PANDARIA: Merge tag 'v0.5.2' into release/v0.5-ent

.github/workflows/release.yaml

@@ -0,0 +1,221 @@
+name: release
+
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+env:
+  REGISTRY: docker.io
+  REPO: rancher
+
+jobs:
+  build:
+    name: build and package
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+        - amd64
+        - arm64
+    steps:
+
+    - name: Checkout repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      # https://github.com/actions/checkout/releases/tag/v4.1.1
+
+    - name: Setup Go
+      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      # https://github.com/actions/setup-go/releases/tag/v5.0.0
+      with:
+        go-version-file: 'go.mod'
+
+    - name: Build and package
+      run: |
+          ./scripts/build
+          mkdir -p dist/artifacts
+          cp bin/webhook dist/artifacts/webhook-linux-${{ matrix.arch }}
+      env:
+        ARCH: "${{ matrix.arch}}"
+        GOARCH: "${{ matrix.arch}}"
+
+    - name: Generate checksum files
+      run: |
+        ls -lR dist
+        cd dist/artifacts
+        sha256sum webhook-linux-${{ matrix.arch }} > sha256sum-${{ matrix.arch }}.txt
+
+    - name: Upload artifacts
+      # https://github.com/actions/upload-artifact/commit/65462800fd760344b1a7b4382951275a0abb4808
+      uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
+      with:
+        name: webhook-artifacts-${{ matrix.arch }}
+        path: |
+          dist/artifacts/webhook-linux-${{ matrix.arch }}
+          dist/artifacts/sha256sum-${{ matrix.arch }}.txt
+          dist/artifacts/rancher-webhook-*.tgz
+
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout repository
+       # https://github.com/actions/checkout/releases/tag/v4.1.1
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+    - name: package-helm
+      run: ./scripts/package-helm
+
+    - name: Download the amd64 artifacts
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      # https://github.com/actions/download-artifact/releases/tag/v4.1.7
+      with:
+        name: webhook-artifacts-amd64
+        path: dist/artifacts
+
+    - name: Download the arm64 artifacts
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      # https://github.com/actions/download-artifact/releases/tag/v4.1.7
+      with:
+        name: webhook-artifacts-arm64
+        path: dist/artifacts
+
+    - name: Get the version
+      run: |
+        source ./scripts/version
+        echo "TAG=$(echo $TAG | sed 's/-amd64$//')" >> $GITHUB_ENV
+
+    - name: Upload the files
+      run: |
+        ls -lR dist
+        cd dist/artifacts
+        gh --repo "${{ github.repository }}" release create ${{ github.ref_name }} --prerelease --verify-tag --generate-notes webhook-linux-* sha256sum-*.txt rancher-webhook*.tgz
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  image:
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      matrix:
+        arch:
+        - amd64
+        - arm64
+    name: Build and push Webhook images
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout repository
+        # https://github.com/actions/checkout/releases/tag/v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Download the artifacts
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        # https://github.com/actions/download-artifact/releases/tag/v4.1.7
+        with:
+          name: webhook-artifacts-${{ matrix.arch }}
+          path: dist/artifacts
+
+      - name: Move binary to bin/
+        run: |
+          mkdir -p bin/
+          cp -v dist/artifacts/webhook-linux-${{ matrix.arch }} bin/webhook
+          chmod +x bin/webhook
+
+      - name: "Read vault secrets"
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+
+      - name: Set up QEMU
+        # https://github.com/docker/setup-qemu-action/releases/tag/v3.1.0
+        uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        # https://github.com/docker/setup-buildx-action/releases/tag/v3.4.0
+
+      - name: Log in to the Container registry
+        # https://github.com/docker/login-action/releases/tag/v3.2.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+
+      - name: Build and push the webhook image
+        id: build
+        # https://github.com/docker/build-push-action/releases/tag/v6.3.0
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+        with:
+          context: .
+          file: ./package/Dockerfile
+          platforms: "linux/${{ matrix.arch }}"
+          outputs: type=image,name=${{ env.REPO }}/rancher-webhook,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        # https://github.com/actions/upload-artifact/releases/tag/v4.3.3
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: image
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        # https://github.com/actions/download-artifact/releases/tag/v4.1.7
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        # https://github.com/docker/setup-buildx-action/releases/tag/v3.4.0
+
+      - name: "Read vault secrets"
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        # https://github.com/docker/login-action/releases/tag/v3.2.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+
+        # setup tag name
+      - if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.REPO }}/rancher-webhook:${{ env.TAG_NAME }} \
+            $(printf '${{ env.REPO }}/rancher-webhook@sha256:%s ' *)

docs.md

@@ -361,12 +361,24 @@ When a UserAttribute is updated, the following checks take place:
 
 ### Validation Checks
 
+#### On Create
+
+##### Data Directories
+
+Prevent the creation of new objects with an env var (under `spec.agentEnvVars`) with a name of `CATTLE_AGENT_VAR_DIR`.
+Prevent the creation of new objects with an invalid data directory. An invalid data directory is defined as the 
+following:
+- Is not an absolute path (i.e. does not start with `/`)
+- Attempts to include environment variables (e.g. `$VARIABLE` or `${VARIABLE}`)
+- Attempts to include shell expressions (e.g. `$(command)` or `` `command` ``)
+- Equal to another data directory
+- Attempts to nest another data directory
+
 #### On Update
 
 ##### Data Directories
 
-Prevent the creation of new objects with an env var (under `spec.agentEnvVars`) with a name of `CATTLE_AGENT_VAR_DIR`. 
-On update, also prevent new env vars with this name from being added but allow them to be removed. Rancher will perform 
+On update, prevent new env vars with this name from being added but allow them to be removed. Rancher will perform 
 a one-time migration to move the system-agent data dir definition to the top level field from the `AgentEnvVars` 
 section. A secondary validator will ensure that the effective data directory for the `system-agent` is not different 
 from the one chosen during cluster creation. Additionally, the changing of a data directory for the `system-agent`, 

go.mod

@@ -2,10 +2,10 @@ module github.com/rancher/webhook
 
 go 1.22.0
 
-toolchain go1.22.5
+toolchain go1.22.7
 
 replace (
-	github.com/rancher/rancher/pkg/apis => github.com/cnrancher/pandaria/pkg/apis v0.0.0-20240827073043-51ff09fd6428
+	github.com/rancher/rancher/pkg/apis => github.com/cnrancher/pandaria/pkg/apis v0.0.0-20240927075849-a7ff49fc0e34
 	k8s.io/api => k8s.io/api v0.30.1
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.1
 	k8s.io/apimachinery => k8s.io/apimachinery v0.30.1
@@ -41,16 +41,16 @@ require (
 	github.com/golang/mock v1.6.0
 	github.com/gorilla/mux v1.8.1
 	github.com/rancher/dynamiclistener v0.6.0
-	github.com/rancher/lasso v0.0.0-20240705194423-b2a060d103c1
-	github.com/rancher/rancher/pkg/apis v0.0.0-20240816071246-0c3b39a95054
-	github.com/rancher/rke v1.6.1
+	github.com/rancher/lasso v0.0.0-20240809125800-8da6f11865d5
+	github.com/rancher/rancher/pkg/apis v0.0.0-20240918011937-2f9a7509687f
+	github.com/rancher/rke v1.6.2
 	github.com/rancher/wrangler/v3 v3.0.0
 	github.com/robfig/cron v1.2.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
-	golang.org/x/text v0.16.0
-	golang.org/x/tools v0.23.0
+	golang.org/x/text v0.18.0
+	golang.org/x/tools v0.24.0
 	k8s.io/api v0.30.2
 	k8s.io/apimachinery v0.30.2
 	k8s.io/apiserver v0.30.1
@@ -111,10 +111,10 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.47.0 // indirect
 	github.com/prometheus/procfs v0.14.0 // indirect
-	github.com/rancher/aks-operator v1.9.1 // indirect
-	github.com/rancher/eks-operator v1.9.1 // indirect
+	github.com/rancher/aks-operator v1.9.2 // indirect
+	github.com/rancher/eks-operator v1.9.2 // indirect
 	github.com/rancher/fleet/pkg/apis v0.10.0 // indirect
-	github.com/rancher/gke-operator v1.9.1 // indirect
+	github.com/rancher/gke-operator v1.9.2 // indirect
 	github.com/rancher/norman v0.0.0-20240708202514-a0127673d1b9 // indirect
 	github.com/spf13/cobra v1.8.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -133,13 +133,13 @@ require (
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.25.0 // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/oauth2 v0.22.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
-	golang.org/x/term v0.22.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/mod v0.20.0 // indirect
+	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/term v0.24.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect