From 1c7233775a89bf155cb1d0fc767ad213cdfbc369 Mon Sep 17 00:00:00 2001 From: "alexey.ponomarev" Date: Wed, 18 Sep 2024 11:56:56 +0600 Subject: [PATCH 1/5] NODE-5762 Release 5.0.2 --- helm/Chart.yaml | 8 ++++---- helm/values.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 505dea4..8be6d42 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: wallarm-sidecar -version: 5.0.1 -appVersion: 5.0.1 +version: 5.0.2 +appVersion: 5.0.2 description: Sidecar controller for Kubernetes. Injects sidecar proxy based on NGINX with Wallarm module and helper services. home: https://github.com/wallarm/sidecar icon: https://static.wallarm.com/wallarm-logo.svg @@ -21,8 +21,8 @@ kubeVersion: ">=1.19.16-0" annotations: artifacthub.io/images: | - name: sidecar - image: wallarm/sidecar:5.0.1-1 + image: wallarm/sidecar:5.0.2-1 - name: sidecar-controller image: wallarm/sidecar-controller:1.3.9 - name: node-helpers - image: wallarm/node-helpers:5.0.1-1 + image: wallarm/node-helpers:5.0.2-1 diff --git a/helm/values.yaml b/helm/values.yaml index a1902f7..a5a0f6f 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -191,7 +191,7 @@ config: image: registry: docker.io image: wallarm/sidecar - tag: 5.0.1-1 + tag: 5.0.2-1 pullPolicy: IfNotPresent ### Shared security context for all (init and regular) containers in sidecar schema except `iptables` container. ### For `iptables` container it is described in `sidecar.initContainers.iptables.securityContext` value @@ -394,7 +394,7 @@ helper: image: registry: docker.io image: wallarm/node-helpers - tag: 5.0.1-1 + tag: 5.0.2-1 pullPolicy: IfNotPresent ### Configuration for post-analytics module From c36e91dc27471536783480372ae14173e2b7de87 Mon Sep 17 00:00:00 2001 
From: "alexey.ponomarev" Date: Thu, 22 Aug 2024 18:10:44 +0600 Subject: [PATCH 2/5] NODE-5655 add docker auth to tests --- .github/workflows/test.yaml | 22 ++++++++++++++++++++-- helm/test/run_chart_tests.sh | 22 +++++++++++++++++++++- helm/values.test.yaml | 4 +++- kind/docker/manifests/init/pytest.yaml | 2 ++ 4 files changed, 46 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index b8b060b..543a2c0 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -153,7 +153,10 @@ jobs: role: ${{ secrets.VAULT_ROLE }} method: kubernetes path: kubernetes-ci - secrets: kv-gitlab-ci/data/github/sidecar api_token + secrets: | + kv-gitlab-ci/data/github/sidecar api_token ; + kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; + kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; - name: Checkout uses: actions/checkout@v3 @@ -162,6 +165,7 @@ jobs: - name: Create cluster run: | + echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin kind create cluster \ --config ${GITHUB_WORKSPACE}/helm/test/kind/kind.yaml \ --image kindest/node:v${{ matrix.kubeVersion }} \ @@ -170,6 +174,11 @@ jobs: kubectl cluster-info kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system echo "current-context:" $(kubectl config current-context) + echo "[test-env] creating secret docker-registry ..." + kubectl create secret docker-registry dockerhub-secret \ + --docker-username="${DOCKERHUB_USER}" \ + --docker-password="${DOCKERHUB_PASSWORD}" \ + --docker-email=docker-pull@unexists.unexists - name: Load cache if: ${{ inputs.load_artifact }} 
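Review bot: The added `echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin` in the Create cluster step expands both variables unquoted. A password containing whitespace, glob characters or a leading `-n`/`-e` is therefore altered before it reaches docker login, and the login fails in a way that is hard to diagnose. Quote both and avoid echo's option parsing: `printf '%s' "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USER}" --password-stdin`. The same line is added to the second job's Create cluster step (hunk at -236,8). Unlike helm/test/run_chart_tests.sh, this step has no guard for an empty DOCKERHUB_USER; whether that can occur depends on the Vault step outside the hunk.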
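Review bot: `--docker-password="${DOCKERHUB_PASSWORD}"` places the Docker Hub credential on kubectl's command line, where other processes on the runner can read it from the process table while the command runs. Because this step has already run `docker login`, the secret can be built from the resulting config instead, e.g. `kubectl create secret docker-registry dockerhub-secret --from-file=.dockerconfigjson="${HOME}/.docker/config.json"`. That assumes no credential helper is configured on the runner, which the diff does not show. The same argument form is used in the second job (hunk at -236,8), in helm/test/run_chart_tests.sh, and in the Install Helm chart and Deploy pytest steps of PATCH 3/5.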
@@ -227,7 +236,10 @@ jobs: role: ${{ secrets.VAULT_ROLE }} method: kubernetes path: kubernetes-ci - secrets: kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN + secrets: | + kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN ; + kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; + kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; - name: Checkout uses: actions/checkout@v3 @@ -236,8 +248,14 @@ jobs: - name: Create cluster run: | + echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin kind create cluster --image kindest/node:v1.28.7 kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system + echo "[test-env] creating secret docker-registry ..." + kubectl create secret docker-registry dockerhub-secret \ + --docker-username="${DOCKERHUB_USER}" \ + --docker-password="${DOCKERHUB_PASSWORD}" \ + --docker-email=docker-pull@unexists.unexists - name: Load cache if: ${{ inputs.load_artifact }} diff --git a/helm/test/run_chart_tests.sh b/helm/test/run_chart_tests.sh index 326d1c0..722a802 100755 --- a/helm/test/run_chart_tests.sh +++ b/helm/test/run_chart_tests.sh 
@@ -23,8 +23,20 @@ CT_NAMESPACE="ct" SECRET_NAME="wallarm-api-token" SECRET_KEY="token" + +# This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set. +if [ "${DOCKERHUB_USER:-false}" = "false" ]; then + DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server" +fi + +DOCKERHUB_SECRET_NAME="dockerhub-secret" +DOCKERHUB_USER="${DOCKERHUB_USER:-fake_user}" +DOCKERHUB_PASSWORD="${DOCKERHUB_PASSWORD:-fake_password}" + HELM_EXTRA_ARGS="--timeout 180s" -HELM_EXTRA_SET_ARGS="--set config.wallarm.api.token=${WALLARM_API_TOKEN} ${HELM_ARGS:-}" +HELM_EXTRA_SET_ARGS="--set config.wallarm.api.token=${WALLARM_API_TOKEN} \ + --set imagePullSecrets[0].name=${DOCKERHUB_SECRET_NAME} \ + ${HELM_ARGS:-}" # Handle the case when we run chart testing with '--upgrade' option if [[ "${CT_MODE:-}" == "upgrade" ]]; then @@ -43,6 +55,14 @@ if ! kubectl -n ${CT_NAMESPACE} get secret "${SECRET_NAME}" &> /dev/null; then kubectl -n ${CT_NAMESPACE} create secret generic "${SECRET_NAME}" --from-literal="${SECRET_KEY}"="${WALLARM_API_TOKEN}" fi +if ! kubectl -n ${CT_NAMESPACE} get secret "${DOCKERHUB_SECRET_NAME}" &> /dev/null; then + echo "Creating secret ${DOCKERHUB_SECRET_NAME}..." + kubectl -n ${CT_NAMESPACE} create secret docker-registry "${DOCKERHUB_SECRET_NAME}" \ + --docker-username="${DOCKERHUB_USER}" \ + --docker-password="${DOCKERHUB_PASSWORD}" \ + --docker-email=docker-pull@unexists.unexists +fi + cat < ct.sh #!/bin/bash set -e diff --git a/helm/values.test.yaml b/helm/values.test.yaml index 82513d7..de75e36 100644 --- a/helm/values.test.yaml +++ b/helm/values.test.yaml @@ -8,4 +8,6 @@ config: fallback: "off" controller: - replicaCount: 1 \ No newline at end of file + replicaCount: 1 +imagePullSecrets: + - name: dockerhub-secret diff --git a/kind/docker/manifests/init/pytest.yaml b/kind/docker/manifests/init/pytest.yaml index 7717e2b..26fcb67 100644 --- a/kind/docker/manifests/init/pytest.yaml +++ b/kind/docker/manifests/init/pytest.yaml 
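Review bot: The `kubectl create secret docker-registry` call added in the hunk at -43,6 never passes `--docker-server`, so `DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server"` set in the hunk at -23,8 has no effect in the lines shown. The placeholder `fake_user`/`fake_password` pair is stored against kubectl's default registry server. With `imagePullSecrets[0].name` now set unconditionally, a run without DOCKERHUB_USER would present bogus credentials to the registry, which is the opposite of what the comment promises. Add `DOCKERHUB_REGISTRY_SERVER="${DOCKERHUB_REGISTRY_SERVER:-https://index.docker.io/v1/}"` before the `if`, and pass `--docker-server="${DOCKERHUB_REGISTRY_SERVER}"` to the create command. The rest of the script lies outside both hunks, so confirm the variable is not consumed elsewhere.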
@@ -21,6 +21,8 @@ spec: labels: app.kubernetes.io/name: pytest spec: + imagePullSecrets: + - name: dockerhub-secret serviceAccountName: pytest containers: - name: pytest From a1b42015e83b15018e84598a4e5333d27f5f874e Mon Sep 17 00:00:00 2001 From: "alexey.ponomarev" Date: Thu, 22 Aug 2024 23:11:24 +0600 Subject: [PATCH 3/5] NODE-5762 Release 5.0.2 --- .github/workflows/ci.yaml | 2 ++ .github/workflows/test.yaml | 24 +++++++++---------- TAG | 2 +- .../ci/deployment-existing-secret-values.yaml | 4 +++- .../deployment-external-tarantool-values.yaml | 4 +++- helm/ci/deployment-values.yaml | 2 ++ test/smoke/run.sh | 5 ++-- test/smoke/workload.yaml | 1 + 8 files changed, 27 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index be9ce5a..e438595 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -5,6 +5,8 @@ on: branches: ['main'] types: ['opened', 'reopened', 'synchronize'] paths: + - '.github/workflows/ci.yaml' + - '.github/workflows/test.yaml' - 'helm/**' - 'files/**' - 'cmd/**' diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 543a2c0..86c7a60 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -154,9 +154,9 @@ jobs: method: kubernetes path: kubernetes-ci secrets: | - kv-gitlab-ci/data/github/sidecar api_token ; kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; + kv-gitlab-ci/data/github/sidecar api_token ; - name: Checkout uses: actions/checkout@v3 
@@ -174,11 +174,6 @@ jobs: kubectl cluster-info kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system echo "current-context:" $(kubectl config current-context) - echo "[test-env] creating secret docker-registry ..." - kubectl create secret docker-registry dockerhub-secret \ - --docker-username="${DOCKERHUB_USER}" \ - --docker-password="${DOCKERHUB_PASSWORD}" \ - --docker-email=docker-pull@unexists.unexists - name: Load cache if: ${{ inputs.load_artifact }} @@ -193,6 +188,11 @@ jobs: - name: Install Helm chart run: | unset KUBERNETES_SERVICE_HOST + echo "[test-env] creating secret docker-registry ..." + kubectl create secret docker-registry dockerhub-secret \ + --docker-username="${DOCKERHUB_USER}" \ + --docker-password="${DOCKERHUB_PASSWORD}" \ + --docker-email=docker-pull@unexists.unexists helm install wallarm-sidecar ./helm -f helm/values.test.yaml \ --set config.wallarm.api.token=${API_TOKEN} \ --debug \ @@ -209,6 +209,11 @@ jobs: - name: Deploy pytest run: | unset KUBERNETES_SERVICE_HOST + kubectl create namespace pytest + kubectl -n pytest create secret docker-registry dockerhub-secret \ + --docker-username="${DOCKERHUB_USER}" \ + --docker-password="${DOCKERHUB_PASSWORD}" \ + --docker-email=docker-pull@unexists.unexists kubectl apply -f kind/docker/manifests/init/pytest.yaml while [[ -z $(kubectl -n pytest get pods -o name) ]]; do sleep 1 @@ -237,9 +242,9 @@ jobs: method: kubernetes path: kubernetes-ci secrets: | - kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN ; kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; + kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN ; - name: Checkout uses: actions/checkout@v3 
@@ -251,11 +256,6 @@ jobs: echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin kind create cluster --image kindest/node:v1.28.7 kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system - echo "[test-env] creating secret docker-registry ..." - kubectl create secret docker-registry dockerhub-secret \ - --docker-username="${DOCKERHUB_USER}" \ - --docker-password="${DOCKERHUB_PASSWORD}" \ - --docker-email=docker-pull@unexists.unexists - name: Load cache if: ${{ inputs.load_artifact }} diff --git a/TAG b/TAG index 2fe9589..0c00f61 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -1.3.9 \ No newline at end of file +1.3.10 diff --git a/helm/ci/deployment-existing-secret-values.yaml b/helm/ci/deployment-existing-secret-values.yaml index 4db69d5..92ffe6e 100644 --- a/helm/ci/deployment-existing-secret-values.yaml +++ b/helm/ci/deployment-existing-secret-values.yaml @@ -1,5 +1,7 @@ +imagePullSecrets: + - name: dockerhub-secret config: wallarm: api: existingSecret: - enabled: true \ No newline at end of file + enabled: true diff --git a/helm/ci/deployment-external-tarantool-values.yaml b/helm/ci/deployment-external-tarantool-values.yaml index 2ae1562..fad5b72 100644 --- a/helm/ci/deployment-external-tarantool-values.yaml +++ b/helm/ci/deployment-external-tarantool-values.yaml @@ -1,4 +1,6 @@ +imagePullSecrets: + - name: dockerhub-secret postanalytics: external: enabled: true - host: tarantool.domain.internal \ No newline at end of file + host: tarantool.domain.internal diff --git a/helm/ci/deployment-values.yaml b/helm/ci/deployment-values.yaml index e69de29..b44f879 100644 --- a/helm/ci/deployment-values.yaml +++ b/helm/ci/deployment-values.yaml @@ -0,0 +1,2 @@ +imagePullSecrets: + - name: dockerhub-secret diff --git a/test/smoke/run.sh b/test/smoke/run.sh index 91c35ce..cb67f60 100755 --- a/test/smoke/run.sh +++ b/test/smoke/run.sh 
@@ -27,9 +27,10 @@ export INJECTION_STRATEGY="${INJECTION_STRATEGY:-single}" K8S_VERSION=${K8S_VERSION:-1.28.7} -DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/" # This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set. +DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/" + if [ "${DOCKERHUB_USER:-false}" = "false" ]; then DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server" fi @@ -152,7 +153,7 @@ sleep 10 echo "[test-env] deploying test workload ..." kubectl apply -f "${DIR}"/workload.yaml --wait -kubectl wait --for=condition=Ready pods --all --timeout=140s +kubectl wait --for=condition=Ready pods --all --timeout=140s || (kubectl describe po -l "app.kubernetes.io/component=workload" && exit 1) echo "[test-env] running smoke tests suite ..." make -C "${DIR}"/../../ smoke-test diff --git a/test/smoke/workload.yaml b/test/smoke/workload.yaml index 838bdf3..3bfd1d4 100644 --- a/test/smoke/workload.yaml +++ b/test/smoke/workload.yaml @@ -112,6 +112,7 @@ spec: labels: app: workload wallarm-sidecar: enabled + app.kubernetes.io/component: workload annotations: sidecar.wallarm.io/wallarm-mode: "block" sidecar.wallarm.io/proxy-extra-volumes: '[{"name": "nginx-http-extra-config", "configMap": {"name": "sidecar-config"}}]' From 650b8a8d79666dd971deb3233f1a035452804485 Mon Sep 17 00:00:00 2001 From: "alexey.ponomarev" Date: Wed, 18 Sep 2024 11:56:56 +0600 Subject: [PATCH 4/5] NODE-5762 Release 5.0.2 --- helm/Chart.yaml | 8 ++++---- helm/values.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 505dea4..8be6d42 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml 
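Review bot: In the new failure branch `|| (kubectl describe po -l "app.kubernetes.io/component=workload" && exit 1)`, `exit 1` runs inside a subshell and only ends that subshell, and it is skipped altogether if `kubectl describe` itself fails. Whether the script then stops depends on a `set -e` outside this hunk; without it the smoke suite still runs against pods that never became Ready. Use a brace group so the exit applies to the script and does not depend on describe succeeding: `|| { kubectl describe po -l "app.kubernetes.io/component=workload"; exit 1; }`. The identical line is added again in PATCH 5/5.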
@@ -1,7 +1,7 @@ apiVersion: v2 name: wallarm-sidecar -version: 5.0.1 -appVersion: 5.0.1 +version: 5.0.2 +appVersion: 5.0.2 description: Sidecar controller for Kubernetes. Injects sidecar proxy based on NGINX with Wallarm module and helper services. home: https://github.com/wallarm/sidecar icon: https://static.wallarm.com/wallarm-logo.svg @@ -21,8 +21,8 @@ kubeVersion: ">=1.19.16-0" annotations: artifacthub.io/images: | - name: sidecar - image: wallarm/sidecar:5.0.1-1 + image: wallarm/sidecar:5.0.2-1 - name: sidecar-controller image: wallarm/sidecar-controller:1.3.9 - name: node-helpers - image: wallarm/node-helpers:5.0.1-1 + image: wallarm/node-helpers:5.0.2-1 diff --git a/helm/values.yaml b/helm/values.yaml index a1902f7..a5a0f6f 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -191,7 +191,7 @@ config: image: registry: docker.io image: wallarm/sidecar - tag: 5.0.1-1 + tag: 5.0.2-1 pullPolicy: IfNotPresent ### Shared security context for all (init and regular) containers in sidecar schema except `iptables` container. ### For `iptables` container it is described in `sidecar.initContainers.iptables.securityContext` value @@ -394,7 +394,7 @@ helper: image: registry: docker.io image: wallarm/node-helpers - tag: 5.0.1-1 + tag: 5.0.2-1 pullPolicy: IfNotPresent ### Configuration for post-analytics module From 48d216c9c75f2357225e38e4ec83231e2b6f8502 Mon Sep 17 00:00:00 2001 From: "alexey.ponomarev" Date: Thu, 22 Aug 2024 23:11:24 +0600 Subject: [PATCH 5/5] NODE-5762 Release 5.0.2 --- TAG | 2 +- test/smoke/run.sh | 2 +- test/smoke/workload.yaml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/TAG b/TAG index 2fe9589..0c00f61 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -1.3.9 \ No newline at end of file +1.3.10 diff --git a/test/smoke/run.sh b/test/smoke/run.sh index fd0889f..cb67f60 100755 --- a/test/smoke/run.sh +++ b/test/smoke/run.sh 
@@ -153,7 +153,7 @@ sleep 10 echo "[test-env] deploying test workload ..." kubectl apply -f "${DIR}"/workload.yaml --wait -kubectl wait --for=condition=Ready pods --all --timeout=140s +kubectl wait --for=condition=Ready pods --all --timeout=140s || (kubectl describe po -l "app.kubernetes.io/component=workload" && exit 1) echo "[test-env] running smoke tests suite ..." make -C "${DIR}"/../../ smoke-test diff --git a/test/smoke/workload.yaml b/test/smoke/workload.yaml index 838bdf3..3bfd1d4 100644 --- a/test/smoke/workload.yaml +++ b/test/smoke/workload.yaml @@ -112,6 +112,7 @@ spec: labels: app: workload wallarm-sidecar: enabled + app.kubernetes.io/component: workload annotations: sidecar.wallarm.io/wallarm-mode: "block" sidecar.wallarm.io/proxy-extra-volumes: '[{"name": "nginx-http-extra-config", "configMap": {"name": "sidecar-config"}}]'