Merge branch 'canonical:main' into navigation

canonical · Nov 8, 2024 · ae5c4f3 · ae5c4f3
2 parents 369d13b + 92828c5
commit ae5c4f3
Show file tree

Hide file tree

Showing 36 changed files with 232 additions and 131 deletions.
diff --git a/.github/workflows/integration-informing.yaml b/.github/workflows/integration-informing.yaml
@@ -92,10 +92,6 @@ jobs:
           TEST_FLAVOR: ${{ matrix.patch }}
           TEST_INSPECTION_REPORTS_DIR: ${{ github.workspace }}/inspection-reports
         run: |
-          # IPv6-only is only supported on moonray
-          if [[ "${{ matrix.patch }}" == "moonray" ]]; then
-            export TEST_IPV6_ONLY="true"
-          fi
           cd tests/integration && sg lxd -c 'tox -e integration'
       - name: Prepare inspection reports
         if: failure()

diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -102,6 +102,11 @@ jobs:
           TEST_SUBSTRATE: lxd
           TEST_LXD_IMAGE: ${{ matrix.os }}
           TEST_INSPECTION_REPORTS_DIR: ${{ github.workspace }}/inspection-reports
+          # Test the latest (up to) 6 releases for the flavour
+          # TODO(ben): upgrade nightly to run all flavours
+          TEST_VERSION_UPGRADE_CHANNELS: "recent 6 classic"
+          # Upgrading from 1.30 is not supported.
+          TEST_VERSION_UPGRADE_MIN_RELEASE: "1.31"
         run: |
           cd tests/integration && sg lxd -c 'tox -e integration'
       - name: Prepare inspection reports

diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml
@@ -45,6 +45,8 @@ jobs:
           # Test the latest (up to) 6 releases for the flavour
           # TODO(ben): upgrade nightly to run all flavours
           TEST_VERSION_UPGRADE_CHANNELS: "recent 6 classic"
+          # Upgrading from 1.30 is not supported.
+          TEST_VERSION_UPGRADE_MIN_RELEASE: "1.31"
           TEST_STRICT_INTERFACE_CHANNELS: "recent 6 strict"
         run: |
           export PATH="/home/runner/.local/bin:$PATH"

diff --git a/build-scripts/hack/generate-sbom.py b/build-scripts/hack/generate-sbom.py
@@ -190,9 +190,10 @@ def rock_coredns(manifest, extra_files):
 
     with util.git_repo(COREDNS_ROCK_REPO, COREDNS_ROCK_TAG) as d:
         rock_repo_commit = util.parse_output(["git", "rev-parse", "HEAD"], cwd=d)
-        rockcraft = (d / "rockcraft.yaml").read_text()
+        # TODO(ben): This should not be hard coded.
+        rockcraft = (d / "1.11.1/rockcraft.yaml").read_text()
 
-        extra_files["coredns/rockcraft.yaml"] = rockcraft
+        extra_files["coredns/1.11.1/rockcraft.yaml"] = rockcraft
 
         rockcraft_yaml = yaml.safe_load(rockcraft)
         repo_url = rockcraft_yaml["parts"]["coredns"]["source"]
@@ -211,7 +212,7 @@ def rock_coredns(manifest, extra_files):
             "revision": rock_repo_commit,
         },
         "language": "go",
-        "details": ["coredns/rockcraft.yaml", "coredns/go.mod", "coredns/go.sum"],
+        "details": ["coredns/1.11.1/rockcraft.yaml", "coredns/go.mod", "coredns/go.sum"],
         "source": {
             "type": "git",
             "repo": repo_url,

diff --git a/docs/canonicalk8s/.sphinx/requirements.txt b/docs/canonicalk8s/.sphinx/requirements.txt
@@ -18,6 +18,5 @@ sphinx-notfound-page
 sphinx-tabs
 sphinxcontrib-jquery
 sphinxcontrib-svg2pdfconverter[CairoSVG]
-sphinxcontrib.kroki
 sphinxext-opengraph
 watchfiles
diff --git a/docs/canonicalk8s/custom_conf.py b/docs/canonicalk8s/custom_conf.py
@@ -167,7 +167,6 @@
     'canonical.terminal-output',
     'notfound.extension',
     'sphinxcontrib.cairosvgconverter', 
-    'sphinxcontrib.kroki',
     ]
 
 # Add custom required Python modules that must be added to the
@@ -179,7 +178,6 @@
 # sphinxext-opengraph
 custom_required_modules = [
     'sphinxcontrib-svg2pdfconverter[CairoSVG]',
-    'sphinxcontrib.kroki'
 ]
 
 # Add files or directories that should be excluded from processing.

diff --git a/docs/src/_parts/template-explanation b/docs/src/_parts/template-explanation
@@ -15,11 +15,6 @@ The documentation also supports various diagrams-as-code options. We
 prefer to use UML-style diagrams, but you can also use Mermaid or many
 other types.
 
-Diagrams like this are processed using the 'kroki' directive:
-
-```{kroki} ../../assets/ck-cluster.puml
-```
-
 ## Links
 
 Explanations frequently include links to other documents. In particular, please

diff --git a/docs/src/snap/explanation/clustering.md b/docs/src/snap/explanation/clustering.md
@@ -18,8 +18,7 @@ and scheduling of workloads.
 
 This is the overview of a {{product}} cluster:
 
-```{kroki} ../../assets/ck-cluster.puml
-```
+![cluster6][]
 
 ## The Role of `k8sd` in Kubernetes Clustering
 
@@ -69,6 +68,10 @@ entire life-cycle. Their components include:
 - **Container Runtime**: The software responsible for running containers. In
     {{product}} the runtime is `containerd`.
 
+<!-- IMAGES -->
+
+[cluster6]: https://assets.ubuntu.com/v1/e6d02e9c-cluster6.svg
+
 <!-- LINKS -->
 
 [Kubernetes Components]: https://kubernetes.io/docs/concepts/overview/components/

diff --git a/docs/src/snap/explanation/ingress.md b/docs/src/snap/explanation/ingress.md
@@ -54,8 +54,7 @@ that routes traffic from outside of your cluster to services inside of your clus
 Please do not confuse this with the Kubernetes Service LoadBalancer type
 which operates at layer 4 and routes traffic directly to individual pods.
 
-```{kroki} ../../assets/ingress.puml
-```
+![cluster6][]
 
 With {{product}}, enabling Ingress is easy:
 See the [default Ingress guide][Ingress].
@@ -73,6 +72,10 @@ the responsibility of implementation falls upon you.
 You will need to create the Ingress resource,
 outlining rules that direct traffic to your application's Kubernetes service.
 
+<!-- IMAGES -->
+
+[cluster6]: https://assets.ubuntu.com/v1/e6d02e9c-cluster6.svg
+
 <!-- LINKS -->
 
 [Ingress]: /snap/howto/networking/default-ingress

diff --git a/docs/src/snap/reference/architecture.md b/docs/src/snap/reference/architecture.md
@@ -10,8 +10,7 @@ current design of {{product}}, following the [C4 model].
 This overview of {{product}} demonstrates the interactions of
 Kubernetes with users and with other systems.
 
-```{kroki} ../../assets/overview.puml
-```
+![cluster2][]
 
 Two actors interact with the Kubernetes snap:
 
@@ -52,8 +51,7 @@ distribution. We have identified the following:
 
 Looking more closely at what is contained within the K8s snap itself:
 
-```{kroki} ../../assets/k8s-container.puml
-```
+![cluster3][]
 
 The `k8s` snap distribution includes the following:
 
@@ -74,8 +72,7 @@ The `k8s` snap distribution includes the following:
 K8sd is the component that implements and exposes the operations functionality
 needed for managing the Kubernetes cluster.
 
-```{kroki} ../../assets/k8sd-component.puml
-```
+![cluster4][]
 
 At the core of the `k8sd` functionality we have the cluster manager that is
 responsible for configuring the services, workload and features we deem
@@ -107,8 +104,7 @@ This functionality is exposed via the following interfaces:
 Canonical `k8s` Charms encompass two primary components: the [`k8s` charm][K8s
 charm] and the [`k8s-worker` charm][K8s-worker charm].
 
-```{kroki} ../../assets/charms-architecture.puml
-```
+![cluster1][]
 
 Charms are instantiated on a machine as a Juju unit, and a collection of units
 constitutes an application. Both `k8s` and `k8s-worker` units are responsible
@@ -140,6 +136,12 @@ and the sharing of observability data with the [`Canonical Observability Stack
 (COS)`][COS docs]. This modular and integrated approach facilitates a robust
 and flexible {{product}} deployment managed through Juju.
 
+<!-- IMAGES -->
+
+[cluster1]: https://assets.ubuntu.com/v1/dfc43753-cluster1.svg
+[cluster2]: https://assets.ubuntu.com/v1/0e486a5d-cluster2.svg
+[cluster3]: https://assets.ubuntu.com/v1/24fd1773-cluster3.svg
+[cluster4]: https://assets.ubuntu.com/v1/24fd1773-cluster4.svg
 
 <!-- LINKS -->
 [C4 model]:           https://c4model.com/

diff --git a/docs/tools/custom_conf.py b/docs/tools/custom_conf.py
@@ -145,7 +145,7 @@
 ## Use them to extend the default features.
 
 # Add extensions
-custom_extensions = ['sphinxcontrib.kroki',  ]
+custom_extensions = [ ]
 
 # Add MyST extensions
 custom_myst_extensions = []

diff --git a/src/k8s/cmd/k8s/k8s_bootstrap_test.go b/src/k8s/cmd/k8s/k8s_bootstrap_test.go
@@ -3,7 +3,6 @@ package k8s
 import (
 	"bytes"
 	_ "embed"
-	"os"
 	"path/filepath"
 	"testing"
 
@@ -109,7 +108,7 @@ var testCases = []testCase{
 func mustAddConfigToTestDir(t *testing.T, configPath string, data string) {
 	t.Helper()
 	// Create the cluster bootstrap config file
-	err := os.WriteFile(configPath, []byte(data), 0o644)
+	err := utils.WriteFile(configPath, []byte(data), 0o644)
 	if err != nil {
 		t.Fatal(err)
 	}

diff --git a/src/k8s/cmd/k8s/k8s_x_capi.go b/src/k8s/cmd/k8s/k8s_x_capi.go
@@ -1,10 +1,9 @@
 package k8s
 
 import (
-	"os"
-
 	apiv1 "github.com/canonical/k8s-snap-api/api/v1"
 	cmdutil "github.com/canonical/k8s/cmd/util"
+	"github.com/canonical/k8s/pkg/utils"
 	"github.com/spf13/cobra"
 )
 
@@ -48,7 +47,7 @@ func newXCAPICmd(env cmdutil.ExecutionEnvironment) *cobra.Command {
 				return
 			}
 
-			if err := os.WriteFile(env.Snap.NodeTokenFile(), []byte(token), 0o600); err != nil {
+			if err := utils.WriteFile(env.Snap.NodeTokenFile(), []byte(token), 0o600); err != nil {
 				cmd.PrintErrf("Error: Failed to write the node token to file.\n\nThe error was: %v\n", err)
 				env.Exit(1)
 				return

diff --git a/src/k8s/cmd/k8sd/k8sd_cluster_recover.go b/src/k8s/cmd/k8sd/k8sd_cluster_recover.go
@@ -346,7 +346,7 @@ func yamlEditorGuide(
 	newContent = removeEmptyLines(newContent)
 
 	if applyChanges {
-		err = os.WriteFile(path, newContent, os.FileMode(0o644))
+		err = utils.WriteFile(path, newContent, os.FileMode(0o644))
 		if err != nil {
 			return nil, fmt.Errorf("could not write file: %s, error: %w", path, err)
 		}

diff --git a/src/k8s/pkg/docgen/json_struct.go b/src/k8s/pkg/docgen/json_struct.go
@@ -5,6 +5,8 @@ import (
 	"os"
 	"reflect"
 	"strings"
+
+	"github.com/canonical/k8s/pkg/utils"
 )
 
 type JsonTag struct {
@@ -55,7 +57,7 @@ func MarkdownFromJsonStructToFile(i any, outFilePath string, projectDir string)
 		return err
 	}
 
-	err = os.WriteFile(outFilePath, []byte(content), 0o644)
+	err = utils.WriteFile(outFilePath, []byte(content), 0o644)
 	if err != nil {
 		return fmt.Errorf("failed to write markdown documentation to %s: %w", outFilePath, err)
 	}

diff --git a/src/k8s/pkg/k8sd/setup/certificates.go b/src/k8s/pkg/k8sd/setup/certificates.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/canonical/k8s/pkg/k8sd/pki"
 	"github.com/canonical/k8s/pkg/snap"
+	"github.com/canonical/k8s/pkg/utils"
 )
 
 // ensureFile creates fname with the specified contents, mode and owner bits.
@@ -39,7 +40,7 @@ func ensureFile(fname string, contents string, uid, gid int, mode fs.FileMode) (
 	var contentChanged bool
 
 	if contents != string(origContent) {
-		if err := os.WriteFile(fname, []byte(contents), mode); err != nil {
+		if err := utils.WriteFile(fname, []byte(contents), mode); err != nil {
 			return false, fmt.Errorf("failed to write: %w", err)
 		}
 		contentChanged = true

diff --git a/src/k8s/pkg/k8sd/setup/containerd.go b/src/k8s/pkg/k8sd/setup/containerd.go
@@ -108,7 +108,7 @@ func Containerd(snap snap.Snap, extraContainerdConfig map[string]any, extraArgs
 		return fmt.Errorf("failed to render containerd config.toml: %w", err)
 	}
 
-	if err := os.WriteFile(filepath.Join(snap.ContainerdConfigDir(), "config.toml"), b, 0o600); err != nil {
+	if err := utils.WriteFile(filepath.Join(snap.ContainerdConfigDir(), "config.toml"), b, 0o600); err != nil {
 		return fmt.Errorf("failed to write config.toml: %w", err)
 	}
 

diff --git a/src/k8s/pkg/k8sd/setup/containerd_test.go b/src/k8s/pkg/k8sd/setup/containerd_test.go
@@ -20,7 +20,7 @@ func TestContainerd(t *testing.T) {
 
 	dir := t.TempDir()
 
-	g.Expect(os.WriteFile(filepath.Join(dir, "mockcni"), []byte("echo hi"), 0o600)).To(Succeed())
+	g.Expect(utils.WriteFile(filepath.Join(dir, "mockcni"), []byte("echo hi"), 0o600)).To(Succeed())
 
 	s := &mock.Snap{
 		Mock: mock.Mock{

diff --git a/src/k8s/pkg/k8sd/setup/k8s_dqlite.go b/src/k8s/pkg/k8sd/setup/k8s_dqlite.go
@@ -32,7 +32,7 @@ func K8sDqlite(snap snap.Snap, address string, cluster []string, extraArgs map[s
 		return fmt.Errorf("failed to create init.yaml file for address=%s cluster=%v: %w", address, cluster, err)
 	}
 
-	if err := os.WriteFile(filepath.Join(snap.K8sDqliteStateDir(), "init.yaml"), b, 0o600); err != nil {
+	if err := utils.WriteFile(filepath.Join(snap.K8sDqliteStateDir(), "init.yaml"), b, 0o600); err != nil {
 		return fmt.Errorf("failed to write init.yaml: %w", err)
 	}
 

diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver.go b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
@@ -85,6 +85,7 @@ func KubeAPIServer(snap snap.Snap, securePort int, nodeIP net.IP, serviceCIDR st
 		"--service-cluster-ip-range":                 serviceCIDR,
 		"--tls-cert-file":                            filepath.Join(snap.KubernetesPKIDir(), "apiserver.crt"),
 		"--tls-cipher-suites":                        strings.Join(apiserverTLSCipherSuites, ","),
+		"--tls-min-version":                          "VersionTLS12",
 		"--tls-private-key-file":                     filepath.Join(snap.KubernetesPKIDir(), "apiserver.key"),
 	}
 

diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
@@ -63,6 +63,7 @@ func TestKubeAPIServer(t *testing.T) {
 			{key: "--service-cluster-ip-range", expectedVal: "10.0.0.0/24"},
 			{key: "--tls-cert-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 			{key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
+			{key: "--tls-min-version", expectedVal: "VersionTLS12"},
 			{key: "--tls-private-key-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
 			{key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", filepath.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 			{key: "--request-timeout", expectedVal: "300s"},
@@ -123,6 +124,7 @@ func TestKubeAPIServer(t *testing.T) {
 			{key: "--service-cluster-ip-range", expectedVal: "10.0.0.0/24"},
 			{key: "--tls-cert-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 			{key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
+			{key: "--tls-min-version", expectedVal: "VersionTLS12"},
 			{key: "--tls-private-key-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
 			{key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", filepath.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 		}
@@ -178,6 +180,7 @@ func TestKubeAPIServer(t *testing.T) {
 			{key: "--service-cluster-ip-range", expectedVal: "10.0.0.0/24"},
 			{key: "--tls-cert-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 			{key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
+			{key: "--tls-min-version", expectedVal: "VersionTLS12"},
 			{key: "--tls-private-key-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
 			{key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", filepath.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 			{key: "--request-timeout", expectedVal: "300s"},

diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
@@ -22,6 +22,7 @@ func KubeControllerManager(snap snap.Snap, extraArgs map[string]*string) error {
 		"--root-ca-file":                     filepath.Join(snap.KubernetesPKIDir(), "ca.crt"),
 		"--service-account-private-key-file": filepath.Join(snap.KubernetesPKIDir(), "serviceaccount.key"),
 		"--terminated-pod-gc-threshold":      "12500",
+		"--tls-min-version":                  "VersionTLS12",
 		"--use-service-account-credentials":  "true",
 	}
 	// enable cluster-signing if certificates are available

diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
@@ -47,6 +47,7 @@ func TestKubeControllerManager(t *testing.T) {
 			{key: "--root-ca-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 			{key: "--service-account-private-key-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
 			{key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
+			{key: "--tls-min-version", expectedVal: "VersionTLS12"},
 			{key: "--use-service-account-credentials", expectedVal: "true"},
 			{key: "--cluster-signing-cert-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 			{key: "--cluster-signing-key-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "ca.key")},
@@ -95,6 +96,7 @@ func TestKubeControllerManager(t *testing.T) {
 			{key: "--root-ca-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 			{key: "--service-account-private-key-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
 			{key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
+			{key: "--tls-min-version", expectedVal: "VersionTLS12"},
 			{key: "--use-service-account-credentials", expectedVal: "true"},
 		}
 		for _, tc := range tests {
@@ -148,6 +150,7 @@ func TestKubeControllerManager(t *testing.T) {
 			{key: "--root-ca-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 			{key: "--service-account-private-key-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
 			{key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
+			{key: "--tls-min-version", expectedVal: "VersionTLS12"},
 			{key: "--use-service-account-credentials", expectedVal: "true"},
 			{key: "--cluster-signing-cert-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 			{key: "--cluster-signing-key-file", expectedVal: filepath.Join(s.Mock.KubernetesPKIDir, "ca.key")},

diff --git a/src/k8s/pkg/k8sd/setup/kube_scheduler.go b/src/k8s/pkg/k8sd/setup/kube_scheduler.go
@@ -18,6 +18,7 @@ func KubeScheduler(snap snap.Snap, extraArgs map[string]*string) error {
 		"--leader-elect-lease-duration": "30s",
 		"--leader-elect-renew-deadline": "15s",
 		"--profiling":                   "false",
+		"--tls-min-version":             "VersionTLS12",
 	}, nil); err != nil {
 		return fmt.Errorf("failed to render arguments file: %w", err)
 	}

diff --git a/src/k8s/pkg/k8sd/setup/kube_scheduler_test.go b/src/k8s/pkg/k8sd/setup/kube_scheduler_test.go
@@ -39,6 +39,7 @@ func TestKubeScheduler(t *testing.T) {
 			{key: "--leader-elect-lease-duration", expectedVal: "30s"},
 			{key: "--leader-elect-renew-deadline", expectedVal: "15s"},
 			{key: "--profiling", expectedVal: "false"},
+			{key: "--tls-min-version", expectedVal: "VersionTLS12"},
 		}
 		for _, tc := range tests {
 			t.Run(tc.key, func(t *testing.T) {
@@ -79,6 +80,7 @@ func TestKubeScheduler(t *testing.T) {
 			{key: "--kubeconfig", expectedVal: filepath.Join(s.Mock.KubernetesConfigDir, "scheduler.conf")},
 			{key: "--leader-elect-renew-deadline", expectedVal: "15s"},
 			{key: "--profiling", expectedVal: "true"},
+			{key: "--tls-min-version", expectedVal: "VersionTLS12"},
 			{key: "--my-extra-arg", expectedVal: "my-extra-val"},
 		}
 		for _, tc := range tests {