Fix OCI cache reconstruction (#1076)

* fix(oci): systematically reconstruct cache whenever required

* fix(tests): define replicas as numbers

* chore(deps): update Go to latest version

* fix(tests): replicas as integers

* fix(tests): redefine Pulumi default values in auto config+secrets for non-plaintext-strings config

* fix(deps): update Go deps

Author: pandatix

api/v1/challenge/delete.go

@@ -18,6 +18,7 @@ import (
 	"github.com/ctfer-io/chall-manager/pkg/fs"
 	"github.com/ctfer-io/chall-manager/pkg/iac"
 	"github.com/ctfer-io/chall-manager/pkg/lock"
+	"github.com/ctfer-io/chall-manager/pkg/scenario"
 )
 
 func (store *Store) DeleteChallenge(ctx context.Context, req *DeleteChallengeRequest) (*emptypb.Empty, error) {
@@ -93,6 +94,21 @@ func (store *Store) DeleteChallenge(ctx context.Context, req *DeleteChallengeReq
 		return nil, err
 	}
 
+	// Reload cache if necessary
+	if _, err := scenario.DecodeOCI(ctx,
+		fschall.ID, fschall.Scenario, fschall.Additional,
+		global.Conf.OCI.Insecure, global.Conf.OCI.Username, global.Conf.OCI.Password,
+	); err != nil {
+		logger.Error(ctx, "decoding scenario",
+			zap.String("reference", fschall.Scenario),
+			zap.Error(multierr.Combine(
+				clock.RWUnlock(ctx),
+				err,
+			)),
+		)
+		return nil, errs.ErrInternalNoSub
+	}
+
 	// 5. Create "relock" and "work" wait groups for all instances, and for each
 	ists, err := fs.ListInstances(req.Id)
 	if err != nil {

api/v1/challenge/update.go

@@ -106,6 +106,18 @@ func (store *Store) UpdateChallenge(ctx context.Context, req *UpdateChallengeReq
 		return nil, err
 	}
 
+	// Reload cache if necessary
+	if _, err := scenario.DecodeOCI(ctx,
+		fschall.ID, fschall.Scenario, req.Additional,
+		global.Conf.OCI.Insecure, global.Conf.OCI.Username, global.Conf.OCI.Password,
+	); err != nil {
+		logger.Error(ctx, "decoding scenario",
+			zap.String("reference", fschall.Scenario),
+			zap.Error(err),
+		)
+		return nil, errs.ErrInternalNoSub
+	}
+
 	// 5. Update challenge until/timeout, pooler, or scenario on filesystem
 	updateScenario := false
 	updateAdditional := false

api/v1/instance/create.go

@@ -17,6 +17,7 @@ import (
 	"github.com/ctfer-io/chall-manager/pkg/fs"
 	"github.com/ctfer-io/chall-manager/pkg/iac"
 	"github.com/ctfer-io/chall-manager/pkg/identity"
+	"github.com/ctfer-io/chall-manager/pkg/scenario"
 )
 
 func (man *Manager) CreateInstance(ctx context.Context, req *CreateInstanceRequest) (*Instance, error) {
@@ -87,6 +88,17 @@ func (man *Manager) CreateInstance(ctx context.Context, req *CreateInstanceReque
 		}
 		return nil, err
 	}
+	// Reload cache if necessary
+	if _, err := scenario.DecodeOCI(ctx,
+		fschall.ID, fschall.Scenario, req.Additional,
+		global.Conf.OCI.Insecure, global.Conf.OCI.Username, global.Conf.OCI.Password,
+	); err != nil {
+		logger.Error(ctx, "decoding scenario",
+			zap.String("reference", fschall.Scenario),
+			zap.Error(err),
+		)
+		return nil, errs.ErrInternalNoSub
+	}
 	if fschall.Until != nil && time.Now().After(*fschall.Until) {
 		if err := clock.RUnlock(ctx); err != nil {
 			logger.Error(ctx, "unlocking R challenge", zap.Error(err))

api/v1/instance/delete.go

@@ -17,6 +17,7 @@ import (
 	"github.com/ctfer-io/chall-manager/pkg/fs"
 	"github.com/ctfer-io/chall-manager/pkg/iac"
 	"github.com/ctfer-io/chall-manager/pkg/lock"
+	"github.com/ctfer-io/chall-manager/pkg/scenario"
 )
 
 func (man *Manager) DeleteInstance(ctx context.Context, req *DeleteInstanceRequest) (*emptypb.Empty, error) {
@@ -176,6 +177,18 @@ func (man *Manager) DeleteInstance(ctx context.Context, req *DeleteInstanceReque
 		return nil, err
 	}
 
+	// Reload cache if necessary
+	if _, err := scenario.DecodeOCI(ctx,
+		fschall.ID, fschall.Scenario, fschall.Additional,
+		global.Conf.OCI.Insecure, global.Conf.OCI.Username, global.Conf.OCI.Password,
+	); err != nil {
+		logger.Error(ctx, "decoding scenario",
+			zap.String("reference", fschall.Scenario),
+			zap.Error(err),
+		)
+		return nil, errs.ErrInternalNoSub
+	}
+
 	stack, err := iac.LoadStack(ctx, fschall.Directory, id)
 	if err != nil {
 		if err, ok := err.(*errs.ErrInternal); ok {

api/v1/instance/spin.go

@@ -10,6 +10,7 @@ import (
 	"github.com/ctfer-io/chall-manager/pkg/fs"
 	"github.com/ctfer-io/chall-manager/pkg/iac"
 	"github.com/ctfer-io/chall-manager/pkg/identity"
+	"github.com/ctfer-io/chall-manager/pkg/scenario"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
 	"go.opentelemetry.io/otel/trace"
@@ -108,6 +109,18 @@ func SpinUp(ctx context.Context, challengeID string) {
 	id := identity.New()
 	ctx = global.WithIdentity(ctx, id)
 
+	// Reload cache if necessary
+	if _, err := scenario.DecodeOCI(ctx,
+		fschall.ID, fschall.Scenario, fschall.Additional,
+		global.Conf.OCI.Insecure, global.Conf.OCI.Username, global.Conf.OCI.Password,
+	); err != nil {
+		logger.Error(ctx, "decoding scenario",
+			zap.String("reference", fschall.Scenario),
+			zap.Error(err),
+		)
+		return
+	}
+
 	// 10. Spin up instance
 	stack, err := iac.NewStack(ctx, id, fschall)
 	if err != nil {

deploy/go.mod

@@ -1,16 +1,16 @@
 module github.com/ctfer-io/chall-manager/deploy
 
-go 1.24.3
+go 1.25.4
 
 require (
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/ctfer-io/chall-manager v0.6.0
 	github.com/ctfer-io/monitoring v0.1.0
 	github.com/pkg/errors v0.9.1
-	github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.23.0
+	github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.24.0
 	github.com/pulumi/pulumi-random/sdk/v4 v4.18.4
-	github.com/pulumi/pulumi/pkg/v3 v3.201.0
-	github.com/pulumi/pulumi/sdk/v3 v3.203.0
+	github.com/pulumi/pulumi/pkg/v3 v3.208.0
+	github.com/pulumi/pulumi/sdk/v3 v3.208.0
 	github.com/stretchr/testify v1.11.1
 	go.opentelemetry.io/collector/pdata v1.44.0
 	go.uber.org/multierr v1.11.0
@@ -96,7 +96,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/go-test/deep v1.0.3 // indirect
+	github.com/go-test/deep v1.1.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gofrs/uuid v4.2.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@@ -181,13 +181,13 @@ require (
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/segmentio/encoding v0.5.3 // indirect
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.7 // indirect
+	github.com/spf13/cobra v1.10.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect

