PR.

I've updated the preflights for cert-manager accordingly. I can only find the k8s version as the only prerequisite here

[chris-sanders]

I didn't realize the other PR was in a forked repo, I'll mention to the team to work out of this repo in the future.