Merge branch 'master' into fix-vulnerabilities

.github/workflows/build-push.yml

@@ -354,7 +354,7 @@ jobs:
   mac-build:
     needs: offset-build-number
 
-    runs-on: ${{ (matrix.architecture == 'amd64') && 'macos-12' || 'macos-14' }}
+    runs-on: ${{ (matrix.architecture == 'amd64') && 'macos-13' || 'macos-14' }}
 
     strategy:
       matrix:
@@ -450,7 +450,7 @@ jobs:
 
       # Upload created package to artifacts to be used in next job
       - name: Upload MacOS Package to Artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: macos-${{ matrix.architecture }}-package
           path: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}/pkg/mac/build/*.pkg
@@ -517,7 +517,7 @@ jobs:
 
         # Retrieve artifact from previous job
         - name: Download our MacOS Package Artifact
-          uses: actions/download-artifact@v3
+          uses: actions/download-artifact@v4
           with:
             name: macos-${{ matrix.architecture }}-package
             path: ${{ steps.workdir_setup.outputs.PKG_PATH }}

agent-install/agent-install.sh

@@ -2063,7 +2063,7 @@ function install_macos() {
         fi
 
         if [[ $AGENT_AUTO_UPGRADE != 'true' ]]; then
-            check_existing_exch_node_is_correct_type "device"
+            check_existing_exch_node_info "device"
         fi
 
         if is_agent_registered && (! is_horizon_defaults_correct || ! is_registration_correct); then
@@ -2311,7 +2311,7 @@ function install_debian() {
         check_and_set_anax_port   # sets ANAX_PORT
 
         if [[ $AGENT_AUTO_UPGRADE != 'true' ]]; then
-            check_existing_exch_node_is_correct_type "device"
+            check_existing_exch_node_info "device"
         fi
 
         if is_agent_registered && (! is_horizon_defaults_correct "$ANAX_PORT" || ! is_registration_correct); then
@@ -2573,7 +2573,7 @@ function install_redhat() {
     if [[ $AGENT_ONLY_CLI != 'true' ]]; then
         check_and_set_anax_port   # sets ANAX_PORT
         if [[ $AGENT_AUTO_UPGRADE != 'true' ]]; then
-            check_existing_exch_node_is_correct_type "device"
+            check_existing_exch_node_info "device"
         fi
 
         if is_agent_registered && (! is_horizon_defaults_correct "$ANAX_PORT" || ! is_registration_correct); then
@@ -3399,13 +3399,8 @@ function find_node_ip_address() {
     fi
 }
 
-# If node exist in management hub, verify it is correct type (device or cluster)
-function check_existing_exch_node_is_correct_type() {
-    log_debug "check_existing_exch_node_is_correct_type() begin"
-
-    local expected_type=$1
-
-    log_info "Verifying that node $NODE_ID in the exchange is type $expected_type (if it exists)..."
+# check the node with $NODE_ID in the exchange, return the output from the exchange
+function get_existing_exch_node() {
     local exch_creds cert_flag
     if [[ -n $HZN_EXCHANGE_USER_AUTH ]]; then exch_creds="$HZN_ORG_ID/$HZN_EXCHANGE_USER_AUTH"
     else exch_creds="$HZN_ORG_ID/$HZN_EXCHANGE_NODE_AUTH"   # input checking requires either user creds or node creds
@@ -3414,7 +3409,32 @@ function check_existing_exch_node_is_correct_type() {
     if [[ -n $AGENT_CERT_FILE && -f $AGENT_CERT_FILE ]]; then
         cert_flag="--cacert $AGENT_CERT_FILE"
     fi
-    local exch_output=$(curl -fsS ${CURL_RETRY_PARMS} $cert_flag $HZN_EXCHANGE_URL/orgs/$HZN_ORG_ID/nodes/$NODE_ID -u "$exch_creds" 2>/dev/null) || true
+    exch_output=$(curl -fsS ${CURL_RETRY_PARMS} $cert_flag $HZN_EXCHANGE_URL/orgs/$HZN_ORG_ID/nodes/$NODE_ID -u "$exch_creds" 2>/dev/null) || true
+    echo "$exch_output"
+}
+
+# check if the node with $NODE_ID exists in the exchange, and if public key of node is set
+function check_node_existing_and_active() {
+    log_debug "check_node_existing_and_active() begin"
+    local exch_output=$(get_existing_exch_node)
+    if [[ -n "$exch_output" ]]; then
+        local exch_node_public_key=$(echo $exch_output | jq -re '.nodes | .[].publicKey')
+        if [[ "$exch_node_public_key" != "" ]] ; then
+            log_fatal 2 "node $NODE_ID already exists in the exchange and encryption key is set. To continue, use a different node id or delete existing node from the exchange"
+        fi
+    fi
+    log_debug "check_node_existing_and_active() end"
+}
+
+# Check if the node exist in management hub, verify 1) it is correct type (device or cluster), 2) for cluster node, verify namespace
+function check_existing_exch_node_info() {
+    log_debug "check_existing_exch_node_info() begin"
+
+    local expected_type=$1
+    local expected_namespace=$2
+
+    log_info "Verifying that node $NODE_ID in the exchange is type $expected_type (if it exists)..."
+    local exch_output=$(get_existing_exch_node)
 
     if [[ -n "$exch_output" ]]; then
         local exch_node_type=$(echo $exch_output | jq -re '.nodes | .[].nodeType')
@@ -3423,9 +3443,17 @@ function check_existing_exch_node_is_correct_type() {
         elif [[ "$exch_node_type" == "cluster" ]] && [[ "$expected_type" != "cluster" ]]; then
             log_fatal 2 "Node id ${NODE_ID} has already been created as nodeType cluster. Remove the node from the exchange and run this script again."
         fi
+
+        local exch_node_namespace=$(echo $exch_output | jq -re '.nodes | .[].clusterNamespace')
+        local exch_node_public_key=$(echo $exch_output | jq -re '.nodes | .[].publicKey')
+        if [[ "$exch_node_type" == "cluster" ]] && [[ "$exch_node_public_key" != "" ]] && [[ "$expected_namespace" != "$exch_node_namespace" ]]; then
+            log_fatal 2 "Cluster node: $NODE_ID already exists in namespace $exch_node_namespace. To continue, use a different node id or delete existing node from the exchange"
+        elif [[ "$exch_node_type" == "cluster" ]] && [[ "$exch_node_public_key" == "" ]]; then
+            log_info "The node in the exchange ($exch_node_namespace) has empty encryption key, continue on cluster install/update"
+        fi
     fi
 
-    log_debug "check_existing_exch_node_is_correct_type() end"
+    log_debug "check_existing_exch_node_info() end"
 }
 
 # make sure the new exchange url and cert are good.
@@ -4516,7 +4544,7 @@ function install_update_cluster() {
 
     confirmCmds jq
 
-    check_existing_exch_node_is_correct_type "cluster"
+    check_existing_exch_node_info "cluster" $AGENT_NAMESPACE
 
     check_cluster_agent_scope   # sets AGENT_DEPLOYMENT_EXIST_IN_SAME_NAMESPACE
 
@@ -4562,6 +4590,8 @@ function install_update_cluster() {
 function install_cluster() {
     log_debug "install_cluster() begin"
 
+    check_node_existing_and_active
+
     # generate files based on templates
     generate_installation_files
 
@@ -4724,3 +4754,4 @@ elif is_cluster; then
 else
     log_fatal 1 "AGENT_DEPLOY_TYPE must be 'device' or 'cluster'"
 fi
+

agent-install/agent-uninstall.sh

@@ -19,10 +19,6 @@ SKIP_DELETE_AGENT_NAMESPACE=false
 USE_DELETE_FORCE=false
 DELETE_TIMEOUT=10 # Default delete timeout
 
