diff --git a/Makefile b/Makefile
index aac890ec9..48f2d0188 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,7 @@ DOCKER_VER ?= 19.03.12
 # we currently use our own flannel fork: gravitational/flannel
 FLANNEL_VER := v0.10.3-gravitational
 HELM_VER := 2.16.12
+HELM3_VER := 3.3.4
 COREDNS_VER := 1.7.0
 NODE_PROBLEM_DETECTOR_VER := v0.6.4
 CNI_VER := 0.8.6
diff --git a/build.assets/docker/os-rootfs/etc/planet/orbit.manifest.json b/build.assets/docker/os-rootfs/etc/planet/orbit.manifest.json
index 67ad14c44..e02eb4135 100644
--- a/build.assets/docker/os-rootfs/etc/planet/orbit.manifest.json
+++ b/build.assets/docker/os-rootfs/etc/planet/orbit.manifest.json
@@ -25,6 +25,10 @@
         "name": "version-helm",
         "value": "REPLACE_HELM_LATEST_VERSION"
       },
+      {
+        "name": "version-helm3",
+        "value": "REPLACE_HELM3_LATEST_VERSION"
+      },
       {
         "name": "version-coredns",
         "value": "REPLACE_COREDNS_LATEST_VERSION"
@@ -497,4 +501,4 @@
     }
   ]
 }
-}
\ No newline at end of file
+}
diff --git a/build.assets/docker/os-rootfs/usr/local/bin/helm3 b/build.assets/docker/os-rootfs/usr/local/bin/helm3
new file mode 100755
index 000000000..5f5fe5d13
--- /dev/null
+++ b/build.assets/docker/os-rootfs/usr/local/bin/helm3
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -eu
+
+# find out the real absolute path to this script, it may include the planet rootfs path
+if [ -L $0 ]; then
+    # invoked from host via a helm symlink set up during installation
+    DIR=$(dirname $(readlink $0))
+    KUBE_CONFIG=/etc/kubernetes/kubectl-host.kubeconfig
+else
+    # invoked directly, e.g. from inside the planet
+    DIR=$(dirname $0)
+    KUBE_CONFIG=/etc/kubernetes/kubectl.kubeconfig
+fi
+
+# determine the absolute path to the planet rootfs
+PLANET_ROOT=$(realpath ${DIR}/../../../)
+
+# invoke the real helm binary with a proper config and propagate all arguments as-is
+KUBECONFIG=${PLANET_ROOT}${KUBE_CONFIG} ${PLANET_ROOT}/usr/bin/helm3 "$@"
diff --git a/build.assets/makefiles/buildbox.mk b/build.assets/makefiles/buildbox.mk
index 8d4d6867c..58d61ff2e 100644
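Review bot: Every path expansion in the new wrapper is unquoted — `[ -L $0 ]`, `$(readlink $0)`, `$(dirname $0)`, `${DIR}/../../../` and the final `${PLANET_ROOT}/usr/bin/helm3` — so a rootfs path containing whitespace or glob characters is word-split or glob-expanded and, under `set -eu`, the wrapper either fails or execs the wrong binary; quoting each expansion is the norm in a bash wrapper that already forwards `"$@"` carefully. A second point to confirm rather than a certain defect: `readlink` without `-f` returns the symlink target exactly as written, so if the installation-time symlink is relative, `DIR` is relative to the symlink's own directory while the later `realpath` resolves it against the caller's cwd; whether the installer creates an absolute link is not visible in this diff, and `readlink -f "$0"` would sidestep the question and also follow a symlink-to-symlink chain, which the one-level `readlink` does not. The quoted rewrite of the affected lines is below.
```bash
if [ -L "$0" ]; then
    # invoked from host via a helm symlink set up during installation
    DIR=$(dirname "$(readlink "$0")")
    KUBE_CONFIG=/etc/kubernetes/kubectl-host.kubeconfig
else
    # invoked directly, e.g. from inside the planet
    DIR=$(dirname "$0")
    KUBE_CONFIG=/etc/kubernetes/kubectl.kubeconfig
fi

# … unchanged: comment …
PLANET_ROOT=$(realpath "${DIR}/../../../")

# … unchanged: comment …
KUBECONFIG="${PLANET_ROOT}${KUBE_CONFIG}" "${PLANET_ROOT}/usr/bin/helm3" "$@"
```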
--- a/build.assets/makefiles/buildbox.mk
+++ b/build.assets/makefiles/buildbox.mk
@@ -10,7 +10,7 @@ BUILDBOX_NAME ?= planet/buildbox
 BUILDBOX_IMAGE ?= $(BUILDBOX_NAME):$(PLANET_BUILD_TAG)
 export TMPFS_SIZE ?= 900m
 
-VER_UPDATES = ETCD_LATEST_VER KUBE_VER FLANNEL_VER DOCKER_VER HELM_VER COREDNS_VER NODE_PROBLEM_DETECTOR_VER
+VER_UPDATES = ETCD_LATEST_VER KUBE_VER FLANNEL_VER DOCKER_VER HELM_VER HELM3_VER COREDNS_VER NODE_PROBLEM_DETECTOR_VER
 
 .PHONY: all
 all: $(ROOTFS)/bin/bash build planet-image
@@ -35,6 +35,7 @@ build: | $(ASSETDIR) dumb-init
 	make -e \
 	KUBE_VER=$(KUBE_VER) \
 	HELM_VER=$(HELM_VER) \
+	HELM3_VER=$(HELM3_VER) \
 	COREDNS_VER=$(COREDNS_VER) \
 	CNI_VER=$(CNI_VER) \
 	FLANNEL_VER=$(FLANNEL_VER) \
@@ -58,6 +59,7 @@ planet-image:
 	sed -i "s/REPLACE_FLANNEL_LATEST_VERSION/$(FLANNEL_VER)/g" $(TARGETDIR)/orbit.manifest.json
 	sed -i "s/REPLACE_DOCKER_LATEST_VERSION/$(DOCKER_VER)/g" $(TARGETDIR)/orbit.manifest.json
 	sed -i "s/REPLACE_HELM_LATEST_VERSION/$(HELM_VER)/g" $(TARGETDIR)/orbit.manifest.json
+	sed -i "s/REPLACE_HELM3_LATEST_VERSION/$(HELM3_VER)/g" $(TARGETDIR)/orbit.manifest.json
 	sed -i "s/REPLACE_COREDNS_LATEST_VERSION/$(COREDNS_VER)/g" $(TARGETDIR)/orbit.manifest.json
 	sed -i "s/REPLACE_NODE_PROBLEM_DETECTOR_LATEST_VERSION/$(NODE_PROBLEM_DETECTOR_VER)/g" $(TARGETDIR)/orbit.manifest.json
 	cp $(TARGETDIR)/orbit.manifest.json $(ROOTFS)/etc/planet/
diff --git a/build.assets/makefiles/kubernetes/kubernetes.mk b/build.assets/makefiles/kubernetes/kubernetes.mk
index 4e031ddda..2344045fc 100644
--- a/build.assets/makefiles/kubernetes/kubernetes.mk
+++ b/build.assets/makefiles/kubernetes/kubernetes.mk
@@ -5,6 +5,7 @@ DOWNLOAD_URL := https://storage.googleapis.com/kubernetes-release/release/$(KUBE
 REPODIR := $(GOPATH)/src/github.com/kubernetes/kubernetes
 OUTPUTDIR := $(ASSETDIR)/k8s-$(KUBE_VER)
 HELM_TARBALL:= $(ASSETDIR)/helm-$(HELM_VER).tgz
+HELM3_TARBALL:= $(ASSETDIR)/helm-$(HELM3_VER).tgz
 COREDNS_TARBALL := $(ASSETDIR)/coredns-$(COREDNS_VER).tgz
 BINARIES := kube-apiserver \
 	kube-controller-manager \
@@ -13,11 +14,12 @@ BINARIES := kube-apiserver \
 	kube-proxy \
 	kubelet
 KUBE_OUTPUTS := $(addprefix $(OUTPUTDIR)/, $(BINARIES))
-OUTPUTS := $(KUBE_OUTPUTS) $(HELM_TARBALL) $(COREDNS_TARBALL)
+OUTPUTS := $(KUBE_OUTPUTS) $(HELM_TARBALL) $(HELM3_TARBALL) $(COREDNS_TARBALL)
 
 all: kubernetes.mk $(OUTPUTS)
 	tar xvzf $(COREDNS_TARBALL) -C $(ROOTFS)/usr/bin coredns
 	tar xvzf $(HELM_TARBALL) --strip-components=1 -C $(ROOTFS)/usr/bin linux-amd64/helm
+	tar --transform='flags=r;s|helm|helm3|' -xvzf $(HELM3_TARBALL) --strip-components=1 -C $(ROOTFS)/usr/bin linux-amd64/helm
 
 $(OUTPUTDIR):
 	mkdir -p $@
@@ -28,7 +30,11 @@ $(KUBE_OUTPUTS): | $(OUTPUTDIR)
 	chmod +x $@
 
 $(HELM_TARBALL):
-	curl https://kubernetes-helm.storage.googleapis.com/helm-v$(HELM_VER)-linux-amd64.tar.gz \
+	curl https://get.helm.sh/helm-v$(HELM_VER)-linux-amd64.tar.gz \
+	-o $@
+
+$(HELM3_TARBALL):
+	curl https://get.helm.sh/helm-v$(HELM3_VER)-linux-amd64.tar.gz \
 	-o $@
 
 $(COREDNS_TARBALL):
diff --git a/lib/constants/constants.go b/lib/constants/constants.go
index 538216c59..35164f355 100644
--- a/lib/constants/constants.go
+++ b/lib/constants/constants.go
@@ -56,6 +56,9 @@ const (
 	// GroupReadWriteMask is a file mask for owder/group read/write
 	GroupReadWriteMask = 0660
 
+	// OwnerReadMask is a file mask for owner read-only
+	OwnerReadMask = 0400
+
 	// DeviceReadWritePerms specifies the read/write permissions for a device
 	DeviceReadWritePerms = "rwm"
 
diff --git a/tool/planet/start.go b/tool/planet/start.go
index 31a9e6ac4..1b758883f 100644
--- a/tool/planet/start.go
+++ b/tool/planet/start.go
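Review bot: The new `$(HELM3_TARBALL)` rule fetches the Helm 3 release with a bare `curl` and no integrity check, so the tarball later unpacked into `$(ROOTFS)/usr/bin` and shipped as `helm3` is whatever the CDN happened to serve: without `-f` an HTTP error page is saved as the target and the rule still succeeds, an interrupted transfer leaves a partial file that Make then considers up to date (no `.DELETE_ON_ERROR` is visible in this file), and nothing ties the downloaded bytes to the release named by `HELM3_VER`. Since the version is pinned, pinning the SHA-256 that Helm publishes next to each release archive and writing the target atomically turns this into a fail-closed, reproducible fetch; the `$(HELM_TARBALL)` rule whose URL this hunk changes has the same gap. A rewrite of the new rule is below; the digest value has to be filled in from the release's published checksum file.
```make
# SHA-256 of helm-v$(HELM3_VER)-linux-amd64.tar.gz as published next to the release archive
HELM3_SHA256 := FILL-IN-FROM-RELEASE-CHECKSUM-FILE

$(HELM3_TARBALL):
	curl -fsSL https://get.helm.sh/helm-v$(HELM3_VER)-linux-amd64.tar.gz -o $@.tmp
	echo "$(HELM3_SHA256)  $@.tmp" | sha256sum -c -
	mv -f $@.tmp $@
```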
@@ -617,7 +617,9 @@ func addKubeConfig(config *Config) error {
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	err = utils.SafeWriteFile(path, kubeConfig, constants.SharedReadMask)
+	// set read-only permissions for kubectl.kubeconfig to avoid annoying warning from Helm 3
+	// 'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /etc/kubernetes/kubectl.kubeconfig'
+	err = utils.SafeWriteFile(path, kubeConfig, constants.OwnerReadMask)
 	if err != nil {
 		return trace.Wrap(err)
 	}
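Review bot: The comment on the new `SafeWriteFile` call justifies 0400 as silencing an "annoying" Helm warning, which undersells the change: the file holds cluster credentials and restricting it to its owner is correct on its own merits, so I would state that, e.g. `// kubectl.kubeconfig carries cluster credentials: keep it readable by its owner only (0400). This also satisfies Helm 3's check that warns on a group-readable kubeconfig.` Two things are worth confirming before relying on the tightening, neither visible in the hunk: whether `utils.SafeWriteFile` applies the mode to a file that already exists, because on upgrade the file will be present with the previous `SharedReadMask` bits and a plain create-with-mode does not chmod an existing file, leaving both the warning and the wider permissions in place; and whether any reader other than the file's owner depends on this kubeconfig, since the old mask's name suggests it was deliberately shared and such readers now get a permission error. `addKubeConfig` begins outside the hunk.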