diff --git a/hack/go.sum b/hack/go.sum
index a49e35fca..aa08f25d5 100644
--- a/hack/go.sum
+++ b/hack/go.sum
@@ -848,6 +848,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
 github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 40b194d2d..68d0fd6e2 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -106,6 +106,8 @@ const (
 KubeadmPath = "/run/state/bin/kubeadm"
 // KubeletPath install path for kubelet.
 KubeletPath = "/run/state/bin/kubelet"
+ // KubeadmPatchDir directory for kubeadm patches .
+ KubeadmPatchDir = "/opt/kubernetes/patches"

 //
 // Filenames for Constellation's micro services.
diff --git a/internal/versions/BUILD.bazel b/internal/versions/BUILD.bazel
index 288641071..1a9beb428 100644
--- a/internal/versions/BUILD.bazel
+++ b/internal/versions/BUILD.bazel
@@ -18,5 +18,9 @@ go_test(
 name = "versions_test",
 srcs = ["versions_test.go"],
 embed = [":versions"],
- deps = ["@com_github_stretchr_testify//assert"],
+ deps = [
+ "@com_github_stretchr_testify//assert",
+ "@com_github_stretchr_testify//require",
+ "@com_github_vincent_petithory_dataurl//:dataurl",
+ ],
 )
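Review bot: In internal/constants/constants.go the new comment on `KubeadmPatchDir` has a stray space before the period and does not say who reads the directory; `// KubeadmPatchDir is the directory kubeadm reads component patches from.` would be clearer. Files placed there rewrite the control-plane pod specs (the entries added in internal/versions/versions.go replace the container image), so the comment should also state that the directory must be writable by root only. The code that creates the directory is not part of this diff, so its mode could not be checked here.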
diff --git a/internal/versions/hash-generator/generate.go b/internal/versions/hash-generator/generate.go
index b3701c4e0..fcc5b27eb 100644
--- a/internal/versions/hash-generator/generate.go
+++ b/internal/versions/hash-generator/generate.go
@@ -19,6 +19,7 @@ import (
 "log"
 "net/http"
 "os"
+ "strings"

 "golang.org/x/tools/go/ast/astutil"
 )
@@ -147,8 +148,13 @@ func main() {
 }
 }

- fmt.Println("Generating hash for", url.Value.(*ast.BasicLit).Value)
- hash.Value.(*ast.BasicLit).Value = mustGetHash(url.Value.(*ast.BasicLit).Value)
+ urlValue := url.Value.(*ast.BasicLit).Value
+ if strings.HasPrefix(urlValue, `"data:`) {
+ // TODO(burgerdev): support patch generation
+ continue
+ }
+ fmt.Println("Generating hash for", urlValue)
+ hash.Value.(*ast.BasicLit).Value = mustGetHash(urlValue)
 }

 return true
diff --git a/internal/versions/versions.go b/internal/versions/versions.go
index 5a1a6ce51..bf13a2b73 100644
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@@ -13,6 +13,7 @@ package versions

 import (
 "fmt"
+ "path"
 "sort"
 "strings"

@@ -154,6 +155,12 @@ func hasPatchVersion(version string) bool {
 return semver.MajorMinor(version) != version
 }

+// patchFilePath returns the canonical path for kubeadm patch files for the given component.
+// See https://pkg.go.dev/k8s.io/kubernetes@v1.27.7/cmd/kubeadm/app/apis/kubeadm/v1beta3#InitConfiguration.
+func patchFilePath(component string) string {
+ return path.Join(constants.KubeadmPatchDir, fmt.Sprintf("%s+json.json", component))
+}
+
 const (
 //
 // Constellation images.
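Review bot: In internal/versions/hash-generator/generate.go the new `continue` skips `data:` URLs without printing anything, so a generator run gives no sign that these components were left without a hash, and any `Hash` value already present on such an entry would stay as it is. A line such as `fmt.Println("Skipping hash generation for inline data URL")` before the `continue` makes the skip visible. The prefix test is also case-sensitive on the quoted literal, so an upper-case scheme would fall through to `mustGetHash`, which presumably tries to fetch it; lower-casing `urlValue` before the `strings.HasPrefix` call covers that. The enclosing function continues outside the hunk.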
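Review bot: `patchFilePath` in internal/versions/versions.go passes `component` straight into `path.Join`, which cleans `..` segments, so a component name containing a path separator would resolve outside `constants.KubeadmPatchDir`. All callers visible in this diff pass string literals, so this is a hardening point rather than a live defect, and stating the constraint in the doc comment is enough: `// component must be a plain kubeadm target name such as "kube-apiserver", without path separators.` The comment could also say that the `+json` part of the file name selects kubeadm's JSON patch type, which is what makes the `%s+json.json` format read as deliberate rather than as a typo.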
@@ -227,6 +234,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 InstallPath: constants.KubectlPath,
 Extract: false,
 },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI2LjExQHNoYTI1NjozOTUzNWQwZWZlODk1YWU5MWI1NTExZmRhZGI1MmVjOTMyOWYzODk4NzYxMTYzYThjMGRlMjAzZTIzZTMzODUzIn1d",
+ InstallPath: patchFilePath("kube-apiserver"),
+ },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI2LjExQHNoYTI1NjpjZGJlZmZmMTU0ZDRjY2I1ZDhlOGIxNmI4MDRjYmM2Y2M5MzI2YTc2MGI5ZjkxNDIyMjcwOGY5OTExOThkNTdjIn1d",
+ InstallPath: patchFilePath("kube-controller-manager"),
+ },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI2LjExQHNoYTI1NjowNjg0ZTIzMTcyZDkyMDMxNDk3MTU4MGFiMTE1YTViNjc5YWMxZmFlMmNiOTRkODNlOTEwNWMwYjFlOTNhMWJjIn1d",
+ InstallPath: patchFilePath("kube-scheduler"),
+ },
 },
 // CloudControllerManagerImageAWS is the CCM image used on AWS.
 CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.26.6@sha256:33445ab57f48938fe989ffe311dacee0044b82f2bd23cb7f7b563275926f0ce9", // renovate:container
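Review bot: The three `Url` values added here are base64 payloads, so the image tag and digest they pin cannot be read or compared in review; the same applies to the v1.27 and v1.28 hunks that follow. Decoded, each one is a JSON patch that replaces `/spec/containers/0/image` with a digest-pinned `registry.k8s.io` image, which is exactly the value a reviewer needs to see when it changes. A comment above each entry with the decoded reference, in the form `// image: <registry>/<name>:<tag>@sha256:<digest>` filled in from the payload, would make a changed digest visible in a diff. These entries also carry no `Hash` field, so whatever installs components has to handle an empty hash for `data:` URLs; that code is not in this diff. The `VersionConfigs` literal continues outside the hunk.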
@@ -278,6 +297,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 InstallPath: constants.KubectlPath,
 Extract: false,
 },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI3LjhAc2hhMjU2OjcwYjA1YjYxZDg0NmViYjY5YTkwN2ZlMjU1ZDM5YTZmNmMxMGQ1Y2E5NTA0ZjNkMmMwZGZmM2Y4NjQ2OTBkMzMifV0=",
+ InstallPath: patchFilePath("kube-apiserver"),
+ },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI3LjhAc2hhMjU2OmU1OWM2MzczZDI2YjY4NGE5MWNmYTU5NDJjMGY3MzcxYmRhOWI0YmI3Njg5ZTNmOTBmN2VlNGY5NjUxZWUyMmIifV0=",
+ InstallPath: patchFilePath("kube-controller-manager"),
+ },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI3LjhAc2hhMjU2OjYyMzdlNzEwMGNjZGJiZDVlMGU3Y2ZmNzc5NjgzMWMxODVhMzk0NzE5OTgyM2YzOTEyODNjNzlkMDBhZmYwNzAifV0=",
+ InstallPath: patchFilePath("kube-scheduler"),
+ },
 },
 // CloudControllerManagerImageAWS is the CCM image used on AWS.
 CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.2@sha256:42be09a2b13b4e69b42905639d6b005ebe1ca490aabefad427256abf2cc892c7", // renovate:container
@@ -329,6 +360,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 InstallPath: constants.KubectlPath,
 Extract: false,
 },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI4LjRAc2hhMjU2OjViMjhhMzY0NDY3Y2Y3ZTEzNDM0M2JiM2VlMmM2ZDQwNjgyYjQ3M2E3NDNhNzIxNDJjN2JiZTI1NzY3ZDM2ZWIifV0=",
+ InstallPath: patchFilePath("kube-apiserver"),
+ },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI4LjRAc2hhMjU2OjY1NDg2YzhjMzM4Zjk2ZGMwMjJkZDFhMGFiZTg3NjNlMzhmMzUwOTViODRiMjA4Yzc4ZjQ0ZDllOTk0NDdkMWMifV0=",
+ InstallPath: patchFilePath("kube-controller-manager"),
+ },
+ {
+ Url: "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI4LjRAc2hhMjU2OjMzNWJiYTllODYxYjg4ZmE4YjdiYjkyNTBiY2Q2OWI3YTMzZjgzZGE0ZmVlOTNmOWZjMGVlZGM2ZjM0ZTI4YmEifV0=",
+ InstallPath: patchFilePath("kube-scheduler"),
+ },
 },
 // CloudControllerManagerImageAWS is the CCM image used on AWS.
 CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.1@sha256:79b423ac8bc52d00f932b40de11fc3047a5ed1cbec47cda23bcf8f45ef583ed1", // renovate:container
diff --git a/internal/versions/versions_test.go b/internal/versions/versions_test.go
index a4781697a..dbab7107b 100644
--- a/internal/versions/versions_test.go
+++ b/internal/versions/versions_test.go
@@ -7,9 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-only
 package versions

 import (
+ "fmt"
+ "path"
+ "strings"
 "testing"

 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "github.com/vincent-petithory/dataurl"
 )

 func TestVersionFromDockerImage(t *testing.T) {
@@ -44,3 +49,25 @@ func TestVersionFromDockerImage(t *testing.T) {
 })
 }
 }
+
+func TestKubernetesImagePatchCompatibility(t *testing.T) {
+ // This test ensures that pinned Kubernetes images correspond to the
+ // supported Kubernetes versions. It prevents automatic upgrades until
+ // a patch generator is added to the codebase.
+ // TODO(burgerdev): remove after patches are generated automatically.
+ for v, clusterConfig := range VersionConfigs {
+ t.Run(string(v), func(t *testing.T) {
+ for i, component := range clusterConfig.KubernetesComponents.GetUpgradableComponents() {
+ if !strings.HasPrefix(component.Url, "data:") {
+ continue
+ }
+ t.Run(fmt.Sprintf("%d-%s", i, path.Base(component.InstallPath)), func(t *testing.T) {
+ require := require.New(t)
+ dataURL, err := dataurl.DecodeString(component.Url)
+ require.NoError(err)
+ require.Contains(string(dataURL.Data), clusterConfig.ClusterVersion)
+ })
+ }
+ })
+ }
+}
diff --git a/terraform-provider-constellation/go.sum b/terraform-provider-constellation/go.sum
index d1f2d7ac1..99c858fa3 100644
--- a/terraform-provider-constellation/go.sum
+++ b/terraform-provider-constellation/go.sum
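Review bot: `require.Contains(string(dataURL.Data), clusterConfig.ClusterVersion)` in TestKubernetesImagePatchCompatibility is a substring match on the raw payload, so it passes when the version is only a prefix of the pinned tag (`v1.26.1` matches a `v1.26.11` payload), and it never checks that the payload is valid JSON, that it patches the image field, or that a digest is present. Decoding the patch and matching the tag together with the `@sha256:` separator closes those gaps; this needs `encoding/json` in the import block and assumes `ClusterVersion` carries the leading `v` as the tag does. The check still does not tie the image name to the component named in `InstallPath`, which would take one more assertion.

```go
t.Run(fmt.Sprintf("%d-%s", i, path.Base(component.InstallPath)), func(t *testing.T) {
	// … unchanged: require.New, dataurl.DecodeString, require.NoError(err) …
	var patch []struct {
		Path  string `json:"path"`
		Value string `json:"value"`
	}
	require.NoError(json.Unmarshal(dataURL.Data, &patch))
	require.Len(patch, 1)
	require.Equal("/spec/containers/0/image", patch[0].Path)
	// Exact tag match, and the reference must be pinned by digest.
	require.Contains(patch[0].Value, ":"+clusterConfig.ClusterVersion+"@sha256:")
})
```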
@@ -871,6 +871,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=