Merge pull request #174 from sighupio/feat/add-v1.26.5-backport-from-…

…v1.27.2

Feat: add v1.26.5 release with backport features from v1.27.2

.drone.yml

@@ -10,6 +10,9 @@ platform:
   os: linux
   arch: amd64
 
+clone:
+  depth: 1
+
 steps:
   - name: license-check
     image: quay.io/sighup/golang:1.21.5
@@ -59,9 +62,6 @@ steps:
     # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0
     image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1
     pull: always
-    volumes:
-      - name: shared
-        path: /shared
     depends_on:
       - license-check
       - schema-check
@@ -97,12 +97,12 @@ name: e2e-kubernetes-1.26
 kind: pipeline
 type: docker
 
-node:
-  runner: internal
-
 depends_on:
   - qa
 
+clone:
+  depth: 1
+
 platform:
   os: linux
   arch: amd64
@@ -111,101 +111,92 @@ trigger:
   ref:
     include:
       - refs/tags/**
-      - refs/heads/master
       - refs/heads/main
       - refs/heads/release-v**
     exclude:
       - refs/tags/**-docs*
 
 steps:
-  - name: init
-    image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4
+  - name: create Kind cluster
+    image: quay.io/sighup/dind-kind-kubectl-kustomize:0.20.0_1.29.1_3.10.0
     pull: always
     volumes:
-      - name: shared
-        path: /shared
-    depends_on: [clone]
-    settings:
-      action: custom-cluster-126
-      pipeline_id: cluster-126
-      local_kind_config_path: tests/config/kind-config-custom
-      cluster_version: "1.26.4"
-      instance_path: /shared
-      instance_size: 2-extra-large
-      aws_default_region:
-        from_secret: aws_region
-      aws_access_key_id:
-        from_secret: aws_access_key_id
-      aws_secret_access_key:
-        from_secret: aws_secret_access_key
-      terraform_tf_states_bucket_name:
-        from_secret: terraform_tf_states_bucket_name
-      vsphere_server:
-        from_secret: vsphere_server
-      vsphere_password:
-        from_secret: vsphere_password
-      vsphere_user:
-        from_secret: vsphere_user
-      dockerhub_username:
-        from_secret: dockerhub_username
-      dockerhub_password:
-        from_secret: dockerhub_password
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      CLUSTER_VERSION: v1.26.4
+      CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}
+      # /drone/src is the default workdir for the pipeline
+      # using this folder we don't need to mount another
+      # shared volume between the steps
+      KUBECONFIG: /drone/src/kubeconfig
+    commands:
+      # create a custom config to disable Kind's default CNI so
+      # we can test using KFD's networking module.
+      - |
+        cat <<EOF > kind-config.yaml
+        kind: Cluster
+        apiVersion: kind.x-k8s.io/v1alpha4
+        networking:
+          disableDefaultCNI: true
+        nodes:
+          - role: control-plane
+          - role: worker
+        EOF
+      # NOTE: kind's `--wait` flag that waits for the control-plane ot be ready
+      # does not work when disabling the default CNI. It will always go in timeout.
+      - kind create cluster --name $${CLUSTER_NAME} --image registry.sighup.io/fury/kindest/node:$${CLUSTER_VERSION} --config kind-config.yaml
+      # save the kubeconfig so we can use it from other steps.
+      - kind get kubeconfig --name $${CLUSTER_NAME} > $${KUBECONFIG}
 
-  - name: e2e
-    # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0
+  - name: e2e-kfddistribution
+    # KUBECTL_KUSTOMIZE_HELM_YQ_ISTIOCTL_FURYCTL_BATS
     image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3
     pull: always
-    volumes:
-      - name: shared
-        path: /shared
-    depends_on: [init]
+    # we need to use host network to access Kind API port that is listening on the worker's loopback
+    # beacuse we mount the host's Docker socket to run Kind.
+    network_mode: host
+    environment:
+      CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}
+      KUBECONFIG: /drone/src/kubeconfig
+      FURYCTL_VERSION: v0.27.3-rc.2
+    depends_on: [create Kind cluster]
     commands:
-      - ls -la /shared/
-      - ls -la /shared/kube/
-      - export KUBECONFIG=/shared/kube/kubeconfig-126
-      - bats -t tests/install.sh
-      - bats -t tests/networking.sh
-      - bats -t tests/monitoring.sh
-      - bats -t tests/logging.sh
-      - bats -t tests/ingress.sh
-      - bats -t tests/dr.sh
-      - bats -t tests/opa.sh
-      - bats -t tests/schema.sh
+      - export KUBECONFIG=/drone/src/kubeconfig
+      # We change the loopback IP in the kubeconfig to use the service hostname and keep the port.
+      # - 'sed -Ei "s#(server: https://)(.*)(:.*)#\1kind-cluster\3#" $${KUBECONFIG}'
+      - echo "Installing the correct furyctl version..."
+      - curl -L "https://github.com/sighupio/furyctl/releases/download/$${FURYCTL_VERSION}/furyctl-$(uname -s)-amd64.tar.gz" -o /tmp/furyctl.tar.gz && tar xfz /tmp/furyctl.tar.gz -C /tmp
+      # to use furyctl latest, use the following instead:
+      # - curl -L "https://github.com/sighupio/furyctl/releases/latest/download/furyctl-$(uname -s)-amd64.tar.gz" -o /tmp/furyctl.tar.gz && tar xfz /tmp/furyctl.tar.gz -C /tmp
+      - chmod +x /tmp/furyctl
+      # check that the kind cluster is ready before we move on
+      # - kubectl wait --timeout=180s --for=condition=ready pod --all -n kube-system
+      - until kubectl get serviceaccount default > /dev/null 2>&1; do echo "waiting for control-plane" && sleep 1; done
+      # finally, run the e2e tests
+      - tests/e2e-kfddistribution.sh
 
-  - name: destroy
-    image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4
-    pull: always
-    depends_on: [e2e]
-    settings:
-      action: destroy
-      pipeline_id: cluster-126
-      instance_size: 2-extra-large
-      aws_default_region:
-        from_secret: aws_region
-      aws_access_key_id:
-        from_secret: aws_access_key_id
-      aws_secret_access_key:
-        from_secret: aws_secret_access_key
-      terraform_tf_states_bucket_name:
-        from_secret: terraform_tf_states_bucket_name
-      vsphere_server:
-        from_secret: vsphere_server
-      vsphere_password:
-        from_secret: vsphere_password
-      vsphere_user:
-        from_secret: vsphere_user
-      dockerhub_username:
-        from_secret: dockerhub_username
-      dockerhub_password:
-        from_secret: dockerhub_password
+  - name: delete-kind-cluster
+    image: quay.io/sighup/dind-kind-kubectl-kustomize:0.20.0_1.29.1_3.10.0
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}
+    commands:
+      # does not matter if the command fails
+      - kind delete cluster --name $${CLUSTER_NAME} || true
+    depends_on:
+      - e2e-kfddistribution
     when:
       status:
         - success
         - failure
 
 volumes:
-  - name: shared
-    temp: {}
+  - name: dockersock
+    host:
+      path: /var/run/docker.sock
 
 ---
 name: release
@@ -236,7 +227,6 @@ steps:
     commands:
       - furyctl vendor -H
       - kustomize build . > $${RELEASE_MANIFESTS_PATH}
-      - cp tests/config/kind-config-custom kind-config-${DRONE_TAG}.yml
     when:
       ref:
         include:
@@ -268,7 +258,6 @@ steps:
       file_exists: skip
       files:
         - fury-distribution-${DRONE_TAG}.yml
-        - kind-config-${DRONE_TAG}.yml
         - Furyfile.yaml
         - kustomization.yaml
         - kfd.yaml
@@ -298,7 +287,6 @@ steps:
       file_exists: skip
       files:
         - fury-distribution-${DRONE_TAG}.yml
-        - kind-config-${DRONE_TAG}.yml
         - Furyfile.yaml
         - kustomization.yaml
         - kfd.yaml

.gitignore

@@ -6,3 +6,4 @@ vendor
 
 go.work
 go.work.sum
+.envrc

Furyfile.yaml

@@ -10,9 +10,9 @@ versions:
   ingress: v2.2.0
   logging: v3.3.1
   monitoring: v3.0.1
-  opa: v1.11.0
+  opa: v1.11.1
   networking: v1.15.0
-  tracing: v1.0.1
+  tracing: v1.0.2
 
 bases:
   - name: auth

Makefile

@@ -60,7 +60,7 @@ tools-go:
 	@go install golang.org/x/tools/cmd/goimports@v0.9.3
 	@go install github.com/daixiang0/gci@v0.10.1
 	@go install github.com/momaek/formattag@v0.0.9
-	@go install github.com/santhosh-tekuri/jsonschema/cmd/jv@v5.3.0
+	@go install github.com/santhosh-tekuri/jsonschema/cmd/jv@v0.4.0
 
 .PHONY: generate-private-schema dump-go-models
 

README.md

@@ -7,8 +7,8 @@
 <p align="center">Kubernetes Fury Distribution (KFD) is a certified battle-tested Kubernetes distribution based purely on upstream Kubernetes.</p>
 <!-- markdownlint-enable MD033 -->
 
-[![Build Status](http://ci.sighup.io/api/badges/sighupio/fury-distribution/status.svg?ref=refs/tags/v1.26.4)](http://ci.sighup.io/sighupio/fury-distribution)
-[![Release](https://img.shields.io/badge/release-v1.26.4-blue?label=FuryDistributionRelease)](https://github.com/sighupio/fury-distribution/releases/latest)
+[![Build Status](http://ci.sighup.io/api/badges/sighupio/fury-distribution/status.svg?ref=refs/tags/v1.26.5)](http://ci.sighup.io/sighupio/fury-distribution)
+[![Release](https://img.shields.io/badge/release-v1.26.5-blue?label=FuryDistributionRelease)](https://github.com/sighupio/fury-distribution/releases/latest)
 [![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack)](https://kubernetes.slack.com/archives/C0154HYTAQH)
 [![License](https://img.shields.io/github/license/sighupio/fury-distribution)](https://github.com/sighupio/fury-distribution/blob/main/LICENSE)
 
@@ -96,9 +96,9 @@ Current supported versions of KFD are:
 
 |                                  KFD Version                                   | Kubernetes Version |
 | :----------------------------------------------------------------------------: | :----------------: |
-| [`1.27.0`](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.4) |      `1.27.x`      |
-| [`1.26.4`](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.4) |      `1.26.x`      |
-| [`1.25.9`](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.9) |      `1.25.x`      |
+| [`1.27.3`](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.3) |      `1.27.x`      |
+| [`1.26.5`](https://github.com/sighupio/fury-distribution/releases/tag/v1.26.5) |      `1.26.x`      |
+| [`1.25.10`](https://github.com/sighupio/fury-distribution/releases/tag/v1.25.10) |      `1.25.x`      |
 
 Check the [compatibility matrix][compatibility-matrix] for additional information about previous releases of the Distribution and the compatibility with `furyctl`.
 
@@ -140,9 +140,9 @@ KFD is open-source software and it's released under the following [LICENSE](LICE
 [ingress-version]: https://img.shields.io/badge/release-v2.2.0-blue
 [logging-version]: https://img.shields.io/badge/release-v3.3.1-blue
 [monitoring-version]: https://img.shields.io/badge/release-v3.0.1-blue
-[tracing-version]: https://img.shields.io/badge/release-v1.0.1-blue
+[tracing-version]: https://img.shields.io/badge/release-v1.0.2-blue
 [dr-version]: https://img.shields.io/badge/release-v2.2.0-blue
-[opa-version]: https://img.shields.io/badge/release-v1.11.0-blue
+[opa-version]: https://img.shields.io/badge/release-v1.11.1-blue
 [auth-version]: https://img.shields.io/badge/release-v0.1.0-blue
 
 <!-- Addon Modules -->

defaults/ekscluster-kfd-v1alpha2.yaml

@@ -142,9 +142,10 @@ data:
         retentionSize: 120GB
         storageSize: 150Gi
       alertmanager:
+        installDefaultRules: true
         deadManSwitchWebhookUrl: ""
         slackWebhookUrl: ""
-      mimir: 
+      mimir:
         retentionTime: 30d
         # backend can be minio, externalEndpoint
         backend: minio
@@ -210,21 +211,33 @@ data:
       gatekeeper:
         # this configuration adds namespaces to the excluded list, actually whitelisting them
         additionalExcludedNamespaces: []
+        enforcementAction: deny
+        installDefaultPolicies: true
       kyverno:
         # this configuration adds namespaces to the excluded list, actually whitelisting them
         additionalExcludedNamespaces: []
+        validationFailureAction: enforce
+        installDefaultPolicies: true
     # dr module configuration
     dr:
+      type: none
       overrides:
         nodeSelector: null
         tolerations: null
       # the standard configuration for velero on the dr module
       velero:
+        backend: minio
         # this configuration will be used if common.provider.type is eks
         eks:
           iamRoleArn: arn:aws:iam::123456789012:role/example-velero
           region: eu-west-1
           bucketName: example-velero
+        externalEndpoint:
+          endpoint: s3.eu-west-1.amazonaws.com
+          insecure: false
+          secretAccessKey: example
+          accessKeyId: example
+          bucketName: velerobucket
     # auth module configuration
     auth:
       overrides:

defaults/kfddistribution-kfd-v1alpha2.yaml

@@ -135,9 +135,10 @@ data:
         retentionSize: 120GB
         storageSize: 150Gi
       alertmanager:
+        installDefaultRules: true
         deadManSwitchWebhookUrl: ""
         slackWebhookUrl: ""
-      mimir: 
+      mimir:
         retentionTime: 30d
         # backend can be minio, externalEndpoint
         backend: minio
@@ -202,16 +203,28 @@ data:
       gatekeeper:
         # this configuration adds namespaces to the excluded list, actually whitelisting them
         additionalExcludedNamespaces: []
+        enforcementAction: deny
+        installDefaultPolicies: true
       kyverno:
         # this configuration adds namespaces to the excluded list, actually whitelisting them
         additionalExcludedNamespaces: []
+        validationFailureAction: enforce
+        installDefaultPolicies: true
     # dr module configuration
     dr:
+      type: none
       overrides:
         nodeSelector: null
         tolerations: null
       # the standard configuration for velero on the dr module
-      velero: {}
+      velero:
+        backend: minio
+        externalEndpoint:
+          endpoint: s3.eu-west-1.amazonaws.com
+          insecure: false
+          secretAccessKey: example
+          accessKeyId: example
+          bucketName: velerobucket
     # auth module configuration
     auth:
       overrides: