From b4f3f72eb0b182bb4ab3e9d7854962c5b52fc575 Mon Sep 17 00:00:00 2001
From: "Lubomir I. Ivanov"
Date: Wed, 3 Mar 2021 01:53:43 +0200
Subject: [PATCH 1/3] test/e2e/manifests: use go 1.16
---
 tests/e2e/manifests/verify_manifest_lists.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/e2e/manifests/verify_manifest_lists.sh b/tests/e2e/manifests/verify_manifest_lists.sh
index 12d5174d..4253d8ea 100755
--- a/tests/e2e/manifests/verify_manifest_lists.sh
+++ b/tests/e2e/manifests/verify_manifest_lists.sh
@@ -22,7 +22,7 @@ fi
 # install go if missing
 if ! `go version > /dev/null`; then
- curl https://dl.google.com/go/go1.13.8.linux-amd64.tar.gz -o /tmp/go.tar.gz
+ curl https://golang.org/dl/go1.16.linux-amd64.tar.gz -o /tmp/go.tar.gz
 tar -C /usr/local -xzf /tmp/go.tar.gz
 export PATH="$PATH":/usr/local/go/bin
 rm /tmp/go.tar.gz
@@ -42,6 +42,9 @@ cd "$LPATH"
 # use go modules. this forces using the latest k8s.io/apimachinery package.
 go mod init verify-manifest-lists
+# add module requirements and sums (required in go 1.16)
+go mod tidy
+
 # run unit tests
 go test -v ./verify_manifest_lists.go ./verify_manifest_lists_test.go
From 44de5f728e39b44a580ba8aec1e62c73bb685243 Mon Sep 17 00:00:00 2001
From: "Lubomir I. Ivanov"
Date: Wed, 3 Mar 2021 01:53:26 +0200
Subject: [PATCH 2/3] test/e2e/manifests: remove testing for kube-dns

kube-dns support in kubeadm was deprecated since 1.18 and is being removed in 1.21.
---
 tests/e2e/manifests/verify_manifest_lists.go | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/tests/e2e/manifests/verify_manifest_lists.go b/tests/e2e/manifests/verify_manifest_lists.go
index 7a87bdbe..30766fc7 100644
--- a/tests/e2e/manifests/verify_manifest_lists.go
+++ b/tests/e2e/manifests/verify_manifest_lists.go
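Review bot: The new `curl` line in the `install go if missing` hunk of verify_manifest_lists.sh downloads a toolchain that the next line unpacks into /usr/local, yet it has no integrity check and passes neither `-f` nor `-L`. golang.org/dl URLs are normally answered with a redirect to the download host, so without `-L` the saved file may be the redirect body rather than the tarball, and without `-f` an HTTP error page would be written to /tmp/go.tar.gz just the same. I would change the line to `curl -fsSL https://golang.org/dl/go1.16.linux-amd64.tar.gz -o /tmp/go.tar.gz` and add `echo "<GO1_16_LINUX_AMD64_SHA256>  /tmp/go.tar.gz" | sha256sum -c -` before the `tar` call, with the placeholder replaced by the checksum published on the Go downloads page. The enclosing `if` block is closed outside the hunk.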
@@ -297,10 +297,6 @@ func getImageVersions(ver *version.Version, images map[string]string) error {
 images["kube-proxy"] = k8sVersionV
 images["etcd"] = ""
 images["pause"] = ""
- // TODO(neolit123): kube-dns is being deprecated eventually [*].
- images["k8s-dns-kube-dns"] = ""
- images["k8s-dns-sidecar"] = ""
- images["k8s-dns-dnsmasq-nanny"] = ""
 // images outside the scope of kubeadm, but still using the k8s version
@@ -343,13 +339,6 @@ func getImageVersions(ver *version.Version, images map[string]string) error {
 line = strings.Split(line, "PauseVersion = ")[1]
 line = strings.Replace(line, `"`, "", -1)
 images["pause"] = line
- } else if strings.Contains(line, "KubeDNSVersion = ") { // [*]
- line = strings.TrimSpace(line)
- line = strings.Split(line, "KubeDNSVersion = ")[1]
- line = strings.Replace(line, `"`, "", -1)
- images["k8s-dns-kube-dns"] = line
- images["k8s-dns-sidecar"] = line
- images["k8s-dns-dnsmasq-nanny"] = line
 }
 }
 // hardcode the tag for pause as older k8s branches lack a constant.
@@ -358,7 +347,7 @@ func getImageVersions(ver *version.Version, images map[string]string) error {
 }
 // verify.
 fmt.Printf("* getImageVersions(): [%s] %#v\n", ver.String(), images)
- if images[coreDNSPath] == "" || images["etcd"] == "" || images["k8s-dns-kube-dns"] == "" { // [*]
+ if images[coreDNSPath] == "" || images["etcd"] == "" {
 return fmt.Errorf("at least one image version could not be set: %#v", images)
 }
 return nil
From 916dfe6ad8a482da58103eaffe5198ec95d438e5 Mon Sep 17 00:00:00 2001
From: "Lubomir I. Ivanov"
Date: Wed, 3 Mar 2021 02:16:44 +0200
Subject: [PATCH 3/3] test/e2e/manifests: verify the architecture in image config blobs
---
 tests/e2e/manifests/verify_manifest_lists.go | 25 ++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/tests/e2e/manifests/verify_manifest_lists.go b/tests/e2e/manifests/verify_manifest_lists.go
index 30766fc7..3819dcf5 100644
--- a/tests/e2e/manifests/verify_manifest_lists.go
+++ b/tests/e2e/manifests/verify_manifest_lists.go
@@ -109,6 +109,10 @@ var (
 // bellow are some types as per the docker specs.
+type archContents struct {
+ Architecture string `json:"architecture"`
+}
+
 type imageLayer struct {
 MediaType string `json:"mediaType"`
 Size int `json:"size"`
@@ -354,11 +358,11 @@ func getImageVersions(ver *version.Version, images map[string]string) error {
 }
 // verify an image manifest and it's layers.
-func verifyArchImage(imageName, archImage string) error {
+func verifyArchImage(arch, imageName, archImage string) error {
 // parse the arch image.
 image := manifestImage{}
 if err := json.Unmarshal([]byte(archImage), &image); err != nil {
- return err
+ return fmt.Errorf("could not unmarshal arch image: %v", err)
 }
 if image.MediaType != typeManifest {
@@ -371,7 +375,7 @@ func verifyArchImage(imageName, archImage string) error {
 return fmt.Errorf("no layers for image %#v", image)
 }
- // verify config.
+ // download the config blob.
 if image.Config.Digest == "" {
 return fmt.Errorf("empty digest for image config: %#v", image.Config)
 }
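Review bot: The comment above `verifyArchImage` in the `@@ -354,11 +358,11 @@` hunk still reads "verify an image manifest and it's layers." and says nothing about the new leading `arch` parameter, which now sits beside two other plain strings and is easy to transpose at a call site. I would replace it with `// verifyArchImage verifies an image manifest, its config blob and its layers; arch is the architecture expected in the config blob.` The function body continues past the end of this hunk, so the wording should be checked against the rest of it.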
@@ -380,11 +384,24 @@ func verifyArchImage(imageName, archImage string) error {
 if err != nil {
 return fmt.Errorf("cannot download image blob for digest %q: %v", image.Config.Digest, err)
 }
+
+ // verify the blob size.
 sz := len(configBlob)
 if image.Config.Size != sz {
 return fmt.Errorf("config size and image blob size differ for digest %q; wanted: %d, got: %d", image.Config.Digest, image.Config.Size, sz)
 }
+ // verify the architecture in the config blob
+ contents := archContents{}
+ if err := json.Unmarshal([]byte(configBlob), &contents); err != nil {
+ return fmt.Errorf("could not unmarshal config blob contents: %v", err)
+ }
+ if contents.Architecture != arch {
+ // TODO(neolit123): consider making this an error at some point
+ // https://github.com/kubernetes/kubernetes/issues/98908
+ fmt.Printf("WARNING: in config digest %s: found architecture %q, expected %q\n", image.Config.Digest, contents.Architecture, arch)
+ }
+
 // verify layers.
 for i, layer := range image.Layers {
 // only support the type defined in `typeLayer`?
@@ -487,7 +504,7 @@ func verifyManifestList(manifest, imageName, tag string) error {
 }
 // verify the arch image.
- err = verifyArchImage(imageName, archImageSrc)
+ err = verifyArchImage(m.Platform.Architecture, imageName, archImageSrc)
 if err != nil {
 return err
 }
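Review bot: The config blob is parsed for its `architecture` field in the `@@ -380,11 +384,24 @@` hunk after only a length check, so nothing visible here confirms that the bytes actually hash to `image.Config.Digest`. If the download helper (outside this hunk) does not already verify the digest, different content of the same size would pass the size check, and the architecture being compared would come from unverified data. I would compare the blob's SHA-256 with the digest before unmarshalling, as sketched below; this assumes the usual `sha256:<hex>` digest form and needs `crypto/sha256` and `encoding/hex` in the file's imports. verifyArchImage starts and ends outside the hunk.

```go
	// verify the blob size.
	// … unchanged: size comparison against image.Config.Size …

	// verify that the blob content matches its digest before trusting its fields.
	sum := sha256.Sum256([]byte(configBlob))
	gotDigest := "sha256:" + hex.EncodeToString(sum[:])
	if gotDigest != image.Config.Digest {
		return fmt.Errorf("config blob digest mismatch; wanted: %q, got: %q", image.Config.Digest, gotDigest)
	}

	// verify the architecture in the config blob
```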