From 5626cf925c43af6556643b38a6a03fe764f4f0b5 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 29 Dec 2022 10:29:35 +0100 Subject: [PATCH 1/2] update CI to test against go1.19, and regenerate protos Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- api/types.pb.go | 105 ++++++++++++------- protobuf/plugin/deepcopy/test/deepcopy.pb.go | 2 + 3 files changed, 73 insertions(+), 36 deletions(-) diff --git a/Dockerfile b/Dockerfile index c568abeb88..b87b243774 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.9 +ARG GO_VERSION=1.19.11 ARG PROTOC_VERSION=3.11.4 ARG GOLANGCI_LINT_VERSION=v1.50.1 ARG DEBIAN_FRONTEND=noninteractive diff --git a/api/types.pb.go b/api/types.pb.go index d53775cd6d..312b77eb19 100644 --- a/api/types.pb.go +++ b/api/types.pb.go @@ -67,8 +67,9 @@ func (ResourceType) EnumDescriptor() ([]byte, []int) { // Only the manager create a NEW task, and move the task to PENDING and ASSIGNED. // Afterward, the manager must rely on the agent to update the task status // (pre-run: preparing, ready, starting; -// running; -// end-state: complete, shutdown, failed, rejected) +// +// running; +// end-state: complete, shutdown, failed, rejected) type TaskState int32 const ( @@ -1032,6 +1033,7 @@ var xxx_messageInfo_DiscreteGenericResource proto.InternalMessageInfo // be either an integer (e.g: SSD=3) or a string (e.g: SSD=sda1) type GenericResource struct { // Types that are valid to be assigned to Resource: + // // *GenericResource_NamedResourceSpec // *GenericResource_DiscreteResourceSpec Resource isGenericResource_Resource `protobuf_oneof:"resource"` @@ -2059,6 +2061,7 @@ type TaskStatus struct { // Container status contains container specific status information. // // Types that are valid to be assigned to RuntimeStatus: + // // *TaskStatus_Container RuntimeStatus isTaskStatus_RuntimeStatus `protobuf_oneof:"runtime_status"` // HostPorts provides a list of ports allocated at the host 
@@ -2451,6 +2454,7 @@ type IssuanceStatus struct { State IssuanceStatus_State `protobuf:"varint,1,opt,name=state,proto3,enum=docker.swarmkit.v1.IssuanceStatus_State" json:"state,omitempty"` // Err is set if the Certificate Issuance is in an error state. // The following states should report a companion error: + // // FAILED Err string `protobuf:"bytes,2,opt,name=err,proto3" json:"err,omitempty"` } @@ -2951,6 +2955,7 @@ var xxx_messageInfo_SpreadOver proto.InternalMessageInfo type PlacementPreference struct { // Types that are valid to be assigned to Preference: + // // *PlacementPreference_Spread Preference isPlacementPreference_Preference `protobuf_oneof:"Preference"` } @@ -3382,6 +3387,7 @@ type SecretReference struct { // Target specifies how this secret should be exposed to the task. // // Types that are valid to be assigned to Target: + // // *SecretReference_File Target isSecretReference_Target `protobuf_oneof:"target"` } @@ -3462,6 +3468,7 @@ type ConfigReference struct { // Target specifies how this config should be exposed to the task. // // Types that are valid to be assigned to Target: + // // *ConfigReference_File // *ConfigReference_Runtime Target isConfigReference_Target `protobuf_oneof:"target"` @@ -3765,6 +3772,7 @@ var xxx_messageInfo_Privileges proto.InternalMessageInfo // CredentialSpec for managed service account (Windows only). type Privileges_CredentialSpec struct { // Types that are valid to be assigned to Source: + // // *Privileges_CredentialSpec_File // *Privileges_CredentialSpec_Registry // *Privileges_CredentialSpec_Config @@ -3971,6 +3979,7 @@ type VolumeAccessMode struct { // but the upstream is free to do so. However, one of these MUST be set. // // Types that are valid to be assigned to AccessType: + // // *VolumeAccessMode_Block // *VolumeAccessMode_Mount AccessType isVolumeAccessMode_AccessType `protobuf_oneof:"access_type"` 
@@ -4196,12 +4205,12 @@ var xxx_messageInfo_VolumeSecret proto.InternalMessageInfo // // Without this two-step process, the following could happen: // -// 1. ControllerPublishVolume is called and the Volume is successfully -// published. -// 2. A crash or leadership change disrupts the cluster before -// the Volume with the updated VolumePublishStatus can be added to the -// store. -// 3. The Task that required the Volume to be published is deleted. +// 1. ControllerPublishVolume is called and the Volume is successfully +// published. +// 2. A crash or leadership change disrupts the cluster before +// the Volume with the updated VolumePublishStatus can be added to the +// store. +// 3. The Task that required the Volume to be published is deleted. // // In this case, the Volume would be published to the Node, but Swarm would be // unaware of this, and would additionally be unaware that the Volume _should_ 
@@ -4466,21 +4475,27 @@ type TopologyRequirement struct { // accessible from at least one of the requisite topologies. // // Given - // x = number of topologies provisioned volume is accessible from - // n = number of requisite topologies + // + // x = number of topologies provisioned volume is accessible from + // n = number of requisite topologies + // // The CO MUST ensure n >= 1. The SP MUST ensure x >= 1 // If x==n, then the SP MUST make the provisioned volume available to // all topologies from the list of requisite topologies. If it is // unable to do so, the SP MUST fail the CreateVolume call. // For example, if a volume should be accessible from a single zone, // and requisite = - // {"region": "R1", "zone": "Z2"} + // + // {"region": "R1", "zone": "Z2"} + // // then the provisioned volume MUST be accessible from the "region" // "R1" and the "zone" "Z2". // Similarly, if a volume should be accessible from two zones, and // requisite = - // {"region": "R1", "zone": "Z2"}, - // {"region": "R1", "zone": "Z3"} + // + // {"region": "R1", "zone": "Z2"}, + // {"region": "R1", "zone": "Z3"} + // // then the provisioned volume MUST be accessible from the "region" // "R1" and both "zone" "Z2" and "zone" "Z3". // 
@@ -4489,18 +4504,23 @@ type TopologyRequirement struct { // the CreateVolume call. // For example, if a volume should be accessible from a single zone, // and requisite = - // {"region": "R1", "zone": "Z2"}, - // {"region": "R1", "zone": "Z3"} + // + // {"region": "R1", "zone": "Z2"}, + // {"region": "R1", "zone": "Z3"} + // // then the SP may choose to make the provisioned volume available in // either the "zone" "Z2" or the "zone" "Z3" in the "region" "R1". // Similarly, if a volume should be accessible from two zones, and // requisite = - // {"region": "R1", "zone": "Z2"}, - // {"region": "R1", "zone": "Z3"}, - // {"region": "R1", "zone": "Z4"} + // + // {"region": "R1", "zone": "Z2"}, + // {"region": "R1", "zone": "Z3"}, + // {"region": "R1", "zone": "Z4"} + // // then the provisioned volume MUST be accessible from any combination // of two unique topologies: e.g. "R1/Z2" and "R1/Z3", or "R1/Z2" and - // "R1/Z4", or "R1/Z3" and "R1/Z4". + // + // "R1/Z4", or "R1/Z3" and "R1/Z4". // // If x>n, then the SP MUST make the provisioned volume available from // all topologies from the list of requisite topologies and MAY choose @@ -4509,7 +4529,9 @@ type TopologyRequirement struct { // CreateVolume call. // For example, if a volume should be accessible from two zones, and // requisite = - // {"region": "R1", "zone": "Z2"} + // + // {"region": "R1", "zone": "Z2"} + // // then the provisioned volume MUST be accessible from the "region" // "R1" and the "zone" "Z2" and the SP may select the second zone // independently, e.g. "R1/Z4". 
@@ -4538,10 +4560,14 @@ type TopologyRequirement struct { // Example 1: // Given a volume should be accessible from a single zone, and // requisite = - // {"region": "R1", "zone": "Z2"}, - // {"region": "R1", "zone": "Z3"} + // + // {"region": "R1", "zone": "Z2"}, + // {"region": "R1", "zone": "Z3"} + // // preferred = - // {"region": "R1", "zone": "Z3"} + // + // {"region": "R1", "zone": "Z3"} + // // then the the SP SHOULD first attempt to make the provisioned volume // available from "zone" "Z3" in the "region" "R1" and fall back to // "zone" "Z2" in the "region" "R1" if that is not possible. @@ -4549,13 +4575,17 @@ type TopologyRequirement struct { // Example 2: // Given a volume should be accessible from a single zone, and // requisite = - // {"region": "R1", "zone": "Z2"}, - // {"region": "R1", "zone": "Z3"}, - // {"region": "R1", "zone": "Z4"}, - // {"region": "R1", "zone": "Z5"} + // + // {"region": "R1", "zone": "Z2"}, + // {"region": "R1", "zone": "Z3"}, + // {"region": "R1", "zone": "Z4"}, + // {"region": "R1", "zone": "Z5"} + // // preferred = - // {"region": "R1", "zone": "Z4"}, - // {"region": "R1", "zone": "Z2"} + // + // {"region": "R1", "zone": "Z4"}, + // {"region": "R1", "zone": "Z2"} + // // then the the SP SHOULD first attempt to make the provisioned volume // accessible from "zone" "Z4" in the "region" "R1" and fall back to // "zone" "Z2" in the "region" "R1" if that is not possible. If that 
@@ -4568,13 +4598,17 @@ type TopologyRequirement struct { // the volume is accessible from two zones, aka synchronously // replicated), and // requisite = - // {"region": "R1", "zone": "Z2"}, - // {"region": "R1", "zone": "Z3"}, - // {"region": "R1", "zone": "Z4"}, - // {"region": "R1", "zone": "Z5"} + // + // {"region": "R1", "zone": "Z2"}, + // {"region": "R1", "zone": "Z3"}, + // {"region": "R1", "zone": "Z4"}, + // {"region": "R1", "zone": "Z5"} + // // preferred = - // {"region": "R1", "zone": "Z5"}, - // {"region": "R1", "zone": "Z3"} + // + // {"region": "R1", "zone": "Z5"}, + // {"region": "R1", "zone": "Z3"} + // // then the the SP SHOULD first attempt to make the provisioned volume // accessible from the combination of the two "zones" "Z5" and "Z3" in // the "region" "R1". If that's not possible, it should fall back to @@ -4689,6 +4723,7 @@ type VolumeCapability struct { // following fields MUST be specified. // // Types that are valid to be assigned to AccessType: + // // *VolumeCapability_Block // *VolumeCapability_Mount AccessType isVolumeCapability_AccessType `protobuf_oneof:"access_type"` diff --git a/protobuf/plugin/deepcopy/test/deepcopy.pb.go b/protobuf/plugin/deepcopy/test/deepcopy.pb.go index 1b3d51dbe4..9c87ce7b6e 100644 --- a/protobuf/plugin/deepcopy/test/deepcopy.pb.go +++ b/protobuf/plugin/deepcopy/test/deepcopy.pb.go @@ -293,6 +293,7 @@ var xxx_messageInfo_MapStruct proto.InternalMessageInfo type OneOf struct { // Types that are valid to be assigned to Fields: + // // *OneOf_Field1 // *OneOf_Field2 // *OneOf_Field3 @@ -304,6 +305,7 @@ type OneOf struct { // *OneOf_Field9 Fields isOneOf_Fields `protobuf_oneof:"fields"` // Types that are valid to be assigned to FieldsTwo: + // // *OneOf_Field10 // *OneOf_Field11 FieldsTwo isOneOf_FieldsTwo `protobuf_oneof:"fieldsTwo"` From 0dfa4f1383bf9c4b4fc015c9c40f16cb58659044 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Thu, 29 Dec 2022 13:31:37 +0100 Subject: [PATCH 2/2] debug TestRenewTLSConfigUpdatesRootOnUnknownAuthError Signed-off-by: Sebastiaan van Stijn --- ca/config_test.go | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)
diff --git a/ca/config_test.go b/ca/config_test.go
index 105866eb43..bb5946c308 100644
--- a/ca/config_test.go
+++ b/ca/config_test.go
@@ -5,6 +5,7 @@ import (
 "context"
 "crypto/tls"
 "crypto/x509"
+ "encoding/pem"
 "net"
 "os"
 "path/filepath"
@@ -618,6 +619,24 @@ func TestSecurityConfigWatch(t *testing.T) {
 require.NoError(t, ca.RenewTLSConfigNow(tc.Context, secConfig, tc.ConnBroker, tc.Paths.RootCA))
 }
+func printCert(t *testing.T, pemData []byte) {
+ t.Helper()
+
+ block, _ := pem.Decode(pemData)
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ t.Error(err)
+ }
+
+ cert.RawSubject = nil
+ cert.Raw = nil
+ cert.RawIssuer = nil
+ cert.RawSubjectPublicKeyInfo = nil
+ cert.RawTBSCertificate = nil
+ cert.Signature = nil
+ t.Logf("%+v", cert)
+}
+
 // If we get an unknown authority error when trying to renew the TLS certificate, attempt to download the
 // root certificate. If it validates against the current TLS credentials, it will be used to download
 // new ones, (only if the new certificate indicates that it's a worker, though).
@@ -633,6 +652,8 @@ func TestRenewTLSConfigUpdatesRootOnUnknownAuthError(t *testing.T) {
 for i := 0; i < 3; i++ {
 certs[i], keys[i], err = cautils.CreateRootCertAndKey("CA" + strconv.Itoa(i))
 require.NoError(t, err)
+ t.Log("CA"+strconv.Itoa(i), ":\n", string(certs[i]))
+ printCert(t, certs[i])
 switch i {
 case 0:
 crossSigneds[i] = nil
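Review bot: printCert dereferences `block.Bytes` without checking the nil `block` that `pem.Decode` returns for non-PEM input, and after `t.Error(err)` it goes on to assign fields of a `cert` that is nil when `x509.ParseCertificate` fails, so a malformed certificate panics the test run instead of failing it with a message. The file already uses testify's `require`, so both checks collapse to `require.NotNil(t, block)` right after the decode and `require.NoError(t, err)` in place of the `if err != nil { t.Error(err) }` block; with `t.Helper()` already present the failure is attributed to the calling line. Clearing the Raw* fields and Signature before `t.Logf("%+v", cert)` deserves a why-comment, e.g. `// drop the DER blobs so %+v prints only the parsed fields`.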
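Review bot: `t.Log("CA"+strconv.Itoa(i), ":\n", string(certs[i]))` uses Println-style formatting, so the output reads `CA0 :` followed by a space and the PEM with separators inserted between operands, and the `string()` conversion is unnecessary because `%s` accepts a byte slice; `t.Logf("CA%d:\n%s", i, certs[i])` expresses the same in one call. The `Intermediate` log line in the following hunk has the same shape. Since the subject line reads "debug …", the commit description should say whether these log lines and printCert are intended to stay or to be reverted once the failure is understood. What they dump is PEM certificate material only — `keys[i]` is never logged — so the test output carries no private keys, which is the right boundary if they do remain.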
@@ -641,6 +662,8 @@ func TestRenewTLSConfigUpdatesRootOnUnknownAuthError(t *testing.T) {
 default:
 crossSigneds[i], err = cas[i-1].CrossSignCACertificate(certs[i])
 require.NoError(t, err)
+ t.Log("Intermediate"+strconv.Itoa(i), ":\n", string(crossSigneds[i]))
+ printCert(t, crossSigneds[i])
 cas[i], err = ca.NewRootCA(certs[i-1], certs[i], keys[i], ca.DefaultNodeCertExpiration, crossSigneds[i])
 require.NoError(t, err)
 }