Add "cis "to the cis-profile enum to support 1.29+ #301
Conversation
richardcase
added
area/api
|
Thanks for this @AshleyDumaine . Would you be able to look at the CI failure? |
Head branch was pushed to by a user without write access
It looks like controller-gen for |
Yes i think so 👍 |
Okay sounds good! I regenerated the CRDs and |
|
@richardcase I also had to bump conversion-gen to 0.30.0 since the conversion files were failing to generate as well, but I had to account for this issue in conversion.go: kubernetes/code-generator#94 (comment) |
|
This PR is stale because it has been open 90 days with no activity. |
github-actions
bot
added
the
lifecycle/stale
|
Hey @richardcase would you be able to retrigger the CI for this? 🙏 Just updated for the repo being moved out of the sandbox project. |
github-actions
bot
removed
the
lifecycle/stale
|
@AshleyDumaine - i'm afraid i can no longer trigger the CI. Perhaps @alexander-demicev , @Danil-Grigorev or @furkatgofurov7 can? |
|
@AshleyDumaine hey, sorry for late reply on this. Can you please rebase the PR on the latest main and then we can re-trigger e2e tests. |
AshleyDumaine
force-pushed
the
cis-enum
branch
from
75241a2
to
b78ccc4
Compare
| --build-tag=ignore_autogenerated_rk2_control_plane \ | ||
| --output-file-base=zz_generated.conversion $(ROOT_DIR) \ | ||
| --go-header-file=./hack/boilerplate.go.txt | ||
| --output-file=zz_generated.conversion.go $(ROOT_DIR)/$(CAPRKE2_DIR) \ |
There was a problem hiding this comment.
I think the --build-tag here need to be removed like the bootstrap?
make generate works for me locally with that removed, and we can see unknown flag: --build-tag in the CI results
AshleyDumaine
force-pushed
the
cis-enum
branch
from
b78ccc4
to
e4c6b9e
Compare
|
The test failure now looks unrelated to the PR @furkatgofurov7 is it worth rechecking as that may be an issue with a specific runner? |
@hardys sure re-triggering it, I can't find last e2e run logs when checking it so looks like an infra issue with GH runner (seeing this frequently these days). |
|
@furkatgofurov7 I know there were some issues with the e2e test recently which appear to have caused the most recent failure, are those now resolved so this can be rechecked again? |
|
I can't approve but this lgtm - I tested locally in conjunction with #402 and all works as expected when deploying RKE2 1.30.3, hopefully we can resolve the e2e issues soon as AFAICS they aren't related to this PR |
|
@hardys @AshleyDumaine sorry for the CI problems unrelated to your PRs. We are still investigating it, meanwhile we have some assumptions around what could be the root cause based on the latest runs on this PR (TL;DR is, scaling up workers to 3 and applying an upgrade to newer version of k8s does not work due to some errors on CP never being upgraded to new k8s version |
Possible e2e fix #413 is merged, can you please rebase once again and we rerun the tests? Thank you. |
AshleyDumaine
force-pushed
the
cis-enum
branch
from
e9f6014
to
60f4d5f
Compare
Should be good to run now, just rebased. Thanks! |
There was a problem hiding this comment.
Thank you very much for your work and patience @AshleyDumaine!
|
@AshleyDumaine We have a check that requires all commits to be signed, can I ask you to sign them? |
@alexander-demicev all commits are signed AFAICT |
|
@furkatgofurov7 Commits have to be signed with a GPG key https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification |
I just followed this guide and had issues with the GPG key local signing, but configuring for SSH key signing worked (note you have to upload the public key again even if it's already used for verification, since the key upload UI has a dropdown for key type which must be signing) Also @AshleyDumaine you might find it convenient when configured to run |
Signed-off-by: Ashley Dumaine <ashley.dumaine@gmail.com>
…ate CRDs Signed-off-by: Ashley Dumaine <ashley.dumaine@gmail.com>
Signed-off-by: Ashley Dumaine <ashley.dumaine@gmail.com>
Head branch was pushed to by a user without write access
AshleyDumaine
force-pushed
the
cis-enum
branch
from
60f4d5f
to
da2fd6e
Compare
Thanks, should be good to go now. |
What this PR does / why we need it: For RKE2 version >=1.29, the cis profile flag needs to be "cis" (https://docs.rke2.io/security/hardening_guide#generic-cis-configuration), but this isn't currently in the CRD enums.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer: I'm not sure if a v1beta2 will be needed for this since this since this is a CRD change but no fields are being added/removed from the spec.
Checklist: