Automated cherry pick of #94975 #95341 upstream release 1.19

cluster/gce/config-default.sh

@@ -307,7 +307,7 @@ NODE_PROBLEM_DETECTOR_TAR_HASH="${NODE_PROBLEM_DETECTOR_TAR_HASH:-}"
 NODE_PROBLEM_DETECTOR_RELEASE_PATH="${NODE_PROBLEM_DETECTOR_RELEASE_PATH:-}"
 NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS="${NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS:-}"
 
-CNI_SHA1="${CNI_SHA1:-}"
+CNI_HASH="${CNI_HASH:-}"
 CNI_TAR_PREFIX="${CNI_TAR_PREFIX:-cni-plugins-linux-amd64-}"
 CNI_STORAGE_URL_BASE="${CNI_STORAGE_URL_BASE:-https://storage.googleapis.com/k8s-artifacts-cni/release}"
 

cluster/gce/config-test.sh

@@ -339,7 +339,7 @@ NODE_PROBLEM_DETECTOR_TAR_HASH=${NODE_PROBLEM_DETECTOR_TAR_HASH:-}
 NODE_PROBLEM_DETECTOR_RELEASE_PATH=${NODE_PROBLEM_DETECTOR_RELEASE_PATH:-}
 NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS=${NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS:-}
 
-CNI_SHA1=${CNI_SHA1:-}
+CNI_HASH=${CNI_HASH:-}
 CNI_TAR_PREFIX=${CNI_TAR_PREFIX:-cni-plugins-linux-amd64-}
 CNI_STORAGE_URL_BASE=${CNI_STORAGE_URL_BASE:-https://storage.googleapis.com/k8s-artifacts-cni/release}
 

cluster/gce/gci/configure.sh

@@ -25,12 +25,12 @@ set -o pipefail
 
 ### Hardcoded constants
 DEFAULT_CNI_VERSION="v0.8.7"
-DEFAULT_CNI_SHA1="96a30cb67e33da95fb1d99f93dd787c2a3c08627"
+DEFAULT_CNI_HASH="8f2cbee3b5f94d59f919054dccfe99a8e3db5473b553d91da8af4763e811138533e05df4dbeab16b3f774852b4184a7994968f5e036a3f531ad1ac4620d10ede"
 DEFAULT_NPD_VERSION="v0.8.0"
-DEFAULT_NPD_SHA1="9406c975b1b035995a137029a004622b905b4e7f"
+DEFAULT_NPD_HASH="b15d6919321e832b5fc7bc150c2e141e947305e82b34b514adbda9b9bc41088beadbf833f5bbbf44b9a8181c3fd8ed41e1629458d7544ccaecb374c22bde1517"
 DEFAULT_CRICTL_VERSION="v1.18.0"
-DEFAULT_CRICTL_SHA1="f384f594bd0a7e558a827363f54f58b45e670075"
-DEFAULT_MOUNTER_TAR_SHA="8003b798cf33c7f91320cd6ee5cec4fa22244571"
+DEFAULT_CRICTL_HASH="9fe9f80f96542e90b47ae13726fd1cf6ed329117c64cefc1c0dda81b65a46551a6d273810efc689993eff41f2091536af9b536a2d0c6a51ec2e6480db26b6b8b"
+DEFAULT_MOUNTER_TAR_SHA="7956fd42523de6b3107ddc3ce0e75233d2fcb78436ff07a1389b6eaac91fb2b1b72a08f7a219eaf96ba1ca4da8d45271002e0d60e0644e796c665f99bb356516"
 ###
 
 # Use --retry-connrefused opt only if it's supported by curl.
@@ -126,9 +126,10 @@ function validate-hash {
   local -r file="$1"
   local -r expected="$2"
 
-  actual=$(sha1sum ${file} | awk '{ print $1 }') || true
-  if [[ "${actual}" != "${expected}" ]]; then
-    echo "== ${file} corrupted, sha1 ${actual} doesn't match expected ${expected} =="
+  actual_sha1=$(sha1sum "${file}" | awk '{ print $1 }') || true
+  actual_sha512=$(sha512sum "${file}" | awk '{ print $1 }') || true
+  if [[ "${actual_sha1}" != "${expected}" ]] && [[ "${actual_sha512}" != "${expected}" ]]; then
+    echo "== ${file} corrupted, sha1 ${actual_sha1}/sha512 ${actual_sha512} doesn't match expected ${expected} =="
     return 1
   fi
 }
@@ -146,7 +147,7 @@ function valid-storage-scope {
 
