Automated repo sync 20230808

Fix typo in .travis.yml (release 1.28) (#3606)
Update vpcctl release to v0.18.0 (release-1.28) (#3601)
Update CCM to support custom endpoints (release 1.28) (#3594)
CVE-2023-3978 - golang.org/x/net v0.13.0 (release 1.28) (#3595)

.travis.yml

@@ -98,6 +98,6 @@ deploy:
     script: ./scripts/publishTag.sh
     skip_cleanup: true
     on:
-      branch: release-1.27
+      branch: release-1.28
       go: 1.20.6
       condition: ${TRAVIS_COMMIT_MESSAGE} =~ push_build && ${BUILD_JOB_NAME} == Default

addons/vpcctl.yml

@@ -21,7 +21,7 @@
 source: github.ibm.com/alchemy-containers/armada-vpc-lb
 
 # (Required) - git release or branch name in the source github repo
-release: v0.17.0
+release: v0.18.0
 
 # (Required) - source directory in the github repo containing GO files
 source_dir: pkg/vpcctl

go.mod

@@ -95,7 +95,7 @@ require (
 	go.uber.org/zap v1.19.0 // indirect
 	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/net v0.13.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
 	golang.org/x/sync v0.2.0 // indirect
 	golang.org/x/sys v0.10.0 // indirect

go.sum

@@ -442,8 +442,8 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY=
+golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

ibm/ibm.go

@@ -102,6 +102,12 @@ type Provider struct {
 	// List of VPC subnet names. Required when configured to get node
 	// data from VPC.
 	G2VpcSubnetNames string `gcfg:"g2VpcSubnetNames"`
+	// Optional: VPC RIaaS endpoint override URL
+	G2EndpointOverride string `gcfg:"g2EndpointOverride"`
+	// Optional: IAM endpoint override URL
+	IamEndpointOverride string `gcfg:"iamEndpointOverride"`
+	// Optional: Resource Manager endpoint override URL
+	RmEndpointOverride string `gcfg:"rmEndpointOverride"`
 }
 
 // CloudConfig is the ibm cloud provider config data.

ibm/ibm_loadbalancer.go

@@ -84,7 +84,6 @@ const (
 	lbPriorityClassName                 = "ibm-app-cluster-critical"
 	clusterInfoCM                       = "cluster-info"
 	lbIPVSInvlaidExternalTrafficPolicy  = "Cluster networking is not supported for IPVS-based load balancers. Set 'externalTrafficPolicy' to 'Local', and try again."
-	lbVpcClassicProvider                = "gc"
 	lbVpcNextGenProvider                = "g2"
 	updateCooldownPeriod                = 60
 )
@@ -2330,10 +2329,7 @@ func isFeatureEnabledDeployment(lbDeployment *apps.Deployment, feature string) b
 }
 
 func isProviderVpc(provider string) bool {
-	if provider == lbVpcClassicProvider || provider == lbVpcNextGenProvider {
-		return true
-	}
-	return false
+	return provider == lbVpcNextGenProvider
 }
 
 func getSchedulingAlgorithm(service *v1.Service) string {

ibm/ibm_test.go

@@ -239,6 +239,9 @@ func TestGetCloudConfig(t *testing.T) {
 	}
 	// Build off previous expected configuration with select overrides.
 	ecc.Kubernetes.ConfigFilePaths = nil
+	ecc.Prov.G2EndpointOverride = "https://us-south.iaas.cloud.ibm.com"
+	ecc.Prov.IamEndpointOverride = "https://iam.cloud.ibm.com"
+	ecc.Prov.RmEndpointOverride = "https://resource-controller.cloud.ibm.com"
 	verifyCloudConfig(t, cc, &ecc)
 
 	// Verify nil cloud config.

ibm/ibm_vpc_client.go

@@ -1,6 +1,6 @@
 /*******************************************************************************
 * IBM Cloud Kubernetes Service, 5737-D43
-* (C) Copyright IBM Corp. 2021, 2022 All Rights Reserved.
+* (C) Copyright IBM Corp. 2021, 2023 All Rights Reserved.
 *
 * SPDX-License-Identifier: Apache2.0
 *
@@ -54,6 +54,11 @@ var newVpcSdkClient = func(provider Provider) (*vpcv1.VpcV1, error) {
 		ApiKey: credential, // pragma: allowlist secret
 	}
 
+	// If the IAM endpoint override was specified in the config, update the URL
+	if provider.IamEndpointOverride != "" {
+		authenticator.URL = provider.IamEndpointOverride
+	}
+
 	// Virtual Private Cloud (VPC) API
 	sdk, err := vpcv1.NewVpcV1(&vpcv1.VpcV1Options{
 		Authenticator: authenticator,
@@ -62,16 +67,26 @@ var newVpcSdkClient = func(provider Provider) (*vpcv1.VpcV1, error) {
 		return nil, err
 	}
 
-	// Get Region and Set Service URL
-	region, _, err := sdk.GetRegion(sdk.NewGetRegionOptions(provider.Region))
-	if err != nil {
-		return nil, err
-	}
-
-	// Set the Service URL
-	err = sdk.SetServiceURL(*region.Endpoint + "/v1")
-	if err != nil {
-		return nil, err
+	// If the VPC RIaaS endpoint override was specified in the config, update the URL
+	if provider.G2EndpointOverride != "" {
+		// Set the Service URL
+		err = sdk.SetServiceURL(provider.G2EndpointOverride + "/v1")
+		if err != nil {
+			return nil, err
+		}
+
+	} else {
+		// Get Region and Set Service URL
+		region, _, err := sdk.GetRegion(sdk.NewGetRegionOptions(provider.Region))
+		if err != nil {
+			return nil, err
+		}
+
+		// Set the Service URL
+		err = sdk.SetServiceURL(*region.Endpoint + "/v1")
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	return sdk, nil

ibm/ibm_vpc_cloud.go

@@ -82,15 +82,18 @@ func (c *Cloud) NewConfigVpc(enablePrivateEndpoint bool) (*vpcctl.ConfigVpc, err
 	}
 	// Initialize config based on values in the cloud provider
 	config := &vpcctl.ConfigVpc{
-		AccountID:         c.Config.Prov.AccountID,
-		ClusterID:         c.Config.Prov.ClusterID,
-		EnablePrivate:     enablePrivateEndpoint,
-		ProviderType:      c.Config.Prov.ProviderType,
-		Region:            c.Config.Prov.Region,
-		ResourceGroupName: c.Config.Prov.G2ResourceGroupName,
-		SubnetNames:       c.Config.Prov.G2VpcSubnetNames,
-		WorkerAccountID:   c.Config.Prov.G2WorkerServiceAccountID,
-		VpcName:           c.Config.Prov.G2VpcName,
+		AccountID:           c.Config.Prov.AccountID,
+		ClusterID:           c.Config.Prov.ClusterID,
+		EnablePrivate:       enablePrivateEndpoint,
+		IamEndpointOverride: c.Config.Prov.IamEndpointOverride,
+		ProviderType:        c.Config.Prov.ProviderType,
+		Region:              c.Config.Prov.Region,
+		ResourceGroupName:   c.Config.Prov.G2ResourceGroupName,
+		RmEndpointOverride:  c.Config.Prov.RmEndpointOverride,
+		SubnetNames:         c.Config.Prov.G2VpcSubnetNames,
+		WorkerAccountID:     c.Config.Prov.G2WorkerServiceAccountID,
+		VpcName:             c.Config.Prov.G2VpcName,
+		VpcEndpointOverride: c.Config.Prov.G2EndpointOverride,
 	}
 	// If the G2Credentials is set, then look up the API key
 	if c.Config.Prov.G2Credentials != "" {

pkg/vpcctl/vpc_config.go

@@ -86,16 +86,19 @@ func SetInformers(informerFactory informers.SharedInformerFactory) {
 // ConfigVpc is the VPC configuration information
 type ConfigVpc struct {
 	// Externalized config settings from caller
-	AccountID         string
-	APIKeySecret      string
-	ClusterID         string
-	EnablePrivate     bool
-	ProviderType      string
-	Region            string
-	ResourceGroupName string
-	SubnetNames       string
-	WorkerAccountID   string // Not used, ignored
-	VpcName           string
+	AccountID           string
+	APIKeySecret        string
+	ClusterID           string
+	EnablePrivate       bool
+	IamEndpointOverride string
+	ProviderType        string
+	Region              string
+	ResourceGroupName   string
+	RmEndpointOverride  string
+	SubnetNames         string
+	WorkerAccountID     string // Not used, ignored
+	VpcName             string
+	VpcEndpointOverride string
 	// Internal config settings
 	endpointURL      string
 	resourceGroupID  string
@@ -104,6 +107,10 @@ type ConfigVpc struct {
 
 // getIamEndpoint - retrieve the correct IAM endpoint for the current config
 func (c *ConfigVpc) getIamEndpoint() string {
+	// If iam endpoint override was configured, use it instead
+	if c.IamEndpointOverride != "" {
+		return c.IamEndpointOverride
+	}
 	if strings.Contains(c.Region, "stage") {
 		if c.EnablePrivate {
 			return iamStagePrivateTokenExchangeURL
@@ -118,6 +125,10 @@ func (c *ConfigVpc) getIamEndpoint() string {
 
 // getVpcEndpoint - retrieve the correct VPC endpoint for the current config
 func (c *ConfigVpc) getVpcEndpoint() string {
+	// If vpc endpoint override was configured, use it instead
+	if c.VpcEndpointOverride != "" {
+		return c.VpcEndpointOverride
+	}
 	endpoint := vpcEndpointIaaSProdURL
 	if strings.Contains(c.Region, "stage") {
 		endpoint = vpcEndpointIaaSStageURL

pkg/vpcctl/vpc_sdk_gen2.go

@@ -1,6 +1,6 @@
 /*******************************************************************************
 * IBM Cloud Kubernetes Service, 5737-D43
-* (C) Copyright IBM Corp. 2021, 2022 All Rights Reserved.
+* (C) Copyright IBM Corp. 2021, 2023 All Rights Reserved.
 *
 * SPDX-License-Identifier: Apache2.0
 *
@@ -71,6 +71,10 @@ func convertResourceGroupNameToID(c *ConfigVpc) error {
 	if strings.Contains(c.endpointURL, "iaasdev.cloud.ibm.com") {
 		url = "https://resource-controller.test.cloud.ibm.com"
 	}
+	// If resource manager endpoint override was configured, use it instead
+	if c.RmEndpointOverride != "" {
+		url = c.RmEndpointOverride
+	}
 	// Create resource manager client
 	authenticator := &core.IamAuthenticator{ApiKey: c.APIKeySecret, URL: c.tokenExchangeURL}
 	client, err := resourcemanagerv2.NewResourceManagerV2(&resourcemanagerv2.ResourceManagerV2Options{URL: url, Authenticator: authenticator})

test-fixtures/ibm-cloud-config-ccm-in-cluster.ini

@@ -1,6 +1,6 @@
 # ******************************************************************************
 # IBM Cloud Kubernetes Service, 5737-D43
-# (C) Copyright IBM Corp. 2021 All Rights Reserved.
+# (C) Copyright IBM Corp. 2021, 2023 All Rights Reserved.
 #
 # SPDX-License-Identifier: Apache2.0
 #
@@ -23,3 +23,6 @@ cluster-default-provider = g2
 accountID = testAccountID
 clusterID = testClusterID
 g2workerServiceAccountID = testServiceAccountID
+g2EndpointOverride = https://us-south.iaas.cloud.ibm.com
+iamEndpointOverride = https://iam.cloud.ibm.com
+rmEndpointOverride = https://resource-controller.cloud.ibm.com