Repolinter Report

🤖This issue was automatically generated by repolinter-action, developed by the Open Source and Developer Advocacy team at New Relic. This issue will be automatically updated or closed when changes are pushed. If you have any problems with this tool, please feel free to open a GitHub issue or give us a ping in #help-opensource.

This Repolinter run generated the following results:

• Fail
  • ❌ readme-starts-with-community-plus-header
  • ❌ readme-contains-link-to-security-policy
  • ❌ code-of-conduct-should-not-exist-here
• Warning
  • ⚠️ third-party-notices-file-exists
• Passed
  • ✅ license-file-exists
  • ✅ readme-file-exists
  • ✅ readme-contains-discuss-topic

Fail #

❌ readme-starts-with-community-plus-header #

The README of a community plus project should have a community plus header at the start of the README. If you already have a community plus header and this rule is failing, your header may be out of date, and you should update your header with the suggested one below. For more information please visit https://opensource.newrelic.com/oss-category/. Below is a list of files or patterns that failed:

• README.md: The first 5 lines do not contain the pattern(s): Open source Community Plus header (see https://opensource.newrelic.com/oss-category).
  • 🔨 Suggested Fix: prepend [![Community Plus header](https://github.com/newrelic/opensource-website/raw/master/src/images/categories/Community_Plus.png)](https://opensource.newrelic.com/oss-category/#community-plus) to file

❌ readme-contains-link-to-security-policy #

Doesn't contain a link to the security policy for this repository (README.md). New Relic recommends putting a link to the open source security policy for your project (https://github.com/newrelic/<repo-name>/security/policy or ../../security/policy) in the README. For an example of this, please see the "a note about vulnerabilities" section of the Open By Default repository. For more information please visit https://nerdlife.datanerd.us/new-relic/security-guidelines-for-publishing-source-code.

❌ code-of-conduct-should-not-exist-here #

New Relic has moved the CODE_OF_CONDUCT file to a centralized location where it is referenced automatically by every repository in the New Relic organization. Because of this change, any other CODE_OF_CONDUCT file in a repository is now redundant and should be removed. Note that you will need to adjust any links to the local CODE_OF_CONDUCT file in your documentation to point to the central file (README and CONTRIBUTING will probably have links that need updating). For more information please visit https://docs.google.com/document/d/1y644Pwi82kasNP5VPVjDV8rsmkBKclQVHFkz8pwRUtE/view. Found files. Below is a list of files or patterns that failed:

• CODE_OF_CONDUCT.md
  • 🔨 Suggested Fix: Remove file

Warning #

Passed #

Description

When running this image in a 1.19 KIND cluster the kubectl get csr step fails because the version of kubectl is too old.

Expected Behavior

The docker images should work in 1.19

Troubleshooting or NR Diag results

Steps to Reproduce

Running version 1.3.0 of the docker image in a KIND 1.19 cluster.

Your Environment

KIND 1.19

Additional context

Updating to a newer version of kubectl that supporter certificates.k8s.io/v1 or fully qualifying the kubectl get should fix this issue. kubectl get certificatesigningrequests.v1beta1.certificates.k8s.io

https://fsi-build.pdx.vm.datanerd.us/view/k8s-metadata/job/k8s-webhook-cert-manager-r
elease/

Notice that:

• The release in the job options directly in jenkins
• The tests are performed in a minikube spin up in Travis

We should make sure we follow a common pattern:
PR/Merge -> Run tests/build using a makefile
Create Tag -> Push release

Description

newrelic-bundle-nri-metadata-injection-job failed to locate certificate approved.

Expected Behavior

Certificate approved.
./generate_certificate.sh script able to find approved certificate

Troubleshooting or NR Diag results

container log:

kubectl command

kubectl command

{
"apiVersion": "certificates.k8s.io/v1beta1",
"kind": "CertificateSigningRequest",
"metadata": {
"creationTimestamp": "2021-02-12T12:26:03Z"

 deleted  

}
"status": {
    "conditions": [
        {
            "lastTransitionTime": "2021-02-12T12:26:03Z",
            "lastUpdateTime": "2021-02-12T12:26:03Z",
            "message": "This CSR was approved by kubectl certificate approve.",
            "reason": "KubectlApprove",
            "status": "True",
            "type": "Approved"
        }
    ]
}

}

script failed to find approved certificate

kubectl command

kubectl command

kubectl command

kubectl get certificatesigningrequests.v1beta1.certificates.k8s.io/nri-bundle-nri-metadata-injection.master -o 'jsonpath={.status.conditions[0].status}'
True

Steps to Reproduce

helm repo add newrelic https://helm-charts.newrelic.com

helm install newrelic-bundle newrelic/nri-bundle
--set global.licenseKey=LICENCE_KEY
--set global.cluster=mycluster
--namespace=master
--set newrelic-infrastructure.privileged=true
--set ksm.enabled=true
--set kubeEvents.enabled=true
--set logging.enabled=true

Your Environment

Rancher 2.5.5
v1.19.7
Red Hat Enterprise Linux Server 7.9
docker 1.13.1

Additional context

When newrelic/helm-charts#334 gets merged, this repo will no longer be used and will be marked read-only.

No bugfixes or other support will be offered for this software.

I run the cert gen script on my laptop (Mac OS) and got the following errors:

creating certs in tmpdir /var/folders/6b/wmx7z7bs7sx3r7tx_rt9z6cc0000gp/T/tmp.Y6seDAGr 
Generating RSA private key, 2048 bit long modulus
.........+++
..................................+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io "k8sbot-webhook-service.k8sbot-system" deleted
WARN: Previous CSR was found and removed.
certificatesigningrequest.certificates.k8s.io/k8sbot-webhook-service.k8sbot-system created
NAME                                   AGE   SIGNERNAME                     REQUESTOR          CONDITION
k8sbot-webhook-service.k8sbot-system   0s    kubernetes.io/legacy-unknown   kubernetes-admin   Pending
certificatesigningrequest.certificates.k8s.io/k8sbot-webhook-service.k8sbot-system approved
secret/k8sbot-webhook-server-cert configured
./webhook_cert_gen.sh: line 166: /run/secrets/kubernetes.io/serviceaccount/ca.crt: No such file or directory
INFO: Trying to patch webhook adding the caBundle.
mutatingwebhookconfiguration.admissionregistration.k8s.io/k8sbot-mutating-webhook-configuration patched (no change)

Description

When deploying on openshift 4.x the metadata injector doesn't work as expected.
The root cause of the issue seems to be the certificate generation.

We are seeing checking the logs of the nri-bundle-nri-metadata-injection:

2020/10/16 09:45:12 http: TLS handshake error from 10.131.0.29:37428: remote error: tls: unknown certificate authority
2020/10/16 09:53:39 http: TLS handshake error from 10.129.0.1:49314: remote error: tls: bad certificate

We checked the certificate with the CA provided by MutatingWebhookConfiguration and in a random minikube is valid in openshift it is not.

That CA is added by our script, that takes it from /run/secrets/kubernetes.io/serviceaccount/ca.crt, but the certificated generated and placed into nri-bundle-nri-metadata-injection is signed by a different CA

For older version of openshift (3.x) there is a Guide to follow in order to set it up properly, but it does not apply for 4.x

Expected Behavior

The Metadata injection should work properly

Steps to Reproduce

In an openshift 4.x cluster install nri-bundle