Merge branch 'master' into fix5712

kumahq · Jan 20, 2023 · cc1191e · cc1191e
2 parents 9fe8665 + 11015dc
commit cc1191e
Show file tree

Hide file tree

Showing 8 changed files with 100 additions and 64 deletions.
diff --git a/.github/workflows/update-insecure-dependencies.yaml b/.github/workflows/update-insecure-dependencies.yaml
@@ -4,9 +4,12 @@ on:
   workflow_dispatch: { }
   schedule:
     - cron: 0 8 * * *
+env:
+  IGNORE_PACKAGES: "github.com/aws/aws-sdk-go"
 jobs:
   update-insecure-dependencies:
     strategy:
+      fail-fast: false
       matrix:
         branch:
           - "release-2.0"
@@ -43,7 +46,7 @@ jobs:
       - name: "Update dependencies"
         id: update
         run: |
-          osv-scanner --lockfile=go.mod --json | jq '.results[].packages[].package.name' | xargs -I {} go get -u {}
+          osv-scanner --lockfile=go.mod --json | jq '.results[].packages[].package.name' | grep -Ev ${{ env.IGNORE_PACKAGES }} | xargs -I {} go get -u {}
           go mod tidy
       - name: "Prepare commit body - after"
         id: prepare_commit_body_after
@@ -66,6 +69,8 @@ jobs:
 
             After update:
             ${{ env.SCAN_OUTPUT_AFTER }}
+            
+            If a package is showing up in the scan but the script is not trying to update it then it might be in env.IGNORE_PACKAGES regex
           delete-branch: true
           title: "chore(deps): security update"
           draft: false

diff --git a/mk/generate.mk b/mk/generate.mk
@@ -8,6 +8,10 @@ POLICY_GEN := go run -mod=mod $(TOOLS_DIR)/policy-gen/generator/main.go
 GENERATE_TARGET ?= clean/proto generate/api protoc/pkg/config/app/kumactl/v1alpha1 protoc/plugins resources/type generate/policies
 GO_MODULE ?= github.com/kumahq/kuma
 
+HELM_VALUES_FILE ?= "deployments/charts/kuma/values.yaml"
+HELM_CRD_DIR ?= "deployments/charts/kuma/crds/"
+HELM_VALUES_FILE_POLICY_PATH ?= ".plugins.policies"
+
 .PHONY: clean/proto
 clean/proto: ## Dev: Remove auto-generated Protobuf files
 	find $(PROTO_DIRS) -name '*.pb.go' -delete
@@ -38,7 +42,8 @@ policies = $(foreach dir,$(shell find pkg/plugins/policies -maxdepth 1 -mindepth
 generate_policy_targets = $(addprefix generate/policy/,$(policies))
 cleanup_policy_targets = $(addprefix cleanup/policy/,$(policies))
 
-generate/policies: cleanup/crds cleanup/policies generate/deep-copy/common $(generate_policy_targets) generate/policy-import generate/policy-helm generate/builtin-crds generate/fix-embed
+GENERATE_POLICIES_TARGET ?= cleanup/crds cleanup/policies generate/deep-copy/common $(generate_policy_targets) generate/policy-import generate/policy-helm generate/builtin-crds generate/fix-embed
+generate/policies: $(GENERATE_POLICIES_TARGET)
 
 cleanup/crds:
 	rm -f ./deployments/charts/kuma/crds/*
@@ -65,10 +70,10 @@ generate/schema/%: generate/controller-gen/%
 	done
 
 generate/policy-import:
-	$(TOOLS_DIR)/policy-gen/generate-policy-import.sh $(policies)
+	$(TOOLS_DIR)/policy-gen/generate-policy-import.sh $(GO_MODULE) $(policies)
 
 generate/policy-helm:
-	PATH=$(CI_TOOLS_BIN_DIR):$$PATH $(TOOLS_DIR)/policy-gen/generate-policy-helm.sh $(policies)
+	PATH=$(CI_TOOLS_BIN_DIR):$$PATH $(TOOLS_DIR)/policy-gen/generate-policy-helm.sh $(HELM_VALUES_FILE) $(HELM_CRD_DIR) $(HELM_VALUES_FILE_POLICY_PATH) $(policies)
 
 generate/controller-gen/%: generate/kumapolicy-gen/%
 	for version in $(foreach dir,$(wildcard $(POLICIES_DIR)/$*/api/*),$(notdir $(dir))); do \

diff --git a/pkg/core/xds/merge.go b/pkg/core/xds/merge.go
@@ -189,6 +189,12 @@ func clearAppendSlices(val reflect.Value) {
 			if valField.Elem().Kind() == reflect.Struct {
 				clearAppendSlices(valField)
 			}
+			if valField.Elem().Kind() == reflect.Slice {
+				mergeByKey := strings.Contains(field.Tag.Get(policyMergeTag), mergeValuesByKey)
+				if strings.HasPrefix(field.Name, appendSlicesPrefix) || mergeByKey {
+					valField.Elem().Set(reflect.Zero(valField.Elem().Type()))
+				}
+			}
 		}
 	}
 }
@@ -218,6 +224,13 @@ func appendSlices(dst reflect.Value, src reflect.Value) {
 			if dstField.Elem().Kind() == reflect.Struct {
 				appendSlices(dstField, srcField)
 			}
+			if dstField.Elem().Kind() == reflect.Slice {
+				mergeByKey := strings.Contains(field.Tag.Get(policyMergeTag), mergeValuesByKey)
+				if strings.HasPrefix(field.Name, appendSlicesPrefix) || mergeByKey {
+					s := reflect.AppendSlice(dstField.Elem(), srcField.Elem())
+					dstField.Elem().Set(s)
+				}
+			}
 		}
 	}
 }

diff --git a/pkg/core/xds/merge_test.go b/pkg/core/xds/merge_test.go
@@ -14,11 +14,12 @@ var _ = Describe("MergeConfs", func() {
 		AppendInts []int
 	}
 	type policy struct {
-		FieldString   string `json:"fieldString,omitempty"`
-		Strings       []string
-		AppendStrings []string
-		Sub           subPolicy
-		SubPtr        *subPolicy `json:"subPtr,omitempty"`
+		FieldString            string `json:"fieldString,omitempty"`
+		Strings                []string
+		AppendStrings          []string
+		AppendPointerToStrings *[]string
+		Sub                    subPolicy
+		SubPtr                 *subPolicy `json:"subPtr,omitempty"`
 	}
 
 	type testCase struct {
@@ -44,9 +45,10 @@ var _ = Describe("MergeConfs", func() {
 		Entry("should replace slices by default but append slices that start with append", testCase{
 			policies: []policy{
 				{
-					FieldString:   "p1",
-					Strings:       []string{"p1"},
-					AppendStrings: []string{"p1"},
+					FieldString:            "p1",
+					Strings:                []string{"p1"},
+					AppendStrings:          []string{"p1"},
+					AppendPointerToStrings: &[]string{"p1"},
 					Sub: subPolicy{
 						Ints:       []int{1},
 						AppendInts: []int{1},
@@ -57,9 +59,10 @@ var _ = Describe("MergeConfs", func() {
 					},
 				},
 				{
-					FieldString:   "p2",
-					Strings:       []string{"p2"},
-					AppendStrings: []string{"p2"},
+					FieldString:            "p2",
+					Strings:                []string{"p2"},
+					AppendStrings:          []string{"p2"},
+					AppendPointerToStrings: &[]string{"p2"},
 					Sub: subPolicy{
 						Ints:       []int{2},
 						AppendInts: []int{2},
@@ -70,8 +73,9 @@ var _ = Describe("MergeConfs", func() {
 					},
 				},
 				{
-					Strings:       []string{"p3"},
-					AppendStrings: []string{"p3"},
+					Strings:                []string{"p3"},
+					AppendStrings:          []string{"p3"},
+					AppendPointerToStrings: &[]string{"p3"},
 					Sub: subPolicy{
 						Ints:       []int{3},
 						AppendInts: []int{3},
@@ -83,9 +87,10 @@ var _ = Describe("MergeConfs", func() {
 				},
 			},
 			expected: policy{
-				FieldString:   "p2",
-				Strings:       []string{"p3"},
-				AppendStrings: []string{"p1", "p2", "p3"},
+				FieldString:            "p2",
+				Strings:                []string{"p3"},
+				AppendStrings:          []string{"p1", "p2", "p3"},
+				AppendPointerToStrings: &[]string{"p1", "p2", "p3"},
 				Sub: subPolicy{
 					Ints:       []int{3},
 					AppendInts: []int{1, 2, 3},

diff --git a/test/e2e/cni/old_cni_race_condition.go b/test/e2e/cni/old_cni_race_condition.go
@@ -5,32 +5,22 @@ import (
 	"strings"
 	"time"
 
+	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/gruntwork-io/terratest/modules/random"
-	"github.com/gruntwork-io/terratest/modules/retry"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
 	"github.com/kumahq/kuma/pkg/config/core"
+	util_k8s "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/util"
 	. "github.com/kumahq/kuma/test/framework"
 	"github.com/kumahq/kuma/test/framework/deployments/testserver"
 )
 
 func AppDeploymentWithCniAndNoTaintController() {
-	defaultMesh := `
-apiVersion: kuma.io/v1alpha1
-kind: Mesh
-metadata:
-  name: default
-`
-
 	var cluster Cluster
 	var k8sCluster *K8sCluster
-	nodeName := fmt.Sprintf(
-		"second-%s",
-		strings.ToLower(random.UniqueId()),
-	)
 
-	var setup = func() {
+	BeforeEach(func() {
 		k8sCluster = NewK8sCluster(NewTestingT(), Kuma1, Silent)
 		cluster = k8sCluster.
 			WithTimeout(6 * time.Second).
@@ -45,49 +35,53 @@ metadata:
 			Install(Kuma(core.Standalone,
 				WithInstallationMode(HelmInstallationMode),
 				WithHelmReleaseName(releaseName),
-				WithSkipDefaultMesh(true), // it's common case for HELM deployments that Mesh is also managed by HELM therefore it's not created by default
-				WithHelmOpt("cni.delayStartupSeconds", "40"),
+				WithHelmOpt("cni.delayStartupSeconds", "40000"),
 				WithHelmOpt("experimental.cni", "false"),
 				WithCNI(),
 			)).
-			Install(YamlK8s(defaultMesh)).
 			Setup(cluster)
 		// here we could patch the "command" of the CNI, kubectl patch ...
 		Expect(err).ToNot(HaveOccurred())
-	}
+	})
 
 	E2EAfterEach(func() {
 		Expect(cluster.DeleteNamespace(TestNamespace)).To(Succeed())
 		Expect(cluster.DeleteKuma()).To(Succeed())
 		Expect(cluster.DismissCluster()).To(Succeed())
-		Expect(k8sCluster.DeleteNode("k3d-" + nodeName + "-0")).To(Succeed())
 	})
 
 	It(
 		"is susceptible to the race condition",
 		func() {
-			setup()
+			// given a non-healthy CNI
 
-			// k3s1 v1.19.16 hangs if the name is the same in the previous test
-			err := k8sCluster.CreateNode(nodeName, "second=true")
-			Expect(err).ToNot(HaveOccurred())
+			// when test server is deployed without working CNI
+			err := NewClusterSetup().
+				Install(NamespaceWithSidecarInjection(TestNamespace)).
+				Install(testserver.Install(testserver.WithoutWaitingToBeReady())).
+				Setup(cluster)
 
-			err = k8sCluster.LoadImages("kuma-dp", "kuma-universal")
+			// then
+			Expect(err).ShouldNot(HaveOccurred())
+			podName, err := PodNameOfApp(k8sCluster, "test-server", TestNamespace)
 			Expect(err).ToNot(HaveOccurred())
 
-			err = NewClusterSetup().
-				Install(NamespaceWithSidecarInjection(TestNamespace)).
-				Install(testserver.Install(func(opts *testserver.DeploymentOpts) {
-					opts.NodeSelector = map[string]string{
-						"second": "true",
-					}
-				})).
-				Setup(cluster)
+			// and DP received config
+			Eventually(func(g Gomega) {
+				received, err := DataplaneReceivedConfig(k8sCluster, "default", fmt.Sprintf("%s.%s", podName, TestNamespace))
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(received).To(BeTrue())
+			}, "30s", "1s").Should(Succeed())
+
+			// and test-server container in the pod is unhealthy (probe fail without iptables rules applied)
+			Consistently(func(g Gomega) {
+				pod, err := k8s.GetPodE(cluster.GetTesting(), cluster.GetKubectlOptions(TestNamespace), podName)
 
-			// test-server probe will fail without iptables rules applied
-			Expect(err).Should(HaveOccurred())
-			_, errorIsOfTypeMaxRetriesExceeded := err.(retry.MaxRetriesExceeded)
-			Expect(errorIsOfTypeMaxRetriesExceeded).To(Equal(true))
+				g.Expect(err).ToNot(HaveOccurred())
+				status := util_k8s.FindContainerStatus(pod, "test-server")
+				g.Expect(status).ToNot(BeNil())
+				g.Expect(status.Ready).To(BeFalse())
+			}, "10s", "1s").Should(Succeed())
 		},
 	)
 }
diff --git a/test/framework/dataplane.go b/test/framework/dataplane.go
@@ -16,3 +16,11 @@ func IsDataplaneOnline(cluster Cluster, mesh, name string) (bool, bool, error) {
 	}
 	return false, false, nil
 }
+
+func DataplaneReceivedConfig(cluster Cluster, mesh, name string) (bool, error) {
+	out, err := cluster.GetKumactlOptions().RunKumactlAndGetOutput("inspect", "dataplanes", "--mesh", mesh, "-o", "yaml", name)
+	if err != nil {
+		return false, err
+	}
+	return strings.Contains(out, `responsesAcknowledged`), nil
+}
diff --git a/tools/policy-gen/generate-policy-helm.sh b/tools/policy-gen/generate-policy-helm.sh
@@ -4,12 +4,13 @@ set -o pipefail
 set -o nounset
 set -x
 
-HELM_VALUES_FILE="deployments/charts/kuma/values.yaml"
-HELM_CRD_DIR="deployments/charts/kuma/crds/"
+HELM_VALUES_FILE=$1
+HELM_CRD_DIR=$2
+VALUES_FILE_POLICY_PATH=$3
 
 policies=""
 
-for policy in "$@"; do
+for policy in "${@:4}"; do
 
   policy_dir="pkg/plugins/policies/${policy}"
   policy_crd_dir="${policy_dir}/k8s/crd"
@@ -31,16 +32,19 @@ for policy in "$@"; do
 
   plural=$(yq e '.spec.names.plural' "${policy_crd_file}")
 
-  policies="${policies}${policies:+, }\"${plural}\": {}"
+  policies=${policies}$plural" "
 
 done
 
 # yq_patch preserves indentation and blank lines of the original file
 function yq_patch() {
-  yq '.' "$2" > "$2.noblank"
-  yq eval "$1" "$2" | diff -B "$2.noblank" - | patch -f --no-backup-if-mismatch "$2" -
+  cat "$2" > "$2.noblank"
+  yq eval "$1" "$2" | diff -w -B "$2.noblank" - | patch -f --no-backup-if-mismatch "$2" -
   rm "$2.noblank"
 }
 
-yq_patch '.plugins.policies = {}' "${HELM_VALUES_FILE}"
-yq_patch '.plugins.policies = { '"${policies}"' }' "${HELM_VALUES_FILE}"
+yq_patch "${VALUES_FILE_POLICY_PATH}"' = {}' "${HELM_VALUES_FILE}"
+
+for policy in $policies; do
+  yq_patch "${VALUES_FILE_POLICY_PATH}.${policy}"' = {}' "${HELM_VALUES_FILE}"
+done
diff --git a/tools/policy-gen/generate-policy-import.sh b/tools/policy-gen/generate-policy-import.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
 
+GO_MODULE=$1
+
 IMPORTS_FILE="pkg/plugins/policies/imports.go"
 
-imports=$(for i in "$@"; do [[ -f pkg/plugins/policies/${i}/zz_generated.plugin.go ]] && echo "_ \"github.com/kumahq/kuma/pkg/plugins/policies/${i}\""; done)
+imports=$(for i in "${@:2}"; do [[ -f pkg/plugins/policies/${i}/zz_generated.plugin.go ]] && echo "_ \"${GO_MODULE}/pkg/plugins/policies/${i}\""; done)
 if [[ $imports == "" ]]; then
   rm -f "${IMPORTS_FILE}"
   exit 0