Merge remote-tracking branch 'origin/main' into k0s-1-29

Author: sgalsaleh

cmd/buildtools/embeddedclusteroperator.go

@@ -21,6 +21,10 @@ var operatorImageComponents = map[string]addonComponent{
 	"docker.io/library/busybox": {
 		name: "utils",
 	},
+	"docker.io/bloomberg/goldpinger": {
+		name:             "goldpinger",
+		useUpstreamImage: true,
+	},
 }
 
 var updateOperatorAddonCommand = &cli.Command{
@@ -130,9 +134,9 @@ func updateOperatorAddonImages(ctx context.Context, hcli helm.Client, chartURL s
 		return fmt.Errorf("failed to get images from embedded cluster operator chart: %w", err)
 	}
 
-	// make sure we include the operator util image as it does not show up when rendering the helm
-	// chart.
+	// make sure we include the operator util and goldpinger images as they don't show up when rendering the helm chart.
 	images = append(images, "docker.io/library/busybox:latest")
+	images = append(images, "docker.io/bloomberg/goldpinger:latest")
 
 	metaImages, err := UpdateImages(ctx, operatorImageComponents, embeddedclusteroperator.Metadata.Images, images)
 	if err != nil {

cmd/installer/cli/install.go

@@ -976,7 +976,7 @@ func waitForNode(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("get hostname: %w", err)
 	}
-	if err := kubeutils.WaitForControllerNode(ctx, kcli, hostname); err != nil {
+	if err := kubeutils.WaitForNode(ctx, kcli, hostname, false); err != nil {
 		return fmt.Errorf("wait for node: %w", err)
 	}
 	return nil

cmd/installer/cli/join.go

@@ -182,16 +182,26 @@ func runJoin(ctx context.Context, name string, flags JoinCmdFlags, jcmd *kotsadm
 		return err
 	}
 
-	if isWorker {
-		logrus.Debugf("worker node join finished")
-		return nil
-	}
-
 	kcli, err := kubeutils.KubeClient()
 	if err != nil {
 		return fmt.Errorf("unable to get kube client: %w", err)
 	}
 
+	hostname, err := os.Hostname()
+	if err != nil {
+		return fmt.Errorf("unable to get hostname: %w", err)
+	}
+
+	logrus.Debugf("waiting for node to join cluster")
+	if err := waitForNodeToJoin(ctx, kcli, hostname, isWorker); err != nil {
+		return fmt.Errorf("unable to wait for node: %w", err)
+	}
+
+	if isWorker {
+		logrus.Debugf("worker node join finished")
+		return nil
+	}
+
 	airgapChartsPath := ""
 	if flags.isAirgap {
 		airgapChartsPath = runtimeconfig.EmbeddedClusterChartsSubDir()
@@ -207,15 +217,6 @@ func runJoin(ctx context.Context, name string, flags JoinCmdFlags, jcmd *kotsadm
 	}
 	defer hcli.Close()
 
-	hostname, err := os.Hostname()
-	if err != nil {
-		return fmt.Errorf("unable to get hostname: %w", err)
-	}
-
-	if err := waitForNodeToJoin(ctx, kcli, hostname); err != nil {
-		return fmt.Errorf("unable to wait for node: %w", err)
-	}
-
 	if flags.enableHighAvailability {
 		if err := maybeEnableHA(ctx, kcli, hcli, flags.isAirgap, cidrCfg.ServiceCIDR, jcmd.InstallationSpec.Proxy, jcmd.InstallationSpec.Config); err != nil {
 			return fmt.Errorf("unable to enable high availability: %w", err)
@@ -246,7 +247,12 @@ func runJoinVerifyAndPrompt(name string, flags JoinCmdFlags, jcmd *kotsadm.JoinC
 	}
 
 	runtimeconfig.Set(jcmd.InstallationSpec.RuntimeConfig)
-	os.Setenv("KUBECONFIG", runtimeconfig.PathToKubeConfig())
+	isWorker := !strings.Contains(jcmd.K0sJoinCommand, "controller")
+	if isWorker {
+		os.Setenv("KUBECONFIG", runtimeconfig.PathToKubeletConfig())
+	} else {
+		os.Setenv("KUBECONFIG", runtimeconfig.PathToKubeConfig())
+	}
 	os.Setenv("TMPDIR", runtimeconfig.EmbeddedClusterTmpSubDir())
 
 	if err := runtimeconfig.WriteToDisk(); err != nil {
@@ -476,11 +482,11 @@ func runK0sInstallCommand(networkInterface string, fullcmd string) error {
 	return nil
 }
 
-func waitForNodeToJoin(ctx context.Context, kcli client.Client, hostname string) error {
+func waitForNodeToJoin(ctx context.Context, kcli client.Client, hostname string, isWorker bool) error {
 	loading := spinner.Start()
 	defer loading.Close()
 	loading.Infof("Waiting for node to join the cluster")
-	if err := kubeutils.WaitForControllerNode(ctx, kcli, hostname); err != nil {
+	if err := kubeutils.WaitForNode(ctx, kcli, hostname, isWorker); err != nil {
 		return fmt.Errorf("unable to wait for node: %w", err)
 	}
 	loading.Infof("Node has joined the cluster!")

e2e/scripts/enable-squid-whitelist.sh

@@ -76,7 +76,7 @@ function main() {
     maybe_install curl curl
 
     # update the squid config to disable allow access from local networks
-    sed -i 's/http_access allow localnet/# http_access allow localnet/' /etc/squid/conf.d/ec.conf
+    sed -i 's/^http_access allow localnet$/http_access allow localnet whitelist/' /etc/squid/conf.d/ec.conf
 
     # restart the squid service
     squid -k reconfigure

e2e/scripts/install-and-configure-squid.sh

@@ -9,10 +9,13 @@ acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump bump all
 
+acl whitelist dstdomain \"/etc/squid/sites.whitelist.txt\"
+
+# this will allow all access to the internet from local IPs
 http_access allow localnet
 
-acl whitelist dstdomain \"/etc/squid/sites.whitelist.txt\"
-http_access allow whitelist
+# to restrict access so only local IPs can access the internet and only sites on the whitelist, instead use
+# http_access allow localnet whitelist
 "
 
 whitelist_txt="

operator/charts/embedded-cluster-operator/templates/embedded-cluster-lam-service-config.yaml

@@ -23,7 +23,7 @@ data:
             podSpec:
               containers:
               - image: {{ .Values.utilsImage }}
-                imagePullPolicy: Always
+                imagePullPolicy: IfNotPresent
                 args: ["chroot","/host","cat","/etc/systemd/system/local-artifact-mirror.service.d/embedded-cluster.conf"]
                 name: debugger
                 resources: {}

operator/charts/embedded-cluster-operator/templates/embedded-cluster-logs-collector.yaml

@@ -23,7 +23,7 @@ data:
             podSpec:
               containers:
               - image: {{ .Values.utilsImage }}
-                imagePullPolicy: Always
+                imagePullPolicy: IfNotPresent
                 args: ["chroot","/host","journalctl","-u","k0scontroller","--no-pager","--since","2 days ago"]
                 name: debugger
                 resources: {}
@@ -52,7 +52,7 @@ data:
             podSpec:
               containers:
               - image: {{ .Values.utilsImage }}
-                imagePullPolicy: Always
+                imagePullPolicy: IfNotPresent
                 args: ["chroot","/host","journalctl","-u","k0sworker","--no-pager","--since","2 days ago"]
                 name: debugger
                 resources: {}
@@ -81,7 +81,7 @@ data:
             podSpec:
               containers:
               - image: {{ .Values.utilsImage }}
-                imagePullPolicy: Always
+                imagePullPolicy: IfNotPresent
                 args: ["chroot","/host","journalctl","-u","local-artifact-mirror","--no-pager","--since","2 days ago"]
                 name: debugger
                 resources: {}

operator/charts/embedded-cluster-operator/templates/embedded-cluster-troubleshoot-goldpinger.yaml

@@ -19,9 +19,9 @@ data:
       collectors:
       - goldpinger:
           namespace: goldpinger
-          image: proxy.replicated.com/anonymous/bloomberg/goldpinger@sha256:70416f19f1cbeedd344d37b08e64114779976b99905e0d018e71c437cde750dc
+          image: {{ .Values.goldpingerImage }}
           podLaunchOptions:
-            image: proxy.replicated.com/anonymous/library/busybox@sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83
+            image: {{ .Values.utilsImage }}
           exclude: {{ .Values.isAirgap }}
       analyzers:
       - goldpinger:

operator/charts/embedded-cluster-operator/values.yaml.tmpl

@@ -13,6 +13,7 @@ image:
   pullPolicy: IfNotPresent
 
 utilsImage: busybox:latest
+goldpingerImage: bloomberg/goldpinger:latest
 
 extraEnv: []
 #  - name: HTTP_PROXY

pkg/addons/embeddedclusteroperator/static/metadata.yaml

@@ -13,6 +13,11 @@ images:
         tag:
             amd64: v1.19.0-k8s-1.30
             arm64: v1.19.0-k8s-1.30
+    goldpinger:
+        repo: proxy.replicated.com/anonymous/bloomberg/goldpinger
+        tag:
+            amd64: latest
+            arm64: latest
     utils:
         repo: proxy.replicated.com/anonymous/replicated/ec-utils
         tag: