Merge commit '3992013d299a0e0006911dcc28336292a21f472e' into k0s-1-30

Author: diamonwiggins

.github/actions/scan-image/action.yml

@@ -51,17 +51,32 @@ runs:
       id: image_details
       shell: bash
       run: |
+        # Extract base image name and tag
         IMAGE_NAME=$(echo "${{ inputs.image-ref }}" | cut -d':' -f1)
         IMAGE_TAG=$(echo "${{ inputs.image-ref }}" | cut -d':' -f2 | cut -d'@' -f1)
+
+        # Default to latest tag if none specified
         [[ "$IMAGE_TAG" == "$IMAGE_NAME" ]] && IMAGE_TAG="latest"
-        SAFE_NAME=$(echo "${IMAGE_NAME}-${IMAGE_TAG}" | sed 's/[\/:]/-/g')
+
+        # Extract digest if present
+        IMAGE_DIGEST=$(echo "${{ inputs.image-ref }}" | grep -o 'sha256:[a-f0-9]*' || true)
+
+        # Create safe names for file paths and identifiers
+        if [[ -n "$IMAGE_DIGEST" ]]; then
+            DIGEST_SHORT=$(echo "$IMAGE_DIGEST" | cut -c1-15)
+            SAFE_NAME="${IMAGE_NAME}-${IMAGE_TAG}-${DIGEST_SHORT}"
+        else
+            SAFE_NAME="${IMAGE_NAME}-${IMAGE_TAG}"
+        fi
+        SAFE_NAME=$(echo "$SAFE_NAME" | sed 's/[\/:]/-/g')
         SAFE_IMAGE_NAME=$(echo "${IMAGE_NAME}" | sed 's/[\/:]/-/g')
-        {
-          echo "image_name=${IMAGE_NAME}"
-          echo "image_tag=${IMAGE_TAG}"
-          echo "safe_name=${SAFE_NAME}"
-          echo "safe_image_name=${SAFE_IMAGE_NAME}"
 
+        # Output variables for use in subsequent steps
+        {
+            echo "image_name=${IMAGE_NAME}"
+            echo "image_tag=${IMAGE_TAG}"
+            echo "safe_name=${SAFE_NAME}"
+            echo "safe_image_name=${SAFE_IMAGE_NAME}"
         } >> "$GITHUB_OUTPUT"
 
     - name: Scan image with Grype

.github/workflows/ci.yaml

@@ -910,6 +910,7 @@ jobs:
         test:
           - TestResetAndReinstallAirgap
           - TestSingleNodeAirgapUpgrade
+          - TestSingleNodeAirgapUpgradeSelinux
           - TestSingleNodeAirgapUpgradeConfigValues
           - TestSingleNodeAirgapUpgradeCustomCIDR
           - TestMultiNodeAirgapUpgrade

.github/workflows/image-scan.yaml

@@ -135,7 +135,8 @@ jobs:
         with:
           image-ref: '${{ matrix.image }}'
           upload-sarif: ${{ github.ref == 'refs/heads/main' }}
-          fail-build: 'true'
+          # TODO: set this to true once we are fully using securebuild images
+          fail-build: 'false'
           severity-cutoff: 'medium'
           output-file: 'results.sarif'
           retention-days: '90'

.github/workflows/release-prod.yaml

@@ -569,6 +569,7 @@ jobs:
         test:
           - TestResetAndReinstallAirgap
           - TestSingleNodeAirgapUpgrade
+          - TestSingleNodeAirgapUpgradeSelinux
           - TestSingleNodeAirgapUpgradeConfigValues
           - TestSingleNodeAirgapUpgradeCustomCIDR
           - TestMultiNodeAirgapUpgrade

api/controllers/app/install/apppreflight.go

@@ -0,0 +1,126 @@
+package install
+
+import (
+	"context"
+	"fmt"
+	"runtime/debug"
+
+	apppreflightmanager "github.com/replicatedhq/embedded-cluster/api/internal/managers/app/preflight"
+	"github.com/replicatedhq/embedded-cluster/api/internal/statemachine"
+	states "github.com/replicatedhq/embedded-cluster/api/internal/states/install"
+	"github.com/replicatedhq/embedded-cluster/api/types"
+	ecv1beta1 "github.com/replicatedhq/embedded-cluster/kinds/apis/v1beta1"
+	"github.com/replicatedhq/embedded-cluster/pkg-new/preflights"
+)
+
+type RunAppPreflightOptions struct {
+	ConfigValues        types.AppConfigValues
+	PreflightBinaryPath string
+	ProxySpec           *ecv1beta1.ProxySpec
+	ExtraPaths          []string
+}
+
+func (c *InstallController) RunAppPreflights(ctx context.Context, opts RunAppPreflightOptions) (finalErr error) {
+	lock, err := c.stateMachine.AcquireLock()
+	if err != nil {
+		return types.NewConflictError(err)
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			finalErr = fmt.Errorf("panic: %v: %s", r, string(debug.Stack()))
+		}
+		if finalErr != nil {
+			lock.Release()
+		}
+	}()
+
+	if err := c.stateMachine.ValidateTransition(lock, states.StateAppPreflightsRunning); err != nil {
+		return types.NewConflictError(err)
+	}
+
+	// Extract app preflight spec from Helm charts
+	appPreflightSpec, err := c.appReleaseManager.ExtractAppPreflightSpec(ctx, opts.ConfigValues)
+	if err != nil {
+		return fmt.Errorf("extract app preflight spec: %w", err)
+	}
+
+	err = c.stateMachine.Transition(lock, states.StateAppPreflightsRunning)
+	if err != nil {
+		return fmt.Errorf("transition states: %w", err)
+	}
+
+	go func() (finalErr error) {
+		// Background context is used to avoid canceling the operation if the context is canceled
+		ctx := context.Background()
+
+		defer lock.Release()
+
+		defer func() {
+			if r := recover(); r != nil {
+				finalErr = fmt.Errorf("panic running app preflights: %v: %s", r, string(debug.Stack()))
+			}
+			// Handle errors from preflight execution
+			if finalErr != nil {
+				c.logger.Error(finalErr)
+
+				if err := c.stateMachine.Transition(lock, states.StateAppPreflightsExecutionFailed); err != nil {
+					c.logger.Errorf("failed to transition states: %w", err)
+				}
+				return
+			}
+
+			// Get the state from the preflights output
+			state := c.getStateFromAppPreflightsOutput(ctx)
+			// Transition to the appropriate state based on preflight results
+			if err := c.stateMachine.Transition(lock, state); err != nil {
+				c.logger.Errorf("failed to transition states: %w", err)
+			}
+		}()
+
+		// Create RunOptions from the provided options
+		runOpts := preflights.RunOptions{
+			PreflightBinaryPath: opts.PreflightBinaryPath,
+			ProxySpec:           opts.ProxySpec,
+			ExtraPaths:          opts.ExtraPaths,
+		}
+
+		err := c.appPreflightManager.RunAppPreflights(ctx, apppreflightmanager.RunAppPreflightOptions{
+			AppPreflightSpec: appPreflightSpec,
+			RunOptions:       runOpts,
+		})
+		if err != nil {
+			return fmt.Errorf("run app preflights: %w", err)
+		}
+
+		return nil
+	}()
+
+	return nil
+}
+
+func (c *InstallController) getStateFromAppPreflightsOutput(ctx context.Context) statemachine.State {
+	output, err := c.GetAppPreflightOutput(ctx)
+	// If there was an error getting the state we assume preflight execution failed
+	if err != nil {
+		c.logger.WithError(err).Error("error getting app preflight output")
+		return states.StateAppPreflightsExecutionFailed
+	}
+	// If there is no output, we assume preflights succeeded
+	if output == nil || !output.HasFail() {
+		return states.StateAppPreflightsSucceeded
+	}
+	return states.StateAppPreflightsFailed
+}
+
+func (c *InstallController) GetAppPreflightStatus(ctx context.Context) (types.Status, error) {
+	return c.appPreflightManager.GetAppPreflightStatus(ctx)
+}
+
+func (c *InstallController) GetAppPreflightOutput(ctx context.Context) (*types.PreflightsOutput, error) {
+	return c.appPreflightManager.GetAppPreflightOutput(ctx)
+}
+
+func (c *InstallController) GetAppPreflightTitles(ctx context.Context) ([]string, error) {
+	return c.appPreflightManager.GetAppPreflightTitles(ctx)
+}

api/controllers/app/install/config.go

@@ -57,7 +57,7 @@ func (c *InstallController) PatchAppConfigValues(ctx context.Context, values typ
 }
 
 func (c *InstallController) TemplateAppConfig(ctx context.Context, values types.AppConfigValues, maskPasswords bool) (types.AppConfig, error) {
-	return c.appConfigManager.TemplateConfig(values, maskPasswords)
+	return c.appConfigManager.TemplateConfig(values, maskPasswords, true)
 }
 
 func (c *InstallController) GetAppConfigValues(ctx context.Context) (types.AppConfigValues, error) {

api/controllers/app/install/controller.go

@@ -5,6 +5,8 @@ import (
 	"errors"
 
 	appconfig "github.com/replicatedhq/embedded-cluster/api/internal/managers/app/config"
+	apppreflightmanager "github.com/replicatedhq/embedded-cluster/api/internal/managers/app/preflight"
+	appreleasemanager "github.com/replicatedhq/embedded-cluster/api/internal/managers/app/release"
 	"github.com/replicatedhq/embedded-cluster/api/internal/statemachine"
 	"github.com/replicatedhq/embedded-cluster/api/pkg/logger"
 	"github.com/replicatedhq/embedded-cluster/api/types"
@@ -15,14 +17,20 @@ type Controller interface {
 	TemplateAppConfig(ctx context.Context, values types.AppConfigValues, maskPasswords bool) (types.AppConfig, error)
 	PatchAppConfigValues(ctx context.Context, values types.AppConfigValues) error
 	GetAppConfigValues(ctx context.Context) (types.AppConfigValues, error)
+	RunAppPreflights(ctx context.Context, opts RunAppPreflightOptions) error
+	GetAppPreflightStatus(ctx context.Context) (types.Status, error)
+	GetAppPreflightOutput(ctx context.Context) (*types.PreflightsOutput, error)
+	GetAppPreflightTitles(ctx context.Context) ([]string, error)
 }
 
 var _ Controller = (*InstallController)(nil)
 
 type InstallController struct {
-	appConfigManager appconfig.AppConfigManager
-	stateMachine     statemachine.Interface
-	logger           logrus.FieldLogger
+	appConfigManager    appconfig.AppConfigManager
+	appPreflightManager apppreflightmanager.AppPreflightManager
+	appReleaseManager   appreleasemanager.AppReleaseManager
+	stateMachine        statemachine.Interface
+	logger              logrus.FieldLogger
 }
 
 type InstallControllerOption func(*InstallController)
@@ -45,6 +53,18 @@ func WithStateMachine(stateMachine statemachine.Interface) InstallControllerOpti
 	}
 }
 
+func WithAppPreflightManager(appPreflightManager apppreflightmanager.AppPreflightManager) InstallControllerOption {
+	return func(c *InstallController) {
+		c.appPreflightManager = appPreflightManager
+	}
+}
+
+func WithAppReleaseManager(appReleaseManager appreleasemanager.AppReleaseManager) InstallControllerOption {
+	return func(c *InstallController) {
+		c.appReleaseManager = appReleaseManager
+	}
+}
+
 func NewInstallController(opts ...InstallControllerOption) (*InstallController, error) {
 	controller := &InstallController{
 		logger: logger.NewDiscardLogger(),
@@ -68,5 +88,11 @@ func (c *InstallController) validateInit() error {
 	if c.stateMachine == nil {
 		return errors.New("stateMachine is required for App Install Controller")
 	}
+	if c.appPreflightManager == nil {
+		return errors.New("appPreflightManager is required for App Install Controller")
+	}
+	if c.appReleaseManager == nil {
+		return errors.New("appReleaseManager is required for App Install Controller")
+	}
 	return nil
 }

api/controllers/app/install/controller_mock.go

@@ -34,3 +34,36 @@ func (m *MockController) GetAppConfigValues(ctx context.Context) (types.AppConfi
 	}
 	return args.Get(0).(types.AppConfigValues), args.Error(1)
 }
+
+// RunAppPreflights mocks the RunAppPreflights method
+func (m *MockController) RunAppPreflights(ctx context.Context, opts RunAppPreflightOptions) error {
+	args := m.Called(ctx, opts)
+	return args.Error(0)
+}
+
+// GetAppPreflightStatus mocks the GetAppPreflightStatus method
+func (m *MockController) GetAppPreflightStatus(ctx context.Context) (types.Status, error) {
+	args := m.Called(ctx)
+	if args.Get(0) == nil {
+		return types.Status{}, args.Error(1)
+	}
+	return args.Get(0).(types.Status), args.Error(1)
+}
+
+// GetAppPreflightOutput mocks the GetAppPreflightOutput method
+func (m *MockController) GetAppPreflightOutput(ctx context.Context) (*types.PreflightsOutput, error) {
+	args := m.Called(ctx)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*types.PreflightsOutput), args.Error(1)
+}
+
+// GetAppPreflightTitles mocks the GetAppPreflightTitles method
+func (m *MockController) GetAppPreflightTitles(ctx context.Context) ([]string, error) {
+	args := m.Called(ctx)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).([]string), args.Error(1)
+}