chore: backport PR from kubefleet 10/17/2025 (#1211)

Author: Arvindthiru

.github/workflows/ci.yml

@@ -57,34 +57,6 @@ jobs:
           ## Comma-separated list of files to upload
           files: ./it-coverage.xml;./ut-coverage.xml
 
-  e2e-tests-v1alpha1:
-    runs-on: ubuntu-latest
-    needs: [
-      detect-noop,
-    ]
-    if: needs.detect-noop.outputs.noop != 'true'
-    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v5
-      
-      - name: Install Kind
-        # Before updating the kind version to use, verify that the current kind image
-        # is still supported by the version.
-        run: |
-          go install sigs.k8s.io/[email protected]
-
-      - name: Run e2e tests
-        run: |
-          OUTPUT_TYPE=type=docker make docker-build-member-agent docker-build-hub-agent docker-build-refresh-token e2e-tests-v1alpha1
-        env:
-          KUBECONFIG: '/home/runner/.kube/config'
-          HUB_SERVER_URL: 'https://172.19.0.2:6443'
-  
   e2e-tests:
     strategy:
       fail-fast: false
@@ -129,13 +101,13 @@ jobs:
 
       - name: Install Ginkgo CLI
         run: |
-          go install github.com/onsi/ginkgo/v2/ginkgo@v2.19.1
+          go install github.com/onsi/ginkgo/v2/ginkgo@v2.23.4
       
       - name: Install Kind
         # Before updating the kind version to use, verify that the current kind image
         # is still supported by the version.
         run: |
-          go install sigs.k8s.io/kind@v0.22.0
+          go install sigs.k8s.io/kind@v0.30.0
 
       - name: Run e2e tests
         run: |

.github/workflows/codeql-analysis.yml

@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,4 +69,4 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4

.github/workflows/trivy.yml

@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Login to ${{ env.REGISTRY }}
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

Makefile

@@ -1,5 +1,5 @@
 REGISTRY ?= ghcr.io
-KIND_IMAGE ?= kindest/node:v1.31.0
+KIND_IMAGE ?= kindest/node:v1.33.4
 ifndef TAG
 	TAG ?= $(shell git rev-parse --short=7 HEAD)
 endif
@@ -20,6 +20,30 @@ TARGET_ARCH ?= amd64
 # progress.
 BUILDKIT_PROGRESS_TYPE ?= auto
 
+TARGET_OS ?= linux
+TARGET_ARCH ?= amd64
+AUTO_DETECT_ARCH ?= TRUE
+
+# Auto-detect system architecture if it is allowed and the necessary commands are available on the system.
+ifeq ($(AUTO_DETECT_ARCH), TRUE)
+ARCH_CMD_INSTALLED := $(shell command -v arch 2>/dev/null)
+ifdef ARCH_CMD_INSTALLED
+TARGET_ARCH := $(shell arch)
+# The arch command may return arch strings that are aliases of expected TARGET_ARCH values;
+# do the mapping here.
+ifeq ($(TARGET_ARCH),$(filter $(TARGET_ARCH),x86_64))
+	TARGET_ARCH := amd64
+else ifeq ($(TARGET_ARCH),$(filter $(TARGET_ARCH),aarch64 arm))
+	TARGET_ARCH := arm64
+endif
+$(info Auto-detected system architecture: $(TARGET_ARCH))
+endif
+endif
+
+# Note (chenyu1): switch to the `plain` progress type to see the full outputs in the docker build
+# progress.
+BUILDKIT_PROGRESS_TYPE ?= auto
+
 KUBECONFIG ?= $(HOME)/.kube/config
 HUB_SERVER_URL ?= https://172.19.0.2:6443
 
@@ -311,6 +335,13 @@ push:
 # On some systems the emulation setup might not work at all (e.g., macOS on Apple Silicon -> Rosetta 2 will be used 
 # by Docker Desktop as the default emulation option for AMD64 on ARM64 container compatibility).
 .PHONY: docker-buildx-builder
+# Note (chenyu1): the step below sets up emulation for building/running non-native binaries on the host. The original
+# setup assumes that the Makefile is always run on an x86_64 platform, and adds support for non-x86_64 hosts. Here
+# we keep the original setup if the build target is x86_64 platforms (default) for compatibility reasons, but will switch to
+# a more general setup for non-x86_64 hosts.
+#
+# On some systems the emulation setup might not work at all (e.g., macOS on Apple Silicon -> Rosetta 2 will be used 
+# by Docker Desktop as the default emulation option for AMD64 on ARM64 container compatibility).
 docker-buildx-builder:
 	@if ! docker buildx ls | grep $(BUILDX_BUILDER_NAME); then \
 		if [ "$(TARGET_ARCH)" = "amd64" ] ; then \

apis/placement/v1beta1/clusterresourceplacement_types.go

@@ -539,6 +539,11 @@ type RolloutStrategy struct {
 	// DeleteStrategy configures the deletion behavior when the ClusterResourcePlacement is deleted.
 	// +kubebuilder:validation:Optional
 	DeleteStrategy *DeleteStrategy `json:"deleteStrategy,omitempty"`
+
+	// ReportBackStrategy describes how to report back the status of applied resources on the member cluster.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:XValidation:rule="(self == null) || (self.type == 'Mirror' ? size(self.destination) != 0 : true)",message="when reportBackStrategy.type is 'Mirror', a destination must be specified"
+	ReportBackStrategy *ReportBackStrategy `json:"reportBackStrategy,omitempty"`
 }
 
