Merge branch 'main' into renovate/go-1.x

.github/workflows/e2e-ci.yml

@@ -29,6 +29,11 @@ jobs:
           # https://hub.docker.com/r/rancher/k3s/tags
           - v1.29.0-k3s1
           - v1.24.17-k3s1
+        test_type:
+          - name: default
+          - name: sharding
+            shards: '[{"id":"shard0"},{"id":"shard1"},{"id":"shard2"}]'
+          - name: infra-setup
     steps:
       -
         uses: actions/checkout@v4
@@ -43,17 +48,17 @@ jobs:
         name: Install Ginkgo CLI
         run: go install github.com/onsi/ginkgo/v2/ginkgo
       -
-        name: Build Fleet Binaries
+        name: Build Fleet
         run: |
           ./.github/scripts/build-fleet-binaries.sh
-
-          cd e2e/testenv/infra
-          go build
+          ./.github/scripts/build-fleet-images.sh
       -
-        name: Build Docker Images
+        name: Build Infra Tool
+        if: ${{ matrix.test_type.name == 'infra-setup' }}
         run: |
-          ./.github/scripts/build-fleet-images.sh
-
+          pushd e2e/testenv/infra
+          go build
+          popd
           cd e2e/assets/gitrepo
           # Buildkit needed here for proper here-document support
           DOCKER_BUILDKIT=1 docker build -f Dockerfile.gitserver -t nginx-git:test --build-arg="passwd=$(openssl passwd foo)" .
@@ -81,17 +86,36 @@ jobs:
           limit-access-to-actor: true
       -
         name: Deploy Fleet
+        env:
+          SHARDS: ${{ matrix.test_type.shards }}
+        run: |
+          ./.github/scripts/deploy-fleet.sh
+      -
+        name: E2E Tests
+        if: ${{ matrix.test_type.name == 'default' }}
+        env:
+          FLEET_E2E_NS: fleet-local
         run: |
-          SHARDS='[{"id":"shard0"},{"id":"shard1"},{"id":"shard2"}]' ./.github/scripts/deploy-fleet.sh
+          ginkgo --github-output --label-filter='!infra-setup && !sharding' e2e/single-cluster e2e/keep-resources e2e/drift
+      -
+        name: E2E Sharding/Metrics Tests
+        if: ${{ matrix.test_type.name == 'sharding' }}
+        env:
+          FLEET_E2E_NS: fleet-local
+        run: |
+          ginkgo --github-output --label-filter='sharding' e2e/single-cluster
+          ginkgo --github-output e2e/metrics
+          SHARD=shard1 ginkgo --github-output e2e/metrics
       -
         name: Create Zot certificates for OCI tests
+        if: ${{ matrix.test_type.name == 'infra-setup' }}
         env:
           FLEET_E2E_NS: fleet-local
         run: |
-          # Generate cert and key for TLS
           ./.github/scripts/create-zot-certs.sh "FleetCI-RootCA"
       -
-        name: E2E Tests
+        name: E2E Infra Tests
+        if: ${{ matrix.test_type.name == 'infra-setup' }}
         env:
           FLEET_E2E_NS: fleet-local
           # Git and OCI credentials are here used in a local, ephemeral environment. Leaks would be harmless.
@@ -103,33 +127,25 @@ jobs:
         run: |
           export CI_OCI_CERTS_DIR="$(git rev-parse --show-toplevel)/FleetCI-RootCA"
 
-          # 1. Run test cases not needing infra
-          ginkgo --github-output --label-filter='!infra-setup' e2e/single-cluster e2e/keep-resources e2e/drift
-
-          # 2. Run tests for metrics
-          ginkgo --github-output e2e/metrics
-          SHARD=shard1 ginkgo --github-output e2e/metrics
-
-          # 3. Run tests requiring only the git server
+          # Run tests requiring only the git server
           e2e/testenv/infra/infra setup --git-server=true
           ginkgo --github-output --label-filter='infra-setup && !helm-registry && !oci-registry' e2e/single-cluster/
 
-          # 4. Run tests requiring a Helm registry
+          # Run tests requiring a Helm registry
           e2e/testenv/infra/infra setup --helm-registry=true
           ginkgo --github-output --label-filter='helm-registry' e2e/single-cluster
 
           e2e/testenv/infra/infra teardown --helm-registry=true
 
-          # 5. Run tests requiring an OCI registry
+          # Run tests requiring an OCI registry
           e2e/testenv/infra/infra setup --oci-registry=true
           ginkgo --github-output --label-filter='oci-registry' e2e/single-cluster
 
-          # 6. Tear down all infra
           e2e/testenv/infra/infra teardown
-
       -
         name: Acceptance Tests for Examples
         if: >
+          matrix.test_type.name == 'default' &&
           github.event_name == 'schedule'
         env:
           FLEET_E2E_NS: fleet-local
@@ -139,6 +155,7 @@ jobs:
         name: Fleet Tests Requiring Github Secrets
         # These tests can't run for PRs, because PRs don't have access to the secrets
         if: >
+          matrix.test_type.name == 'default' &&
           github.event_name != 'pull_request' &&
           github.repository == 'rancher/fleet'
 

charts/fleet/templates/deployment_gitjob.yaml

@@ -57,6 +57,18 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          {{- if $.Values.leaderElection.leaseDuration }}
+            - name: CATTLE_ELECTION_LEASE_DURATION
+              value: {{$.Values.leaderElection.leaseDuration}}
+          {{- end }}
+          {{- if $.Values.leaderElection.retryPeriod }}
+            - name: CATTLE_ELECTION_RETRY_PERIOD
+              value: {{$.Values.leaderElection.retryPeriod}}
+          {{- end }}
+          {{- if $.Values.leaderElection.renewDeadline }}
+            - name: CATTLE_ELECTION_RENEW_DEADLINE
+              value: {{$.Values.leaderElection.renewDeadline}}
+          {{- end }}
           {{- if $.Values.proxy }}
             - name: HTTP_PROXY
               value: {{ $.Values.proxy }}
@@ -87,6 +99,11 @@ spec:
       nodeSelector: {{ include "linux-node-selector" $shard.id | nindent 8 }}
 {{- if $.Values.nodeSelector }}
 {{ toYaml $.Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if $shard.nodeSelector -}}
+{{- range $key, $value := $shard.nodeSelector }}
+{{ $key | indent 8}}: {{ $value }}
+{{- end }}
 {{- end }}
       tolerations: {{ include "linux-node-tolerations" $shard.id | nindent 8 }}
 {{- if $.Values.tolerations }}

go.mod

@@ -17,8 +17,8 @@ require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/docker/docker v26.1.4+incompatible
 	github.com/evanphx/json-patch v5.9.0+incompatible
-	github.com/go-git/go-billy/v5 v5.5.0
-	github.com/go-git/go-git/v5 v5.12.0
+	github.com/go-git/go-billy/v5 v5.5.1-0.20240701174852-839dcd3ad096
+	github.com/go-git/go-git/v5 v5.12.1-0.20240629213349-b00c68ab7140
 	github.com/go-logr/logr v1.4.2
 	github.com/go-playground/webhooks/v6 v6.3.0
 	github.com/gobwas/glob v0.2.3
@@ -101,7 +101,7 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/cli v25.0.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect

go.sum

@@ -290,8 +290,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lV
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
+github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -317,8 +317,8 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 h1:ZClxb8laGDf5arXfYcAtECDFgAgHklGI8CxgjHnXKJ4=
 github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy v0.0.0-20240618083138-03be62527ccb h1:2SoxRauy2IqekRMggrQk3yNI5X6omSnk6ugVbFywwXs=
+github.com/elazarl/goproxy v0.0.0-20240618083138-03be62527ccb/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
 github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU=
 github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
@@ -359,12 +359,12 @@ github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxI
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
-github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-billy/v5 v5.5.1-0.20240701174852-839dcd3ad096 h1:2WsH0tWd8Swy52EeffY/42nkm7jKDGyqErCbO54Yp08=
+github.com/go-git/go-billy/v5 v5.5.1-0.20240701174852-839dcd3ad096/go.mod h1:028g84TK/7xLYqjR/Ypl7ynJtp2bl7cmAH0ceNheF9Y=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
-github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
+github.com/go-git/go-git/v5 v5.12.1-0.20240629213349-b00c68ab7140 h1:hG3GDmuUc+xR0wrabHYQ3xSefdfACVOpkuCn9P25lx0=
+github.com/go-git/go-git/v5 v5.12.1-0.20240629213349-b00c68ab7140/go.mod h1:hp36mMcS+/NwPczbhaD6RDHgas6kbmuQVqFwtHTYu7Y=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=

integrationtests/gitcloner/clone_test.go

@@ -146,7 +146,7 @@ var _ = Describe("Applying a git job gets content from git repo", Label("network
 				})
 
 				It("Fails to clone the repo", func() {
-					Expect(cloneErr.Error()).To(Equal("authentication required"))
+					Expect(cloneErr.Error()).To(ContainSubstring("authentication required"))
 				})
 			})
 

integrationtests/gitjob/git/git_test.go

@@ -117,8 +117,10 @@ func TestLatestCommit_NoAuth(t *testing.T) {
 			client := mocks.NewMockClient(ctlr)
 			client.EXPECT().Get(ctx, gomock.Any(), gomock.Any()).Return(kerrors.NewNotFound(schema.GroupResource{}, "notfound"))
 			latestCommit, err := f.LatestCommit(ctx, test.gitrepo, client)
-			if err != test.expectedErr {
-				t.Errorf("expected error is: %v, but got %v", test.expectedErr, err)
+			if test.expectedErr == nil {
+				require.NoError(t, err)
+			} else {
+				require.Contains(t, err.Error(), test.expectedErr.Error())
 			}
 			if latestCommit != test.expectedCommit {
 				t.Errorf("latestCommit doesn't match. got %s, expected %s", latestCommit, test.expectedCommit)

internal/cmd/builder.go

@@ -125,7 +125,11 @@ func Command(obj Runnable, cmd cobra.Command) *cobra.Command {
 			maps[name] = v
 			flags.StringSliceP(name, alias, nil, usage)
 		case reflect.Bool:
-			flags.BoolVarP((*bool)(unsafe.Pointer(v.Addr().Pointer())), name, alias, false, usage)
+			initVal := false
+			if defValue == "true" {
+				initVal = true
+			}
+			flags.BoolVarP((*bool)(unsafe.Pointer(v.Addr().Pointer())), name, alias, initVal, usage)
 		default:
 			panic("Unknown kind on field " + fieldType.Name + " on " + objValue.Type().Name())
 		}

internal/cmd/controller/gitops/operator.go

@@ -86,12 +86,25 @@ func (g *GitOperator) Run(cmd *cobra.Command, args []string) error {
 
 	namespace := g.Namespace
 
+	leaderOpts, err := command.NewLeaderElectionOptions()
+	if err != nil {
+		return err
+	}
+
+	var leaderElectionSuffix string
+	if g.ShardID != "" {
+		leaderElectionSuffix = fmt.Sprintf("-%s", g.ShardID)
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                  scheme,
 		Metrics:                 g.setupMetrics(),
 		LeaderElection:          g.EnableLeaderElection,
-		LeaderElectionID:        "gitjob-leader",
+		LeaderElectionID:        fmt.Sprintf("fleet-gitops-leader-election-shard%s", leaderElectionSuffix),
 		LeaderElectionNamespace: namespace,
+		LeaseDuration:           leaderOpts.LeaseDuration,
+		RenewDeadline:           leaderOpts.RenewDeadline,
+		RetryPeriod:             leaderOpts.RetryPeriod,
 	})
 
 	if err != nil {

internal/cmd/controller/operator.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/reugn/go-quartz/quartz"
 
+	"github.com/rancher/fleet/internal/cmd"
 	"github.com/rancher/fleet/internal/cmd/controller/reconciler"
 	"github.com/rancher/fleet/internal/cmd/controller/target"
 	"github.com/rancher/fleet/internal/manifest"
@@ -35,7 +36,7 @@ func start(
 	ctx context.Context,
 	systemNamespace string,
 	config *rest.Config,
-	leaderOpts LeaderElectionOptions,
+	leaderOpts cmd.LeaderElectionOptions,
 	workersOpts ControllerReconcilerWorkers,
 	bindAddresses BindAddresses,
 	disableMetrics bool,

internal/cmd/controller/root.go

@@ -37,21 +37,6 @@ type FleetManager struct {
 	ShardID        string `usage:"only manage resources labeled with a specific shard ID" name:"shard-id"`
 }
 
-type LeaderElectionOptions struct {
-	// LeaseDuration is the duration that non-leader candidates will
-	// wait to force acquire leadership. This is measured against time of
-	// last observed ack. Default is 15 seconds.
-	LeaseDuration *time.Duration
-
-	// RenewDeadline is the duration that the acting controlplane will retry
-	// refreshing leadership before giving up. Default is 10 seconds.
-	RenewDeadline *time.Duration
-
-	// RetryPeriod is the duration the LeaderElector clients should wait
-	// between tries of actions. Default is 2 seconds.
-	RetryPeriod *time.Duration
-}
-
 type ControllerReconcilerWorkers struct {
 	GitRepo          int
 	Bundle           int
@@ -85,35 +70,11 @@ func (f *FleetManager) Run(cmd *cobra.Command, args []string) error {
 	ctx := clog.IntoContext(cmd.Context(), ctrl.Log)
 
 	kubeconfig := ctrl.GetConfigOrDie()
-
-	leaderOpts := LeaderElectionOptions{}
-
 	workersOpts := ControllerReconcilerWorkers{}
 
-	if d := os.Getenv("CATTLE_ELECTION_LEASE_DURATION"); d != "" {
-		v, err := time.ParseDuration(d)
-		if err != nil {
-			setupLog.Error(err, "failed to parse CATTLE_ELECTION_LEASE_DURATION", "duration", d)
-			return err
-
-		}
-		leaderOpts.LeaseDuration = &v
-	}
-	if d := os.Getenv("CATTLE_ELECTION_RENEW_DEADLINE"); d != "" {
-		v, err := time.ParseDuration(d)
-		if err != nil {
-			setupLog.Error(err, "failed to parse CATTLE_ELECTION_RENEW_DEADLINE", "duration", d)
-			return err
-		}
-		leaderOpts.RenewDeadline = &v
-	}
-	if d := os.Getenv("CATTLE_ELECTION_RETRY_PERIOD"); d != "" {
-		v, err := time.ParseDuration(d)
-		if err != nil {
-			setupLog.Error(err, "failed to parse CATTLE_ELECTION_RETRY_PERIOD", "duration", d)
-			return err
-		}
-		leaderOpts.RetryPeriod = &v
+	leaderOpts, err := command.NewLeaderElectionOptions()
+	if err != nil {
+		return err
 	}
 
 	bindAddresses := BindAddresses{