From f72544f9a137bb97a29f4c370ec3da31c202861f Mon Sep 17 00:00:00 2001 From: Peter Matseykanets Date: Thu, 8 Feb 2024 06:50:13 -0500 Subject: [PATCH] [2.6] Fixes (#44370) * Add a check for specific fields we don't want in the headers (#394) * Merge pull request #417 from rmweir/rbac-pkg-p1-v2.6 [Backport] v2.6: Rbac pkg p1 * Merge pull request #425 from bfbachmann/backport-ssh Adds openssh-clients package installation. * [2.6] Bump API-UI version #435 * Update norman and apiserver * Update RKE to 1.3.24 * Regenerate files after updating RKE to 1.3.24 * Update runc to 1.1.12 * [v2.6] Backport Github Action to verify generated code changes * Update steve --------- Co-authored-by: Jonathan Crowther Co-authored-by: Ricardo Weir Co-authored-by: Bruno Bachmann --- .../verify-generated-code-changes.yml | 2 +- go.mod | 12 +- go.sum | 36 +- package/Dockerfile | 4 +- pkg/apis/go.mod | 4 +- pkg/apis/go.sum | 8 +- pkg/auth/audit/audit.go | 8 +- pkg/auth/audit/audit_test.go | 22 ++ .../v3/zz_generated_aci_network_provider.go | 374 ++++++++++-------- pkg/client/go.mod | 2 +- pkg/client/go.sum | 4 +- .../managementuser/rbac/cluster_handler.go | 7 + .../managementuser/rbac/handler_base_test.go | 199 ++++++++-- .../managementuser/rbac/namespace_handler.go | 4 +- .../rbac/namespace_handler_test.go | 169 ++++++-- .../rbac/project_handler_test.go | 39 +- .../managementuser/rbac/prtb_handler.go | 17 +- .../rbac/reconcile_roletemplate.go | 117 +++--- .../rbac/reconcile_roletemplate_test.go | 255 ++++++++++++ .../rbac/roletemplate_handler.go | 16 +- pkg/settings/setting.go | 2 +- .../v3/zz_generated_aci_network_provider.go | 374 ++++++++++-------- tests/v2/codecoverage/package/Dockerfile | 2 +- .../package/Dockerfile.ranchertest | 2 +- 24 files changed, 1158 insertions(+), 521 deletions(-) create mode 100644 pkg/controllers/managementuser/rbac/reconcile_roletemplate_test.go 
diff --git a/.github/workflows/verify-generated-code-changes.yml b/.github/workflows/verify-generated-code-changes.yml index a765d4e97a4..612a2595c76 100644 --- a/.github/workflows/verify-generated-code-changes.yml +++ b/.github/workflows/verify-generated-code-changes.yml @@ -40,7 +40,7 @@ jobs: run: ./.github/scripts/check-for-go-mod-changes.sh - name: Install controller-gen - run: go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.12.0 + run: go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.12.0 - name: Verify auto-generated changes run: ./.github/scripts/check-for-auto-generated-changes.sh diff --git a/go.mod b/go.mod index 314521e3ec6..874b686b626 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ replace ( github.com/knative/pkg => github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e github.com/matryer/moq => github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77 - github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.2 + github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.12 github.com/rancher/rancher/pkg/apis => ./pkg/apis github.com/rancher/rancher/pkg/client => ./pkg/client @@ -103,7 +103,7 @@ require ( github.com/prometheus/client_model v0.2.0 github.com/prometheus/common v0.32.1 github.com/rancher/aks-operator v1.0.9 - github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5 + github.com/rancher/apiserver v0.0.0-20240205164636-4df268e250f6 github.com/rancher/channelserver v0.5.1-0.20220405170618-28c9b37deff1 github.com/rancher/dynamiclistener v0.3.5 github.com/rancher/eks-operator v1.1.6-rc3 
@@ -113,14 +113,14 @@ require ( github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc github.com/rancher/lasso/controller-runtime v0.0.0-20220627205005-00d9c8e9dda6 github.com/rancher/machine v0.15.0-rancher96 - github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a + github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b github.com/rancher/rancher/pkg/apis v0.0.0 github.com/rancher/rancher/pkg/client v0.0.0 github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8 - github.com/rancher/rke v1.3.20 + github.com/rancher/rke v1.3.24 github.com/rancher/security-scan v0.1.7-0.20200222041501-f7377f127168 - github.com/rancher/steve v0.0.0-20230224165120-1a36a52a25b7 + github.com/rancher/steve v0.0.0-20240207201906-815e20b6e12b github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007 github.com/rancher/wrangler v1.0.1-0.20230208234005-a59a11cc3ef5 github.com/robfig/cron v1.1.0 @@ -215,7 +215,7 @@ require ( github.com/coredns/corefile-migration v1.0.17 // indirect github.com/coreos/go-systemd/v22 v22.3.2 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect - github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/dimchansky/utfbom v1.1.0 // indirect github.com/docker/cli v20.10.17+incompatible // indirect github.com/docker/docker-credential-helpers v0.6.4 // indirect diff --git a/go.sum b/go.sum index 8568ac308e6..123f017aab2 100644 --- a/go.sum +++ b/go.sum 
@@ -430,8 +430,8 @@ github.com/creasty/defaults v1.5.2/go.mod h1:FPZ+Y0WNrbqOVw+c6av63eyHUAl6pMHZwqL github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4= github.com/crewjam/saml v0.4.10 h1:Rjs6x4s/aQFXiaPjw3uhB4VdxRqoxHXOJrrj4BsMn9o= github.com/crewjam/saml v0.4.10/go.mod h1:9Zh6dWPtB3MSzTRt8fIFH60Z351QQ+s7hCU3J/tTlA4= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ= github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= @@ -1201,6 +1201,7 @@ github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1: github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c h1:3wkDRdxK92dF+c1ke2dtj7ZzemFWBHB9plnJOtlwdFA= github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c/go.mod h1:skjdDftzkFALcuGzYSklqYd8gvat6F1gZJ4YPVbkZpM= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= +github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 
@@ -1265,8 +1266,8 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 h1:+czc/J8SlhPKLOtVLMQc+xDCFBT73ZStMsRhSsUhsSg= github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198/go.mod h1:j4h1pJW6ZcJTgMZWP3+7RlG3zTaP02aDZ/Qw0sppK7Q= -github.com/opencontainers/runc v1.1.2 h1:2VSZwLx5k/BfsBxMMipG/LYUnmqOD/BPkIVgQUcTlLw= -github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= +github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss= +github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8= github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= 
@@ -1385,8 +1386,8 @@ github.com/quobyte/api v0.1.8/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H github.com/rancher/aks-operator v1.0.9 h1:RXBce90HqgYpSlGMiIRMviN4qOvfYcKA8BnBG3X8gzM= github.com/rancher/aks-operator v1.0.9/go.mod h1:qK59c7DFxpYn14sXHbbPkNl7zUNyuN0qkFUUHXsQ0jA= github.com/rancher/apiserver v0.0.0-20201023000256-1a0a904f9197/go.mod h1:8W0EwaR9dH5NDFw6mpAX437D0q+EZqKWbZyX71+z2WI= -github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5 h1:n+hEi53DqCPD+RnjH/uGuz3ER2sx7DzGQWt/n7q1jYs= -github.com/rancher/apiserver v0.0.0-20230502191800-c17b7df705a5/go.mod h1:Ff9wwzgKLCg30LjywsK1Tswvn+5ELvQZ6GXmutPA6po= +github.com/rancher/apiserver v0.0.0-20240205164636-4df268e250f6 h1:XmTVxa8K29C/uYdTKZ+OE3K1FkpdOTEEZZdh6nE1WS0= +github.com/rancher/apiserver v0.0.0-20240205164636-4df268e250f6/go.mod h1:Ff9wwzgKLCg30LjywsK1Tswvn+5ELvQZ6GXmutPA6po= github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863 h1:7cVEMgwyiVhLyu/Ywuw58mkkh9cWpFE3+X8IrWncBxU= github.com/rancher/aws-iam-authenticator v0.5.9-0.20220713170329-78acb8c83863/go.mod h1:6dId2LCc8oHqeBzP6E8ndp4DflhKTxYLb5ZXwI4YmFA= github.com/rancher/channelserver v0.5.1-0.20220405170618-28c9b37deff1 h1:NMYQzCtLEEaJZ2xleLzDixN6Y+yO9ShzgsjHDg4zOrk= 
@@ -1417,20 +1418,20 @@ github.com/rancher/machine v0.15.0-rancher96 h1:aDrERdpxpFf2R5CqOlQHCD2JecZC5Mg7 github.com/rancher/machine v0.15.0-rancher96/go.mod h1:rwF2JgIwaIqHthd9ByUQAZohCROaUP807Zsx1DLKo84= github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77 h1:k+vzmkZQsH06rZnDr+phskSixG9ByNj9gVdzHcc8nxw= github.com/rancher/moq v0.0.0-20200712062324-13d1f37d2d77/go.mod h1:wpITyDPTi/Na5h73XkbuEf2AP9fbgrIGqqxVzFhYD6U= -github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a h1:sAnJ58als7qhLCzsIUjvawoHgojPOazxFi7xMi6r/d4= -github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk= +github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b h1:DEDBVlylKTCC6KPl3BnPqsw3+aVygmcYwpJv3AJnOo0= +github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk= github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e h1:j6+HqCET/NLPBtew2m5apL7jWw/PStQ7iGwXjgAqdvo= github.com/rancher/pkg v0.0.0-20190514055449-b30ab9de040e/go.mod h1:XbYHTPaXuw8ZY9bylhYKQh/nJxDaTKk3YhAxPl4Qy/k= github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a h1:6xqYlVz4uAXBa/AuNAG0bhMusIXVh74dc1bbYOAe+HY= github.com/rancher/rdns-server v0.0.0-20180802070304-bf662911db6a/go.mod h1:YW8wJ/coee2n9ed937uPBWQArBaVlxs+5wkkS9KiyDc= github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8 h1:leqh0chjBsXhKWebxxFd5QPcoQLu51EpaHo04ce0o+8= github.com/rancher/remotedialer v0.2.6-0.20220624190122-ea57207bf2b8/go.mod h1:BwwztuvViX2JrLLUwDlsYt5DiyUwHLlzynRwkZLAY0Q= -github.com/rancher/rke v1.3.20 h1:t/rgErjPEnmByUPKNuMsz9EF7OjY3SBt5eD8J4pZnDI= -github.com/rancher/rke v1.3.20/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY= +github.com/rancher/rke v1.3.24 h1:UgMSUyhHAPjAsOFb9AkUtP5PgnbaBK5W4bKtT7w0+D8= +github.com/rancher/rke v1.3.24/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY= github.com/rancher/security-scan v0.1.7-0.20200222041501-f7377f127168 
h1:SIshhsz0O71FYyyDmjUmbFGvmgp4ASm8J1zmhMK/UG0= github.com/rancher/security-scan v0.1.7-0.20200222041501-f7377f127168/go.mod h1:WlLAocVyVQs5J8r0IiQXsp0ajVZO6hYi/Vo6zxjo73s= -github.com/rancher/steve v0.0.0-20230224165120-1a36a52a25b7 h1:5SqYbU1q88Cpo2LUabdy0jM8oXwt3svwhVdHOSETPsY= -github.com/rancher/steve v0.0.0-20230224165120-1a36a52a25b7/go.mod h1:Ru8iivHNQvpSShVnbrzl04fzGcVtLAll2LumntQJ4qw= +github.com/rancher/steve v0.0.0-20240207201906-815e20b6e12b h1:QoR/TpPWLk/HRnGfV2rcX0r/GK7SlK+ZBnSyqRbsff4= +github.com/rancher/steve v0.0.0-20240207201906-815e20b6e12b/go.mod h1:PL44vTbqAzcJRUKtLqp5k7XQany4jend3gOt26I5ig0= github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007 h1:ru+mqGnxMmKeU0Q3XIDxkARvInDIqT1hH2amTcsjxI4= github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007/go.mod h1:Ja346o44aTPWADc/5Jm93+KgctT6KtftuOosgz0F2AM= github.com/rancher/wrangler v0.6.1/go.mod h1:L4HtjPeX8iqLgsxfJgz+JjKMcX2q3qbRXSeTlC/CSd4= @@ -1478,7 +1479,7 @@ github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102 h1:WAQaHPfnpevd8S github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= +github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc= github.com/segmentio/kafka-go v0.0.0-20190411192201-218fd49cff39 h1:k9ngiuh0VU21Xjy9f/wVsRFsX8l0uxGH1ZOLNpjTt5U= github.com/segmentio/kafka-go v0.0.0-20190411192201-218fd49cff39/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= 
@@ -1931,6 +1932,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -1966,6 +1969,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180117170059-2c42eef0765b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -2092,12 +2096,16 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -2111,6 +2119,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/package/Dockerfile b/package/Dockerfile index 051e044c03c..48c7ec290c8 100644 --- a/package/Dockerfile +++ b/package/Dockerfile @@ -1,6 +1,6 @@ FROM registry.suse.com/bci/bci-base:15.5 -RUN zypper -n install git-core curl ca-certificates unzip xz gzip sed tar shadow gawk vim netcat-openbsd mkisofs && \ +RUN zypper -n install git-core curl ca-certificates unzip xz gzip sed tar shadow gawk vim netcat-openbsd mkisofs openssh-clients && \ zypper -n clean -a && rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/* && \ useradd rancher && \ mkdir -p /var/lib/rancher /var/lib/cattle /opt/jail /opt/drivers/management-state/bin && \ @@ -167,7 +167,7 @@ ENV CATTLE_DASHBOARD_UI_VERSION v2.6.13 ENV CATTLE_CLI_VERSION v2.6.11 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here. -ENV CATTLE_API_UI_VERSION 1.1.10 +ENV CATTLE_API_UI_VERSION 1.1.11 RUN mkdir -p /var/log/auditlog ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log diff --git a/pkg/apis/go.mod b/pkg/apis/go.mod index 6cf0fcf52c0..7e4600f21fa 100644 --- a/pkg/apis/go.mod +++ b/pkg/apis/go.mod 
@@ -10,8 +10,8 @@ require ( github.com/rancher/eks-operator v1.1.6-rc3 github.com/rancher/fleet/pkg/apis v0.0.0-20230116113701-fc276f5505be github.com/rancher/gke-operator v1.1.5-rc4 - github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a - github.com/rancher/rke v1.3.20 + github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b + github.com/rancher/rke v1.3.24 github.com/rancher/wrangler v1.0.1-0.20230208234005-a59a11cc3ef5 github.com/sirupsen/logrus v1.9.3 k8s.io/api v0.25.4 diff --git a/pkg/apis/go.sum b/pkg/apis/go.sum index e703055cc42..d1ae574f868 100644 --- a/pkg/apis/go.sum +++ b/pkg/apis/go.sum 
@@ -590,10 +590,10 @@ github.com/rancher/lasso v0.0.0-20200820172840-0e4cc0ef5cb0/go.mod h1:OhBBBO1pBw github.com/rancher/lasso v0.0.0-20220519004610-700f167d8324/go.mod h1:T6WoUopOHBWTGjnphruTJAgoZ+dpm6llvn6GDYaa7Kw= github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc h1:29VHrInLV4qSevvcvhBj5UhQWkPShxrxv4AahYg2Scw= github.com/rancher/lasso v0.0.0-20221227210133-6ea88ca2fbcc/go.mod h1:dEfC9eFQigj95lv/JQ8K5e7+qQCacWs1aIA6nLxKzT8= -github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a h1:sAnJ58als7qhLCzsIUjvawoHgojPOazxFi7xMi6r/d4= -github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk= -github.com/rancher/rke v1.3.20 h1:t/rgErjPEnmByUPKNuMsz9EF7OjY3SBt5eD8J4pZnDI= -github.com/rancher/rke v1.3.20/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY= +github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b h1:DEDBVlylKTCC6KPl3BnPqsw3+aVygmcYwpJv3AJnOo0= +github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk= +github.com/rancher/rke v1.3.24 h1:UgMSUyhHAPjAsOFb9AkUtP5PgnbaBK5W4bKtT7w0+D8= +github.com/rancher/rke v1.3.24/go.mod h1:FYb66B2+kAJVQ80SFEr56mC9yjm7TrviK2miZG+c5qY= github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106/go.mod h1:iKqQcYs4YSDjsme52OZtQU4jHPmLlIiM93aj2c8c/W8= github.com/rancher/wrangler v1.0.1-0.20230208234005-a59a11cc3ef5 h1:NrOPBlG0zswdgpAe6Db1rrzNpP2tpJytUiZ25LJHo+k= github.com/rancher/wrangler v1.0.1-0.20230208234005-a59a11cc3ef5/go.mod h1:045DEilEDtD9RJLQcChKbI2hAa26MOQ78VJ2yaKihXs= diff --git a/pkg/auth/audit/audit.go b/pkg/auth/audit/audit.go index d9f18c62020..afd8dbe86ac 100644 --- a/pkg/auth/audit/audit.go +++ b/pkg/auth/audit/audit.go @@ -20,6 +20,7 @@ import ( "github.com/sirupsen/logrus" k8stypes "k8s.io/apimachinery/pkg/types" "k8s.io/apiserver/pkg/endpoints/request" + "k8s.io/utils/strings/slices" ) const ( 
@@ -50,8 +51,9 @@ var (
 http.MethodPut: true,
 http.MethodPost: true,
 }
- sensitiveRequestHeader = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token"}
- sensitiveResponseHeader = []string{"Cookie", "Set-Cookie"}
+ sensitiveRequestHeader = []string{"Cookie", "Authorization", "X-Api-Tunnel-Params", "X-Api-Tunnel-Token", "X-Api-Auth-Header", "X-Amz-Security-Token"}
+ sensitiveResponseHeader = []string{"Cookie", "Set-Cookie", "X-Api-Set-Cookie-Header"}
+ sensitiveBodyFields = []string{"credentials", "applicationSecret", "oauthCredential", "serviceAccountCredential", "spKey", "spCert", "certificate", "privateKey"}
 // ErrUnsupportedEncoding is returned when the response encoding is unsupported
 ErrUnsupportedEncoding = fmt.Errorf("unsupported encoding")
 secretBaseType = regexp.MustCompile(".\"baseType\":\"([A-Za-z]*[S|s]ecret)\".")
@@ -394,7 +396,7 @@ func (a *auditLog) redactMap(m map[string]interface{}) bool {
 for key := range m {
 switch val := m[key].(type) {
 case string:
- if a.keysToRedactRegex.MatchString(key) {
+ if a.keysToRedactRegex.MatchString(key) || slices.Contains(sensitiveBodyFields, key) {
 changed = true
 m[key] = redacted
 }
diff --git a/pkg/auth/audit/audit_test.go b/pkg/auth/audit/audit_test.go
index 084ab946dec..67de7d64ab3 100644
--- a/pkg/auth/audit/audit_test.go
+++ b/pkg/auth/audit/audit_test.go
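Review bot: `sensitiveBodyFields` is declared without a comment, and nothing at the declaration says how the list is matched. The redactMap hunk that follows compares it with `slices.Contains`, i.e. by exact, case-sensitive key name, which behaves differently from the regex-based `keysToRedactRegex` it is combined with. I would add `// sensitiveBodyFields are body keys redacted by exact, case-sensitive name, in addition to keysToRedactRegex.` above the line, so that later additions use the spelling the API actually sends. The `var (` block starts and ends outside the hunk.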
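Review bot: The added `slices.Contains(sensitiveBodyFields, key)` check only runs inside `case string:`, so a listed key such as `credentials` whose value is an object, array or number is not replaced by this branch; whether the other cases of the switch descend into such values is outside the hunk. The comparison is also exact, so `Credentials` or `private_key` pass through unless `keysToRedactRegex` happens to match them. If the intent is that nothing stored under these names reaches the audit log, test the key name before the type switch and set `m[key] = redacted` for any value type. redactMap's body continues outside the hunk.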
@@ -199,6 +199,11 @@ func (a *AuditTest) TestRedactSensitiveData() {
 want: []byte(fmt.Sprintf(`{"kubeConfig":"%s","namespace":"testns","secretName":"secret-name"}`, redacted)),
 uri: `asdf`,
 },
+ {
+ name: "With items from sensitiveBodyFields",
+ input: []byte(`{"credentials": "{'fakeCredName': 'fakeCred'}", "applicationSecret": "fakeAppSecret", "oauthCredential": "fakeOauth", "serviceAccountCredential": "fakeSACred", "spKey": "fakeSPKey", "spCert": "fakeSPCERT", "certificate": "fakeCert", "privateKey": "fakeKey"}`),
+ want: []byte(fmt.Sprintf(`{"credentials": "%s", "applicationSecret": "%[1]s", "oauthCredential": "%[1]s", "serviceAccountCredential": "%[1]s", "spKey": "%[1]s", "spCert": "%[1]s", "certificate": "%[1]s", "privateKey": "%[1]s"}`, redacted)),
+ },
 }
 for i := range tests {
 test := tests[i]
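Review bot: The added case only covers string values under exactly-cased keys, which is the one path the new `slices.Contains` check in redactMap handles. A second case with a listed key holding a non-string value, for example `"credentials": {"token": "fakeToken"}` (constructed sample), would pin down whether nested values are expected to be redacted or passed through. A key that is close to a listed name but not in the list would likewise document that matching is exact. The table and the loop body continue outside the hunk.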
@@ -437,6 +442,18 @@ func (a *AuditTest) TestFilterSensitiveHeader() {
 respHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 },
+ {
+ name: "sensitive request header: \"X-Api-Auth-Header\"",
+ reqHeader: http.Header{"X-Api-Auth-Header": []string{"abcd"}},
+ respHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+ expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+ },
+ {
+ name: "sensitive request header: \"X-Amz-Security-Token\"",
+ reqHeader: http.Header{"X-Amz-Security-Token": []string{"abcd"}},
+ respHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+ expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+ },
 {
 name: "non-sensitive request header and sensitive request header: \"Cookie\"",
 reqHeader: http.Header{"Cookie": []string{"abcd"}, "User-Agent": []string{"useragent1"}},
@@ -454,6 +471,11 @@ func (a *AuditTest) TestFilterSensitiveHeader() {
 respHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}, "Set-Cookie": []string{"abcd"}},
 expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
 },
+ {
+ name: "sensitive response header: \"X-Api-Set-Cookie-Header\"",
+ respHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}, "X-Api-Set-Cookie-Header": []string{"abcd"}},
+ expectedRespHeader: http.Header{"Content-Type": []string{"application/json"}, "Content-Encoding": []string{"none"}},
+ },
 }
 writer.Level = LevelMetadata
 for i := range tests {
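Review bot: The two added request-header cases (`X-Api-Auth-Header`, `X-Amz-Security-Token`) set `name`, `reqHeader`, `respHeader` and `expectedRespHeader`, but give no expected value for the request headers, so the hunk alone does not show that removal of the header from the logged request is asserted. If the table has a field for the expected request headers, set it explicitly in both cases. If the loop does not compare the filtered request headers at all, these cases would pass even with the two names missing from `sensitiveRequestHeader`. The table definition and the assertions are outside the hunk.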
diff --git a/pkg/client/generated/management/v3/zz_generated_aci_network_provider.go b/pkg/client/generated/management/v3/zz_generated_aci_network_provider.go index 707bc8fb87f..5e626065e92 100644 --- a/pkg/client/generated/management/v3/zz_generated_aci_network_provider.go +++ b/pkg/client/generated/management/v3/zz_generated_aci_network_provider.go 
@@ -1,172 +1,216 @@ package client const ( - AciNetworkProviderType = "aciNetworkProvider" - AciNetworkProviderFieldAEP = "aep" - AciNetworkProviderFieldAddExternalSubnetsToRdconfig = "addExternalSubnetsToRdconfig" - AciNetworkProviderFieldApicHosts = "apicHosts" - AciNetworkProviderFieldApicRefreshTickerAdjust = "apicRefreshTickerAdjust" - AciNetworkProviderFieldApicRefreshTime = "apicRefreshTime" - AciNetworkProviderFieldApicSubscriptionDelay = "apicSubscriptionDelay" - AciNetworkProviderFieldApicUserCrt = "apicUserCrt" - AciNetworkProviderFieldApicUserKey = "apicUserKey" - AciNetworkProviderFieldApicUserName = "apicUserName" - AciNetworkProviderFieldCApic = "capic" - AciNetworkProviderFieldControllerLogLevel = "controllerLogLevel" - AciNetworkProviderFieldDisablePeriodicSnatGlobalInfoSync = "disablePeriodicSnatGlobalInfoSync" - AciNetworkProviderFieldDisableWaitForNetwork = "disableWaitForNetwork" - AciNetworkProviderFieldDropLogEnable = "dropLogEnable" - AciNetworkProviderFieldDurationWaitForNetwork = "durationWaitForNetwork" - AciNetworkProviderFieldDynamicExternalSubnet = "externDynamic" - AciNetworkProviderFieldEnableEndpointSlice = "enableEndpointSlice" - AciNetworkProviderFieldEncapType = "encapType" - AciNetworkProviderFieldEpRegistry = "epRegistry" - AciNetworkProviderFieldGbpPodSubnet = "gbpPodSubnet" - AciNetworkProviderFieldHostAgentLogLevel = "hostAgentLogLevel" - AciNetworkProviderFieldHppOptimization = "hppOptimization" - AciNetworkProviderFieldImagePullPolicy = "imagePullPolicy" - AciNetworkProviderFieldImagePullSecret = "imagePullSecret" - AciNetworkProviderFieldInfraVlan = "infraVlan" - AciNetworkProviderFieldInstallIstio = "installIstio" - AciNetworkProviderFieldIstioProfile = "istioProfile" - AciNetworkProviderFieldKafkaBrokers = "kafkaBrokers" - AciNetworkProviderFieldKafkaClientCrt = "kafkaClientCrt" - AciNetworkProviderFieldKafkaClientKey = "kafkaClientKey" - AciNetworkProviderFieldKubeAPIVlan = "kubeApiVlan" - AciNetworkProviderFieldL3Out 
= "l3out" - AciNetworkProviderFieldL3OutExternalNetworks = "l3outExternalNetworks" - AciNetworkProviderFieldMTUHeadRoom = "mtuHeadRoom" - AciNetworkProviderFieldMaxNodesSvcGraph = "maxNodesSvcGraph" - AciNetworkProviderFieldMcastRangeEnd = "mcastRangeEnd" - AciNetworkProviderFieldMcastRangeStart = "mcastRangeStart" - AciNetworkProviderFieldMultusDisable = "multusDisable" - AciNetworkProviderFieldNoPriorityClass = "noPriorityClass" - AciNetworkProviderFieldNoWaitForServiceEpReadiness = "noWaitForServiceEpReadiness" - AciNetworkProviderFieldNodePodIfEnable = "nodePodIfEnable" - AciNetworkProviderFieldNodeSubnet = "nodeSubnet" - AciNetworkProviderFieldOVSMemoryLimit = "ovsMemoryLimit" - AciNetworkProviderFieldOpflexAgentLogLevel = "opflexLogLevel" - AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled = "opflexAgentOpflexAsyncjsonEnabled" - AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled = "opflexAgentOvsAsyncjsonEnabled" - AciNetworkProviderFieldOpflexClientSSL = "opflexClientSsl" - AciNetworkProviderFieldOpflexDeviceDeleteTimeout = "opflexDeviceDeleteTimeout" - AciNetworkProviderFieldOpflexMode = "opflexMode" - AciNetworkProviderFieldOpflexServerPort = "opflexServerPort" - AciNetworkProviderFieldOverlayVRFName = "overlayVrfName" - AciNetworkProviderFieldPBRTrackingNonSnat = "pbrTrackingNonSnat" - AciNetworkProviderFieldPodSubnetChunkSize = "podSubnetChunkSize" - AciNetworkProviderFieldRunGbpContainer = "runGbpContainer" - AciNetworkProviderFieldRunOpflexServerContainer = "runOpflexServerContainer" - AciNetworkProviderFieldServiceGraphEndpointAddDelay = "serviceGraphEndpointAddDelay" - AciNetworkProviderFieldServiceGraphEndpointAddServices = "serviceGraphEndpointAddServices" - AciNetworkProviderFieldServiceGraphSubnet = "nodeSvcSubnet" - AciNetworkProviderFieldServiceMonitorInterval = "serviceMonitorInterval" - AciNetworkProviderFieldServiceVlan = "serviceVlan" - AciNetworkProviderFieldSleepTimeSnatGlobalInfoSync = "sleepTimeSnatGlobalInfoSync" - 
AciNetworkProviderFieldSnatContractScope = "snatContractScope" - AciNetworkProviderFieldSnatNamespace = "snatNamespace" - AciNetworkProviderFieldSnatPortRangeEnd = "snatPortRangeEnd" - AciNetworkProviderFieldSnatPortRangeStart = "snatPortRangeStart" - AciNetworkProviderFieldSnatPortsPerNode = "snatPortsPerNode" - AciNetworkProviderFieldSriovEnable = "sriovEnable" - AciNetworkProviderFieldStaticExternalSubnet = "externStatic" - AciNetworkProviderFieldSubnetDomainName = "subnetDomainName" - AciNetworkProviderFieldSystemIdentifier = "systemId" - AciNetworkProviderFieldTenant = "tenant" - AciNetworkProviderFieldToken = "token" - AciNetworkProviderFieldUseAciAnywhereCRD = "useAciAnywhereCrd" - AciNetworkProviderFieldUseAciCniPriorityClass = "useAciCniPriorityClass" - AciNetworkProviderFieldUseClusterRole = "useClusterRole" - AciNetworkProviderFieldUseHostNetnsVolume = "useHostNetnsVolume" - AciNetworkProviderFieldUseOpflexServerVolume = "useOpflexServerVolume" - AciNetworkProviderFieldUsePrivilegedContainer = "usePrivilegedContainer" - AciNetworkProviderFieldVRFName = "vrfName" - AciNetworkProviderFieldVRFTenant = "vrfTenant" - AciNetworkProviderFieldVmmController = "vmmController" - AciNetworkProviderFieldVmmDomain = "vmmDomain" + AciNetworkProviderType = "aciNetworkProvider" + AciNetworkProviderFieldAEP = "aep" + AciNetworkProviderFieldAccProvisionOperatorMemoryLimit = "accProvisionOperatorMemoryLimit" + AciNetworkProviderFieldAccProvisionOperatorMemoryRequest = "accProvisionOperatorMemoryRequest" + AciNetworkProviderFieldAciContainersControllerMemoryLimit = "aciContainersControllerMemoryLimit" + AciNetworkProviderFieldAciContainersControllerMemoryRequest = "aciContainersControllerMemoryRequest" + AciNetworkProviderFieldAciContainersHostMemoryLimit = "aciContainersHostMemoryLimit" + AciNetworkProviderFieldAciContainersHostMemoryRequest = "aciContainersHostMemoryRequest" + AciNetworkProviderFieldAciContainersMemoryLimit = "aciContainersMemoryLimit" + 
AciNetworkProviderFieldAciContainersMemoryRequest = "aciContainersMemoryRequest" + AciNetworkProviderFieldAciContainersOperatorMemoryLimit = "aciContainersOperatorMemoryLimit" + AciNetworkProviderFieldAciContainersOperatorMemoryRequest = "aciContainersOperatorMemoryRequest" + AciNetworkProviderFieldAciMultipod = "aciMultipod" + AciNetworkProviderFieldAciMultipodUbuntu = "aciMultipodUbuntu" + AciNetworkProviderFieldAddExternalSubnetsToRdconfig = "addExternalSubnetsToRdconfig" + AciNetworkProviderFieldApicHosts = "apicHosts" + AciNetworkProviderFieldApicRefreshTickerAdjust = "apicRefreshTickerAdjust" + AciNetworkProviderFieldApicRefreshTime = "apicRefreshTime" + AciNetworkProviderFieldApicSubscriptionDelay = "apicSubscriptionDelay" + AciNetworkProviderFieldApicUserCrt = "apicUserCrt" + AciNetworkProviderFieldApicUserKey = "apicUserKey" + AciNetworkProviderFieldApicUserName = "apicUserName" + AciNetworkProviderFieldCApic = "capic" + AciNetworkProviderFieldControllerLogLevel = "controllerLogLevel" + AciNetworkProviderFieldDhcpDelay = "dhcpDelay" + AciNetworkProviderFieldDhcpRenewMaxRetryCount = "dhcpRenewMaxRetryCount" + AciNetworkProviderFieldDisablePeriodicSnatGlobalInfoSync = "disablePeriodicSnatGlobalInfoSync" + AciNetworkProviderFieldDisableWaitForNetwork = "disableWaitForNetwork" + AciNetworkProviderFieldDropLogEnable = "dropLogEnable" + AciNetworkProviderFieldDurationWaitForNetwork = "durationWaitForNetwork" + AciNetworkProviderFieldDynamicExternalSubnet = "externDynamic" + AciNetworkProviderFieldEnableEndpointSlice = "enableEndpointSlice" + AciNetworkProviderFieldEncapType = "encapType" + AciNetworkProviderFieldEpRegistry = "epRegistry" + AciNetworkProviderFieldGbpPodSubnet = "gbpPodSubnet" + AciNetworkProviderFieldHostAgentLogLevel = "hostAgentLogLevel" + AciNetworkProviderFieldHppOptimization = "hppOptimization" + AciNetworkProviderFieldImagePullPolicy = "imagePullPolicy" + AciNetworkProviderFieldImagePullSecret = "imagePullSecret" + 
AciNetworkProviderFieldInfraVlan = "infraVlan" + AciNetworkProviderFieldInstallIstio = "installIstio" + AciNetworkProviderFieldIstioProfile = "istioProfile" + AciNetworkProviderFieldKafkaBrokers = "kafkaBrokers" + AciNetworkProviderFieldKafkaClientCrt = "kafkaClientCrt" + AciNetworkProviderFieldKafkaClientKey = "kafkaClientKey" + AciNetworkProviderFieldKubeAPIVlan = "kubeApiVlan" + AciNetworkProviderFieldL3Out = "l3out" + AciNetworkProviderFieldL3OutExternalNetworks = "l3outExternalNetworks" + AciNetworkProviderFieldMTUHeadRoom = "mtuHeadRoom" + AciNetworkProviderFieldMaxNodesSvcGraph = "maxNodesSvcGraph" + AciNetworkProviderFieldMcastDaemonMemoryLimit = "mcastDaemonMemoryLimit" + AciNetworkProviderFieldMcastDaemonMemoryRequest = "mcastDaemonMemoryRequest" + AciNetworkProviderFieldMcastRangeEnd = "mcastRangeEnd" + AciNetworkProviderFieldMcastRangeStart = "mcastRangeStart" + AciNetworkProviderFieldMultusDisable = "multusDisable" + AciNetworkProviderFieldNoPriorityClass = "noPriorityClass" + AciNetworkProviderFieldNoWaitForServiceEpReadiness = "noWaitForServiceEpReadiness" + AciNetworkProviderFieldNodePodIfEnable = "nodePodIfEnable" + AciNetworkProviderFieldNodeSubnet = "nodeSubnet" + AciNetworkProviderFieldOVSMemoryLimit = "ovsMemoryLimit" + AciNetworkProviderFieldOVSMemoryRequest = "ovsMemoryRequest" + AciNetworkProviderFieldOpflexAgentLogLevel = "opflexLogLevel" + AciNetworkProviderFieldOpflexAgentMemoryLimit = "opflexAgentMemoryLimit" + AciNetworkProviderFieldOpflexAgentMemoryRequest = "opflexAgentMemoryRequest" + AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled = "opflexAgentOpflexAsyncjsonEnabled" + AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled = "opflexAgentOvsAsyncjsonEnabled" + AciNetworkProviderFieldOpflexAgentPolicyRetryDelayTimer = "opflexAgentPolicyRetryDelayTimer" + AciNetworkProviderFieldOpflexClientSSL = "opflexClientSsl" + AciNetworkProviderFieldOpflexDeviceDeleteTimeout = "opflexDeviceDeleteTimeout" + 
AciNetworkProviderFieldOpflexDeviceReconnectWaitTimeout = "opflexDeviceReconnectWaitTimeout" + AciNetworkProviderFieldOpflexMode = "opflexMode" + AciNetworkProviderFieldOpflexServerPort = "opflexServerPort" + AciNetworkProviderFieldOverlayVRFName = "overlayVrfName" + AciNetworkProviderFieldPBRTrackingNonSnat = "pbrTrackingNonSnat" + AciNetworkProviderFieldPodSubnetChunkSize = "podSubnetChunkSize" + AciNetworkProviderFieldRunGbpContainer = "runGbpContainer" + AciNetworkProviderFieldRunOpflexServerContainer = "runOpflexServerContainer" + AciNetworkProviderFieldServiceGraphEndpointAddDelay = "serviceGraphEndpointAddDelay" + AciNetworkProviderFieldServiceGraphEndpointAddServices = "serviceGraphEndpointAddServices" + AciNetworkProviderFieldServiceGraphSubnet = "nodeSvcSubnet" + AciNetworkProviderFieldServiceMonitorInterval = "serviceMonitorInterval" + AciNetworkProviderFieldServiceVlan = "serviceVlan" + AciNetworkProviderFieldSleepTimeSnatGlobalInfoSync = "sleepTimeSnatGlobalInfoSync" + AciNetworkProviderFieldSnatContractScope = "snatContractScope" + AciNetworkProviderFieldSnatNamespace = "snatNamespace" + AciNetworkProviderFieldSnatPortRangeEnd = "snatPortRangeEnd" + AciNetworkProviderFieldSnatPortRangeStart = "snatPortRangeStart" + AciNetworkProviderFieldSnatPortsPerNode = "snatPortsPerNode" + AciNetworkProviderFieldSriovEnable = "sriovEnable" + AciNetworkProviderFieldStaticExternalSubnet = "externStatic" + AciNetworkProviderFieldSubnetDomainName = "subnetDomainName" + AciNetworkProviderFieldSystemIdentifier = "systemId" + AciNetworkProviderFieldTenant = "tenant" + AciNetworkProviderFieldToken = "token" + AciNetworkProviderFieldUseAciAnywhereCRD = "useAciAnywhereCrd" + AciNetworkProviderFieldUseAciCniPriorityClass = "useAciCniPriorityClass" + AciNetworkProviderFieldUseClusterRole = "useClusterRole" + AciNetworkProviderFieldUseHostNetnsVolume = "useHostNetnsVolume" + AciNetworkProviderFieldUseOpflexServerVolume = "useOpflexServerVolume" + 
AciNetworkProviderFieldUsePrivilegedContainer = "usePrivilegedContainer" + AciNetworkProviderFieldUseSystemNodePriorityClass = "useSystemNodePriorityClass" + AciNetworkProviderFieldVRFName = "vrfName" + AciNetworkProviderFieldVRFTenant = "vrfTenant" + AciNetworkProviderFieldVmmController = "vmmController" + AciNetworkProviderFieldVmmDomain = "vmmDomain" ) type AciNetworkProvider struct { - AEP string `json:"aep,omitempty" yaml:"aep,omitempty"` - AddExternalSubnetsToRdconfig string `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"` - ApicHosts []string `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"` - ApicRefreshTickerAdjust string `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"` - ApicRefreshTime string `json:"apicRefreshTime,omitempty" yaml:"apicRefreshTime,omitempty"` - ApicSubscriptionDelay string `json:"apicSubscriptionDelay,omitempty" yaml:"apicSubscriptionDelay,omitempty"` - ApicUserCrt string `json:"apicUserCrt,omitempty" yaml:"apicUserCrt,omitempty"` - ApicUserKey string `json:"apicUserKey,omitempty" yaml:"apicUserKey,omitempty"` - ApicUserName string `json:"apicUserName,omitempty" yaml:"apicUserName,omitempty"` - CApic string `json:"capic,omitempty" yaml:"capic,omitempty"` - ControllerLogLevel string `json:"controllerLogLevel,omitempty" yaml:"controllerLogLevel,omitempty"` - DisablePeriodicSnatGlobalInfoSync string `json:"disablePeriodicSnatGlobalInfoSync,omitempty" yaml:"disablePeriodicSnatGlobalInfoSync,omitempty"` - DisableWaitForNetwork string `json:"disableWaitForNetwork,omitempty" yaml:"disableWaitForNetwork,omitempty"` - DropLogEnable string `json:"dropLogEnable,omitempty" yaml:"dropLogEnable,omitempty"` - DurationWaitForNetwork string `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"` - DynamicExternalSubnet string `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"` - EnableEndpointSlice string 
`json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"` - EncapType string `json:"encapType,omitempty" yaml:"encapType,omitempty"` - EpRegistry string `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"` - GbpPodSubnet string `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"` - HostAgentLogLevel string `json:"hostAgentLogLevel,omitempty" yaml:"hostAgentLogLevel,omitempty"` - HppOptimization string `json:"hppOptimization,omitempty" yaml:"hppOptimization,omitempty"` - ImagePullPolicy string `json:"imagePullPolicy,omitempty" yaml:"imagePullPolicy,omitempty"` - ImagePullSecret string `json:"imagePullSecret,omitempty" yaml:"imagePullSecret,omitempty"` - InfraVlan string `json:"infraVlan,omitempty" yaml:"infraVlan,omitempty"` - InstallIstio string `json:"installIstio,omitempty" yaml:"installIstio,omitempty"` - IstioProfile string `json:"istioProfile,omitempty" yaml:"istioProfile,omitempty"` - KafkaBrokers []string `json:"kafkaBrokers,omitempty" yaml:"kafkaBrokers,omitempty"` - KafkaClientCrt string `json:"kafkaClientCrt,omitempty" yaml:"kafkaClientCrt,omitempty"` - KafkaClientKey string `json:"kafkaClientKey,omitempty" yaml:"kafkaClientKey,omitempty"` - KubeAPIVlan string `json:"kubeApiVlan,omitempty" yaml:"kubeApiVlan,omitempty"` - L3Out string `json:"l3out,omitempty" yaml:"l3out,omitempty"` - L3OutExternalNetworks []string `json:"l3outExternalNetworks,omitempty" yaml:"l3outExternalNetworks,omitempty"` - MTUHeadRoom string `json:"mtuHeadRoom,omitempty" yaml:"mtuHeadRoom,omitempty"` - MaxNodesSvcGraph string `json:"maxNodesSvcGraph,omitempty" yaml:"maxNodesSvcGraph,omitempty"` - McastRangeEnd string `json:"mcastRangeEnd,omitempty" yaml:"mcastRangeEnd,omitempty"` - McastRangeStart string `json:"mcastRangeStart,omitempty" yaml:"mcastRangeStart,omitempty"` - MultusDisable string `json:"multusDisable,omitempty" yaml:"multusDisable,omitempty"` - NoPriorityClass string `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"` - 
NoWaitForServiceEpReadiness string `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"` - NodePodIfEnable string `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"` - NodeSubnet string `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"` - OVSMemoryLimit string `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"` - OpflexAgentLogLevel string `json:"opflexLogLevel,omitempty" yaml:"opflexLogLevel,omitempty"` - OpflexAgentOpflexAsyncjsonEnabled string `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"` - OpflexAgentOvsAsyncjsonEnabled string `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"` - OpflexClientSSL string `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"` - OpflexDeviceDeleteTimeout string `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"` - OpflexMode string `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"` - OpflexServerPort string `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"` - OverlayVRFName string `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"` - PBRTrackingNonSnat string `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"` - PodSubnetChunkSize string `json:"podSubnetChunkSize,omitempty" yaml:"podSubnetChunkSize,omitempty"` - RunGbpContainer string `json:"runGbpContainer,omitempty" yaml:"runGbpContainer,omitempty"` - RunOpflexServerContainer string `json:"runOpflexServerContainer,omitempty" yaml:"runOpflexServerContainer,omitempty"` - ServiceGraphEndpointAddDelay string `json:"serviceGraphEndpointAddDelay,omitempty" yaml:"serviceGraphEndpointAddDelay,omitempty"` - ServiceGraphEndpointAddServices []map[string]string `json:"serviceGraphEndpointAddServices,omitempty" yaml:"serviceGraphEndpointAddServices,omitempty"` - ServiceGraphSubnet string 
`json:"nodeSvcSubnet,omitempty" yaml:"nodeSvcSubnet,omitempty"` - ServiceMonitorInterval string `json:"serviceMonitorInterval,omitempty" yaml:"serviceMonitorInterval,omitempty"` - ServiceVlan string `json:"serviceVlan,omitempty" yaml:"serviceVlan,omitempty"` - SleepTimeSnatGlobalInfoSync string `json:"sleepTimeSnatGlobalInfoSync,omitempty" yaml:"sleepTimeSnatGlobalInfoSync,omitempty"` - SnatContractScope string `json:"snatContractScope,omitempty" yaml:"snatContractScope,omitempty"` - SnatNamespace string `json:"snatNamespace,omitempty" yaml:"snatNamespace,omitempty"` - SnatPortRangeEnd string `json:"snatPortRangeEnd,omitempty" yaml:"snatPortRangeEnd,omitempty"` - SnatPortRangeStart string `json:"snatPortRangeStart,omitempty" yaml:"snatPortRangeStart,omitempty"` - SnatPortsPerNode string `json:"snatPortsPerNode,omitempty" yaml:"snatPortsPerNode,omitempty"` - SriovEnable string `json:"sriovEnable,omitempty" yaml:"sriovEnable,omitempty"` - StaticExternalSubnet string `json:"externStatic,omitempty" yaml:"externStatic,omitempty"` - SubnetDomainName string `json:"subnetDomainName,omitempty" yaml:"subnetDomainName,omitempty"` - SystemIdentifier string `json:"systemId,omitempty" yaml:"systemId,omitempty"` - Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"` - Token string `json:"token,omitempty" yaml:"token,omitempty"` - UseAciAnywhereCRD string `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"` - UseAciCniPriorityClass string `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"` - UseClusterRole string `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"` - UseHostNetnsVolume string `json:"useHostNetnsVolume,omitempty" yaml:"useHostNetnsVolume,omitempty"` - UseOpflexServerVolume string `json:"useOpflexServerVolume,omitempty" yaml:"useOpflexServerVolume,omitempty"` - UsePrivilegedContainer string `json:"usePrivilegedContainer,omitempty" yaml:"usePrivilegedContainer,omitempty"` - VRFName string 
`json:"vrfName,omitempty" yaml:"vrfName,omitempty"` - VRFTenant string `json:"vrfTenant,omitempty" yaml:"vrfTenant,omitempty"` - VmmController string `json:"vmmController,omitempty" yaml:"vmmController,omitempty"` - VmmDomain string `json:"vmmDomain,omitempty" yaml:"vmmDomain,omitempty"` + AEP string `json:"aep,omitempty" yaml:"aep,omitempty"` + AccProvisionOperatorMemoryLimit string `json:"accProvisionOperatorMemoryLimit,omitempty" yaml:"accProvisionOperatorMemoryLimit,omitempty"` + AccProvisionOperatorMemoryRequest string `json:"accProvisionOperatorMemoryRequest,omitempty" yaml:"accProvisionOperatorMemoryRequest,omitempty"` + AciContainersControllerMemoryLimit string `json:"aciContainersControllerMemoryLimit,omitempty" yaml:"aciContainersControllerMemoryLimit,omitempty"` + AciContainersControllerMemoryRequest string `json:"aciContainersControllerMemoryRequest,omitempty" yaml:"aciContainersControllerMemoryRequest,omitempty"` + AciContainersHostMemoryLimit string `json:"aciContainersHostMemoryLimit,omitempty" yaml:"aciContainersHostMemoryLimit,omitempty"` + AciContainersHostMemoryRequest string `json:"aciContainersHostMemoryRequest,omitempty" yaml:"aciContainersHostMemoryRequest,omitempty"` + AciContainersMemoryLimit string `json:"aciContainersMemoryLimit,omitempty" yaml:"aciContainersMemoryLimit,omitempty"` + AciContainersMemoryRequest string `json:"aciContainersMemoryRequest,omitempty" yaml:"aciContainersMemoryRequest,omitempty"` + AciContainersOperatorMemoryLimit string `json:"aciContainersOperatorMemoryLimit,omitempty" yaml:"aciContainersOperatorMemoryLimit,omitempty"` + AciContainersOperatorMemoryRequest string `json:"aciContainersOperatorMemoryRequest,omitempty" yaml:"aciContainersOperatorMemoryRequest,omitempty"` + AciMultipod string `json:"aciMultipod,omitempty" yaml:"aciMultipod,omitempty"` + AciMultipodUbuntu string `json:"aciMultipodUbuntu,omitempty" yaml:"aciMultipodUbuntu,omitempty"` + AddExternalSubnetsToRdconfig string 
`json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"` + ApicHosts []string `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"` + ApicRefreshTickerAdjust string `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"` + ApicRefreshTime string `json:"apicRefreshTime,omitempty" yaml:"apicRefreshTime,omitempty"` + ApicSubscriptionDelay string `json:"apicSubscriptionDelay,omitempty" yaml:"apicSubscriptionDelay,omitempty"` + ApicUserCrt string `json:"apicUserCrt,omitempty" yaml:"apicUserCrt,omitempty"` + ApicUserKey string `json:"apicUserKey,omitempty" yaml:"apicUserKey,omitempty"` + ApicUserName string `json:"apicUserName,omitempty" yaml:"apicUserName,omitempty"` + CApic string `json:"capic,omitempty" yaml:"capic,omitempty"` + ControllerLogLevel string `json:"controllerLogLevel,omitempty" yaml:"controllerLogLevel,omitempty"` + DhcpDelay string `json:"dhcpDelay,omitempty" yaml:"dhcpDelay,omitempty"` + DhcpRenewMaxRetryCount string `json:"dhcpRenewMaxRetryCount,omitempty" yaml:"dhcpRenewMaxRetryCount,omitempty"` + DisablePeriodicSnatGlobalInfoSync string `json:"disablePeriodicSnatGlobalInfoSync,omitempty" yaml:"disablePeriodicSnatGlobalInfoSync,omitempty"` + DisableWaitForNetwork string `json:"disableWaitForNetwork,omitempty" yaml:"disableWaitForNetwork,omitempty"` + DropLogEnable string `json:"dropLogEnable,omitempty" yaml:"dropLogEnable,omitempty"` + DurationWaitForNetwork string `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"` + DynamicExternalSubnet string `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"` + EnableEndpointSlice string `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"` + EncapType string `json:"encapType,omitempty" yaml:"encapType,omitempty"` + EpRegistry string `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"` + GbpPodSubnet string `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"` + 
HostAgentLogLevel string `json:"hostAgentLogLevel,omitempty" yaml:"hostAgentLogLevel,omitempty"` + HppOptimization string `json:"hppOptimization,omitempty" yaml:"hppOptimization,omitempty"` + ImagePullPolicy string `json:"imagePullPolicy,omitempty" yaml:"imagePullPolicy,omitempty"` + ImagePullSecret string `json:"imagePullSecret,omitempty" yaml:"imagePullSecret,omitempty"` + InfraVlan string `json:"infraVlan,omitempty" yaml:"infraVlan,omitempty"` + InstallIstio string `json:"installIstio,omitempty" yaml:"installIstio,omitempty"` + IstioProfile string `json:"istioProfile,omitempty" yaml:"istioProfile,omitempty"` + KafkaBrokers []string `json:"kafkaBrokers,omitempty" yaml:"kafkaBrokers,omitempty"` + KafkaClientCrt string `json:"kafkaClientCrt,omitempty" yaml:"kafkaClientCrt,omitempty"` + KafkaClientKey string `json:"kafkaClientKey,omitempty" yaml:"kafkaClientKey,omitempty"` + KubeAPIVlan string `json:"kubeApiVlan,omitempty" yaml:"kubeApiVlan,omitempty"` + L3Out string `json:"l3out,omitempty" yaml:"l3out,omitempty"` + L3OutExternalNetworks []string `json:"l3outExternalNetworks,omitempty" yaml:"l3outExternalNetworks,omitempty"` + MTUHeadRoom string `json:"mtuHeadRoom,omitempty" yaml:"mtuHeadRoom,omitempty"` + MaxNodesSvcGraph string `json:"maxNodesSvcGraph,omitempty" yaml:"maxNodesSvcGraph,omitempty"` + McastDaemonMemoryLimit string `json:"mcastDaemonMemoryLimit,omitempty" yaml:"mcastDaemonMemoryLimit,omitempty"` + McastDaemonMemoryRequest string `json:"mcastDaemonMemoryRequest,omitempty" yaml:"mcastDaemonMemoryRequest,omitempty"` + McastRangeEnd string `json:"mcastRangeEnd,omitempty" yaml:"mcastRangeEnd,omitempty"` + McastRangeStart string `json:"mcastRangeStart,omitempty" yaml:"mcastRangeStart,omitempty"` + MultusDisable string `json:"multusDisable,omitempty" yaml:"multusDisable,omitempty"` + NoPriorityClass string `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"` + NoWaitForServiceEpReadiness string `json:"noWaitForServiceEpReadiness,omitempty" 
yaml:"noWaitForServiceEpReadiness,omitempty"` + NodePodIfEnable string `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"` + NodeSubnet string `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"` + OVSMemoryLimit string `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"` + OVSMemoryRequest string `json:"ovsMemoryRequest,omitempty" yaml:"ovsMemoryRequest,omitempty"` + OpflexAgentLogLevel string `json:"opflexLogLevel,omitempty" yaml:"opflexLogLevel,omitempty"` + OpflexAgentMemoryLimit string `json:"opflexAgentMemoryLimit,omitempty" yaml:"opflexAgentMemoryLimit,omitempty"` + OpflexAgentMemoryRequest string `json:"opflexAgentMemoryRequest,omitempty" yaml:"opflexAgentMemoryRequest,omitempty"` + OpflexAgentOpflexAsyncjsonEnabled string `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"` + OpflexAgentOvsAsyncjsonEnabled string `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"` + OpflexAgentPolicyRetryDelayTimer string `json:"opflexAgentPolicyRetryDelayTimer,omitempty" yaml:"opflexAgentPolicyRetryDelayTimer,omitempty"` + OpflexClientSSL string `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"` + OpflexDeviceDeleteTimeout string `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"` + OpflexDeviceReconnectWaitTimeout string `json:"opflexDeviceReconnectWaitTimeout,omitempty" yaml:"opflexDeviceReconnectWaitTimeout,omitempty"` + OpflexMode string `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"` + OpflexServerPort string `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"` + OverlayVRFName string `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"` + PBRTrackingNonSnat string `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"` + PodSubnetChunkSize string `json:"podSubnetChunkSize,omitempty" yaml:"podSubnetChunkSize,omitempty"` + 
RunGbpContainer string `json:"runGbpContainer,omitempty" yaml:"runGbpContainer,omitempty"` + RunOpflexServerContainer string `json:"runOpflexServerContainer,omitempty" yaml:"runOpflexServerContainer,omitempty"` + ServiceGraphEndpointAddDelay string `json:"serviceGraphEndpointAddDelay,omitempty" yaml:"serviceGraphEndpointAddDelay,omitempty"` + ServiceGraphEndpointAddServices []map[string]string `json:"serviceGraphEndpointAddServices,omitempty" yaml:"serviceGraphEndpointAddServices,omitempty"` + ServiceGraphSubnet string `json:"nodeSvcSubnet,omitempty" yaml:"nodeSvcSubnet,omitempty"` + ServiceMonitorInterval string `json:"serviceMonitorInterval,omitempty" yaml:"serviceMonitorInterval,omitempty"` + ServiceVlan string `json:"serviceVlan,omitempty" yaml:"serviceVlan,omitempty"` + SleepTimeSnatGlobalInfoSync string `json:"sleepTimeSnatGlobalInfoSync,omitempty" yaml:"sleepTimeSnatGlobalInfoSync,omitempty"` + SnatContractScope string `json:"snatContractScope,omitempty" yaml:"snatContractScope,omitempty"` + SnatNamespace string `json:"snatNamespace,omitempty" yaml:"snatNamespace,omitempty"` + SnatPortRangeEnd string `json:"snatPortRangeEnd,omitempty" yaml:"snatPortRangeEnd,omitempty"` + SnatPortRangeStart string `json:"snatPortRangeStart,omitempty" yaml:"snatPortRangeStart,omitempty"` + SnatPortsPerNode string `json:"snatPortsPerNode,omitempty" yaml:"snatPortsPerNode,omitempty"` + SriovEnable string `json:"sriovEnable,omitempty" yaml:"sriovEnable,omitempty"` + StaticExternalSubnet string `json:"externStatic,omitempty" yaml:"externStatic,omitempty"` + SubnetDomainName string `json:"subnetDomainName,omitempty" yaml:"subnetDomainName,omitempty"` + SystemIdentifier string `json:"systemId,omitempty" yaml:"systemId,omitempty"` + Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"` + Token string `json:"token,omitempty" yaml:"token,omitempty"` + UseAciAnywhereCRD string `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"` + UseAciCniPriorityClass 
string `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"` + UseClusterRole string `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"` + UseHostNetnsVolume string `json:"useHostNetnsVolume,omitempty" yaml:"useHostNetnsVolume,omitempty"` + UseOpflexServerVolume string `json:"useOpflexServerVolume,omitempty" yaml:"useOpflexServerVolume,omitempty"` + UsePrivilegedContainer string `json:"usePrivilegedContainer,omitempty" yaml:"usePrivilegedContainer,omitempty"` + UseSystemNodePriorityClass string `json:"useSystemNodePriorityClass,omitempty" yaml:"useSystemNodePriorityClass,omitempty"` + VRFName string `json:"vrfName,omitempty" yaml:"vrfName,omitempty"` + VRFTenant string `json:"vrfTenant,omitempty" yaml:"vrfTenant,omitempty"` + VmmController string `json:"vmmController,omitempty" yaml:"vmmController,omitempty"` + VmmDomain string `json:"vmmDomain,omitempty" yaml:"vmmDomain,omitempty"` } diff --git a/pkg/client/go.mod b/pkg/client/go.mod index 4ad8348daf4..fba887b0f65 100644 --- a/pkg/client/go.mod +++ b/pkg/client/go.mod @@ -5,7 +5,7 @@ go 1.17 replace k8s.io/client-go => k8s.io/client-go v0.18.8 require ( - github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a + github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b k8s.io/apimachinery v0.24.0 ) diff --git a/pkg/client/go.sum b/pkg/client/go.sum index 12699dedc35..868f5aff354 100644 --- a/pkg/client/go.sum +++ b/pkg/client/go.sum 
@@ -500,8 +500,8 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T github.com/qri-io/starlib v0.4.2-0.20200213133954-ff2e8cd5ef8d/go.mod h1:7DPO4domFU579Ga6E61sB9VFNaniPVwJP5C4bBCu3wA= github.com/rancher/lasso v0.0.0-20200820172840-0e4cc0ef5cb0/go.mod h1:OhBBBO1pBwYp0hacWdnvSGOj+XE9yMLOLnaypIlic18= github.com/rancher/lasso v0.0.0-20220519004610-700f167d8324/go.mod h1:T6WoUopOHBWTGjnphruTJAgoZ+dpm6llvn6GDYaa7Kw= -github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a h1:sAnJ58als7qhLCzsIUjvawoHgojPOazxFi7xMi6r/d4= -github.com/rancher/norman v0.0.0-20230426211157-18989f78fc0a/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk= +github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b h1:DEDBVlylKTCC6KPl3BnPqsw3+aVygmcYwpJv3AJnOo0= +github.com/rancher/norman v0.0.0-20240205164525-bd13c653293b/go.mod h1:9zlHK0aLVQManRI6bpzRmuxAlTE70JKsN3JJ+PonHVk= github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106 h1:ed0NTDvIwulez4zVvBZ1U7mFe2PBxtHvJ9bn2l9bcZ8= github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106/go.mod h1:iKqQcYs4YSDjsme52OZtQU4jHPmLlIiM93aj2c8c/W8= github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= diff --git a/pkg/controllers/managementuser/rbac/cluster_handler.go b/pkg/controllers/managementuser/rbac/cluster_handler.go index 4432add7ac5..409ef045202 100644 --- a/pkg/controllers/managementuser/rbac/cluster_handler.go +++ b/pkg/controllers/managementuser/rbac/cluster_handler.go @@ -9,9 +9,11 @@ import ( "github.com/rancher/rancher/pkg/rbac" "github.com/rancher/rancher/pkg/types/config" k8srbac "k8s.io/api/rbac/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/tools/cache" ) 
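Review bot: The import block of cluster_handler.go now binds `k8s.io/apimachinery/pkg/api/errors` under two aliases, the new `apierrors` and the existing `k8serrors`, so the same helpers are reachable by two names in one file. Go accepts this, but a reader has to check that the two names mean the same package, and linters that flag duplicate imports will report it. I would drop the added `apierrors "k8s.io/apimachinery/pkg/api/errors"` line and have the new code use `k8serrors.NewNotFound(...)`. The import hunk of namespace_handler_test.go does the same thing twice: `v1 "k8s.io/api/rbac/v1"` beside `rbacv1`, and an unaliased `"k8s.io/apimachinery/pkg/api/errors"` beside `apierror`.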
@@ -19,6 +21,11 @@ const ( grbByRoleIndex = "management.cattle.io/grb-by-role" ) +var ( + errNotFound = apierrors.NewNotFound(schema.GroupResource{}, "") + errAlreadyExist = apierrors.NewAlreadyExists(schema.GroupResource{}, "") +) + func newClusterHandler(workload *config.UserContext) v3.ClusterHandlerFunc { //*clusterHandler { informer := workload.Management.Management.GlobalRoleBindings("").Controller().Informer() diff --git a/pkg/controllers/managementuser/rbac/handler_base_test.go b/pkg/controllers/managementuser/rbac/handler_base_test.go index 5ccbebdd328..c280afa7f02 100644 --- a/pkg/controllers/managementuser/rbac/handler_base_test.go +++ b/pkg/controllers/managementuser/rbac/handler_base_test.go 
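Review bot: `errNotFound` and `errAlreadyExist` are added to a non-test file with no comment saying what they are for, and both are built from an empty `schema.GroupResource{}` and an empty name, so any message they produce identifies no resource. If they only serve as canned errors for the tests added in this commit (their use is not visible in this hunk), they belong in a `_test.go` file rather than in the production package. Otherwise a comment such as `// errNotFound and errAlreadyExist are generic API errors for callers that only check apierrors.IsNotFound / apierrors.IsAlreadyExists.` would make the intent clear. `errAlreadyExist` would also read better as `errAlreadyExists`, matching the constructor it wraps.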
@@ -4,32 +4,180 @@ import ( "fmt" "testing" + apimgmtv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3" v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" - fakes "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3/fakes" + "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3/fakes" + fakes2 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes" "github.com/stretchr/testify/assert" + v1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime/schema" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" ) -var roles = map[string]*v3.RoleTemplate{ - "recursive1": { - RoleTemplateNames: []string{"recursive2"}, - }, - "recursive2": { - RoleTemplateNames: []string{"recursive1"}, - }, - "non-recursive": {}, - "inherit non-recursive": { - RoleTemplateNames: []string{"non-recursive"}, - }, +var ( + recursiveTestRoleTemplates = map[string]*v3.RoleTemplate{ + "recursive1": { + RoleTemplateNames: []string{"recursive2"}, + }, + "recursive2": { + RoleTemplateNames: []string{"recursive1"}, + }, + "non-recursive": {}, + "inherit non-recursive": { + RoleTemplateNames: []string{"non-recursive"}, + }, + } + createNSRoleTemplate = &v3.RoleTemplate{ + ObjectMeta: metav1.ObjectMeta{ + Name: "create-ns", + }, + Builtin: true, + Rules: []v1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"namespaces"}, + Verbs: []string{"create"}, + }, + }, + } +) + +type clientErrs struct { + getError error + updateError error + createError error } -func Test_gatherRoles(t *testing.T) { - manager := &manager{ +func setupManager(roleTemplates map[string]*v3.RoleTemplate, clusterRoles map[string]*v1.ClusterRole, roles map[string]*v1.Role, projects map[string]*v3.Project, crErrs, rtErrs, rErrs clientErrs) *manager { + return &manager{ rtLister: &fakes.RoleTemplateListerMock{ - GetFunc: roleListerGetFunc, + GetFunc: 
func(namespace string, name string) (*v3.RoleTemplate, error) { + if rtErrs.getError != nil { + return nil, rtErrs.getError + } + rt, ok := roleTemplates[name] + if !ok { + return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name) + } + return rt.DeepCopy(), nil + }, + ListFunc: func(namespace string, selector labels.Selector) ([]*v3.RoleTemplate, error) { + rts := make([]*v3.RoleTemplate, len(roleTemplates)) + for i := range roleTemplates { + rts = append(rts, roleTemplates[i]) + } + return rts, nil + }, }, + crLister: &fakes2.ClusterRoleListerMock{ + GetFunc: func(namespace string, name string) (*v1.ClusterRole, error) { + if crErrs.getError != nil { + return nil, crErrs.getError + } + cr, ok := clusterRoles[name] + if !ok { + return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name) + } + return cr.DeepCopy(), nil + }, + ListFunc: func(namespace string, selector labels.Selector) ([]*v1.ClusterRole, error) { + crs := make([]*v1.ClusterRole, len(roleTemplates)) + for i := range clusterRoles { + crs = append(crs, clusterRoles[i]) + } + return crs, nil + }, + }, + clusterRoles: &fakes2.ClusterRoleInterfaceMock{ + GetFunc: func(name string, opts metav1.GetOptions) (*v1.ClusterRole, error) { + if crErrs.getError != nil { + return nil, crErrs.getError + } + cr, ok := clusterRoles[name] + if !ok { + return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name) + } + return cr.DeepCopy(), nil + }, + UpdateFunc: func(cr *v1.ClusterRole) (*v1.ClusterRole, error) { + if crErrs.updateError != nil { + return nil, crErrs.updateError + } + _, ok := clusterRoles[cr.Name] + if !ok { + return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), cr.Name) + } + clusterRoles[cr.Name] = cr + return clusterRoles[cr.Name].DeepCopy(), nil + }, + CreateFunc: func(cr *v1.ClusterRole) (*v1.ClusterRole, error) { + if crErrs.createError != nil { + return nil, crErrs.createError 
+ } + _, ok := clusterRoles[cr.Name] + if ok { + return nil, errors.NewAlreadyExists(v3.RoleTemplateGroupVersionResource.GroupResource(), cr.Name) + } + clusterRoles[cr.Name] = cr + return clusterRoles[cr.Name].DeepCopy(), nil + }, + }, + rLister: &fakes2.RoleListerMock{ + GetFunc: func(namespace string, name string) (*v1.Role, error) { + if rErrs.getError != nil { + return nil, rErrs.getError + } + key := fmt.Sprintf("%s:%s", namespace, name) + r, ok := roles[key] + if !ok { + return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name) + } + return r.DeepCopy(), nil + }, + ListFunc: func(namespace string, selector labels.Selector) ([]*v1.Role, error) { + rs := make([]*v1.Role, len(roles)) + for i := range roles { + rs = append(rs, roles[i]) + } + return rs, nil + }, + }, + roles: &fakes2.RoleInterfaceMock{ + UpdateFunc: func(r *v1.Role) (*v1.Role, error) { + key := fmt.Sprintf("%s:%s", r.Namespace, r.Name) + _, ok := roles[key] + if ok { + return nil, errors.NewAlreadyExists(v3.RoleTemplateGroupVersionResource.GroupResource(), key) + } + roles[r.Name] = r + return roles[r.Name].DeepCopy(), nil + }, + GetNamespacedFunc: func(namespace string, name string, opts metav1.GetOptions) (*v1.Role, error) { + key := fmt.Sprintf("%s:%s", namespace, name) + r, ok := roles[key] + if !ok { + return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), name) + } + return r.DeepCopy(), nil + }, + }, + projectLister: &fakes.ProjectListerMock{ + ListFunc: func(namespace string, selector labels.Selector) ([]*apimgmtv3.Project, error) { + rs := make([]*v3.Project, len(projects)) + for i := range projects { + rs = append(rs, projects[i]) + } + return rs, nil + }, + }, + clusterName: "testcluster", } +} + +func Test_gatherRoles(t *testing.T) { + m := setupManager(recursiveTestRoleTemplates, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{}) + 
emptyRoleTemplates := make(map[string]*v3.RoleTemplate) type args struct { rt *v3.RoleTemplate @@ -44,7 +192,7 @@ func Test_gatherRoles(t *testing.T) { { name: "Non-recursive role, none inherited", args: args{ - rt: roles["non-recursive"], + rt: recursiveTestRoleTemplates["non-recursive"], roleTemplates: emptyRoleTemplates, depthCounter: 0, }, @@ -53,7 +201,7 @@ func Test_gatherRoles(t *testing.T) { { name: "Non-recursive role, inherits another", args: args{ - rt: roles["inherit non-recursive"], + rt: recursiveTestRoleTemplates["inherit non-recursive"], roleTemplates: emptyRoleTemplates, depthCounter: 0, }, @@ -62,7 +210,7 @@ func Test_gatherRoles(t *testing.T) { { name: "Recursive role", args: args{ - rt: roles["recursive1"], + rt: recursiveTestRoleTemplates["recursive1"], roleTemplates: emptyRoleTemplates, depthCounter: 0, }, @@ -72,7 +220,7 @@ func Test_gatherRoles(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - err := manager.gatherRoles(tt.args.rt, tt.args.roleTemplates, tt.args.depthCounter) + err := m.gatherRoles(tt.args.rt, tt.args.roleTemplates, tt.args.depthCounter) if tt.wantErr { assert.Error(t, err, "expected an error, received none") } else { @@ -81,14 +229,3 @@ func Test_gatherRoles(t *testing.T) { }) } } - -func roleListerGetFunc(ns, name string) (*v3.RoleTemplate, error) { - role, ok := roles[name] - if !ok { - return nil, errors.NewNotFound(schema.GroupResource{ - Group: v3.RoleTemplateGroupVersionKind.Group, - Resource: v3.RoleTemplateGroupVersionResource.Resource, - }, name) - } - return role, nil -} diff --git a/pkg/controllers/managementuser/rbac/namespace_handler.go b/pkg/controllers/managementuser/rbac/namespace_handler.go index e62931c8933..f03eb48e777 100644 --- a/pkg/controllers/managementuser/rbac/namespace_handler.go +++ b/pkg/controllers/managementuser/rbac/namespace_handler.go 
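Review bot: Every `ListFunc` in `setupManager` allocates its result with a non-zero length (`make([]*v3.RoleTemplate, len(roleTemplates))`) and then appends, so each returned list starts with that many nil pointers ahead of the real objects; the `crLister` one also sizes by `len(roleTemplates)` rather than `len(clusterRoles)`. Code under test that ranges over such a list would dereference nil or skip entries for the wrong reason, and `make(..., 0, n)` fixes it in all four fakes (rtLister, crLister, rLister, projectLister). Separately, `roles.UpdateFunc` returns AlreadyExists when the key is present and stores under `r.Name` while lookups use `namespace:name`, so updating an existing Role can never succeed in this fake. These mocks back the RBAC reconcile tests, so they should fail the same way the real client does; the corrected closures are below.

```go
// … unchanged: rtLister.GetFunc …
ListFunc: func(namespace string, selector labels.Selector) ([]*v3.RoleTemplate, error) {
	// Zero length, capacity only: append must not follow nil placeholders.
	rts := make([]*v3.RoleTemplate, 0, len(roleTemplates))
	// … unchanged: append loop and return; same change in the crLister, rLister and projectLister ListFuncs …
},
// … unchanged: crLister, clusterRoles, rLister …
roles: &fakes2.RoleInterfaceMock{
	UpdateFunc: func(r *v1.Role) (*v1.Role, error) {
		key := fmt.Sprintf("%s:%s", r.Namespace, r.Name)
		// Update of a missing object is NotFound, as with the real client.
		if _, ok := roles[key]; !ok {
			return nil, errors.NewNotFound(v3.RoleTemplateGroupVersionResource.GroupResource(), key)
		}
		roles[key] = r
		return roles[key].DeepCopy(), nil
	},
	// … unchanged: GetNamespacedFunc …
```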
@@ -334,7 +334,7 @@ func (n *nsLifecycle) reconcileNamespaceProjectClusterRole(ns *v1.Namespace) err return err } - roleCli := n.m.workload.RBAC.ClusterRoles("") + roleCli := n.m.clusterRoles nsInDesiredRole := false for _, c := range clusterRoles { cr, ok := c.(*rbacv1.ClusterRole) @@ -442,7 +442,7 @@ func (n *nsLifecycle) reconcileNamespaceProjectClusterRole(ns *v1.Namespace) err } func (m *manager) createProjectNSRole(roleName, verb, ns, projectName string) error { - roleCli := m.workload.RBAC.ClusterRoles("") + roleCli := m.clusterRoles cr := &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ diff --git a/pkg/controllers/managementuser/rbac/namespace_handler_test.go b/pkg/controllers/managementuser/rbac/namespace_handler_test.go index 4dd2d3fc358..d937debb30f 100644 --- a/pkg/controllers/managementuser/rbac/namespace_handler_test.go +++ b/pkg/controllers/managementuser/rbac/namespace_handler_test.go @@ -6,11 +6,13 @@ import ( "github.com/rancher/rancher/pkg/apis/management.cattle.io" apisV3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3" + v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes" - "github.com/rancher/rancher/pkg/types/config" "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" + v1 "k8s.io/api/rbac/v1" + "k8s.io/apimachinery/pkg/api/errors" apierror "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" 
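Review bot: The import hunk for namespace_handler_test.go now brings in `k8s.io/api/rbac/v1` as both `rbacv1` and `v1`, and `k8s.io/apimachinery/pkg/api/errors` as both `apierror` and `errors`. Two aliases for one package make it look as if two different RBAC or error types are in play when the assertions are read. Keep the existing aliases and write the new test against them, for example `startingCR *rbacv1.ClusterRole` and `apierror.NewInternalError(fmt.Errorf("some error"))`.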
@@ -177,31 +179,6 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) { }, err: test.indexerError, } - fakeRBACInterface := &fakeRBAC{ - clusterRoleFake: fakes.ClusterRoleInterfaceMock{ - CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { - newRoles = append(newRoles, in) - if test.createError != nil { - return nil, test.createError - } - return in, nil - }, - UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { - newRoles = append(newRoles, in) - if test.updateError != nil { - return nil, test.updateError - } - return in, nil - }, - DeleteFunc: func(name string, options *metav1.DeleteOptions) error { - deletedRoleNames = append(deletedRoleNames, name) - if test.deleteError != nil { - return test.deleteError - } - return nil - }, - }, - } fakeLister := &fakes.ClusterRoleListerMock{ GetFunc: func(namespace string, name string) (*rbacv1.ClusterRole, error) { if test.getError != nil { 
@@ -218,13 +195,34 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) { }, name) }, } + fakeClusterRoles := &fakes.ClusterRoleInterfaceMock{ + CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { + newRoles = append(newRoles, in) + if test.createError != nil { + return nil, test.createError + } + return in, nil + }, + UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { + newRoles = append(newRoles, in) + if test.updateError != nil { + return nil, test.updateError + } + return in, nil + }, + DeleteFunc: func(name string, options *metav1.DeleteOptions) error { + deletedRoleNames = append(deletedRoleNames, name) + if test.deleteError != nil { + return test.deleteError + } + return nil + }, + } lifecycle := nsLifecycle{ m: &manager{ - workload: &config.UserContext{ - RBAC: fakeRBACInterface, - }, - crLister: fakeLister, - crIndexer: &indexer, + crLister: fakeLister, + crIndexer: &indexer, + clusterRoles: fakeClusterRoles, }, } err := lifecycle.reconcileNamespaceProjectClusterRole(&corev1.Namespace{ 
@@ -253,6 +251,115 @@ func TestReconcileNamespaceProjectClusterRole(t *testing.T) { } +func TestCreateProjectNSRole(t *testing.T) { + t.Parallel() + crs := make(map[string]*v1.ClusterRole) + m := setupManager(make(map[string]*v3.RoleTemplate), crs, make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{}) + type testCase struct { + description string + verb string + namespace string + projectName string + startingCR *v1.ClusterRole + expectedCR *v1.ClusterRole + isErrExpected bool + expectedErr string + } + testCases := []testCase{ + { + description: "create get role", + verb: "get", + projectName: "p-123xyz", + expectedCR: &v1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: "p-123xyz-namespaces-readonly", + Annotations: map[string]string{ + projectNSAnn: "p-123xyz-namespaces-readonly", + }, + }, + }, + }, + { + description: "create edit role", + verb: "*", + projectName: "p-123xyz", + expectedCR: &v1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: "p-123xyz-namespaces-edit", + Annotations: map[string]string{ + projectNSAnn: "p-123xyz-namespaces-edit", + }, + }, + Rules: []v1.PolicyRule{ + { + APIGroups: []string{"management.cattle.io"}, + Verbs: []string{"manage-namespaces"}, + Resources: []string{"projects"}, + ResourceNames: []string{"p-123xyz"}, + }, + }, + }, + }, + { + description: "do not change role if already exists and return AlreadyExists error", + verb: "*", + projectName: "p-123xyz", + expectedCR: &v1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: "p-123xyz-namespaces-edit", + Annotations: map[string]string{ + projectNSAnn: "p-123xyz-namespaces-edit", + }, + }, + Rules: []v1.PolicyRule{ + { + APIGroups: []string{"management.cattle.io"}, + Verbs: []string{"manage-namespaces"}, + Resources: []string{"projects"}, + ResourceNames: []string{"p-123xyz"}, + }, + }, + }, + startingCR: &v1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: "p-123xyz-namespaces-edit", + Annotations: 
map[string]string{ + projectNSAnn: "p-123xyz-namespaces-edit", + }, + }, + Rules: []v1.PolicyRule{ + { + APIGroups: []string{"management.cattle.io"}, + Verbs: []string{"manage-namespaces"}, + Resources: []string{"projects"}, + ResourceNames: []string{"p-123xyz"}, + }, + }, + }, + isErrExpected: true, + expectedErr: "roletemplates.management.cattle.io \"p-123xyz-namespaces-edit\" already exists", + }, + } + for _, test := range testCases { + if test.startingCR != nil { + crs[test.startingCR.Name] = test.startingCR + } + err := m.createProjectNSRole(fmt.Sprintf(projectNSGetClusterRoleNameFmt, test.projectName, projectNSVerbToSuffix[test.verb]), test.verb, test.namespace, test.projectName) + if test.isErrExpected { + assert.NotNil(t, err, test.description) + } else { + assert.Nil(t, err) + } + assert.Equal(t, test.expectedCR, crs[test.expectedCR.Name], test.description) + delete(crs, test.expectedCR.Name) + } + m = setupManager(make(map[string]*v3.RoleTemplate), crs, make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{createError: errors.NewInternalError(fmt.Errorf("some error"))}, clientErrs{}, clientErrs{}) + description := "test should return non-AlreadyExists error" + err := m.createProjectNSRole(fmt.Sprintf(projectNSGetClusterRoleNameFmt, "p-123xyz", "edit"), "*", "", "p-123xyz") + assert.NotNil(t, err, description) + assert.Equal(t, "Internal error occurred: some error", err.Error(), description) +} + func createClusterRoleForProject(projectName string, namespace string, verb string) *rbacv1.ClusterRole { cr := createBaseClusterRoleForProject(projectName, verb) return addNamespaceToClusterRole(namespace, verb, cr) diff --git a/pkg/controllers/managementuser/rbac/project_handler_test.go b/pkg/controllers/managementuser/rbac/project_handler_test.go index 504ee8593e1..b0d1a0e767b 100644 --- a/pkg/controllers/managementuser/rbac/project_handler_test.go +++ b/pkg/controllers/managementuser/rbac/project_handler_test.go 
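Review bot: The `expectedErr` set on the "already exists" case in TestCreateProjectNSRole is never compared; the loop only runs `assert.NotNil(t, err, test.description)`, so any error satisfies it. Replace that assertion with `assert.EqualError(t, err, test.expectedErr, test.description)`. In the same case `startingCR` is identical to `expectedCR`, so the final `assert.Equal` cannot tell an untouched ClusterRole from one that was overwritten with freshly generated content. Give `startingCR` a rule or annotation that createProjectNSRole would not produce, so that an overwrite of existing RBAC state fails the test.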
@@ -7,7 +7,6 @@ import ( v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" v1 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1" "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1/fakes" - "github.com/rancher/rancher/pkg/types/config" "github.com/stretchr/testify/assert" rbacv1 "k8s.io/api/rbac/v1" apierror "k8s.io/apimachinery/pkg/api/errors" @@ -103,17 +102,13 @@ func TestCreate(t *testing.T) { }, name) }, }, - workload: &config.UserContext{ - RBAC: &fakeRBAC{ - clusterRoleFake: fakes.ClusterRoleInterfaceMock{ - CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { - newCRs = append(newCRs, in) - if test.createErr != nil { - return nil, test.createErr - } - return in, nil - }, - }, + clusterRoles: &fakes.ClusterRoleInterfaceMock{ + CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { + newCRs = append(newCRs, in) + if test.createErr != nil { + return nil, test.createErr + } + return in, nil }, }, }, @@ -288,6 +283,13 @@ func TestUpdated(t *testing.T) { }, }, clusterRoles: &fakes.ClusterRoleInterfaceMock{ + CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { + newCRs = append(newCRs, in) + if test.createError != nil { + return nil, test.createError + } + return in, nil + }, UpdateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { newCRs = append(newCRs, in) if test.updError != nil { @@ -296,19 +298,6 @@ func TestUpdated(t *testing.T) { return in, nil }, }, - workload: &config.UserContext{ - RBAC: &fakeRBAC{ - clusterRoleFake: fakes.ClusterRoleInterfaceMock{ - CreateFunc: func(in *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { - newCRs = append(newCRs, in) - if test.createError != nil { - return nil, test.createError - } - return in, nil - }, - }, - }, - }, }, } _, err := lifecycle.Updated(project) 
diff --git a/pkg/controllers/managementuser/rbac/prtb_handler.go b/pkg/controllers/managementuser/rbac/prtb_handler.go index 4ca4386b636..a4dc1516668 100644 --- a/pkg/controllers/managementuser/rbac/prtb_handler.go +++ b/pkg/controllers/managementuser/rbac/prtb_handler.go @@ -3,6 +3,7 @@ package rbac import ( "reflect" "sort" + "strings" "github.com/hashicorp/go-multierror" "github.com/pkg/errors" @@ -161,7 +162,11 @@ func (p *prtbLifecycle) ensurePRTBDelete(binding *v3.ProjectRoleTemplateBinding) } func (p *prtbLifecycle) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, rts map[string]*v3.RoleTemplate) error { - _, err := p.m.reconcileProjectAccessToGlobalResources(binding, rts) + roles, err := p.m.ensureGlobalResourcesRolesForPRTB(parseProjectName(binding.ProjectName), rts) + if err != nil { + return err + } + _, err = p.m.reconcileProjectAccessToGlobalResources(binding, roles) if err != nil { return err } @@ -277,7 +282,7 @@ func (m *manager) checkForGlobalResourceRules(role *v3.RoleTemplate, resource st // Ensure the clusterRole used to grant access of global resources to users/groups in projects has appropriate rules for the given resource and verbs func (m *manager) reconcileRoleForProjectAccessToGlobalResource(resource string, rt *v3.RoleTemplate, newVerbs map[string]bool, baseRule rbacv1.PolicyRule) (string, error) { - clusterRoles := m.workload.RBAC.ClusterRoles("") + clusterRoles := m.clusterRoles roleName := rt.Name + "-promoted" if role, err := m.crLister.Get("", roleName); err == nil && role != nil { currentVerbs := map[string]bool{} @@ -465,3 +470,11 @@ func (p *prtbLifecycle) reconcilePRTBUserClusterLabels(binding *v3.ProjectRoleTe }) return retryErr } + +func parseProjectName(id string) string { + parts := strings.SplitN(id, ":", 2) + if len(parts) != 2 || len(parts[1]) == 0 { + return "" + } + return parts[1] +} 
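Review bot: `parseProjectName` in the last hunk has no doc comment, and its `""` result for a malformed ID is what makes the callers skip global-resource reconciliation without any signal. Add `// parseProjectName returns the part of id after the first ":" or "" when id has no such non-empty part.` above it. Because ensureGlobalResourcesRolesForPRTB returns `nil, nil` for an empty name, a binding with an unexpected ProjectName appears to be passed over silently. A log line at the call in `prtbLifecycle.reconcileProjectAccessToGlobalResources` would make that case visible to whoever is debugging missing permissions.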
diff --git a/pkg/controllers/managementuser/rbac/reconcile_roletemplate.go b/pkg/controllers/managementuser/rbac/reconcile_roletemplate.go index ef16be7a6e3..1da30b751ec 100644 --- a/pkg/controllers/managementuser/rbac/reconcile_roletemplate.go +++ b/pkg/controllers/managementuser/rbac/reconcile_roletemplate.go @@ -2,7 +2,6 @@ package rbac import ( "fmt" - "strings" "github.com/rancher/norman/types/slice" v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" 
@@ -13,68 +12,13 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, rts map[string]*v3.RoleTemplate) (map[string]bool, error) { - var role string - var createNSPerms bool - var roles []string - if parts := strings.SplitN(binding.ProjectName, ":", 2); len(parts) == 2 && len(parts[1]) > 0 { - projectName := parts[1] - var roleVerb, roleSuffix string - for _, r := range rts { - for _, rule := range r.Rules { - if slice.ContainsString(rule.Resources, "namespaces") && len(rule.ResourceNames) == 0 { - if slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create") { - roleVerb = "*" - createNSPerms = true - break - } - } - - } - } - if roleVerb == "" { - roleVerb = "get" - } - roleSuffix = projectNSVerbToSuffix[roleVerb] - role = fmt.Sprintf(projectNSGetClusterRoleNameFmt, projectName, roleSuffix) - roles = append(roles, role) - - for _, rt := range rts { - for resource, baseRule := range globalResourceRulesNeededInProjects { - verbs, err := m.checkForGlobalResourceRules(rt, resource, baseRule) - if err != nil { - return nil, err - } - if len(verbs) > 0 { - roleName, err := m.reconcileRoleForProjectAccessToGlobalResource(resource, rt, verbs, baseRule) - if err != nil { - return nil, err - } - roles = append(roles, roleName) - } - } - } - } - +func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRoleTemplateBinding, roles []string) (map[string]bool, error) { if len(roles) == 0 { return nil, nil } bindingCli := m.workload.RBAC.ClusterRoleBindings("") - if createNSPerms { - roles = append(roles, "create-ns") - if nsRole, _ := m.crLister.Get("", "create-ns"); nsRole == nil { - createNSRT, err := m.rtLister.Get("", "create-ns") - if err != nil { - return nil, err - } - if err := m.ensureRoles(map[string]*v3.RoleTemplate{"create-ns": createNSRT}); err != nil && !apierrors.IsAlreadyExists(err) { - return nil, err - } - } - } 
- rtbUID := binding.Namespace + "_" + binding.Name subject, err := pkgrbac.BuildSubjectFromRTB(binding) if err != nil { 
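Review bot: `reconcileProjectAccessToGlobalResources` now takes ready-made role names but has no comment saying it no longer ensures those roles exist. A future caller that skips ensureGlobalResourcesRolesForPRTB would presumably bind the subject to ClusterRoles that may be absent. Add a doc comment such as `// reconcileProjectAccessToGlobalResources binds the PRTB subject to the named ClusterRoles; callers must ensure the roles exist first (see ensureGlobalResourcesRolesForPRTB).`. The function body continues past this hunk, so how the names are consumed is not visible here.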
@@ -147,3 +91,62 @@ func (m *manager) reconcileProjectAccessToGlobalResources(binding *v3.ProjectRol return crbsToKeep, nil } + +// EnsureGlobalResourcesRolesForPRTB ensures that all necessary roles exist and contain the rules needed to +// enforce permissions described by RoleTemplate rules. A slice of strings indicating role names is returned. +func (m *manager) ensureGlobalResourcesRolesForPRTB(projectName string, rts map[string]*v3.RoleTemplate) ([]string, error) { + var role string + var roles []string + + if projectName == "" { + return nil, nil + } + + var roleVerb, roleSuffix string + for _, r := range rts { + for _, rule := range r.Rules { + hasNamespaceResources := slice.ContainsString(rule.Resources, "namespaces") || slice.ContainsString(rule.Resources, "*") + hasNamespaceGroup := slice.ContainsString(rule.APIGroups, "") || slice.ContainsString(rule.APIGroups, "*") + if hasNamespaceGroup && hasNamespaceResources && len(rule.ResourceNames) == 0 { + if slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create") { + roleVerb = "*" + roles = append(roles, "create-ns") + if nsRole, _ := m.crLister.Get("", "create-ns"); nsRole == nil { + createNSRT, err := m.rtLister.Get("", "create-ns") + if err != nil { + return nil, err + } + if err := m.ensureRoles(map[string]*v3.RoleTemplate{"create-ns": createNSRT}); err != nil && !apierrors.IsAlreadyExists(err) { + return nil, err + } + } + break + } + } + + } + } + if roleVerb == "" { + roleVerb = "get" + } + roleSuffix = projectNSVerbToSuffix[roleVerb] + role = fmt.Sprintf(projectNSGetClusterRoleNameFmt, projectName, roleSuffix) + roles = append(roles, role) + + for _, rt := range rts { + for resource, baseRule := range globalResourceRulesNeededInProjects { + verbs, err := m.checkForGlobalResourceRules(rt, resource, baseRule) + if err != nil { + return nil, err + } + if len(verbs) > 0 { + roleName, err := m.reconcileRoleForProjectAccessToGlobalResource(resource, rt, verbs, baseRule) + if err != 
nil { + return nil, err + } + roles = append(roles, roleName) + } + } + } + return roles, nil +} diff --git a/pkg/controllers/managementuser/rbac/reconcile_roletemplate_test.go b/pkg/controllers/managementuser/rbac/reconcile_roletemplate_test.go new file mode 100644 index 00000000000..bfef67441cc --- /dev/null +++ b/pkg/controllers/managementuser/rbac/reconcile_roletemplate_test.go 
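Review bot: In ensureGlobalResourcesRolesForPRTB the `break` after the create-ns handling leaves only the inner `rule` loop, so the outer loop over `rts` keeps going. Each further RoleTemplate with a namespace create rule appends another `"create-ns"` and repeats the crLister/rtLister lookup. The removed code tracked this with the `createNSPerms` flag and appended the name once. Recording the match in a flag and doing the append and lookup after the loops restores that and keeps the returned order the same. Separately, the doc comment opens with `EnsureGlobalResourcesRolesForPRTB` while the function is unexported, so it should start with the lower-case name.

```go
	// … unchanged: declarations and the empty projectName guard …
	needCreateNS := false
scan:
	for _, r := range rts {
		for _, rule := range r.Rules {
			// … unchanged: hasNamespaceResources / hasNamespaceGroup …
			if hasNamespaceGroup && hasNamespaceResources && len(rule.ResourceNames) == 0 &&
				(slice.ContainsString(rule.Verbs, "*") || slice.ContainsString(rule.Verbs, "create")) {
				needCreateNS = true
				break scan
			}
		}
	}
	if needCreateNS {
		roleVerb = "*"
		roles = append(roles, "create-ns")
		// … unchanged: crLister/rtLister lookup and ensureRoles for "create-ns" …
	}
	// … unchanged: roleVerb default, project namespaces role name, promoted-role loop …
```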
@@ -0,0 +1,255 @@ +package rbac + +import ( + "testing" + + "github.com/pkg/errors" + + apierrors "k8s.io/apimachinery/pkg/api/errors" + + v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" + "github.com/stretchr/testify/assert" + v1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func TestEnsureGlobalResourcesRolesForPRTB(t *testing.T) { + t.Parallel() + m := setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{}) + type testCase struct { + description string + projectName string + roleTemplates map[string]*v3.RoleTemplate + expectedRoles []string + isErrExpected bool + } + testCases := []testCase{ + { + description: "global resource rule should grant namespace read", + projectName: "testproject", + expectedRoles: []string{"testproject-namespaces-readonly"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt1": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt1", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"*"}, + APIGroups: []string{""}, + Resources: []string{"configmaps"}, + }, + }, + }, + }, + }, + { + description: "namespace create rule should grant create-ns and a namespaces-edit role", + projectName: "testproject", + expectedRoles: []string{"create-ns", "testproject-namespaces-edit"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt2": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt2", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"create"}, + APIGroups: []string{""}, + Resources: []string{"namespaces"}, + }, + }, + }, + }, + }, + { + description: "namespace create rule for other API group should grant namespaces-read role only", + projectName: "testproject", + expectedRoles: []string{"testproject-namespaces-readonly"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt3": { + ObjectMeta: metav1.ObjectMeta{ + Name: 
"testrt3", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"create"}, + APIGroups: []string{"some.other.apigroup"}, + Resources: []string{"namespaces"}, + }, + }, + }, + }, + }, + { + description: "namespace * rule for other API group should grant namespaces-read role only", + projectName: "testproject", + expectedRoles: []string{"testproject-namespaces-readonly"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt4": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt4", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"*"}, + APIGroups: []string{"some.other.apigroup"}, + Resources: []string{"namespaces"}, + }, + }, + }, + }, + }, + { + description: "global resource rule result in promoted role returned", + projectName: "testproject", + expectedRoles: []string{"testproject-namespaces-readonly", "testrt5-promoted"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt5": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt5", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"*"}, + APIGroups: []string{"catalog.cattle.io"}, + Resources: []string{"clusterrepos"}, + }, + }, + }, + }, + }, + { + description: "empty project name will result in no roles returned", + projectName: "", + expectedRoles: nil, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt6": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt6", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"*"}, + APIGroups: []string{"catalog.cattle.io"}, + Resources: []string{"clusterrepos"}, + }, + }, + }, + }, + }, + { + description: "* resources and non-core APIGroup should only result in namespace-readonly role", + projectName: "testproject", + expectedRoles: []string{"testproject-namespaces-readonly"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt7": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt7", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"*"}, + APIGroups: []string{"some.other.apigroup"}, + Resources: []string{"*"}, + }, + }, + }, + }, + }, + { + description: 
"* resources and * APIGroup should only result in namespace-readonly and promoted role", + projectName: "testproject", + // at the time of adding these tests ensureGlobalResourceRoleForPRTB returns duplicate promoted roles + // names per applicable rule found in globalResourceRulesNeededInProjects. This is not incompatible with + // current reconcile logic but should be fixed in the future. + expectedRoles: []string{"create-ns", "testproject-namespaces-edit", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted", "testrt8-promoted"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt8": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt8", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + }, + }, + }, + }, + { + description: "* resources and core (\"\") APIGroup should only result in namespace-readonly and promoted role", + projectName: "testproject", + expectedRoles: []string{"create-ns", "testproject-namespaces-edit", "testrt9-promoted", "testrt9-promoted"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt9": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt9", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"*"}, + APIGroups: []string{""}, + Resources: []string{"*"}, + }, + }, + }, + }, + }, + } + for _, test := range testCases { + test := test + t.Run(test.description, func(t *testing.T) { + t.Parallel() + roles, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates) + assert.Nil(t, err) + assert.Equal(t, test.expectedRoles, roles, test.description) + }) + } + + test := testCase{ + projectName: "testproject", + expectedRoles: []string{"create-ns", "testproject-namespaces-edit"}, + roleTemplates: map[string]*v3.RoleTemplate{ + "testrt": { + ObjectMeta: metav1.ObjectMeta{ + Name: "testrt", + }, + Rules: []v1.PolicyRule{ + { + Verbs: []string{"create"}, + APIGroups: []string{""}, + Resources: 
[]string{"namespaces"}, + }, + }, + }, + }, + } + m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{getError: errNotFound}, clientErrs{}) + test1 := test + test1.description = "error return when RoleTemplate client returns error" + t.Run(test.description, func(t *testing.T) { + t.Parallel() + _, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates) + assert.NotNil(t, err) + }) + m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{}, clientErrs{}, clientErrs{createError: errAlreadyExist}) + test2 := test + test2.description = "error return when Role client returns error" + t.Run(test.description, func(t *testing.T) { + t.Parallel() + _, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates) + assert.NotNil(t, err) + }) + m = setupManager(map[string]*v3.RoleTemplate{"create-ns": createNSRoleTemplate}, make(map[string]*v1.ClusterRole), make(map[string]*v1.Role), make(map[string]*v3.Project), clientErrs{getError: apierrors.NewInternalError(errors.New("error"))}, clientErrs{}, clientErrs{}) + test3 := test + test3.description = "error return when ClusterRole client returns error and RoleTemplate is external" + test3.roleTemplates["testrt"].External = true + t.Run(test.description, func(t *testing.T) { + t.Parallel() + _, err := m.ensureGlobalResourcesRolesForPRTB(test.projectName, test.roleTemplates) + assert.NotNil(t, err) + }) +} diff --git a/pkg/controllers/managementuser/rbac/roletemplate_handler.go b/pkg/controllers/managementuser/rbac/roletemplate_handler.go index 81f5e776035..b5e6eaea402 100644 --- a/pkg/controllers/managementuser/rbac/roletemplate_handler.go +++ b/pkg/controllers/managementuser/rbac/roletemplate_handler.go 
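Review bot: Every subtest in TestEnsureGlobalResourcesRolesForPRTB calls `t.Parallel()` and closes over the single variable `m`, which is reassigned three times further down. Parallel subtests only resume once the enclosing function returns, so all of them, including the table-driven cases, run against the last manager rather than the one built for them. The three error-path subtests also pass `test.description` (empty) and `test.roleTemplates` instead of `test1`/`test2`/`test3`. In addition, `test3.roleTemplates["testrt"].External = true` mutates the RoleTemplate shared by all three copies. As written, the RoleTemplate-client and Role-client failure paths of this RBAC code are not exercised. Keep each manager in its own variable captured by its subtest (or drop the inner `t.Parallel()`), build a separate `roleTemplates` map for the external case, and call `t.Run(test1.description, func(t *testing.T) {` with the matching struct.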
@@ -54,18 +54,18 @@ func (c *rtSync) sync(key string, obj *v3.RoleTemplate) (runtime.Object, error) } func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []interface{}, crtbs []interface{}) error { - roles := map[string]*v3.RoleTemplate{} - if err := c.m.gatherRoles(template, roles, 0); err != nil { + roleTemplates := map[string]*v3.RoleTemplate{} + if err := c.m.gatherRoles(template, roleTemplates, 0); err != nil { return err } - if err := c.m.ensureRoles(roles); err != nil { + if err := c.m.ensureRoles(roleTemplates); err != nil { return errors.Wrapf(err, "couldn't ensure roles") } rolesToKeep := make(map[string]bool) if usedInProjects { - for _, rt := range roles { + for _, rt := range roleTemplates { for resource, baseRule := range globalResourceRulesNeededInProjects { verbs, err := c.m.checkForGlobalResourceRules(rt, resource, baseRule) if err != nil { @@ -88,6 +88,10 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs [] continue } + roles, err := c.m.ensureGlobalResourcesRolesForPRTB(parseProjectName(prtb.ProjectName), roleTemplates) + if err != nil { + return err + } crbsToKeep, err := c.m.reconcileProjectAccessToGlobalResources(prtb, roles) if err != nil { return err @@ -117,7 +121,7 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs [] if !ns.DeletionTimestamp.IsZero() { continue } - if err := c.m.ensureProjectRoleBindings(ns.Name, roles, prtb); err != nil { + if err := c.m.ensureProjectRoleBindings(ns.Name, roleTemplates, prtb); err != nil { return errors.Wrapf(err, "couldn't ensure binding %v in %v", prtb.Name, ns.Name) } } @@ -128,7 +132,7 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs [] if !ok { continue } - if err := c.m.ensureClusterBindings(roles, crtb); err != nil { + if err := c.m.ensureClusterBindings(roleTemplates, crtb); err != nil { return err } } 
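Review bot: In the `@@ -88,6 +88,10 @@` hunk of syncRT, `ensureGlobalResourcesRolesForPRTB` is called once per PRTB, although its result depends only on the parsed project name and `roleTemplates`. Bindings in the same project therefore repeat the same lister lookups and promoted-role reconciliation, and the `usedInProjects` loop just above has already walked `globalResourceRulesNeededInProjects` for every template. Caching the result per project name for the duration of the call would avoid that, for example `rolesByProject := map[string][]string{}` filled on first use. The loop body starts and ends outside this hunk, so any early `continue` paths are not visible here.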
diff --git a/pkg/settings/setting.go b/pkg/settings/setting.go index bf2ce9c7bbb..ca8de381d51 100644 --- a/pkg/settings/setting.go +++ b/pkg/settings/setting.go @@ -85,7 +85,7 @@ var ( WhitelistDomain = NewSetting("whitelist-domain", "forums.rancher.com") WhitelistEnvironmentVars = NewSetting("whitelist-envvars", "HTTP_PROXY,HTTPS_PROXY,NO_PROXY") AuthUserInfoResyncCron = NewSetting("auth-user-info-resync-cron", "0 0 * * *") - APIUIVersion = NewSetting("api-ui-version", "1.1.10") // Please update the CATTLE_API_UI_VERSION in package/Dockerfile when updating the version here. + APIUIVersion = NewSetting("api-ui-version", "1.1.11") // Please update the CATTLE_API_UI_VERSION in package/Dockerfile when updating the version here. RotateCertsIfExpiringInDays = NewSetting("rotate-certs-if-expiring-in-days", "7") // 7 days ClusterTemplateEnforcement = NewSetting("cluster-template-enforcement", "false") InitialDockerRootDir = NewSetting("initial-docker-root-dir", "/var/lib/docker") diff --git a/tests/framework/clients/rancher/generated/management/v3/zz_generated_aci_network_provider.go b/tests/framework/clients/rancher/generated/management/v3/zz_generated_aci_network_provider.go index 707bc8fb87f..5e626065e92 100644 --- a/tests/framework/clients/rancher/generated/management/v3/zz_generated_aci_network_provider.go +++ b/tests/framework/clients/rancher/generated/management/v3/zz_generated_aci_network_provider.go 
@@ -1,172 +1,216 @@ package client const ( - AciNetworkProviderType = "aciNetworkProvider" - AciNetworkProviderFieldAEP = "aep" - AciNetworkProviderFieldAddExternalSubnetsToRdconfig = "addExternalSubnetsToRdconfig" - AciNetworkProviderFieldApicHosts = "apicHosts" - AciNetworkProviderFieldApicRefreshTickerAdjust = "apicRefreshTickerAdjust" - AciNetworkProviderFieldApicRefreshTime = "apicRefreshTime" - AciNetworkProviderFieldApicSubscriptionDelay = "apicSubscriptionDelay" - AciNetworkProviderFieldApicUserCrt = "apicUserCrt" - AciNetworkProviderFieldApicUserKey = "apicUserKey" - AciNetworkProviderFieldApicUserName = "apicUserName" - AciNetworkProviderFieldCApic = "capic" - AciNetworkProviderFieldControllerLogLevel = "controllerLogLevel" - AciNetworkProviderFieldDisablePeriodicSnatGlobalInfoSync = "disablePeriodicSnatGlobalInfoSync" - AciNetworkProviderFieldDisableWaitForNetwork = "disableWaitForNetwork" - AciNetworkProviderFieldDropLogEnable = "dropLogEnable" - AciNetworkProviderFieldDurationWaitForNetwork = "durationWaitForNetwork" - AciNetworkProviderFieldDynamicExternalSubnet = "externDynamic" - AciNetworkProviderFieldEnableEndpointSlice = "enableEndpointSlice" - AciNetworkProviderFieldEncapType = "encapType" - AciNetworkProviderFieldEpRegistry = "epRegistry" - AciNetworkProviderFieldGbpPodSubnet = "gbpPodSubnet" - AciNetworkProviderFieldHostAgentLogLevel = "hostAgentLogLevel" - AciNetworkProviderFieldHppOptimization = "hppOptimization" - AciNetworkProviderFieldImagePullPolicy = "imagePullPolicy" - AciNetworkProviderFieldImagePullSecret = "imagePullSecret" - AciNetworkProviderFieldInfraVlan = "infraVlan" - AciNetworkProviderFieldInstallIstio = "installIstio" - AciNetworkProviderFieldIstioProfile = "istioProfile" - AciNetworkProviderFieldKafkaBrokers = "kafkaBrokers" - AciNetworkProviderFieldKafkaClientCrt = "kafkaClientCrt" - AciNetworkProviderFieldKafkaClientKey = "kafkaClientKey" - AciNetworkProviderFieldKubeAPIVlan = "kubeApiVlan" - AciNetworkProviderFieldL3Out 
= "l3out" - AciNetworkProviderFieldL3OutExternalNetworks = "l3outExternalNetworks" - AciNetworkProviderFieldMTUHeadRoom = "mtuHeadRoom" - AciNetworkProviderFieldMaxNodesSvcGraph = "maxNodesSvcGraph" - AciNetworkProviderFieldMcastRangeEnd = "mcastRangeEnd" - AciNetworkProviderFieldMcastRangeStart = "mcastRangeStart" - AciNetworkProviderFieldMultusDisable = "multusDisable" - AciNetworkProviderFieldNoPriorityClass = "noPriorityClass" - AciNetworkProviderFieldNoWaitForServiceEpReadiness = "noWaitForServiceEpReadiness" - AciNetworkProviderFieldNodePodIfEnable = "nodePodIfEnable" - AciNetworkProviderFieldNodeSubnet = "nodeSubnet" - AciNetworkProviderFieldOVSMemoryLimit = "ovsMemoryLimit" - AciNetworkProviderFieldOpflexAgentLogLevel = "opflexLogLevel" - AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled = "opflexAgentOpflexAsyncjsonEnabled" - AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled = "opflexAgentOvsAsyncjsonEnabled" - AciNetworkProviderFieldOpflexClientSSL = "opflexClientSsl" - AciNetworkProviderFieldOpflexDeviceDeleteTimeout = "opflexDeviceDeleteTimeout" - AciNetworkProviderFieldOpflexMode = "opflexMode" - AciNetworkProviderFieldOpflexServerPort = "opflexServerPort" - AciNetworkProviderFieldOverlayVRFName = "overlayVrfName" - AciNetworkProviderFieldPBRTrackingNonSnat = "pbrTrackingNonSnat" - AciNetworkProviderFieldPodSubnetChunkSize = "podSubnetChunkSize" - AciNetworkProviderFieldRunGbpContainer = "runGbpContainer" - AciNetworkProviderFieldRunOpflexServerContainer = "runOpflexServerContainer" - AciNetworkProviderFieldServiceGraphEndpointAddDelay = "serviceGraphEndpointAddDelay" - AciNetworkProviderFieldServiceGraphEndpointAddServices = "serviceGraphEndpointAddServices" - AciNetworkProviderFieldServiceGraphSubnet = "nodeSvcSubnet" - AciNetworkProviderFieldServiceMonitorInterval = "serviceMonitorInterval" - AciNetworkProviderFieldServiceVlan = "serviceVlan" - AciNetworkProviderFieldSleepTimeSnatGlobalInfoSync = "sleepTimeSnatGlobalInfoSync" - 
AciNetworkProviderFieldSnatContractScope = "snatContractScope" - AciNetworkProviderFieldSnatNamespace = "snatNamespace" - AciNetworkProviderFieldSnatPortRangeEnd = "snatPortRangeEnd" - AciNetworkProviderFieldSnatPortRangeStart = "snatPortRangeStart" - AciNetworkProviderFieldSnatPortsPerNode = "snatPortsPerNode" - AciNetworkProviderFieldSriovEnable = "sriovEnable" - AciNetworkProviderFieldStaticExternalSubnet = "externStatic" - AciNetworkProviderFieldSubnetDomainName = "subnetDomainName" - AciNetworkProviderFieldSystemIdentifier = "systemId" - AciNetworkProviderFieldTenant = "tenant" - AciNetworkProviderFieldToken = "token" - AciNetworkProviderFieldUseAciAnywhereCRD = "useAciAnywhereCrd" - AciNetworkProviderFieldUseAciCniPriorityClass = "useAciCniPriorityClass" - AciNetworkProviderFieldUseClusterRole = "useClusterRole" - AciNetworkProviderFieldUseHostNetnsVolume = "useHostNetnsVolume" - AciNetworkProviderFieldUseOpflexServerVolume = "useOpflexServerVolume" - AciNetworkProviderFieldUsePrivilegedContainer = "usePrivilegedContainer" - AciNetworkProviderFieldVRFName = "vrfName" - AciNetworkProviderFieldVRFTenant = "vrfTenant" - AciNetworkProviderFieldVmmController = "vmmController" - AciNetworkProviderFieldVmmDomain = "vmmDomain" + AciNetworkProviderType = "aciNetworkProvider" + AciNetworkProviderFieldAEP = "aep" + AciNetworkProviderFieldAccProvisionOperatorMemoryLimit = "accProvisionOperatorMemoryLimit" + AciNetworkProviderFieldAccProvisionOperatorMemoryRequest = "accProvisionOperatorMemoryRequest" + AciNetworkProviderFieldAciContainersControllerMemoryLimit = "aciContainersControllerMemoryLimit" + AciNetworkProviderFieldAciContainersControllerMemoryRequest = "aciContainersControllerMemoryRequest" + AciNetworkProviderFieldAciContainersHostMemoryLimit = "aciContainersHostMemoryLimit" + AciNetworkProviderFieldAciContainersHostMemoryRequest = "aciContainersHostMemoryRequest" + AciNetworkProviderFieldAciContainersMemoryLimit = "aciContainersMemoryLimit" + 
AciNetworkProviderFieldAciContainersMemoryRequest = "aciContainersMemoryRequest" + AciNetworkProviderFieldAciContainersOperatorMemoryLimit = "aciContainersOperatorMemoryLimit" + AciNetworkProviderFieldAciContainersOperatorMemoryRequest = "aciContainersOperatorMemoryRequest" + AciNetworkProviderFieldAciMultipod = "aciMultipod" + AciNetworkProviderFieldAciMultipodUbuntu = "aciMultipodUbuntu" + AciNetworkProviderFieldAddExternalSubnetsToRdconfig = "addExternalSubnetsToRdconfig" + AciNetworkProviderFieldApicHosts = "apicHosts" + AciNetworkProviderFieldApicRefreshTickerAdjust = "apicRefreshTickerAdjust" + AciNetworkProviderFieldApicRefreshTime = "apicRefreshTime" + AciNetworkProviderFieldApicSubscriptionDelay = "apicSubscriptionDelay" + AciNetworkProviderFieldApicUserCrt = "apicUserCrt" + AciNetworkProviderFieldApicUserKey = "apicUserKey" + AciNetworkProviderFieldApicUserName = "apicUserName" + AciNetworkProviderFieldCApic = "capic" + AciNetworkProviderFieldControllerLogLevel = "controllerLogLevel" + AciNetworkProviderFieldDhcpDelay = "dhcpDelay" + AciNetworkProviderFieldDhcpRenewMaxRetryCount = "dhcpRenewMaxRetryCount" + AciNetworkProviderFieldDisablePeriodicSnatGlobalInfoSync = "disablePeriodicSnatGlobalInfoSync" + AciNetworkProviderFieldDisableWaitForNetwork = "disableWaitForNetwork" + AciNetworkProviderFieldDropLogEnable = "dropLogEnable" + AciNetworkProviderFieldDurationWaitForNetwork = "durationWaitForNetwork" + AciNetworkProviderFieldDynamicExternalSubnet = "externDynamic" + AciNetworkProviderFieldEnableEndpointSlice = "enableEndpointSlice" + AciNetworkProviderFieldEncapType = "encapType" + AciNetworkProviderFieldEpRegistry = "epRegistry" + AciNetworkProviderFieldGbpPodSubnet = "gbpPodSubnet" + AciNetworkProviderFieldHostAgentLogLevel = "hostAgentLogLevel" + AciNetworkProviderFieldHppOptimization = "hppOptimization" + AciNetworkProviderFieldImagePullPolicy = "imagePullPolicy" + AciNetworkProviderFieldImagePullSecret = "imagePullSecret" + 
AciNetworkProviderFieldInfraVlan = "infraVlan" + AciNetworkProviderFieldInstallIstio = "installIstio" + AciNetworkProviderFieldIstioProfile = "istioProfile" + AciNetworkProviderFieldKafkaBrokers = "kafkaBrokers" + AciNetworkProviderFieldKafkaClientCrt = "kafkaClientCrt" + AciNetworkProviderFieldKafkaClientKey = "kafkaClientKey" + AciNetworkProviderFieldKubeAPIVlan = "kubeApiVlan" + AciNetworkProviderFieldL3Out = "l3out" + AciNetworkProviderFieldL3OutExternalNetworks = "l3outExternalNetworks" + AciNetworkProviderFieldMTUHeadRoom = "mtuHeadRoom" + AciNetworkProviderFieldMaxNodesSvcGraph = "maxNodesSvcGraph" + AciNetworkProviderFieldMcastDaemonMemoryLimit = "mcastDaemonMemoryLimit" + AciNetworkProviderFieldMcastDaemonMemoryRequest = "mcastDaemonMemoryRequest" + AciNetworkProviderFieldMcastRangeEnd = "mcastRangeEnd" + AciNetworkProviderFieldMcastRangeStart = "mcastRangeStart" + AciNetworkProviderFieldMultusDisable = "multusDisable" + AciNetworkProviderFieldNoPriorityClass = "noPriorityClass" + AciNetworkProviderFieldNoWaitForServiceEpReadiness = "noWaitForServiceEpReadiness" + AciNetworkProviderFieldNodePodIfEnable = "nodePodIfEnable" + AciNetworkProviderFieldNodeSubnet = "nodeSubnet" + AciNetworkProviderFieldOVSMemoryLimit = "ovsMemoryLimit" + AciNetworkProviderFieldOVSMemoryRequest = "ovsMemoryRequest" + AciNetworkProviderFieldOpflexAgentLogLevel = "opflexLogLevel" + AciNetworkProviderFieldOpflexAgentMemoryLimit = "opflexAgentMemoryLimit" + AciNetworkProviderFieldOpflexAgentMemoryRequest = "opflexAgentMemoryRequest" + AciNetworkProviderFieldOpflexAgentOpflexAsyncjsonEnabled = "opflexAgentOpflexAsyncjsonEnabled" + AciNetworkProviderFieldOpflexAgentOvsAsyncjsonEnabled = "opflexAgentOvsAsyncjsonEnabled" + AciNetworkProviderFieldOpflexAgentPolicyRetryDelayTimer = "opflexAgentPolicyRetryDelayTimer" + AciNetworkProviderFieldOpflexClientSSL = "opflexClientSsl" + AciNetworkProviderFieldOpflexDeviceDeleteTimeout = "opflexDeviceDeleteTimeout" + 
AciNetworkProviderFieldOpflexDeviceReconnectWaitTimeout = "opflexDeviceReconnectWaitTimeout" + AciNetworkProviderFieldOpflexMode = "opflexMode" + AciNetworkProviderFieldOpflexServerPort = "opflexServerPort" + AciNetworkProviderFieldOverlayVRFName = "overlayVrfName" + AciNetworkProviderFieldPBRTrackingNonSnat = "pbrTrackingNonSnat" + AciNetworkProviderFieldPodSubnetChunkSize = "podSubnetChunkSize" + AciNetworkProviderFieldRunGbpContainer = "runGbpContainer" + AciNetworkProviderFieldRunOpflexServerContainer = "runOpflexServerContainer" + AciNetworkProviderFieldServiceGraphEndpointAddDelay = "serviceGraphEndpointAddDelay" + AciNetworkProviderFieldServiceGraphEndpointAddServices = "serviceGraphEndpointAddServices" + AciNetworkProviderFieldServiceGraphSubnet = "nodeSvcSubnet" + AciNetworkProviderFieldServiceMonitorInterval = "serviceMonitorInterval" + AciNetworkProviderFieldServiceVlan = "serviceVlan" + AciNetworkProviderFieldSleepTimeSnatGlobalInfoSync = "sleepTimeSnatGlobalInfoSync" + AciNetworkProviderFieldSnatContractScope = "snatContractScope" + AciNetworkProviderFieldSnatNamespace = "snatNamespace" + AciNetworkProviderFieldSnatPortRangeEnd = "snatPortRangeEnd" + AciNetworkProviderFieldSnatPortRangeStart = "snatPortRangeStart" + AciNetworkProviderFieldSnatPortsPerNode = "snatPortsPerNode" + AciNetworkProviderFieldSriovEnable = "sriovEnable" + AciNetworkProviderFieldStaticExternalSubnet = "externStatic" + AciNetworkProviderFieldSubnetDomainName = "subnetDomainName" + AciNetworkProviderFieldSystemIdentifier = "systemId" + AciNetworkProviderFieldTenant = "tenant" + AciNetworkProviderFieldToken = "token" + AciNetworkProviderFieldUseAciAnywhereCRD = "useAciAnywhereCrd" + AciNetworkProviderFieldUseAciCniPriorityClass = "useAciCniPriorityClass" + AciNetworkProviderFieldUseClusterRole = "useClusterRole" + AciNetworkProviderFieldUseHostNetnsVolume = "useHostNetnsVolume" + AciNetworkProviderFieldUseOpflexServerVolume = "useOpflexServerVolume" + 
AciNetworkProviderFieldUsePrivilegedContainer = "usePrivilegedContainer" + AciNetworkProviderFieldUseSystemNodePriorityClass = "useSystemNodePriorityClass" + AciNetworkProviderFieldVRFName = "vrfName" + AciNetworkProviderFieldVRFTenant = "vrfTenant" + AciNetworkProviderFieldVmmController = "vmmController" + AciNetworkProviderFieldVmmDomain = "vmmDomain" ) type AciNetworkProvider struct { - AEP string `json:"aep,omitempty" yaml:"aep,omitempty"` - AddExternalSubnetsToRdconfig string `json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"` - ApicHosts []string `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"` - ApicRefreshTickerAdjust string `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"` - ApicRefreshTime string `json:"apicRefreshTime,omitempty" yaml:"apicRefreshTime,omitempty"` - ApicSubscriptionDelay string `json:"apicSubscriptionDelay,omitempty" yaml:"apicSubscriptionDelay,omitempty"` - ApicUserCrt string `json:"apicUserCrt,omitempty" yaml:"apicUserCrt,omitempty"` - ApicUserKey string `json:"apicUserKey,omitempty" yaml:"apicUserKey,omitempty"` - ApicUserName string `json:"apicUserName,omitempty" yaml:"apicUserName,omitempty"` - CApic string `json:"capic,omitempty" yaml:"capic,omitempty"` - ControllerLogLevel string `json:"controllerLogLevel,omitempty" yaml:"controllerLogLevel,omitempty"` - DisablePeriodicSnatGlobalInfoSync string `json:"disablePeriodicSnatGlobalInfoSync,omitempty" yaml:"disablePeriodicSnatGlobalInfoSync,omitempty"` - DisableWaitForNetwork string `json:"disableWaitForNetwork,omitempty" yaml:"disableWaitForNetwork,omitempty"` - DropLogEnable string `json:"dropLogEnable,omitempty" yaml:"dropLogEnable,omitempty"` - DurationWaitForNetwork string `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"` - DynamicExternalSubnet string `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"` - EnableEndpointSlice string 
`json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"` - EncapType string `json:"encapType,omitempty" yaml:"encapType,omitempty"` - EpRegistry string `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"` - GbpPodSubnet string `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"` - HostAgentLogLevel string `json:"hostAgentLogLevel,omitempty" yaml:"hostAgentLogLevel,omitempty"` - HppOptimization string `json:"hppOptimization,omitempty" yaml:"hppOptimization,omitempty"` - ImagePullPolicy string `json:"imagePullPolicy,omitempty" yaml:"imagePullPolicy,omitempty"` - ImagePullSecret string `json:"imagePullSecret,omitempty" yaml:"imagePullSecret,omitempty"` - InfraVlan string `json:"infraVlan,omitempty" yaml:"infraVlan,omitempty"` - InstallIstio string `json:"installIstio,omitempty" yaml:"installIstio,omitempty"` - IstioProfile string `json:"istioProfile,omitempty" yaml:"istioProfile,omitempty"` - KafkaBrokers []string `json:"kafkaBrokers,omitempty" yaml:"kafkaBrokers,omitempty"` - KafkaClientCrt string `json:"kafkaClientCrt,omitempty" yaml:"kafkaClientCrt,omitempty"` - KafkaClientKey string `json:"kafkaClientKey,omitempty" yaml:"kafkaClientKey,omitempty"` - KubeAPIVlan string `json:"kubeApiVlan,omitempty" yaml:"kubeApiVlan,omitempty"` - L3Out string `json:"l3out,omitempty" yaml:"l3out,omitempty"` - L3OutExternalNetworks []string `json:"l3outExternalNetworks,omitempty" yaml:"l3outExternalNetworks,omitempty"` - MTUHeadRoom string `json:"mtuHeadRoom,omitempty" yaml:"mtuHeadRoom,omitempty"` - MaxNodesSvcGraph string `json:"maxNodesSvcGraph,omitempty" yaml:"maxNodesSvcGraph,omitempty"` - McastRangeEnd string `json:"mcastRangeEnd,omitempty" yaml:"mcastRangeEnd,omitempty"` - McastRangeStart string `json:"mcastRangeStart,omitempty" yaml:"mcastRangeStart,omitempty"` - MultusDisable string `json:"multusDisable,omitempty" yaml:"multusDisable,omitempty"` - NoPriorityClass string `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"` - 
NoWaitForServiceEpReadiness string `json:"noWaitForServiceEpReadiness,omitempty" yaml:"noWaitForServiceEpReadiness,omitempty"` - NodePodIfEnable string `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"` - NodeSubnet string `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"` - OVSMemoryLimit string `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"` - OpflexAgentLogLevel string `json:"opflexLogLevel,omitempty" yaml:"opflexLogLevel,omitempty"` - OpflexAgentOpflexAsyncjsonEnabled string `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"` - OpflexAgentOvsAsyncjsonEnabled string `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"` - OpflexClientSSL string `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"` - OpflexDeviceDeleteTimeout string `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"` - OpflexMode string `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"` - OpflexServerPort string `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"` - OverlayVRFName string `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"` - PBRTrackingNonSnat string `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"` - PodSubnetChunkSize string `json:"podSubnetChunkSize,omitempty" yaml:"podSubnetChunkSize,omitempty"` - RunGbpContainer string `json:"runGbpContainer,omitempty" yaml:"runGbpContainer,omitempty"` - RunOpflexServerContainer string `json:"runOpflexServerContainer,omitempty" yaml:"runOpflexServerContainer,omitempty"` - ServiceGraphEndpointAddDelay string `json:"serviceGraphEndpointAddDelay,omitempty" yaml:"serviceGraphEndpointAddDelay,omitempty"` - ServiceGraphEndpointAddServices []map[string]string `json:"serviceGraphEndpointAddServices,omitempty" yaml:"serviceGraphEndpointAddServices,omitempty"` - ServiceGraphSubnet string 
`json:"nodeSvcSubnet,omitempty" yaml:"nodeSvcSubnet,omitempty"` - ServiceMonitorInterval string `json:"serviceMonitorInterval,omitempty" yaml:"serviceMonitorInterval,omitempty"` - ServiceVlan string `json:"serviceVlan,omitempty" yaml:"serviceVlan,omitempty"` - SleepTimeSnatGlobalInfoSync string `json:"sleepTimeSnatGlobalInfoSync,omitempty" yaml:"sleepTimeSnatGlobalInfoSync,omitempty"` - SnatContractScope string `json:"snatContractScope,omitempty" yaml:"snatContractScope,omitempty"` - SnatNamespace string `json:"snatNamespace,omitempty" yaml:"snatNamespace,omitempty"` - SnatPortRangeEnd string `json:"snatPortRangeEnd,omitempty" yaml:"snatPortRangeEnd,omitempty"` - SnatPortRangeStart string `json:"snatPortRangeStart,omitempty" yaml:"snatPortRangeStart,omitempty"` - SnatPortsPerNode string `json:"snatPortsPerNode,omitempty" yaml:"snatPortsPerNode,omitempty"` - SriovEnable string `json:"sriovEnable,omitempty" yaml:"sriovEnable,omitempty"` - StaticExternalSubnet string `json:"externStatic,omitempty" yaml:"externStatic,omitempty"` - SubnetDomainName string `json:"subnetDomainName,omitempty" yaml:"subnetDomainName,omitempty"` - SystemIdentifier string `json:"systemId,omitempty" yaml:"systemId,omitempty"` - Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"` - Token string `json:"token,omitempty" yaml:"token,omitempty"` - UseAciAnywhereCRD string `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"` - UseAciCniPriorityClass string `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"` - UseClusterRole string `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"` - UseHostNetnsVolume string `json:"useHostNetnsVolume,omitempty" yaml:"useHostNetnsVolume,omitempty"` - UseOpflexServerVolume string `json:"useOpflexServerVolume,omitempty" yaml:"useOpflexServerVolume,omitempty"` - UsePrivilegedContainer string `json:"usePrivilegedContainer,omitempty" yaml:"usePrivilegedContainer,omitempty"` - VRFName string 
`json:"vrfName,omitempty" yaml:"vrfName,omitempty"` - VRFTenant string `json:"vrfTenant,omitempty" yaml:"vrfTenant,omitempty"` - VmmController string `json:"vmmController,omitempty" yaml:"vmmController,omitempty"` - VmmDomain string `json:"vmmDomain,omitempty" yaml:"vmmDomain,omitempty"` + AEP string `json:"aep,omitempty" yaml:"aep,omitempty"` + AccProvisionOperatorMemoryLimit string `json:"accProvisionOperatorMemoryLimit,omitempty" yaml:"accProvisionOperatorMemoryLimit,omitempty"` + AccProvisionOperatorMemoryRequest string `json:"accProvisionOperatorMemoryRequest,omitempty" yaml:"accProvisionOperatorMemoryRequest,omitempty"` + AciContainersControllerMemoryLimit string `json:"aciContainersControllerMemoryLimit,omitempty" yaml:"aciContainersControllerMemoryLimit,omitempty"` + AciContainersControllerMemoryRequest string `json:"aciContainersControllerMemoryRequest,omitempty" yaml:"aciContainersControllerMemoryRequest,omitempty"` + AciContainersHostMemoryLimit string `json:"aciContainersHostMemoryLimit,omitempty" yaml:"aciContainersHostMemoryLimit,omitempty"` + AciContainersHostMemoryRequest string `json:"aciContainersHostMemoryRequest,omitempty" yaml:"aciContainersHostMemoryRequest,omitempty"` + AciContainersMemoryLimit string `json:"aciContainersMemoryLimit,omitempty" yaml:"aciContainersMemoryLimit,omitempty"` + AciContainersMemoryRequest string `json:"aciContainersMemoryRequest,omitempty" yaml:"aciContainersMemoryRequest,omitempty"` + AciContainersOperatorMemoryLimit string `json:"aciContainersOperatorMemoryLimit,omitempty" yaml:"aciContainersOperatorMemoryLimit,omitempty"` + AciContainersOperatorMemoryRequest string `json:"aciContainersOperatorMemoryRequest,omitempty" yaml:"aciContainersOperatorMemoryRequest,omitempty"` + AciMultipod string `json:"aciMultipod,omitempty" yaml:"aciMultipod,omitempty"` + AciMultipodUbuntu string `json:"aciMultipodUbuntu,omitempty" yaml:"aciMultipodUbuntu,omitempty"` + AddExternalSubnetsToRdconfig string 
`json:"addExternalSubnetsToRdconfig,omitempty" yaml:"addExternalSubnetsToRdconfig,omitempty"` + ApicHosts []string `json:"apicHosts,omitempty" yaml:"apicHosts,omitempty"` + ApicRefreshTickerAdjust string `json:"apicRefreshTickerAdjust,omitempty" yaml:"apicRefreshTickerAdjust,omitempty"` + ApicRefreshTime string `json:"apicRefreshTime,omitempty" yaml:"apicRefreshTime,omitempty"` + ApicSubscriptionDelay string `json:"apicSubscriptionDelay,omitempty" yaml:"apicSubscriptionDelay,omitempty"` + ApicUserCrt string `json:"apicUserCrt,omitempty" yaml:"apicUserCrt,omitempty"` + ApicUserKey string `json:"apicUserKey,omitempty" yaml:"apicUserKey,omitempty"` + ApicUserName string `json:"apicUserName,omitempty" yaml:"apicUserName,omitempty"` + CApic string `json:"capic,omitempty" yaml:"capic,omitempty"` + ControllerLogLevel string `json:"controllerLogLevel,omitempty" yaml:"controllerLogLevel,omitempty"` + DhcpDelay string `json:"dhcpDelay,omitempty" yaml:"dhcpDelay,omitempty"` + DhcpRenewMaxRetryCount string `json:"dhcpRenewMaxRetryCount,omitempty" yaml:"dhcpRenewMaxRetryCount,omitempty"` + DisablePeriodicSnatGlobalInfoSync string `json:"disablePeriodicSnatGlobalInfoSync,omitempty" yaml:"disablePeriodicSnatGlobalInfoSync,omitempty"` + DisableWaitForNetwork string `json:"disableWaitForNetwork,omitempty" yaml:"disableWaitForNetwork,omitempty"` + DropLogEnable string `json:"dropLogEnable,omitempty" yaml:"dropLogEnable,omitempty"` + DurationWaitForNetwork string `json:"durationWaitForNetwork,omitempty" yaml:"durationWaitForNetwork,omitempty"` + DynamicExternalSubnet string `json:"externDynamic,omitempty" yaml:"externDynamic,omitempty"` + EnableEndpointSlice string `json:"enableEndpointSlice,omitempty" yaml:"enableEndpointSlice,omitempty"` + EncapType string `json:"encapType,omitempty" yaml:"encapType,omitempty"` + EpRegistry string `json:"epRegistry,omitempty" yaml:"epRegistry,omitempty"` + GbpPodSubnet string `json:"gbpPodSubnet,omitempty" yaml:"gbpPodSubnet,omitempty"` + 
HostAgentLogLevel string `json:"hostAgentLogLevel,omitempty" yaml:"hostAgentLogLevel,omitempty"` + HppOptimization string `json:"hppOptimization,omitempty" yaml:"hppOptimization,omitempty"` + ImagePullPolicy string `json:"imagePullPolicy,omitempty" yaml:"imagePullPolicy,omitempty"` + ImagePullSecret string `json:"imagePullSecret,omitempty" yaml:"imagePullSecret,omitempty"` + InfraVlan string `json:"infraVlan,omitempty" yaml:"infraVlan,omitempty"` + InstallIstio string `json:"installIstio,omitempty" yaml:"installIstio,omitempty"` + IstioProfile string `json:"istioProfile,omitempty" yaml:"istioProfile,omitempty"` + KafkaBrokers []string `json:"kafkaBrokers,omitempty" yaml:"kafkaBrokers,omitempty"` + KafkaClientCrt string `json:"kafkaClientCrt,omitempty" yaml:"kafkaClientCrt,omitempty"` + KafkaClientKey string `json:"kafkaClientKey,omitempty" yaml:"kafkaClientKey,omitempty"` + KubeAPIVlan string `json:"kubeApiVlan,omitempty" yaml:"kubeApiVlan,omitempty"` + L3Out string `json:"l3out,omitempty" yaml:"l3out,omitempty"` + L3OutExternalNetworks []string `json:"l3outExternalNetworks,omitempty" yaml:"l3outExternalNetworks,omitempty"` + MTUHeadRoom string `json:"mtuHeadRoom,omitempty" yaml:"mtuHeadRoom,omitempty"` + MaxNodesSvcGraph string `json:"maxNodesSvcGraph,omitempty" yaml:"maxNodesSvcGraph,omitempty"` + McastDaemonMemoryLimit string `json:"mcastDaemonMemoryLimit,omitempty" yaml:"mcastDaemonMemoryLimit,omitempty"` + McastDaemonMemoryRequest string `json:"mcastDaemonMemoryRequest,omitempty" yaml:"mcastDaemonMemoryRequest,omitempty"` + McastRangeEnd string `json:"mcastRangeEnd,omitempty" yaml:"mcastRangeEnd,omitempty"` + McastRangeStart string `json:"mcastRangeStart,omitempty" yaml:"mcastRangeStart,omitempty"` + MultusDisable string `json:"multusDisable,omitempty" yaml:"multusDisable,omitempty"` + NoPriorityClass string `json:"noPriorityClass,omitempty" yaml:"noPriorityClass,omitempty"` + NoWaitForServiceEpReadiness string `json:"noWaitForServiceEpReadiness,omitempty" 
yaml:"noWaitForServiceEpReadiness,omitempty"` + NodePodIfEnable string `json:"nodePodIfEnable,omitempty" yaml:"nodePodIfEnable,omitempty"` + NodeSubnet string `json:"nodeSubnet,omitempty" yaml:"nodeSubnet,omitempty"` + OVSMemoryLimit string `json:"ovsMemoryLimit,omitempty" yaml:"ovsMemoryLimit,omitempty"` + OVSMemoryRequest string `json:"ovsMemoryRequest,omitempty" yaml:"ovsMemoryRequest,omitempty"` + OpflexAgentLogLevel string `json:"opflexLogLevel,omitempty" yaml:"opflexLogLevel,omitempty"` + OpflexAgentMemoryLimit string `json:"opflexAgentMemoryLimit,omitempty" yaml:"opflexAgentMemoryLimit,omitempty"` + OpflexAgentMemoryRequest string `json:"opflexAgentMemoryRequest,omitempty" yaml:"opflexAgentMemoryRequest,omitempty"` + OpflexAgentOpflexAsyncjsonEnabled string `json:"opflexAgentOpflexAsyncjsonEnabled,omitempty" yaml:"opflexAgentOpflexAsyncjsonEnabled,omitempty"` + OpflexAgentOvsAsyncjsonEnabled string `json:"opflexAgentOvsAsyncjsonEnabled,omitempty" yaml:"opflexAgentOvsAsyncjsonEnabled,omitempty"` + OpflexAgentPolicyRetryDelayTimer string `json:"opflexAgentPolicyRetryDelayTimer,omitempty" yaml:"opflexAgentPolicyRetryDelayTimer,omitempty"` + OpflexClientSSL string `json:"opflexClientSsl,omitempty" yaml:"opflexClientSsl,omitempty"` + OpflexDeviceDeleteTimeout string `json:"opflexDeviceDeleteTimeout,omitempty" yaml:"opflexDeviceDeleteTimeout,omitempty"` + OpflexDeviceReconnectWaitTimeout string `json:"opflexDeviceReconnectWaitTimeout,omitempty" yaml:"opflexDeviceReconnectWaitTimeout,omitempty"` + OpflexMode string `json:"opflexMode,omitempty" yaml:"opflexMode,omitempty"` + OpflexServerPort string `json:"opflexServerPort,omitempty" yaml:"opflexServerPort,omitempty"` + OverlayVRFName string `json:"overlayVrfName,omitempty" yaml:"overlayVrfName,omitempty"` + PBRTrackingNonSnat string `json:"pbrTrackingNonSnat,omitempty" yaml:"pbrTrackingNonSnat,omitempty"` + PodSubnetChunkSize string `json:"podSubnetChunkSize,omitempty" yaml:"podSubnetChunkSize,omitempty"` + 
RunGbpContainer string `json:"runGbpContainer,omitempty" yaml:"runGbpContainer,omitempty"` + RunOpflexServerContainer string `json:"runOpflexServerContainer,omitempty" yaml:"runOpflexServerContainer,omitempty"` + ServiceGraphEndpointAddDelay string `json:"serviceGraphEndpointAddDelay,omitempty" yaml:"serviceGraphEndpointAddDelay,omitempty"` + ServiceGraphEndpointAddServices []map[string]string `json:"serviceGraphEndpointAddServices,omitempty" yaml:"serviceGraphEndpointAddServices,omitempty"` + ServiceGraphSubnet string `json:"nodeSvcSubnet,omitempty" yaml:"nodeSvcSubnet,omitempty"` + ServiceMonitorInterval string `json:"serviceMonitorInterval,omitempty" yaml:"serviceMonitorInterval,omitempty"` + ServiceVlan string `json:"serviceVlan,omitempty" yaml:"serviceVlan,omitempty"` + SleepTimeSnatGlobalInfoSync string `json:"sleepTimeSnatGlobalInfoSync,omitempty" yaml:"sleepTimeSnatGlobalInfoSync,omitempty"` + SnatContractScope string `json:"snatContractScope,omitempty" yaml:"snatContractScope,omitempty"` + SnatNamespace string `json:"snatNamespace,omitempty" yaml:"snatNamespace,omitempty"` + SnatPortRangeEnd string `json:"snatPortRangeEnd,omitempty" yaml:"snatPortRangeEnd,omitempty"` + SnatPortRangeStart string `json:"snatPortRangeStart,omitempty" yaml:"snatPortRangeStart,omitempty"` + SnatPortsPerNode string `json:"snatPortsPerNode,omitempty" yaml:"snatPortsPerNode,omitempty"` + SriovEnable string `json:"sriovEnable,omitempty" yaml:"sriovEnable,omitempty"` + StaticExternalSubnet string `json:"externStatic,omitempty" yaml:"externStatic,omitempty"` + SubnetDomainName string `json:"subnetDomainName,omitempty" yaml:"subnetDomainName,omitempty"` + SystemIdentifier string `json:"systemId,omitempty" yaml:"systemId,omitempty"` + Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"` + Token string `json:"token,omitempty" yaml:"token,omitempty"` + UseAciAnywhereCRD string `json:"useAciAnywhereCrd,omitempty" yaml:"useAciAnywhereCrd,omitempty"` + UseAciCniPriorityClass 
string `json:"useAciCniPriorityClass,omitempty" yaml:"useAciCniPriorityClass,omitempty"` + UseClusterRole string `json:"useClusterRole,omitempty" yaml:"useClusterRole,omitempty"` + UseHostNetnsVolume string `json:"useHostNetnsVolume,omitempty" yaml:"useHostNetnsVolume,omitempty"` + UseOpflexServerVolume string `json:"useOpflexServerVolume,omitempty" yaml:"useOpflexServerVolume,omitempty"` + UsePrivilegedContainer string `json:"usePrivilegedContainer,omitempty" yaml:"usePrivilegedContainer,omitempty"` + UseSystemNodePriorityClass string `json:"useSystemNodePriorityClass,omitempty" yaml:"useSystemNodePriorityClass,omitempty"` + VRFName string `json:"vrfName,omitempty" yaml:"vrfName,omitempty"` + VRFTenant string `json:"vrfTenant,omitempty" yaml:"vrfTenant,omitempty"` + VmmController string `json:"vmmController,omitempty" yaml:"vmmController,omitempty"` + VmmDomain string `json:"vmmDomain,omitempty" yaml:"vmmDomain,omitempty"` } diff --git a/tests/v2/codecoverage/package/Dockerfile b/tests/v2/codecoverage/package/Dockerfile index ff1b2d279b2..5cbf104d22a 100644 --- a/tests/v2/codecoverage/package/Dockerfile +++ b/tests/v2/codecoverage/package/Dockerfile @@ -167,7 +167,7 @@ ENV CATTLE_CLI_VERSION v2.7.2-rc1 ENV CATTLE_BASE_UI_BRAND= # Please update the api-ui-version in pkg/settings/settings.go when updating the version here. -ENV CATTLE_API_UI_VERSION 1.1.9 +ENV CATTLE_API_UI_VERSION 1.1.11 RUN mkdir -p /var/log/auditlog ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log diff --git a/tests/v2/codecoverage/package/Dockerfile.ranchertest b/tests/v2/codecoverage/package/Dockerfile.ranchertest index 27d0f6a4129..c4e7d6956b7 100644 --- a/tests/v2/codecoverage/package/Dockerfile.ranchertest +++ b/tests/v2/codecoverage/package/Dockerfile.ranchertest 
@@ -166,7 +166,7 @@ ENV CATTLE_DASHBOARD_UI_VERSION v2.6.9 ENV CATTLE_CLI_VERSION v2.6.9 # Please update the api-ui-version in pkg/settings/settings.go when updating the version here. -ENV CATTLE_API_UI_VERSION 1.1.9 +ENV CATTLE_API_UI_VERSION 1.1.11 RUN mkdir -p /var/log/auditlog ENV AUDIT_LOG_PATH /var/log/auditlog/rancher-api-audit.log