Merge branch 'main' into integration-remove-unused-pytest-mark

.licenserc.yaml

@@ -19,6 +19,7 @@ header:
       - 'charms/worker/k8s/lib/charms/k8s/**'
     paths-ignore:
       - 'charms/worker/k8s/lib/charms/**'
+      - 'tests/integration/data/*.tar.gz'
       - '.github/**'
       - '**/.gitkeep'
       - '**/*.cfg'

SECURITY.md

@@ -0,0 +1,15 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+To report a security issue, please follow the steps below:
+
+Using GitHub, file a [Private Security Report](https://github.com/canonical/k8s-operator/security/advisories/new) with:
+- A description of the issue
+- Steps to reproduce the issue
+- Affected versions of the `k8s-operator` package
+- Any known mitigations for the issue
+
+The [Ubuntu Security disclosure and embargo policy](https://ubuntu.com/security/disclosure-policy) contains more information about what to expect during this process and our requirements for responsible disclosure.
+
+Thank you for contributing to the security and integrity of the `k8s-operator`!

charms/worker/build-snap-installation.sh

@@ -0,0 +1 @@
+k8s/build-snap-installation.sh

charms/worker/charmcraft.yaml

@@ -57,9 +57,10 @@ bases:
     - name: ubuntu
       channel: "24.04"
       architectures: [arm64]
+
 config:
   options:
-    labels:
+    node-labels:
       default: ""
       type: string
       description: |
@@ -68,6 +69,22 @@ config:
         
         Note: Due to NodeRestriction, workers are limited to how they can label themselves
         https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction
+
+resources:
+  snap-installation:
+    type: file
+    filename: snap-installation.tar.gz
+    description: |
+      Override charm defined snap installation script
+
+      This charm is designed to operate with a specific revision of snaps, overriding 
+      with anything will indicate that the charm is running an unsupported configuration.
+
+      Content Options:
+      0-byte resource (Default) -- Use the charm defined snap installation script
+      ./snap-installation.yaml  -- Overrides the charm defined snap-installation.yaml
+      ./k8s_XXXX.snap           -- Overrides the charm with a specific snap file installed dangerously
+
 parts:
   charm:
     plugin: charm
@@ -97,6 +114,7 @@ peers:
 provides:
   cos-agent:
     interface: cos_agent
+
 requires:
   aws:
     interface: aws-integration

charms/worker/k8s/build-snap-installation.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2024 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+# Create an empty tarball to be used as a placeholder for the snap installation override
+echo "Creating empty tarball at $1"
+touch "${1}"

charms/worker/k8s/charmcraft.yaml

@@ -81,7 +81,59 @@ config:
 
         Example:
           e.g.: key1=value1 key2=value2
-    containerd_custom_registries:
+    bootstrap-datastore:
+      default: dqlite
+      type: string
+      description: |
+        The datastore to use in Canonical Kubernetes. This cannot be changed
+        after deployment. Allowed values are "dqlite" and "etcd". If "etcd" is
+        chosen, the charm should be integrated with the etcd charm.
+    bootstrap-node-taints:
+      type: string
+      default: ""
+      description: |
+        Space-separated list of taints to apply to this node at registration time.
+
+        This config is only used at bootstrap time when Kubelet first registers the
+        node with Kubernetes. To change node taints after deploy time, use kubectl
+        instead.
+
+        For more information, see the upstream Kubernetes documentation about
+        taints:
+        https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+    bootstrap-pod-cidr:
+      type: string
+      default: "10.1.0.0/16"
+      description: |
+        Comma-separated CIDR blocks for IP addresses that can be assigned
+        to pods within the cluster. Can contain at most 2 blocks, one for IPv4
+        and one for IPv6.
+
+        After deployment it is not possible to change the size of
+        the IP range.
+
+        Examples:
+          - "192.0.2.0/24"
+          - "2001:db8::/32"
+          - "192.0.2.0/24,2001:db8::/32"
+          - "2001:db8::/32,192.0.2.0/24"
+    bootstrap-service-cidr:
+      type: string
+      default: 10.152.183.0/24
+      description: |
+        Comma-separated CIDR blocks for IP addresses that can be assigned
+        to services within the cluster. Can contain at most 2 blocks, one for IPv4
+        and one for IPv6.
+
+        After deployment it is not possible to change the size of
+        the IP range.
+
+        Examples:
+          - "192.0.2.0/24"
+          - "2001:db8::/32"
+          - "192.0.2.0/24,2001:db8::/32"
+          - "2001:db8::/32,192.0.2.0/24"
+    containerd-custom-registries:
       type: string
       default: "[]"
       description: |
@@ -127,40 +179,85 @@ config:
             "cert_file": "'"$(base64 -w 0 < ~/my.custom.cert.pem)"'",
             "key_file": "'"$(base64 -w 0 < ~/my.custom.key.pem)"'",
         }]'
-
-    datastore:
-      default: dqlite
+    dns-enabled:
+      type: boolean
+      default: true
+      description: |
+        Enable/Disable the DNS feature on the cluster.
+    dns-cluster-domain:
       type: string
+      default: "cluster.local"
       description: |
-        The datastore to use in Canonical Kubernetes. This cannot be changed
-        after deployment. Allowed values are "dqlite" and "etcd". If "etcd" is
-        chosen, the charm should be integrated with the etcd charm.
-    labels:
+        Sets the local domain of the cluster
+    dns-service-ip:
+      type: string
       default: ""
+      description: |
+        Sets the IP address of the dns service. If omitted defaults to the IP address
+        of the Kubernetes service created by the feature.
+        
+        Can be used to point to an external dns server when feature is disabled.
+    dns-upstream-nameservers:
       type: string
+      default: ""
       description: |
-        Labels can be used to organize and to select subsets of nodes in the
-        cluster. Declare node labels in key=value format, separated by spaces.
-    register-with-taints:
+        Space-separated list of upstream nameservers used to forward queries for out-of-cluster
+        endpoints.
+        
+        If omitted defaults to `/etc/resolv.conf` and uses the nameservers on each node.
+    gateway-enabled:
+      type: boolean
+      default: false
+      description: |
+        Enable/Disable the gateway feature on the cluster.
+    load-balancer-enabled:
+      type: boolean
+      default: false
+      description: |
+        Enable/Disable the load balancer feature on the cluster.
+    load-balancer-cidrs:
       type: string
       default: ""
       description: |
-        Space-separated list of taints to apply to this node at registration time.
-
-        This config is only used at deploy time when Kubelet first registers the
-        node with Kubernetes. To change node taints after deploy time, use kubectl
-        instead.
-
-        For more information, see the upstream Kubernetes documentation about
-        taints:
-        https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
-    service-cidr:
+        Space-separated list of CIDRs to use for the load balancer. This is
+        only used if load-balancer-enabled is set to true.
+    load-balancer-l2-mode:
+      type: boolean
+      default: false
+      description: |
+        Enable/Disable L2 mode for the load balancer. This is only used if
+        load-balancer-enabled is set to true.
+    load-balancer-l2-interfaces:
       type: string
-      default: 10.152.183.0/24
+      default: ""
+      description: |
+        Space-separated list of interfaces to use for the load balancer. This
+        is only used if load-balancer-l2-mode is set to true. if unset, all
+        interfaces will be used.
+    load-balancer-bgp-mode:
+      type: boolean
+      default: false
+      description: |
+        Enable/Disable BGP mode for the load balancer. This is only used if
+        load-balancer-enabled is set to true.
+    load-balancer-bgp-local-asn:
+      type: int
+      default: 64512
+      description: |
+        Local ASN for the load balancer. This is only used if load-balancer-bgp-mode
+        is set to true.
+    load-balancer-bgp-peer-address:
+      type: string
+      default: ""
+      description: |
+        Address of the BGP peer for the load balancer. This is only used if
+        load-balancer-bgp-mode is set to true.
+    load-balancer-bgp-peer-port:
+      type: int
+      default: 179
       description: |
-        CIDR to use for Kubernetes services. After deployment it is
-        only possible to increase the size of the IP range. It is not possible to
-        change or shrink the address range after deployment.
+        Port of the BGP peer for the load balancer. This is only used if
+        load-balancer-bgp-mode is set to true.
     local-storage-enabled:
       type: boolean
       default: true
@@ -184,11 +281,47 @@ config:
         "Retain". If set to "Delete", the storage will be deleted when the
         PersistentVolumeClaim is deleted. If set to "Retain", the storage will
         be retained when the PersistentVolumeClaim is deleted.
-    gateway-enabled:
+    metrics-server-enabled:
+      type: boolean
+      default: true
+      description: |
+        Enable/Disable the metrics-server feature on the cluster.
+    network-enabled:
+      type: boolean
+      default: true
+      description: |
+        Enables or disables the network feature.
+    ingress-enabled:
       type: boolean
       default: false
       description: |
-        Enable/Disable the gateway feature on the cluster.
+        Determines if the ingress feature should be enabled.
+    ingress-enable-proxy-protocol:
+      type: boolean
+      default: false
+      description: |
+        Determines if the proxy protocol should be enabled for ingresses.
+    node-labels:
+      default: ""
+      type: string
+      description: |
+        Labels can be used to organize and to select subsets of nodes in the
+        cluster. Declare node labels in key=value format, separated by spaces.      
+
+resources:
+  snap-installation:
+    type: file
+    filename: snap-installation.tar.gz
+    description: |
+      Override charm defined snap installation script
+
+      This charm is designed to operate with a specific revision of snaps, overriding 
+      with anything will indicate that the charm is running an unsupported configuration.
+
+      Content Options:
+      0-byte resource (Default) -- Use the charm defined snap installation script
+      ./snap-installation.yaml  -- Overrides the charm defined snap-installation.yaml
+      ./k8s_XXXX.snap           -- Overrides the charm with a specific snap file installed dangerously
 
 actions:
   get-kubeconfig:

charms/worker/k8s/lib/charms/k8s/v0/k8sd_api_manager.py

@@ -230,9 +230,9 @@ class LoadBalancerConfig(BaseModel, allow_population_by_field_name=True):
     Attributes:
         enabled: Optional flag which represents the status of LoadBalancer.
         cidrs: List of CIDR blocks for the load balancer.
-        l2_enabled: Optional flag to enable or disable layer 2 functionality.
+        l2_mode: Optional flag to enable or disable layer 2 mode.
         l2_interfaces: List of layer 2 interfaces for the load balancer.
-        bgp_enabled: Optional flag to enable or disable BGP.
+        bgp_mode: Optional flag to enable or disable BGP.
         bgp_local_asn: The local ASN for BGP configuration.
         bgp_peer_address: The peer address for BGP configuration.
         bgp_peer_asn: The peer ASN for BGP configuration.
@@ -241,9 +241,9 @@ class LoadBalancerConfig(BaseModel, allow_population_by_field_name=True):
 
     enabled: Optional[bool] = Field(default=None)
     cidrs: Optional[List[str]] = Field(default=None)
-    l2_enabled: Optional[bool] = Field(default=None, alias="l2-enabled")
+    l2_mode: Optional[bool] = Field(default=None, alias="l2-mode")
     l2_interfaces: Optional[List[str]] = Field(default=None, alias="l2-interfaces")
-    bgp_enabled: Optional[bool] = Field(default=None, alias="bgp-enabled")
+    bgp_mode: Optional[bool] = Field(default=None, alias="bgp-mode")
     bgp_local_asn: Optional[int] = Field(default=None, alias="bgp-local-asn")
     bgp_peer_address: Optional[str] = Field(default=None, alias="bgp-peer-address")
     bgp_peer_asn: Optional[int] = Field(default=None, alias="bgp-peer-asn")

charms/worker/k8s/requirements.txt

@@ -1,12 +1,12 @@
 charm-lib-contextual-status @ git+https://github.com/charmed-kubernetes/charm-lib-contextual-status@255dd4a23defc16dcdac832306e5f460a0f1200c
 charm-lib-interface-external-cloud-provider @ git+https://github.com/charmed-kubernetes/charm-lib-interface-external-cloud-provider@e1c5fc69e98100a7d43c0ad5a7969bba1ecbcd40
-charm-lib-node-base @ git+https://github.com/charmed-kubernetes/layer-kubernetes-node-base@9b212854e768f13c26cc907bed51444e97e51b50#subdirectory=ops
+charm-lib-node-base @ git+https://github.com/charmed-kubernetes/layer-kubernetes-node-base@a14d685237302711113ac651920476437b3b9785#subdirectory=ops
 charm-lib-reconciler @ git+https://github.com/charmed-kubernetes/charm-lib-reconciler@f818cc30d1a22be43ffdfecf7fbd9c3fd2967502
 ops-interface-kube-control @ git+https://github.com/charmed-kubernetes/interface-kube-control.git@main#subdirectory=ops
 ops.interface_aws @ git+https://github.com/charmed-kubernetes/interface-aws-integration@main#subdirectory=ops
 ops.interface_gcp @ git+https://github.com/charmed-kubernetes/interface-gcp-integration@main#subdirectory=ops
 ops.interface_azure @ git+https://github.com/charmed-kubernetes/interface-azure-integration@main#subdirectory=ops
-cosl==0.0.42
+cosl==0.0.43
 ops==2.17.0
 pydantic==1.10.19
 PyYAML==6.0.2