[Release-1.30] 2025 January Backports

.github/workflows/e2e.yaml

@@ -80,6 +80,13 @@ jobs:
           chmod +x ./dist/artifacts/k3s
           cd tests/e2e/${{ matrix.etest }}
           go test -v -timeout=45m ./${{ matrix.etest}}_test.go -ci -local
+      - name: On Failure, Upload Journald Logs
+        uses: actions/upload-artifact@v4
+        if: ${{ failure() }}
+        with:
+          name: ${{ matrix.etest}}-journald-logs
+          path: tests/e2e/${{ matrix.etest }}/*-jlog.txt
+          retention-days: 30
       - name: On Failure, Launch Debug Session
         uses: lhotari/action-upterm@v1
         if: ${{ failure() }}
@@ -121,3 +128,96 @@ jobs:
         . ./tests/docker/test-helpers
         . ./tests/docker/test-run-${{ matrix.dtest }}
         echo "Did test-run-${{ matrix.dtest }} pass $?"
+
+  build-go-tests:
+    name: "Build Go Tests"
+    runs-on: ubuntu-latest
+    outputs:
+      branch_name: ${{ steps.branch_step.outputs.BRANCH_NAME }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Install Go
+      uses: ./.github/actions/setup-go
+    - name: Build Go Tests
+      run: |
+        mkdir -p ./dist/artifacts
+        go test -c -ldflags="-w -s" -o ./dist/artifacts ./tests/docker/...
+    - name: Upload Go Tests
+      uses: actions/upload-artifact@v4
+      with:
+        name: docker-go-tests
+        path: ./dist/artifacts/*.test
+        compression-level: 9
+        retention-days: 1
+    # For upgrade and skew tests, we need to know the branch name this run is based off.
+    # Since this is predetermined, we can run this step before the docker-go job, saving time.
+    # For PRs we can use the base_ref (ie the target branch of the PR).
+    # For pushes to k3s-io/k3s, the branch_name is a valid ref, master or release-x.y.
+    # For pushes to a fork, we need to determine the branch name by finding the parent branch from git show-branch history.
+    - name: Determine branch name
+      id: branch_step
+      run: |
+        if [ ${{ github.repository }} = "k3s-io/k3s" ]; then 
+          BRANCH_NAME=$(echo ${{ github.base_ref || github.ref_name }})
+        elif [ -z "${{ github.base_ref }}" ]; then
+          # We are in a fork, and need some git history to determine the branch name
+          # For some reason, the first fetch doesn't always get the full history, so we sleep and fetch again
+          git fetch origin --depth=100 +refs/heads/*:refs/remotes/origin/*
+          sleep 5
+          git fetch origin --depth=100 +refs/heads/*:refs/remotes/origin/*
+          BRANCH_NAME=$(git show-branch -a 2> /dev/null  | grep '\*' | grep -v `git rev-parse --abbrev-ref HEAD` | head -n1 |  sed 's/.*\[\(.*\/\)\(.*\)\].*/\2/' | sed 's/[\^~].*//')
+        else
+          BRANCH_NAME=${{ github.base_ref }}
+        fi
+        echo "Branch Name is $BRANCH_NAME"
+        echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_OUTPUT
+    # branch name should be either master or release-1.XX
+    - name: Fail if branch name does not match pattern
+      run: |
+        if [[ ! ${{ steps.branch_step.outputs.branch_name }} =~ ^(master|release-[0-9]+\.[0-9]+)$ ]]; then
+          echo "Branch name ${{ steps.branch_step.outputs.branch_name }} does not match pattern"
+          echo "If this is a PR/fork, ensure you have recently rebased off master/release-1.XX branch"
+          exit 1
+        fi
+
+  docker-go:
+    needs: [build, build-go-tests]
+    name: Docker Tests In GO
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    strategy:
+      fail-fast: false
+      matrix:
+        dtest: [basics, bootstraptoken, cacerts, etcd, lazypull, skew, upgrade]
+    env:
+      BRANCH_NAME: ${{ needs.build-go-tests.outputs.branch_name }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: "Download K3s image"
+      uses: actions/download-artifact@v4
+      with:
+        name: k3s
+        path: ./dist/artifacts
+    - name: Load and set K3s image
+      run: |
+        docker image load -i ./dist/artifacts/k3s-image.tar
+        IMAGE_TAG=$(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep 'rancher/k3s')
+        echo "K3S_IMAGE=$IMAGE_TAG" >> $GITHUB_ENV
+    - name: Download Go Tests
+      uses: actions/download-artifact@v4
+      with:
+        name: docker-go-tests
+        path: ./dist/artifacts
+    - name: Run ${{ matrix.dtest }} Test
+      # Put the compied test binary back in the same place as the test source
+      run: |
+        chmod +x ./dist/artifacts/${{ matrix.dtest }}.test
+        mv ./dist/artifacts/${{ matrix.dtest }}.test ./tests/docker/${{ matrix.dtest }}/
+        cd ./tests/docker/${{ matrix.dtest }}
+        if [ ${{ matrix.dtest }} = "upgrade" ] || [ ${{ matrix.dtest }} = "skew" ]; then
+          ./${{ matrix.dtest }}.test -k3sImage=$K3S_IMAGE -branch=$BRANCH_NAME
+        else
+          ./${{ matrix.dtest }}.test -k3sImage=$K3S_IMAGE
+        fi

Dockerfile.local

@@ -1,9 +1,9 @@
 ARG GOLANG=golang:1.22.9-alpine3.19
-FROM ${GOLANG} as infra
+FROM ${GOLANG} AS infra
 
-ARG http_proxy=$http_proxy
-ARG https_proxy=$https_proxy
-ARG no_proxy=$no_proxy
+ARG http_proxy
+ARG https_proxy
+ARG no_proxy
 ENV http_proxy=$http_proxy
 ENV https_proxy=$https_proxy
 ENV no_proxy=$no_proxy
@@ -28,13 +28,13 @@ RUN if [ "$(go env GOARCH)" = "amd64" ]; then \
     fi
 
 ARG SELINUX=true
-ENV SELINUX $SELINUX
-ENV STATIC_BUILD true
+ENV SELINUX=$SELINUX
+ENV STATIC_BUILD=true
 ENV SRC_DIR=/go/src/github.com/k3s-io/k3s
 WORKDIR ${SRC_DIR}/
 
 
-FROM infra as build
+FROM infra AS build
 
 ARG SKIP_VALIDATE
 
@@ -60,7 +60,7 @@ RUN --mount=type=cache,id=gomod,target=/go/pkg/mod \
 
 RUN ./scripts/binary_size_check.sh
 
-FROM scratch as result
+FROM scratch AS result
 ENV SRC_DIR=/go/src/github.com/k3s-io/k3s
 COPY --from=build ${SRC_DIR}/dist /dist
 COPY --from=build ${SRC_DIR}/bin /bin

Dockerfile.test

@@ -1,24 +1,24 @@
 ARG GOLANG=golang:1.22.9-alpine3.20
-FROM ${GOLANG} as test-base
+FROM ${GOLANG} AS test-base
 
 RUN apk -U --no-cache add bash jq
-ENV K3S_SOURCE /go/src/github.com/k3s-io/k3s/
+ENV K3S_SOURCE=/go/src/github.com/k3s-io/k3s/
 WORKDIR ${K3S_SOURCE}
 
 COPY . ${K3S_SOURCE}
 
-FROM test-base as test-mods
+FROM test-base AS test-mods
 
 COPY ./scripts/test-mods /bin/
 ENTRYPOINT ["/bin/test-mods"]
 
-FROM test-base as test-k3s
+FROM test-base AS test-k3s
 
 RUN apk -U --no-cache add git gcc musl-dev docker curl coreutils python3 openssl py3-pip procps findutils yq pipx
 
 RUN PIPX_BIN_DIR=/usr/local/bin pipx install awscli
 
-ENV SONOBUOY_VERSION 0.57.1
+ENV SONOBUOY_VERSION=0.57.2
 
 RUN OS=linux; \
     ARCH=$(go env GOARCH); \
@@ -30,7 +30,7 @@ RUN OS=linux; \
     curl -fsL https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/${ARCH}/kubectl -o /usr/local/bin/kubectl; \
     chmod a+x /usr/local/bin/kubectl; 
 
-ENV TEST_CLEANUP true
+ENV TEST_CLEANUP=true
 
 ENTRYPOINT ["./scripts/entry.sh"]
 CMD ["test"]

go.mod

@@ -146,6 +146,7 @@ require (
 	go.etcd.io/etcd/server/v3 v3.5.16
 	go.uber.org/zap v1.27.0
 	golang.org/x/crypto v0.27.0
+	golang.org/x/mod v0.20.0
 	golang.org/x/net v0.29.0
 	golang.org/x/sync v0.8.0
 	golang.org/x/sys v0.25.0
@@ -446,7 +447,6 @@ require (
 	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/oauth2 v0.22.0 // indirect
 	golang.org/x/term v0.24.0 // indirect
 	golang.org/x/text v0.18.0 // indirect

pkg/cli/cert/cert.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"text/tabwriter"
 	"time"
 
 	"github.com/k3s-io/k3s/pkg/agent/util"
@@ -92,27 +93,60 @@ func check(app *cli.Context, cfg *cmds.Server) error {
 
 	now := time.Now()
 	warn := now.Add(time.Hour * 24 * config.CertificateRenewDays)
-
-	for service, files := range fileMap {
-		logrus.Info("Checking certificates for " + service)
-		for _, file := range files {
-			// ignore errors, as some files may not exist, or may not contain certs.
-			// Only check whatever exists and has certs.
-			certs, _ := certutil.CertsFromFile(file)
-			for _, cert := range certs {
-				if now.Before(cert.NotBefore) {
-					logrus.Errorf("%s: certificate %s is not valid before %s", file, cert.Subject, cert.NotBefore.Format(time.RFC3339))
-				} else if now.After(cert.NotAfter) {
-					logrus.Errorf("%s: certificate %s expired at %s", file, cert.Subject, cert.NotAfter.Format(time.RFC3339))
-				} else if warn.After(cert.NotAfter) {
-					logrus.Warnf("%s: certificate %s will expire within %d days at %s", file, cert.Subject, config.CertificateRenewDays, cert.NotAfter.Format(time.RFC3339))
-				} else {
-					logrus.Infof("%s: certificate %s is ok, expires at %s", file, cert.Subject, cert.NotAfter.Format(time.RFC3339))
+	outFmt := app.String("output")
+	switch outFmt {
+	case "text":
+		for service, files := range fileMap {
+			logrus.Info("Checking certificates for " + service)
+			for _, file := range files {
+				// ignore errors, as some files may not exist, or may not contain certs.
+				// Only check whatever exists and has certs.
+				certs, _ := certutil.CertsFromFile(file)
+				for _, cert := range certs {
+					if now.Before(cert.NotBefore) {
+						logrus.Errorf("%s: certificate %s is not valid before %s", file, cert.Subject, cert.NotBefore.Format(time.RFC3339))
+					} else if now.After(cert.NotAfter) {
+						logrus.Errorf("%s: certificate %s expired at %s", file, cert.Subject, cert.NotAfter.Format(time.RFC3339))
+					} else if warn.After(cert.NotAfter) {
+						logrus.Warnf("%s: certificate %s will expire within %d days at %s", file, cert.Subject, config.CertificateRenewDays, cert.NotAfter.Format(time.RFC3339))
+					} else {
+						logrus.Infof("%s: certificate %s is ok, expires at %s", file, cert.Subject, cert.NotAfter.Format(time.RFC3339))
+					}
 				}
 			}
 		}
+	case "table":
+		var tabBuffer bytes.Buffer
+		w := tabwriter.NewWriter(&tabBuffer, 0, 0, 2, ' ', 0)
+		fmt.Fprintf(w, "\n")
+		fmt.Fprintf(w, "CERTIFICATE\tSUBJECT\tSTATUS\tEXPIRES\n")
+		fmt.Fprintf(w, "-----------\t-------\t------\t-------")
+		for _, files := range fileMap {
+			for _, file := range files {
+				certs, _ := certutil.CertsFromFile(file)
+				for _, cert := range certs {
+					baseName := filepath.Base(file)
+					var status string
+					expiration := cert.NotAfter.Format(time.RFC3339)
+					if now.Before(cert.NotBefore) {
+						status = "NOT YET VALID"
+						expiration = cert.NotBefore.Format(time.RFC3339)
+					} else if now.After(cert.NotAfter) {
+						status = "EXPIRED"
+					} else if warn.After(cert.NotAfter) {
+						status = "WARNING"
+					} else {
+						status = "OK"
+					}
+					fmt.Fprintf(w, "\n%s\t%s\t%s\t%s", baseName, cert.Subject, status, expiration)
+				}
+			}
+		}
+		w.Flush()
+		fmt.Println(tabBuffer.String())
+	default:
+		return fmt.Errorf("invalid output format %s", outFmt)
 	}
-
 	return nil
 }
 

pkg/cli/cmds/certs.go

@@ -63,7 +63,11 @@ func NewCertCommands(check, rotate, rotateCA func(ctx *cli.Context) error) cli.C
 				SkipFlagParsing: false,
 				SkipArgReorder:  true,
 				Action:          check,
-				Flags:           CertRotateCommandFlags,
+				Flags: append(CertRotateCommandFlags, &cli.StringFlag{
+					Name:  "output,o",
+					Usage: "Format output. Options: text, table",
+					Value: "text",
+				}),
 			},
 			{
 				Name:            "rotate",

scripts/test

@@ -23,6 +23,10 @@ docker ps
 # Only run basic tests on non amd64 archs, we use GitHub Actions for amd64
 if [ "$ARCH" != 'amd64' ]; then
 
+  export K3S_IMAGE="rancher/k3s:${VERSION_TAG}${SUFFIX}"
+  go test ./tests/docker/basics/basics_test.go -k3sImage="$K3S_IMAGE"
+  echo "Did go test basics $?"
+
   . ./tests/docker/test-run-basics
   echo "Did test-run-basics $?"