Merge remote-tracking branch 'origin/main' into evansmungai/sc-111576…

…/preflight-collect-results-should-be-saved

.github/workflows/build-test.yaml

@@ -4209,6 +4209,120 @@ jobs:
           api-token: ${{ secrets.C11Y_MATRIX_TOKEN }}
           cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
 
+  validate-custom-cas:
+    runs-on: ubuntu-20.04
+    needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ]
+    strategy:
+      fail-fast: false
+      matrix:
+        cluster: [
+          {distribution: kind, version: v1.28.0}
+        ]
+    env:
+      APP_SLUG: get-set-config
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create Cluster
+        id: create-cluster
+        uses: replicatedhq/replicated-actions/create-cluster@v1
+        with:
+          api-token: ${{ secrets.C11Y_MATRIX_TOKEN }}
+          kubernetes-distribution: ${{ matrix.cluster.distribution }}
+          kubernetes-version: ${{ matrix.cluster.version }}
+          cluster-name: automated-kots-${{ github.run_id }}-${{ matrix.cluster.distribution }}-${{ matrix.cluster.version }}
+          timeout-minutes: '120'
+          ttl: 2h
+          export-kubeconfig: true
+
+      - name: download kots binary
+        uses: actions/download-artifact@v4
+        with:
+          name: kots
+          path: bin/
+
+      - run: chmod +x bin/kots
+
+      - name: create namespace and dockerhub secret
+        run: |
+          kubectl create ns "$APP_SLUG"
+          kubectl create secret docker-registry kotsadm-dockerhub --docker-server index.docker.io --docker-username "${{ secrets.E2E_DOCKERHUB_USERNAME }}" --docker-password "${{ secrets.E2E_DOCKERHUB_PASSWORD }}" --namespace "$APP_SLUG"
+
+      - name: install yq
+        run: |
+          sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
+          sudo chmod +x /usr/bin/yq
+
+      - name: run the test
+        run: |
+          set -e
+          echo ${{ secrets.GET_SET_CONFIG_LICENSE }} | base64 -d > license.yaml
+
+          echo "test value" > ./ca.crt
+          kubectl create configmap -n "$APP_SLUG" custom-cas --from-file=ca.crt=./ca.crt
+
+          ./bin/kots \
+            install "$APP_SLUG/automated" \
+            --license-file license.yaml \
+            --no-port-forward \
+            --namespace "$APP_SLUG" \
+            --shared-password password \
+            --kotsadm-registry ttl.sh \
+            --kotsadm-namespace automated-${{ github.run_id }} \
+            --private-ca-configmap custom-cas \
+            --kotsadm-tag 24h
+
+          echo "exec into the deployment and check for the file and its contents"
+          if ! kubectl exec -n "$APP_SLUG" deployment/kotsadm -- cat /certs/ca.crt | grep "test value"; then
+            echo "expected /certs/ca.crt to contain 'test value'"
+            kubectl exec -n "$APP_SLUG" deployment/kotsadm -- cat /certs/ca.crt
+            exit 1
+          fi
+
+          echo "check that the deployment has an environment variable pointing to the file"
+          if ! kubectl exec -n "$APP_SLUG" deployment/kotsadm -- env | grep "SSL_CERT_DIR" | grep "/certs"; then
+            echo "expected env output to contain SSL_CERT_DIR=/certs"
+            kubectl exec -n "$APP_SLUG" deployment/kotsadm -- env
+            exit 1
+          fi
+
+          echo "check that the deployment has an environment variable with the configmap name"
+          if ! kubectl exec -n "$APP_SLUG" deployment/kotsadm -- env | grep "SSL_CERT_CONFIGMAP" | grep "custom-cas"; then
+            echo "expected env output to contain SSL_CERT_CONFIGMAP=custom-cas"
+            kubectl exec -n "$APP_SLUG" deployment/kotsadm -- env
+            exit 1
+          fi
+
+          ./bin/kots admin-console generate-manifests -n "$APP_SLUG" --shared-password password --private-ca-configmap generated-custom-cas 
+          ls ./admin-console
+          if !  grep SSL_CERT_CONFIGMAP < ./admin-console/kotsadm-deployment.yaml; then
+            echo "expected generated kotsadm-deployment.yaml to contain SSL_CERT_CONFIGMAP"
+            cat ./admin-console/kotsadm-deployment.yaml
+            exit 1
+          fi
+          if ! grep generated-custom-cas < ./admin-console/kotsadm-deployment.yaml; then
+            echo "expected generated kotsadm-deployment.yaml to contain generated-custom-cas"
+            cat ./admin-console/kotsadm-deployment.yaml
+            exit 1
+          fi
+
+      - name: Generate support bundle on failure
+        if: failure()
+        uses: ./.github/actions/generate-support-bundle
+        with:
+          kots-namespace: "$APP_SLUG"
+          artifact-name: ${{ github.job }}-${{ matrix.cluster.distribution }}-${{ matrix.cluster.version }}-support-bundle
+
+      - name: Remove Cluster
+        id: remove-cluster
+        uses: replicatedhq/replicated-actions/remove-cluster@v1
+        if: ${{ always() && steps.create-cluster.outputs.cluster-id != '' }}
+        continue-on-error: true
+        with:
+          api-token: ${{ secrets.C11Y_MATRIX_TOKEN }}
+          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
+
 