deploy/go.sum

@@ -220,6 +220,7 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -447,14 +448,18 @@ github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
 github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
 github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
-github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.23.0 h1:TZ/XhzF+3/jRiGsjlJHCWhXcU5E5tbXU8O0DKnPmFic=
-github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.23.0/go.mod h1:jOdpeNeRvY4iN+W8aDP5+HyqrM7hXsxa9paPsmjQFfY=
+github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.24.0 h1:dlDJvsugKow8tCaD0yJngc7PXdv8WT2YwPEUmj48tF4=
+github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.24.0/go.mod h1:8HDO923pZUokTAEMgS7XepoUIDCazm2WAwX6s4HUDtc=
 github.com/pulumi/pulumi-random/sdk/v4 v4.18.4 h1:mkZ3nB3xLTFZ8Fbh50bXTxiroGpjSyonTFcKovLxWME=
 github.com/pulumi/pulumi-random/sdk/v4 v4.18.4/go.mod h1:BBVUyqFkhCbwvUSnDjubH5b+SeJeoMQH4COGNKaaoUI=
-github.com/pulumi/pulumi/pkg/v3 v3.201.0 h1:Vu36u/Hv+kGJr5ryPP40fYABDKuvWcKQKm5hYMw/gU4=
-github.com/pulumi/pulumi/pkg/v3 v3.201.0/go.mod h1:dwXMnuziQF0d66p6cfB4//gsS3qRoXdqWIMKKyNNx1I=
-github.com/pulumi/pulumi/sdk/v3 v3.203.0 h1:naNpZOkGf1QaIcfB47MAh2UHW7DUh37Tg1zOdDmxx5I=
-github.com/pulumi/pulumi/sdk/v3 v3.203.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
+github.com/pulumi/pulumi/pkg/v3 v3.205.0 h1:gSsJr4opU+rfx0CJEvk2f+kf6mNA6qIdACdfrDwd4HE=
+github.com/pulumi/pulumi/pkg/v3 v3.205.0/go.mod h1:DwMi4+xkHvw6aazISQd4nWzhDHtMGQxl2w5WJtUl6mA=
+github.com/pulumi/pulumi/pkg/v3 v3.208.0 h1:MBnkg2QCXE+nssylAgYRWiOGaTi2ynBbSgjGeaaktAk=
+github.com/pulumi/pulumi/pkg/v3 v3.208.0/go.mod h1:7SMtVWWoCTPQHQNBpDjaZrqo8tBFygDv50rTCmGjEds=
+github.com/pulumi/pulumi/sdk/v3 v3.205.0 h1:Cuev0D3nBUqnFnFzWsO6M5XtOdGCe7lpgSds80yROyQ=
+github.com/pulumi/pulumi/sdk/v3 v3.205.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
+github.com/pulumi/pulumi/sdk/v3 v3.208.0 h1:AUBoh7zw67NZVo1IkapOog1WBMz46DXco/7YsKBNK1s=
+github.com/pulumi/pulumi/sdk/v3 v3.208.0/go.mod h1:UsBMdaUQ+WoKoQtF2PYbQIbo8ZRJuAo1axkyit9IQVE=
 github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
 github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -474,8 +479,8 @@ github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
 github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/segmentio/encoding v0.5.3 h1:OjMgICtcSFuNvQCdwqMCv9Tg7lEOXGwm1J5RPQccx6w=
 github.com/segmentio/encoding v0.5.3/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0=
-github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
-github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
+github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
@@ -485,11 +490,10 @@ github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0
 github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
 github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
 github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
-github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

deploy/integration/cluster_test.go

@@ -36,6 +36,13 @@ func Test_I_Cluster(t *testing.T) {
 			"replicas":         "1",             // no need to replicate, we test proper deployments
 			"etcd-replicas":    "1",             // no need to replicate, we test proper deployment
 			"expose":           "true",          // make API externally reachable
+			// Following config values are defined, seems like due to a bug in Pulumi loading config
+			"etcd.replicas": "1",
+			"oci.insecure":  "true",
+			"otel.insecure": "true",
+		},
+		Secrets: map[string]string{
+			"kubeconfig": "",
 		},
 		ExtraRuntimeValidation: func(t *testing.T, stack integration.RuntimeValidationStackInfo) {
 			cli := grpcClient(t, stack.Outputs)

deploy/integration/examples_test.go

@@ -54,6 +54,13 @@ func Test_I_Examples(t *testing.T) {
 			"oci-insecure":     "true",          // don't mind HTTPS on the CI registry
 			"pvc-access-mode":  "ReadWriteOnce", // don't need to scale (+ not possible with kind in CI)
 			"expose":           "true",          // make API externally reachable
+			// Following config values are defined, seems like due to a bug in Pulumi loading config
+			"etcd.replicas": "1",
+			"oci.insecure":  "true",
+			"otel.insecure": "true",
+		},
+		Secrets: map[string]string{
+			"kubeconfig": "",
 		},
 		ExtraRuntimeValidation: func(t *testing.T, stack integration.RuntimeValidationStackInfo) {
 			cli := grpcClient(t, stack.Outputs)

deploy/integration/monitoring_test.go

@@ -60,6 +60,13 @@ func Test_I_Monitoring(t *testing.T) {
 			"registry":         os.Getenv("REGISTRY"),
 			"tag":              os.Getenv("TAG"),
 			"romeo-claim-name": os.Getenv("ROMEO_CLAIM_NAME"),
+			// Following config values are defined, seems like due to a bug in Pulumi loading config
+			"etcd.replicas": "0",
+			"oci.insecure":  "true",
+			"otel.insecure": "true",
+		},
+		Secrets: map[string]string{
+			"kubeconfig": "",
 		},
 		Env: []string{
 			"CHALL_MANAGER_TEST_INTEGRATION_MONITORING=pouet",