Merge branch 'main' into laverya/error-typo

.dockerignore

@@ -1,7 +1,6 @@
 web/node_modules
 web/src
 api
-dev
 docs
 kustomize
 migrations

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,32 +1,19 @@
-<!--  Thanks for sending a pull request!  Here are some tips for you:
-
-1. If this is your first time, please read our contributor guidelines here:
-https://github.com/replicatedhq/kots/blob/main/CONTRIBUTING.md.
-2. Ensure you have added appropriate tests for your PR. For more information read here:
-https://github.com/replicatedhq/kots/blob/main/CONTRIBUTING.md#testing
-3. If the PR is unfinished, please mark it as a draft.
--->
-
 #### What this PR does / why we need it:
-
-#### Which issue(s) this PR fixes:
 <!--
-*Automatically closes linked issue when PR is merged.
-Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
+Describe the purpose of this change and the problem it solves.
 -->
-Fixes #
 
-#### Special notes for your reviewer:
+#### Which issue(s) this PR fixes:
 <!--
-Any additional special notes for your reviewer.
+Link to the Shortcut story or Github issue this PR fixes.
 -->
 
-## Steps to reproduce
+#### Does this PR require a test?
 <!---
-Please provide minimum instructions for how someone can view/test/verify your changes.
+If no, just write "NONE" below.
 -->
 
-#### Does this PR introduce a user-facing change?
+#### Does this PR require a release note?
 <!--
 If no, just write "NONE" in the release-note block below.
 If yes, a release note is required:
@@ -38,5 +25,5 @@ If yes, a release note is required:
 #### Does this PR require documentation?
 <!--
 If no, just write "NONE" below.
-If yes, link to the related https://github.com/replicatedhq/kots.io documentation PR:
+If yes, link to the related https://github.com/replicatedhq/replicated-docs documentation PR:
 -->

.github/actions/copy-assets/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22 as builder
+FROM golang:1.23 as builder
 WORKDIR /action
 COPY . /action
 

.github/actions/kots-e2e/action.yml

@@ -95,6 +95,7 @@ runs:
     - name: execute suite "${{ inputs.test-focus }}"
       env:
         TESTIM_ACCESS_TOKEN: ${{ inputs.testim-access-token }}
+        REPLICATED_API_TOKEN: ${{ inputs.replicated-api-token }}
         KOTS_NAMESPACE: ${{ inputs.kots-namespace }}
       run: |
         make -C e2e test \

.github/workflows/build-test.yaml

@@ -691,6 +691,10 @@ jobs:
             --shared-password password \
             --kotsadm-registry ttl.sh \
             --kotsadm-namespace automated-${{ github.run_id }} \
+            --additional-labels testlabel1=testvalue1 \
+            --additional-labels test.label/two=test.value.two \
+            --additional-annotations testannotation1=testannotationvalue1 \
+            --additional-annotations test.annotation/two=testannotation.value.two \
             --kotsadm-tag 24h | tee output.txt
 
           if ! grep -q "The Kubernetes RBAC policy that the Admin Console is running with does not have access to complete the Preflight Checks. It's recommended that you run these manually before proceeding." output.txt; then
@@ -732,6 +736,73 @@ jobs:
             exit 1
           fi
 
+          echo "check that the kotsadm, minio and rqlite pods have the correct labels and annotations"
+          echo "label one"
+          if ! kubectl get pods -n "$APP_SLUG" -l app=kotsadm -o jsonpath='{.items[0].metadata.labels.testlabel1}' | grep -q testvalue1; then
+              echo "kotsadm pod does not have the correct testlabel1 label"
+              kubectl get pods -n "$APP_SLUG" -l app=kotsadm -o jsonpath='{.items[0].metadata.labels}'
+              exit 1
+          fi
+          if ! kubectl get pods -n "$APP_SLUG" -l app=kotsadm-minio -o jsonpath='{.items[0].metadata.labels.testlabel1}' | grep -q testvalue1; then
+              echo "kotsadm-minio pod does not have the correct testlabel1 label"
+              kubectl get pods -n "$APP_SLUG" -l app=kotsadm-minio -o jsonpath='{.items[0].metadata.labels}'
+              exit 1
+          fi
+          if ! kubectl get pods -n "$APP_SLUG" -l app=kotsadm-rqlite -o jsonpath='{.items[0].metadata.labels.testlabel1}' | grep -q testvalue1; then
+              echo "kotsadm-rqlite pod does not have the correct testlabel1 label"
+              kubectl get pods -n "$APP_SLUG" -l app=kotsadm-rqlite -o jsonpath='{.items[0].metadata.labels}'
+              exit 1
+          fi
+          echo "annotation one"
+          if ! kubectl get pods -n "$APP_SLUG" -l app=kotsadm -o jsonpath='{.items[0].metadata.annotations.testannotation1}' | grep -q testannotationvalue1; then
+              echo "kotsadm pod does not have the correct testannotation1 annotation"
+              kubectl get pods -n "$APP_SLUG" -l app=kotsadm -o jsonpath='{.items[0].metadata.annotations}'
+              exit 1
+          fi
+          if ! kubectl get pods -n "$APP_SLUG" -l app=kotsadm-minio -o jsonpath='{.items[0].metadata.annotations.testannotation1}' | grep -q testannotationvalue1; then
+              echo "kotsadm-minio pod does not have the correct testannotation1 annotation"
+              kubectl get pods -n "$APP_SLUG" -l app=kotsadm-minio -o jsonpath='{.items[0].metadata.annotations}'
+              exit 1
+          fi
+          if ! kubectl get pods -n "$APP_SLUG" -l app=kotsadm-rqlite -o jsonpath='{.items[0].metadata.annotations.testannotation1}' | grep -q testannotationvalue1; then
+              echo "kotsadm-rqlite pod does not have the correct testannotation1 annotation"
+              kubectl get pods -n "$APP_SLUG" -l app=kotsadm-rqlite -o jsonpath='{.items[0].metadata.annotations}'
+              exit 1
+          fi
+          echo "label two"
+          if ! kubectl get pod -n "$APP_SLUG" -l app=kotsadm -o jsonpath='{.items[0].metadata.labels.test\.label/two}' | grep -q 'test.value.two'; then
+              echo "kotsadm pod does not have the correct test.label/two label"
+              kubectl get pod -n "$APP_SLUG" -l app=kotsadm -o jsonpath='{.items[0].metadata.labels}'
+              exit 1
+          fi
+          if ! kubectl get pod -n "$APP_SLUG" -l app=kotsadm-minio -o jsonpath='{.items[0].metadata.labels.test\.label/two}' | grep -q 'test.value.two'; then
+              echo "kotsadm-minio pod does not have the correct test.label/two label"
+              kubectl get pod -n "$APP_SLUG" -l app=kotsadm-minio -o jsonpath='{.items[0].metadata.labels}'
+              exit 1
+          fi
+          if ! kubectl get pod -n "$APP_SLUG" -l app=kotsadm-rqlite -o jsonpath='{.items[0].metadata.labels.test\.label/two}' | grep -q 'test.value.two'; then
+              echo "kotsadm-rqlite pod does not have the correct test.label/two label"
+              kubectl get pod -n "$APP_SLUG" -l app=kotsadm-rqlite -o jsonpath='{.items[0].metadata.labels}'
+              exit 1
+          fi
+          echo "annotation two"
+          if ! kubectl get pod -n "$APP_SLUG" -l app=kotsadm -o jsonpath='{.items[0].metadata.annotations.test\.annotation/two}' | grep -q 'testannotation.value.two'; then
+              echo "kotsadm pod does not have the correct test.annotation/two annotation"
+              kubectl get pod -n "$APP_SLUG" -l app=kotsadm -o jsonpath='{.items[0].metadata.annotations}'
+              exit 1
+          fi
+          if ! kubectl get pod -n "$APP_SLUG" -l app=kotsadm-minio -o jsonpath='{.items[0].metadata.annotations.test\.annotation/two}' | grep -q 'testannotation.value.two'; then
+              echo "kotsadm-minio pod does not have the correct test.annotation/two annotation"
+              kubectl get pod -n "$APP_SLUG" -l app=kotsadm-minio -o jsonpath='{.items[0].metadata.annotations}'
+              exit 1
+          fi
+          if ! kubectl get pod -n "$APP_SLUG" -l app=kotsadm-rqlite -o jsonpath='{.items[0].metadata.annotations.test\.annotation/two}' | grep -q 'testannotation.value.two'; then
+              echo "kotsadm-rqlite pod does not have the correct test.annotation/two annotation"
+              kubectl get pod -n "$APP_SLUG" -l app=kotsadm-rqlite -o jsonpath='{.items[0].metadata.annotations}'
+              exit 1
+          fi
+          echo "additional pod labels and annotations are present"
+
       - name: Generate support bundle on failure
         if: failure()
         uses: ./.github/actions/generate-support-bundle
@@ -1085,6 +1156,40 @@ jobs:
           kots-dockerhub-username: '${{ secrets.E2E_DOCKERHUB_USERNAME }}'
           kots-dockerhub-password: '${{ secrets.E2E_DOCKERHUB_PASSWORD }}'
 
+  validate-change-channel:
+    runs-on: ubuntu-20.04
+    needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ]
+    strategy:
+      fail-fast: false
+      matrix:
+        cluster: [
+          {distribution: kind, version: v1.28.0}
+        ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: download e2e deps
+        uses: actions/download-artifact@v4
+        with:
+          name: e2e
+          path: e2e/bin/
+      - run: docker load -i e2e/bin/e2e-deps.tar
+      - run: chmod +x e2e/bin/*
+      - name: download kots binary
+        uses: actions/download-artifact@v4
+        with:
+          name: kots
+          path: bin/
+      - run: chmod +x bin/*
+      - uses: ./.github/actions/kots-e2e
+        with:
+          test-focus: 'Change Channel'
+          kots-namespace: 'change-channel'
+          k8s-distribution: ${{ matrix.cluster.distribution }}
+          k8s-version: ${{ matrix.cluster.version }}
+          replicated-api-token: '${{ secrets.C11Y_MATRIX_TOKEN }}'
+          kots-dockerhub-username: '${{ secrets.E2E_DOCKERHUB_USERNAME }}'
+          kots-dockerhub-password: '${{ secrets.E2E_DOCKERHUB_PASSWORD }}'
 
   validate-minimal-rbac-override:
     runs-on: ubuntu-20.04
@@ -2003,7 +2108,7 @@ jobs:
       - name: run kots admin-console push-images
         run: |
           set +e
-          ./bin/kots admin-console push-images ./hack/tests/small.airgap ttl.sh/automated-${{ github.run_id }}
+          ./bin/kots admin-console push-images ./e2e/artifacts/small.airgap ttl.sh/automated-${{ github.run_id }}
 
 
   validate-kots-admin-console-generate-manifests:
@@ -4104,6 +4209,120 @@ jobs:
           api-token: ${{ secrets.C11Y_MATRIX_TOKEN }}
           cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
 
+  validate-custom-cas:
+    runs-on: ubuntu-20.04
+    needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ]
+    strategy:
+      fail-fast: false
+      matrix:
+        cluster: [
+          {distribution: kind, version: v1.28.0}
+        ]
+    env:
+      APP_SLUG: get-set-config
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create Cluster
+        id: create-cluster
+        uses: replicatedhq/replicated-actions/create-cluster@v1
+        with:
+          api-token: ${{ secrets.C11Y_MATRIX_TOKEN }}
+          kubernetes-distribution: ${{ matrix.cluster.distribution }}
+          kubernetes-version: ${{ matrix.cluster.version }}
+          cluster-name: automated-kots-${{ github.run_id }}-${{ matrix.cluster.distribution }}-${{ matrix.cluster.version }}
+          timeout-minutes: '120'
+          ttl: 2h
+          export-kubeconfig: true
+
+      - name: download kots binary
+        uses: actions/download-artifact@v4
+        with:
+          name: kots
+          path: bin/
+
+      - run: chmod +x bin/kots
+
+      - name: create namespace and dockerhub secret
+        run: |
+          kubectl create ns "$APP_SLUG"
+          kubectl create secret docker-registry kotsadm-dockerhub --docker-server index.docker.io --docker-username "${{ secrets.E2E_DOCKERHUB_USERNAME }}" --docker-password "${{ secrets.E2E_DOCKERHUB_PASSWORD }}" --namespace "$APP_SLUG"
+
+      - name: install yq
+        run: |
+          sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
+          sudo chmod +x /usr/bin/yq
+
+      - name: run the test
+        run: |
+          set -e
+          echo ${{ secrets.GET_SET_CONFIG_LICENSE }} | base64 -d > license.yaml
+
+          echo "test value" > ./ca.crt
+          kubectl create configmap -n "$APP_SLUG" custom-cas --from-file=ca.crt=./ca.crt
+
+          ./bin/kots \
+            install "$APP_SLUG/automated" \
+            --license-file license.yaml \
+            --no-port-forward \
+            --namespace "$APP_SLUG" \
+            --shared-password password \
+            --kotsadm-registry ttl.sh \
+            --kotsadm-namespace automated-${{ github.run_id }} \
+            --private-ca-configmap custom-cas \
+            --kotsadm-tag 24h
+
+          echo "exec into the deployment and check for the file and its contents"
+          if ! kubectl exec -n "$APP_SLUG" deployment/kotsadm -- cat /certs/ca.crt | grep "test value"; then
+            echo "expected /certs/ca.crt to contain 'test value'"
+            kubectl exec -n "$APP_SLUG" deployment/kotsadm -- cat /certs/ca.crt
+            exit 1
+          fi
+
+          echo "check that the deployment has an environment variable pointing to the file"
+          if ! kubectl exec -n "$APP_SLUG" deployment/kotsadm -- env | grep "SSL_CERT_DIR" | grep "/certs"; then
+            echo "expected env output to contain SSL_CERT_DIR=/certs"
+            kubectl exec -n "$APP_SLUG" deployment/kotsadm -- env
+            exit 1
+          fi
+
+          echo "check that the deployment has an environment variable with the configmap name"
+          if ! kubectl exec -n "$APP_SLUG" deployment/kotsadm -- env | grep "SSL_CERT_CONFIGMAP" | grep "custom-cas"; then
+            echo "expected env output to contain SSL_CERT_CONFIGMAP=custom-cas"
+            kubectl exec -n "$APP_SLUG" deployment/kotsadm -- env
+            exit 1
+          fi
+
+          ./bin/kots admin-console generate-manifests -n "$APP_SLUG" --shared-password password --private-ca-configmap generated-custom-cas 
+          ls ./admin-console
+          if !  grep SSL_CERT_CONFIGMAP < ./admin-console/kotsadm-deployment.yaml; then
+            echo "expected generated kotsadm-deployment.yaml to contain SSL_CERT_CONFIGMAP"
+            cat ./admin-console/kotsadm-deployment.yaml
+            exit 1
+          fi
+          if ! grep generated-custom-cas < ./admin-console/kotsadm-deployment.yaml; then
+            echo "expected generated kotsadm-deployment.yaml to contain generated-custom-cas"
+            cat ./admin-console/kotsadm-deployment.yaml
+            exit 1
+          fi
+
+      - name: Generate support bundle on failure
+        if: failure()
+        uses: ./.github/actions/generate-support-bundle
+        with:
+          kots-namespace: "$APP_SLUG"
+          artifact-name: ${{ github.job }}-${{ matrix.cluster.distribution }}-${{ matrix.cluster.version }}-support-bundle
+
+      - name: Remove Cluster
+        id: remove-cluster
+        uses: replicatedhq/replicated-actions/remove-cluster@v1
+        if: ${{ always() && steps.create-cluster.outputs.cluster-id != '' }}
+        continue-on-error: true
+        with:
+          api-token: ${{ secrets.C11Y_MATRIX_TOKEN }}
+          cluster-id: ${{ steps.create-cluster.outputs.cluster-id }}
+
 
   validate-pr-tests:
     runs-on: ubuntu-20.04
@@ -4130,6 +4349,7 @@ jobs:
       - validate-backup-and-restore
       - validate-no-required-config
       - validate-config
+      - validate-change-channel
       # non-testim tests
       - validate-minimal-rbac
       - validate-minimal-rbac-override
@@ -4148,6 +4368,7 @@ jobs:
       - validate-replicated-sdk
       - validate-strict-preflight-checks
       - validate-get-set-config
+      - validate-custom-cas
       # cli-only tests
       - validate-kots-push-images-anonymous
     steps:

.github/workflows/image-deps-updater.yaml

@@ -87,7 +87,7 @@ jobs:
           go run ./cmd/imagedeps
 
       - name: Create Pull Request # creates a PR if there are differences
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ secrets.GH_PAT }}
@@ -111,7 +111,7 @@ jobs:
 
       - name: Slack Notification
         if: ${{ steps.cpr.outputs.pull-request-number }}
-        uses: slackapi/slack-github-action@v1.26.0
+        uses: slackapi/slack-github-action@v1.27.0
         with: 
           payload: |
             {

.github/workflows/regression.yaml

@@ -145,7 +145,7 @@ jobs:
 
   tests:
     needs: [get-workspace-name, get-workspace-expiration, jumpbox]
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     container:
       image: hashicorp/terraform:1.0.11
     env: