Merge branch 'main' into K8SPSMDB-1445

Author: hors

.e2eignore

@@ -9,5 +9,4 @@ operator.png
 kubernetes.svg
 release_versions
 .github/**
-.snyk
 .e2eignore

.github/CODEOWNERS

@@ -1,4 +1,4 @@
-* @hors @egegunes @pooknull @nmarukovich @gkech
-/e2e-tests/ @jvpasinatto @eleo007 @valmiranogueira
-Jenkinsfile @jvpasinatto @eleo007 @valmiranogueira
+* @hors @egegunes @pooknull @nmarukovich @gkech @mayankshah1607 @oksana-grishchenko
+/e2e-tests/ @jvpasinatto @eleo007 @valmiranogueira @bogdanjeler-ev
+Jenkinsfile @jvpasinatto @eleo007 @valmiranogueira @bogdanjeler-ev
 

.github/workflows/scan.yml

@@ -30,27 +30,10 @@ jobs:
           export DOCKER_DEFAULT_PLATFORM='linux/arm64'
           ./e2e-tests/build
 
-      - name: Run Snyk vulnerability scanner image (linux/arm64)
-        uses: snyk/actions/docker@master
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64'
-          args: --platform=linux/arm64 --severity-threshold=high --exclude-base-image-vulns --file=./build/Dockerfile -fail-on=upgradable
-
       - name: Build an image from Dockerfile (linux/amd64)
         run: |
           export IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64
           export DOCKER_PUSH=0
           export DOCKER_SQUASH=0
           export DOCKER_DEFAULT_PLATFORM='linux/amd64'
           ./e2e-tests/build
-
-      - name: Run Snyk vulnerability scanner image (linux/amd64)
-        uses: snyk/actions/docker@master
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64'
-          args: --platform=linux/amd64 --severity-threshold=high --exclude-base-image-vulns --file=./build/Dockerfile -fail-on=upgradable
-

.snyk

@@ -92,7 +92,7 @@ void pushLogFile(String FILE_NAME) {
     def LOG_FILE_PATH="e2e-tests/logs/${FILE_NAME}.log"
     def LOG_FILE_NAME="${FILE_NAME}.log"
     echo "Push logfile $LOG_FILE_NAME file to S3!"
-    withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', accessKeyVariable: 'AWS_ACCESS_KEY_ID', credentialsId: 'AMI/OVF', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
+    withCredentials([aws(credentialsId: 'AMI/OVF', accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY')]) {
         sh """
             S3_PATH=s3://percona-jenkins-artifactory-public/\$JOB_NAME/\$(git rev-parse --short HEAD)
             aws s3 ls \$S3_PATH/${LOG_FILE_NAME} || :
@@ -104,7 +104,7 @@ void pushLogFile(String FILE_NAME) {
 void pushArtifactFile(String FILE_NAME) {
     echo "Push $FILE_NAME file to S3!"
 
-    withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', accessKeyVariable: 'AWS_ACCESS_KEY_ID', credentialsId: 'AMI/OVF', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
+    withCredentials([aws(credentialsId: 'AMI/OVF', accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY')]) {
         sh """
             touch ${FILE_NAME}
             S3_PATH=s3://percona-jenkins-artifactory/\$JOB_NAME/\$(git rev-parse --short HEAD)
@@ -129,7 +129,7 @@ void initTests() {
 void markPassedTests() {
     echo "Marking passed tests in the tests map!"
 
-    withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', accessKeyVariable: 'AWS_ACCESS_KEY_ID', credentialsId: 'AMI/OVF', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
+    withCredentials([aws(credentialsId: 'AMI/OVF', accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY')]) {
         sh """
             aws s3 ls "s3://percona-jenkins-artifactory/${JOB_NAME}/${env.GIT_SHORT_COMMIT}/" || :
         """
@@ -290,9 +290,9 @@ void prepareNode() {
         sudo curl -sLo /usr/local/bin/kubectl https://dl.k8s.io/release/\$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl && sudo chmod +x /usr/local/bin/kubectl
         kubectl version --client --output=yaml
 
-        curl -fsSL https://get.helm.sh/helm-v3.18.3-linux-amd64.tar.gz | sudo tar -C /usr/local/bin --strip-components 1 -xzf - linux-amd64/helm
+        curl -fsSL https://get.helm.sh/helm-v3.19.0-linux-amd64.tar.gz | sudo tar -C /usr/local/bin --strip-components 1 -xzf - linux-amd64/helm
 
-        sudo curl -fsSL https://github.com/mikefarah/yq/releases/download/v4.44.1/yq_linux_amd64 -o /usr/local/bin/yq && sudo chmod +x /usr/local/bin/yq
+        sudo curl -fsSL https://github.com/mikefarah/yq/releases/download/v4.48.1/yq_linux_amd64 -o /usr/local/bin/yq && sudo chmod +x /usr/local/bin/yq
         sudo curl -fsSL https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 -o /usr/local/bin/jq && sudo chmod +x /usr/local/bin/jq
 
         sudo tee /etc/yum.repos.d/google-cloud-sdk.repo << EOF
@@ -490,7 +490,7 @@ pipeline {
                         mkdir -p $(dirname ${docker_tag_file})
                         echo ${DOCKER_TAG} > "${docker_tag_file}"
                             sg docker -c "
-                                docker login -u '${USER}' -p '${PASS}'
+                                echo '\$PASS' | docker login -u '\$USER' --password-stdin
                                 export RELEASE=0
                                 export IMAGE=\$DOCKER_TAG
                                 ./e2e-tests/build
@@ -650,7 +650,7 @@ pipeline {
                             }
                         }
                         makeReport()
-                        step([$class: 'JUnitResultArchiver', testResults: '*.xml', healthScaleFactor: 1.0])
+                        junit testResults: '*.xml', healthScaleFactor: 1.0
                         archiveArtifacts '*.xml'
 
                         unstash 'IMAGE'

Jenkinsfile

@@ -1,21 +1,100 @@
-#!/bin/sh
+#!/bin/bash
 set -e
-set -o xtrace
 
-export PATH="$PATH":/opt/fluent-bit/bin
+export PATH="$PATH:/opt/fluent-bit/bin"
 
-if [ "$1" = 'logrotate' ]; then
+LOGROTATE_SCHEDULE="${LOGROTATE_SCHEDULE:-0 0 * * *}"
+
+is_logrotate_config_invalid() {
+	local config_file="$1"
+	if [ -z "$config_file" ] || [ ! -f "$config_file" ]; then
+		return 1
+	fi
+	# Specifying -d runs in debug mode, so even in case of errors, it will exit with 0.
+	# We need to check the output for "error" but skip those lines that are related to the missing logrotate.status file.
+	# Filter out logrotate.status lines first, then check for remaining errors
+	(
+		set +e
+		logrotate -d "$config_file" 2>&1 | grep -v "logrotate.status" | grep -qi "error"
+	)
+	return $?
+}
+
+run_logrotate() {
+	local logrotate_status_file="/data/db/logs/logrotate.status"
+	local logrotate_conf_file="/opt/percona/logcollector/logrotate/logrotate.conf"
+	local logrotate_additional_conf_files=()
+	local conf_d_dir="/opt/percona/logcollector/logrotate/conf.d"
+
+	# Check if mongodb.conf exists and validate it
+	if [ -f "$conf_d_dir/mongodb.conf" ]; then
+		logrotate_conf_file="$conf_d_dir/mongodb.conf"
+		if is_logrotate_config_invalid "$logrotate_conf_file"; then
+			echo "ERROR: Logrotate configuration is invalid, fallback to default configuration"
+			logrotate_conf_file="/opt/percona/logcollector/logrotate/logrotate.conf"
+		fi
+	fi
+
+	# Process all .conf files in conf.d directory (excluding mongodb.conf which is already handled)
+	if [ -d "$conf_d_dir" ]; then
+		for conf_file in "$conf_d_dir"/*.conf; do
+			# Check if glob matched any files (if no .conf files exist, the glob returns itself)
+			[ -f "$conf_file" ] || continue
+			# Skip mongodb.conf as it's already processed above
+			[ "$(basename "$conf_file")" = "mongodb.conf" ] && continue
+			if is_logrotate_config_invalid "$conf_file"; then
+				echo "ERROR: Logrotate configuration file $conf_file is invalid, it will be ignored"
+			else
+				logrotate_additional_conf_files+=("$conf_file")
+			fi
+		done
+	fi
+	# Ensure logrotate can run with current UID
 	if [[ $EUID != 1001 ]]; then
 		# logrotate requires UID in /etc/passwd
 		sed -e "s^x:1001:^x:$EUID:^" /etc/passwd >/tmp/passwd
 		cat /tmp/passwd >/etc/passwd
 		rm -rf /tmp/passwd
 	fi
-	exec go-cron "0 0 * * *" sh -c "logrotate -s /data/db/logs/logrotate.status /opt/percona/logcollector/logrotate/logrotate.conf;"
-else
-	if [ "$1" = 'fluent-bit' ]; then
-		fluentbit_opt+='-c /opt/percona/logcollector/fluentbit/fluentbit.conf'
-	fi
 
