Merge branch 'develop' into CSPL-2409

Signed-off-by: vivekr-splunk <[email protected]>

.env

@@ -2,8 +2,8 @@ OPERATOR_SDK_VERSION=v1.28.1
 REVIEWERS=pdhanoya-splunk,smohan-splunk,sgontla,gaurav-splunk,jryb,vivekr-splunk,kumarajeet
 GO_VERSION=1.19.2
 AWSCLI_URL=https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.8.6.zip
-KUBECTL_VERSION=v1.25.3
+KUBECTL_VERSION=v1.28.0
 AZ_CLI_VERSION=2.30.0
 EKSCTL_VERSION=v0.143.0
-EKS_CLUSTER_K8_VERSION=1.22
-SPLUNK_ENTERPRISE_RELEASE_IMAGE=splunk/splunk:9.0.5
+EKS_CLUSTER_K8_VERSION=1.26
+SPLUNK_ENTERPRISE_RELEASE_IMAGE=docker.io/splunk/splunk:9.0.5

.github/workflows/automated-release-workflow.yml

@@ -38,7 +38,6 @@ jobs:
 
     - name: Set up Docker Buildx
       uses: docker/[email protected]
-
     - name: Configure Docker Credentials
       uses: docker/login-action@v1
       with:

.github/workflows/bundle-push-post-release.yml

@@ -17,7 +17,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v2
 
-    - name: Deep Fetch 
+    - name: Deep Fetch
       run: |
         git fetch --prune --unshallow
 
@@ -31,7 +31,6 @@ jobs:
         go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
     - name: Set up Docker Buildx
       uses: docker/[email protected]
-
     - name: Configure Docker Credentials
       uses: docker/login-action@v1
       with:
@@ -44,13 +43,13 @@ jobs:
         export OS=$(uname | awk '{print tolower($0)}')
         export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}
         sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH}
-        sudo chmod +x operator-sdk_${OS}_${ARCH} 
+        sudo chmod +x operator-sdk_${OS}_${ARCH}
         sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 
     - name: Pull RC Splunk Operator Image
       run: |
         docker pull splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
-    
+
     - name: Run Bundle Push for the release
       run: |
         make bundle-build bundle-push catalog-build catalog-push IMAGE_TAG_BASE=docker.io/splunk/splunk-operator VERSION=${{ github.event.inputs.release_version }} IMG=docker.io/splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}

.github/workflows/int-test-azure-workflow.yml

@@ -124,7 +124,7 @@ jobs:
       # AZURE_MANAGED_ID_ENABLED: "${{ matrix.auth_method_managed_id }}"
       AZURE_MANAGED_ID_ENABLED: "false"
     steps:
-      # Need this because apps are downloaded from S3. 
+      # Need this because apps are downloaded from S3.
       - name: Set Test Cluster Name
         run: |
           echo "TEST_CLUSTER_NAME=az${{ github.run_id }}" >> $GITHUB_ENV

.github/workflows/int-test-workflow.yml

@@ -121,7 +121,7 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
-      - name: Install Ginkgo 
+      - name: Install Ginkgo
         run: |
           make setup/ginkgo
       - name: Install Helm

.github/workflows/manual-int-test-workflow.yml

@@ -60,7 +60,7 @@ jobs:
         run: >-
           if grep -q "appframework" <<< "${{ matrix.test }}"; then
             echo "CLUSTER_WORKERS=5" >> $GITHUB_ENV
-            echo "CLUSTER_NODES=2" >> $GITHUB_ENV  
+            echo "CLUSTER_NODES=2" >> $GITHUB_ENV
           fi
       - name: Checkout code
         uses: actions/checkout@v2
@@ -197,5 +197,5 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PUSH_TOKEN}}
-    - name: Push Splunk Operator Image to Docker Hub 
+    - name: Push Splunk Operator Image to Docker Hub
       run: docker push ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ env.TAG }}

