
Add validation for OS when using registry mirror InsecureSkipVerify #5314

Merged

Conversation

cxbrowne1207
Member

@cxbrowne1207 cxbrowne1207 commented Mar 20, 2023

Issue #, if available:
#647, following up on the introduction of the InsecureSkipVerify flag and introducing it to the other providers. However, bottlerocket is not supported.

Description of changes:
Adds a preflight validation that checks if the OS is valid for the provided registry mirror configuration with insecure skip verify enabled.

Testing (if applicable):
Unit tests
Manual testing

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
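The preflight rule this PR describes, written out as an added Go example (this is not the eks-anywhere project's own code): a stand-in cluster spec with a registry mirror and the machine groups it references, and a validator that rejects a mirror configured with InsecureSkipVerify whenever any referenced machine group runs Bottlerocket. It goes slightly beyond the snippet discussed in review by checking every referenced machine group rather than only the control plane, and by reporting a missing machine config instead of dereferencing it. All type, field and function names here (`ClusterSpec`, `MachineConfig`, `RegistryMirrorConfiguration`, `ValidateInsecureSkipVerifyOS`) and the sample values are constructed for this example and are not the project's API.

```go
package main

import (
	"errors"
	"fmt"
)

// OSFamily is the machine image family. The names are constructed stand-ins
// for this example, not the eks-anywhere API types.
type OSFamily string

const (
	Ubuntu       OSFamily = "ubuntu"
	RedHat       OSFamily = "redhat"
	Bottlerocket OSFamily = "bottlerocket"
)

// RegistryMirrorConfiguration is a stand-in for the registry mirror spec.
// InsecureSkipVerify disables TLS certificate verification against the mirror,
// which is why the OS family has to support it.
type RegistryMirrorConfiguration struct {
	Endpoint           string
	InsecureSkipVerify bool
}

// MachineConfig is a stand-in for one machine group (control plane or worker).
type MachineConfig struct {
	Name     string
	OSFamily OSFamily
}

// ClusterSpec holds the mirror config, the machine configs by name, and the
// names referenced by the control plane and every worker node group.
type ClusterSpec struct {
	RegistryMirror   *RegistryMirrorConfiguration
	MachineConfigs   map[string]*MachineConfig
	MachineGroupRefs []string
}

// ValidateInsecureSkipVerifyOS is the preflight rule described in the PR:
// when a registry mirror is configured with InsecureSkipVerify, no referenced
// machine group may use Bottlerocket, because the flag is not supported there.
// Every referenced group is checked, and a missing config is an error rather
// than a nil dereference.
func ValidateInsecureSkipVerifyOS(spec ClusterSpec) error {
	if spec.RegistryMirror == nil || !spec.RegistryMirror.InsecureSkipVerify {
		return nil // nothing to validate: no mirror, or verification stays on
	}
	if len(spec.MachineGroupRefs) == 0 {
		return errors.New("registry mirror InsecureSkipVerify set but no machine groups are referenced")
	}
	for _, ref := range spec.MachineGroupRefs {
		mc, ok := spec.MachineConfigs[ref]
		if !ok || mc == nil {
			return fmt.Errorf("machine group %q is referenced by the cluster but has no machine config", ref)
		}
		if mc.OSFamily == Bottlerocket {
			return fmt.Errorf("InsecureSkipVerify is not supported for bottlerocket (machine group %q)", ref)
		}
	}
	return nil
}

func main() {
	// Constructed sample: control plane on Ubuntu, one worker group on Bottlerocket.
	spec := ClusterSpec{
		RegistryMirror: &RegistryMirrorConfiguration{Endpoint: "mirror.example.internal:443", InsecureSkipVerify: true},
		MachineConfigs: map[string]*MachineConfig{
			"cp":   {Name: "cp", OSFamily: Ubuntu},
			"md-0": {Name: "md-0", OSFamily: Bottlerocket},
		},
		MachineGroupRefs: []string{"cp", "md-0"},
	}
	if err := ValidateInsecureSkipVerifyOS(spec); err != nil {
		fmt.Println("preflight failed:", err)
	} else {
		fmt.Println("preflight passed")
	}
}
```

The check is deliberately keyed on the mirror flag first: with `InsecureSkipVerify` unset, a Bottlerocket machine group is still allowed, so the rule only constrains the configuration that actually turns certificate verification off.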

@eks-distro-bot
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@eks-distro-bot eks-distro-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 20, 2023
@cxbrowne1207 cxbrowne1207 changed the title Add validation that checks if the OS is valid for the provided registry mirror configuration Add validation checking valid OS for registry mirror InsecureSkipVerify Mar 20, 2023
@codecov

codecov bot commented Mar 20, 2023

Codecov Report

Merging #5314 (e6a50f4) into main (756aba2) will increase coverage by 0.03%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #5314      +/-   ##
==========================================
+ Coverage   72.41%   72.44%   +0.03%     
==========================================
  Files         440      440              
  Lines       36152    36216      +64     
==========================================
+ Hits        26179    26238      +59     
- Misses       8408     8410       +2     
- Partials     1565     1568       +3     
Impacted Files Coverage Δ
pkg/api/v1alpha1/cluster.go 75.89% <ø> (-0.46%) ⬇️
pkg/api/v1alpha1/cluster_types.go 81.96% <ø> (+1.59%) ⬆️
pkg/registrymirror/registrymirror.go 100.00% <ø> (ø)
pkg/validations/cluster.go 96.20% <100.00%> (+0.81%) ⬆️
...idations/createvalidations/preflightvalidations.go 100.00% <100.00%> (ø)
...dations/upgradevalidations/preflightvalidations.go 100.00% <100.00%> (ø)

... and 8 files with indirect coverage changes


@cxbrowne1207 cxbrowne1207 changed the title Add validation checking valid OS for registry mirror InsecureSkipVerify Add validation for OS when using registry mirror InsecureSkipVerify Mar 20, 2023
@cxbrowne1207
Member Author

/test all


@cxbrowne1207 cxbrowne1207 marked this pull request as ready for review March 20, 2023 23:27
@@ -728,7 +733,7 @@ func validateMirrorConfig(clusterConfig *Cluster) error {
case DockerDatacenterKind, NutanixDatacenterKind, VSphereDatacenterKind, TinkerbellDatacenterKind, CloudStackDatacenterKind, SnowDatacenterKind:
Member


Not sure if this validation is needed. To me this should be a feature parity we support across providers -- any new provider added should support this.

Member Author


That makes sense. We can just remove it now.

}

if osFamily == v1alpha1.Bottlerocket {
return fmt.Errorf("InsecureSkipVerify is not supported for bottlerocket")
Member


Suggested change
return fmt.Errorf("InsecureSkipVerify is not supported for bottlerocket")
return errors.New("InsecureSkipVerify is not supported for bottlerocket")


switch cluster.Spec.DatacenterRef.Kind {
case v1alpha1.NutanixDatacenterKind:
osFamily = clusterSpec.NutanixMachineConfigs[cluster.Spec.ControlPlaneConfiguration.MachineGroupRef.Name].OSFamily()
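Review bot: in the `case v1alpha1.NutanixDatacenterKind` branch the map lookup `clusterSpec.NutanixMachineConfigs[...MachineGroupRef.Name]` is dereferenced immediately via `.OSFamily()`; if the referenced machine config is missing from the map the lookup yields the zero value, and with pointer values that call can panic, so take the `ok` result of the lookup (`mc, ok := clusterSpec.NutanixMachineConfigs[name]`) and return a validation error when it is absent. Separately, only the control plane's `MachineGroupRef` is consulted here, so a worker node group whose machine config uses a different OS family would not be checked; iterate over every machine group the cluster references and apply the Bottlerocket check to each.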
Member


Do we support each machine config having a different OS family?

Member Author

@cxbrowne1207 cxbrowne1207 Mar 22, 2023


Yeah, I went through some testing to verify, and it seems as though we do. I've updated the code to take that into account. The solution is cleaner now as well.

@cxbrowne1207 cxbrowne1207 requested a review from jiayiwang7 March 22, 2023 01:28
@cxbrowne1207 cxbrowne1207 force-pushed the insecure-skip-verify-os-validation branch from 9911dc6 to e6a50f4 Compare March 22, 2023 01:53
@cxbrowne1207
Member Author

/approve

@eks-distro-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cxbrowne1207


@eks-distro-bot eks-distro-bot merged commit feed2a9 into aws:main Mar 22, 2023
eks-distro-bot pushed a commit that referenced this pull request Mar 23, 2023
* Update branch name

* Update opencontainers/runc (#5306)

* Add Cilium skipUpgrade flag to v1alpha1 API (#5298)

* More 1.26 e2e tests (#5275)

* Changing logic for removing hardware from catalogue (#5296)

* Changing logic for removing hardware from catalogue to save list copy

* Adding more unit tests and moving out key create

* Revert "Update opencontainers/runc (#5306)" (#5309)

This reverts commit b1681d6.

* Validate Mgmt Cluster Bundles Version on Upgrade (#5263)

Validates that the management cluster's bundle is the same version or newer than the bundle version used to upgrade a workload cluster.

* change signaling method for FCL curated packages support (#5315)

Previously, the creation of a package bundle controller was executed via a
helm chart release. Now that helm chart will create a package instead. The end
result being the same, that the packages controller will notice the newly
created resource and do what it needs to support curated packages on the new
workload cluster.

One additional value is passed to the helm invocation to help the packages
controller take the appropriate actions.

* Make image-builder OS support and prerequisites section more clear (#5317)

* Autogenerate eksctl anywhere command doc from code (#5299)

* fix field to adapt to new schema (#5323)

* Fix kubectl get call to point to full API name (#5326)

* Fix providers to point to full API name

* Fix

* Fix unit-test

* Fixing tink reconcile worker template omit and logs (#5246)

* Implement unmanaged CNI for CLI based clusters (#5305)

* Remove hardcoded artifact links in docs (#5320)

* added insecure skip verify e2e test for 1.26 (#5322)

* Validate Mgmt Cluster Bundles Version on Create (#5321)

Validates that the management cluster's bundle is the same version or newer than the bundle version used to create a workload cluster.

* Add doc for Nutanix projects and Terraform support (#5330)

* Enable full lifecycle support for Tinkerbell (#5327)

* Fix ECR endpoint URL in Harbor use-case doc (#5233)

* add validation that checks if the OS is valid for the provided registry mirror configuration (#5314)

* set management cluster name helm value (#5331)

Passes the management cluster's name when installing curated packages on a
workload cluster. Removes the workloadOnly flag, as it's no longer needed in
this case, as the FCL/CLI curated packages installation for workload clusters
is now triggered from the workloadPackageOnly flag.

* Add insecureSkipVerify in registry mirror doc (#5339)

* Expand all kubectl calls to fully qualified names (#5332)

* Expand all kubectl calls to fully qualified names

* Fix unit-test

* Fix CAPI Machines

* Add uncovered unit-tests - 1

* Fix harbor endpoint URL in docs (#5340)

* Fix harbor endpoint URL in docs

* Restored previous image

* Add doc for harbor v2.7.1 (#5346)

* add doc for harbor v2.7.1

* more updates

* Add cluster lifecycle information to docs (#5302)

* Add cluster lifecycle information to docs

* Fixes from review comments

* Add wording about upgrade and delete

* Use default credential names if credential names are not set (#5324)

Use `nutanix-credentials` as NutanixDatacenterConfig credentialRef name
if it is not present. This ensures we don't get a nil-pointer dereference
during upgrade and upgrade can happen smoothly.

* Update e2e pkg metallb && Wait for pkg controller installation (#5351)

* MetalLB tests for multiple k8s versions

* Add e2e validation for package controller package installation

* Packages e2e cluster spec (#5221)

* Packages e2e tests for cluster spec

* Packages e2e cluster spec

* lint

* Fix nutanix bad rebase

* [PR BOT] Generate release test file (#5303)

* skipping tink tests due to lack of resources (#5357)

* [PR BOT] Update ATTRIBUTION.txt file (#5255)

* add kernel settings for BR (#5304)

* Bump Homebrew version for EKS-A v0.14.5 (#5355)

* Backport v0.14.5 changelog to main (#5354)

---------

Co-authored-by: Xu Deng <xudeng@amazon.com>
Co-authored-by: Chris Doherty <chris.doherty4@gmail.com>
Co-authored-by: Taylor Neyland <57606775+taneyland@users.noreply.github.com>
Co-authored-by: Aravind Ramalingam <60027164+pokearu@users.noreply.github.com>
Co-authored-by: Jonathan Meier <jonathanmeier5@users.noreply.github.com>
Co-authored-by: Eric Wollesen <169516+ewollesen@users.noreply.github.com>
Co-authored-by: Abhay Krishna <arnchlm@amazon.com>
Co-authored-by: Joey Wang <jiayiwang7@yahoo.com>
Co-authored-by: Vincent Ni <vincentni@users.noreply.github.com>
Co-authored-by: Vignesh Goutham Ganesh <72776369+vignesh-goutham@users.noreply.github.com>
Co-authored-by: Yannick Struyf <yannick.struyf@nutanix.com>
Co-authored-by: Mitali Paygude <mitalipaygude@gmail.com>
Co-authored-by: Hendry Anwar <hendry.anwar@live.com>
Co-authored-by: Chris Negus <striker57@gmail.com>
Co-authored-by: Sid Shukla <6081171+thunderboltsid@users.noreply.github.com>
Co-authored-by: Lewis Diamond <git@lewisdiamond.com>
Co-authored-by: Terry Howe <terrylhowe@gmail.com>
Co-authored-by: EKS Distro PR Bot <75336432+eks-distro-pr-bot@users.noreply.github.com>
Co-authored-by: ahreehong <46465244+ahreehong@users.noreply.github.com>
eks-distro-bot pushed a commit that referenced this pull request Mar 24, 2023
* Update opencontainers/runc (#5306)

* Add Cilium skipUpgrade flag to v1alpha1 API (#5298)

* More 1.26 e2e tests (#5275)

* Changing logic for removing hardware from catalogue (#5296)

* Changing logic for removing hardware from catalogue to save list copy

* Adding more unit tests and moving out key create

* Revert "Update opencontainers/runc (#5306)" (#5309)

This reverts commit b1681d6.

* Validate Mgmt Cluster Bundles Version on Upgrade (#5263)

Validates that the management cluster's bundle is the same version or newer than the bundle version used to upgrade a workload cluster.

* change signaling method for FCL curated packages support (#5315)

Previously, the creation of a package bundle controller was executed via a
helm chart release. Now that helm chart will create a package instead. The end
result being the same, that the packages controller will notice the newly
created resource and do what it needs to support curated packages on the new
workload cluster.

One additional value is passed to the helm invocation to help the packages
controller take the appropriate actions.

* Make image-builder OS support and prerequisites section more clear (#5317)

* Autogenerate eksctl anywhere command doc from code (#5299)

* fix field to adapt to new schema (#5323)

* Fix kubectl get call to point to full API name (#5326)

* Fix providers to point to full API name

* Fix

* Fix unit-test

* Fixing tink reconcile worker template omit and logs (#5246)

* Implement unmanaged CNI for CLI based clusters (#5305)

* Remove hardcoded artifact links in docs (#5320)

* added insecure skip verify e2e test for 1.26 (#5322)

* Validate Mgmt Cluster Bundles Version on Create (#5321)

Validates that the management cluster's bundle is the same version or newer than the bundle version used to create a workload cluster.

* Add doc for Nutanix projects and Terraform support (#5330)

* Enable full lifecycle support for Tinkerbell (#5327)

* Fix ECR endpoint URL in Harbor use-case doc (#5233)

* add validation that checks if the OS is valid for the provided registry mirror configuration (#5314)

* set management cluster name helm value (#5331)

Passes the management cluster's name when installing curated packages on a
workload cluster. Removes the workloadOnly flag, as it's no longer needed in
this case, as the FCL/CLI curated packages installation for workload clusters
is now triggered from the workloadPackageOnly flag.

* Add insecureSkipVerify in registry mirror doc (#5339)

* Expand all kubectl calls to fully qualified names (#5332)

* Expand all kubectl calls to fully qualified names

* Fix unit-test

* Fix CAPI Machines

* Add uncovered unit-tests - 1

* Fix harbor endpoint URL in docs (#5340)

* Fix harbor endpoint URL in docs

* Restored previous image

* Add doc for harbor v2.7.1 (#5346)

* add doc for harbor v2.7.1

* more updates

* Add cluster lifecycle information to docs (#5302)

* Add cluster lifecycle information to docs

* Fixes from review comments

* Add wording about upgrade and delete

* Use default credential names if credential names are not set (#5324)

Use `nutanix-credentials` as NutanixDatacenterConfig credentialRef name
if it is not present. This ensures we don't get a nil-pointer dereference
during upgrade and upgrade can happen smoothly.

* Update e2e pkg metallb && Wait for pkg controller installation (#5351)

* MetalLB tests for multiple k8s versions

* Add e2e validation for package controller package installation

* Packages e2e cluster spec (#5221)

* Packages e2e tests for cluster spec

* Packages e2e cluster spec

* lint

* Fix nutanix bad rebase

* [PR BOT] Generate release test file (#5303)

* skipping tink tests due to lack of resources (#5357)

* [PR BOT] Update ATTRIBUTION.txt file (#5255)

* add kernel settings for BR (#5304)

* Bump Homebrew version for EKS-A v0.14.5 (#5355)

* Backport v0.14.5 changelog to main (#5354)

* [PR BOT] Generate release testdata files (#5362)

---------

Co-authored-by: Xu Deng <xudeng@amazon.com>
Co-authored-by: Chris Doherty <chris.doherty4@gmail.com>
Co-authored-by: Taylor Neyland <57606775+taneyland@users.noreply.github.com>
Co-authored-by: Aravind Ramalingam <60027164+pokearu@users.noreply.github.com>
Co-authored-by: Jonathan Meier <jonathanmeier5@users.noreply.github.com>
Co-authored-by: Eric Wollesen <169516+ewollesen@users.noreply.github.com>
Co-authored-by: Abhay Krishna <arnchlm@amazon.com>
Co-authored-by: Joey Wang <jiayiwang7@yahoo.com>
Co-authored-by: Vincent Ni <vincentni@users.noreply.github.com>
Co-authored-by: Vignesh Goutham Ganesh <72776369+vignesh-goutham@users.noreply.github.com>
Co-authored-by: Yannick Struyf <yannick.struyf@nutanix.com>
Co-authored-by: Mitali Paygude <mitalipaygude@gmail.com>
Co-authored-by: Hendry Anwar <hendry.anwar@live.com>
Co-authored-by: Chris Negus <striker57@gmail.com>
Co-authored-by: Sid Shukla <6081171+thunderboltsid@users.noreply.github.com>
Co-authored-by: Lewis Diamond <git@lewisdiamond.com>
Co-authored-by: Terry Howe <terrylhowe@gmail.com>
Co-authored-by: EKS Distro PR Bot <75336432+eks-distro-pr-bot@users.noreply.github.com>
Co-authored-by: ahreehong <46465244+ahreehong@users.noreply.github.com>
Labels
approved lgtm size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
3 participants