preserve license on automated airgap installs (#5275)

Author: sgalsaleh

cmd/kots/cli/install.go

@@ -108,7 +108,7 @@ func InstallCmd() *cobra.Command {
 				}
 			}
 
-			license, err := getLicense(v)
+			license, licenseData, err := getLicense(v)
 			if err != nil {
 				return errors.Wrap(err, "failed to get license")
 			}
@@ -306,6 +306,7 @@ func InstallCmd() *cobra.Command {
 				ApplicationMetadata:    applicationMetadata.Manifest,
 				UpstreamURI:            upstream,
 				License:                license,
+				LicenseData:            licenseData,
 				ConfigValues:           configValues,
 				Airgap:                 isAirgap,
 				ProgressWriter:         os.Stdout,
@@ -843,17 +844,22 @@ func getRegistryConfig(v *viper.Viper, clientset kubernetes.Interface, appSlug s
 	}, nil
 }
 
-func getLicense(v *viper.Viper) (*kotsv1beta1.License, error) {
+func getLicense(v *viper.Viper) (*kotsv1beta1.License, string, error) {
 	if v.GetString("license-file") == "" {
-		return nil, nil
+		return nil, "", nil
 	}
 
-	license, err := kotsutil.LoadLicenseFromPath(ExpandDir(v.GetString("license-file")))
+	licenseData, err := os.ReadFile(ExpandDir(v.GetString("license-file")))
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to parse license file")
+		return nil, "", errors.Wrap(err, "failed to read license file")
 	}
 
-	return license, nil
+	license, err := kotsutil.LoadLicenseFromBytes(licenseData)
+	if err != nil {
+		return nil, "", errors.Wrap(err, "failed to parse license file")
+	}
+
+	return license, string(licenseData), nil
 }
 
 func getHttpProxyEnv(v *viper.Viper) map[string]string {

cmd/kots/cli/pull.go

@@ -44,7 +44,7 @@ func PullCmd() *cobra.Command {
 				}
 			}
 
-			license, err := getLicense(v)
+			license, _, err := getLicense(v)
 			if err != nil {
 				return errors.Wrap(err, "failed to get license")
 			}

pkg/kotsadm/license.go

@@ -43,13 +43,7 @@ func ensureLicenseSecret(deployOptions *types.DeployOptions, clientset *kubernet
 		return false, nil
 	}
 
-	s := json.NewYAMLSerializer(json.DefaultMetaFactory, scheme.Scheme, scheme.Scheme)
-	var b bytes.Buffer
-	if err := s.Encode(deployOptions.License, &b); err != nil {
-		return false, errors.Wrap(err, "failed to encode license")
-	}
-
-	_, err = clientset.CoreV1().Secrets(deployOptions.Namespace).Create(context.TODO(), kotsadmobjects.LicenseSecret(deployOptions.Namespace, deployOptions.License.Spec.AppSlug, deployOptions.Airgap, b.String()), metav1.CreateOptions{})
+	_, err = clientset.CoreV1().Secrets(deployOptions.Namespace).Create(context.TODO(), kotsadmobjects.LicenseSecret(deployOptions.Namespace, deployOptions.License.Spec.AppSlug, deployOptions.Airgap, deployOptions.LicenseData), metav1.CreateOptions{})
 	if err != nil {
 		return false, errors.Wrap(err, "failed to create license secret")
 	}

pkg/kotsadm/types/deployoptions.go

@@ -25,6 +25,7 @@ type DeployOptions struct {
 	LimitRange             *corev1.LimitRange
 	IsOpenShift            bool
 	License                *kotsv1beta1.License
+	LicenseData            string
 	ConfigValues           *kotsv1beta1.ConfigValues
 	AppVersionLabel        string
 	Airgap                 bool

pkg/license/signature.go

@@ -164,9 +164,6 @@ func verifyLicenseData(outerLicense *kotsv1beta1.License, innerLicense *kotsv1be
 	if outerLicense.Spec.IsSupportBundleUploadSupported != innerLicense.Spec.IsSupportBundleUploadSupported {
 		return fmt.Errorf("\"IsSupportBundleUploadSupported\" field has changed to %t (license) from %t (within signature)", outerLicense.Spec.IsSupportBundleUploadSupported, innerLicense.Spec.IsSupportBundleUploadSupported)
 	}
-	if outerLicense.Spec.IsEmbeddedClusterMultiNodeEnabled != innerLicense.Spec.IsEmbeddedClusterMultiNodeEnabled {
-		return fmt.Errorf("\"IsEmbeddedClusterMultiNodeEnabled\" field has changed to %t (license) from %t (within signature)", outerLicense.Spec.IsEmbeddedClusterMultiNodeEnabled, innerLicense.Spec.IsEmbeddedClusterMultiNodeEnabled)
-	}
 	if outerLicense.Spec.IsSemverRequired != innerLicense.Spec.IsSemverRequired {
 		return fmt.Errorf("\"IsSemverRequired\" field has changed to %t (license) from %t (within signature)", outerLicense.Spec.IsSemverRequired, innerLicense.Spec.IsSemverRequired)
 	}

pkg/license/signature_test.go

@@ -226,6 +226,50 @@ spec:
 			wantErr:    true,
 			wantErrMsg: `"endpoint" field has changed to "https://replicated.app.modified" (license) from "https://replicated.app" (within signature)`,
 		},
+		{
+			name: "isEmbeddedClusterMultiNodeEnabled field changed",
+			license: `apiVersion: kots.io/v1beta1
+kind: License
+metadata:
+  creationTimestamp: null
+  name: salahecdev
+spec:
+  appSlug: embedded-cluster-smoke-test-staging-app
+  channelID: 2lq8qMex7BwLxz6W2Yww1oa37bL
+  channelName: Salah
+  channels:
+  - channelID: 2lq8qMex7BwLxz6W2Yww1oa37bL
+    channelName: Salah
+    channelSlug: salah
+    endpoint: https://ec-e2e-replicated-app.testcluster.net
+    isDefault: true
+    replicatedProxyDomain: ec-e2e-proxy.testcluster.net
+  customerEmail: [email protected]
+  customerName: Salah EC Dev
+  endpoint: https://ec-e2e-replicated-app.testcluster.net
+  entitlements:
+    expires_at:
+      description: License Expiration
+      title: Expiration
+      value: ""
+      valueType: String
+  isAirgapSupported: true
+  isDisasterRecoverySupported: true
+  isEmbeddedClusterDownloadEnabled: true
+  isSnapshotSupported: true
+  isSupportBundleUploadSupported: true
+  licenseID: 2lhxc32VuCTVO2LrhLo44iDaIjl
+  licenseSequence: 21
+  licenseType: dev
+  replicatedProxyDomain: ec-e2e-proxy.testcluster.net
+  signature: eyJsaWNlbnNlRGF0YSI6ImV5SmhjR2xXWlhKemFXOXVJam9pYTI5MGN5NXBieTkyTVdKbGRHRXhJaXdpYTJsdVpDSTZJa3hwWTJWdWMyVWlMQ0p0WlhSaFpHRjBZU0k2ZXlKdVlXMWxJam9pYzJGc1lXaGxZMlJsZGlKOUxDSnpjR1ZqSWpwN0lteHBZMlZ1YzJWSlJDSTZJakpzYUhoak16SldkVU5VVms4eVRISm9URzgwTkdsRVlVbHFiQ0lzSW14cFkyVnVjMlZVZVhCbElqb2laR1YySWl3aVkzVnpkRzl0WlhKT1lXMWxJam9pVTJGc1lXZ2dSVU1nUkdWMklpd2lZM1Z6ZEc5dFpYSkZiV0ZwYkNJNkluTmhiR0ZvUUhKbGNHeHBZMkYwWldRdVkyOXRJaXdpWVhCd1UyeDFaeUk2SW1WdFltVmtaR1ZrTFdOc2RYTjBaWEl0YzIxdmEyVXRkR1Z6ZEMxemRHRm5hVzVuTFdGd2NDSXNJbU5vWVc1dVpXeEpSQ0k2SWpKc2NUaHhUV1Y0TjBKM1RIaDZObGN5V1hkM01XOWhNemRpVENJc0ltTm9ZVzV1Wld4T1lXMWxJam9pVTJGc1lXZ2lMQ0pqYUdGdWJtVnNjeUk2VzNzaVkyaGhibTVsYkVsRUlqb2lNbXh4T0hGTlpYZzNRbmRNZUhvMlZ6SlpkM2N4YjJFek4ySk1JaXdpWTJoaGJtNWxiRk5zZFdjaU9pSnpZV3hoYUNJc0ltTm9ZVzV1Wld4T1lXMWxJam9pVTJGc1lXZ2lMQ0pwYzBSbFptRjFiSFFpT25SeWRXVXNJbVZ1WkhCdmFXNTBJam9pYUhSMGNITTZMeTlsWXkxbE1tVXRjbVZ3YkdsallYUmxaQzFoY0hBdWRHVnpkR05zZFhOMFpYSXVibVYwSWl3aWNtVndiR2xqWVhSbFpGQnliM2g1Ukc5dFlXbHVJam9pWldNdFpUSmxMWEJ5YjNoNUxuUmxjM1JqYkhWemRHVnlMbTVsZENKOVhTd2liR2xqWlc1elpWTmxjWFZsYm1ObElqb3lNU3dpWlc1a2NHOXBiblFpT2lKb2RIUndjem92TDJWakxXVXlaUzF5WlhCc2FXTmhkR1ZrTFdGd2NDNTBaWE4wWTJ4MWMzUmxjaTV1WlhRaUxDSnlaWEJzYVdOaGRHVmtVSEp2ZUhsRWIyMWhhVzRpT2lKbFl5MWxNbVV0Y0hKdmVIa3VkR1Z6ZEdOc2RYTjBaWEl1Ym1WMElpd2laVzUwYVhSc1pXMWxiblJ6SWpwN0ltVjRjR2x5WlhOZllYUWlPbnNpZEdsMGJHVWlPaUpGZUhCcGNtRjBhVzl1SWl3aVpHVnpZM0pwY0hScGIyNGlPaUpNYVdObGJuTmxJRVY0Y0dseVlYUnBiMjRpTENKMllXeDFaU0k2SWlJc0luWmhiSFZsVkhsd1pTSTZJbE4wY21sdVp5SXNJbk5wWjI1aGRIVnlaU0k2ZTMxOWZTd2lhWE5CYVhKbllYQlRkWEJ3YjNKMFpXUWlPblJ5ZFdVc0ltbHpVMjVoY0hOb2IzUlRkWEJ3YjNKMFpXUWlPblJ5ZFdVc0ltbHpSR2x6WVhOMFpYSlNaV052ZG1WeWVWTjFjSEJ2Y25SbFpDSTZkSEoxWlN3aWFYTk9aWGRMYjNSelZXbEZibUZpYkdWa0lqcDBjblZsTENKcGMxTjFjSEJ2Y25SQ2RXNWtiR1ZWY0d4dllXUlRkWEJ3YjNKMFpXUWlPblJ5ZFdVc0ltbHpSVzFpWldSa1pXUkRiSFZ6ZEdWeVJHOTNibXh2WVdSRmJtRmliR1ZrSWpwMGNuVmxMQ0pwYzBWdFltVmtaR1ZrUTJ4MWMzUmxjazExYkhScFRtOWtaVVZ1WVdKc1pXUWlPblJ5ZFdVc0ltbHpTMjkwYzBsdWMzUmhiR3hGYm1GaWJHVmtJanAwY25WbGZYMD0iLCJpbm5lclNpZ25hdHVyZSI6ImV5SnNhV05sYm5ObFUybG5ibUYwZFhKbElqb2liekk0ZEdwVFlrdENjeTh4VW5sd2RFSjRjV3RRVFV4T1QwZFdWSE5wTVVKNlMxTkZjVEZsVmxJeWIwSXJRM2N4VjFaTFEzTnNUamxDYmpOU1RuZHdla1ZZYUhsS1JUTnNSSE5KUmpocU5FRjVRVTU2YkZaT1ZYSnhlVFJEVlZwMk5GTkxTV1JNUlZSTmJIbDRVbmRNVnpScVpHaDVhelp1UVZSU1FXdHZNVlE1ZVdkd1RVWXhWak5IZVVoTE1rMXVRaXR5Y2toWk0yUlJZV1l2TTFGaGRscElZbkZOVmtoelJGUXJaVXQ1VlRCVFdEaDVXbEZ6YmtWWFUyTXlUek55UkRKbVUzcHVjR3hzVVhsUFFVRjFaWFl5UWk5NGRsRTFObEJEY0V4TVZIVk1jM0UwYXpsc1J6QkNNazlEWVdkS1RrOHhRVVpqYVhOeGFtaG9lVGc1WmlzeFdFTmhjSE5rYWxSbU4zQldZVGM0Y1RKdFVGQmhTREp2ZUVkUWFFeHpXbXBSZG1oRlkxRXhhRlF5TUZKTU5DOUxkREIxZWtrM1ZVOTFkMFl2V0hoQ1pVaGlVRFZLT0U1eFdFUlJVRmRuVnl0aU1WVkJQVDBpTENKd2RXSnNhV05MWlhraU9pSXRMUzB0TFVKRlIwbE9JRkJWUWt4SlF5QkxSVmt0TFMwdExWeHVUVWxKUWtscVFVNUNaMnR4YUd0cFJ6bDNNRUpCVVVWR1FVRlBRMEZST0VGTlNVbENRMmRMUTBGUlJVRTBWSFZGVTBaMVZXSkxXVTh4V0hGVWRWVTNVMXh1YkUwMVZXRXZkV0ZITTNjeGJHRjJXVW94Vms5cE0yWkNaMUpTUm1Fd04wazFUMGxxZGtwU1NWRlVkMlExUnk5Vk5tOXJhbEpoVFZneE5tWTRZemgwYUZ4dWRXUlJhVEU0YWtZNFRtWmxkVXhFY0c1bE5WSmhTa05zTlc5WmEwOURRVmhuZEdKSmRVaHdSa1I0UzBjM1FUVmtNWFpXUkcxUWFubGtaVUp6U0haMlExeHVaWGgzY1VGS2VFZGtNamxOU0hOQllVTldUWHBsVW5SV09VVktkMFZ1TDJSdE9VVnpZMGhpUnpnMllscGpZWGxFWmpOblRYSXhNamN3T1RGUFRrOVdSVnh1T1ZWR1pVWldZV3hoTW5GbE5URmlNRGszTmtka1kzUnNSWEoyZG1OUVRWcHdTbVFyZWpKVGRtTnhVMlJLY0U5WlFqRXphbVJXYW5OTmRtRkJTVzh4VDF4dU4xcEZVMFZwVWtGNk5VaGFjSHAyV1c0emNpOXhhMHg2U0dScFRVTk9SeXRtZW1SbGR6ZGxaVUp0WTNrcmExQlZXRmd6WkdGeU0yRmFWeXR0WmtOU09WeHViRkZKUkVGUlFVSmNiaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExWeHVJaXdpYTJWNVUybG5ibUYwZFhKbElqb2laWGxLZW1GWFpIVlpXRkl4WTIxVmFVOXBTbEJWYkhCd1ZGWldjVmt4VG1GUk1qaDNXWHByTUdKRE9UVlBSM2hPVjFkb1JXRXpXWGRrYmsxNldtMXdVbU5GV2pKTmJteFJaVmhaZGxZeVRrZGxSbGx5VWxad1dGbHBPVWhTYlhnellraE5OV0pwT1hGWmEyd3daV3RHVUdNeWFHeFJNMmR5VTFWc2VWZElVbTlPTTFFd1lWaHNUMDlYU2xGYWFtaHdXWGwwTWxKVWJEVmhWRTUxVlVkTk1rNHlWWFpOTVVKcVVWVldWRkV3V1RKWmJIQjNWVWRHTW1KNldYcGtiVTE1WTBSa1VGWlhaelZYV0Zwb1RsTTVlbEV6UWxOUFZVWnpZM3BzZVZOcmFHNWlWRUY2VWtod2VGWlZhRFZpZW1oVFZESldlbUZWVWtkaVJYaHRWRlZHYldWc1RrWmFSVGxIVGpOR2VVMHpaRkppV0VGMlRtMU9NRTFYYUU5TE1XUnNVVlZhVWxkVE9VdFNWbWd5WkZodmNsVkVTWEpNTUdReFlqSldWMDVVUWxwUmJrNTVWREIzTTFaWFNrcFVWWFJXV2xaT1RGbFhUbFpoV0VGMlRURmFjazlIU25aaGVtaHNaV3hGTTB3eGFESlhibkJZVEROTmQxWllhSFJoTTBaTFZtcFZNRXg2WkZCTk1rWmFUMVJHUzFVeWJGSmthbVJzVkZaS1JWWkZOV3RqVlVaUFRVVXhTRlJXVWxaaFNHeHdVVmhzV2xNemNGbGpNbkJJV2pCTmVXVlhOWEZQUkZKMVRXeFZlRTF0ZEVaTk1XaHJURE5zYTFKWFl6bFFVMGx6U1cxa2MySXlTbWhpUlhSc1pWVnNhMGxxYjJsYVIxVjVXWHBKTTA1VVdURk9iVkYzVGtkSmVGbHRTWGRhYWtVeFdUSlpNMDFIV1hkYVYwVjVXVlJKYVdaUlBUMGlmUT09In0=
+`,
+			// kots versions <= v1.124.15 do not preserve the license structure for automated airgap installs
+			// which causes the license verification for isEmbeddedClusterMultiNodeEnabled to fail
+			// in kots versions that have this license field.
+			wantErr:    false,
+			wantErrMsg: "",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {