OCPBUGS-36001: PODAUTO-204: Upstream rebase to 2.14.0 #32
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…e#5421) Signed-off-by: Siva Guruvareddiar <[email protected]> Co-authored-by: Jorge Turrado Ferrero <[email protected]>
…re#5427) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Yoon Park <[email protected]>
* Update Signed-off-by: SpiritZhou <[email protected]> * Update Signed-off-by: SpiritZhou <[email protected]> --------- Signed-off-by: SpiritZhou <[email protected]>
…ok (kedacore#5403) Signed-off-by: Jan Wozniak <[email protected]>
* chore: bump deps Signed-off-by: Jorge Turrado <[email protected]> * update manifests Signed-off-by: Jorge Turrado <[email protected]> --------- Signed-off-by: Jorge Turrado <[email protected]>
…re#5485) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: dttung2905 <[email protected]>
…s and properly close the connecctions (kedacore#5452) * fix(gcp scalers): Restore previous time horizon to fix missing metrics Signed-off-by: Jorge Turrado <[email protected]> * Close gcp client on scaler closing Signed-off-by: Jorge Turrado <[email protected]> * fix style Signed-off-by: Jorge Turrado <[email protected]> --------- Signed-off-by: Jorge Turrado <[email protected]>
* add grpc authority head override command-line flag Signed-off-by: Ali Aqel <[email protected]> Signed-off-by: aliaqel-stripe <[email protected]> Co-authored-by: Zbynek Roubalik <[email protected]>
Signed-off-by: rahulii <[email protected]>
Signed-off-by: Zbynek Roubalik <[email protected]>
Signed-off-by: googs1025 <[email protected]>
…edacore#5518) Signed-off-by: Vinod Kumar Nair <[email protected]>
Signed-off-by: SpiritZhou <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: June Han <[email protected]>
…e#5433) Signed-off-by: atilsensalduz <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
| datasource | package | from | to | | ----------- | ------------- | ------ | ------ | | github-tags | actions/cache | v4.0.0 | v4.0.1 | Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… creation (kedacore#5524) Signed-off-by: SpiritZhou <[email protected]>
…riggerAuthentication (kedacore#5517) Signed-off-by: Paul Yu <[email protected]> Signed-off-by: Paul Yu <[email protected]> Signed-off-by: Jorge Turrado Ferrero <[email protected]> Co-authored-by: Jorge Turrado Ferrero <[email protected]>
Signed-off-by: Joel Smith <[email protected]>
Signed-off-by: Arun Yogesh <[email protected]>
…acore#5591) Signed-off-by: Jorge Turrado Ferrero <[email protected]>
Allow the test setup to skip the installation of KEDA and/or Kafka so that tests can run even if they were installed via other methods, such as OLM operators. Signed-off-by: Joel Smith <[email protected]>
…core#5593) Signed-off-by: Jorge Turrado <[email protected]>
* feat: add schema field in mongodb scaler Signed-off-by: tico88612 <[email protected]> * test: mongodb scaler support srv scheme Signed-off-by: tico88612 <[email protected]> * docs: Changelog about MongoDB Scaler scheme field Signed-off-by: tico88612 <[email protected]> --------- Signed-off-by: tico88612 <[email protected]> Signed-off-by: Jorge Turrado Ferrero <[email protected]> Co-authored-by: Jorge Turrado Ferrero <[email protected]>
* Allow privileged pods in OpenShift test namespaces The way the e2e test suite is set up, there are several pods that are to running with more privilege than our "restricted" SCC provides. Long-term I don't think there is anything in here that *requires* the privilege, but we'll need to do some testing and find out. In the mean time, this injects an adjusted pod admission policy into each test namespace via the centralized namespace creation helper function so that those privileged pods can run in the test namespaces. * Specify securityContext for privileged e2e pods The e2e test suite here is used to running in a "vanilla kube" environment that does not have OpenShift/OpenShift CI restrictions. This becomes a problem when one of the test containers attempts to do something privileged (like bind to a privileged port) and is denied. This just adds securityContexts to the pods that require privilege so that they can get assigned a proper SCC and successfully run. The securityContext addition is limited to only the tests that OpenShift runs (internal, sequential, cpu/memory/kafka scalers) because we haven't tested the others. * Allow e2e test image overrides for OpenShift CI The e2e test suite references multiple images spread across multiple public registries (ghcr.io,docker.io,k8s.io) and some of those registries have pull limits, which will cause our tests to fail. We also cache some of these upstream images in our CI system, and so it is beneficial to be able to reference our cached copy rather than have to pull it from "the internet" every time. Anyway, the way that the e2e tests are set up, all those images are hard-coded in each of the manifests, which are just vars that exist in each test's .go file. They are not templated. There is, however a central helper function that applies all these resources (using kubectl). So, in order for us to be able to override the image list for CI, this temporarily: - adds an image rewrite map that specifies replacement images for images we might have difficulty pulling - adds a helper function that will let those replacement images be specified by environment variables for use in CI until we can figure out a more elegant refactor. * Account for OpenShift CI in Prometheus build test There is a test in the prometheus sequential suite that checks the git commit hash of the current code and compares it to the containers running in the test to make sure that the test version matches the code version. This version is injected as GIT_COMMIT during the docker builds in the Makefile, but it does not get injected when the containers are build in OpenShift CI. I would like to find a way to inject it via CI, but until then we are supplying a dummy string "dummy-ci-commit-value" that is at least "yes you are running against a CI payload we built, and not one that you pulled from upstream". Eventually when we figure out how to make all the variables available in CI and inject them, this can go away because then the commits will match.
* Pull test container dockerfile out of CI and into keda repo Previously we were building the test container in CI from a dockerfile_literal, which was kind of hacky and more difficult to manage than it being here in the keda repo. This pulls that dockerfile out of CI and into a Dockerfile.tests which we now just reference from CI. * Add Makefile targets to makefile for OpenShift tests We kind of stuffed those tests into CI quick so we had something, and when we did we didn't heavily consider ergonomics. Now that we find ourselves having to enable additional tests for fixes and new features, it will be much easier in the long run if we can manage the test targets here in the repo so we don't have to put in a separate PR to the release repo to see if our changes work. This adds some e2e-test-openshift* makefile targets that we can point and whatever we need to, and once CI is updated, it can just call those targets, whatever they happen to entail. * Reenable CPU scaler test Now that we figured out how the CPU test was broken, we can add it back in to the testing since it's supported. This adds the cpu test into the e2e-test-openshift Makefile target, so when CI calls it, it will run with the rest of the scaler tests Signed-off-by: John Kyros <[email protected]>
This excludes deps and tests from snyk scans to cut down on noise. This also excludes the tests/ directory as it contains some launcher .go files that don't end in _test.go, but are part of the testing suite and are not shipped with the final product.
This scaledjob test template was missing its namespace, which doesn't generally matter for the test -- the test is just checking if the webhook works, it doesn't care where the scaledjob ends up. Where it does matter, is if you happen to run this test suite in a more restrictive environment where you can't write to the default namespace, because you fail with a namespace-related creation error instead of the expected "no triggers defined in the ScaledObject/ScaledJob" error. This just adds the namespace to the template so it's just like all the other ones in the test suite. Signed-off-by: John Kyros <[email protected]>
There are a ton of credentials in our test suite because of how keda works, but every last one of them is fake/useless. This just excludes our test files from the scanner so they will stop generating false-positives. The preferred method to deal with them is to comment the exact line as "# notasecret" but that's not feasible given the size of the test suite and the number of fake credentials. This should stop the scary false positive ALERT! emails. Signed-off-by: John Kyros <[email protected]>
Signed-off-by: John Kyros <[email protected]>
…e/v2.14 branch instead of main Signed-off-by: John Kyros <[email protected]>
|
@jkyros: This pull request references PODAUTO-204 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
Do you think it's worth pulling in 10840ef which is the only commit we're missing from 2.14.1? Most of it is more deps bumps, upstream build & test infra and scalers we don't care about, but there are some ScaledJobs changes from kedacore#5876 and kedacore#5916 that might be good to get in. Plus, then we could call our release 2.14.1 |
* bump golang Signed-off-by: Jorge Turrado <[email protected]> * chore: build with keda-tools:1.22.5 (kedacore#5971) * chore: build with keda-tools:1.22.5 to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791 bump github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255 Signed-off-by: Paul Yu <[email protected]> * chore: use go install instead of go get and replacing deprecated tools Signed-off-by: Paul Yu <[email protected]> * chore: vendor dependency cleanup Signed-off-by: Paul Yu <[email protected]> * Update missing references to 1.21 Signed-off-by: Jorge Turrado <[email protected]> --------- Signed-off-by: Paul Yu <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> Co-authored-by: Jorge Turrado Ferrero <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * [BUG-5922] Report failing ScaledJob triggers in status (kedacore#5916) Signed-off-by: Josef Karasek <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * [BUG-5656] Annotate Jobs with parent ScaledJob generation (kedacore#5876) * Annotate Jobs with parent ScaledJob generation Signed-off-by: Josef Karasek <[email protected]> * fix tests Signed-off-by: Josef Karasek <[email protected]> * fix lint Signed-off-by: Josef Karasek <[email protected]> * fix log message Signed-off-by: Josef Karasek <[email protected]> * update changelog Signed-off-by: Josef Karasek <[email protected]> * update changelog Signed-off-by: Josef Karasek <[email protected]> * update changelog Signed-off-by: Josef Karasek <[email protected]> --------- Signed-off-by: Josef Karasek <[email protected]> Signed-off-by: Zbynek Roubalik <[email protected]> Co-authored-by: Zbynek Roubalik <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * fix: `+srv` mongodb url scheme parsing bug (kedacore#5773) This commit fixs issue kedacore#5760. where OP was facing problem with +srv schema Signed-off-by: Rishikesh Betigeri <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * fix: issue when GitHub organization contains more than 30 repos (kedacore#5746) Signed-off-by: Simon Kobler <[email protected]> Signed-off-by: Simon Kobler <[email protected]> Co-authored-by: Jorge Turrado Ferrero <[email protected]> Co-authored-by: Simon Kobler <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * Fix scaler leak during cache refresh (kedacore#5807) Signed-off-by: Guillaume Jacquet <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * Prepare release v2.14.1 Signed-off-by: Jorge Turrado <[email protected]> * add missing change Signed-off-by: Jorge Turrado <[email protected]> * update changelog Signed-off-by: Jorge Turrado <[email protected]> * fix: e2e test regex check tag (kedacore#5831) Signed-off-by: Jan Wozniak <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * Validate regex before building image for e2e test (kedacore#5783) * added regex pre check before building image Signed-off-by: Yaxhveer <[email protected]> * updated changelog Signed-off-by: Yaxhveer <[email protected]> * refactored Signed-off-by: Yaxhveer <[email protected]> * corrected Signed-off-by: Yaxhveer <[email protected]> * corrected changelog Signed-off-by: Yaxhveer <[email protected]> * updated the workflow Signed-off-by: Yaxhveer <[email protected]> * updated the workflow Signed-off-by: Yaxhveer <[email protected]> --------- Signed-off-by: Yaxhveer <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> * fix some pending tasks Signed-off-by: Jorge Turrado <[email protected]> * use AAD-Pod-Identity always Signed-off-by: Jorge Turrado <[email protected]> * use AAD-Pod-Identity always Signed-off-by: Jorge Turrado <[email protected]> --------- Signed-off-by: Jorge Turrado <[email protected]> Signed-off-by: Paul Yu <[email protected]> Signed-off-by: Josef Karasek <[email protected]> Signed-off-by: Zbynek Roubalik <[email protected]> Signed-off-by: Rishikesh Betigeri <[email protected]> Signed-off-by: Simon Kobler <[email protected]> Signed-off-by: Simon Kobler <[email protected]> Signed-off-by: Guillaume Jacquet <[email protected]> Signed-off-by: Jan Wozniak <[email protected]> Signed-off-by: Yaxhveer <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> Co-authored-by: Paul Yu <[email protected]> Co-authored-by: Josef Karasek <[email protected]> Co-authored-by: Zbynek Roubalik <[email protected]> Co-authored-by: Rishikesh <[email protected]> Co-authored-by: Simon Kobler <[email protected]> Co-authored-by: Simon Kobler <[email protected]> Co-authored-by: Guillaume Jacquet <[email protected]> Co-authored-by: Jan Wozniak <[email protected]> Co-authored-by: Yashveer <[email protected]>
|
Yep, pulled it in, and thanks for doing the legwork on the diff there 😄 |
|
This all looks good except for one small thing: it seems like rebasebot doesn't handle re-picking numbered PRs when it is used in the branch switching way that we use it. So upstream 5859 got dropped by this rebase. Could you please cherry-pick 929fa69 again? That commit will be in 2.15, so we won't have to worry about it next time, but we do apparently have to check all numbered picks to make sure that they are present, and re-pick them if not. AFAICT, that's the only one on this release. |
Signed-off-by: Joel Smith <[email protected]>
|
@jkyros: This pull request references PODAUTO-204 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Great catch, thank you. I've added kedacore#5859 it back. I wonder if it's "all versions of rebasebot" or just that my version is too new. That 2.14.1 commit we picked also looks like it might have broken the tests -- something around pod identity in setup. I'm looking into that now (I expect it to fail again this time). |
This is not a cherry-pick of upstream 5782, this is my downstream fix that will go away once upstream 5782 obsoletes it. They removed the AAD pod identity config variable upstream and just flipped it to "always on" for 2.14, but we had it turned off down here. This just explicitly turns it off for us until the tests go away. Signed-off-by: John Kyros <[email protected]>
|
The test failure looks like just some hacks from upstream -- they force-enabled the add pod identity test for 2.14, but we previously had it disabled. It's apparently obsolete and will all go away in 2.15 (kedacore#5782) so I just force-set it back to disabled for now. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jkyros, joelsmith The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hmmm, seems like that run had trouble deleting the prometheus namespace, we'll see what this one does: |
|
@jkyros: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
jkyros
changed the title
|
@jkyros: Jira Issue OCPBUGS-36001: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-36001 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
.ci-operator.yamlto referencerhel-9-release-golang-1.21-openshift-4.17(vs 4.16, staying on go 1.21 for now)go get -u github.com/hashicorp/go-retryablehttpfor CVE-2024-6104Dockerfile.testsFROM image to the 1.22 builder (the tooling requires it, it will complain if it's on 1.21 even though the operator is on 1.21)Weirdness:
.gitleaks.tomlthat excludes*._test.goso incoming upstream tests don't trigger false positives when we do a branch push after a rebase