.github/workflows/namespace-scope-int-workflow.yml

@@ -55,7 +55,7 @@ jobs:
         run: >-
           if grep -q "appframework" <<< "${{ matrix.test }}"; then
             echo "CLUSTER_WORKERS=5" >> $GITHUB_ENV
-            echo "CLUSTER_NODES=2" >> $GITHUB_ENV  
+            echo "CLUSTER_NODES=2" >> $GITHUB_ENV
           fi
       - name: Checkout code
         uses: actions/checkout@v2
@@ -80,7 +80,7 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
-      - name: Install Ginkgo 
+      - name: Install Ginkgo
         run: |
           make setup/ginkgo
       - name: Install EKS CTL
@@ -156,4 +156,3 @@ jobs:
         if: ${{ always() }}
         run: |
           make cluster-down
-   

.github/workflows/nightly-int-test-workflow.yml

@@ -29,7 +29,7 @@ jobs:
         export OS=$(uname | awk '{print tolower($0)}')
         export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}
         sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH}
-        sudo chmod +x operator-sdk_${OS}_${ARCH} 
+        sudo chmod +x operator-sdk_${OS}_${ARCH}
         sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v1
@@ -100,10 +100,10 @@ jobs:
         run: >-
           if grep -q "appframework" <<< "${{ matrix.test }}"; then
             echo "CLUSTER_WORKERS=5" >> $GITHUB_ENV
-            echo "CLUSTER_NODES=2" >> $GITHUB_ENV  
+            echo "CLUSTER_NODES=2" >> $GITHUB_ENV
           fi
       - uses: actions/checkout@v2
-        with: 
+        with:
           ref: develop
       - name: Dotenv Action
         id: dotenv
@@ -234,5 +234,5 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PUSH_TOKEN}}
-    - name: Push Splunk Operator Image to Docker Hub 
+    - name: Push Splunk Operator Image to Docker Hub
       run: docker push ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ env.TAG }}

.semgrepignore

@@ -0,0 +1 @@
+tools/k8s_collectors/k8s-splunk-collector-helper.py

docs/Helm.md

@@ -11,12 +11,12 @@ helm repo update
 
 The ```splunk``` chart repository contains the ```splunk/splunk-operator``` chart to deploy the Splunk Operator and the ```splunk/splunk-enterprise``` chart to deploy Splunk Enterprise custom resources.
 
-Currently only latest version splunk operator is hosted on `https://splunk.github.io/splunk-operator`. For previous version of helm chart, checkout release branch code. For example, for 2.0.0 release, please follow the below steps:
+Upgrading to latest version of splunk operator using helm chart will not upgrade CRDs. User need to deploy the latest CRDs manually. this is [limitation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) from helm
 
 ```
 git clone https://github.com/splunk/splunk-operator.git .
-git checkout release/2.0.0
-helm install splunk-s1 helm-chart/splunk-enterprise ...
+git checkout release/2.3.0
+make install
 ```
 
 Helm provides a long list of commands to manage your deployment, we'll be going over a few useful ones in the sections to come. You can learn more about supported commands [here](https://helm.sh/docs/helm/helm/).

docs/index.yaml

@@ -3,14 +3,14 @@ entries:
   splunk-enterprise:
   - apiVersion: v2
     appVersion: 2.3.0
-    created: "2023-07-06T13:56:05.403586-07:00"
+    created: "2023-07-25T15:50:32.734375-07:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
       repository: file://splunk-operator/helm-chart/splunk-operator
       version: 2.3.0
     description: A Helm chart for Splunk Enterprise managed by the Splunk Operator
-    digest: c18bcc16332114dbc46abf2b809aa26ab8576a10dae3da4241d502b3fdd9079d
+    digest: 589aeff022db846bb284d2c74ada95a7dd79949546238d7854f8e80163445d56
     maintainers:
     - email: [email protected]
       name: Vivek Reddy
@@ -25,7 +25,7 @@ entries:
     version: 2.3.0
   - apiVersion: v2
     appVersion: 2.2.1
-    created: "2023-07-06T13:56:05.376932-07:00"
+    created: "2023-07-25T15:50:32.719883-07:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
@@ -40,7 +40,7 @@ entries:
     version: 2.2.1
   - apiVersion: v2
     appVersion: 2.2.0
-    created: "2023-07-06T13:56:05.364159-07:00"
+    created: "2023-07-25T15:50:32.704801-07:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
@@ -55,7 +55,7 @@ entries:
     version: 2.2.0
   - apiVersion: v2
     appVersion: 2.1.0
-    created: "2023-07-06T13:56:05.339298-07:00"
+    created: "2023-07-25T15:50:32.677517-07:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
@@ -71,9 +71,9 @@ entries:
   splunk-operator:
   - apiVersion: v2
     appVersion: 2.3.0
-    created: "2023-07-06T13:56:05.450488-07:00"
+    created: "2023-07-25T15:50:32.785117-07:00"
     description: A Helm chart for the Splunk Operator for Kubernetes
-    digest: a4eba8f2af1d624794bb37a75d462e26ea5dbbf729276f5c4e2b65610f397d8a
+    digest: f2f9ef0149f093bb56f69c967388086ab799d40a543ea1ea4e398fe16a99927e
     maintainers:
     - email: [email protected]
       name: Vivek Reddy
@@ -86,34 +86,4 @@ entries:
     urls:
     - https://splunk.github.io/splunk-operator/splunk-operator-2.3.0.tgz
     version: 2.3.0
-  - apiVersion: v2
-    appVersion: 2.2.1
-    created: "2023-07-06T13:56:05.436792-07:00"
-    description: A Helm chart for the Splunk Operator for Kubernetes
-    digest: 8868b9ae2ebde0c667b13c97d71d904a31b5a9f2c803b199bc77324f1727e1fd
-    name: splunk-operator
-    type: application
-    urls:
-    - https://splunk.github.io/splunk-operator/splunk-operator-2.2.1.tgz
-    version: 2.2.1
-  - apiVersion: v2
-    appVersion: 2.2.0
-    created: "2023-07-06T13:56:05.425506-07:00"
-    description: A Helm chart for the Splunk Operator for Kubernetes
-    digest: 49c72276bd7ff93465b0545d8b0814f684cade7d2cd191b6d73d4c3660bd1fb4
-    name: splunk-operator
-    type: application
-    urls:
-    - https://splunk.github.io/splunk-operator/splunk-operator-2.2.0.tgz
-    version: 2.2.0
-  - apiVersion: v2
-    appVersion: 2.1.0
-    created: "2023-07-06T13:56:05.414264-07:00"
-    description: A Helm chart for the Splunk Operator for Kubernetes
-    digest: 34e5463f8f5442655d05cb616b50391b738a0827b30d8440b4c7fce99a291d9a
-    name: splunk-operator
-    type: application
-    urls:
-    - https://splunk.github.io/splunk-operator/splunk-operator-1.0.0.tgz
-    version: 1.0.0
-generated: "2023-07-06T13:56:05.323719-07:00"
+generated: "2023-06-15T11:57:34.671074-07:00"

pkg/splunk/enterprise/cp.go

@@ -19,6 +19,7 @@ import (
 	"archive/tar"
 	"io"
 	"os"
+	"path/filepath"
 )
 
 var cpMakeTar = func(src localPath, dest remotePath, writer io.Writer) error {
@@ -85,7 +86,7 @@ func recursiveTar(srcDir, srcFile localPath, destDir, destFile remotePath, tw *t
 			if err := tw.WriteHeader(hdr); err != nil {
 				return err
 			}
-
+			fpath = filepath.Clean(fpath)
 			f, err := os.Open(fpath)
 			if err != nil {
 				return err

pkg/splunk/enterprise/util.go

@@ -427,7 +427,7 @@ func createAppDownloadDir(ctx context.Context, path string) error {
 	scopedLog := reqLogger.WithName("createAppDownloadDir").WithValues("path", path)
 	_, err := os.Stat(path)
 	if errors.Is(err, os.ErrNotExist) {
-		errDir := os.MkdirAll(path, 0755)
+		errDir := os.MkdirAll(path, 0700)
 		if errDir != nil {
 			scopedLog.Error(errDir, "Unable to create directory at path")
 			return errDir
@@ -447,7 +447,7 @@ func getAvailableDiskSpace(ctx context.Context) (uint64, error) {
 	if err != nil {
 		scopedLog.Error(err, "There is no default volume configured for the App framework, use the temporary location", "dir", TmpAppDownloadDir)
 		splcommon.AppDownloadVolume = TmpAppDownloadDir
-		err = os.MkdirAll(splcommon.AppDownloadVolume, 0755)
+		err = os.MkdirAll(splcommon.AppDownloadVolume, 0700)
 		if err != nil {
 			scopedLog.Error(err, "Unable to create the directory", "dir", splcommon.AppDownloadVolume)
 			return 0, err

test/deploy-eks-cluster.sh

@@ -16,8 +16,8 @@ if [[ -z "${ECR_REPOSITORY}" ]]; then
 fi
 
 if [[ -z "${EKS_CLUSTER_K8_VERSION}" ]]; then
-  echo "EKS_CLUSTER_K8_VERSION not set. Changing to 1.22"
-  export EKS_CLUSTER_K8_VERSION="1.22"
+  echo "EKS_CLUSTER_K8_VERSION not set. Changing to 1.26"
+  export EKS_CLUSTER_K8_VERSION="1.26"
 fi
 
 function deleteCluster() {
@@ -35,6 +35,8 @@ function deleteCluster() {
     echo "Unable to delete cluster - ${TEST_CLUSTER_NAME}"
     return 1
   fi
+  rolename= echo ${TEST_CLUSTER_NAME} | awk -F- '{print "EBS_" $(NF-1) "_" $(NF)}'
+  aws iam delete-role --role-name ${rolename}
 
   return 0
 }
@@ -54,6 +56,36 @@ function createCluster() {
       echo "Unable to create cluster - ${TEST_CLUSTER_NAME}"
       return 1
     fi
+    eksctl utils associate-iam-oidc-provider --cluster=${TEST_CLUSTER_NAME}  --approve
+    oidc_id=$(aws eks describe-cluster --name ${TEST_CLUSTER_NAME} --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
+    account_id=$(aws sts get-caller-identity --query "Account" --output text)
+    oidc_provider=$(aws eks describe-cluster --name ${TEST_CLUSTER_NAME}  --region "us-west-2" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
+    namespace=kube-system
+    service_account=ebs-csi-controller-sa
+    kubectl create serviceaccount ${service_account} --namespace ${namespace}
+    echo "{
+      \"Version\": \"2012-10-17\",
+      \"Statement\": [
+        {
+          \"Effect\": \"Allow\",
+          \"Principal\": {
+            \"Federated\": \"arn:aws:iam::$account_id:oidc-provider/$oidc_provider\"
+          },
+          \"Action\": \"sts:AssumeRoleWithWebIdentity\",
+          \"Condition\": {
+            \"StringEquals\": {
+              \"$oidc_provider:aud\": \"sts.amazonaws.com\",
+              \"$oidc_provider:sub\": \"system:serviceaccount:$namespace:$service_account\"
+            }
+          }
+        }
+      ]
+    }"  >aws-ebs-csi-driver-trust-policy.json
+    rolename=$(echo ${TEST_CLUSTER_NAME} | awk -F- '{print "EBS_" $(NF-1) "_" $(NF)}')
+    aws iam create-role --role-name ${rolename} --assume-role-policy-document file://aws-ebs-csi-driver-trust-policy.json --description "irsa role for ${TEST_CLUSTER_NAME}"
+    aws iam attach-role-policy  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy  --role-name ${rolename}
+    kubectl annotate serviceaccount -n $namespace $service_account eks.amazonaws.com/role-arn=arn:aws:iam::$account_id:role/${rolename}
+    eksctl create addon --name aws-ebs-csi-driver --cluster ${TEST_CLUSTER_NAME} --service-account-role-arn arn:aws:iam::$account_id:role/${rolename} --force
   else
     echo "Retrieving kubeconfig for ${TEST_CLUSTER_NAME}"
     # Cluster exists but kubeconfig may not
@@ -72,4 +104,4 @@ function createCluster() {
   # Output
   echo "EKS cluster nodes:"
   eksctl get cluster --name=${TEST_CLUSTER_NAME}
-}
+}

test/env.sh

@@ -11,7 +11,7 @@
 : "${ECR_REGISTRY:=}"
 : "${VPC_PUBLIC_SUBNET_STRING:=}"
 : "${VPC_PRIVATE_SUBNET_STRING:=}"
-: "${EKS_CLUSTER_K8_VERSION:=1.22}"
+: "${EKS_CLUSTER_K8_VERSION:=1.26}"
 # Below env variables required to run license master test cases
 : "${ENTERPRISE_LICENSE_S3_PATH:=}"
 : "${TEST_S3_BUCKET:=}"