-function now() {
-	echo `date '+%Y-%m-%d %H:%M:%S'`
-}
-
 # Exit handling
 function quit(){
   case $1 in
@@ -216,7 +212,7 @@ function get_agent_pod_id() {
     fi
 
     if [ "$AGENT_POD_READY" == "true" ]; then
-    	POD_ID=$($KUBECTL get pod -n ${AGENT_NAMESPACE} 2> /dev/null | grep "agent-" | cut -d " " -f1 2> /dev/null)
+    	POD_ID=$($KUBECTL get pod -n ${AGENT_NAMESPACE} -l app=agent,type!=auto-upgrade-cronjob 2> /dev/null | grep "agent-" | cut -d " " -f1 2> /dev/null)
     	if [ -n "${POD_ID}" ]; then
         	log_info "get pod: ${POD_ID}"
     	else
@@ -231,7 +227,7 @@ function removeNodeFromLocalAndManagementHub() {
     log_debug "removeNodeFromLocalAndManagementHub() begin"
     log_info "Check node status for agent pod: ${POD_ID}"
 
-    NODE_INFO=$($KUBECTL exec -it ${POD_ID} -n ${AGENT_NAMESPACE} -- bash -c "hzn node list")
+    NODE_INFO=$($KUBECTL exec ${POD_ID} -n ${AGENT_NAMESPACE} -c "anax" -- bash -c "hzn node list")
     NODE_STATE=$(echo $NODE_INFO | jq -r .configstate.state | sed 's/[^a-z]*//g')
     NODE_ID=$(echo $NODE_INFO | jq -r .id | sed 's/\r//g')
     log_debug "NODE config state for ${NODE_ID} is ${NODE_STATE}"
@@ -274,11 +270,11 @@ function unregister() {
     fi
 
     set +e
-    $KUBECTL exec -it ${POD_ID} -n ${AGENT_NAMESPACE} -- bash -c "${HZN_UNREGISTER_CMD}"
+    $KUBECTL exec ${POD_ID} -n ${AGENT_NAMESPACE} -c "anax" -- bash -c "${HZN_UNREGISTER_CMD}"
     set -e
 
     # verify the node is unregistered
-    NODE_STATE=$($KUBECTL exec -it ${POD_ID} -n ${AGENT_NAMESPACE} -- bash -c "hzn node list | jq -r .configstate.state" | sed 's/[^a-z]*//g')
+    NODE_STATE=$($KUBECTL exec ${POD_ID} -n ${AGENT_NAMESPACE} -c "anax" -- bash -c "hzn node list | jq -r .configstate.state" | sed 's/[^a-z]*//g')
     log_debug "NODE config state is ${NODE_STATE}"
 
     if [[ "$NODE_STATE" != "unconfigured" ]] && [[ "$NODE_STATE" != "unconfiguring" ]]; then
@@ -288,8 +284,9 @@ function unregister() {
     log_debug "unregister() end"
 }
 
+# escape: ;, $, &, |, (, )
 function getEscapedExchangeUserAuth() {
-	local escaped_auth=$( echo "${HZN_EXCHANGE_USER_AUTH}" | sed 's/;/\\;/g;s/\$/\\$/g;s/\&/\\&/g;s/|/\\|/g' )
+	local escaped_auth=$( echo "${HZN_EXCHANGE_USER_AUTH}" | sed 's/;/\\;/g;s/\$/\\$/g;s/\&/\\&/g;s/|/\\|/g;s/(/\\(/g;s/)/\\)/g' )
 	echo "${escaped_auth}"
 }
 
@@ -303,7 +300,7 @@ function deleteNodeFromManagementHub() {
     log_info "Deleting node ${node_id} from the management hub..."
 
     set +e
-    $KUBECTL exec -it ${POD_ID} -n ${AGENT_NAMESPACE} -- bash -c "${EXPORT_EX_USER_AUTH_CMD}; hzn exchange node remove ${node_id} -f"
+    $KUBECTL exec ${POD_ID} -n ${AGENT_NAMESPACE} -c "anax" -- bash -c "${EXPORT_EX_USER_AUTH_CMD}; hzn exchange node remove ${node_id} -f"
     set -e
 
     log_debug "deleteNodeFromManagementHub() end"
@@ -319,7 +316,7 @@ function verifyNodeRemovedFromManagementHub() {
     log_info "Verifying node ${node_id} is removed from the management hub..."
 
     set +e
-    $KUBECTL exec -it ${POD_ID} -n ${AGENT_NAMESPACE} -- bash -c "${EXPORT_EX_USER_AUTH_CMD}; hzn exchange node list ${node_id}" >/dev/null 2>&1
+    $KUBECTL exec ${POD_ID} -n ${AGENT_NAMESPACE} -c "anax" -- bash -c "${EXPORT_EX_USER_AUTH_CMD}; hzn exchange node list ${node_id}" >/dev/null 2>&1
     if [ $? -ne 8 ]; then
 	    log_warning "Node was not removed from the management hub"
     fi
@@ -380,26 +377,26 @@ function deleteAgentResources() {
     fi
 
     log_info "Deleting agent service..."
-    $KUBECTL delete svc $SERVICE_NAME -n $AGENT_NAMESPACE
+    $KUBECTL delete svc $SERVICE_NAME -n $AGENT_NAMESPACE --ignore-not-found
 
     log_info "Deleting configmap..."
-    $KUBECTL delete configmap $CONFIGMAP_NAME -n $AGENT_NAMESPACE
-    $KUBECTL delete configmap ${CONFIGMAP_NAME}-backup -n $AGENT_NAMESPACE
+    $KUBECTL delete configmap $CONFIGMAP_NAME -n $AGENT_NAMESPACE --ignore-not-found
+    $KUBECTL delete configmap ${CONFIGMAP_NAME}-backup -n $AGENT_NAMESPACE --ignore-not-found
 
     log_info "Deleting secret..."
-    $KUBECTL delete secret $SECRET_NAME -n $AGENT_NAMESPACE
-    $KUBECTL delete secret $IMAGE_REGISTRY_SECRET_NAME -n $AGENT_NAMESPACE
-    $KUBECTL delete secret $IMAGE_PULL_SECRET_NAME -n $AGENT_NAMESPACE
-    $KUBECTL delete secret ${SECRET_NAME}-backup -n $AGENT_NAMESPACE
+    $KUBECTL delete secret $SECRET_NAME -n $AGENT_NAMESPACE --ignore-not-found
+    $KUBECTL delete secret $IMAGE_REGISTRY_SECRET_NAME -n $AGENT_NAMESPACE --ignore-not-found
+    $KUBECTL delete secret $IMAGE_PULL_SECRET_NAME -n $AGENT_NAMESPACE --ignore-not-found
+    $KUBECTL delete secret ${SECRET_NAME}-backup -n $AGENT_NAMESPACE --ignore-not-found
 
     log_info "Deleting persistent volume..."
-    $KUBECTL delete pvc $PVC_NAME -n $AGENT_NAMESPACE
+    $KUBECTL delete pvc $PVC_NAME -n $AGENT_NAMESPACE --ignore-not-found
 
     log_info "Deleting clusterrolebinding..."
-    $KUBECTL delete clusterrolebinding ${AGENT_NAMESPACE}-${CLUSTER_ROLE_BINDING_NAME}
+    $KUBECTL delete clusterrolebinding ${AGENT_NAMESPACE}-${CLUSTER_ROLE_BINDING_NAME} --ignore-not-found
 
     log_info "Deleting serviceaccount..."
-    $KUBECTL delete serviceaccount $SERVICE_ACCOUNT_NAME -n $AGENT_NAMESPACE
+    $KUBECTL delete serviceaccount $SERVICE_ACCOUNT_NAME -n $AGENT_NAMESPACE --ignore-not-found
 
     if [[ "$SKIP_DELETE_AGENT_NAMESPACE" != "true" ]]; then
         log_info "Checking deployment and statefulset under namespace $AGENT_NAMESPACE"
@@ -416,7 +413,7 @@ function deleteAgentResources() {
     fi
 
     log_info "Deleting cert file from /etc/default/cert ..."
-    rm /etc/default/cert/agent-install.crt
+    rm -f /etc/default/cert/agent-install.crt
     set -e
 
     log_debug "deleteAgentResources() end"

anax-in-container/Dockerfile_agbot.ubi

@@ -13,6 +13,7 @@ LABEL description="The Agbot scans all the edge nodes in the system initiating d
 ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal psmisc procps-ng gettext"
 RUN  microdnf update  -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \
   && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \
+  && microdnf upgrade -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager krb5-libs \
   && microdnf clean all --disableplugin=subscription-manager \
   && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \
   && mkdir -p /licenses /usr/horizon/bin /usr/horizon/web /var/horizon/msgKey \