From d8bbf231e7751856c86919fab8ce360ff46d4799 Mon Sep 17 00:00:00 2001
From: Pedro Juarez
Date: Mon, 9 Dec 2024 11:37:54 -0800
Subject: [PATCH 1/4] Update release scripts (#2365)
* Update release scripts
* Update controller-gen 0.16.5
* Add `sed_inplace` method in bash script to make the sed syntax compatible in Linux and MacOS
* Remove files that reference MCJob in release.sh
* Update vulnerable package Update `github.com/golang-jwt/jwt/v4` from v4.5.0 to github.com/golang-jwt/jwt/v4 v4.5.1 to fix `CVE-2024-51744`
---
 Makefile | 2 +-
 go.mod | 2 +-
 go.sum | 2 ++
 release.sh | 88 +++++++++++++++++++++++++-------------------------
 sidecar/go.mod | 2 +-
 sidecar/go.sum | 2 ++
 6 files changed, 51 insertions(+), 47 deletions(-)
diff --git a/Makefile b/Makefile
index 1524d478a98..ce947b28974 100644
--- a/Makefile
+++ b/Makefile
@@ -66,7 +66,7 @@ clean:
 @rm -rf dist/
 regen-crd:
- @go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.15.0
+ @go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.5
 @${GOPATH}/bin/controller-gen crd:maxDescLen=0,generateEmbeddedObjectMeta=true webhook paths="./..." output:crd:artifacts:config=$(KUSTOMIZE_CRDS)
 @sed 's#namespace: minio-operator#namespace: {{ .Release.Namespace }}#g' resources/base/crds/minio.min.io_tenants.yaml > $(HELM_TEMPLATES)/minio.min.io_tenants.yaml
 @sed 's#namespace: minio-operator#namespace: {{ .Release.Namespace }}#g' resources/base/crds/sts.min.io_policybindings.yaml > $(HELM_TEMPLATES)/sts.min.io_policybindings.yaml
diff --git a/go.mod b/go.mod
index 774fbd42e82..2edf83839df 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/fatih/color v1.17.0 // indirect
 github.com/go-openapi/swag v0.23.0 // indirect
 github.com/golang-jwt/jwt v3.2.2+incompatible
- github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+ github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 github.com/google/go-containerregistry v0.19.2
 github.com/google/uuid v1.6.0 // indirect
 github.com/gorilla/mux v1.8.1
diff --git a/go.sum b/go.sum
index 2710d19040e..2e725cff7e0 100644
--- a/go.sum
+++ b/go.sum
@@ -66,6 +66,8 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
diff --git a/release.sh b/release.sh
index 0436b378496..aa5af8361a4 100755
--- a/release.sh
+++ b/release.sh
@@ -4,49 +4,52 @@ set -e
 # Parse command line arguments
 while [[ "$#" -gt 0 ]]; do
- case $1 in
- --release-sidecar)
- RELEASE_SIDECAR="$2"
- shift 2
- ;;
- *)
- ;;
- esac
- shift
+ case $1 in
+ --release-sidecar)
+ RELEASE_SIDECAR="$2"
+ shift 2
+ ;;
+ *) ;;
+ esac
+ shift
 done
+sed_inplace() {
+ if [[ "$OSTYPE" == "darwin"* ]]; then
+ sed -i "" -E "$@"
+ else
+ sed -i -r "$@"
+ fi
+}
+
 get_latest_release() {
- curl --silent "https://api.github.com/repos/$1/releases/latest" | # Get latest release from GitHub api
- grep '"tag_name":' | # Get tag line
- sed -E 's/.*"([^"]+)".*/\1/' # Pluck JSON value
+ curl --silent "https://api.github.com/repos/$1/releases/latest" | # Get latest release from GitHub api
+ grep '"tag_name":' | # Get tag line
+ sed -E 's/.*"([^"]+)".*/\1/' # Pluck JSON value
 }
 MINIO_RELEASE=$(get_latest_release minio/minio)
 KES_RELEASE=$(get_latest_release minio/kes)
-MC_RELEASE=$(get_latest_release minio/mc)
 MINIO_CURRENT_RELEASE=$(sed -nr 's/.*(minio\/minio\:)([v]?.*)"/\2/p' pkg/apis/minio.min.io/v2/constants.go)
 KES_CURRENT_RELEASE=$(sed -nr 's/.*(minio\/kes\:)([v]?.*)"/\2/p' pkg/apis/minio.min.io/v2/constants.go)
 files=(
- "README.md"
- "pkg/apis/job.min.io/v1alpha1/types.go"
- "docs/tenant_crd.adoc"
- "docs/policybinding_crd.adoc"
- "docs/job_crd.adoc"
- "docs/minio-job.md"
- "docs/templates/asciidoctor/gv_list.tpl"
- "examples/kustomization/base/tenant.yaml"
- "examples/kustomization/tenant-certmanager-kes/tenant.yaml"
- "examples/kustomization/tenant-kes-encryption/tenant.yaml"
- "helm/operator/Chart.yaml"
- "helm/operator/values.yaml"
- "helm/tenant/Chart.yaml"
- "helm/tenant/values.yaml"
- "pkg/apis/minio.min.io/v2/constants.go"
- "pkg/controller/operator.go"
- "resources/base/deployment.yaml"
- "testing/console-tenant+kes.sh"
+ "README.md"
+ "docs/tenant_crd.adoc"
+ "docs/policybinding_crd.adoc"
+ "docs/templates/asciidoctor/gv_list.tpl"
+ "examples/kustomization/base/tenant.yaml"
+ "examples/kustomization/tenant-certmanager-kes/tenant.yaml"
+ "examples/kustomization/tenant-kes-encryption/tenant.yaml"
+ "helm/operator/Chart.yaml"
+ "helm/operator/values.yaml"
+ "helm/tenant/Chart.yaml"
+ "helm/tenant/values.yaml"
+ "pkg/apis/minio.min.io/v2/constants.go"
+ "pkg/controller/operator.go"
+ "resources/base/deployment.yaml"
+ "testing/console-tenant+kes.sh"
 )
 CURRENT_RELEASE=$(get_latest_release minio/operator)
@@ -55,36 +58,33 @@ CURRENT_RELEASE="${CURRENT_RELEASE:1}"
 echo "Upgrade: $CURRENT_RELEASE => $RELEASE"
 echo "MinIO: $MINIO_RELEASE => $MINIO_RELEASE"
 echo "KES: $KES_CURRENT_RELEASE => $KES_RELEASE"
-echo "MC: $MC_CURRENT_RELEASE => $MC_RELEASE"
 if [ -z "$MINIO_RELEASE" ]; then
- echo "\$MINIO_RELEASE is empty"
- exit 0
+ echo "\$MINIO_RELEASE is empty"
+ exit 0
 fi
 for file in "${files[@]}"; do
- sed -i -e "s/${KES_CURRENT_RELEASE}/${KES_RELEASE}/g" "$file"
- sed -i -e "s/${MC_CURRENT_RELEASE}/${MC_RELEASE}/g" "$file"
- sed -i -e "s/${CURRENT_RELEASE}/${RELEASE}/g" "$file"
- sed -i -e "s/${MINIO_CURRENT_RELEASE}/${MINIO_RELEASE}/g" "$file"
+ sed_inplace "s/${KES_CURRENT_RELEASE}/${KES_RELEASE}/g" "$file"
+ sed_inplace "s/${CURRENT_RELEASE}/${RELEASE}/g" "$file"
+ sed_inplace "s/${MINIO_CURRENT_RELEASE}/${MINIO_RELEASE}/g" "$file"
 done
 annotations_files=(
- "pkg/apis/job.min.io/v1alpha1/types.go"
- "pkg/apis/minio.min.io/v2/types.go"
- "pkg/apis/sts.min.io/v1beta1/types.go"
+ "pkg/apis/minio.min.io/v2/types.go"
+ "pkg/apis/sts.min.io/v1beta1/types.go"
 )
 for file in "${annotations_files[@]}"; do
- sed -i -e "s~operator.min.io/version=.*~operator.min.io/version=v${RELEASE}~g" "$file"
+ sed_inplace "s~operator.min.io/version=.*~operator.min.io/version=v${RELEASE}~g" "$file"
 done
 # Update annotation in kustomization yaml
-sed -i -e "s~operator.min.io/version: .*~operator.min.io/version: v${RELEASE}~g" "resources/kustomization.yaml"
+sed_inplace "s~operator.min.io/version: .*~operator.min.io/version: v${RELEASE}~g" "resources/kustomization.yaml"
 if [ "${RELEASE_SIDECAR}" = "true" ]; then
- sed -i -e 's~quay.io/minio/operator-sidecar:.*\"~quay.io/minio/operator-sidecar:v'$RELEASE'\"~g' "pkg/resources/statefulsets/minio-sidecar.go"
+ sed_inplace 's~quay.io/minio/operator-sidecar:.*\"~quay.io/minio/operator-sidecar:v'$RELEASE'\"~g' "pkg/resources/statefulsets/minio-sidecar.go"
 fi
 # Add all the generated files to git
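Review bot: The three substitutions now routed through `sed_inplace` interpolate `$KES_CURRENT_RELEASE`, `$CURRENT_RELEASE` and `$MINIO_CURRENT_RELEASE` unescaped as the regex side and the values returned by `get_latest_release` unescaped as the replacement; because the wrapper switches sed to extended regex, `+`, `?`, `(`, `)` and `|` in a version string now act as operators on top of the `.` that already matched any character under `sed -i -e`, and a `/` or `&` in either value breaks or alters the `s/.../.../g` expression. These values come from a remote API response, so escaping them — or at least moving the three calls to the `~` delimiter the other calls here already use — keeps an unexpected tag name from rewriting the wrong lines. The empty-value guard also ends in `exit 0` and checks only `$MINIO_RELEASE`; a failed lookup should be `exit 1` so a release pipeline notices, and `$KES_RELEASE`, `$CURRENT_RELEASE` and `$RELEASE` deserve the same `[ -z ... ]` check. `$RELEASE` is not assigned anywhere in this hunk, so that guard would need to sit after wherever it is set.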
diff --git a/sidecar/go.mod b/sidecar/go.mod
index 4bf5f52397d..19dc79bd75b 100644
--- a/sidecar/go.mod
+++ b/sidecar/go.mod
@@ -29,7 +29,7 @@ require (
 github.com/goccy/go-json v0.10.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
- github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+ github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 github.com/golang/protobuf v1.5.4 // indirect
 github.com/google/gnostic-models v0.6.8 // indirect
 github.com/google/go-cmp v0.6.0 // indirect
diff --git a/sidecar/go.sum b/sidecar/go.sum
index 0fe5d557195..125532541a2 100644
--- a/sidecar/go.sum
+++ b/sidecar/go.sum
@@ -32,6 +32,8 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
From bdab1602e9676b3bbc136f8fb6c4bfab27f5c129 Mon Sep 17 00:00:00 2001
From: M Junaid <155959111+safijunaid17@users.noreply.github.com>
Date: Tue, 10 Dec 2024 00:39:51 +0300
Subject: [PATCH 2/4] Fix storageClassName references in tenant.pool.volumeClaimtemplates (#2362)
Currently, No matter what storageClassName you define under tenant.pools, it always defaults to gp3 i.e., EBS store. However, I want to point the storageclass to use direcpv. Updating this code to fix that ref issue.
---
 helm/tenant/templates/tenant.yaml | 54 ++++++++++++++----------------
 1 file changed, 24 insertions(+), 30 deletions(-)
diff --git a/helm/tenant/templates/tenant.yaml b/helm/tenant/templates/tenant.yaml
index 15c8f79136a..24a1b4ef620 100644
--- a/helm/tenant/templates/tenant.yaml
+++ b/helm/tenant/templates/tenant.yaml
@@ -35,62 +35,56 @@ spec:
 {{- end }}
 {{- end }}
 pools:
- {{- range (dig "pools" (list) .) }}
- - servers: {{ dig "servers" 4 . }}
- name: {{ dig "name" "" . }}
- volumesPerServer: {{ dig "volumesPerServer" 4 . }}
- {{- if dig "runtimeClassName" "" . }}
- runtimeClassName: {{ dig "runtimeClassName" "" . }}
+ {{- range .pools }}
+ - servers: {{ .servers | default 4 }}
+ name: {{ .name | default "" }}
+ volumesPerServer: {{ .volumesPerServer | default 4 }}
+ {{- if .runtimeClassName }}
+ runtimeClassName: {{ .runtimeClassName }}
 {{- end }}
 volumeClaimTemplate:
 metadata:
 name: data
- {{- with (dig "storageAnnotations" (dict) .) }}
+ {{- with .storageAnnotations }}
 annotations: {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- with (dig "storageLabels" (dict) .) }}
+ {{- end }}
+ {{- with .storageLabels }}
 labels: {{- toYaml . | nindent 12 }}
- {{- end }}
+ {{- end }}
 spec:
- {{- if dig "storageClassName" "" . }}
- storageClassName: {{ dig "storageClassName" "" . }}
+ {{- if .storageClassName }}
+ storageClassName: {{ .storageClassName }}
 {{- end }}
 accessModes:
 - ReadWriteOnce
 resources:
 requests:
- storage: {{ dig "size" "10Gi" . }}
- {{- with (dig "annotations" (dict) .) }}
+ storage: {{ .size | default "10Gi" }}
+ {{- with .annotations }}
 annotations: {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with (dig "labels" (dict) .) }}
+ {{- with .labels }}
 labels: {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with (dig "tolerations" (list) .) }}
+ {{- with .tolerations }}
 tolerations: {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with (dig "nodeSelector" (dict) .) }}
+ {{- with .nodeSelector }}
 nodeSelector: {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with (dig "affinity" (dict) .) }}
+ {{- with .affinity }}
 affinity: {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with (dig "resources" (dict) .) }}
+ {{- with .resources }}
 resources: {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- if hasKey . "securityContext" }}
- securityContext: {{- if eq (len .securityContext) 0 }} {} {{- end }}
- {{- with (dig "securityContext" (dict) .) }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- end }}
- {{- if hasKey . "containerSecurityContext" }}
- containerSecurityContext: {{- if eq (len .containerSecurityContext) 0 }} {} {{- end }}
- {{- with (dig "containerSecurityContext" (dict) .) }}
- {{- toYaml . | nindent 8 }}
+ {{- if .securityContext }}
+ securityContext: {{- toYaml .securityContext | nindent 8 }}
 {{- end }}
+ {{- if .containerSecurityContext }}
+ containerSecurityContext: {{- toYaml .containerSecurityContext | nindent 8 }}
 {{- end }}
- {{- with (dig "topologySpreadConstraints" (list) .) }}
+ {{- with .topologySpreadConstraints }}
 topologySpreadConstraints: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
From d1653714e56e083a3cb0eca3669d0252f7b55aad Mon Sep 17 00:00:00 2001
From: Luca Cominoli
Date: Tue, 10 Dec 2024 23:15:17 +0100
Subject: [PATCH 3/4] Add initContainers to tenant Helm Chart (#2366)
Add initcontainers to tenant Helm Chart
---
 helm/tenant/templates/tenant.yaml | 3 +++
 helm/tenant/values.yaml | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/helm/tenant/templates/tenant.yaml b/helm/tenant/templates/tenant.yaml
index 24a1b4ef620..173e44f4ff6 100644
--- a/helm/tenant/templates/tenant.yaml
+++ b/helm/tenant/templates/tenant.yaml
@@ -25,6 +25,9 @@ spec:
 imagePullSecret:
 name: {{ dig "imagePullSecret" "name" "" . }}
 {{- end }}
+ {{- with (dig "initContainers" (list) .) }}
+ initContainers: {{- toYaml . | nindent 4 }}
+ {{- end }}
 ## Secret with default environment variable configurations
 configuration:
 name: {{ .configuration.name }}
diff --git a/helm/tenant/values.yaml b/helm/tenant/values.yaml
index 52d8ca8dd62..1dcc4311502 100644
--- a/helm/tenant/values.yaml
+++ b/helm/tenant/values.yaml
@@ -38,6 +38,30 @@ tenant:
 # Only one array element is supported at this time.
 imagePullSecret: { }
 ###
+ #
+ # Specify `initContainers `__ to perform setup or configuration tasks before the main Tenant pods starts.
+ #
+ # Example of init container which waits for idenity provider to be reachable before starting MinIO Tenant:
+ #
+ # .. code-block:: yaml
+ #
+ # initContainers:
+ # - name: wait-for-idp
+ # image: busybox
+ # command:
+ # - sh
+ # - -c
+ # - |
+ # URL="https://idp-url"
+ # echo "Checking IdP reachability (${URL})"
+ # until $(wget -q -O "/dev/null" ${URL}) ; do
+ # echo "IdP (${URL}) not reachable. Waiting to be reachable..."
+ # sleep 5
+ # done
+ # echo "IdP (${URL}) reachable. Starting MinIO..."
+ #
+ initContainers: [ ]
+ ###
 # The Kubernetes `Scheduler `__ to use for dispatching Tenant pods.
 #
 # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler.
From c3495a77092729708b5fef7ac6e95f9dfc6f57fb Mon Sep 17 00:00:00 2001
From: Ramon de Klein
Date: Wed, 18 Dec 2024 21:46:44 +0100
Subject: [PATCH 4/4] Enable verbose logging (#2371)
---
 cmd/operator/controller.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/cmd/operator/controller.go b/cmd/operator/controller.go
index ff4ad600163..1c2286213d7 100644
--- a/cmd/operator/controller.go
+++ b/cmd/operator/controller.go
@@ -15,6 +15,9 @@ package main
 import (
+ "flag"
+ "strconv"
+
 "github.com/minio/cli"
 "github.com/minio/operator/pkg/controller"
 )
@@ -30,9 +33,17 @@ var controllerCmd = cli.Command{
 Name: "kubeconfig",
 Usage: "Load configuration from `KUBECONFIG`",
 },
+ cli.IntFlag{
+ Name: "v",
+ Usage: "logging level",
+ },
 },
 }
 func startController(ctx *cli.Context) {
+ if ctx.Int("v") > 0 {
+ flag.Set("v", strconv.Itoa(ctx.Int("v")))
+ flag.Parse()
+ }
 controller.StartOperator(ctx.String("kubeconfig"))
 }
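Review bot: The sample init container in the new comment block uses `until $(wget -q -O "/dev/null" ${URL}) ; do`, which only works by accident — the `$(...)` expands to nothing and the shell falls back to the substitution's exit status — and leaves `${URL}` unquoted; the plain form `until wget -q -O /dev/null "${URL}"; do` is what readers should be copying. The example also pulls `busybox` with no tag or digest, and BusyBox's `wget` does not validate TLS certificates, so the probe says nothing about the identity of the endpoint it reaches; pinning the image and stating that this is a reachability check only would keep the sample from being reused as a trust check. There is a typo in the prose, `idenity` → `identity`, and the `initContainers `__` link carries no URL (the `Scheduler `__ entry below it has the same shape, so this may be how the file is written).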
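Review bot: `flag.Set("v", ...)` returns an error that the new `startController` body discards; it fails with "no such flag -v" whenever nothing has registered a `v` flag on the default FlagSet by the time this runs (presumably the target is klog's `-v`, registered through its `InitFlags` — worth confirming where that call happens relative to this one), and in that case the requested level is silently dropped. The `flag.Parse()` that follows works on `os.Args[1:]`, whose first element is the `controller` subcommand, so parsing stops at that non-flag word immediately; if the call is there only to mark the default set as parsed, a comment should say so, otherwise it can go. Reading the level once and checking the error, `if v := ctx.Int("v"); v > 0 {` followed by `if err := flag.Set("v", strconv.Itoa(v)); err != nil {` and a loud failure, also avoids the two `ctx.Int("v")` calls. The `Usage` text could name the consumer and scale, e.g. `Usage: "klog verbosity level (0 = default)"`, if klog is indeed what reads it.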