Upgrade to Salt 3000.2 python2 #2504
Conversation
Package version may not be a string but an int or a float, so just cast the versions to string before comparing them
In salt we push CA content to the mine but in newer Salt version (>= 2019) if we not use the `tojson` filter on it we get unicode lines so on each line of the resulting certificate you will have `u'<content>'` which is not a valid certificate
In Salt '3000.2' we can't provide kwargs for mine call, so we need to use potitional arguments in pillar and for `module.run` with `mine.send` we need to use potitional arguments to provide the mine name, as `func` get renamed to `name` but this arguments is gave to the function behind, which make the mine function call fail. Sees saltstack/salt#56584
Hello teddyandrieux,My role is to assist you with the merge of this Status report is not available. |
Branches have divergedThis pull request's source branch To avoid any integration risks, please re-synchronize them using one of the
Note: If you choose to rebase, you may have to ask me to rebuild |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/2.1/improvement/GH-650-upgrade-to-salt-3000 origin/development/2.1
$ git merge origin/improvement/GH-650-upgrade-to-salt-3000
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/2.1/improvement/GH-650-upgrade-to-salt-3000 |
Sometimes we use a complex structure as an interpolated value in an SLS file. Whilst this works, this is merely by accident, and Salt 2019.2 changes the behaviour: complex values would be spliced in using their `unicode` representation, including `u""` markers. As such, use a proper `tojson` filter in the Jinja templates instead. See: #650 See: #650 See: https://docs.saltstack.com/en/latest/topics/releases/2019.2.0.html#non-backward-compatible-change-to-yaml-renderer (cherry picked from commit 0dbcbd1)
TeddyAndrieux
force-pushed
the
improvement/GH-650-upgrade-to-salt-3000
branch
2 times, most recently
from
203aa01
to
b01769f
Compare
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/2.4/improvement/GH-650-upgrade-to-salt-3000 origin/development/2.4
$ git merge origin/w/2.3/improvement/GH-650-upgrade-to-salt-3000
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/2.4/improvement/GH-650-upgrade-to-salt-3000 |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/2.5/improvement/GH-650-upgrade-to-salt-3000 origin/development/2.5
$ git merge origin/w/2.4/improvement/GH-650-upgrade-to-salt-3000
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/2.5/improvement/GH-650-upgrade-to-salt-3000 |
TeddyAndrieux
force-pushed
the
improvement/GH-650-upgrade-to-salt-3000
branch
from
b01769f
to
b296660
Compare
History mismatchMerge commit #19ef077932b64e9be95ba7496b7905cba27b982a on the integration branch It is likely due to a rebase of the branch Please use the |
|
/reset |
Reset completeI have successfully deleted this pull request's integration branches. |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/2.1/improvement/GH-650-upgrade-to-salt-3000 origin/development/2.1
$ git merge origin/improvement/GH-650-upgrade-to-salt-3000
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/2.1/improvement/GH-650-upgrade-to-salt-3000 |
Salt auth not longer support additional kwargs for custom auth in Salt 3000.2, so we cannot provide `token_type` instead consider it's a Bearer auth if a `token` is provided and a Basic auth if we have a `password` See: saltstack/salt@3dbe8dc
Change salt-master image to salt 3000.2 and download salt-minion version 3000.2 Fixes: #650
TeddyAndrieux
force-pushed
the
improvement/GH-650-upgrade-to-salt-3000
branch
from
b296660
to
6e9bbfd
Compare
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/2.4/improvement/GH-650-upgrade-to-salt-3000 origin/development/2.4
$ git merge origin/w/2.3/improvement/GH-650-upgrade-to-salt-3000
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/2.4/improvement/GH-650-upgrade-to-salt-3000 |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/2.5/improvement/GH-650-upgrade-to-salt-3000 origin/development/2.5
$ git merge origin/w/2.4/improvement/GH-650-upgrade-to-salt-3000
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/2.5/improvement/GH-650-upgrade-to-salt-3000 |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/2.6/improvement/GH-650-upgrade-to-salt-3000 origin/development/2.6
$ git merge origin/w/2.5/improvement/GH-650-upgrade-to-salt-3000
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/2.6/improvement/GH-650-upgrade-to-salt-3000 |
History mismatchMerge commit #604a2922455cebaaa856ccf2158521dda075da45 on the integration branch It is likely due to a rebase of the branch Please use the |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
|
|
/help |
Help pageThe following options and commands are available at this time. Options
Commands
|
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
|
|
/create_pull_requests |
Integration data createdI have created the integration data for the additional destination branches.
The following branches will NOT be impacted:
Follow integration pull requests if you would like to be notified of The following options are set: create_pull_requests |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
The following options are set: create_pull_requests |
| '"password" at the same time' | ||
| ) | ||
| return False | ||
| if not token and (not password or not username): |
There was a problem hiding this comment.
Don't change it, but in the future, you can make this boolean expression more readable with:
if not (token or password and username):
# Or with parentheses
if not (token or (password and username)):
There was a problem hiding this comment.
An underrated pattern:
if not any([
token,
username and password,
]):
blah()There was a problem hiding this comment.
Like this one, it's even more readable :)
There was a problem hiding this comment.
While strictly speaking less efficient (so could make a difference in 'hot' loops and such), any and all often make multiple or'ed or and'ed boolean expressions easier to grasp.
|
/approve |
In the queueThe changeset has received all authorizations and has been added to the The changeset will be merged in:
The following branches will NOT be impacted:
There is no action required on your side. You will be notified here once IMPORTANT Please do not attempt to modify this pull request.
If you need this pull request to be removed from the queue, please contact a The following options are set: create_pull_requests, approve |
|
I have successfully merged the changeset of this pull request
The following branches have NOT changed:
Please check the status of the associated issue GH-650. Goodbye teddyandrieux. |
Component:
'salt'
Context:
Two CVE were found on the Salt side that has a huge security impact, Salt version 3000.2 include these fixes.
https://docs.saltstack.com/en/latest/topics/releases/3000.2.html#salt-3000-2-release-notes
https://labs.f-secure.com/advisories/saltstack-authorization-bypass
Summary:
In order to fix this CVE ASAP do not wait to have a full python3 solution for MetalK8s and use the python2 version of Salt 3000.2.
To support Salt 3000.2:
tojsonfilter when dumping certs from Salt mine to avoid unicode invalid certificatetoken_typefromkubernetes_rbacsalt Auth as we cannot provide additional kwargs for auth in Salt 3000.2 (saltstack/salt@3dbe8dc)Fixes: #650