Fix embedded mirror blocked by SAR RBAC and re-enable test

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-05-30 19:00:47 +00:00 · 2024-05-30 19:00:47 +00:00 · 2c50f4aa5b
parent 8262c02cdd
commit 2c50f4aa5b
3 changed files with 13 additions and 4 deletions
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -36,8 +36,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        # TODO fix embeddedmirror and add it to the matrix
-        etest: [startup, s3, btrfs, externalip, privateregistry, wasm]
+        etest: [startup, s3, btrfs, externalip, privateregistry, embeddedmirror, wasm]
      max-parallel: 3
    steps:
      - name: "Checkout"
@ -116,4 +115,4 @@ jobs:
        chmod +x ./dist/artifacts/k3s
        . ./tests/docker/test-helpers
        . ./tests/docker/test-run-${{ matrix.dtest }}
-        echo "Did test-run-${{ matrix.dtest }} pass $?"
+        echo "Did test-run-${{ matrix.dtest }} pass $?"
--- a/pkg/agent/https/https.go
+++ b/pkg/agent/https/https.go
@ -75,7 +75,11 @@ func Start(ctx context.Context, nodeConfig *config.Node, runtime *config.Control
 		}

 		authz := options.NewDelegatingAuthorizationOptions()
-		authz.AlwaysAllowPaths = []string{"/v2", "/debug/pprof", "/v1-" + version.Program + "/p2p"}
+		authz.AlwaysAllowPaths = []string{ // skip authz for paths that should not use SubjectAccessReview; basically everything that will use this router other than metrics
+			"/v1-" + version.Program + "/p2p", // spegel libp2p peer discovery
+			"/v2/*",                           // spegel registry mirror
+			"/debug/pprof/*",                  // profiling
+		}
 		authz.RemoteKubeConfigFile = nodeConfig.AgentConfig.KubeConfigKubelet
 		if applyErr := authz.ApplyTo(&config.Authorization); applyErr != nil {
 			err = applyErr
--- a/tests/e2e/embeddedmirror/Vagrantfile
+++ b/tests/e2e/embeddedmirror/Vagrantfile
@ -38,6 +38,9 @@ def provision(vm, role, role_num, node_num)

  if role.include?("server") && role_num == 0
    vm.provision "private-registry", type: "shell", inline: writePrivateRegistry
+    vm.provision "create-images-dir", type: "shell", inline: "mkdir -p -m 777 /tmp/images /var/lib/rancher/k3s/agent/images"
+    vm.provision "copy-images-file", type: "file", source: "../../../scripts/airgap/image-list.txt", destination: "/tmp/images/image-list.txt"
+    vm.provision "move-images-file", type: "shell", inline: "mv /tmp/images/image-list.txt /var/lib/rancher/k3s/agent/images/image-list.txt"

    vm.provision 'k3s-primary-server', type: 'k3s', run: 'once' do |k3s|
      k3s.args = "server "
@ -54,6 +57,9 @@ def provision(vm, role, role_num, node_num)
  
  elsif role.include?("server") && role_num != 0
    vm.provision "shell", inline: writePrivateRegistry
+    vm.provision "create-images-dir", type: "shell", inline: "mkdir -p -m 777 /tmp/images /var/lib/rancher/k3s/agent/images"
+    vm.provision "copy-images-file", type: "file", source: "../../../scripts/airgap/image-list.txt", destination: "/tmp/images/image-list.txt"
+    vm.provision "move-images-file", type: "shell", inline: "mv /tmp/images/image-list.txt /var/lib/rancher/k3s/agent/images/image-list.txt"

    vm.provision 'k3s-secondary-server', type: 'k3s', run: 'once' do |k3s|
      k3s.args = "server"