diff --git a/Dockerfile b/Dockerfile
index 313a3081..790690cb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -58,7 +58,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 -o manager ${package}
 # Production image
-FROM gcr.io/
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
 # Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
diff --git a/pkg/ck8s/workload_cluster.go b/pkg/ck8s/workload_cluster.go
index 1933f591..31ac57e4 100644
--- a/pkg/ck8s/workload_cluster.go
+++ b/pkg/ck8s/workload_cluster.go
@@ -193,7 +193,7 @@ func (w *Workload) GetK8sdProxyForControlPlane(ctx context.Context, options k8sd
 continue
 }
- proxy, err := w.K8sdClientGenerator.forNode(ctx, &node)
+ proxy, err := w.K8sdClientGenerator.forNode(ctx, &node) // #nosec G601
 if err != nil {
 continue
 }
diff --git a/pkg/ck8s/workload_cluster_k8sd.go b/pkg/ck8s/workload_cluster_k8sd.go
index af58e4b3..8b0b312d 100644
--- a/pkg/ck8s/workload_cluster_k8sd.go
+++ b/pkg/ck8s/workload_cluster_k8sd.go
@@ -8,12 +8,13 @@ import (
 "net/http"
 "time"
- "github.com/canonical/cluster-api-k8s/pkg/proxy"
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
+
+ "github.com/canonical/cluster-api-k8s/pkg/proxy"
 )
 type K8sdClient struct {
@@ -40,15 +41,6 @@ func NewK8sdClientGenerator(restConfig *rest.Config, proxyClientTimeout time.Dur
 }, nil
 }
-func (g *k8sdClientGenerator) forNodeName(ctx context.Context, nodeName string) (*K8sdClient, error) {
- node, err := g.clientset.CoreV1().Nodes().Get(ctx, nodeName, metav1.GetOptions{})
- if err != nil {
- return nil, errors.Wrap(err, "unable to get node in target cluster")
- }
-
- return g.forNode(ctx, node)
- }
-
 func (g *k8sdClientGenerator) forNode(ctx context.Context, node *corev1.Node) (*K8sdClient, error) {
 podmap, err := g.getProxyPods(ctx)
 if err != nil {
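Review bot: The new base image `FROM gcr.io/distroless/static:nonroot` is referenced by a mutable tag, so the production image can change underneath a rebuild without any change in this repository and the build is not reproducible. Pinning by digest, `FROM gcr.io/distroless/static:nonroot@sha256:<DIGEST-PLACEHOLDER>`, fixes the image identity and makes base-image bumps explicit, reviewable commits; a trailing comment naming the tag the digest was resolved from keeps it readable. The comment on the last context line refers to a numeric USER instruction that presumably sits below the hunk, which stays consistent with the nonroot variant.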
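Review bot: The `// #nosec G601` added to the `forNode(ctx, &node)` call silences the implicit-aliasing finding without stating why taking the address of the range variable is safe; the enclosing loop and `GetK8sdProxyForControlPlane` begin outside the hunk, so whether `forNode` retains the pointer past the iteration cannot be confirmed from this view. If the module targets Go 1.22 or later the loop variable is per-iteration and the suppression is correct but should say so, e.g. `// #nosec G601 -- range var is per-iteration (go >= 1.22)`; otherwise shadowing with `node := node` before the call, or ranging by index, removes the aliasing instead of hiding it. Either way the rationale belongs on the line so the next scanner run does not reopen the question.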
@@ -121,7 +113,7 @@ func (g *k8sdClientGenerator) NewHTTPClient(ctx context.Context, podName string)
 ExpectContinueTimeout: http.DefaultTransport.(*http.Transport).ExpectContinueTimeout,
 // TODO: Workaround for now, address later on
 // get the certificate fingerprint from the matching node through a resource in the cluster (TBD), and validate it in the TLSClientConfig
- TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec G402
 },
 Timeout: g.proxyClientTimeout,
 }, nil
diff --git a/test/e2e/cluster_upgrade.go b/test/e2e/cluster_upgrade.go
index 790dc649..0a9ce02b 100644
--- a/test/e2e/cluster_upgrade.go
+++ b/test/e2e/cluster_upgrade.go
@@ -27,10 +27,8 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
- corev1 "k8s.io/api/core/v1"
 "k8s.io/utils/ptr"
-
 "sigs.k8s.io/cluster-api/test/framework"
 "sigs.k8s.io/cluster-api/test/framework/clusterctl"
 "sigs.k8s.io/cluster-api/util"
diff --git a/test/e2e/common.go b/test/e2e/common.go
index 6e8668e4..ced12240 100644
--- a/test/e2e/common.go
+++ b/test/e2e/common.go
@@ -25,7 +25,6 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
- corev1 "k8s.io/api/core/v1"
 clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 "sigs.k8s.io/cluster-api/test/framework"
diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go
index 10707f0a..81dd2b8f 100644
--- a/test/e2e/create_test.go
+++ b/test/e2e/create_test.go
@@ -26,10 +26,8 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
- corev1 "k8s.io/api/core/v1"
 "k8s.io/utils/pointer"
-
 "sigs.k8s.io/cluster-api/test/framework/clusterctl"
 "sigs.k8s.io/cluster-api/util"
 )
diff --git a/test/e2e/data/infrastructure-docker/cluster-template-kcp-remediation.yaml b/test/e2e/data/infrastructure-docker/cluster-template-kcp-remediation.yaml
index 99497a09..fee3ad57 100644
--- a/test/e2e/data/infrastructure-docker/cluster-template-kcp-remediation.yaml
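Review bot: Adding `// #nosec G402` to `TLSClientConfig: &tls.Config{InsecureSkipVerify: true}` suppresses the scanner finding without narrowing the risk the TODO above it already records: the proxy client accepts any certificate from the k8sd endpoint, so nothing on the server side is authenticated. The suppression should at least carry the justification and a tracking reference so it is not mistaken for a reviewed exception, e.g. `// #nosec G402 -- k8sd cert fingerprint is not yet published in-cluster; tracked in <ISSUE-PLACEHOLDER>`. Once the fingerprint resource described in the TODO exists, a `VerifyPeerCertificate` callback that compares the presented leaf against it restores server authentication while `InsecureSkipVerify` remains set only to bypass chain validation. NewHTTPClient starts outside the hunk.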
+++ b/test/e2e/data/infrastructure-docker/cluster-template-kcp-remediation.yaml
@@ -40,6 +40,10 @@ spec:
 replicas: ${CONTROL_PLANE_MACHINE_COUNT}
 version: ${KUBERNETES_VERSION}
 spec:
+ airGapped: true
+ controlPlane:
+ extraKubeAPIServerArgs:
+ --anonymous-auth: "true"
 files:
 - path: /wait-signal.sh
 content: |
diff --git a/test/e2e/data/infrastructure-docker/cluster-template-md-remediation.yaml b/test/e2e/data/infrastructure-docker/cluster-template-md-remediation.yaml
index 0a7c2245..e2895a31 100644
--- a/test/e2e/data/infrastructure-docker/cluster-template-md-remediation.yaml
+++ b/test/e2e/data/infrastructure-docker/cluster-template-md-remediation.yaml
@@ -40,6 +40,11 @@ spec:
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerMachineTemplate
 name: ${CLUSTER_NAME}-control-plane
+ spec:
+ airGapped: true
+ controlPlane:
+ extraKubeAPIServerArgs:
+ --anonymous-auth: "true"
 replicas: ${CONTROL_PLANE_MACHINE_COUNT}
 version: ${KUBERNETES_VERSION}
 ---
diff --git a/test/e2e/e2e_suite_test.go b/test/e2e/e2e_suite_test.go
index b702308f..9dd78e93 100644
--- a/test/e2e/e2e_suite_test.go
+++ b/test/e2e/e2e_suite_test.go
@@ -33,17 +33,16 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/klog/v2"
- ctrl "sigs.k8s.io/controller-runtime"
-
 clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 "sigs.k8s.io/cluster-api/test/framework"
 "sigs.k8s.io/cluster-api/test/framework/bootstrap"
 "sigs.k8s.io/cluster-api/test/framework/clusterctl"
 "sigs.k8s.io/cluster-api/test/framework/ginkgoextensions"
+ dockerinfrav1 "sigs.k8s.io/cluster-api/test/infrastructure/docker/api/v1beta1"
+ ctrl "sigs.k8s.io/controller-runtime"
 bootstrapv1 "github.com/canonical/cluster-api-k8s/bootstrap/api/v1beta2"
 controlplanev1 "github.com/canonical/cluster-api-k8s/controlplane/api/v1beta2"
- dockerinfrav1 "sigs.k8s.io/cluster-api/test/infrastructure/docker/api/v1beta1"
 )
 // Test suite flags.
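Review bot: The added `--anonymous-auth: "true"` under `extraKubeAPIServerArgs` turns on unauthenticated requests to the test control plane's kube-apiserver, and nothing in the template records why the remediation scenario needs it; the identical block is added in cluster-template-md-remediation.yaml. A YAML comment above the line, e.g. `# test-only: anonymous auth is presumably needed by the remediation flow -- confirm before reuse; never copy into non-test templates`, would keep the setting from being cargo-culted into production manifests. `airGapped: true` is likewise undocumented in both templates and deserves the same one-line why. Indentation is not visible in this view, so the nesting of the added keys under the control-plane `spec:` cannot be confirmed from the hunk.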
diff --git a/test/e2e/helpers.go b/test/e2e/helpers.go
index 442c246c..24e8dec1 100644
--- a/test/e2e/helpers.go
+++ b/test/e2e/helpers.go
@@ -27,18 +27,17 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 "github.com/pkg/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/klog/v2"
-
+ clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+ expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
 "sigs.k8s.io/cluster-api/test/framework"
 "sigs.k8s.io/cluster-api/test/framework/clusterctl"
 "sigs.k8s.io/cluster-api/util/patch"
 "sigs.k8s.io/controller-runtime/pkg/client"
 controlplanev1 "github.com/canonical/cluster-api-k8s/controlplane/api/v1beta2"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/sets"
- clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
- expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
 )
 // NOTE: the code in this file is largely copied from the cluster-api test framework.
diff --git a/test/e2e/md_remediation_test.go b/test/e2e/md_remediation_test.go
index ebe06d61..9b2c9d4f 100644
--- a/test/e2e/md_remediation_test.go
+++ b/test/e2e/md_remediation_test.go
@@ -26,10 +26,8 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
- corev1 "k8s.io/api/core/v1"
 "k8s.io/utils/pointer"
-
 "sigs.k8s.io/cluster-api/test/framework"
 "sigs.k8s.io/cluster-api/test/framework/clusterctl"
 "sigs.k8s.io/cluster-api/util"
diff --git a/test/e2e/node_scale_test.go b/test/e2e/node_scale_test.go
index 8de028b1..7845c891 100644
--- a/test/e2e/node_scale_test.go
+++ b/test/e2e/node_scale_test.go
@@ -26,10 +26,8 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
- corev1 "k8s.io/api/core/v1"
 "k8s.io/utils/pointer"
-
 "sigs.k8s.io/cluster-api/test/framework/clusterctl"
 "sigs.k8s.io/cluster-api/util"
 )