Added certificate owner ref field #5158
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jetstack-bot
added
release-note
Contributor
|
Hi @RomanenkoDenys. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
needs-ok-to-test
RomanenkoDenys
force-pushed
the
certificate-owner-ref
branch
from
be271d9 to
0717496
Compare
egegunes
added a commit
to percona/percona-xtradb-cluster-operator
that referenced
this pull request
Jun 1, 2022
We shouldn't set owner references to cert-manager objects if we don't want to delete secrets too. This way, after the PXC cluster is deleted issuers, certificates and their secrets will remain intact in the cluster. If users want to cleanup objects created for SSL, we introduce a new finalizer: `delete-ssl`. If this finalizer is set, the operator will delete secrets, certificates and issuers. Unfortunately, cert-manager doesn't set owner reference to the secret it created and this behaviour can only configured by command line flag in the controller. Since we can't control how users deploy cert-manager to their clusters, we shouldn't rely on this feature and cleanup certificates and secrets altogether. Hopefully, cert-manager/cert-manager#5158 will merged and we can configure this behaviour on certificate level.
egegunes
added a commit
to percona/percona-xtradb-cluster-operator
that referenced
this pull request
Jun 1, 2022
We shouldn't set owner references to cert-manager objects if we don't want to delete secrets too. This way, after the PXC cluster is deleted issuers, certificates and their secrets will remain intact in the cluster. If users want to cleanup objects created for SSL, we introduce a new finalizer: `delete-ssl`. If this finalizer is set, the operator will delete secrets, certificates and issuers. Unfortunately, cert-manager doesn't set owner reference to the secret it created and this behaviour can only configured by command line flag in the controller. Since we can't control how users deploy cert-manager to their clusters, we shouldn't rely on this feature and cleanup certificates and secrets altogether. Hopefully, cert-manager/cert-manager#5158 will merged and we can configure this behaviour on certificate level.
Contributor
|
Hi thank you for the PR. I haven't looked at the contents yet, a couple thoughts:
|
Contributor
Author
|
Hi, thank you for reply.
We use Corresponding secret - Let's change certificate if i restore
Yes, wi will discuss on the next biweekly meet.
Yes, let's discuss later. Thank you ! |
RomanenkoDenys
force-pushed
the
certificate-owner-ref
branch
from
0717496 to
1ac262c
Compare
jetstack-bot
added
dco-signoff: no
RomanenkoDenys
force-pushed
the
certificate-owner-ref
branch
from
1ac262c to
cc830e4
Compare
jetstack-bot
added
dco-signoff: yes
hors
added a commit
to percona/percona-xtradb-cluster-operator
that referenced
this pull request
Jul 19, 2022
* K8SPXC-1030: Don't delete cert-manager certs by default We shouldn't set owner references to cert-manager objects if we don't want to delete secrets too. This way, after the PXC cluster is deleted issuers, certificates and their secrets will remain intact in the cluster. If users want to cleanup objects created for SSL, we introduce a new finalizer: `delete-ssl`. If this finalizer is set, the operator will delete secrets, certificates and issuers. Unfortunately, cert-manager doesn't set owner reference to the secret it created and this behaviour can only configured by command line flag in the controller. Since we can't control how users deploy cert-manager to their clusters, we shouldn't rely on this feature and cleanup certificates and secrets altogether. Hopefully, cert-manager/cert-manager#5158 will merged and we can configure this behaviour on certificate level. * fix tests Co-authored-by: Viacheslav Sarzhan <[email protected]>
Member
|
I'd also like to discuss the API surface for this - I think something more like |
Member
|
I have created the design document 20220720-per-certificate-owner-ref.md with the aim to continue the discussion about the API surface. Update: I will be on vacation from 30 July to 15 August 2022. |
egegunes
added a commit
to percona/percona-xtradb-cluster-operator
that referenced
this pull request
Aug 1, 2022
* K8SPXC-1030: Don't delete cert-manager certs by default We shouldn't set owner references to cert-manager objects if we don't want to delete secrets too. This way, after the PXC cluster is deleted issuers, certificates and their secrets will remain intact in the cluster. If users want to cleanup objects created for SSL, we introduce a new finalizer: `delete-ssl`. If this finalizer is set, the operator will delete secrets, certificates and issuers. Unfortunately, cert-manager doesn't set owner reference to the secret it created and this behaviour can only configured by command line flag in the controller. Since we can't control how users deploy cert-manager to their clusters, we shouldn't rely on this feature and cleanup certificates and secrets altogether. Hopefully, cert-manager/cert-manager#5158 will merged and we can configure this behaviour on certificate level. * fix tests Co-authored-by: Viacheslav Sarzhan <[email protected]>
nmarukovich
pushed a commit
to percona/percona-xtradb-cluster-operator
that referenced
this pull request
Aug 1, 2022
* K8SPXC-1030: Don't delete cert-manager certs by default We shouldn't set owner references to cert-manager objects if we don't want to delete secrets too. This way, after the PXC cluster is deleted issuers, certificates and their secrets will remain intact in the cluster. If users want to cleanup objects created for SSL, we introduce a new finalizer: `delete-ssl`. If this finalizer is set, the operator will delete secrets, certificates and issuers. Unfortunately, cert-manager doesn't set owner reference to the secret it created and this behaviour can only configured by command line flag in the controller. Since we can't control how users deploy cert-manager to their clusters, we shouldn't rely on this feature and cleanup certificates and secrets altogether. Hopefully, cert-manager/cert-manager#5158 will merged and we can configure this behaviour on certificate level. * fix tests Co-authored-by: Viacheslav Sarzhan <[email protected]>
jetstack-bot
added
dco-signoff: no
RomanenkoDenys
force-pushed
the
certificate-owner-ref
branch
from
3ecbc69 to
eabb20a
Compare
Signed-off-by: Denis Romanenko <[email protected]>
RomanenkoDenys
force-pushed
the
certificate-owner-ref
branch
from
6694245 to
e571a9e
Compare
jetstack-bot
added
size/XXL
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: maelvls The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Contributor
|
@RomanenkoDenys: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
jetstack-bot
added
the
needs-rebase
Contributor
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Contributor
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
the
lifecycle/stale
Contributor
|
Stale issues rot after 30d of inactivity. |
jetstack-bot
added
lifecycle/rotten
Member
|
/remove-lifecycle rotten |
jetstack-bot
removed
the
lifecycle/rotten
|
This looks to solve: #7041 |
Contributor
|
Issues go stale after 90d of inactivity. |
cert-manager-prow
bot
added
the
lifecycle/stale
Contributor
|
@RomanenkoDenys: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Contributor
|
Stale issues rot after 30d of inactivity. |
cert-manager-prow
bot
added
lifecycle/rotten
Contributor
|
Rotten issues close after 30d of inactivity. |
Contributor
|
@cert-manager-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
juev
pushed a commit
to deckhouse/deckhouse
that referenced
this pull request
Mar 17, 2025
