Merge branch 'main' into remove_hostPID

medik8s · Aug 3, 2023 · c50daf4 · c50daf4
2 parents fb3c16f + 044ff33
commit c50daf4
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Build the manager binary
 FROM quay.io/centos/centos:stream8 AS builder
-RUN yum install golang -y
+RUN yum install golang -y && yum clean all
 
 # Ensure correct Go version
 ENV GO_VERSION=1.20

diff --git a/Makefile b/Makefile
@@ -163,11 +163,13 @@ BIN_ASSETS_DIR=$(shell pwd)/bin
 ENVTEST_ASSETS_DIR = ${BIN_ASSETS_DIR}/setup-envtest
 ENVTEST = $(shell pwd)/bin/setup-envtest
 
+# Use TEST_OPS to pass further options to `go test` (e.g. -gingo.v and/or -ginkgo.focus)
+export TEST_OPS ?= ""
 .PHONY: test
 test: envtest manifests generate fmt vet ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path --bin-dir $(PROJECT_DIR)/testbin)" \
 		KUBEBUILDER_CONTROLPLANE_STOP_TIMEOUT="60s"\
-		go test ./api/... ./controllers/... ./pkg/... -coverprofile cover.out -v
+		go test ./api/... ./controllers/... ./pkg/... -coverprofile cover.out -v ${TEST_OPS}
 
 .PHONY: bundle-run
 export BUNDLE_RUN_NAMESPACE ?= openshift-operators
@@ -328,7 +330,7 @@ protoc-gen-go-grpc: ## Download protoc-gen-go-grpc locally if necessary.
 e2e-test:
 	# KUBECONFIG must be set to the cluster, and PP needs to be deployed already
     # count arg makes the test ignoring cached test results
-	go test ./e2e -ginkgo.v -ginkgo.progress -test.v -timeout 60m -count=1
+	go test ./e2e -ginkgo.v -ginkgo.progress -test.v -timeout 60m -count=1 ${TEST_OPS}
 
 .PHONY: operator-sdk
 OPERATOR_SDK_BIN_FOLDER = ./bin/operator-sdk
@@ -429,4 +431,4 @@ fix-imports: sort-imports ## Sort imports
 	$(SORT_IMPORTS) -w .
 
 .PHONY: full-gen
-full-gen:  generate manifests vendor tidy bundle fix-imports bundle-reset ## generates all automatically generated content
+full-gen:  generate manifests vendor tidy bundle fix-imports bundle-reset ## generates all automatically generated content
diff --git a/controllers/selfnoderemediation_controller.go b/controllers/selfnoderemediation_controller.go
@@ -871,6 +871,7 @@ func (r *SelfNodeRemediationReconciler) removeOutOfServiceTaint(node *v1.Node) e
 		r.logger.Error(err, "Failed to remove taint from node,", "node name", node.Name, "taint key", OutOfServiceTaint.Key, "taint effect", OutOfServiceTaint.Effect)
 		return err
 	}
+	r.logger.Info("outofservice taint removed", "new taints", node.Spec.Taints)
 	return nil
 }
 
@@ -882,6 +883,7 @@ func (r *SelfNodeRemediationReconciler) isResourceDeletionCompleted(node *v1.Nod
 	}
 	for _, pod := range pods.Items {
 		if pod.Spec.NodeName == node.Name && r.isPodTerminating(&pod) {
+			r.logger.Info("waiting for terminating pod ", "pod name", pod.Name, "phase", pod.Status.Phase)
 			return false
 		}
 	}
@@ -892,6 +894,7 @@ func (r *SelfNodeRemediationReconciler) isResourceDeletionCompleted(node *v1.Nod
 	}
 	for _, va := range volumeAttachments.Items {
 		if va.Spec.NodeName == node.Name {
+			r.logger.Info("waiting for deleting volumeAttachement", "name", va.Name)
 			return false
 		}
 	}

diff --git a/e2e/self_node_remediation_test.go b/e2e/self_node_remediation_test.go
@@ -424,7 +424,7 @@ func getBootTime(node *v1.Node) (*time.Time, error) {
 			return err
 		}
 		return nil
-	}, 6*time.Minute, 10*time.Second).ShouldNot(HaveOccurred())
+	}, 15*time.Minute, 10*time.Second).ShouldNot(HaveOccurred())
 	return &bootTime, nil
 }
 

diff --git a/pkg/certificates/credentials.go b/pkg/certificates/credentials.go
@@ -8,6 +8,8 @@ import (
 	"google.golang.org/grpc/credentials"
 )
 
+const TLSMinVersion = tls.VersionTLS13
+
 func GetServerCredentialsFromCerts(certReader CertStorageReader) (credentials.TransportCredentials, error) {
 
 	keyPair, pool, err := prepareCredentials(certReader)
@@ -19,6 +21,7 @@ func GetServerCredentialsFromCerts(certReader CertStorageReader) (credentials.Tr
 		Certificates: []tls.Certificate{*keyPair},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		ClientCAs:    pool,
+		MinVersion:   TLSMinVersion,
 	}), nil
 }
 
@@ -33,6 +36,7 @@ func GetClientCredentialsFromCerts(certReader CertStorageReader) (credentials.Tr
 		Certificates: []tls.Certificate{*keyPair},
 		RootCAs:      pool,
 		ServerName:   fixedCertIP.String(),
+		MinVersion:   TLSMinVersion,
 	}), nil
 }
 

diff --git a/pkg/controlplane/manager.go b/pkg/controlplane/manager.go
@@ -17,6 +17,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/medik8s/self-node-remediation/pkg/certificates"
 	"github.com/medik8s/self-node-remediation/pkg/peers"
 )
 
@@ -150,7 +151,10 @@ func (manager *Manager) isEndpointAccessible() bool {
 func (manager *Manager) isKubeletServiceRunning() bool {
 	url := fmt.Sprintf("https://%s:%s/pods", manager.nodeName, kubeletPort)
 	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			MinVersion:         certificates.TLSMinVersion,
+		},
 	}
 	httpClient := &http.Client{Transport: tr}
 

diff --git a/pkg/reboot/rebooter.go b/pkg/reboot/rebooter.go
@@ -82,7 +82,7 @@ func (r *watchdogRebooter) Reboot() error {
 func (r *watchdogRebooter) softwareReboot() error {
 	r.log.Info("about to try software reboot")
 	// privileged:true required to run this
-	rebootCmd := exec.Command("/usr/bin/nsenter", "-m/proc/1/ns/mnt", "/bin/systemctl", "reboot", "--force", "--force")
+	rebootCmd := exec.Command("/usr/bin/nsenter", "-m/proc/1/ns/mnt", "/bin/bash", "-c", "echo b > /proc/sysrq-trigger")
 
 	if err := rebootCmd.Run(); err != nil {
 		r.log.Error(err, "failed to run reboot command")