Merge pull request #1443 from rancher/dev-v2.7

[release-v2.7] Sync `dev-v2.7` to `release-v2.7`

.github/runs-on.yml

@@ -0,0 +1 @@
+_extends: .github-private

.github/workflows/fossa.yaml

@@ -0,0 +1,28 @@
+name: Fossa Scan
+
+on:
+  push: 
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+
+jobs:
+  fossa:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    timeout-minutes: 20
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Read FOSSA token
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY
+      - name: FOSSA scan
+        uses: fossas/fossa-action@main
+        with:
+          api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }}
+          run-tests: false

.github/workflows/provisioning-tests.yaml

@@ -0,0 +1,78 @@
+name: Provisioning tests
+
+on:
+  push: 
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+  pull_request:
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+
+jobs:
+  provisioning-test:
+    permissions:
+      contents: read
+    runs-on: runs-on,runner=4cpu-linux-x64,image=legacy-cgroups-for-x64,run-id=${{ github.run_id }}
+    container: 
+      image: rancher/dapper:v0.6.0
+      options: --privileged
+    timeout-minutes: 90
+    strategy:
+      matrix:
+        dist: [rke2, k3s]
+        k8s-minor: [23, 24, 25, 26, 27]
+      fail-fast: false
+    steps:
+      - name: Force Install GIT latest
+        run: |
+          apk add git --update-cache
+          git --version
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+      - name: Provisioning test
+        run: |
+          dapper provisioning-tests
+        env:
+          V2PROV_TEST_DIST: ${{ matrix.dist }}
+          V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$"
+          KDM_TEST_K8S_MINOR: ${{ matrix.k8s-minor }}
+          PREV_COMMIT_PR_SHA: ${{ github.event.pull_request.base.sha }}
+          PREV_COMMIT_PUSH_SHA: ${{ github.event.before }}
+
+  provisioning-operations-test:
+    permissions:
+      contents: read
+    runs-on: runs-on,runner=4cpu-linux-x64,image=legacy-cgroups-for-x64,run-id=${{ github.run_id }}
+    container: 
+      image: rancher/dapper:v0.6.0
+      options: --privileged
+    timeout-minutes: 90
+    strategy:
+      fail-fast: false
+      matrix:
+        dist: [rke2, k3s]
+        k8s-minor: [23, 24, 25, 26, 27]
+    steps:
+      - name: Force Install GIT latest
+        run: |
+          apk add git --update-cache
+          git --version
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+      - name: Provisioning Operations tests
+        run: |
+          dapper provisioning-tests
+        env:
+          V2PROV_TEST_DIST: ${{ matrix.dist }}
+          V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$"
+          KDM_TEST_K8S_MINOR: ${{ matrix.k8s-minor }}
+          PREV_COMMIT_PR_SHA: ${{ github.event.pull_request.base.sha }}
+          PREV_COMMIT_PUSH_SHA: ${{ github.event.before }}

.github/workflows/workflow.yaml

@@ -0,0 +1,106 @@
+name: Main workflow
+
+on:
+  push: 
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+  pull_request:
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+
+jobs:
+  validate:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    container: 
+      image: rancher/dapper:v0.6.0
+    steps:
+      - name: Force Install GIT latest
+        run: |
+          apk add git --update-cache
+          git --version
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Validate
+        run: dapper ci
+
+  mirror-images:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: validate
+    container: 
+      image: rancher/dapper:v0.6.0
+    if: github.event_name == 'push' && startsWith(github.ref_name, 'release-v')
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Retrieve Registy secrets from vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/registry-endpoint/credentials token | REGISTRY_ENDPOINT ;
+            secret/data/github/repo/${{ github.repository }}/registry-username/credentials token | REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/registry-password/credentials token | REGISTRY_PASSWORD
+      - name: Validate
+        run: dapper mirror-images
+
+  upload:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: validate
+    if: github.event_name == 'push'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Retrieve Google auth from vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/google-auth/rancher/credentials token | GOOGLE_AUTH ;
+      - name: Authenticate with Google Cloud
+        uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: '${{ env.GOOGLE_AUTH }}'
+      - name: Upload to Google Cloud Storage
+        uses: google-github-actions/upload-cloud-storage@v2
+        with:
+          path: data/
+          destination: releases.rancher.com/kontainer-driver-metadata/${{ github.ref_name }}
+          parent: false
+          predefinedAcl: publicRead
+          process_gcloudignore: false
+          headers: |-
+            cache-control: public,no-cache,proxy-revalidate
+
+  dispatch:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: upload
+    if: github.event_name == 'push' && (github.ref_name == 'release-v2.7' || github.ref_name == 'dev-v2.7')
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Retrieve token from vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/github-token/credentials token | PAT_TOKEN
+      - name: Run dispatch
+        run: |
+          gh workflow run "Go Generate" --repo rancher/rke --ref release/v1.4 -F source_author=${{ github.actor }}
+        env:
+          GH_TOKEN: ${{ env.PAT_TOKEN }}

Dockerfile.dapper

@@ -71,14 +71,15 @@ RUN if [[ "${ARCH}" == "amd64" ]]; then \
         curl -sL https://github.com/regclient/regclient/releases/download/v0.4.8/regsync-linux-amd64 -o /bin/regsync && chmod +x /bin/regsync; \
     fi
 
-ENV DAPPER_ENV REPO TAG CI DRONE_BUILD_NUMBER DRONE_BUILD_EVENT DRONE_TAG DRONE_COMMIT_BEFORE \
+ENV DAPPER_ENV REPO TAG CI \
+    PREV_COMMIT_PR_SHA PREV_COMMIT_PUSH_SHA GITHUB_EVENT_NAME GITHUB_RUN_NUMBER GITHUB_REF_TYPE GITHUB_REF_NAME \
     REGISTRY_ENDPOINT REGISTRY_USERNAME REGISTRY_PASSWORD \
     V2PROV_TEST_DIST V2PROV_TEST_RUN_REGEX KDM_TEST_K8S_MINOR DEBUG
 ENV DAPPER_SOURCE /go/src/github.com/rancher/kontainer-driver-metadata
 ENV DAPPER_DOCKER_SOCKET true
 ARG CI
-ARG DRONE_BUILD_NUMBER
-ENV DAPPER_RUN_ARGS "--privileged --label CI=${CI} --label DRONE_BUILD_NUMBER=${DRONE_BUILD_NUMBER}"
+ARG GITHUB_RUN_NUMBER
+ENV DAPPER_RUN_ARGS "--privileged --label CI=${CI} --label DRONE_BUILD_NUMBER=${GITHUB_RUN_NUMBER}"
 ENV HOME ${DAPPER_SOURCE}
 ENV GOPATH /go
 VOLUME /var/lib/rancher

channels-rke2.yaml

@@ -1922,3 +1922,36 @@ releases:
         repo: rancher-rke2-charts
         version: 1.15.500
     featureVersions: *featureVersions-v1
+  - version: v1.27.15+rke2r1
+    minChannelServerVersion: v2.7.11-alpha1
+    maxChannelServerVersion: v2.8.99
+    serverArgs: &serverArgs-v1-27-15-rke2r1
+      <<: *serverArgs-v1-27-13-rke2r1
+      supervisor-metrics:
+        type: boolean
+      write-kubeconfig-group:
+        type: string
+    agentArgs: &agentArgs-v1-27-15-rke2r1
+      <<: *agentArgs-v1-25-15-rke2r2
+      enable-pprof:
+        type: boolean
+      bind-address:
+        type: string
+    charts: &charts-v1-27-15-rke2r1
+      <<: *charts-v1-27-14-rke2r1
+      rke2-canal:
+        repo: rancher-rke2-charts
+        version: v3.28.0-build2024062503
+      rke2-ingress-nginx:
+        repo: rancher-rke2-charts
+        version: 4.10.101
+      rke2-multus:
+        repo: rancher-rke2-charts
+        version: v4.0.205
+      rke2-flannel:
+        repo: rancher-rke2-charts
+        version: v0.25.400
+      harvester-cloud-provider:
+        repo: rancher-rke2-charts
+        version: 0.2.400
+    featureVersions: *featureVersions-v1

channels.yaml

@@ -573,3 +573,19 @@ releases:
     serverArgs: *serverArgs-v8
     agentArgs: *agentArgs-v5
     featureVersions: *featureVersions-v1
+  - version: v1.27.15+k3s2
+    minChannelServerVersion: v2.7.11-alpha1
+    maxChannelServerVersion: v2.7.99
+    serverArgs: &serverArgs-v9
+      <<: *serverArgs-v8
+      supervisor-metrics:
+        type: boolean
+      write-kubeconfig-group:
+        type: string
+    agentArgs: &agentArgs-v6
+      <<: *agentArgs-v5
+      enable-pprof:
+        type: boolean
+      bind-address:
+        type: string
+    featureVersions: *featureVersions-v1