 // ApplyStrategy describes when and how to apply the selected resource to the target cluster.
@@ -1480,6 +1485,66 @@ const (
 	DeletePropagationPolicyDelete DeletePropagationPolicy = "Delete"
 )
 
+type ReportBackStrategyType string
+
+const (
+	// ReportBackStrategyTypeDisabled disables status back-reporting from the member clusters.
+	ReportBackStrategyTypeDisabled ReportBackStrategyType = "Disabled"
+
+	// ReportBackStrategyTypeMirror enables status back-reporting by
+	// copying the status fields verbatim to some destination on the hub cluster side.
+	ReportBackStrategyTypeMirror ReportBackStrategyType = "Mirror"
+)
+
+type ReportBackDestination string
+
+const (
+	// ReportBackDestinationOriginalResource implies the status fields will be copied verbatim to the
+	// the original resource on the hub cluster side. This is only performed when the placement object has a
+	// scheduling policy that selects exactly one member cluster (i.e., a pickFixed scheduling policy with
+	// exactly one cluster name, or a pickN scheduling policy with the numberOfClusters field set to 1).
+	ReportBackDestinationOriginalResource ReportBackDestination = "OriginalResource"
+
+	// ReportBackDestinationWorkAPI implies the status fields will be copied verbatim via the Work API
+	// on the hub cluster side. Users may look up the status of a specific resource applied to a specific
+	// member cluster by inspecting the corresponding Work object on the hub cluster side.
+	ReportBackDestinationWorkAPI ReportBackDestination = "WorkAPI"
+)
+
+// ReportBackStrategy describes how to report back the resource status from member clusters.
+type ReportBackStrategy struct {
+	// Type dictates the type of the report back strategy to use.
+	//
+	// Available options include:
+	//
+	// * Disabled: status back-reporting is disabled. This is the default behavior.
+	//
+	// * Mirror: status back-reporting is enabled by copying the status fields verbatim to
+	//   a destination on the hub cluster side; see the Destination field for more information.
+	//
+	// +kubebuilder:default=Disabled
+	// +kubebuilder:validation:Enum=Disabled;Mirror
+	// +kubebuilder:validation:Required
+	Type ReportBackStrategyType `json:"type"`
+
+	// Destination dictates where to copy the status fields to when the report back strategy type is Mirror.
+	//
+	// Available options include:
+	//
+	// * OriginalResource: the status fields will be copied verbatim to the original resource on the hub cluster side.
+	//   This is only performed when the placement object has a scheduling policy that selects exactly one member cluster
+	//   (i.e., a pickFixed scheduling policy with exactly one cluster name, or a pickN scheduling policy with the numberOfClusters
+	//   field set to 1).
+	//
+	// * WorkAPI: the status fields will be copied verbatim via the Work API on the hub cluster side. Users may look up
+	//   the status of a specific resource applied to a specific member cluster by inspecting the corresponding Work object
+	//   on the hub cluster side. This is the default behavior.
+	//
+	// +kubebuilder:validation:Enum=OriginalResource;WorkAPI
+	// +kubebuilder:validation:Optional
+	Destination *ReportBackDestination `json:"destination,omitempty"`
+}
+
 // ClusterResourcePlacementList contains a list of ClusterResourcePlacement.
 // +kubebuilder:resource:scope="Cluster"
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

apis/placement/v1beta1/commons.go

@@ -47,6 +47,12 @@ const (
 	ClusterStagedUpdateStrategyKind = "ClusterStagedUpdateStrategy"
 	// ClusterApprovalRequestKind is the kind of the ClusterApprovalRequest.
 	ClusterApprovalRequestKind = "ClusterApprovalRequest"
+	// StagedUpdateRunKind is the kind of the StagedUpdateRun.
+	StagedUpdateRunKind = "StagedUpdateRun"
+	// StagedUpdateStrategyKind is the kind of the StagedUpdateStrategy.
+	StagedUpdateStrategyKind = "StagedUpdateStrategy"
+	// ApprovalRequestKind is the kind of the ApprovalRequest.
+	ApprovalRequestKind = "ApprovalRequest"
 	// ClusterResourcePlacementEvictionKind is the kind of the ClusterResourcePlacementEviction.
 	ClusterResourcePlacementEvictionKind = "ClusterResourcePlacementEviction"
 	// ClusterResourcePlacementDisruptionBudgetKind is the kind of the ClusterResourcePlacementDisruptionBudget.
@@ -145,9 +151,9 @@ const (
 	// This is used to remember if an "unscheduled" binding was moved from a "bound" state or a "scheduled" state.
 	PreviousBindingStateAnnotation = FleetPrefix + "previous-binding-state"
 
-	// ClusterStagedUpdateRunFinalizer is used by the ClusterStagedUpdateRun controller to make sure that the ClusterStagedUpdateRun
+	// UpdateRunFinalizer is used by the UpdateRun controller to make sure that the UpdateRun
 	// object is not deleted until all its dependent resources are deleted.
-	ClusterStagedUpdateRunFinalizer = FleetPrefix + "stagedupdaterun-finalizer"
+	UpdateRunFinalizer = FleetPrefix + "stagedupdaterun-finalizer"
 
 	// TargetUpdateRunLabel indicates the target update run on a staged run related object.
 	TargetUpdateRunLabel = FleetPrefix + "targetupdaterun"