Fix embedded mirror blocked by SAR RBAC and re-enable test
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
brandond committed May 30, 2024
1 parent 5c08c33 commit 0495a0b
Showing 3 changed files with 13 additions and 4 deletions.
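--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -36,8 +36,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-# TODO fix embeddedmirror and add it to the matrix
-etest: [startup, s3, btrfs, externalip, privateregistry, wasm]
+etest: [startup, s3, btrfs, externalip, privateregistry, embeddedmirror, wasm]
 max-parallel: 3
 steps:
 - name: "Checkout"
@@ -116,4 +115,4 @@ jobs:
 chmod +x ./dist/artifacts/k3s
 . ./tests/docker/test-helpers
 . ./tests/docker/test-run-${{ matrix.dtest }}
-echo "Did test-run-${{ matrix.dtest }} pass $?"
+echo "Did test-run-${{ matrix.dtest }} pass $?"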
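--- a/pkg/agent/https/https.go
+++ b/pkg/agent/https/https.go
@@ -75,7 +75,11 @@ func Start(ctx context.Context, nodeConfig *config.Node, runtime *config.Control
 }
 
 authz := options.NewDelegatingAuthorizationOptions()
-authz.AlwaysAllowPaths = []string{"/v2", "/debug/pprof", "/v1-" + version.Program + "/p2p"}
+authz.AlwaysAllowPaths = []string{ // skip authz for paths that should not use SubjectAccessReview; basically everything that will use this router other than metrics
+"/v1-" + version.Program + "/p2p", // spegel libp2p peer discovery
+"/v2/*", // spegel registry mirror
+"/debug/pprof/*", // profiling
+}
 authz.RemoteKubeConfigFile = nodeConfig.AgentConfig.KubeConfigKubelet
 if applyErr := authz.ApplyTo(&config.Authorization); applyErr != nil {
 err = applyErr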
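Review bot: The `"/debug/pprof/*"` entry in `authz.AlwaysAllowPaths` takes every profiling sub-path out of SubjectAccessReview, so who can pull heap, goroutine and CPU profiles from this router now depends only on authentication, which is configured outside this hunk. A trailing `*` in this option is a prefix match, so the new entries are wider than the exact `/v2` and `/debug/pprof` they replace, and the bare paths without a trailing slash are no longer exempt. It would be worth confirming that anonymous requests are rejected before authorization and recording that next to the entry, for example `"/debug/pprof/*", // profiling; authz skipped, client must still authenticate`. The first comment would also read better on its own line above the assignment than trailing the opening brace. Start begins and ends outside the hunk.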
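--- a/tests/e2e/embeddedmirror/Vagrantfile
+++ b/tests/e2e/embeddedmirror/Vagrantfile
@@ -38,6 +38,9 @@ def provision(vm, role, role_num, node_num)
 
 if role.include?("server") && role_num == 0
 vm.provision "private-registry", type: "shell", inline: writePrivateRegistry
+vm.provision "create-images-dir", type: "shell", inline: "mkdir -p -m 777 /tmp/images /var/lib/rancher/k3s/agent/images"
+vm.provision "copy-images-file", type: "file", source: "../../../scripts/airgap/image-list.txt", destination: "/tmp/images/image-list.txt"
+vm.provision "move-images-file", type: "shell", inline: "mv /tmp/images/image-list.txt /var/lib/rancher/k3s/agent/images/image-list.txt"
 
 vm.provision 'k3s-primary-server', type: 'k3s', run: 'once' do |k3s|
 k3s.args = "server "
@@ -54,6 +57,9 @@ def provision(vm, role, role_num, node_num)
 
 elsif role.include?("server") && role_num != 0
 vm.provision "shell", inline: writePrivateRegistry
+vm.provision "create-images-dir", type: "shell", inline: "mkdir -p -m 777 /tmp/images /var/lib/rancher/k3s/agent/images"
+vm.provision "copy-images-file", type: "file", source: "../../../scripts/airgap/image-list.txt", destination: "/tmp/images/image-list.txt"
+vm.provision "move-images-file", type: "shell", inline: "mv /tmp/images/image-list.txt /var/lib/rancher/k3s/agent/images/image-list.txt"
 
 vm.provision 'k3s-secondary-server', type: 'k3s', run: 'once' do |k3s|
 k3s.args = "server"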
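Review bot: The `create-images-dir` step runs `mkdir -p -m 777` on both `/tmp/images` and `/var/lib/rancher/k3s/agent/images`, which leaves the agent's image directory world-writable although only the `/tmp/images` staging directory has to accept the upload from the file provisioner. The later `move-images-file` step is a shell provisioner and presumably runs privileged, so the final directory can keep default permissions: `inline: "mkdir -p -m 777 /tmp/images && mkdir -p /var/lib/rancher/k3s/agent/images"`. The same line appears in both the `role_num == 0` and `role_num != 0` branches, and the three added steps could be shared through one helper instead of being repeated. `provision` begins and ends outside the hunks.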