pkg/rke/k8s_rke_system_images.go

@@ -10310,6 +10310,48 @@ func loadK8sRKESystemImages() map[string]v3.RKESystemImages {
 			WindowsPodInfraContainer:  "rancher/mirrored-pause:3.7",
 			Nodelocal:                 "rancher/mirrored-k8s-dns-node-cache:1.22.28",
 		},
+		// Out of band post v2.7.14
+		"v1.27.15-rancher1-1": {
+			Etcd:                      "rancher/mirrored-coreos-etcd:v3.5.10",
+			Kubernetes:                "rancher/hyperkube:v1.27.15-rancher1",
+			Alpine:                    "rancher/rke-tools:v0.1.100",
+			NginxProxy:                "rancher/rke-tools:v0.1.100",
+			CertDownloader:            "rancher/rke-tools:v0.1.100",
+			KubernetesServicesSidecar: "rancher/rke-tools:v0.1.100",
+			KubeDNS:                   "rancher/mirrored-k8s-dns-kube-dns:1.22.28",
+			DNSmasq:                   "rancher/mirrored-k8s-dns-dnsmasq-nanny:1.22.28",
+			KubeDNSSidecar:            "rancher/mirrored-k8s-dns-sidecar:1.22.28",
+			KubeDNSAutoscaler:         "rancher/mirrored-cluster-proportional-autoscaler:v1.8.9",
+			Flannel:                   "rancher/mirrored-flannel-flannel:v0.21.4",
+			FlannelCNI:                "rancher/flannel-cni:v0.3.0-rancher8",
+			CalicoNode:                "rancher/mirrored-calico-node:v3.26.3",
+			CalicoCNI:                 "rancher/calico-cni:v3.26.3-rancher1",
+			CalicoControllers:         "rancher/mirrored-calico-kube-controllers:v3.26.3",
+			CalicoCtl:                 "rancher/mirrored-calico-ctl:v3.26.3",
+			CalicoFlexVol:             "rancher/mirrored-calico-pod2daemon-flexvol:v3.26.3",
+			CanalNode:                 "rancher/mirrored-calico-node:v3.26.3",
+			CanalCNI:                  "rancher/calico-cni:v3.26.3-rancher1",
+			CanalControllers:          "rancher/mirrored-calico-kube-controllers:v3.26.3",
+			CanalFlannel:              "rancher/mirrored-flannel-flannel:v0.21.4",
+			CanalFlexVol:              "rancher/mirrored-calico-pod2daemon-flexvol:v3.26.3",
+			WeaveNode:                 "weaveworks/weave-kube:2.8.1",
+			WeaveCNI:                  "weaveworks/weave-npc:2.8.1",
+			AciCniDeployContainer:     "noiro/cnideploy:6.0.4.2.81c2369",
+			AciHostContainer:          "noiro/aci-containers-host:6.0.4.2.81c2369",
+			AciOpflexContainer:        "noiro/opflex:6.0.4.2.81c2369",
+			AciMcastContainer:         "noiro/opflex:6.0.4.2.81c2369",
+			AciOpenvSwitchContainer:   "noiro/openvswitch:6.0.4.2.81c2369",
+			AciControllerContainer:    "noiro/aci-containers-controller:6.0.4.2.81c2369",
+			PodInfraContainer:         "rancher/mirrored-pause:3.7",
+			Ingress:                   "rancher/nginx-ingress-controller:nginx-1.9.4-rancher1",
+			IngressBackend:            "rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1",
+			IngressWebhook:            "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231011-8b53cabe0",
+			MetricsServer:             "rancher/mirrored-metrics-server:v0.6.3",
+			CoreDNS:                   "rancher/mirrored-coredns-coredns:1.10.1",
+			CoreDNSAutoscaler:         "rancher/mirrored-cluster-proportional-autoscaler:v1.8.9",
+			WindowsPodInfraContainer:  "rancher/mirrored-pause:3.7",
+			Nodelocal:                 "rancher/mirrored-k8s-dns-node-cache:1.22.28",
+		},
 		// k8s version from 2.1.x release with old rke-tools to allow upgrade from 2.1.x clusters
 		// without all clusters being restarted
 		"v1.11.9-rancher1-3": {

pkg/rke/k8s_version_info.go

@@ -61,7 +61,7 @@ func loadRKEDefaultK8sVersions() map[string]string {
 	return map[string]string{
 		"0.3": "v1.16.3-rancher1-1",
 		// rke will use default if its version is absent
-		"default": "v1.27.14-rancher1-1",
+		"default": "v1.27.15-rancher1-1",
 	}
 }