versions: add Kubernetes image patches to components

2024-10-01 01:36:09 -04:00 · 2023-12-14 14:51:10 +01:00 · 2023-12-14 14:51:10 +01:00 · 4ba483ec0e
commit 4ba483ec0e
parent b740a1a75b
7 changed files with 89 additions and 3 deletions
--- a/hack/go.sum
+++ b/hack/go.sum
@ -848,6 +848,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
 github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -106,6 +106,8 @@ const (
 	KubeadmPath = "/run/state/bin/kubeadm"
 	// KubeletPath install path for kubelet.
 	KubeletPath = "/run/state/bin/kubelet"
+	// KubeadmPatchDir directory for kubeadm patches .
+	KubeadmPatchDir = "/opt/kubernetes/patches"

 	//
 	// Filenames for Constellation's micro services.
--- a/internal/versions/BUILD.bazel
+++ b/internal/versions/BUILD.bazel
@ -18,5 +18,9 @@ go_test(
    name = "versions_test",
    srcs = ["versions_test.go"],
    embed = [":versions"],
-    deps = ["@com_github_stretchr_testify//assert"],
+    deps = [
+        "@com_github_stretchr_testify//assert",
+        "@com_github_stretchr_testify//require",
+        "@com_github_vincent_petithory_dataurl//:dataurl",
+    ],
 )
--- a/internal/versions/hash-generator/generate.go
+++ b/internal/versions/hash-generator/generate.go
@ -19,6 +19,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strings"

 	"golang.org/x/tools/go/ast/astutil"
 )
@ -147,8 +148,13 @@ func main() {
 				}
 			}

-			fmt.Println("Generating hash for", url.Value.(*ast.BasicLit).Value)
-			hash.Value.(*ast.BasicLit).Value = mustGetHash(url.Value.(*ast.BasicLit).Value)
+			urlValue := url.Value.(*ast.BasicLit).Value
+			if strings.HasPrefix(urlValue, `"data:`) {
+				// TODO(burgerdev): support patch generation
+				continue
+			}
+			fmt.Println("Generating hash for", urlValue)
+			hash.Value.(*ast.BasicLit).Value = mustGetHash(urlValue)
 		}

 		return true
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@ -13,6 +13,7 @@ package versions

 import (
 	"fmt"
+	"path"
 	"sort"
 	"strings"

@ -154,6 +155,12 @@ func hasPatchVersion(version string) bool {
 	return semver.MajorMinor(version) != version
 }

+// patchFilePath returns the canonical path for kubeadm patch files for the given component.
+// See https://pkg.go.dev/k8s.io/kubernetes@v1.27.7/cmd/kubeadm/app/apis/kubeadm/v1beta3#InitConfiguration.
+func patchFilePath(component string) string {
+	return path.Join(constants.KubeadmPatchDir, fmt.Sprintf("%s+json.json", component))
+}
+
 const (
 	//
 	// Constellation images.
@ -227,6 +234,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 				InstallPath: constants.KubectlPath,
 				Extract:     false,
 			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI2LjExQHNoYTI1NjozOTUzNWQwZWZlODk1YWU5MWI1NTExZmRhZGI1MmVjOTMyOWYzODk4NzYxMTYzYThjMGRlMjAzZTIzZTMzODUzIn1d",
+				InstallPath: patchFilePath("kube-apiserver"),
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI2LjExQHNoYTI1NjpjZGJlZmZmMTU0ZDRjY2I1ZDhlOGIxNmI4MDRjYmM2Y2M5MzI2YTc2MGI5ZjkxNDIyMjcwOGY5OTExOThkNTdjIn1d",
+				InstallPath: patchFilePath("kube-controller-manager"),
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI2LjExQHNoYTI1NjowNjg0ZTIzMTcyZDkyMDMxNDk3MTU4MGFiMTE1YTViNjc5YWMxZmFlMmNiOTRkODNlOTEwNWMwYjFlOTNhMWJjIn1d",
+				InstallPath: patchFilePath("kube-scheduler"),
+			},
 		},
 		// CloudControllerManagerImageAWS is the CCM image used on AWS.
 		CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.26.6@sha256:33445ab57f48938fe989ffe311dacee0044b82f2bd23cb7f7b563275926f0ce9", // renovate:container
@ -278,6 +297,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 				InstallPath: constants.KubectlPath,
 				Extract:     false,
 			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI3LjhAc2hhMjU2OjcwYjA1YjYxZDg0NmViYjY5YTkwN2ZlMjU1ZDM5YTZmNmMxMGQ1Y2E5NTA0ZjNkMmMwZGZmM2Y4NjQ2OTBkMzMifV0=",
+				InstallPath: patchFilePath("kube-apiserver"),
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI3LjhAc2hhMjU2OmU1OWM2MzczZDI2YjY4NGE5MWNmYTU5NDJjMGY3MzcxYmRhOWI0YmI3Njg5ZTNmOTBmN2VlNGY5NjUxZWUyMmIifV0=",
+				InstallPath: patchFilePath("kube-controller-manager"),
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI3LjhAc2hhMjU2OjYyMzdlNzEwMGNjZGJiZDVlMGU3Y2ZmNzc5NjgzMWMxODVhMzk0NzE5OTgyM2YzOTEyODNjNzlkMDBhZmYwNzAifV0=",
+				InstallPath: patchFilePath("kube-scheduler"),
+			},
 		},
 		// CloudControllerManagerImageAWS is the CCM image used on AWS.
 		CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.2@sha256:42be09a2b13b4e69b42905639d6b005ebe1ca490aabefad427256abf2cc892c7", // renovate:container
@ -329,6 +360,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 				InstallPath: constants.KubectlPath,
 				Extract:     false,
 			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI4LjRAc2hhMjU2OjViMjhhMzY0NDY3Y2Y3ZTEzNDM0M2JiM2VlMmM2ZDQwNjgyYjQ3M2E3NDNhNzIxNDJjN2JiZTI1NzY3ZDM2ZWIifV0=",
+				InstallPath: patchFilePath("kube-apiserver"),
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI4LjRAc2hhMjU2OjY1NDg2YzhjMzM4Zjk2ZGMwMjJkZDFhMGFiZTg3NjNlMzhmMzUwOTViODRiMjA4Yzc4ZjQ0ZDllOTk0NDdkMWMifV0=",
+				InstallPath: patchFilePath("kube-controller-manager"),
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI4LjRAc2hhMjU2OjMzNWJiYTllODYxYjg4ZmE4YjdiYjkyNTBiY2Q2OWI3YTMzZjgzZGE0ZmVlOTNmOWZjMGVlZGM2ZjM0ZTI4YmEifV0=",
+				InstallPath: patchFilePath("kube-scheduler"),
+			},
 		},
 		// CloudControllerManagerImageAWS is the CCM image used on AWS.
 		CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.1@sha256:79b423ac8bc52d00f932b40de11fc3047a5ed1cbec47cda23bcf8f45ef583ed1", // renovate:container
--- a/internal/versions/versions_test.go
+++ b/internal/versions/versions_test.go
@ -7,9 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-only
 package versions

 import (
+	"fmt"
+	"path"
+	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/vincent-petithory/dataurl"
 )

 func TestVersionFromDockerImage(t *testing.T) {
@ -44,3 +49,25 @@ func TestVersionFromDockerImage(t *testing.T) {
 		})
 	}
 }
+
+func TestKubernetesImagePatchCompatibility(t *testing.T) {
+	// This test ensures that pinned Kubernetes images correspond to the
+	// supported Kubernetes versions. It prevents automatic upgrades until
+	// a patch generator is added to the codebase.
+	// TODO(burgerdev): remove after patches are generated automatically.
+	for v, clusterConfig := range VersionConfigs {
+		t.Run(string(v), func(t *testing.T) {
+			for i, component := range clusterConfig.KubernetesComponents.GetUpgradableComponents() {
+				if !strings.HasPrefix(component.Url, "data:") {
+					continue
+				}
+				t.Run(fmt.Sprintf("%d-%s", i, path.Base(component.InstallPath)), func(t *testing.T) {
+					require := require.New(t)
+					dataURL, err := dataurl.DecodeString(component.Url)
+					require.NoError(err)
+					require.Contains(string(dataURL.Data), clusterConfig.ClusterVersion)
+				})
+			}
+		})
+	}
+}
--- a/terraform-provider-constellation/go.sum
+++ b/terraform-provider-constellation/go.sum
@ -871,6 +871,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=