-	exec "$@" $fluentbit_opt
-fi
+	local logrotate_cmd="logrotate -s \"$logrotate_status_file\" \"$logrotate_conf_file\""
+	for additional_conf in "${logrotate_additional_conf_files[@]}"; do
+		logrotate_cmd="$logrotate_cmd \"$additional_conf\""
+	done
+
+	set -o xtrace
+	exec go-cron "$LOGROTATE_SCHEDULE" sh -c "$logrotate_cmd"
+}
+
+run_fluentbit() {
+	local fluentbit_opt=(-c /opt/percona/logcollector/fluentbit/fluentbit.conf)
+	mkdir -p /tmp/fluentbit/custom
+	set +e
+	local fluentbit_conf_dir="/opt/percona/logcollector/fluentbit/custom"
+	for conf_file in $fluentbit_conf_dir/*.conf; do
+		[ -f "$conf_file" ] || continue
+		if ! fluent-bit --dry-run -c "$conf_file" >/dev/null 2>&1; then
+			echo "ERROR: Fluentbit configuration file $conf_file is invalid, it will be ignored"
+		else
+			cp "$conf_file" /tmp/fluentbit/custom/
+		fi
+	done
+	touch /tmp/fluentbit/custom/default.conf || true
+
+	set -e
+	set -o xtrace
+	exec "$@" "${fluentbit_opt[@]}"
+}
+
+case "$1" in
+	logrotate)
+		run_logrotate
+		;;
+	fluent-bit)
+		run_fluentbit "$@"
+		;;
+	*)
+		echo "Invalid argument: $1"
+		exit 1
+		;;
+esac

build/logcollector/entrypoint.sh

@@ -1,2 +1,2 @@
 @INCLUDE fluentbit_*.conf
-@INCLUDE custom/*.conf
+@INCLUDE /tmp/fluentbit/custom/*.conf

build/logcollector/fluentbit/fluentbit.conf

@@ -7,4 +7,7 @@ if [[ -z ${PBM_AGENT_TLS_ENABLED} ]] || [[ ${PBM_AGENT_TLS_ENABLED} == "true" ]]
 	fi
 fi
 
+# shellcheck disable=SC1091
+test -e /opt/percona/pbm-hookscript/hook.sh && source /opt/percona/pbm-hookscript/hook.sh
+
 exec "$@"

