Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package google-guest-agent for openSUSE:Factory checked in at 2022-10-21 16:20:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/google-guest-agent (Old) and /work/SRC/openSUSE:Factory/.google-guest-agent.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "google-guest-agent" Fri Oct 21 16:20:18 2022 rev:17 rq:1030399 version:20221018.00 Changes: --------
--- /work/SRC/openSUSE:Factory/google-guest-agent/google-guest-agent.changes 2022-10-11 18:05:30.506080794 +0200
+++ /work/SRC/openSUSE:Factory/.google-guest-agent.new.2275/google-guest-agent.changes 2022-10-21 16:20:26.894274193 +0200
@@ -1,0 +2,8 @@
+Fri Oct 21 11:21:06 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com>
+
+- Update to version 20221018.00
+ * Write workload cert status file (#184)
+- from version 20221017.00
+ * Update workload_cert permissions (#180)
+
+-------------------------------------------------------------------
Old: ---- guest-agent-20220927.00.tar.gz New: ---- guest-agent-20221018.00.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ google-guest-agent.spec ++++++
--- /var/tmp/diff_new_pack.vmbDcy/_old 2022-10-21 16:20:27.710275722 +0200
+++ /var/tmp/diff_new_pack.vmbDcy/_new 2022-10-21 16:20:27.710275722 +0200
@@ -24,7 +24,7 @@
 %global import_path %{provider_prefix}
 
 Name: google-guest-agent
-Version: 20220927.00
+Version: 20221018.00
 Release: 0
 Summary: Google Cloud Guest Agent
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.vmbDcy/_old 2022-10-21 16:20:27.742275782 +0200
+++ /var/tmp/diff_new_pack.vmbDcy/_new 2022-10-21 16:20:27.746275789 +0200
@@ -3,8 +3,8 @@
 <param name="url">https://github.com/GoogleCloudPlatform/guest-agent/</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="versionformat">20220927.00</param>
- <param name="revision">20220927.00</param>
+ <param name="versionformat">20221018.00</param>
+ <param name="revision">20221018.00</param>
 <param name="changesgenerate">enable</param>
 </service>
 <service name="recompress" mode="disabled">
@@ -15,7 +15,7 @@ <param name="basename">guest-agent</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">guest-agent-20220927.00.tar.gz</param> + <param name="archive">guest-agent-20221018.00.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.vmbDcy/_old 2022-10-21 16:20:27.762275819 +0200 +++ /var/tmp/diff_new_pack.vmbDcy/_new 2022-10-21 16:20:27.766275828 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/GoogleCloudPlatform/guest-agent/</param> - <param name="changesrevision">1036d38c4ea039b6cd9683c5c9c235c59d08b102</param></service></servicedata> + <param name="changesrevision">5dd01096fddd83d2ea4401fea078f343f8e26708</param></service></servicedata> (No newline at EOF) ++++++ guest-agent-20220927.00.tar.gz -> guest-agent-20221018.00.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/guest-agent-20220927.00/gce_workload_cert_refresh/main.go new/guest-agent-20221018.00/gce_workload_cert_refresh/main.go --- old/guest-agent-20220927.00/gce_workload_cert_refresh/main.go 2022-09-27 23:29:08.000000000 +0200 +++ new/guest-agent-20221018.00/gce_workload_cert_refresh/main.go 2022-10-19 00:34:58.000000000 +0200 @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -// GoogleAuthorizedKeys obtains SSH keys from metadata. +// gce_workload_cert_refresh downloads and rotates workload certificates for GCE VMs. package main import ( @@ -91,7 +91,7 @@ { "status": "OK", "workloadCredentials": { - "PROJECT.svc.id.goog": { + "PROJECT_ID.svc.id.goog": { "metadata": { "workload_creds_dir_path": "/var/run/secrets/workload-spiffe-credentials" }, 
@@ -236,19 +236,42 @@
 return fmt.Errorf("Error getting project ID: %v", err)
 }
 
- wisMd, err := getMetadata("instance/workload-identities")
+ // Get status first so it can be written even when other endpoints are empty.
+ certConfigStatus, err := getMetadata("instance/workload-certificates-config-status")
 if err != nil {
- logger.Infof("No workload identities found: %v", err)
+ // Return success when certs are not configured to avoid unnecessary systemd failed units.
+ logger.Infof("Error getting config status, workload certificates may not be configured: %v", err)
 return nil
 }
 
- wtrcsMd, err := getMetadata("instance/workload-trusted-root-certs")
+ domain := fmt.Sprintf("%s.svc.id.goog", project)
+ logger.Infof("Rotating workload credentials for trust domain %s", domain)
+
+ now := time.Now().Format(time.RFC3339)
+ contentDir := fmt.Sprintf("%s-%s", contentDirPrefix, now)
+ tempSymlink := fmt.Sprintf("%s-%s", tempSymlinkPrefix, now)
+
+ logger.Infof("Creating timestamp contents dir %s", contentDir)
+
+ if err := os.MkdirAll(contentDir, 0755); err != nil {
+ return fmt.Errorf("Error creating contents dir: %v", err)
+ }
+
+ // Write config_status first even if remaining endpoints are empty.
+ if err := os.WriteFile(fmt.Sprintf("%s/config_status", contentDir), certConfigStatus, 0644); err != nil {
+ return fmt.Errorf("Error writing config_status: %v", err)
+ }
+
+ // Now get the rest of the content.
+ wisMd, err := getMetadata("instance/workload-identities")
 if err != nil {
 return fmt.Errorf("Error getting workload-identities: %v", err)
 }
 
- domain := fmt.Sprintf("%s.svc.id.goog", project)
- logger.Infof("Rotating workload credentials for domain %s", domain)
+ wtrcsMd, err := getMetadata("instance/workload-trusted-root-certs")
+ if err != nil {
+ return fmt.Errorf("Error getting workload-trusted-root-certs: %v", err)
+ }
 
 wis := WorkloadIdentities{}
 if err := json.Unmarshal(wisMd, &wis); err != nil {
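Review bot: The new early return after the `instance/workload-certificates-config-status` fetch treats every getMetadata failure, including a metadata-server timeout or transport error, as "certificates not configured" and exits successfully with only an info-level log, so a rotation that has silently stopped working is indistinguishable from a VM that never had workload certificates. If getMetadata lets the caller tell a not-found response from other failures, return nil only for that case and otherwise `return fmt.Errorf("Error getting config status: %v", err)` so the unit fails and the condition is visible to monitoring; at minimum log the swallowed error at warning level. A smaller point in the same hunk: `contentDir` and `tempSymlink` are keyed on `time.RFC3339`, which has one-second resolution, and `os.MkdirAll` succeeds on an existing directory, so two runs within the same second would share and overwrite one contents directory. The enclosing function starts and ends outside the hunk.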
@@ -260,25 +283,15 @@
 return fmt.Errorf("Error unmarshaling workload trusted root certs: %v", err)
 }
 
- now := time.Now().Format(time.RFC3339)
- contentDir := fmt.Sprintf("%s-%s", contentDirPrefix, now)
- tempSymlink := fmt.Sprintf("%s-%s", tempSymlinkPrefix, now)
-
- logger.Infof("Creating timestamp contents dir %s", contentDir)
-
- if err := os.MkdirAll(contentDir, 0750); err != nil {
- return fmt.Errorf("Error creating contents dir: %v", err)
- }
-
- if err := os.WriteFile(fmt.Sprintf("%s/certificates.pem", contentDir), []byte(wis.WorkloadCredentials[domain].CertificatePem), 0666); err != nil {
+ if err := os.WriteFile(fmt.Sprintf("%s/certificates.pem", contentDir), []byte(wis.WorkloadCredentials[domain].CertificatePem), 0644); err != nil {
 return fmt.Errorf("Error writing certificates.pem: %v", err)
 }
 
- if err := os.WriteFile(fmt.Sprintf("%s/private_key.pem", contentDir), []byte(wis.WorkloadCredentials[domain].PrivateKeyPem), 0666); err != nil {
+ if err := os.WriteFile(fmt.Sprintf("%s/private_key.pem", contentDir), []byte(wis.WorkloadCredentials[domain].PrivateKeyPem), 0644); err != nil {
 return fmt.Errorf("Error writing private_key.pem: %v", err)
 }
 
- if err := os.WriteFile(fmt.Sprintf("%s/ca_certificates.pem", contentDir), []byte(wtrcs.RootCertificates[domain].RootCertificatesPem), 0666); err != nil {
+ if err := os.WriteFile(fmt.Sprintf("%s/ca_certificates.pem", contentDir), []byte(wtrcs.RootCertificates[domain].RootCertificatesPem), 0644); err != nil {
 return fmt.Errorf("Error writing ca_certificates.pem: %v", err)
 }
 
@@ -292,6 +305,7 @@
 oldTarget = ""
 }
 
+ // Only rotate on success of all steps above.
 logger.Infof("Rotating symlink %s", symlink)
 if err := os.Rename(tempSymlink, symlink); err != nil {
++++++ vendor.tar.gz ++++++
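Review bot: `private_key.pem` is written with mode 0644 (and, in the previous hunk, `contentDir` is now created 0755 instead of 0750), so the workload's private key is readable by every local account rather than only the process it identifies; moving from 0666 to 0644 removes the write bit but not the disclosure. Unless the credentials directory is meant to be usable by any local process, write the key with `0600` (or `0640` with the directory group-owned by the workload's group) and keep `0644` for `certificates.pem` and `ca_certificates.pem`, which are public material. Note that os.WriteFile applies the mode only when it creates the file and leaves an existing file's permissions untouched, so a reused `contentDir` keeps whatever mode an earlier run set. The enclosing function starts and ends outside the hunk.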