Signed-off-by: Evsyukov Denis <[email protected]> # Conflicts: # modules/150-user-authn/images/dex/patches/0005-gitlab-refresh-context.patch # modules/150-user-authn/images/dex/patches/0006-static-user-groups.patch # modules/150-user-authn/images/dex/patches/001-go-mod.patch # modules/150-user-authn/images/dex/patches/002-bytes-and-string-certificates.patch # modules/150-user-authn/images/dex/patches/003-client-filters.patch # modules/150-user-authn/images/dex/patches/003-gitlab-refresh-context.patch # modules/150-user-authn/images/dex/patches/004-fix-offline-session-updates.patch # modules/150-user-authn/images/dex/patches/004-static-user-groups.patch # modules/150-user-authn/images/dex/patches/005-gitlab-refresh-context.patch # modules/150-user-authn/images/dex/patches/006-static-user-groups.patch # modules/150-user-authn/images/dex/patches/README.md # modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/001-go-mod.patch # modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/002-fix-kube_pod_tolerations-deduplicate.patch # modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/README.md # modules/500-openvpn/images/ovpn-admin/patches/001-go-mod.patch # modules/500-openvpn/images/ovpn-admin/patches/001-go_mod.patch # modules/500-openvpn/images/ovpn-admin/patches/go_mod.patch diff --git c/modules/015-admission-policy-engine/images/gatekeeper/patches/README.md i/modules/015-admission-policy-engine/images/gatekeeper/patches/README.md index 8fb3293486..5815ee3f28 100644 --- c/modules/015-admission-policy-engine/images/gatekeeper/patches/README.md +++ i/modules/015-admission-policy-engine/images/gatekeeper/patches/README.md @@ -1,4 +1,4 @@ ## Patches -### Go mod +### 001-go-mod.patch This patch updates dependencies' versions to meet security concerns. diff --git c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.28/README.md i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.28/README.md index c7a54deabd..6994d01068 100644 --- c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.28/README.md +++ i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.28/README.md @@ -12,3 +12,7 @@ Ability to create LoadBalancer with type `none`. LoadBalancer with this type wil ## 003-dont-delete-ingress-sg-rules-elb.patch We shouldn't delete Ingress SG rule, if it allows access from configured "ElbSecurityGroup", so that we won't disrupt access to Nodes from other ELBs. + +## 004-bump-deps.patch + +Update dependencies diff --git c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.29/README.md i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.29/README.md index c7a54deabd..6994d01068 100644 --- c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.29/README.md +++ i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.29/README.md @@ -12,3 +12,7 @@ Ability to create LoadBalancer with type `none`. LoadBalancer with this type wil ## 003-dont-delete-ingress-sg-rules-elb.patch We shouldn't delete Ingress SG rule, if it allows access from configured "ElbSecurityGroup", so that we won't disrupt access to Nodes from other ELBs. + +## 004-bump-deps.patch + +Update dependencies diff --git c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.30/README.md i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.30/README.md index c7a54deabd..6994d01068 100644 --- c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.30/README.md +++ i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.30/README.md @@ -12,3 +12,7 @@ Ability to create LoadBalancer with type `none`. LoadBalancer with this type wil ## 003-dont-delete-ingress-sg-rules-elb.patch We shouldn't delete Ingress SG rule, if it allows access from configured "ElbSecurityGroup", so that we won't disrupt access to Nodes from other ELBs. + +## 004-bump-deps.patch + +Update dependencies diff --git c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.31/README.md i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.31/README.md index c7a54deabd..6994d01068 100644 --- c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.31/README.md +++ i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.31/README.md @@ -12,3 +12,7 @@ Ability to create LoadBalancer with type `none`. LoadBalancer with this type wil ## 003-dont-delete-ingress-sg-rules-elb.patch We shouldn't delete Ingress SG rule, if it allows access from configured "ElbSecurityGroup", so that we won't disrupt access to Nodes from other ELBs. + +## 004-bump-deps.patch + +Update dependencies diff --git c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.32/README.md i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.32/README.md index c7a54deabd..6994d01068 100644 --- c/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.32/README.md +++ i/modules/030-cloud-provider-aws/images/cloud-controller-manager/patches/1.32/README.md @@ -12,3 +12,7 @@ Ability to create LoadBalancer with type `none`. LoadBalancer with this type wil ## 003-dont-delete-ingress-sg-rules-elb.patch We shouldn't delete Ingress SG rule, if it allows access from configured "ElbSecurityGroup", so that we won't disrupt access to Nodes from other ELBs. + +## 004-bump-deps.patch + +Update dependencies diff --git c/modules/030-cloud-provider-aws/images/ebs-csi-plugin/patches/v1.34.0/README.md i/modules/030-cloud-provider-aws/images/ebs-csi-plugin/patches/v1.34.0/README.md new file mode 100644 index 0000000000..6a495afd8c --- /dev/null +++ i/modules/030-cloud-provider-aws/images/ebs-csi-plugin/patches/v1.34.0/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-bump-deps.patch + +Update dependencies diff --git c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.28/README.md i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.28/README.md index f15cb70ffe..aa1178f0aa 100644 --- c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.28/README.md +++ i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.28/README.md @@ -1,4 +1,4 @@ -### options.patch +### 001-options.patch This patch add NodeController options to main context object CloudControllerManager from package "k8s.io/cloud-provider/options" witch return flag "node controller". diff --git c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.29/README.md i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.29/README.md index f15cb70ffe..aa1178f0aa 100644 --- c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.29/README.md +++ i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.29/README.md @@ -1,4 +1,4 @@ -### options.patch +### 001-options.patch This patch add NodeController options to main context object CloudControllerManager from package "k8s.io/cloud-provider/options" witch return flag "node controller". diff --git c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.30/README.md i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.30/README.md index f15cb70ffe..aa1178f0aa 100644 --- c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.30/README.md +++ i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.30/README.md @@ -1,4 +1,4 @@ -### options.patch +### 001-options.patch This patch add NodeController options to main context object CloudControllerManager from package "k8s.io/cloud-provider/options" witch return flag "node controller". diff --git c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.31/README.md i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.31/README.md index f15cb70ffe..aa1178f0aa 100644 --- c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.31/README.md +++ i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.31/README.md @@ -1,4 +1,4 @@ -### options.patch +### 001-options.patch This patch add NodeController options to main context object CloudControllerManager from package "k8s.io/cloud-provider/options" witch return flag "node controller". diff --git c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.32/README.md i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.32/README.md index f15cb70ffe..970b9e844e 100644 --- c/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.32/README.md +++ i/modules/030-cloud-provider-azure/images/cloud-controller-manager/patches/1.32/README.md @@ -1,7 +1,3 @@ -### options.patch +### 001-options.patch This patch add NodeController options to main context object CloudControllerManager from package "k8s.io/cloud-provider/options" witch return flag "node controller". - -### 002-bump-deps.patch - -Fixes CVEs (bumps go mod) diff --git c/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v28.10.0/README.md i/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v28.10.0/README.md new file mode 100644 index 0000000000..18d6d247bc --- /dev/null +++ i/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v28.10.0/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependencies diff --git c/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v29.5.1/README.md i/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v29.5.1/README.md new file mode 100644 index 0000000000..18d6d247bc --- /dev/null +++ i/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v29.5.1/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependencies diff --git c/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v30.1.4/README.md i/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v30.1.4/README.md new file mode 100644 index 0000000000..18d6d247bc --- /dev/null +++ i/modules/030-cloud-provider-gcp/images/cloud-controller-manager/patches/ccm-v30.1.4/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependencies diff --git c/modules/030-cloud-provider-gcp/images/pd-csi-plugin/patches/v1.12.13/README.md i/modules/030-cloud-provider-gcp/images/pd-csi-plugin/patches/v1.12.13/README.md new file mode 100644 index 0000000000..18d6d247bc --- /dev/null +++ i/modules/030-cloud-provider-gcp/images/pd-csi-plugin/patches/v1.12.13/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependencies diff --git c/modules/030-cloud-provider-gcp/images/pd-csi-plugin/patches/v1.15.4/README.md i/modules/030-cloud-provider-gcp/images/pd-csi-plugin/patches/v1.15.4/README.md new file mode 100644 index 0000000000..18d6d247bc --- /dev/null +++ i/modules/030-cloud-provider-gcp/images/pd-csi-plugin/patches/v1.15.4/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependencies diff --git c/modules/031-ceph-csi/images/cephcsi/patches/go_mod.patch i/modules/031-ceph-csi/images/cephcsi/patches/001-go_mod.patch similarity index 100% rename from modules/031-ceph-csi/images/cephcsi/patches/go_mod.patch rename to modules/031-ceph-csi/images/cephcsi/patches/001-go_mod.patch diff --git c/modules/031-ceph-csi/images/cephcsi/patches/README.md i/modules/031-ceph-csi/images/cephcsi/patches/README.md index 6260f1b625..263baad779 100644 --- c/modules/031-ceph-csi/images/cephcsi/patches/README.md +++ i/modules/031-ceph-csi/images/cephcsi/patches/README.md @@ -1,6 +1,6 @@ ## Patches -### Go mod +### 001-go_mod.patch To create this patch run commands: @@ -16,6 +16,6 @@ go get k8s.io/[email protected] #replase all in k8s.io v0.24.4 -> v0.24.17 go mod tidy -git diff > patches/go_mod.patch -#git apply patches/go_mod.patch +git diff > patches/001-go_mod.patch +#git apply patches/001-go_mod.patch ``` diff --git c/modules/031-local-path-provisioner/images/local-path-provisioner/patches/README.md i/modules/031-local-path-provisioner/images/local-path-provisioner/patches/README.md index 6ed4a2ea96..305abd3085 100644 --- c/modules/031-local-path-provisioner/images/local-path-provisioner/patches/README.md +++ i/modules/031-local-path-provisioner/images/local-path-provisioner/patches/README.md @@ -1,6 +1,10 @@ ## Patches -### Fix DirectoryOrCreate +### 001-go-mod.patch + +Update dependencies + +### 002-fix-directory-or-create.patch Use `type: Directory` instead of `type: DirectoryOrCreate` for created PVs to avoid the situations when initial storage is broken and unmounted. diff --git c/modules/040-control-plane-manager/images/etcd/patches/README.md i/modules/040-control-plane-manager/images/etcd/patches/README.md new file mode 100644 index 0000000000..8cc491644f --- /dev/null +++ i/modules/040-control-plane-manager/images/etcd/patches/README.md @@ -0,0 +1,9 @@ +## Patches + +### 001-go-mod.patch + +Update dependencies + +### 002-etcdctl-snapshot-pipe.patch + +feature: support for piping snapshot to stdout \ No newline at end of file diff --git c/modules/040-node-manager/images/capi-controller-manager/patches/README.MD i/modules/040-node-manager/images/capi-controller-manager/patches/README.MD index 16fc2379ad..1b60d06349 100644 --- c/modules/040-node-manager/images/capi-controller-manager/patches/README.MD +++ i/modules/040-node-manager/images/capi-controller-manager/patches/README.MD @@ -1,5 +1,5 @@ ## Patches -### Fix go.mod +### 001-go-mod.patch Bump libraries versions to resolve CVE diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/go_mod.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/001-go_mod.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.28/go_mod.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.28/001-go_mod.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/kruise-ads.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/002-kruise-ads.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.28/kruise-ads.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.28/002-kruise-ads.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/scale-from-zero.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/003-scale-from-zero.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.28/scale-from-zero.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.28/003-scale-from-zero.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/README.md i/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/README.md index 43fb9b68d5..ea6a423297 100644 --- c/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/README.md +++ i/modules/040-node-manager/images/cluster-autoscaler/patches/1.28/README.md @@ -1,6 +1,6 @@ ## Patches -### Go mod +### 001-go_mod.patch To create this patch run commands: @@ -17,7 +17,14 @@ go get k8s.io/[email protected] go get k8s.io/[email protected] #replase all in k8s.io v0.28.0 -> v0.28.15 go mod tidy -git diff > patches/go_mod.patch -#git apply patches/go_mod.patch +git diff > patches/001-go_mod.patch +#git apply patches/001-go_mod.patch ``` +### 002-kruise-ads.patch + +TODO: add description + +### 003-scale-from-zero.patch + +TODO: add description diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/go_mod.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/001-go_mod.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.29/go_mod.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.29/001-go_mod.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/kruise-ads.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/002-kruise-ads.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.29/kruise-ads.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.29/002-kruise-ads.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/scale-from-zero.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/003-scale-from-zero.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.29/scale-from-zero.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.29/003-scale-from-zero.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/README.md i/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/README.md index 7710945910..703777d601 100644 --- c/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/README.md +++ i/modules/040-node-manager/images/cluster-autoscaler/patches/1.29/README.md @@ -1,6 +1,6 @@ ## Patches -### Go mod +### 001-go_mod.patch To create this patch run commands: @@ -16,7 +16,14 @@ go get k8s.io/[email protected] go get k8s.io/[email protected] #replase all in k8s.io v0.29.6 -> v0.29.12 go mod tidy -git diff > patches/go_mod.patch -#git apply patches/go_mod.patch +git diff > patches/001-go_mod.patch +#git apply patches/001-go_mod.patch ``` +### 002-kruise-ads.patch + +TODO: add description + +### 003-scale-from-zero.patch + +TODO: add description diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/go_mod.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/001-go_mod.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.30/go_mod.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.30/001-go_mod.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/kruise-ads.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/002-kruise-ads.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.30/kruise-ads.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.30/002-kruise-ads.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/scale-from-zero.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/003-scale-from-zero.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.30/scale-from-zero.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.30/003-scale-from-zero.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/README.md i/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/README.md index 84ea5ddaae..b2464f8d8b 100644 --- c/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/README.md +++ i/modules/040-node-manager/images/cluster-autoscaler/patches/1.30/README.md @@ -1,6 +1,6 @@ ## Patches -### Go mod +### 001-go_mod.patch To create this patch run commands: @@ -19,7 +19,14 @@ cd apis go get golang.org/x/[email protected] cd .. go mod tidy -git diff > patches/go_mod.patch -#git apply patches/go_mod.patch +git diff > patches/001-go_mod.patch +#git apply patches/001-go_mod.patch ``` +### 002-kruise-ads.patch + +TODO: add description + +### 003-scale-from-zero.patch + +TODO: add description diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/go_mod.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/001-go_mod.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.31/go_mod.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.31/001-go_mod.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/kruise-ads.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/002-kruise-ads.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.31/kruise-ads.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.31/002-kruise-ads.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/scale-from-zero.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/003-scale-from-zero.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.31/scale-from-zero.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.31/003-scale-from-zero.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/README.md i/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/README.md index 84ea5ddaae..b2464f8d8b 100644 --- c/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/README.md +++ i/modules/040-node-manager/images/cluster-autoscaler/patches/1.31/README.md @@ -1,6 +1,6 @@ ## Patches -### Go mod +### 001-go_mod.patch To create this patch run commands: @@ -19,7 +19,14 @@ cd apis go get golang.org/x/[email protected] cd .. go mod tidy -git diff > patches/go_mod.patch -#git apply patches/go_mod.patch +git diff > patches/001-go_mod.patch +#git apply patches/001-go_mod.patch ``` +### 002-kruise-ads.patch + +TODO: add description + +### 003-scale-from-zero.patch + +TODO: add description diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/go_mod.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/001-go_mod.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.32/go_mod.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.32/001-go_mod.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/kruise-ads.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/002-kruise-ads.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.32/kruise-ads.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.32/002-kruise-ads.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/scale-from-zero.patch i/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/003-scale-from-zero.patch similarity index 100% rename from modules/040-node-manager/images/cluster-autoscaler/patches/1.32/scale-from-zero.patch rename to modules/040-node-manager/images/cluster-autoscaler/patches/1.32/003-scale-from-zero.patch diff --git c/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/README.md i/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/README.md index 84ea5ddaae..b2464f8d8b 100644 --- c/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/README.md +++ i/modules/040-node-manager/images/cluster-autoscaler/patches/1.32/README.md @@ -1,6 +1,6 @@ ## Patches -### Go mod +### 001-go_mod.patch To create this patch run commands: @@ -19,7 +19,14 @@ cd apis go get golang.org/x/[email protected] cd .. go mod tidy -git diff > patches/go_mod.patch -#git apply patches/go_mod.patch +git diff > patches/001-go_mod.patch +#git apply patches/001-go_mod.patch ``` +### 002-kruise-ads.patch + +TODO: add description + +### 003-scale-from-zero.patch + +TODO: add description diff --git c/modules/040-terraform-manager/images/terraform-manager-aws/patches/gomod_update.patch i/modules/040-terraform-manager/images/terraform-manager-aws/patches/001-gomod_update.patch similarity index 100% rename from modules/040-terraform-manager/images/terraform-manager-aws/patches/gomod_update.patch rename to modules/040-terraform-manager/images/terraform-manager-aws/patches/001-gomod_update.patch diff --git c/modules/040-terraform-manager/images/terraform-manager-aws/patches/README.md i/modules/040-terraform-manager/images/terraform-manager-aws/patches/README.md new file mode 100644 index 0000000000..b29fe33570 --- /dev/null +++ i/modules/040-terraform-manager/images/terraform-manager-aws/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-gomod_update.patch + +Update dependencies diff --git c/modules/040-terraform-manager/images/terraform-manager-gcp/patches/go_mod.patch i/modules/040-terraform-manager/images/terraform-manager-gcp/patches/001-go_mod.patch similarity index 100% rename from modules/040-terraform-manager/images/terraform-manager-gcp/patches/go_mod.patch rename to modules/040-terraform-manager/images/terraform-manager-gcp/patches/001-go_mod.patch diff --git c/modules/040-terraform-manager/images/terraform-manager-gcp/patches/remove_routes_on_deletion.patch i/modules/040-terraform-manager/images/terraform-manager-gcp/patches/002-remove_routes_on_deletion.patch similarity index 100% rename from modules/040-terraform-manager/images/terraform-manager-gcp/patches/remove_routes_on_deletion.patch rename to modules/040-terraform-manager/images/terraform-manager-gcp/patches/002-remove_routes_on_deletion.patch diff --git c/modules/040-terraform-manager/images/terraform-manager-gcp/patches/README.md i/modules/040-terraform-manager/images/terraform-manager-gcp/patches/README.md index 6247d5216d..2a61665823 100644 --- c/modules/040-terraform-manager/images/terraform-manager-gcp/patches/README.md +++ i/modules/040-terraform-manager/images/terraform-manager-gcp/patches/README.md @@ -1,9 +1,10 @@ ## Patches -### remove_routes_on_deletion +### 002-remove_routes_on_deletion.patch + https://github.com/flant/terraform-provider-google/compare/v3.48.0...v3.48.0-flant.1 -### Go mod +### 001-go_mod.patch To create this patch run commands: diff --git c/modules/040-terraform-manager/images/terraform-manager-yandex/patches/bump_packages_version.patch i/modules/040-terraform-manager/images/terraform-manager-yandex/patches/001-bump_packages_version.patch similarity index 100% rename from modules/040-terraform-manager/images/terraform-manager-yandex/patches/bump_packages_version.patch rename to modules/040-terraform-manager/images/terraform-manager-yandex/patches/001-bump_packages_version.patch diff --git c/modules/040-terraform-manager/images/terraform-manager-yandex/patches/readme.md i/modules/040-terraform-manager/images/terraform-manager-yandex/patches/readme.md index 9590fbc2ed..6d3675834a 100644 --- c/modules/040-terraform-manager/images/terraform-manager-yandex/patches/readme.md +++ i/modules/040-terraform-manager/images/terraform-manager-yandex/patches/readme.md @@ -1 +1,5 @@ +# Patches + +## 001-bump_packages_version.patch + bump_packages_version.patch - bump packages version for fix cve diff --git c/modules/101-cert-manager/images/cert-manager-controller/patches/README.md i/modules/101-cert-manager/images/cert-manager-controller/patches/README.md index a111bf8986..13c12d3296 100644 --- c/modules/101-cert-manager/images/cert-manager-controller/patches/README.md +++ i/modules/101-cert-manager/images/cert-manager-controller/patches/README.md @@ -1,10 +1,10 @@ ## Patches -### go-mod.patch +### 001-go-mod.patch Bump libraries versions to fix security errors. -### Certificate owner ref +### 002-certificate_owner_ref.patch Adds `CertificateOwnerRef` flag to Certificate CRD. `CertificateOwnerRef` flag is whether to set the certificate resource as an owner of a secret where the TLS certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. https://github.com/cert-manager/cert-manager/pull/5158 diff --git c/modules/110-istio/images/common-v1x19x7/patches/istio-001-apply_go.patch i/modules/110-istio/images/common-v1x19x7/patches/001-istio-apply_go.patch similarity index 100% rename from modules/110-istio/images/common-v1x19x7/patches/istio-001-apply_go.patch rename to modules/110-istio/images/common-v1x19x7/patches/001-istio-apply_go.patch diff --git c/modules/110-istio/images/common-v1x19x7/patches/kiali-001-node.patch i/modules/110-istio/images/common-v1x19x7/patches/001-kiali-node.patch similarity index 100% rename from modules/110-istio/images/common-v1x19x7/patches/kiali-001-node.patch rename to modules/110-istio/images/common-v1x19x7/patches/001-kiali-node.patch diff --git c/modules/110-istio/images/common-v1x19x7/patches/istio-002-go-mod.patch i/modules/110-istio/images/common-v1x19x7/patches/002-istio-go-mod.patch similarity index 100% rename from modules/110-istio/images/common-v1x19x7/patches/istio-002-go-mod.patch rename to modules/110-istio/images/common-v1x19x7/patches/002-istio-go-mod.patch diff --git c/modules/110-istio/images/common-v1x19x7/patches/kiali-002-go-mod.patch i/modules/110-istio/images/common-v1x19x7/patches/002-kiali-go-mod.patch similarity index 100% rename from modules/110-istio/images/common-v1x19x7/patches/kiali-002-go-mod.patch rename to modules/110-istio/images/common-v1x19x7/patches/002-kiali-go-mod.patch diff --git c/modules/110-istio/images/common-v1x19x7/patches/README.md i/modules/110-istio/images/common-v1x19x7/patches/README.md index d545ac79b0..5ac24412be 100644 --- c/modules/110-istio/images/common-v1x19x7/patches/README.md +++ i/modules/110-istio/images/common-v1x19x7/patches/README.md @@ -1,17 +1,17 @@ # Patches -## istio-001-apply_go.patch +## 001-istio-apply_go.patch Fix Istio Operator healt status -## istio-002-gomod_gosum.patch +## 002-istio-go-mod.patch Fix CVE -## kiali-001-node.patch +## 001-kiali-node.patch Update node version for build frontend -## kiali-002-go-mod.patch +## 002-kiali-go-mod.patch Fix CVE diff --git c/modules/110-istio/images/common-v1x21x6/patches/istio-001-apply_go.patch i/modules/110-istio/images/common-v1x21x6/patches/001-istio-apply_go.patch similarity index 100% rename from modules/110-istio/images/common-v1x21x6/patches/istio-001-apply_go.patch rename to modules/110-istio/images/common-v1x21x6/patches/001-istio-apply_go.patch diff --git c/modules/110-istio/images/common-v1x21x6/patches/kiali-001-go-mod.patch i/modules/110-istio/images/common-v1x21x6/patches/001-kiali-go-mod.patch similarity index 100% rename from modules/110-istio/images/common-v1x21x6/patches/kiali-001-go-mod.patch rename to modules/110-istio/images/common-v1x21x6/patches/001-kiali-go-mod.patch diff --git c/modules/110-istio/images/common-v1x21x6/patches/istio-002-gomod_gosum.patch i/modules/110-istio/images/common-v1x21x6/patches/002-istio-gomod_gosum.patch similarity index 100% rename from modules/110-istio/images/common-v1x21x6/patches/istio-002-gomod_gosum.patch rename to modules/110-istio/images/common-v1x21x6/patches/002-istio-gomod_gosum.patch diff --git c/modules/110-istio/images/common-v1x21x6/patches/istio-003-server_fmtText.patch i/modules/110-istio/images/common-v1x21x6/patches/003-istio-server_fmtText.patch similarity index 100% rename from modules/110-istio/images/common-v1x21x6/patches/istio-003-server_fmtText.patch rename to modules/110-istio/images/common-v1x21x6/patches/003-istio-server_fmtText.patch diff --git c/modules/110-istio/images/common-v1x21x6/patches/README.md i/modules/110-istio/images/common-v1x21x6/patches/README.md index 5c6852a9cd..f8f7192230 100644 --- c/modules/110-istio/images/common-v1x21x6/patches/README.md +++ i/modules/110-istio/images/common-v1x21x6/patches/README.md @@ -1,20 +1,20 @@ # Patches -## istio-001-apply_go.patch +## 001-istio-apply_go.patch Fix Istio Operator healt status -## istio-002-gomod_gosum.patch +## 002-istio-gomod_gosum.patch Fix CVE -## istio-003-server_fmtText.patch +## 003-istio-server_fmtText.patch Fix use expfmt library in pilot-agent. This library used for format metrics. > [!WARNING] > **After update istio to version 1.22.X and above need delete this patch!** -## kiali-001-go-mod.patch +## 001-kiali-go-mod.patch Fix CVE diff --git c/modules/150-user-authn/images/dex/patches/001-go-mod.patch i/modules/150-user-authn/images/dex/patches/001-go-mod.patch index c1360a2d48..2afc8c6ebb 100644 --- c/modules/150-user-authn/images/dex/patches/001-go-mod.patch +++ i/modules/150-user-authn/images/dex/patches/001-go-mod.patch @@ -4,15 +4,15 @@ index 8404620f..c2ab1e8c 100644 +++ w/go.mod @@ -1,6 +1,6 @@ module github.com/dexidp/dex - + -go 1.24 +go 1.23 - + require ( cloud.google.com/go/compute/metadata v0.6.0 @@ -111,5 +111,3 @@ require ( ) - + replace github.com/dexidp/dex/api/v2 => ./api/v2 - -tool entgo.io/ent/cmd/ent diff --git c/modules/150-user-authn/images/dex/patches/002-bytes-and-string-certificates.patch i/modules/150-user-authn/images/dex/patches/002-bytes-and-string-certificates.patch new file mode 100644 index 0000000000..e69de29bb2 diff --git c/modules/150-user-authn/images/dex/patches/003-client-filters.patch i/modules/150-user-authn/images/dex/patches/003-client-filters.patch new file mode 100644 index 0000000000..e69de29bb2 diff --git c/modules/150-user-authn/images/dex/patches/003-gitlab-refresh-context.patch i/modules/150-user-authn/images/dex/patches/003-gitlab-refresh-context.patch index eab66dbaff..e69de29bb2 100644 --- c/modules/150-user-authn/images/dex/patches/003-gitlab-refresh-context.patch +++ i/modules/150-user-authn/images/dex/patches/003-gitlab-refresh-context.patch @@ -1,16 +0,0 @@ -diff --git i/connector/gitlab/gitlab.go w/connector/gitlab/gitlab.go -index 7aa44398..43294fb1 100644 ---- i/connector/gitlab/gitlab.go -+++ w/connector/gitlab/gitlab.go -@@ -190,7 +190,10 @@ func (c *gitlabConnector) identity(ctx context.Context, s connector.Scopes, toke - return identity, nil - } - --func (c *gitlabConnector) Refresh(ctx context.Context, s connector.Scopes, ident connector.Identity) (connector.Identity, error) { -+func (c *gitlabConnector) Refresh(_ context.Context, s connector.Scopes, ident connector.Identity) (connector.Identity, error) { -+ ctx, cancel := context.WithTimeout(context.Background(), 45*time.Second) -+ defer cancel() -+ - var data connectorData - if err := json.Unmarshal(ident.ConnectorData, &data); err != nil { - return ident, fmt.Errorf("gitlab: unmarshal connector data: %v", err) diff --git c/modules/150-user-authn/images/dex/patches/004-fix-offline-session-updates.patch i/modules/150-user-authn/images/dex/patches/004-fix-offline-session-updates.patch new file mode 100644 index 0000000000..e69de29bb2 diff --git c/modules/150-user-authn/images/dex/patches/004-static-user-groups.patch i/modules/150-user-authn/images/dex/patches/004-static-user-groups.patch index 6ce1f48d41..e69de29bb2 100644 --- c/modules/150-user-authn/images/dex/patches/004-static-user-groups.patch +++ i/modules/150-user-authn/images/dex/patches/004-static-user-groups.patch @@ -1,160 +0,0 @@ -diff --git i/cmd/dex/config.go w/cmd/dex/config.go -index aa49a181..527d0754 100644 ---- i/cmd/dex/config.go -+++ w/cmd/dex/config.go -@@ -95,11 +95,12 @@ type password storage.Password - - func (p *password) UnmarshalJSON(b []byte) error { - var data struct { -- Email string `json:"email"` -- Username string `json:"username"` -- UserID string `json:"userID"` -- Hash string `json:"hash"` -- HashFromEnv string `json:"hashFromEnv"` -+ Email string `json:"email"` -+ Username string `json:"username"` -+ UserID string `json:"userID"` -+ Hash string `json:"hash"` -+ HashFromEnv string `json:"hashFromEnv"` -+ Groups []string `json:"groups"` - } - if err := json.Unmarshal(b, &data); err != nil { - return err -@@ -108,6 +109,7 @@ func (p *password) UnmarshalJSON(b []byte) error { - Email: data.Email, - Username: data.Username, - UserID: data.UserID, -+ Groups: data.Groups, - }) - if len(data.Hash) == 0 && len(data.HashFromEnv) > 0 { - data.Hash = os.Getenv(data.HashFromEnv) -diff --git i/server/server.go w/server/server.go -index 8c046296..72f68510 100644 ---- i/server/server.go -+++ w/server/server.go -@@ -555,6 +555,7 @@ func (db passwordDB) Login(ctx context.Context, s connector.Scopes, email, passw - Username: p.Username, - Email: p.Email, - EmailVerified: true, -+ Groups: p.Groups, - }, true, nil - } - -@@ -579,6 +580,7 @@ func (db passwordDB) Refresh(ctx context.Context, s connector.Scopes, identity c - // No other fields are expected to be refreshable as email is effectively used - // as an ID and this implementation doesn't deal with groups. - identity.Username = p.Username -+ identity.Groups = p.Groups - - return identity, nil - } -diff --git i/storage/kubernetes/types.go w/storage/kubernetes/types.go -index c126ddc0..38c910b5 100644 ---- i/storage/kubernetes/types.go -+++ w/storage/kubernetes/types.go -@@ -431,9 +431,10 @@ type Password struct { - // This field is IMMUTABLE. Do not change. - Email string `json:"email,omitempty"` - -- Hash []byte `json:"hash,omitempty"` -- Username string `json:"username,omitempty"` -- UserID string `json:"userID,omitempty"` -+ Hash []byte `json:"hash,omitempty"` -+ Username string `json:"username,omitempty"` -+ UserID string `json:"userID,omitempty"` -+ Groups []string `json:"groups,omitempty"` - } - - // PasswordList is a list of Passwords. -@@ -458,6 +459,7 @@ func (cli *client) fromStoragePassword(p storage.Password) Password { - Hash: p.Hash, - Username: p.Username, - UserID: p.UserID, -+ Groups: p.Groups, - } - } - -@@ -467,6 +469,7 @@ func toStoragePassword(p Password) storage.Password { - Hash: p.Hash, - Username: p.Username, - UserID: p.UserID, -+ Groups: p.Groups, - } - } - -diff --git i/storage/sql/crud.go w/storage/sql/crud.go -index a9ca3816..10a737b8 100644 ---- i/storage/sql/crud.go -+++ w/storage/sql/crud.go -@@ -598,13 +598,13 @@ func (c *conn) CreatePassword(ctx context.Context, p storage.Password) error { - p.Email = strings.ToLower(p.Email) - _, err := c.Exec(` - insert into password ( -- email, hash, username, user_id -+ email, hash, username, user_id, groups - ) - values ( -- $1, $2, $3, $4 -+ $1, $2, $3, $4, $5 - ); - `, -- p.Email, p.Hash, p.Username, p.UserID, -+ p.Email, p.Hash, p.Username, p.UserID, encoder(p.Groups), - ) - if err != nil { - if c.alreadyExistsCheck(err) { -@@ -629,10 +629,10 @@ func (c *conn) UpdatePassword(ctx context.Context, email string, updater func(p - _, err = tx.Exec(` - update password - set -- hash = $1, username = $2, user_id = $3 -- where email = $4; -+ hash = $1, username = $2, user_id = $3, groups = $4 -+ where email = $5; - `, -- np.Hash, np.Username, np.UserID, p.Email, -+ np.Hash, np.Username, np.UserID, encoder(p.Groups), p.Email, - ) - if err != nil { - return fmt.Errorf("update password: %v", err) -@@ -648,7 +648,7 @@ func (c *conn) GetPassword(ctx context.Context, email string) (storage.Password, - func getPassword(ctx context.Context, q querier, email string) (p storage.Password, err error) { - return scanPassword(q.QueryRow(` - select -- email, hash, username, user_id -+ email, hash, username, user_id, groups - from password where email = $1; - `, strings.ToLower(email))) - } -@@ -656,7 +656,7 @@ func getPassword(ctx context.Context, q querier, email string) (p storage.Passwo - func (c *conn) ListPasswords(ctx context.Context) ([]storage.Password, error) { - rows, err := c.Query(` - select -- email, hash, username, user_id -+ email, hash, username, user_id, groups - from password; - `) - if err != nil { -@@ -680,7 +680,7 @@ func (c *conn) ListPasswords(ctx context.Context) ([]storage.Password, error) { - - func scanPassword(s scanner) (p storage.Password, err error) { - err = s.Scan( -- &p.Email, &p.Hash, &p.Username, &p.UserID, -+ &p.Email, &p.Hash, &p.Username, &p.UserID, decoder(&p.Groups), - ) - if err != nil { - if err == sql.ErrNoRows { -diff --git i/storage/storage.go w/storage/storage.go -index 574b0a5a..fb93d027 100644 ---- i/storage/storage.go -+++ w/storage/storage.go -@@ -354,6 +354,9 @@ type Password struct { - - // Randomly generated user ID. This is NOT the primary ID of the Password object. - UserID string `json:"userID"` -+ -+ // Groups assigned to the user -+ Groups []string `json:"groups"` - } - - // Connector is an object that contains the metadata about connectors used to login to Dex. diff --git c/modules/150-user-authn/images/dex/patches/005-gitlab-refresh-context.patch i/modules/150-user-authn/images/dex/patches/005-gitlab-refresh-context.patch new file mode 100644 index 0000000000..e69de29bb2 diff --git c/modules/150-user-authn/images/dex/patches/006-static-user-groups.patch i/modules/150-user-authn/images/dex/patches/006-static-user-groups.patch new file mode 100644 index 0000000000..e69de29bb2 diff --git c/modules/150-user-authn/images/dex/patches/README.md i/modules/150-user-authn/images/dex/patches/README.md index 61e9d10acc..7789ba5325 100644 --- c/modules/150-user-authn/images/dex/patches/README.md +++ i/modules/150-user-authn/images/dex/patches/README.md @@ -20,3 +20,15 @@ To avoid this, this patch makes refresh requests to declare and utilize their ow ### 004-static-user-groups.patch Adding group entity to kubernetes authentication. + +### 005-gitlab-refresh-context.patch + +Refresh can be called only one. By propagating a context of the user request, refresh can accidentally canceled. + +To avoid this, this patch makes refresh requests to declare and utilize their own contexts. + +### 006-static-user-groups.patch + +Allows setting groups for the `User` kind. It makes convenient authenticating as user alongside having another IdP. + +This problem is not solved in upstream, and our patch will not be accepted. diff --git c/modules/150-user-authn/images/kubeconfig-generator/patches/deps.patch i/modules/150-user-authn/images/kubeconfig-generator/patches/001-deps.patch similarity index 100% rename from modules/150-user-authn/images/kubeconfig-generator/patches/deps.patch rename to modules/150-user-authn/images/kubeconfig-generator/patches/001-deps.patch diff --git c/modules/150-user-authn/images/kubeconfig-generator/patches/already_logged.patch i/modules/150-user-authn/images/kubeconfig-generator/patches/002-already_logged.patch similarity index 100% rename from modules/150-user-authn/images/kubeconfig-generator/patches/already_logged.patch rename to modules/150-user-authn/images/kubeconfig-generator/patches/002-already_logged.patch diff --git c/modules/150-user-authn/images/kubeconfig-generator/patches/README.md i/modules/150-user-authn/images/kubeconfig-generator/patches/README.md new file mode 100644 index 0000000000..928fc233a1 --- /dev/null +++ i/modules/150-user-authn/images/kubeconfig-generator/patches/README.md @@ -0,0 +1,9 @@ +# Patches + +## 001-deps.patch + +Update dependencies + +## 002-already_logged.patch + +patch diff --git c/modules/200-operator-prometheus/images/prometheus-operator/patches/001_endpointslices.patch i/modules/200-operator-prometheus/images/prometheus-operator/patches/001-endpointslices.patch similarity index 100% rename from modules/200-operator-prometheus/images/prometheus-operator/patches/001_endpointslices.patch rename to modules/200-operator-prometheus/images/prometheus-operator/patches/001-endpointslices.patch diff --git c/modules/200-operator-prometheus/images/prometheus-operator/patches/002_endpointslices_fallback.patch i/modules/200-operator-prometheus/images/prometheus-operator/patches/002-endpointslices_fallback.patch similarity index 100% rename from modules/200-operator-prometheus/images/prometheus-operator/patches/002_endpointslices_fallback.patch rename to modules/200-operator-prometheus/images/prometheus-operator/patches/002-endpointslices_fallback.patch diff --git c/modules/200-operator-prometheus/images/prometheus-operator/patches/003_alertmanager_tls_assets.patch i/modules/200-operator-prometheus/images/prometheus-operator/patches/003-alertmanager_tls_assets.patch similarity index 100% rename from modules/200-operator-prometheus/images/prometheus-operator/patches/003_alertmanager_tls_assets.patch rename to modules/200-operator-prometheus/images/prometheus-operator/patches/003-alertmanager_tls_assets.patch diff --git c/modules/200-operator-prometheus/images/prometheus-operator/patches/004_fix_cve.patch i/modules/200-operator-prometheus/images/prometheus-operator/patches/004-fix_cve.patch similarity index 100% rename from modules/200-operator-prometheus/images/prometheus-operator/patches/004_fix_cve.patch rename to modules/200-operator-prometheus/images/prometheus-operator/patches/004-fix_cve.patch diff --git c/modules/200-operator-prometheus/images/prometheus-operator/patches/README.md i/modules/200-operator-prometheus/images/prometheus-operator/patches/README.md index bc32a6e0ee..0eac3b80b2 100644 --- c/modules/200-operator-prometheus/images/prometheus-operator/patches/README.md +++ i/modules/200-operator-prometheus/images/prometheus-operator/patches/README.md @@ -1,7 +1,7 @@ # Patches +## 001-endpointslices.patch -### 001-endpointslices EndpointSlices support for ServiceMonitor in the prometheus-operator is disabled by default. We enable it by checking EndpointSlice API in a Kubernetes cluster. It's enabled from version 1.21 so it should work always. Also add Alertmanager support via EndpointSlice. @@ -9,8 +9,8 @@ Upstream has 2 issues, why it's not enabled by default: - https://github.com/prometheus-operator/prometheus-operator/pull/5291 - https://github.com/prometheus-operator/prometheus-operator/issues/3862#issuecomment-1068260430 +## 002-endpointslices_fallback.patch -### 002-endpointslices_fallback Client ServiceMonitors could have labels based on `__meta_kubernetes_endpoints_` metric. So, we add labels mapping from `__meta_kubernetes_endpointslice_XXX` to `__meta_kubernetes_endpoints_XXX` and fire an alert for those ServiceMonitors @@ -29,11 +29,11 @@ __meta_kubernetes_endpoint_address_target_kind - __meta_kubernetes_endpointslice __meta_kubernetes_endpoint_address_target_name - __meta_kubernetes_endpointslice_address_target_name ``` -### 003_alertmanager_tls_assets +## 003-alertmanager_tls_assets.patch + Prometheus operator does not save TLS assets for alertmanager Webhook and Email recievers in the secret which mounted in alert manager pod. This patch fix it. - -### 004_fix_cve +## 004-fix_cve.patch Fixes several CVEs. diff --git c/modules/300-prometheus/images/alertmanager/patches/README.md i/modules/300-prometheus/images/alertmanager/patches/README.md new file mode 100644 index 0000000000..18d6d247bc --- /dev/null +++ i/modules/300-prometheus/images/alertmanager/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependencies diff --git c/modules/300-prometheus/images/grafana-v10/patches/security.patch i/modules/300-prometheus/images/grafana-v10/patches/001-security.patch similarity index 100% rename from modules/300-prometheus/images/grafana-v10/patches/security.patch rename to modules/300-prometheus/images/grafana-v10/patches/001-security.patch diff --git c/modules/300-prometheus/images/grafana-v10/patches/README.md i/modules/300-prometheus/images/grafana-v10/patches/README.md new file mode 100644 index 0000000000..b88718a2ef --- /dev/null +++ i/modules/300-prometheus/images/grafana-v10/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-security.patch + +Update dependencies diff --git c/modules/300-prometheus/images/memcached/patches/README.md i/modules/300-prometheus/images/memcached/patches/README.md new file mode 100644 index 0000000000..2d27c27690 --- /dev/null +++ i/modules/300-prometheus/images/memcached/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependensies diff --git c/modules/300-prometheus/images/mimir/patches/0001-Update-golang.org-x-net-v0.32.0-v0.33.0.patch i/modules/300-prometheus/images/mimir/patches/001-Update-golang.org-x-net-v0.32.0-v0.33.0.patch similarity index 100% rename from modules/300-prometheus/images/mimir/patches/0001-Update-golang.org-x-net-v0.32.0-v0.33.0.patch rename to modules/300-prometheus/images/mimir/patches/001-Update-golang.org-x-net-v0.32.0-v0.33.0.patch diff --git c/modules/300-prometheus/images/mimir/patches/README.md i/modules/300-prometheus/images/mimir/patches/README.md index c667ce4a4c..5aea8376d3 100644 --- c/modules/300-prometheus/images/mimir/patches/README.md +++ i/modules/300-prometheus/images/mimir/patches/README.md @@ -1,5 +1,5 @@ # Patches -## 001-Update-golang.org-x-net-v0.32.0-v.33.0.patch +## 001-Update-golang.org-x-net-v0.32.0-v0.33.0.patch Updates net package to fix CVE-2024-45338 diff --git c/modules/300-prometheus/images/prometheus/patches/sample_limit_annotation.patch i/modules/300-prometheus/images/prometheus/patches/001-sample_limit_annotation.patch similarity index 100% rename from modules/300-prometheus/images/prometheus/patches/sample_limit_annotation.patch rename to modules/300-prometheus/images/prometheus/patches/001-sample_limit_annotation.patch diff --git c/modules/300-prometheus/images/prometheus/patches/successfully_sent_metric.patch i/modules/300-prometheus/images/prometheus/patches/002-successfully_sent_metric.patch similarity index 100% rename from modules/300-prometheus/images/prometheus/patches/successfully_sent_metric.patch rename to modules/300-prometheus/images/prometheus/patches/002-successfully_sent_metric.patch diff --git c/modules/300-prometheus/images/prometheus/patches/fix-cve.patch i/modules/300-prometheus/images/prometheus/patches/003-fix-cve.patch similarity index 100% rename from modules/300-prometheus/images/prometheus/patches/fix-cve.patch rename to modules/300-prometheus/images/prometheus/patches/003-fix-cve.patch diff --git c/modules/300-prometheus/images/prometheus/patches/README.md i/modules/300-prometheus/images/prometheus/patches/README.md index 9390667cd5..126f75867e 100644 --- c/modules/300-prometheus/images/prometheus/patches/README.md +++ i/modules/300-prometheus/images/prometheus/patches/README.md @@ -1,6 +1,6 @@ ## Patches -### Sample limit annotation +### 001-sample_limit_annotation.patch Limit the number of metrics which Prometheus scrapes from a target. @@ -10,7 +10,10 @@ metadata: prometheus.deckhouse.io/sample-limit: "5000" ``` -### Successfully sent metric +### 002-successfully_sent_metric.patch Exports gauge metric with the count of successfully sent alerts. +### 003-fix-cve.patch + +Update dependencies diff --git c/modules/300-prometheus/images/promxy/patches/0001-update-crypto-net-cve.patch i/modules/300-prometheus/images/promxy/patches/001-update-crypto-net-cve.patch similarity index 100% rename from modules/300-prometheus/images/promxy/patches/0001-update-crypto-net-cve.patch rename to modules/300-prometheus/images/promxy/patches/001-update-crypto-net-cve.patch diff --git c/modules/300-prometheus/images/promxy/patches/README.md i/modules/300-prometheus/images/promxy/patches/README.md index 29bc016534..b79367a4e6 100644 --- c/modules/300-prometheus/images/promxy/patches/README.md +++ i/modules/300-prometheus/images/promxy/patches/README.md @@ -1,5 +1,5 @@ # Patches -## 0001 Update crypto/net packages +## 001-update-crypto-net-cve.patch Updates crypto/net packages to fix CVEs in them. diff --git c/modules/300-prometheus/images/trickster/patches/README.md i/modules/300-prometheus/images/trickster/patches/README.md new file mode 100644 index 0000000000..ab29e40894 --- /dev/null +++ i/modules/300-prometheus/images/trickster/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +## 001-fix-cve.patch + +Update dependencies diff --git c/modules/301-prometheus-metrics-adapter/images/k8s-prometheus-adapter/patches/README.md i/modules/301-prometheus-metrics-adapter/images/k8s-prometheus-adapter/patches/README.md new file mode 100644 index 0000000000..18d6d247bc --- /dev/null +++ i/modules/301-prometheus-metrics-adapter/images/k8s-prometheus-adapter/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependencies diff --git c/modules/302-vertical-pod-autoscaler/images/vertical-pod-autoscaler/patches/README.md i/modules/302-vertical-pod-autoscaler/images/vertical-pod-autoscaler/patches/README.md new file mode 100644 index 0000000000..a755b8291a --- /dev/null +++ i/modules/302-vertical-pod-autoscaler/images/vertical-pod-autoscaler/patches/README.md @@ -0,0 +1,13 @@ +# Patches + +## 001-go-mod.patch + +Update dependencies + +## 002-openkruise-daemonset-apiversion.patch + +TODO + +## 003-recommender.patch + +TODO diff --git c/modules/303-prometheus-pushgateway/images/pushgateway/patches/001_fix_cve.patch i/modules/303-prometheus-pushgateway/images/pushgateway/patches/001-fix_cve.patch similarity index 100% rename from modules/303-prometheus-pushgateway/images/pushgateway/patches/001_fix_cve.patch rename to modules/303-prometheus-pushgateway/images/pushgateway/patches/001-fix_cve.patch diff --git c/modules/303-prometheus-pushgateway/images/pushgateway/patches/README.md i/modules/303-prometheus-pushgateway/images/pushgateway/patches/README.md index 5c9337ae67..ba9724430c 100644 --- c/modules/303-prometheus-pushgateway/images/pushgateway/patches/README.md +++ i/modules/303-prometheus-pushgateway/images/pushgateway/patches/README.md @@ -1,6 +1,6 @@ # Patches -### 001_fix_cve +## 001-fix_cve.patch Fixes several CVEs. @@ -11,5 +11,3 @@ go get google.golang.org/[email protected] go mod tidy git diff ``` - -` diff --git c/modules/340-extended-monitoring/images/events-exporter/patches/README.md i/modules/340-extended-monitoring/images/events-exporter/patches/README.md new file mode 100644 index 0000000000..18d6d247bc --- /dev/null +++ i/modules/340-extended-monitoring/images/events-exporter/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-fix-cve.patch + +Update dependencies diff --git c/modules/340-monitoring-kubernetes/images/ebpf-exporter/patches/go-mod.patch i/modules/340-monitoring-kubernetes/images/ebpf-exporter/patches/001-go-mod.patch similarity index 100% rename from modules/340-monitoring-kubernetes/images/ebpf-exporter/patches/go-mod.patch rename to modules/340-monitoring-kubernetes/images/ebpf-exporter/patches/001-go-mod.patch diff --git c/modules/340-monitoring-kubernetes/images/ebpf-exporter/patches/README.md i/modules/340-monitoring-kubernetes/images/ebpf-exporter/patches/README.md new file mode 100644 index 0000000000..0b849756e5 --- /dev/null +++ i/modules/340-monitoring-kubernetes/images/ebpf-exporter/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-go-mod.patch + +Update dependencies diff --git c/modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/001-go-mod.patch i/modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/001-go-mod.patch new file mode 100644 index 0000000000..e69de29bb2 diff --git c/modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/002-fix-kube_pod_tolerations-deduplicate.patch i/modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/002-fix-kube_pod_tolerations-deduplicate.patch new file mode 100644 index 0000000000..e69de29bb2 diff --git c/modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/README.md i/modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/README.md new file mode 100644 index 0000000000..c98ef992c5 --- /dev/null +++ i/modules/340-monitoring-kubernetes/images/kube-state-metrics/patches/README.md @@ -0,0 +1,9 @@ +## Patches + +### 001-go-mod.patch + +Fix CVEs + +### 002-fix-kube_pod_tolerations-deduplicate.patch + +Fixes issues related to duplicated [samples](https://github.com/kubernetes/kube-state-metrics/issues/2390). Must be removed after [fix](https://github.com/kubernetes/kube-state-metrics/pull/2559/files) lands into release version. diff --git c/modules/340-monitoring-kubernetes/images/node-exporter/patches/go-mod.patch i/modules/340-monitoring-kubernetes/images/node-exporter/patches/001-go-mod.patch similarity index 100% rename from modules/340-monitoring-kubernetes/images/node-exporter/patches/go-mod.patch rename to modules/340-monitoring-kubernetes/images/node-exporter/patches/001-go-mod.patch diff --git c/modules/340-monitoring-kubernetes/images/node-exporter/patches/README.md i/modules/340-monitoring-kubernetes/images/node-exporter/patches/README.md new file mode 100644 index 0000000000..0b849756e5 --- /dev/null +++ i/modules/340-monitoring-kubernetes/images/node-exporter/patches/README.md @@ -0,0 +1,5 @@ +## Patches + +### 001-go-mod.patch + +Update dependencies diff --git c/modules/400-descheduler/images/descheduler/patches/README.md i/modules/400-descheduler/images/descheduler/patches/README.md index 58ef5ab7c5..98c3dfd124 100644 --- c/modules/400-descheduler/images/descheduler/patches/README.md +++ i/modules/400-descheduler/images/descheduler/patches/README.md @@ -1,9 +1,13 @@ # Patches -## 001-pod-namespace-selector +## 001-go-mod.patch -Adds support of the namespaceSelector in DefaultEvictor plugin. +Update dependencies -## 002-filter-pods-in-deckhouse-namespaces +## 002-filter-pods-in-deckhouse-namespaces.patch This patch removes pods in `d8-` and `kube-system` namespaces from processing. + +## 003-pod-namespace-selector.patch + +Adds support of the namespaceSelector in DefaultEvictor plugin. diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/01-gomod.