   validate-pr-tests:
     runs-on: ubuntu-20.04
@@ -4254,6 +4368,7 @@ jobs:
       - validate-replicated-sdk
       - validate-strict-preflight-checks
       - validate-get-set-config
+      - validate-custom-cas
       # cli-only tests
       - validate-kots-push-images-anonymous
     steps:

.github/workflows/release.yaml

@@ -298,6 +298,7 @@ jobs:
         PACT_BROKER_BASE_URL: ${{ vars.PACT_BROKER_BASE_URL }}
         PACT_BROKER_TOKEN: ${{ secrets.PACT_BROKER_TOKEN }}
         PACT_PUBLISH_CONTRACT: true
+        PACT_VERSION: ${{ github.sha }}
         GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
       run: |
         set -x

.image.env

@@ -1,8 +1,8 @@
 # Generated file, do not modify.  This file is generated from a text file containing a list of images. The
 # most recent tag is interpolated from the source repository and used to generate a fully qualified image
 # name.
-MINIO_TAG='0.20240909.165928-r0'
-RQLITE_TAG='8.30.2-r0'
+MINIO_TAG='0.20240913.202602-r0'
+RQLITE_TAG='8.30.3-r0'
 DEX_TAG='2.41.1-r1'
 SCHEMAHERO_TAG='0.17.10'
 LVP_TAG='v0.6.7'

Makefile

@@ -1,7 +1,7 @@
 include Makefile.build.mk
 CURRENT_USER := $(shell id -u -n)
-MINIO_TAG ?= 0.20240909.165928-r0
-RQLITE_TAG ?= 8.30.2-r0
+MINIO_TAG ?= 0.20240913.202602-r0
+RQLITE_TAG ?= 8.30.3-r0
 DEX_TAG ?= 2.41.1-r1
 LVP_TAG ?= v0.6.7
 PACT_PUBLISH_CONTRACT ?= false
@@ -25,6 +25,12 @@ pact-consumer:
 		pact-broker publish ./pacts/consumer \
 			--auto-detect-version-properties \
 			--consumer-app-version ${GIT_TAG} || true; \
+
+		pact-broker record-release \
+			--pacticipant kots \
+			--version ${PACT_VERSION} \
+			--environment production \
+			--verbose
 	fi
 
 .PHONY: e2e

README.md

@@ -90,6 +90,8 @@ Changes to the kotsadm web component are reflected in real-time, no manual steps
 1. To apply your current changes, run the following commands:
     ```bash
     make kotsadm-up
+    ```
+    ```bash
     make build run
     ```
 
@@ -99,6 +101,9 @@ Changes to the kotsadm web component are reflected in real-time, no manual steps
     ```
 
 1. When finished developing, run the following command to revert back to the original state:
+    ```bash
+    exit
+    ```
     ```bash
     make kotsadm-down
     ```
@@ -108,6 +113,8 @@ Changes to the kotsadm web component are reflected in real-time, no manual steps
 1. To apply your current changes, run the following commands:
     ```bash
     make kurl-proxy-up
+    ```
+    ```bash
     make build run
     ```
 
@@ -117,6 +124,9 @@ Changes to the kotsadm web component are reflected in real-time, no manual steps
     ```
 
 1. When finished developing, run the following command to revert back to the original state:
+    ```bash
+    exit
+    ```
     ```bash
     make kurl-proxy-down
     ```

cmd/kots/cli/admin-console-generate-manifests.go

@@ -73,6 +73,7 @@ func AdminGenerateManifestsCmd() *cobra.Command {
 				IsOpenShift:          isOpenShift,
 				IsGKEAutopilot:       isGKEAutopilot,
 				RegistryConfig:       registryConfig,
+				PrivateCAsConfigmap:  v.GetString("private-ca-configmap"),
 			}
 			adminConsoleFiles, err := upstream.GenerateAdminConsoleFiles(renderDir, options)
 			if err != nil {
@@ -104,6 +105,7 @@ func AdminGenerateManifestsCmd() *cobra.Command {
 	cmd.Flags().String("https-proxy", "", "sets HTTPS_PROXY environment variable in all KOTS Admin Console components")
 	cmd.Flags().String("no-proxy", "", "sets NO_PROXY environment variable in all KOTS Admin Console components")
 	cmd.Flags().String("shared-password", "", "shared password to use when deploying the admin console")
+	cmd.Flags().String("private-ca-configmap", "", "the name of a configmap containing private CAs to add to the kotsadm deployment")
 	cmd.Flags().Bool("with-minio", true, "set to true to include a local minio instance to be used for storage")
 	cmd.Flags().Bool("minimal-rbac", false, "set to true to use the namespaced role and bindings instead of cluster-level permissions")
 	cmd.Flags().StringSlice("additional-namespaces", []string{}, "Comma separate list to specify additional namespace(s) managed by KOTS outside where it is to be deployed. Ignored without with '--minimal-rbac=true'")

cmd/kots/cli/install.go

@@ -308,6 +308,7 @@ func InstallCmd() *cobra.Command {
 				RequestedChannelSlug:   preferredChannelSlug,
 				AdditionalLabels:       additionalLabels,
 				AdditionalAnnotations:  additionalAnnotations,
+				PrivateCAsConfigmap:    v.GetString("private-ca-configmap"),
 
 				RegistryConfig: *registryConfig,
 
@@ -551,6 +552,7 @@ func InstallCmd() *cobra.Command {
 	cmd.Flags().Bool("exclude-admin-console", false, "set to true to exclude the admin console and only install the application")
 	cmd.Flags().StringArray("additional-annotations", []string{}, "additional annotations to add to kotsadm pods")
 	cmd.Flags().StringArray("additional-labels", []string{}, "additional labels to add to kotsadm pods")
+	cmd.Flags().String("private-ca-configmap", "", "the name of a configmap containing private CAs to add to the kotsadm deployment")
 
 	registryFlags(cmd.Flags())
 

go.mod

@@ -8,8 +8,8 @@ require (
 	github.com/Azure/go-autorest/autorest v0.11.29
 	github.com/Azure/go-autorest/autorest/adal v0.9.24
 	github.com/Masterminds/semver v1.5.0
-	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/Masterminds/sprig/v3 v3.2.3
+	github.com/Masterminds/semver/v3 v3.3.0
+	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/ahmetalpbalkan/go-cursor v0.0.0-20131010032410-8136607ea412
 	github.com/aws/aws-sdk-go v1.55.5
 	github.com/bitnami-labs/sealed-secrets v0.27.1
@@ -76,20 +76,20 @@ require (
 	gopkg.in/ini.v1 v1.67.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	helm.sh/helm/v3 v3.15.4
-	k8s.io/api v0.31.0
-	k8s.io/apimachinery v0.31.0
-	k8s.io/cli-runtime v0.31.0
-	k8s.io/client-go v0.31.0
-	k8s.io/cluster-bootstrap v0.31.0
+	helm.sh/helm/v3 v3.16.1
+	k8s.io/api v0.31.1
+	k8s.io/apimachinery v0.31.1
+	k8s.io/cli-runtime v0.31.1
+	k8s.io/client-go v0.31.1
+	k8s.io/cluster-bootstrap v0.31.1
 	k8s.io/helm v2.17.0+incompatible
-	k8s.io/kubelet v0.31.0
-	k8s.io/metrics v0.31.0
+	k8s.io/kubelet v0.30.3
+	k8s.io/metrics v0.31.1
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
 	oras.land/oras-go/v2 v2.5.0
 	sigs.k8s.io/application v0.8.3
 	sigs.k8s.io/controller-runtime v0.19.0
-	sigs.k8s.io/kustomize/api v0.17.2
+	sigs.k8s.io/kustomize/api v0.17.3
 	sigs.k8s.io/kustomize/kyaml v0.17.2
 	sigs.k8s.io/yaml v1.4.0
 )
@@ -98,7 +98,7 @@ require (
 	cloud.google.com/go v0.112.1 // indirect
 	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	cloud.google.com/go/iam v1.1.7 // indirect
-	dario.cat/mergo v1.0.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -246,7 +246,7 @@ require (
 	github.com/jackc/pgx/v5 v5.7.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jmoiron/sqlx v1.3.5 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/k0sproject/k0s v1.29.9-0.20240821114611-d76eb6bb05a7 // indirect
@@ -309,7 +309,7 @@ require (
 	github.com/redis/go-redis/v9 v9.5.1 // indirect
 	github.com/replicatedhq/termui/v3 v3.1.1-0.20200811145416-f40076d26851 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rubenv/sql-migrate v1.5.2 // indirect
+	github.com/rubenv/sql-migrate v1.7.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -323,7 +323,7 @@ require (
 	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/sylabs/sif/v2 v2.18.0 // indirect
@@ -385,7 +385,7 @@ require (
 	k8s.io/component-base v0.31.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240709000822-3c01b740850f // indirect
-	k8s.io/kubectl v0.30.3 // indirect
+	k8s.io/kubectl v0.31.0 // indirect
 	oras.land/oras-go v1.2.6 // indirect
 	periph.io/x/host/v3 v3.8.2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect