diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4aa9fe858a..5993a254bb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -42,6 +42,16 @@ jobs:
 with:
 username: ${{ secrets.DOCKERHUB_LOGIN }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ # - name: Login to Chainguard using pull token
+ # uses: docker/login-action@v2
+ # with:
+ # registry: cgr.dev
+ # username: ${{ secrets.CGR_DEV_TEST_LOGIN }}
+ # password: ${{ secrets.CGR_DEV_TEST_PASSWORD }}
+ - name: Login to Chainguard
+ uses: chainguard-dev/setup-chainctl@main
+ with:
+ identity: ${{ secrets.CGR_DEV_TEST_IDENTITY }}
 - name: Checkout
 uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/pre-merge.yaml b/.github/workflows/pre-merge.yaml
index 7b09c57f23..42b2b1b1bb 100644
--- a/.github/workflows/pre-merge.yaml
+++ b/.github/workflows/pre-merge.yaml
@@ -24,6 +24,10 @@ on:
 - "w/**"
 - "q/*/**"
+permissions:
+ contents: read
+ id-token: write
 jobs:
 changed-files:
 runs-on: ubuntu-24.04
diff --git a/buildchain/buildchain/constants.py b/buildchain/buildchain/constants.py
index 945105f988..253663b95b 100644
--- a/buildchain/buildchain/constants.py
+++ b/buildchain/buildchain/constants.py
@@ -32,6 +32,7 @@ PROMETHEUS_REPOSITORY: str = "quay.io/prometheus"
 THANOS_REPOSITORY: str = "quay.io/thanos"
 CERT_MANAGER_REPOSITORY: str = "quay.io/jetstack"
+CHAINGUARD_REPOSITORY: str = "cgr.dev/scality.com"
 # Paths {{{
diff --git a/buildchain/buildchain/image.py b/buildchain/buildchain/image.py
index 1b31b77fd3..6ddfefd24a 100644
--- a/buildchain/buildchain/image.py
+++ b/buildchain/buildchain/image.py
@@ -184,7 +184,6 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
 ],
 constants.K8S_REPOSITORY: [
 "pause",
- "etcd",
 "kube-apiserver",
 "kube-controller-manager",
 "kube-proxy",
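Review bot: `uses: chainguard-dev/setup-chainctl@main` pins the new login step to a moving branch, while the neighbouring steps (`docker/login-action@v2`, `actions/checkout@v4`) are pinned to release tags; any future push to that action's `main` would then run inside this job with its OIDC identity and secrets, so pin it to a release tag or, better, a full commit SHA (`uses: chainguard-dev/setup-chainctl@<release-commit-sha>`, placeholder). The six commented-out `docker/login-action` lines above it are dead configuration that git history already preserves; drop them rather than keep a second set of secret names in the workflow. The secret name `CGR_DEV_TEST_IDENTITY` reads as a test identity being used by the build workflow, which is worth confirming or renaming. Identity-based `setup-chainctl` login presumably needs `id-token: write` (the pre-merge.yaml hunk adds it); build.yaml's `permissions` block is outside this hunk, so check it grants that on this job.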
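Review bot: `id-token: write` is granted at workflow level, so every job in pre-merge.yaml (including `changed-files`, visible just below) can mint an OIDC token, not only the job that logs in to cgr.dev. Move the grant to that job and keep the workflow default at `contents: read`, i.e. under the job key add `permissions:` / `  contents: read` / `  id-token: write`. Which job performs the Chainguard login lies outside this hunk.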
@@ -206,17 +205,21 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
 constants.PROMETHEUS_REPOSITORY: [
 "alertmanager",
 "node-exporter",
- "prometheus",
 ],
 constants.THANOS_REPOSITORY: [
 "thanos",
 ],
 constants.CERT_MANAGER_REPOSITORY: [
- "cert-manager-controller",
+ # "cert-manager-controller",
 "cert-manager-webhook",
 "cert-manager-cainjector",
 "cert-manager-acmesolver",
 ],
+ constants.CHAINGUARD_REPOSITORY: [
+ "cert-manager-controller",
+ "etcd",
+ "prometheus",
+ ],
 }
 REMOTE_NAMES: Dict[str, str] = {
diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
index 4f007407e6..e470317590 100644
--- a/buildchain/buildchain/versions.py
+++ b/buildchain/buildchain/versions.py
@@ -76,7 +76,7 @@ def load_version_information() -> None:
 "c464612ef7e3d54d658c3eaa4778b5cdc990ec7a4d9ab63b0f00c9994c6ce980"
 )
-ETCD_VERSION: str = "3.5.15"
+ETCD_VERSION: str = "3.5.16"
 ETCD_IMAGE_VERSION: str = f"{ETCD_VERSION}-0"
 NGINX_IMAGE_VERSION: str = "1.27.0-alpine"
 NODEJS_IMAGE_VERSION: str = "16.14.0"
@@ -136,8 +136,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
 ),
 Image(
 name="etcd",
- version=ETCD_IMAGE_VERSION,
- digest="sha256:a6dc63e6e8cfa0307d7851762fa6b629afb18f28d8aa3fab5a6e91b4af60026a",
+ version=ETCD_VERSION,
+ digest="sha256:bf42a7470fc32872947ba769c2cc886affa726dec2d2bfeabd68050ef5487623",
 ),
 Image(
 name="grafana",
@@ -198,8 +198,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
 ),
 Image(
 name="prometheus",
- version="v2.55.0",
- digest="sha256:378f4e03703557d1c6419e6caccf922f96e6d88a530f7431d66a4c4f4b1000fe",
+ version="2.55.0",
+ digest="sha256:c0907ae3a99e682698d7b539e61649f6479747a356038cbfdffb4ee56cae71b1",
 ),
 Image(
 name="prometheus-adapter",
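Review bot: The commented-out `# "cert-manager-controller",` left in the `constants.CERT_MANAGER_REPOSITORY` list is dead code; the entry now lives under `constants.CHAINGUARD_REPOSITORY` and git history records the move, so delete the line instead of leaving two hints about where the image is pulled from. A one-line comment on the new `constants.CHAINGUARD_REPOSITORY: [` key stating why these three images are sourced from the Chainguard repository would help the next reader, since the diff itself gives no reason; the same applies to the removal of `"etcd"` from `K8S_REPOSITORY` in the earlier hunk. `_local_image`'s body starts and continues outside this hunk.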
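Review bot: `Image(name="etcd")` now takes `version=ETCD_VERSION` (`3.5.16`) instead of `ETCD_IMAGE_VERSION` (`3.5.16-0`), yet the hunk at line 76 keeps defining `ETCD_IMAGE_VERSION`; if nothing else in the buildchain references it after this change it is an orphaned constant and should go with this move, and if something does, a comment naming that consumer would stop the next reader from treating it as stale. The digest is what actually pins the image, so it must be the one published for `cgr.dev/scality.com/etcd:3.5.16`, which the diff cannot show; worth a line in the commit message saying how it was obtained. The `prometheus` entry in the next hunk drops its `v` prefix the same way and could carry the same note.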
@@ -274,8 +274,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
 ),
 Image(
 name="cert-manager-controller",
- version=_version_prefix(CERT_MANAGER_VERSION),
- digest="sha256:eee34b3de2dd63f7e5ac459fc2d407662d433fd267d574557b76ee3c7d4bc44f",
+ version=_version_prefix(CERT_MANAGER_VERSION, ""),
+ digest="sha256:284cbab7a2a83a182efe4fac7b8efa2fc1074d7f1170f11eebd4c9d462189067",
 ),
 Image(
 name="cert-manager-webhook",
diff --git a/charts/cert-manager.yaml b/charts/cert-manager.yaml
index 886a328e52..38e8206e94 100644
--- a/charts/cert-manager.yaml
+++ b/charts/cert-manager.yaml
@@ -4,6 +4,7 @@ acmesolver:
 image:
 repository: '__image__(cert-manager-controller)'
+ tag: '1.15.3'
 installCRDs: true
diff --git a/charts/kube-prometheus-stack.yaml b/charts/kube-prometheus-stack.yaml
index 1455aefcad..902ba9ed80 100644
--- a/charts/kube-prometheus-stack.yaml
+++ b/charts/kube-prometheus-stack.yaml
@@ -109,6 +109,7 @@ prometheus:
 image:
 registry: '__var__(repo.registry_endpoint)'
 repository: '__image_no_reg__(prometheus)'
+ tag: 2.55.0
 tolerations:
 - key: 'node-role.kubernetes.io/bootstrap'
diff --git a/salt/metalk8s/addons/cert-manager/deployed/chart.sls b/salt/metalk8s/addons/cert-manager/deployed/chart.sls
index 5065a8422d..35f0f4a690 100644
--- a/salt/metalk8s/addons/cert-manager/deployed/chart.sls
+++ b/salt/metalk8s/addons/cert-manager/deployed/chart.sls
@@ -9741,7 +9741,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- image: {% endraw -%}{{ build_image_name("cert-manager-controller", False) }}{%- raw %}:v1.15.3
+ image: {% endraw -%}{{ build_image_name("cert-manager-controller", False) }}{%- raw %}:1.15.3
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 8
diff --git a/salt/metalk8s/addons/prometheus-operator/deployed/chart.sls b/salt/metalk8s/addons/prometheus-operator/deployed/chart.sls
index 63aa2b48ba..6de37fb8d3 100644
--- a/salt/metalk8s/addons/prometheus-operator/deployed/chart.sls
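Review bot: `version=_version_prefix(CERT_MANAGER_VERSION, "")` calls the prefix helper with an empty prefix; if `_version_prefix` only prepends `prefix` to `version` (its body is outside the hunk, so this is inferred from the signature `prefix: str = "v"`), the expression is just `CERT_MANAGER_VERSION` and writing `version=CERT_MANAGER_VERSION,` states the intent more plainly than a no-op helper call. Either way a short comment on that line, `# cgr.dev tags carry no "v" prefix`, would explain the asymmetry with the `cert-manager-webhook` entry below, which presumably keeps the default prefix.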
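Review bot: `tag: '1.15.3'` hard-codes the cert-manager version in the chart values while `repository` is still resolved through the `__image__(cert-manager-controller)` macro; the same literal now lives in versions.py (`CERT_MANAGER_VERSION`), here, and in the rendered chart.sls, and the kube-prometheus-stack.yaml hunk does the same with `tag: 2.55.0`. If the buildchain's macro layer can substitute a version the way it substitutes the repository, use it so the next bump touches only versions.py; if it cannot, a comment on both `tag:` lines, `# keep in sync with buildchain/buildchain/versions.py`, is the minimum. The two hunks also disagree on quoting (`'1.15.3'` versus bare `2.55.0`); both parse as strings in YAML, but pick one form.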
+++ b/salt/metalk8s/addons/prometheus-operator/deployed/chart.sls
@@ -72118,7 +72118,7 @@ spec:
 enableAdminAPI: {% endraw -%}{{ prometheus.spec.config.enable_admin_api }}{%- raw %}
 externalUrl: http://prometheus-operator-prometheus.metalk8s-monitoring:9090
 hostNetwork: false
- image: {% endraw -%}{{ repo.registry_endpoint }}{%- raw %}/{% endraw -%}{{ build_image_name("prometheus", False, False) }}{%- raw %}:v2.55.0
+ image: {% endraw -%}{{ repo.registry_endpoint }}{%- raw %}/{% endraw -%}{{ build_image_name("prometheus", False, False) }}{%- raw %}:2.55.0
 listenLocal: false
 logFormat: logfmt
 logLevel: info
@@ -72182,7 +72182,7 @@ spec:
 operator: Exists
 tsdb:
 outOfOrderTimeWindow: 0s
- version: v2.55.0
+ version: 2.55.0
 walCompression: true
 ---
 apiVersion: monitoring.coreos.com/v1
diff --git a/scripts/backup.sh.in b/scripts/backup.sh.in
index 73fd7992db..4c0285be52 100755
--- a/scripts/backup.sh.in
+++ b/scripts/backup.sh.in
@@ -116,11 +116,11 @@ backup_cas() {
 backup_etcd() {
 local -r etcd_snapshot="etcd_snapshot_$(date -u +%Y%m%d_%H%M%S)"
 local -r cmd=(
- "ETCDCTL_API=3 etcdctl --endpoints https://127.0.0.1:2379"
- "--cert /etc/kubernetes/pki/etcd/salt-master-etcd-client.crt"
- "--key /etc/kubernetes/pki/etcd/salt-master-etcd-client.key"
- "--cacert /etc/kubernetes/pki/etcd/ca.crt"
- "snapshot save $etcd_snapshot"
+ "etcdctl" "--endpoints" "https://127.0.0.1:2379"
+ "--cert" "/etc/kubernetes/pki/etcd/salt-master-etcd-client.crt"
+ "--key" "/etc/kubernetes/pki/etcd/salt-master-etcd-client.key"
+ "--cacert" "/etc/kubernetes/pki/etcd/ca.crt"
+ "snapshot" "save" "$etcd_snapshot"
 )
 local etcd_container=''
 echo "Snapshot etcd"
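Review bot: The rewritten `cmd` array silently drops `ETCDCTL_API=3`; with the etcd 3.5.x image this branch pins, the v3 API is etcdctl's default, so behaviour is unchanged, but a comment above the array, `# etcdctl >= 3.4 defaults to the v3 API, so ETCDCTL_API=3 is no longer set`, records that the drop was deliberate rather than lost in the argv conversion. Splitting the tokens into separate array elements also means `$etcd_snapshot` and the cert paths are no longer re-split by a shell once the next hunk passes `"${cmd[@]}"` directly to `crictl exec`; stating in the commit message why the shell is no longer wanted (likely the new image ships no `/bin/sh`, which I am inferring) would help whoever next touches this script. `backup_etcd`'s body continues in the next hunk.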
@@ -129,7 +129,7 @@ backup_etcd() {
 --label io.kubernetes.container.name=etcd \
 --state Running)"
 echo "Running '${cmd[*]}' in etcd container $etcd_container"
- crictl exec -i "$etcd_container" sh -c "${cmd[*]}"
+ crictl exec -i "$etcd_container" "${cmd[@]}"
 local -r rootfs_v1="/run/containerd/io.containerd.runtime.v1.linux/k8s.io/${etcd_container}/rootfs"
 local -r rootfs_v2="/run/containerd/io.containerd.runtime.v2.task/k8s.io/${etcd_container}/rootfs"
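Review bot: `crictl exec -i "$etcd_container" "${cmd[@]}"` has no exit-status check; the lines that follow build the `rootfs_v1`/`rootfs_v2` paths used to retrieve the snapshot, so a failed `etcdctl snapshot save` (wrong cert path, endpoint down) would surface later as a missing file rather than at the command that failed. Unless the script runs under `set -e` (not visible in this hunk), guard it: `crictl exec -i "$etcd_container" "${cmd[@]}" || { echo "etcd snapshot failed" >&2; return 1; }`. The `-i` flag keeps stdin attached although nothing is piped in; if it was only there for the old `sh -c` form it can go too.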