diff --git a/README.md b/README.md
index 5940c171..4d6f3ea4 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ Vitess Operator Version | Recommended Vitess Versions | Recommended Kubernetes V
 `v2.7.*` | `v14.0.*` | `v1.20.*`, `v1.21.*`, or `v1.22.*`
 `v2.8.*` | `v15.0.*` | `v1.22.*`, `v1.23.*`, or `v1.24.*`
 `v2.9.*` | `v16.0.*` | `v1.22.*`, `v1.23.*`, or `v1.24.*`
-`latest` | `latest` | `v1.22.*`, `v1.23.*`, or `v1.24.*`
+`latest` | `latest` | `v1.22.*`, `v1.23.*`, `v1.24.*`, or `v1.25.*`
 If for some reason you must attempt to use versions outside the recommend window, we still welcome bug reports since a workaround might be possible.
diff --git a/pkg/controller/etcdlockserver/etcdlockserver_controller.go b/pkg/controller/etcdlockserver/etcdlockserver_controller.go
index 1b6afd71..1073f445 100644
--- a/pkg/controller/etcdlockserver/etcdlockserver_controller.go
+++ b/pkg/controller/etcdlockserver/etcdlockserver_controller.go
@@ -23,7 +23,7 @@ import (
 "github.com/sirupsen/logrus"
 corev1 "k8s.io/api/core/v1"
- policyv1beta1 "k8s.io/api/policy/v1beta1"
+ policyv1 "k8s.io/api/policy/v1"
 apiequality "k8s.io/apimachinery/pkg/api/equality"
 "k8s.io/apimachinery/pkg/api/errors"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -58,7 +58,7 @@ var watchResources = []client.Object{
 &corev1.Pod{},
 &corev1.Service{},
 &corev1.PersistentVolumeClaim{},
- &policyv1beta1.PodDisruptionBudget{},
+ &policyv1.PodDisruptionBudget{},
 }
 // Add creates a new EtcdLockserver Controller and adds it to the Manager. The Manager will set fields on the Controller
diff --git a/pkg/controller/etcdlockserver/reconcile_pdb.go b/pkg/controller/etcdlockserver/reconcile_pdb.go
index c8260649..be201a85 100644
--- a/pkg/controller/etcdlockserver/reconcile_pdb.go
+++ b/pkg/controller/etcdlockserver/reconcile_pdb.go
@@ -19,7 +19,7 @@ package etcdlockserver
 import (
 "context"
- policyv1beta1 "k8s.io/api/policy/v1beta1"
+ policyv1 "k8s.io/api/policy/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -50,13 +50,13 @@ func (r *ReconcileEtcdLockserver) reconcilePodDisruptionBudget(ctx context.Conte
 Name: etcd.PDBName(lockserverName),
 }
 err := r.reconciler.ReconcileObject(ctx, ls, key, labels, true, reconciler.Strategy{
- Kind: &policyv1beta1.PodDisruptionBudget{},
+ Kind: &policyv1.PodDisruptionBudget{},
 New: func(key client.ObjectKey) runtime.Object {
 return etcd.NewPDB(key, labels)
 },
 UpdateInPlace: func(key client.ObjectKey, obj runtime.Object) {
- curObj := obj.(*policyv1beta1.PodDisruptionBudget)
+ curObj := obj.(*policyv1.PodDisruptionBudget)
 etcd.UpdatePDBInPlace(curObj, labels)
 },
 })
diff --git a/pkg/operator/etcd/pdb.go b/pkg/operator/etcd/pdb.go
index 7773ceec..4aea2f5b 100644
--- a/pkg/operator/etcd/pdb.go
+++ b/pkg/operator/etcd/pdb.go
@@ -17,7 +17,7 @@ limitations under the License.
 package etcd
 import (
- policyv1beta1 "k8s.io/api/policy/v1beta1"
+ policyv1 "k8s.io/api/policy/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -37,18 +37,18 @@ func PDBName(lockserverName string) string {
 }
 // NewPDB creates a new PDB.
-func NewPDB(key client.ObjectKey, labels map[string]string) *policyv1beta1.PodDisruptionBudget {
+func NewPDB(key client.ObjectKey, labels map[string]string) *policyv1.PodDisruptionBudget {
 // This tells `kubectl drain` not to delete one of the members unless the
 // number of remaining members will still be at least QuorumSize.
 minAvailable := intstr.FromInt(QuorumSize)
- return &policyv1beta1.PodDisruptionBudget{
+ return &policyv1.PodDisruptionBudget{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: key.Namespace,
 Name: key.Name,
 Labels: labels,
 },
- Spec: policyv1beta1.PodDisruptionBudgetSpec{
+ Spec: policyv1.PodDisruptionBudgetSpec{
 Selector: &metav1.LabelSelector{
 MatchLabels: labels,
 },
@@ -58,7 +58,7 @@ func NewPDB(key client.ObjectKey, labels map[string]string) *policyv1beta1.PodDi
 }
 // UpdatePDBInPlace updates an existing PDB in-place.
-func UpdatePDBInPlace(obj *policyv1beta1.PodDisruptionBudget, labels map[string]string) {
+func UpdatePDBInPlace(obj *policyv1.PodDisruptionBudget, labels map[string]string) {
 // Update labels, but ignore existing ones we don't set.
 update.Labels(&obj.Labels, labels)
 }
diff --git a/test/integration/framework/apiserver.go b/test/integration/framework/apiserver.go
index 112ac1da..8a5bdb23 100644
--- a/test/integration/framework/apiserver.go
+++ b/test/integration/framework/apiserver.go
@@ -26,11 +26,14 @@ import (
 "os/exec"
 "strconv"
+ "github.com/google/uuid"
 "k8s.io/client-go/rest"
 "k8s.io/klog"
 )
 var apiserverURL = ""
+var apiserverToken = uuid.New().String()
+var apiserverDatadir = ""
 const installApiserver = `
 Cannot find kube-apiserver, cannot run integration tests
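Review bot: `var apiserverToken = uuid.New().String()` mints the bearer token in a package-level initializer, so every binary that imports this framework package generates it before any test runs, and it ties the package to `github.com/google/uuid` while no `go.mod`/`go.sum` change is part of this diff; if that module is not already a direct dependency the build will fail, so verify it. A side-effecting package-level `var` is also the pattern the Go guidelines discourage; generating the token inside `startApiserver` and assigning it there, exactly as the hunk already does for `apiserverDatadir`, would initialize both globals at one point. The two new globals carry no doc comment; something like `// apiserverToken is the static bearer token written to the test apiserver's token file; ApiserverToken exposes it to clients.` and `// apiserverDatadir is the temp directory startApiserver hands to kube-apiserver as --cert-dir and where it writes the auth files.` would make their lifetime clear.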
@@ -57,25 +60,38 @@ func startApiserver() (func(), error) {
 if err != nil {
 return nil, fmt.Errorf("could not get a port: %v", err)
 }
- apiserverURL = fmt.Sprintf("http://127.0.0.1:%d", apiserverPort)
+ apiserverURL = fmt.Sprintf("https://127.0.0.1:%d", apiserverPort)
 klog.Infof("starting kube-apiserver on %s", apiserverURL)
 apiserverDataDir, err := ioutil.TempDir(os.TempDir(), "integration_test_apiserver_data")
 if err != nil {
 return nil, fmt.Errorf("unable to make temp kube-apiserver data dir: %v", err)
 }
- klog.Infof("storing kube-apiserver data in: %v", apiserverDataDir)
+ apiserverDatadir = apiserverDataDir
+ klog.Infof("storing kube-apiserver data in: %v", apiserverDatadir)
+
+ // create token auth file
+ os.WriteFile(fmt.Sprintf("%s/token.csv", apiserverDatadir), []byte(fmt.Sprintf("%s,testrunner,1", apiserverToken)), 0644)
+
+ // create authorization policy file
+ abac1 := "{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"user\": \"testrunner\", \"namespace\": \"*\", \"resource\": \"*\", \"apiGroup\": \"*\"}}"
+ abac2 := "{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"group\": \"system:authenticated\", \"readonly\": true, \"nonResourcePath\": \"*\"}}"
+ os.WriteFile(fmt.Sprintf("%s/auth-policy.json", apiserverDatadir), []byte(fmt.Sprintf("%s\n%s", abac1, abac2)), 0644)
+
 ctx, cancel := context.WithCancel(context.Background())
 cmd := exec.CommandContext(
 ctx,
 apiserverPath,
- "--cert-dir", apiserverDataDir,
- "--insecure-port", strconv.Itoa(apiserverPort),
- // We don't use the secure port, but we need to pick something that
- // doesn't conflict with other test apiservers.
- "--secure-port", strconv.Itoa(apiserverPort+1),
+ "--authorization-policy-file", fmt.Sprintf("%s/auth-policy.json", apiserverDatadir),
+ "--authorization-mode", "ABAC",
+ "--cert-dir", apiserverDatadir,
 "--etcd-servers", etcdURL,
+ "--secure-port", strconv.Itoa(apiserverPort),
+ "--service-account-issuer", "api",
+ "--service-account-key-file", fmt.Sprintf("%s/apiserver.key", apiserverDatadir),
+ "--service-account-signing-key-file", fmt.Sprintf("%s/apiserver.key", apiserverDatadir),
+ "--token-auth-file", fmt.Sprintf("%s/token.csv", apiserverDatadir),
 )
 // Uncomment these to see kube-apiserver output in test logs.
@@ -87,7 +103,7 @@ func startApiserver() (func(), error) {
 cancel()
 err := cmd.Wait()
 klog.Infof("kube-apiserver exit status: %v", err)
- err = os.RemoveAll(apiserverDataDir)
+ err = os.RemoveAll(apiserverDatadir)
 if err != nil {
 klog.Warningf("error during kube-apiserver cleanup: %v", err)
 }
@@ -99,14 +115,28 @@ func startApiserver() (func(), error) {
 return stop, nil
 }
-// ApiserverURL returns the URL of the kube-apiserver instance started by TestMain.
-func ApiserverURL() string {
- return apiserverURL
-}
-
 // ApiserverConfig returns a rest.Config to connect to the test instance.
 func ApiserverConfig() *rest.Config {
 return &rest.Config{
 Host: ApiserverURL(),
+ BearerToken: apiserverToken,
+ TLSClientConfig: rest.TLSClientConfig{
+ Insecure: true,
+ },
 }
 }
+
+// ApiserverCert returns the generated kube-apiserver certificate authority
+func ApiserverCert() string {
+ return fmt.Sprintf("%s/apiserver.crt", apiserverDatadir)
+}
+
+// ApiserverToken returns the token used for authentication
+func ApiserverToken() string {
+ return apiserverToken
+}
+
+// ApiserverURL returns the URL of the kube-apiserver instance started by TestMain.
+func ApiserverURL() string {
+ return apiserverURL
+}
diff --git a/test/integration/framework/main.go b/test/integration/framework/main.go
index 2d8aac42..0e305246 100644
--- a/test/integration/framework/main.go
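Review bot: Both new `os.WriteFile` calls in the token/policy setup discard their error, so a failed write lets kube-apiserver start without `token.csv` or `auth-policy.json` and the test fails later with an authentication or authorization error that does not point at the real cause; check and return them the same way the surrounding `ioutil.TempDir` error is handled. The token file is written with mode 0644 although it holds the bearer token that `abac1` maps to an unrestricted `testrunner` user; `0600` is the appropriate mode for a credential file even in a temp dir. The paths are built with `fmt.Sprintf("%s/...", apiserverDatadir)` in five places in this hunk where `filepath.Join(apiserverDatadir, "token.csv")` is the idiomatic form (which needs `path/filepath` added to the import block), and the two escaped ABAC JSON strings read better as raw string literals. `startApiserver` begins before this hunk and the `exec.CommandContext` argument list continues past it.
```go
	// … unchanged: temp dir creation and apiserverDatadir assignment …
	tokenFile := filepath.Join(apiserverDatadir, "token.csv")
	policyFile := filepath.Join(apiserverDatadir, "auth-policy.json")

	// Token auth file, one "<token>,<user>,<uid>" line; 0600 because it holds the credential.
	if err := os.WriteFile(tokenFile, []byte(fmt.Sprintf("%s,testrunner,1", apiserverToken)), 0600); err != nil {
		return nil, fmt.Errorf("unable to write kube-apiserver token file: %v", err)
	}

	// ABAC policy: full access for the testrunner user, read-only non-resource paths for any authenticated client.
	abac1 := `{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "testrunner", "namespace": "*", "resource": "*", "apiGroup": "*"}}`
	abac2 := `{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "*"}}`
	if err := os.WriteFile(policyFile, []byte(abac1+"\n"+abac2), 0644); err != nil {
		return nil, fmt.Errorf("unable to write kube-apiserver authorization policy file: %v", err)
	}
	// … unchanged: exec.CommandContext, with tokenFile/policyFile replacing the Sprintf paths …
```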
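Review bot: `ApiserverConfig` now sets `TLSClientConfig{Insecure: true}` and so skips server certificate verification, while `execKubectlStdin` in `main.go` in this same commit pins the generated certificate with `--certificate-authority` and `--tls-server-name`; the two client paths should agree, and `rest.Config` can express the same pinning with `TLSClientConfig: rest.TLSClientConfig{CAFile: ApiserverCert(), ServerName: "10.0.0.1"}` in place of `Insecure: true` (mirroring the kubectl flags; confirm the generated cert carries that name). The new doc comments on `ApiserverCert` and `ApiserverToken` lack the terminating period the other comments in this file have, and `ApiserverCert` builds its path with `fmt.Sprintf` where `filepath.Join(apiserverDatadir, "apiserver.crt")` is the idiomatic form. `ApiserverCert` also returns a path rooted at a directory that is empty until `startApiserver` has run, which is worth stating: `// ApiserverCert returns the path of the self-signed certificate kube-apiserver writes to its --cert-dir; it is only meaningful after startApiserver has run.`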
+++ b/test/integration/framework/main.go
@@ -241,7 +241,13 @@ func execKubectlStdin(stdin io.Reader, args ...string) ([]byte, error) {
 if err != nil {
 return nil, fmt.Errorf("cannot exec kubectl: %v", err)
 }
- cmdline := append([]string{"--server", ApiserverURL()}, args...)
+ cmdline := append([]string{
+ "--server", ApiserverURL(),
+ "--tls-server-name", "10.0.0.1",
+ "--certificate-authority", ApiserverCert(),
+ "--token", ApiserverToken(),
+ }, args...)
+
 cmd := exec.Command(execPath, cmdline...)
 cmd.Stdin = stdin
 return cmd.CombinedOutput()
diff --git a/tools/get-kube-binaries.sh b/tools/get-kube-binaries.sh
index 1e11e297..3742a041 100755
--- a/tools/get-kube-binaries.sh
+++ b/tools/get-kube-binaries.sh
@@ -9,7 +9,7 @@ set -euo pipefail
 # The integration test framework expects these binaries to be found in the PATH.
 # This is the kube-apiserver version to test against.
-KUBE_VERSION="${KUBE_VERSION:-v1.19.1}"
+KUBE_VERSION="${KUBE_VERSION:-v1.25.8}"
 KUBERNETES_RELEASE_URL="${KUBERNETES_RELEASE_URL:-https://dl.k8s.io}"
 # This should be the etcd version downloaded by kubernetes/hack/lib/etcd.sh
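Review bot: The literal `"10.0.0.1"` passed as `--tls-server-name` is a magic value with no explanation, and a reader has to guess why kubectl must verify against a name other than the `127.0.0.1` host in `ApiserverURL()`. A why-comment on that line would carry the knowledge, e.g. `// The cert kube-apiserver self-signs is presumably issued for the first service IP (10.0.0.1 under the default --service-cluster-ip-range) rather than for 127.0.0.1 — confirm`; once confirmed, the value belongs in a named constant that `ApiserverConfig` in `apiserver.go` can share instead of disabling verification there. `execKubectlStdin` begins before this hunk.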