chore: sync upstream v0.13.2

.drone.yml

@@ -8,7 +8,7 @@ platform:
 
 steps:
 - name: build
-  image: rancher/dapper:v0.5.8
+  image: rancher/dapper:v0.6.0
   commands:
   - dapper ci
   - dapper e2e-sonobuoy
@@ -101,7 +101,7 @@ node:
 
 steps:
 - name: build
-  image: rancher/dapper:v0.5.8
+  image: rancher/dapper:v0.6.0
   commands:
   - dapper ci
   volumes:
@@ -169,7 +169,7 @@ platform:
 
 steps:
 - name: build
-  image: rancher/dapper:v0.5.8
+  image: rancher/dapper:v0.6.0
   commands:
   - dapper ci
   volumes:

Dockerfile.dapper

@@ -1,33 +1,25 @@
-ARG KUBECTL=rancher/kubectl:v1.21.9
+ARG KUBECTL=rancher/kubectl:v1.25.4
 FROM ${KUBECTL} AS kubectl
 
-FROM golang:1.19-alpine
+FROM registry.suse.com/bci/golang:1.20
 
 COPY --from=kubectl /bin/kubectl /usr/local/bin/kubectl
-# COPY --from=sonobuoy /sonobuoy /usr/local/bin/sonobuoy
 
 ARG DAPPER_HOST_ARCH
 ENV ARCH $DAPPER_HOST_ARCH
+ARG SONOBUOY_VERSION=0.56.16
 
-RUN apk -U add coreutils bash expect git gcc jq musl-dev docker docker-compose vim less file curl wget ca-certificates iproute2
-RUN go install github.com/mgechev/[email protected] && \
-    rm -rf /go/src /go/pkg
-RUN go install golang.org/x/tools/cmd/goimports@latest && \
-    rm -rf /go/src /go/pkg
-RUN if [ "$(go env GOARCH)" = "amd64" ]; then \
-        curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.41.1; \
+RUN zypper -n install expect git jq  docker vim less file curl wget iproute2 gawk
+RUN if [ "${ARCH:-$(go env GOARCH)}" = "amd64" ]; then \
+        curl -sL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.51.2; \
+        curl -sL "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.0.3/kustomize_v5.0.3_linux_amd64.tar.gz" | tar -xz -C /usr/local/bin; \
+        curl -sL "https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_linux_${ARCH}.tar.gz" | tar -xz -C /usr/local/bin; \
+        curl -sL "https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose && \
+        chmod +x /usr/local/bin/docker-compose; \
     fi
-RUN if [ "${ARCH}" = "amd64" ]; then \
-        go install sigs.k8s.io/kustomize/kustomize/v5@latest; \
-    fi
-ARG SONOBUOY_VERSION=0.56.2
-RUN if [ "${ARCH}" != "arm" ] && [ "${ARCH}" != "s390x" ]; then \
-        set -x; \
-        curl -sL "https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_linux_${ARCH}.tar.gz" \
-        | tar -xz -C /usr/local/bin; \
-        chmod +x /usr/local/bin/sonobuoy; \
-    fi
-# ENV DAPPER_RUN_ARGS --privileged
+RUN mkdir -p /usr/local/lib/docker/cli-plugins; \
+    curl -o /usr/local/lib/docker/cli-plugins/docker-buildx -fsSL "https://github.com/docker/buildx/releases/download/v0.11.2/buildx-v0.11.2.linux-${ARCH}"; \
+    chmod +x /usr/local/lib/docker/cli-plugins/docker-buildx
 ENV DAPPER_ENV REPO TAG DRONE_TAG
 ENV DAPPER_SOURCE /go/src/github.com/spectrocloud/system-upgrade-controller/
 ENV DAPPER_OUTPUT ./bin ./dist

Makefile

@@ -13,7 +13,7 @@ IMG_PATH ?= gcr.io/spectro-dev-public/release
 ifeq ($(FIPS_ENABLE),yes)
 	IMG_PATH = gcr.io/spectro-dev-public/release-fips
 endif
-IMG_TAG ?= v0.11.4_spectro
+IMG_TAG ?= v0.13.2_spectro
 IMG_SERVICE_URL ?= ${IMG_PATH}/
 SUC_IMG ?= ${IMG_SERVICE_URL}system-upgrade-controller:${IMG_TAG}
 

README.md

@@ -119,7 +119,7 @@ spec:
   # Shares the same format as the `upgrade` container.
   prepare:
     # If not present, the tag portion of the image will be the value from `.status.latestVersion` a.k.a. the resolved version for this plan.
-    image: alpine:3.11
+    image: alpine:3.18
     command: [sh, -c]
     args: ["echo '### ENV ###'; env | sort; echo '### RUN ###'; find /run/system-upgrade | sort"]
 

e2e/cluster/local/docker-compose.yaml

@@ -6,17 +6,17 @@ volumes:
 
 services:
 
-  leader:
-    container_name: local-leader
+  server:
+    container_name: k3s-server-1
     image: "e2e/cluster/local/k3s"
     build:
       context: ./images/k3s/.
       args:
         - ARCH=${ARCH}
-    command: server --no-deploy=traefik,metrics-server
+    command: server --disable=traefik,metrics-server --disable-helm-controller
     environment:
       - K3S_TOKEN=e2e
-    hostname: local-leader
+    hostname: k3s-server-1
     privileged: true
     ports:
       - "6443:6443" # k3s
@@ -25,17 +25,13 @@ services:
         target: /etc/rancher/k3s
         type: volume
 
-  worker:
+  agent:
     depends_on:
-      - leader
-    container_name: local-worker
+      - server
+    container_name: k3s-agent-1
     image: "e2e/cluster/local/k3s"
-#    build:
-#      context: ./images/k3s/.
-#      args:
-#        - ARCH=${ARCH}
-    command: agent --server https://local-leader:6443
+    command: agent --server https://k3s-server-1:6443
     environment:
       - K3S_TOKEN=e2e
-    hostname: local-worker
+    hostname: k3s-agent-1
     privileged: true

e2e/cluster/local/images/k3s/Dockerfile

@@ -1,9 +1,9 @@
 # Install the all-in-one binary so we can copy our run-time images into the image
 # which helps avoid pulling them when running e2e tests.
-ARG SLES="registry.suse.com/suse/sle15:15.3"
-FROM ${SLES} AS k3s
+ARG BCI="registry.suse.com/bci/bci-base:15.5"
+FROM ${BCI} AS k3s
 ARG ARCH
-ARG K3S_VERSION="v1.21.9+k3s1"
+ARG K3S_VERSION="v1.25.9+k3s1"
 RUN set -x \
  && zypper -n in \
     ca-certificates \

e2e/cluster/local/scripts/cluster-get-kubeconfig

@@ -5,5 +5,4 @@ set -e -o pipefail
 cd $(dirname $0)/..
 
 mkdir -vp "$(dirname ${KUBECONFIG:="${HOME}/.kube/config"})"
-docker exec local-leader kubectl config view --raw | sed -e "s/127.0.0.1/${KUBEHOST:=127.0.0.1}/g" > "${KUBECONFIG}"
-#echo "${KUBECONFIG}" >&2
+docker exec k3s-server-1 kubectl config view --raw | sed -e "s/127.0.0.1/${KUBEHOST:=127.0.0.1}/g" > "${KUBECONFIG}"

e2e/cluster/local/scripts/cluster-prepare

@@ -4,9 +4,9 @@ set -e
 
 : "${ARCH?required}"
 : "${DIST?required}"
-: "${SLES_TAG:=15.3}"
-: "${KUBECTL_TAG:=v1.21.9}"
-: "${SONOBUOY_TAG:=v0.56.2}"
+: "${BCI_TAG:=15.4}"
+: "${KUBECTL_TAG:=v1.25.4}"
+: "${SONOBUOY_TAG:=v0.56.16}"
 
 docker-image-save() {
   echo "Pulling '$1:$2' ..."
@@ -24,6 +24,6 @@ rm -rf $(dirname $0)/../images/*/scratch/*
 cp -vf "${DIST}/system-upgrade-controller-${ARCH}.tar" $(dirname $0)/../images/k3s/scratch/
 cp -vf "${DIST}/system-upgrade-controller-e2e-tests-${ARCH}.tar" $(dirname $0)/../images/k3s/scratch/
 
-docker-image-save "registry.suse.com/suse/sle15"    "${SLES_TAG}"
+docker-image-save "registry.suse.com/bci/bci-base"    "${BCI_TAG}"
 docker-image-save "rancher/kubectl"   "${KUBECTL_TAG}"
 docker-image-save "sonobuoy/sonobuoy" "${SONOBUOY_TAG}"

e2e/framework/controller/deployment.go

@@ -12,6 +12,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	e2eframework "k8s.io/kubernetes/test/e2e/framework"
 	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
+	"k8s.io/utils/pointer"
 )
 
 type DeploymentOption func(*appsv1.Deployment)
@@ -20,6 +21,18 @@ func NewDeployment(name string, opt ...DeploymentOption) *appsv1.Deployment {
 	labels := map[string]string{
 		upgradeapi.LabelController: name,
 	}
+	securityContext := &corev1.SecurityContext{
+		AllowPrivilegeEscalation: pointer.Bool(false),
+		RunAsNonRoot:             pointer.Bool(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+		RunAsUser:  pointer.Int64(65534),
+		RunAsGroup: pointer.Int64(65534),
+	}
 	deployment := e2edeployment.NewDeployment(name, 1, labels, "system-upgrade-controller", "rancher/system-upgrade-controller:latest", appsv1.RecreateDeploymentStrategyType)
 	deployment.Spec.Template.Spec.Volumes = []corev1.Volume{{
 		Name: "tmp",
@@ -29,6 +42,7 @@ func NewDeployment(name string, opt ...DeploymentOption) *appsv1.Deployment {
 	}
 	for i := range deployment.Spec.Template.Spec.Containers {
 		container := &deployment.Spec.Template.Spec.Containers[i]
+		container.SecurityContext = securityContext
 		container.Env = []corev1.EnvVar{{
 			Name:  "SYSTEM_UPGRADE_CONTROLLER_NAME",
 			Value: name,

e2e/framework/framework.go

@@ -2,11 +2,10 @@ package framework
 
 import (
 	"context"
-	"fmt"
 	"strings"
 	"time"
 
-	"github.com/onsi/ginkgo"
+	"github.com/onsi/ginkgo/v2"
 	"github.com/rancher/system-upgrade-controller/e2e/framework/controller"
 	"github.com/rancher/system-upgrade-controller/pkg/apis/condition"
 	upgradeapi "github.com/rancher/system-upgrade-controller/pkg/apis/upgrade.cattle.io"
@@ -32,6 +31,7 @@ import (
 	"k8s.io/client-go/scale"
 	"k8s.io/kubernetes/test/e2e/framework"
 	frameworkauth "k8s.io/kubernetes/test/e2e/framework/auth"
+	admissionapi "k8s.io/pod-security-admission/api"
 )
 
 type Option func(*Options)
@@ -61,9 +61,10 @@ func New(name string, opt ...Option) *Client {
 	}
 	client := &Client{
 		Framework: framework.Framework{
-			BaseName:                 name,
-			AddonResourceConstraints: make(map[string]framework.ResourceConstraint),
-			Options:                  options.Options,
+			BaseName:                         name,
+			AddonResourceConstraints:         make(map[string]framework.ResourceConstraint),
+			NamespacePodSecurityEnforceLevel: admissionapi.LevelPrivileged,
+			Options:                          options.Options,
 		},
 	}
 	ginkgo.BeforeEach(client.BeforeEach)
@@ -121,6 +122,14 @@ func (c *Client) DeletePlans(options metav1.DeleteOptions, listOpts metav1.ListO
 	return c.UpgradeClientSet.UpgradeV1().Plans(c.Namespace.Name).DeleteCollection(context.TODO(), options, listOpts)
 }
 
+func (c *Client) CreateSecret(secret *corev1.Secret) (*corev1.Secret, error) {
+	return c.ClientSet.CoreV1().Secrets(c.Namespace.Name).Create(context.TODO(), secret, metav1.CreateOptions{})
+}
+
+func (c *Client) UpdateSecret(secret *corev1.Secret) (*corev1.Secret, error) {
+	return c.ClientSet.CoreV1().Secrets(c.Namespace.Name).Update(context.TODO(), secret, metav1.UpdateOptions{})
+}
+
 func (c *Client) WaitForPlanCondition(name string, cond condition.Cond, timeout time.Duration) (plan *upgradeapiv1.Plan, err error) {
 	return plan, wait.Poll(time.Second, timeout, func() (bool, error) {
 		plan, err = c.GetPlan(name, metav1.GetOptions{})
@@ -195,15 +204,6 @@ func (c *Client) beforeFramework() {
 	ginkgo.By("Creating a kubernetes client")
 	config, err := framework.LoadConfig()
 	framework.ExpectNoError(err)
-	testDesc := ginkgo.CurrentGinkgoTestDescription()
-	if len(testDesc.ComponentTexts) > 0 {
-		componentTexts := strings.Join(testDesc.ComponentTexts, " ")
-		config.UserAgent = fmt.Sprintf(
-			"%v -- %v",
-			rest.DefaultKubernetesUserAgent(),
-			componentTexts)
-	}
-
 	config.QPS = c.Framework.Options.ClientQPS
 	config.Burst = c.Framework.Options.ClientBurst
 	if c.Framework.Options.GroupVersion != nil {

e2e/framework/logging.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/onsi/ginkgo"
+	"github.com/onsi/ginkgo/v2"
 	"k8s.io/kubernetes/test/e2e/framework/ginkgowrapper"
 )
 

e2e/plugin/run.sh

@@ -1,23 +1,27 @@
 #!/bin/bash
 
+set -x
+
 # This is the entrypoint for the image and meant to wrap the
 # logic of gathering/reporting results to the Sonobuoy worker.
 
