Merge remote-tracking branch 'origin/main' into KU-91/nightly-runs

canonical · Apr 8, 2024 · ae774f7 · ae774f7
2 parents 4b9f533 + cb3368c
commit ae774f7
Show file tree

Hide file tree

Showing 143 changed files with 3,932 additions and 2,180 deletions.
diff --git a/.github/ISSUE_TEMPLATE/create_release_branch.md b/.github/ISSUE_TEMPLATE/create_release_branch.md
@@ -0,0 +1,162 @@
+---
+name: "[Runbook] Create release branch"
+about: Create a new branch for a new stable Kubernetes release
+---
+
+#### Summary
+
+Make sure to follow the steps below and ensure all actions are completed and signed-off by one team member.
+
+#### Information
+
+<!-- Replace with the version to create the branch for, e.g. 1.28 -->
+- **K8s version**: 1.xx
+
+<!-- Set this to the name of the person responsible for running the release tasks, e.g. @neoaggelos -->
+- **Owner**:
+
+<!-- Set this to the name of the team-member that will sign-off the tasks -->
+- **Reviewer**:
+
+<!-- Link to PR to initialize the release branch (see below) -->
+- **PR**:
+
+#### Actions
+
+The steps are to be followed in-order, each task must be completed by the person specified in **bold**. Do not perform any steps unless all previous ones have been signed-off. The **Reviewer** closes the issue once all steps are complete.
+
+- [ ] **Owner**: Add the assignee and reviewer as assignees to the GitHub issue
+- [ ] **Owner**: Ensure that you are part of the ["containers" team](https://launchpad.net/~containers)
+- [ ] **Owner**: Request a new `1.xx` Snapstore track for the snaps similar to the  [snapstore track-request][].
+  - #### Post template on https://discourse.charmhub.io/
+
+    **Title:** Request for 1.xx tracks for the k8s snap
+
+    **Category:** store-requests
+
+    **Body:**
+
+      Hi,
+
+      Could we please have a track "1.xx-classic" and "1.xx" for the respective K8s snap release?
+
+      Thank you, $name
+
+- [ ] **Owner**: Create `release-1.xx-strict` branch from latest `autoupdate/strict`
+  - `git switch autoupdate/strict`
+  - `git pull`
+  - `git checkout -b release-1.xx-strict`
+  - `git push origin release-1.xx-strict`
+- [ ] **Owner**: Create `release-1.xx` branch from latest `main`
+  - `git switch main`
+  - `git pull`
+  - `git checkout -b release-1.xx`
+  - `git push origin release-1.xx`
+- [ ] **Owner**: Create `1.xx` branch from latest `master` in k8s-dqlite
+  - `git clone [email protected]:canonical/k8s-dqlite.git ~/tmp/release-1.xx`
+  - `pushd ~/tmp/release-1.xx`
+  - `git switch main`
+  - `git pull`
+  - `git checkout -b release-1.xx`
+  - `git push origin release-1.xx`
+  - `popd`
+  - `rm -rf ~/tmp/release-1.xx`
+- [ ] **Owner**: Create `release-1.xx` branch from latest `main` in cilium-rocks
+  - `git clone [email protected]:canonical/cilium-rocks.git ~/tmp/release-1.xx`
+  - `pushd ~/tmp/release-1.xx`
+  - `git switch main`
+  - `git pull`
+  - `git checkout -b release-1.xx`
+  - `git push origin release-1.xx`
+  - `popd`
+  - `rm -rf ~/tmp/release-1.xx`
+- [ ] **Owner**: Create `release-1.xx` branch from latest `main` in coredns-rock
+  - `git clone [email protected]:canonical/coredns-rock.git ~/tmp/release-1.xx`
+  - `pushd ~/tmp/release-1.xx`
+  - `git switch main`
+  - `git pull`
+  - `git checkout -b release-1.xx`
+  - `git push origin release-1.xx`
+  - `popd`
+  - `rm -rf ~/tmp/release-1.xx`
+- [ ] **Owner**: Create `release-1.xx` branch from latest `main` in metrics-server-rock
+  - `git clone [email protected]:canonical/metrics-server-rock.git ~/tmp/release-1.xx`
+  - `pushd ~/tmp/release-1.xx`
+  - `git switch main`
+  - `git pull`
+  - `git checkout -b release-1.xx`
+  - `git push origin release-1.xx`
+  - `popd`
+  - `rm -rf ~/tmp/release-1.xx`
+- [ ] **Owner**: Create `release-1.xx` branch from latest `main` in rawfile-localpv
+  - `git clone [email protected]:canonical/rawfile-localpv.git ~/tmp/release-1.xx`
+  - `pushd ~/tmp/release-1.xx`
+  - `git switch main`
+  - `git pull`
+  - `git checkout -b release-1.xx`
+  - `git push origin release-1.xx`
+  - `popd`
+  - `rm -rf ~/tmp/release-1.xx`
+- [ ] **Reviewer**: Ensure `release-1.xx` branch is based on latest changes on `main` at the time of the release cut.
+- [ ] **Reviewer**: Ensure `release-1.xx-strict` branch is based on latest changes on `autoupdate/strict` at the time of the release cut.
+- [ ] **Owner**: Create PR to initialize `release-1.xx` branch:
+  - [ ] Update `KUBE_TRACK` to `1.xx` in [/build-scripts/components/kubernetes/version.sh][]
+  - [ ] Update `master` to `1.xx` in [/build-scripts/components/k8s-dqlite/version.sh][]
+  - [ ] Update `"main"` to `"release-1.xx"` in [/build-scripts/hack/generate-sbom.py][]
+  - [ ] `git commit -m 'Release 1.xx'`
+  - [ ] Create PR with the changes and request review from **Reviewer**. Make sure to update the issue `Information` section with a link to the PR.
+- [ ] **Reviewer**: Review and merge PR to initialize branch.
+- [ ] **Reviewer**: On merge, confirm [Auto-update strict branch] action runs to completion
+- [ ] **Owner**: Create launchpad builders for `release-1.xx`
+  - [ ] Go to [lp:k8s][] and do **Import now** to pick up all latest changes.
+  - [ ] Under **Branches**, select `release-1.xx`, then **Create snap package**
+  - [ ] Set **Snap recipe name** to `k8s-snap-1.xx`
+  - [ ] Set **Owner** to `Canonical Kubernetes (containers)`
+  - [ ] Set **The project that this Snap is associated with** to `k8s`
+  - [ ] Set **Series** to Infer from snapcraft.yaml
+  - [ ] Set **Processors** to `AMD x86-64 (amd64)` and `ARM ARMv8 (arm64)`
+  - [ ] Enable **Automatically upload to store**
+  - [ ] Set **Registered store name** to `k8s`
+  - [ ] In **Store Channels**, set **Track** to `1.xx-classic` and **Risk** to `edge`. Leave **Branch** empty
+  - [ ] Click **Create snap package** at the bottom of the page.
+- [ ] **Owner**: Create launchpad builders for `release-1.xx-strict`
+  - [ ] Return to [lp:k8s][].
+  - [ ] Under **Branches**, select `release-1.xx-strict`, then **Create snap package**
+  - [ ] Set **Snap recipe name** to `k8s-snap-1.xx-strict`
+  - [ ] Set **Owner** to `Canonical Kubernetes (containers)`
+  - [ ] Set **The project that this Snap is associated with** to `k8s`
+  - [ ] Set **Series** to Infer from snapcraft.yaml
+  - [ ] Set **Processors** to `AMD x86-64 (amd64)` and `ARM ARMv8 (arm64)`
+  - [ ] Enable **Automatically upload to store**
+  - [ ] Set **Registered store name** to `k8s`
+  - [ ] In **Store Channels**, set **Track** to `1.xx` and **Risk** to `edge`. Leave **Branch** empty
+  - [ ] Click **Create snap package** at the bottom of the page.
+- [ ] **Reviewer**: Ensure snap recipes are created in [lp:k8s/+snaps][]
+  - look for `k8s-snap-1.xx`
+  - look for `k8s-snap-1.xx-strict`
+
+#### After release
+
+- [ ] **Owner** follows up with the **Reviewer** and team about things to improve around the process.
+- [ ] **Owner**: After a few weeks of stable CI, update default track to `1.xx/stable` via
+  - On the snap [releases page][], select `Track` > `1.xx`
+- [ ] **Reviewer**: Ensure snap recipes are created in [lp:k8s/+snaps][]
+
+
+<!-- LINKS -->
+[Auto-update strict branch]: https://github.com/canonical/k8s-snap/actions/workflows/strict.yaml
+[snapstore track-request]: https://forum.snapcraft.io/t/tracks-request-for-k8s-snap/39122/2
+[releases-page]: https://snapcraft.io/k8s/releases
+[.github/workflows/cla.yaml]: ../workflows/cla.yaml
+[.github/workflows/cron-jobs.yaml]: ../workflows/cron-jobs.yaml
+[.github/workflows/go.yaml]: ../workflows/go.yaml
+[.github/workflows/integration.yaml]: ..workflows/integration.yaml
+[.github/workflows/python.yaml]: ../workflows/python.yaml
+[.github/workflows/sbom.yaml]: ../workflows/sbom.yaml
+[.github/workflows/strict-integration.yaml]: ../workflows/strict-integration.yaml
+[.github/workflows/strict.yaml]: ..workflows/strict.yaml
+[/build-scripts/components/kubernetes/version.sh]: ../../build-scripts/components/kubernetes/version.sh
+[/build-scripts/components/k8s-dqlite/version.sh]: ../../build-scripts/components/k8s-dqlite/version.sh
+[/build-scripts/hack/generate-sbom.py]: ../..//build-scripts/hack/generate-sbom.py
+[lp:k8s]: https://code.launchpad.net/~cdk8s/k8s/+git/k8s-snap
+[lp:k8s/+snaps]: https://launchpad.net/k8s/+snaps
diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
@@ -2,7 +2,9 @@ name: cla-check
 
 on:
   pull_request:
-    branches: [main]
+    branches:
+      - main
+      - 'release-[0-9]+.[0-9]+'
 
 jobs:
   cla-check:

diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml
@@ -2,7 +2,12 @@ name: Go
 
 on:
   push:
-    branches: [main, autoupdate/strict]
+    branches:
+      - main
+      - autoupdate/strict
+      - 'release-[0-9]+.[0-9]+'
+      - 'release-[0-9]+.[0-9]+-strict'
+
   pull_request:
 
 jobs:

diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -2,9 +2,15 @@ name: Integration Tests
 
 on:
   push:
-    branches: [main, autoupdate/strict]
+    branches:
+      - main
+      - autoupdate/strict
+      - 'release-[0-9]+.[0-9]+'
+      - 'release-[0-9]+.[0-9]+-strict'
   pull_request:
-    branches: [main]
+    branches:
+      - main
+      - 'release-[0-9].[0-9]+'
 
 jobs:
   build:

diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml
@@ -2,9 +2,15 @@ name: Python
 
 on:
   push:
-    branches: [main, autoupdate/strict]
+    branches:
+      - main
+      - autoupdate/strict
+      - 'release-[0-9]+.[0-9]+'
+      - 'release-[0-9]+.[0-9]+-strict'
   pull_request:
-    branches: [main]
+    branches:
+      - main
+      - 'release-[0-9]+.[0-9]+'
 
 jobs:
   lint:

diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml
@@ -2,9 +2,15 @@ name: SBOM
 
 on:
   push:
-    branches: [main, autoupdate/strict]
+    branches:
+      - main
+      - autoupdate/strict
+      - 'release-[0-9]+.[0-9]+'
+      - 'release-[0-9]+.[0-9]+-strict'
   pull_request:
-    branches: [main]
+    branches:
+      - main
+      - 'release-[0-9]+.[0-9]+'
 
 jobs:
   build:

diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '43 6 * * *'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml
@@ -2,15 +2,40 @@ name: Integration Tests (Strict)
 
 on:
   push:
-    branches: [main]
+    branches:
+      - main
+      - 'release-[0-9]+.[0-9]+'
   pull_request:
-    branches: [main]
+    branches:
+      - main
+      - 'release-[0-9]+.[0-9]+'
 
 jobs:
+  prepare:
+    name: Prepare
+    runs-on: ubuntu-latest
+    outputs:
+      strict: ${{ steps.determine.outputs.strict }}
+    steps:
+      - name: Determine Strict branch
+        id: determine
+        env:
+          BRANCH: ${{ github.base_ref || github.ref }}
+        run: |
+          BRANCH=${BRANCH#refs/heads/}  # strip off refs/heads/ if it exists
+          if [[ "${BRANCH}" == "main" ]]; then
+            echo "strict=autoupdate/strict" >> "$GITHUB_OUTPUT"
+          elif [[ "${BRANCH}" =~ "^release-[0-9]+\.[0-9]+$" ]]; then
+            echo "strict=${BRANCH}" >> "$GITHUB_OUTPUT"
+          else
+            echo "Failed to determine matching strict branch for ${BRANCH}"
+            echo "strict=" >> $GITHUB_OUTPUT
+          fi
   build:
     name: Build
     runs-on: ubuntu-20.04
-
+    needs: [ prepare ]
+    if: ${{ needs.prepare.outputs.strict }}
     steps:
       - name: Checking out repo
         uses: actions/checkout@v4
@@ -24,7 +49,7 @@ jobs:
           sudo snap install snapcraft --classic
       - name: Apply strict patch
         run: |
-          git checkout -b autoupdate/strict
+          git checkout -b ${{ needs.prepare.outputs.strict }}
           git config --global user.email [email protected]
           git config --global user.name k8s-bot
           git am ./build-scripts/patches/strict/*.patch
@@ -39,13 +64,13 @@ jobs:
           path: k8s-strict.snap
 
   test-integration:
+    needs: [ prepare, build ]
+    if: ${{ needs.prepare.outputs.strict }}
     name: Test ${{ matrix.os }}
     strategy:
       matrix:
         os: ["ubuntu:20.04"]
     runs-on: ubuntu-20.04
-    needs: build
-
     steps:
       - name: Check out code
         uses: actions/checkout@v4