build/pbm-entry.sh

@@ -68,9 +68,9 @@ _mongod_hack_have_arg() {
 	local arg
 	for arg; do
 		case "$arg" in
-		"$checkArg" | "$checkArg"=*)
-			return 0
-			;;
+			"$checkArg" | "$checkArg"=*)
+				return 0
+				;;
 		esac
 	done
 	return 1
@@ -83,14 +83,14 @@ _mongod_hack_get_arg_val() {
 		local arg="$1"
 		shift
 		case "$arg" in
-		"$checkArg")
-			echo "$1"
-			return 0
-			;;
-		"$checkArg"=*)
-			echo "${arg#"$checkArg"=}"
-			return 0
-			;;
+			"$checkArg")
+				echo "$1"
+				return 0
+				;;
+			"$checkArg"=*)
+				echo "${arg#"$checkArg"=}"
+				return 0
+				;;
 		esac
 	done
 	return 1
@@ -131,14 +131,14 @@ _mongod_hack_ensure_no_arg_val() {
 		local arg="$1"
 		shift
 		case "$arg" in
-		"$ensureNoArg")
-			shift # also skip the value
-			continue
-			;;
-		"$ensureNoArg"=*)
-			# value is already included
-			continue
-			;;
+			"$ensureNoArg")
+				shift # also skip the value
+				continue
+				;;
+			"$ensureNoArg"=*)
+				# value is already included
+				continue
+				;;
 		esac
 		mongodHackedArgs+=("$arg")
 	done
@@ -174,7 +174,7 @@ _mongod_hack_rename_arg_save_val() {
 			val="$1"
 			shift
 			continue
-		elif [[ $arg =~ "$oldArg"=(.*) ]]; then
+		elif [[ $arg =~ ^${oldArg}=(.*)$ ]]; then
 			val=${BASH_REMATCH[1]}
 			continue
 		fi
@@ -282,10 +282,10 @@ if [ "$originalArgOne" = 'mongod' ]; then
 		# if we've got any /docker-entrypoint-initdb.d/* files to parse later, we should initdb
 		for f in /docker-entrypoint-initdb.d/*; do
 			case "$f" in
-			*.sh | *.js) # this should match the set of files we check for below
-				shouldPerformInitdb="$f"
-				break
-				;;
+				*.sh | *.js) # this should match the set of files we check for below
+					shouldPerformInitdb="$f"
+					break
+					;;
 			esac
 		done
 	fi
@@ -387,17 +387,17 @@ if [ "$originalArgOne" = 'mongod' ]; then
 		echo
 		for f in /docker-entrypoint-initdb.d/*; do
 			case "$f" in
-			*.sh)
-				echo "$0: running $f"
-				# shellcheck source=/dev/null
-				. "$f"
-				;;
-			*.js)
-				echo "$0: running $f"
-				"${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f"
-				echo
-				;;
-			*) echo "$0: ignoring $f" ;;
+				*.sh)
+					echo "$0: running $f"
+					# shellcheck source=/dev/null
+					. "$f"
+					;;
+				*.js)
+					echo "$0: running $f"
+					"${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f"
+					echo
+					;;
+				*) echo "$0: ignoring $f" ;;
 			esac
 			echo
 		done
@@ -509,5 +509,8 @@ fi
 
 rm -f "$jsonConfigFile" "$tempConfigFile"
 
+# shellcheck disable=SC1091
+test -e /opt/percona/hookscript/hook.sh && source /opt/percona/hookscript/hook.sh
+
 set -o xtrace
 exec "$@"

build/ps-entry.sh

@@ -29,25 +29,27 @@ var (
 )
 
 func Dial(ctx context.Context, conf *Config) (mongo.Client, error) {
-	if err := conf.configureTLS(); err != nil {
+	log := logf.FromContext(ctx).WithName("Dial")
+	ctx = logf.IntoContext(ctx, log)
+
+	if err := conf.configureTLS(ctx); err != nil {
 		return nil, errors.Wrap(err, "configure TLS")
 	}
 
-	log := logf.FromContext(ctx)
 	log.V(1).Info("Connecting to mongodb", "hosts", conf.Hosts, "ssl", conf.SSL.Enabled, "ssl_insecure", conf.SSL.Insecure)
 
 	if conf.Username != "" && conf.Password != "" {
 		log.V(1).Info("Enabling authentication for session", "user", conf.Username)
 	}
 
-	cl, err := mongo.Dial(&conf.Config)
+	cl, err := mongo.Dial(ctx, &conf.Config)
 	if err != nil {
 		cfg := conf.Config
 		cfg.Direct = true
 		cfg.ReplSetName = ""
-		cl, err = mongo.Dial(&cfg)
+		cl, err = mongo.Dial(ctx, &cfg)
 		if err != nil {
-			return nil, errors.Wrap(err, "filed to dial mongo")
+			return nil, errors.Wrap(err, "failed to dial mongo")
 		}
 	}