 results_dir="${RESULTS_DIR:-/tmp/results}"
 
-# save_results prepares the results for handoff to the Sonobuoy worker.
-# See: https://github.com/vmware-tanzu/sonobuoy/blob/master/docs/plugins.md
-save_results() {
+mkdir -p ${results_dir}
+
+# saveResults prepares the results for handoff to the Sonobuoy worker.
+# See: https://github.com/vmware-tanzu/sonobuoy/blob/main/site/content/docs/main/plugins.md
+saveResults() {
     cd ${results_dir}
 
     # Sonobuoy worker expects a tar file.
-	tar czf results.tar.gz *
+    tar czf results.tar.gz *
 
-	# Signal to the worker that we are done and where to find the results.
-	printf ${results_dir}/results.tar.gz > ${results_dir}/done
+    # Signal to the worker that we are done and where to find the results.
+    printf ${results_dir}/results.tar.gz > ${results_dir}/done
 }
 
 # Ensure that we tell the Sonobuoy worker we are done regardless of results.
-trap save_results EXIT
+trap saveResults EXIT
 
-ginkgo -p "${SUITE_EXE:-/bin/system-upgrade-controller.test}"
+ginkgo run --output-dir=${results_dir} --junit-report=junit.xml -p "${SUITE_EXE:-/bin/system-upgrade-controller.test}" -- --provider=local &>${results_dir}/out

e2e/suite/channel_resolve_test.go

@@ -5,6 +5,8 @@ import (
 	"net/http"
 	"net/http/httptest"
 
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	"github.com/rancher/system-upgrade-controller/e2e/framework"
 	upgradeapiv1 "github.com/rancher/system-upgrade-controller/pkg/apis/upgrade.cattle.io/v1"
 	upgradeplan "github.com/rancher/system-upgrade-controller/pkg/upgrade/plan"
@@ -18,17 +20,20 @@ var _ = Describe("Resolve channel", func() {
 			err        error
 			plan       *upgradeapiv1.Plan
 			ctx        context.Context
+			cancel     context.CancelFunc
 			channelSrv *httptest.Server
 			clusterID  string
 			latest     string
 		)
 		BeforeEach(func() {
+			ctx, cancel = context.WithCancel(context.Background())
 			plan = e2e.NewPlan("channel-", "", nil)
 		})
 		AfterEach(func() {
 			if channelSrv != nil {
 				channelSrv.Close()
 			}
+			cancel()
 		})
 		It("channel server is up with correct address", func() {
 			channelSrv = framework.ChannelServer("/local", http.StatusFound)
@@ -37,8 +42,8 @@ var _ = Describe("Resolve channel", func() {
 			plan, err = e2e.CreatePlan(plan)
 			Expect(err).ToNot(HaveOccurred())
 			latest, err = upgradeplan.ResolveChannel(ctx, plan.Spec.Channel, plan.Status.LatestVersion, clusterID)
-			Expect(latest).NotTo(BeEmpty())
 			Expect(err).ToNot(HaveOccurred())
+			Expect(latest).NotTo(BeEmpty())
 		})
 		It("channel server is up but url not found", func() {
 			channelSrv = framework.ChannelServer("/local", http.StatusNotFound)
@@ -47,8 +52,8 @@ var _ = Describe("Resolve channel", func() {
 			plan, err = e2e.CreatePlan(plan)
 			Expect(err).ToNot(HaveOccurred())
 			latest, err = upgradeplan.ResolveChannel(ctx, plan.Spec.Channel, plan.Status.LatestVersion, clusterID)
-			Expect(latest).To(BeEmpty())
 			Expect(err).To(HaveOccurred())
+			Expect(latest).To(BeEmpty())
 		})
 		It("Service Unavailable", func() {
 			channelSrv = framework.ChannelServer("/local", http.StatusServiceUnavailable)
@@ -57,8 +62,8 @@ var _ = Describe("Resolve channel", func() {
 			plan, err = e2e.CreatePlan(plan)
 			Expect(err).ToNot(HaveOccurred())
 			latest, err = upgradeplan.ResolveChannel(ctx, plan.Spec.Channel, plan.Status.LatestVersion, clusterID)
-			Expect(latest).To(BeEmpty())
 			Expect(err).To(HaveOccurred())
+			Expect(latest).To(BeEmpty())
 		})
 	})
 })