Merge branch 'main' into native-template-value-support

rancher · Jan 31, 2025 · 4792bf2 · 4792bf2
2 parents 86be9f3 + 168d1eb
commit 4792bf2
Show file tree

Hide file tree

Showing 15 changed files with 351 additions and 159 deletions.
diff --git a/.github/workflows/release-against-charts.yml b/.github/workflows/release-against-charts.yml
@@ -5,7 +5,7 @@ on:
       charts_ref:
         description: "Submit PR against the following rancher/charts branch (e.g. dev-v2.7)"
         required: true
-        default: "dev-v2.9"
+        default: "dev-v2.10"
       prev_fleet:
         description: "Previous Fleet version (e.g. 0.6.0-rc.3)"
         required: true

diff --git a/.github/workflows/release-against-rancher.yml b/.github/workflows/release-against-rancher.yml
@@ -5,7 +5,7 @@ on:
       rancher_ref:
         description: "Submit PR against the following rancher/rancher branch (e.g. release/v2.7)"
         required: true
-        default: "release/v2.9"
+        default: "release/v2.10"
       new_fleet:
         description: "New Fleet version (e.g. 0.8.0-rc.3)"
         required: true
@@ -21,7 +21,7 @@ on:
       go_version:
         description: "Go version used for bumping the api. This should be the same version as in the go.mod file of the project."
         required: true
-        default: '1.22.*'
+        default: '1.23.*'
 
 env:
   GOARCH: amd64

diff --git a/.github/workflows/release-against-test-charts.yml b/.github/workflows/release-against-test-charts.yml
@@ -12,7 +12,7 @@ on:
       charts_base_branch:
         description: "Use the following rancher/charts branch as a base (e.g. dev-v2.7)"
         required: true
-        default: "dev-v2.10"
+        default: "dev-v2.11"
       charts_repo:
         description: "Push to the following Rancher charts repo (which must exist)"
         required: true
@@ -41,7 +41,7 @@ jobs:
           ref=${tmp:-${{github.ref}}}
 
           tmp=${{github.event.inputs.charts_base_branch}}
-          charts_base_branch=${tmp:-'dev-v2.10'}
+          charts_base_branch=${tmp:-'dev-v2.11'}
 
           tmp=${{github.event.inputs.charts_repo}}
           charts_repo=${tmp:-fleetrepoci/charts}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,8 +22,8 @@ jobs:
     runs-on: runs-on,runner=8cpu-linux-x64,mem=16,run-id=${{ github.run_id }}
 
     env:
-      IS_HOTFIX: ${{ contains(github.ref, '-hotfix-ch-') }}
-      REGISTRY: "${{ contains(github.ref, '-hotfix-ch-') && 'stgregistry.suse.com' || 'docker.io' }}"
+      IS_HOTFIX: ${{ contains(github.ref, '-hotfix-') }}
+      REGISTRY: "${{ contains(github.ref, '-hotfix-') && 'stgregistry.suse.com' || 'docker.io' }}"
 
     if: github.repository == 'rancher/fleet'
     steps:
@@ -81,6 +81,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
       - name: "Read Vault Secrets"
         uses: rancher-eio/read-vault-secrets@main
         with:
@@ -89,6 +92,14 @@ jobs:
             secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
             secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ;
             secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ;
+            secret/data/github/repo/${{ github.repository}}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository}}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY;
+
+      - name: Prepare Docker environment to support sbom/provenance parameters
+        run: |
+          sudo bash -c 'echo "{\"features\": {\"containerd-snapshotter\": true}}" > /etc/docker/daemon.json'
+          sudo systemctl restart docker
 
       - name: Log into Docker Container registry
         uses: docker/login-action@v3
@@ -105,6 +116,13 @@ jobs:
           password: ${{ env.STAGE_REGISTRY_PASSWORD }}
           registry: ${{ env.REGISTRY }}
 
+      - name: Log into Prime registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.PRIME_REGISTRY_USERNAME }}
+          password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+          registry: ${{ env.PRIME_REGISTRY }}
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         id: goreleaser
@@ -115,6 +133,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
+          PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
 
       - name: Upload charts to release
         env:

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -88,6 +88,7 @@ dockers:
   # fleet-controller images
   -
     use: buildx
+    id: fleet-amd64-public
 
     # GOOS of the built binaries/packages that should be used.
     goos: linux
@@ -121,6 +122,7 @@ dockers:
     extra_files: [ "package/log.sh" ]
   -
     use: buildx
+    id: fleet-arm64-public
     goos: linux
     goarch: arm64
     ids:
@@ -143,6 +145,7 @@ dockers:
   # fleet-agent images
   -
     use: buildx
+    id: fleet-agent-amd64-public
     goos: linux
     goarch: amd64
     ids:
@@ -162,6 +165,7 @@ dockers:
     - "--platform=linux/amd64"
   -
     use: buildx
+    id: fleet-agent-arm64-public
     goos: linux
     goarch: arm64
     ids:
@@ -180,14 +184,183 @@ dockers:
     - "--build-arg=BUILD_ENV=goreleaser"
     - "--platform=linux/arm64/v8"
 
+  # Prime fleet-controller images
+  -
+    use: buildx
+    id: fleet-amd64-private
+
+    # GOOS of the built binaries/packages that should be used.
+    goos: linux
+
+    # GOARCH of the built binaries/packages that should be used.
+    goarch: amd64
+
+    # IDs to filter the binaries/packages.
+    ids:
+    - fleet-controller
+    - fleet-cli
+
+    # Templates of the Docker image names.
+    image_templates:
+    - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-amd64"
+
+    # Path to the Dockerfile (from the project root).
+    dockerfile: package/Dockerfile
+
+    # Template of the docker build flags.
+    build_flag_templates:
+    - "--pull"
+    - "--label=org.opencontainers.image.created={{.Date}}"
+    - "--label=org.opencontainers.image.title={{.ProjectName}}"
+    - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+    - "--label=org.opencontainers.image.version={{.Version}}"
+    - "--label=org.opencontainers.image.source=https://github.com/rancher/fleet"
+    - "--build-arg=ARCH=amd64"
+    - "--build-arg=BUILD_ENV=goreleaser"
+    - "--platform=linux/amd64"
+    - "--sbom=true"
+    - "--provenance=true"
+    - "--provenance=mode=max"
+    extra_files: [ "package/log.sh" ]
+  -
+    use: buildx
+    id: fleet-arm64-private
+    goos: linux
+    goarch: arm64
+    ids:
+    - fleet-controller
+    - fleet-cli
+    image_templates:
+    - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-arm64"
+    dockerfile: package/Dockerfile
+    build_flag_templates:
+    - "--pull"
+    - "--label=org.opencontainers.image.created={{.Date}}"
+    - "--label=org.opencontainers.image.title={{.ProjectName}}"
+    - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+    - "--label=org.opencontainers.image.version={{.Version}}"
+    - "--label=org.opencontainers.image.source=https://github.com/rancher/fleet"
+    - "--build-arg=ARCH=arm64"
+    - "--build-arg=BUILD_ENV=goreleaser"
+    - "--platform=linux/arm64/v8"
+    - "--sbom=true"
+    - "--provenance=true"
+    - "--provenance=mode=max"
+    extra_files: [ "package/log.sh" ]
+  # fleet-agent images
+  -
+    use: buildx
+    id: fleet-agent-amd64-private
+    goos: linux
+    goarch: amd64
+    ids:
+    - fleet-agent
+    image_templates:
+    - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
+    dockerfile: package/Dockerfile.agent
+    build_flag_templates:
+    - "--pull"
+    - "--label=org.opencontainers.image.created={{.Date}}"
+    - "--label=org.opencontainers.image.title={{.ProjectName}}"
+    - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+    - "--label=org.opencontainers.image.version={{.Version}}"
+    - "--label=org.opencontainers.image.source=https://github.com/rancher/fleet"
+    - "--build-arg=ARCH=amd64"
+    - "--build-arg=BUILD_ENV=goreleaser"
+    - "--platform=linux/amd64"
+    - "--sbom=true"
+    - "--provenance=true"
+    - "--provenance=mode=max"
+  -
+    use: buildx
+    id: fleet-agent-arm64-private
+    goos: linux
+    goarch: arm64
+    ids:
+    - fleet-agent
+    image_templates:
+    - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"
+    dockerfile: package/Dockerfile.agent
+    build_flag_templates:
+    - "--pull"
+    - "--label=org.opencontainers.image.created={{.Date}}"
+    - "--label=org.opencontainers.image.title={{.ProjectName}}"
+    - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+    - "--label=org.opencontainers.image.version={{.Version}}"
+    - "--label=org.opencontainers.image.source=https://github.com/rancher/fleet"
+    - "--build-arg=ARCH=arm64"
+    - "--build-arg=BUILD_ENV=goreleaser"
+    - "--platform=linux/arm64/v8"
+    - "--sbom=true"
+    - "--provenance=true"
+    - "--provenance=mode=max"
+
+
 docker_manifests:
   # https://goreleaser.com/customization/docker_manifest/
   - name_template: "{{ .Env.REGISTRY }}/rancher/fleet:{{ .Tag }}"
+    id: fleet-manifest-public
     image_templates:
     - "{{ .Env.REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-amd64"
     - "{{ .Env.REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-arm64"
 
   - name_template: "{{ .Env.REGISTRY }}/rancher/fleet-agent:{{ .Tag }}"
+    id: fleet-agent-manifest-public
     image_templates:
     - "{{ .Env.REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
     - "{{ .Env.REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"
+
+  # Creating a manifest does not work atm with Prime
+  # - name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}"
+  #   id: fleet-manifest-private
+  #   image_templates:
+  #   - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-amd64"
+  #   - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-arm64"
+
+  # - name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}"
+  #   id: fleet-agent-manifest-private
+  #   image_templates:
+  #   - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
+  #   - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"
+
+docker_signs:
+  - # ID of the sign config, must be unique.
+    # Only relevant if you want to produce some sort of signature file.
+    #
+    # Default: 'default'.
+    id: prime
+
+    # Path to the signature command.
+    #
+    # Default: 'cosign'.
+    cmd: cosign
+
+    # Command line arguments for the command.
+    #
+    # Default: ["sign", "--key=cosign.key", "${artifact}", "--yes"].
+    # Templates: allowed.
+    args:
+      - "sign"
+      - "--oidc-provider=github-actions"
+      - "--yes" # needed on cosign 2.0.0+
+      - "${artifact}@${digest}"
+
+    # Which artifacts to sign.
+    #
+    #   all:       all artifacts
+    #   none:      no signing
+    #   images:    only docker images
+    #   manifests: only docker manifests
+    #
+    # Default: 'none'.
+    artifacts: all
+
+    # IDs of the artifacts to sign.
+    ids:
+      - fleet-amd64-private
+      - fleet-arm64-private
+      - fleet-agent-amd64-private
+      - fleet-agent-arm64-private
+      # Creating a manifest does not work atm with Prime
+      # - fleet-manifest-private
+      # - fleet-agent-manifest-private
diff --git a/charts/fleet/templates/job_cleanup_clusterregistrations.yaml b/charts/fleet/templates/job_cleanup_clusterregistrations.yaml
@@ -37,5 +37,8 @@ spec:
         - clusterregistration
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
       tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if $.Values.tolerations }}
+{{ toYaml $.Values.tolerations | indent 8 }}
+{{- end }}
   backoffLimit: 1
 {{- end }}
diff --git a/charts/fleet/templates/job_cleanup_gitrepojobs.yaml b/charts/fleet/templates/job_cleanup_gitrepojobs.yaml
@@ -40,5 +40,8 @@ spec:
             - gitjob
           nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
           tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if $.Values.tolerations }}
+{{ toYaml $.Values.tolerations | indent 12 }}
+{{- end }}
       backoffLimit: 1
 {{- end }}
diff --git a/dev/import-images-k3d b/dev/import-images-k3d
@@ -8,20 +8,15 @@ upstream_ctx="${FLEET_E2E_CLUSTER-k3d-upstream}"
 # The single downstream cluster to import the agent image to.
 downstream_ctx="${FLEET_E2E_CLUSTER_DOWNSTREAM-k3d-downstream1}"
 
-# If multi-cluster is enabled, import the agent image to all downstream clusters.
-FLEET_E2E_DS_CLUSTER_COUNT="${FLEET_E2E_DS_CLUSTER_COUNT:-1}"
-
 k3d image import rancher/fleet:dev rancher/fleet-agent:dev -m direct -c "${upstream_ctx#k3d-}"
 
+downstream_keyword="${downstream_ctx#k3d-}"
+downstream_keyword="${downstream_keyword%[0-9]*}"
 if [ "$upstream_ctx" != "$downstream_ctx" ]; then
-  if [ "$FLEET_E2E_DS_CLUSTER_COUNT" -gt 1 ]; then
-    for cluster in $(k3d cluster list -o json | \
-        jq -r ".[].name | select(. | contains(\"${downstream_ctx#k3d-}\"))"); do
-      k3d image import rancher/fleet-agent:dev -m direct -c "${cluster}"
-    done
-  else
-    k3d image import rancher/fleet-agent:dev -m direct -c "${downstream_ctx#k3d-}"
-  fi
+  for cluster in $(k3d cluster list -o json | \
+      jq -r ".[].name | select(. | contains(\"${downstream_keyword}\"))"); do
+    k3d image import rancher/fleet-agent:dev -m direct -c "${cluster}"
+  done
 else
   echo "not importing agent to any downstream clusters. Set FLEET_E2E_CLUSTER_DOWNSTREAM"
 fi
diff --git a/go.mod b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/cheggaaa/pb v1.0.29
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/docker/docker v27.5.1+incompatible
-	github.com/evanphx/json-patch v5.9.10+incompatible
+	github.com/evanphx/json-patch v5.9.11+incompatible
 	github.com/go-git/go-billy/v5 v5.6.2
 	github.com/go-git/go-git/v5 v5.13.2
 	github.com/go-logr/logr v1.4.2

diff --git a/go.sum b/go.sum
@@ -784,8 +784,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo=
 github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w=
 github.com/envoyproxy/protoc-gen-validate v0.10.1/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
-github.com/evanphx/json-patch v5.9.10+incompatible h1:f9RK4b5sgikwA7D5BkGR9oz69KM7riR/0qaNoBzmJso=
-github.com/evanphx/json-patch v5.9.10+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
+github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=

diff --git a/internal/cmd/controller/gitops/reconciler/status_controller.go b/internal/cmd/controller/gitops/reconciler/status_controller.go
@@ -154,7 +154,7 @@ func setStatus(list *fleet.BundleDeploymentList, gitrepo *fleet.GitRepo) error {
 		return err
 	}
 
-	resourcestatus.SetResources(list, &gitrepo.Status.StatusBase)
+	resourcestatus.SetResources(list.Items, &gitrepo.Status.StatusBase)
 
 	summary.SetReadyConditions(&gitrepo.Status, "Bundle", gitrepo.Status.Summary)