 # Retry a download until we get it. Takes a hash and a set of URLs.
 #
-# $1 is the sha1 of the URL. Can be "" if the sha1 is unknown.
+# $1 is the sha512/sha1 hash of the URL. Can be "" if the sha512/sha1 hash is unknown.
 # $2+ are the URLs to download.
 function download-or-bust {
   local -r hash="$1"
@@ -168,7 +169,7 @@ function download-or-bust {
         echo "== Hash validation of ${url} failed. Retrying. =="
       else
         if [[ -n "${hash}" ]]; then
-          echo "== Downloaded ${url} (SHA1 = ${hash}) =="
+          echo "== Downloaded ${url} (HASH = ${hash}) =="
         else
           echo "== Downloaded ${url} =="
         fi
@@ -220,21 +221,21 @@ function install-gci-mounter-tools {
 function install-node-problem-detector {
   if [[ -n "${NODE_PROBLEM_DETECTOR_VERSION:-}" ]]; then
       local -r npd_version="${NODE_PROBLEM_DETECTOR_VERSION}"
-      local -r npd_sha1="${NODE_PROBLEM_DETECTOR_TAR_HASH}"
+      local -r npd_hash="${NODE_PROBLEM_DETECTOR_TAR_HASH}"
   else
       local -r npd_version="${DEFAULT_NPD_VERSION}"
-      local -r npd_sha1="${DEFAULT_NPD_SHA1}"
+      local -r npd_hash="${DEFAULT_NPD_HASH}"
   fi
   local -r npd_tar="node-problem-detector-${npd_version}.tar.gz"
 
-  if is-preloaded "${npd_tar}" "${npd_sha1}"; then
+  if is-preloaded "${npd_tar}" "${npd_hash}"; then
     echo "${npd_tar} is preloaded."
     return
   fi
 
   echo "Downloading ${npd_tar}."
   local -r npd_release_path="${NODE_PROBLEM_DETECTOR_RELEASE_PATH:-https://storage.googleapis.com/kubernetes-release}"
-  download-or-bust "${npd_sha1}" "${npd_release_path}/node-problem-detector/${npd_tar}"
+  download-or-bust "${npd_hash}" "${npd_release_path}/node-problem-detector/${npd_tar}"
   local -r npd_dir="${KUBE_HOME}/node-problem-detector"
   mkdir -p "${npd_dir}"
   tar xzf "${KUBE_HOME}/${npd_tar}" -C "${npd_dir}" --overwrite
@@ -247,22 +248,22 @@ function install-node-problem-detector {
 function install-cni-binaries {
   if [[ -n "${CNI_VERSION:-}" ]]; then
       local -r cni_version="${CNI_VERSION}"
-      local -r cni_sha1="${CNI_SHA1}"
+      local -r cni_hash="${CNI_HASH}"
   else
       local -r cni_version="${DEFAULT_CNI_VERSION}"
-      local -r cni_sha1="${DEFAULT_CNI_SHA1}"
+      local -r cni_hash="${DEFAULT_CNI_HASH}"
   fi
 
   local -r cni_tar="${CNI_TAR_PREFIX}${cni_version}.tgz"
   local -r cni_url="${CNI_STORAGE_URL_BASE}/${cni_version}/${cni_tar}"
 
-  if is-preloaded "${cni_tar}" "${cni_sha1}"; then
+  if is-preloaded "${cni_tar}" "${cni_hash}"; then
     echo "${cni_tar} is preloaded."
     return
   fi
 
   echo "Downloading cni binaries"
-  download-or-bust "${cni_sha1}" "${cni_url}"
+  download-or-bust "${cni_hash}" "${cni_url}"
   local -r cni_dir="${KUBE_HOME}/cni"
   mkdir -p "${cni_dir}/bin"
   tar xzf "${KUBE_HOME}/${cni_tar}" -C "${cni_dir}/bin" --overwrite
@@ -275,10 +276,10 @@ function install-cni-binaries {
 function install-crictl {
   if [[ -n "${CRICTL_VERSION:-}" ]]; then
     local -r crictl_version="${CRICTL_VERSION}"
-    local -r crictl_sha1="${CRICTL_TAR_HASH}"
+    local -r crictl_hash="${CRICTL_TAR_HASH}"
   else
     local -r crictl_version="${DEFAULT_CRICTL_VERSION}"
-    local -r crictl_sha1="${DEFAULT_CRICTL_SHA1}"
+    local -r crictl_hash="${DEFAULT_CRICTL_HASH}"
   fi
   local -r crictl="crictl-${crictl_version}-linux-amd64.tar.gz"
 
@@ -287,14 +288,14 @@ function install-crictl {
 runtime-endpoint: ${CONTAINER_RUNTIME_ENDPOINT:-unix:///var/run/dockershim.sock}
 EOF
 
-  if is-preloaded "${crictl}" "${crictl_sha1}"; then
+  if is-preloaded "${crictl}" "${crictl_hash}"; then
     echo "crictl is preloaded"
     return
   fi
 
   echo "Downloading crictl"
   local -r crictl_path="https://storage.googleapis.com/k8s-artifacts-cri-tools/release/${crictl_version}"
-  download-or-bust "${crictl_sha1}" "${crictl_path}/${crictl}"
+  download-or-bust "${crictl_hash}" "${crictl_path}/${crictl}"
   tar xf "${crictl}"
   mv crictl "${KUBE_BIN}/crictl"
 }
@@ -304,15 +305,15 @@ function install-exec-auth-plugin {
       return
   fi
   local -r plugin_url="${EXEC_AUTH_PLUGIN_URL}"
-  local -r plugin_sha1="${EXEC_AUTH_PLUGIN_SHA1}"
+  local -r plugin_hash="${EXEC_AUTH_PLUGIN_HASH}"
 
-  if is-preloaded "gke-exec-auth-plugin" "${plugin_sha1}"; then
+  if is-preloaded "gke-exec-auth-plugin" "${plugin_hash}"; then
     echo "gke-exec-auth-plugin is preloaded"
     return
   fi
 
   echo "Downloading gke-exec-auth-plugin binary"
-  download-or-bust "${plugin_sha1}" "${plugin_url}"
+  download-or-bust "${plugin_hash}" "${plugin_url}"
   mv "${KUBE_HOME}/gke-exec-auth-plugin" "${KUBE_BIN}/gke-exec-auth-plugin"
   chmod a+x "${KUBE_BIN}/gke-exec-auth-plugin"
 
@@ -334,9 +335,9 @@ function install-kube-manifests {
   if [ -n "${KUBE_MANIFESTS_TAR_HASH:-}" ]; then
     local -r manifests_tar_hash="${KUBE_MANIFESTS_TAR_HASH}"
   else
-    echo "Downloading k8s manifests sha1 (not found in env)"
-    download-or-bust "" "${manifests_tar_urls[@]/.tar.gz/.tar.gz.sha1}"
-    local -r manifests_tar_hash=$(cat "${manifests_tar}.sha1")
+    echo "Downloading k8s manifests hash (not found in env)"
+    download-or-bust "" "${manifests_tar_urls[@]/.tar.gz/.tar.gz.sha512}"
+    local -r manifests_tar_hash=$(cat "${manifests_tar}.sha512")
   fi
 
   if is-preloaded "${manifests_tar}" "${manifests_tar_hash}"; then
@@ -363,7 +364,7 @@ function install-kube-manifests {
   cp "${dst_dir}/kubernetes/gci-trusty/health-monitor.sh" "${KUBE_BIN}/health-monitor.sh"
 
   rm -f "${KUBE_HOME}/${manifests_tar}"
-  rm -f "${KUBE_HOME}/${manifests_tar}.sha1"
+  rm -f "${KUBE_HOME}/${manifests_tar}.sha512"
 }
 
 # A helper function for loading a docker image. It keeps trying up to 5 times.
@@ -547,9 +548,9 @@ function install-kube-binary-config {
   if [[ -n "${SERVER_BINARY_TAR_HASH:-}" ]]; then
     local -r server_binary_tar_hash="${SERVER_BINARY_TAR_HASH}"
   else
-    echo "Downloading binary release sha1 (not found in env)"
-    download-or-bust "" "${server_binary_tar_urls[@]/.tar.gz/.tar.gz.sha1}"
-    local -r server_binary_tar_hash=$(cat "${server_binary_tar}.sha1")
+    echo "Downloading binary release sha512 (not found in env)"
+    download-or-bust "" "${server_binary_tar_urls[@]/.tar.gz/.tar.gz.sha512}"
+    local -r server_binary_tar_hash=$(cat "${server_binary_tar}.sha512")
   fi
 
   if is-preloaded "${server_binary_tar}" "${server_binary_tar_hash}"; then
@@ -613,7 +614,7 @@ function install-kube-binary-config {
   # Clean up.
   rm -rf "${KUBE_HOME}/kubernetes"
   rm -f "${KUBE_HOME}/${server_binary_tar}"
-  rm -f "${KUBE_HOME}/${server_binary_tar}.sha1"
+  rm -f "${KUBE_HOME}/${server_binary_tar}.sha512"
 }
 
 ######### Main Function ##########

cluster/gce/gci/mounter/stage-upload.sh

@@ -63,6 +63,6 @@ echo "Uploading gci mounter ACI in ${ACI_DIR} to ${MOUNTER_GCS_DIR}"
 gsutil cp "${ACI_DIR}/${MOUNTER_ACI_IMAGE}" "${MOUNTER_GCS_DIR}"
 
 echo "Upload completed"
-echo "Updated gci-mounter ACI version and SHA1 in cluster/gce/gci/configure.sh"
-ACI_HASH=$(sha1sum "${ACI_DIR}/${MOUNTER_ACI_IMAGE}")
+echo "Updated gci-mounter ACI version and SH512 in cluster/gce/gci/configure.sh"
+ACI_HASH=$(sha512sum "${ACI_DIR}/${MOUNTER_ACI_IMAGE}")
 echo "${MOUNTER_ACI_IMAGE} hash: ${ACI_HASH}"

cluster/gce/util.sh

@@ -239,10 +239,10 @@ function copy-to-staging() {
     fi
   fi
 
-  echo "${hash}" > "${tar}.sha1"
-  gsutil -m -q -h "Cache-Control:private, max-age=0" cp "${tar}" "${tar}.sha1" "${staging_path}"
-  gsutil -m acl ch -g all:R "${gs_url}" "${gs_url}.sha1" >/dev/null 2>&1 || true
-  echo "+++ ${basename_tar} uploaded (sha1 = ${hash})"
+  echo "${hash}" > "${tar}.sha512"
+  gsutil -m -q -h "Cache-Control:private, max-age=0" cp "${tar}" "${tar}.sha512" "${staging_path}"
+  gsutil -m acl ch -g all:R "${gs_url}" "${gs_url}.sha512" >/dev/null 2>&1 || true
+  echo "+++ ${basename_tar} uploaded (sha512 = ${hash})"
 }
 
 
@@ -314,13 +314,13 @@ function upload-tars() {
     DOCKER_REGISTRY_MIRROR_URL="https://mirror.gcr.io"
   fi
 
-  SERVER_BINARY_TAR_HASH=$(sha1sum-file "${SERVER_BINARY_TAR}")
+  SERVER_BINARY_TAR_HASH=$(sha512sum-file "${SERVER_BINARY_TAR}")
 
   if [[ -n "${NODE_BINARY_TAR:-}" ]]; then
-    NODE_BINARY_TAR_HASH=$(sha1sum-file "${NODE_BINARY_TAR}")
+    NODE_BINARY_TAR_HASH=$(sha512sum-file "${NODE_BINARY_TAR}")
   fi
   if [[ -n "${KUBE_MANIFESTS_TAR:-}" ]]; then
-    KUBE_MANIFESTS_TAR_HASH=$(sha1sum-file "${KUBE_MANIFESTS_TAR}")
+    KUBE_MANIFESTS_TAR_HASH=$(sha512sum-file "${KUBE_MANIFESTS_TAR}")
   fi
 
   local server_binary_tar_urls=()
@@ -506,11 +506,11 @@ function load-or-gen-kube-bearertoken() {
 #   SERVER_BINARY_TAR_URL
 #   SERVER_BINARY_TAR_HASH
 function tars_from_version() {
-  local sha1sum=""
-  if which sha1sum >/dev/null 2>&1; then
-    sha1sum="sha1sum"
+  local sha512sum=""
+  if which sha512sum >/dev/null 2>&1; then
+    sha512sum="sha512sum"
   else
-    sha1sum="shasum -a1"
+    sha512sum="shasum -a512"
   fi
 
   if [[ -z "${KUBE_VERSION-}" ]]; then
@@ -520,18 +520,18 @@ function tars_from_version() {
     SERVER_BINARY_TAR_URL="https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/kubernetes-server-linux-amd64.tar.gz"
     # TODO: Clean this up.
     KUBE_MANIFESTS_TAR_URL="${SERVER_BINARY_TAR_URL/server-linux-amd64/manifests}"
-    KUBE_MANIFESTS_TAR_HASH=$(curl ${KUBE_MANIFESTS_TAR_URL} --silent --show-error | ${sha1sum} | awk '{print $1}')
+    KUBE_MANIFESTS_TAR_HASH=$(curl ${KUBE_MANIFESTS_TAR_URL} --silent --show-error | ${sha512sum} | awk '{print $1}')
   elif [[ ${KUBE_VERSION} =~ ${KUBE_CI_VERSION_REGEX} ]]; then
     SERVER_BINARY_TAR_URL="https://storage.googleapis.com/kubernetes-release-dev/ci/${KUBE_VERSION}/kubernetes-server-linux-amd64.tar.gz"
     # TODO: Clean this up.
     KUBE_MANIFESTS_TAR_URL="${SERVER_BINARY_TAR_URL/server-linux-amd64/manifests}"
-    KUBE_MANIFESTS_TAR_HASH=$(curl ${KUBE_MANIFESTS_TAR_URL} --silent --show-error | ${sha1sum} | awk '{print $1}')
+    KUBE_MANIFESTS_TAR_HASH=$(curl ${KUBE_MANIFESTS_TAR_URL} --silent --show-error | ${sha512sum} | awk '{print $1}')
   else
     echo "Version doesn't match regexp" >&2
     exit 1
   fi
-  if ! SERVER_BINARY_TAR_HASH=$(curl -Ss --fail "${SERVER_BINARY_TAR_URL}.sha1"); then
-    echo "Failure trying to curl release .sha1"
+  if ! SERVER_BINARY_TAR_HASH=$(curl -Ss --fail "${SERVER_BINARY_TAR_URL}.sha512"); then
+    echo "Failure trying to curl release .sha512"
   fi
 
   if ! curl -Ss --head "${SERVER_BINARY_TAR_URL}" >&/dev/null; then
@@ -1144,7 +1144,7 @@ NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS: $(yaml-quote ${NODE_PROBLEM_DETECTOR_CUSTOM_
 CNI_STORAGE_URL_BASE: $(yaml-quote ${CNI_STORAGE_URL_BASE:-})
 CNI_TAR_PREFIX: $(yaml-quote ${CNI_TAR_PREFIX:-})
 CNI_VERSION: $(yaml-quote ${CNI_VERSION:-})
-CNI_SHA1: $(yaml-quote ${CNI_SHA1:-})
+CNI_HASH: $(yaml-quote ${CNI_HASH:-})
 ENABLE_NODE_LOGGING: $(yaml-quote ${ENABLE_NODE_LOGGING:-false})
 LOGGING_DESTINATION: $(yaml-quote ${LOGGING_DESTINATION:-})
 ELASTICSEARCH_LOGGING_REPLICAS: $(yaml-quote ${ELASTICSEARCH_LOGGING_REPLICAS:-})
@@ -1550,11 +1550,11 @@ WINDOWS_INFRA_CONTAINER: $(yaml-quote ${WINDOWS_INFRA_CONTAINER})
 EOF
 }
 
-function sha1sum-file() {
-  if which sha1sum >/dev/null 2>&1; then
-    sha1sum "$1" | awk '{ print $1 }'
+function sha512sum-file() {
+  if which sha512sum >/dev/null 2>&1; then
+    sha512sum "$1" | awk '{ print $1 }'
   else
-    shasum -a1 "$1" | awk '{ print $1 }'
+    shasum -a512 "$1" | awk '{ print $1 }'
   fi
 }
 

cluster/gce/windows/common.psm1

@@ -128,12 +128,12 @@ function Validate-SHA {
 # It will loop through the URLs list forever until it has a success. If
 # successful, it will write the file to OutFile. You can optionally provide a
 # Hash argument with an optional Algorithm, in which case it will attempt to
-# validate the downloaded file against the hash. SHA1 will be used if Algorithm
+# validate the downloaded file against the hash. SHA512 will be used if Algorithm
 # is not provided.
 function MustDownload-File {
   param (
     [parameter(Mandatory=$false)] [string]$Hash,
-    [parameter(Mandatory=$false)] [string]$Algorithm = 'SHA1',
+    [parameter(Mandatory=$false)] [string]$Algorithm = 'SHA512',
     [parameter(Mandatory=$true)] [string]$OutFile,
     [parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs,
     [parameter(Mandatory=$false)] [System.Collections.IDictionary]$Headers = @{}