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/001-gomod.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/01-gomod.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/001-gomod.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/healthcheck.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/002-healthcheck.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/healthcheck.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/002-healthcheck.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/nginx-tmpl.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/003-nginx-tmpl.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/nginx-tmpl.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/003-nginx-tmpl.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/lua-info.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/004-lua-info.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/lua-info.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/004-lua-info.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/makefile.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/005-makefile.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/makefile.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/005-makefile.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/metrics-SetSSLExpireTime.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/006-metrics-SetSSLExpireTime.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/metrics-SetSSLExpireTime.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/006-metrics-SetSSLExpireTime.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/auth-cookie-always.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/007-auth-cookie-always.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/auth-cookie-always.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/007-auth-cookie-always.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/util.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/008-util.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/util.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/008-util.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/fix-cleanup.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/009-fix-cleanup.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/fix-cleanup.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/009-fix-cleanup.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/nginx-build.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/010-nginx-build.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/nginx-build.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/010-nginx-build.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/add-http3.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/011-add-http3.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/add-http3.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/011-add-http3.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/new-metrics.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/012-new-metrics.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/new-metrics.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/012-new-metrics.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/default-backend-fix.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/013-default-backend-fix.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/default-backend-fix.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/013-default-backend-fix.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/balancer-lua.patch i/modules/402-ingress-nginx/images/controller-1-10/patches/014-balancer-lua.patch similarity index 100% rename from modules/402-ingress-nginx/images/controller-1-10/patches/balancer-lua.patch rename to modules/402-ingress-nginx/images/controller-1-10/patches/014-balancer-lua.patch diff --git c/modules/402-ingress-nginx/images/controller-1-10/patches/README.md i/modules/402-ingress-nginx/images/controller-1-10/patches/README.md index d97261d047..7af9635666 100644 --- c/modules/402-ingress-nginx/images/controller-1-10/patches/README.md +++ i/modules/402-ingress-nginx/images/controller-1-10/patches/README.md @@ -1,11 +1,11 @@ ## Patches -### gomod +### 001-gomod.patch Go mod patches for ingress-nginx-controller Collected with -### Healthcheck +### 002-healthcheck.patch After catching SIGTERM, ingress stops responding to the readiness probe. The combination of this patch and the `EndpointSliceTerminatingCondition` feature gate for kube-proxy helps us avoid @@ -15,7 +15,7 @@ Update: for external load balancers it's advisable to get 5xx if a SIGTERM was s Backport of the behavior of the later versions of ingress nginx controller. The `sleep` is needed to gracefully shut down ingress controllers behind a cloud load balancer. -### Nginx TPL +### 003-nginx-tmpl.patch * Enable our metrics collector instead of the default one. * Enable pcre_jit. @@ -26,54 +26,58 @@ The `sleep` is needed to gracefully shut down ingress controllers behind a cloud We do not intend to make a PR to the upstream with these changes, because there are only our custom features. -### Ingress information +### 004-lua-info.patch There are two patches to fix the problem with ingress names in logs and metrics. Unfortunately, the PR was declined in the upstream. https://github.com/kubernetes/ingress-nginx/pull/4367 -### Makefile +### 005-makefile.patch Run the build locally, not inside the container. -### metrics SetSSLExpireTime +### 006-metrics-SetSSLExpireTime.patch Fixes namespace which is given by metric nginx_ingress_controller_ssl_expire_time_seconds. https://github.com/kubernetes/ingress-nginx/pull/10274 -### Always set auth cookie +### 007-auth-cookie-always.patch Without always option toggled, ingress-nginx does not set the cookie in case if backend returns >=400 code, which may lead to dex refresh token invalidation. Annotation `nginx.ingress.kubernetes.io/auth-always-set-cookie` does not work. Anyway, we can't use it, because we need this behavior for all ingresses. https://github.com/kubernetes/ingress-nginx/pull/8213 -### Util patch +### 008-util.patch Adds "-e /dev/null" flags to the "nginx -t" invocations so that "nginx -t" logs aren't got saved to /var/log/nginx/error.log file, preventing fs bloating. -### Fix cleanup +### 009-fix-cleanup.patch Fix tmpDir path for the cleanup procedure. https://github.com/kubernetes/ingress-nginx/pull/10797 -### …
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request Motivation
The cert-manager has the ability to set the owner reference field in generated secrets. We can enable this option globally by setting the
--enable-certificate-owner-refcli flag.We want to configure it in more detail, at the certificate level. So we add a new field to the certificate CRD,
cleanupPolicy.When this field is set to
Delete, the owner reference is always created on the Secret resource and the secret will be automatically removed when the certificate resource is deleted.When this field is set to
Never, the owner reference is never created on the Secret resource and the secret will not be automatically removed when the certificate resource is deleted.Also, we add cli flag
--default-secret-cleanup-policyto set default policy for certificates if certificate CRD fieldcleanupPolicyis not set.--enable-certificate-owner-refcli flag is declared as deprecated but takes precedence over--default-secret-cleanup-policyfor backward compatibility.This option is useful if the cluster contains both prod environments, where secrets should not be deleted, and development environments, where secrets should be deleted all the time.
Kind
Release Note