- reverts changes to runlocal-rp
- updates old run-portal to runlocal-portal since it uses local bins
- adds new targets for containerized run of RP and Portal; opt-in
- fixes docs and pipelines to use updated targets
* Clarifying etcd cert renew test
- Updated the test to make it clear it is passing because timeout is being reached
- Updated the timeout from 10s -> 0s to pass faster
* Fix slow changefeed tests
* This is the new CI-RP stage for the pipeline (#3753)
* Ensure Podman Service is Started and PODMAN_REMOTE_ARGS is Configured Automatically
removed the tag
Add Podman service start and remote args setup for seamless operation
Add sudo to start Podman service for elevated permissions and fix permission errors
Refactor Makefile: Update Podman service handling with sudo and remove default PODMAN_REMOTE_ARGS to improve flexibility and ensure proper permissions.
* Added Podman service target and set PODMAN_REMOTE_ARGS for seamless builds.
* fix the makefile
* added the port to fix the Makefile
* Update RP and Gateway vmss OS image to cbl-mariner-2-gen2 with Manually Configured FIPS Mode
System Changes:
Remove lvm disk resize, Mariner does not use lvm, the disk is automatically grown to the full size specified.
Remove semanage, Mariner Linux does not have selinux configured.
Remove gateway log rotation config
Log rotation for the podman level driver log was not the correct
approach. The podman log driver is now journald, so all logs will be
shipped to journald rather than a ctr.log file.
FIPS mode is manually configured following the example code at https://eng.ms/docs/products/azure-linux/features/security/fips
SKU cbl-mariner-2-gen2-fips does not support Automatic OS Updates, therefore we are switching to cbl-mariner-2-gen2 and manually configuring FIPS mode, to allow for Automatic OS Updates.
Script Changes:
Restructure VMSS bootstrap bash scripts for increased reliability and easier debugging
Move all shared code into a commonly shared file to be sourced by all
bootstrapping scripts. This allows for code reuse and minimal duplication.
Fix mdm mdsd certificate download script
During mdm and mdsd setup, I've added wait steps for the download
scripts to complete getting certificates. Without this, the download
scripts run in a subshell and fixing up the certificates fails.
Add firewalld configuration, required for podman networking
Add podman aro network creation to isolate RP containers from possible
interaction on the default podman network.
Package Changes:
Install Azure Security Monitor via VMSS Extension
Remove RHUI and Microsoft repo configuration, add Mariner Extended repo config
Increase rpm retry time to 30 minutes total, retrying every 30 seconds.
* Embed scripts as strings rather than []byte
This is to reduce the amount of type conversions needed.
- Allows true use of NO_CACHE by using LABELs and podman tag commands instead of --cache-from
- Standardizes formatting of image names and variables
- Standardizes use of VERSION for image tags
- Standardizes formatting of podman commands and parameter ordering
* Add unit tests for existing frontend version validation
* Use semver package to validate versions in frontend instead of regex
This allows providing prerelease versions or version strings
containing metadata.
* Ensure disableUpdates does not propagate metadata in version string to clusterversion resource
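The two commits above describe accepting full semantic versions (prerelease and build metadata included) while keeping build metadata out of the version written to the clusterversion resource. The following is an added example, not code from the ARO-RP repository: it uses a small hand-written parser in place of the semver package the commit refers to so that it builds with the Go standard library alone, and all type, field and function names in it are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Version is a minimal SemVer 2.0.0 value. It stands in for the semver
// library the commit refers to (assumption: names here are the example's own).
type Version struct {
	Major, Minor, Patch uint64
	Prerelease          string // identifiers after '-', empty if none
	Metadata            string // identifiers after '+', empty if none
}

var ErrInvalidVersion = errors.New("invalid semantic version")

// validIdentifiers checks a dot-separated prerelease or metadata string:
// every segment is non-empty and limited to [0-9A-Za-z-].
func validIdentifiers(s string) bool {
	if s == "" {
		return false
	}
	for _, seg := range strings.Split(s, ".") {
		if seg == "" {
			return false
		}
		for _, r := range seg {
			alnum := (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
			if !alnum && r != '-' {
				return false
			}
		}
	}
	return true
}

// ParseVersion accepts MAJOR.MINOR.PATCH with optional -PRERELEASE and
// +METADATA, inputs a regex of the form \d+\.\d+\.\d+ would have rejected.
func ParseVersion(s string) (Version, error) {
	var v Version
	core := s
	// Metadata comes last, so split on '+' before '-': a prerelease such
	// as "rc-1" legitimately contains a hyphen.
	if i := strings.IndexByte(core, '+'); i >= 0 {
		v.Metadata, core = core[i+1:], core[:i]
		if !validIdentifiers(v.Metadata) {
			return Version{}, ErrInvalidVersion
		}
	}
	if i := strings.IndexByte(core, '-'); i >= 0 {
		v.Prerelease, core = core[i+1:], core[:i]
		if !validIdentifiers(v.Prerelease) {
			return Version{}, ErrInvalidVersion
		}
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return Version{}, ErrInvalidVersion
	}
	var nums [3]uint64
	for i, p := range parts {
		// Numeric identifiers: digits only, no leading zero.
		if p == "" || (len(p) > 1 && p[0] == '0') {
			return Version{}, ErrInvalidVersion
		}
		n, err := strconv.ParseUint(p, 10, 64)
		if err != nil {
			return Version{}, ErrInvalidVersion
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// String renders the full version including prerelease and metadata.
func (v Version) String() string {
	s := fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch)
	if v.Prerelease != "" {
		s += "-" + v.Prerelease
	}
	if v.Metadata != "" {
		s += "+" + v.Metadata
	}
	return s
}

// WithoutMetadata is the form to write to the clusterversion resource: the
// prerelease tag identifies a distinct release and is kept, while build
// metadata plays no part in precedence and is dropped.
func (v Version) WithoutMetadata() string {
	return Version{Major: v.Major, Minor: v.Minor, Patch: v.Patch, Prerelease: v.Prerelease}.String()
}

func main() {
	for _, in := range []string{"4.14.5", "4.14.5-rc.1+build.7", "4.14", "4.14.05"} {
		if v, err := ParseVersion(in); err != nil {
			fmt.Printf("%-22s rejected: %v\n", in, err)
		} else {
			fmt.Printf("%-22s clusterversion gets %s\n", in, v.WithoutMetadata())
		}
	}
}
```

Validate once at the API boundary with ParseVersion, then derive the clusterversion value with WithoutMetadata, so a request such as 4.14.5-rc.1+build.7 is accepted but the resource records 4.14.5-rc.1.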
* Exclude platform identities from permissions denial
Add platform workload identities to the list of service principals
excluded from the permissions denial so that those identities can manage
Azure resources in the cluster's resource group
* improve testing of deny assignment generation
This confirms that ExcludePrincipals are generated correctly for the
deny assignment based on the presence of a ServicePrincipalProfile or a
PlatformWorkloadIdentityProfile
* Use the UsesWorkloadIdentity() helper function instead of a bespoke check
* check empty ObjectID/SPObjectID values separately
* prevent nil pointer dereference for missing ServicePrincipalProfile
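The last six commits together describe how the deny assignment's ExcludePrincipals list is built: platform workload identities or the cluster service principal are exempted depending on which profile is present, empty ObjectID/SPObjectID values are checked individually, and a missing ServicePrincipalProfile must not be dereferenced. The following is an added example and not the ARO-RP code: the struct types are simplified stand-ins named after the fields the commits mention (the real types carry many more fields), the object IDs in main are constructed, and the list of always-excluded principals is left to the caller.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified stand-ins for the cluster document fields named in the
// commits (assumption: the real ARO-RP types differ in detail).
type ServicePrincipalProfile struct {
	ClientID   string
	SPObjectID string
}

type PlatformWorkloadIdentity struct {
	ResourceID string
	ObjectID   string
}

type PlatformWorkloadIdentityProfile struct {
	PlatformWorkloadIdentities map[string]PlatformWorkloadIdentity
}

type OpenShiftClusterProperties struct {
	ServicePrincipalProfile         *ServicePrincipalProfile
	PlatformWorkloadIdentityProfile *PlatformWorkloadIdentityProfile
}

// UsesWorkloadIdentity mirrors the helper the commit switches to: the
// cluster is workload-identity based when it carries the profile.
func (p *OpenShiftClusterProperties) UsesWorkloadIdentity() bool {
	return p.PlatformWorkloadIdentityProfile != nil
}

// ExcludePrincipals builds the deny assignment's ExcludePrincipals list for
// the cluster resource group: the principals the caller always exempts
// (for instance the RP's own identity) followed by the identities that
// manage Azure resources on the cluster's behalf. A nil
// ServicePrincipalProfile is tolerated rather than dereferenced, and empty
// ObjectID/SPObjectID values are dropped one by one so that a blank
// principal never reaches the ARM template.
func ExcludePrincipals(p *OpenShiftClusterProperties, always []string) []string {
	out := make([]string, 0, len(always)+1)
	for _, id := range always {
		if id != "" {
			out = append(out, id)
		}
	}
	switch {
	case p.UsesWorkloadIdentity():
		ids := p.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities
		// Sort by identity name so repeated deployments yield identical templates.
		names := make([]string, 0, len(ids))
		for name := range ids {
			names = append(names, name)
		}
		sort.Strings(names)
		for _, name := range names {
			if id := ids[name].ObjectID; id != "" {
				out = append(out, id)
			}
		}
	case p.ServicePrincipalProfile != nil && p.ServicePrincipalProfile.SPObjectID != "":
		out = append(out, p.ServicePrincipalProfile.SPObjectID)
	}
	return out
}

func main() {
	// Constructed IDs; not taken from any real deployment.
	rp := []string{"00000000-0000-0000-0000-00000000aaaa"}
	wi := &OpenShiftClusterProperties{PlatformWorkloadIdentityProfile: &PlatformWorkloadIdentityProfile{
		PlatformWorkloadIdentities: map[string]PlatformWorkloadIdentity{
			"cloud-controller": {ObjectID: "11111111-1111-1111-1111-111111111111"},
			"ingress":          {ObjectID: "22222222-2222-2222-2222-222222222222"},
			"pending":          {ObjectID: ""}, // not yet assigned: skipped, not emitted blank
		},
	}}
	fmt.Println("workload identity:", ExcludePrincipals(wi, rp))
	sp := &OpenShiftClusterProperties{ServicePrincipalProfile: &ServicePrincipalProfile{SPObjectID: "33333333-3333-3333-3333-333333333333"}}
	fmt.Println("service principal:", ExcludePrincipals(sp, rp))
	fmt.Println("no profile at all:", ExcludePrincipals(&OpenShiftClusterProperties{}, rp))
}
```

The table-driven shape of the unit test the commit describes falls out of this directly: one case per profile combination (workload identity, service principal, neither, and profiles present but with empty IDs), each asserting on the exact list returned.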