rke2: refactor update-script and update rke2 channel versions (#344692)

crumohr · web-flow · commit 8ffe4bbf5e2b · 2024-10-08T18:40:22.000+02:00
diff --git a/pkgs/applications/networking/cluster/rke2/README.md b/pkgs/applications/networking/cluster/rke2/README.md
@@ -1,15 +1,19 @@
 # RKE2 Version
 
-RKE2, Kubernetes, and other clustered software has the property of not being able to update atomically. Most software in nixpkgs, like for example bash, can be updated as part of a `nixos-rebuild switch` without having to worry about the old and the new bash interacting in some way.
+RKE2, Kubernetes, and other clustered software has the property of not being able to update atomically.
+Most software in nixpkgs, like for example bash, can be updated as part of a `nixos-rebuild switch`
+without having to worry about the old and the new bash interacting in some way.
 
 > [!NOTE]
 > Upgrade the server nodes first, one at a time. Once all servers have been upgraded, you may then upgrade agent nodes.
 
 ## Release Channels
 
-RKE2 has there own release channels, which are: `stable`, `latest` and `testing`.
+RKE2 has three main release channels, which are: `stable`, `latest` and `testing`.
 
-The `stable` channel is the default channel and is recommended for production use. The `latest` channel is the latest stable release. The `testing` channel is the latest release, including pre-releases.
+The `stable` channel is the default channel and is recommended for production use.
+The `latest` channel is the latest release.
+The `testing` channel is the latest release, including pre-releases.
 
 | Channel   | Description                                                                                                                                                                                    |
 | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -19,7 +23,12 @@ The `stable` channel is the default channel and is recommended for production us
 
 Learn more about the [RKE2 release channels](https://docs.rke2.io/upgrade/manual_upgrade).
 
-For an exhaustive and up-to-date list of channels, you can visit the [rke2 channel service API](https://update.rke2.io/v1-release/channels). For more technical details on how channels work, you can see the [channelserver project](https://github.com/rancher/channelserver).
+For an exhaustive and up-to-date list of channels, you can visit the
+[rke2 channel service API](https://update.rke2.io/v1-release/channels).
+For more technical details on how channels work, you can see the [channelserver project](https://github.com/rancher/channelserver).
 
 > [!TIP]
-> When attempting to upgrade to a new version of RKE2, the [Kubernetes version skew policy](https://kubernetes.io/docs/setup/release/version-skew-policy) applies. Ensure that your plan does not skip intermediate minor versions when upgrading. Nothing in the upgrade process will protect against unsupported changes to the Kubernetes version.
+> When attempting to upgrade to a new version of RKE2,
+> the [Kubernetes version skew policy](https://kubernetes.io/docs/setup/release/version-skew-policy) applies.
+> Ensure that your plan **does not skip intermediate minor versions** when upgrading. Nothing in the upgrade process will
+> protect you against unsupported changes to the Kubernetes version.
diff --git a/pkgs/applications/networking/cluster/rke2/builder.nix b/pkgs/applications/networking/cluster/rke2/builder.nix
@@ -1,8 +1,8 @@
-lib: { rke2Version, rke2RepoSha256, rke2VendorHash, updateScript
+lib: { rke2Version, rke2Commit, rke2TarballHash, rke2VendorHash, updateScript
+, k8sImageTag, etcdVersion, pauseVersion, ccmVersion, dockerizedVersion, ... }:
 
-, rke2Commit, k8sImageTag, etcdVersion, pauseVersion, ccmVersion, dockerizedVersion, ... }:
-
-{ lib, stdenv, buildGoModule, go, fetchgit, makeWrapper
+# Build dependencies
+{ lib, stdenv, buildGoModule, go, makeWrapper, fetchzip
 
 # Runtime dependencies
 , procps, coreutils, util-linux, ethtool, socat, iptables, bridge-utils, iproute2, kmod, lvm2
@@ -18,10 +18,9 @@ buildGoModule rec {
   pname = "rke2";
   version = rke2Version;
 
-  src = fetchgit {
-    url = "https://github.com/rancher/rke2.git";
-    rev = "v${version}";
-    sha256 = rke2RepoSha256;
+  src = fetchzip {
+    url = "https://github.com/rancher/rke2/archive/refs/tags/v${rke2Version}.tar.gz";
+    hash = "${rke2TarballHash}";
   };
 
   vendorHash = rke2VendorHash;
@@ -52,7 +51,7 @@ buildGoModule rec {
     "-X github.com/k3s-io/k3s/pkg/version.Version=v${version}"
     "-X github.com/k3s-io/k3s/pkg/version.UpstreamGolang=go${go.version}"
     "-X github.com/rancher/rke2/pkg/images.DefaultRegistry=docker.io"
-    "-X github.com/rancher/rke2/pkg/images.DefaultEtcdImage=rancher/hardened-etcd:${etcdVersion}-build20240418"
+    "-X github.com/rancher/rke2/pkg/images.DefaultEtcdImage=rancher/hardened-etcd:${etcdVersion}"
     "-X github.com/rancher/rke2/pkg/images.DefaultKubernetesImage=rancher/hardened-kubernetes:${k8sImageTag}"
     "-X github.com/rancher/rke2/pkg/images.DefaultPauseImage=rancher/mirrored-pause:${pauseVersion}"
     "-X github.com/rancher/rke2/pkg/images.DefaultRuntimeImage=rancher/rke2-runtime:${dockerizedVersion}"
diff --git a/pkgs/applications/networking/cluster/rke2/latest/versions.nix b/pkgs/applications/networking/cluster/rke2/latest/versions.nix
@@ -1,14 +1,14 @@
 {
-  rke2Version = "1.31.0+rke2r1";
-  rke2RepoSha256 = "1xf7yhpfwiydhl31dd8wc2bhq0j470ad8vazjzzsl76skcy07rbc";
-  rke2Commit = "4bf1156f41631dc0e81d66a6834a53d14b48aaef";
-  rke2VendorHash = "sha256-/ALzC2fYYI+DbF+2TSNBiMy57T8wfXGPpdyKtbqdrtE=";
-  k8sVersion = "v1.31.0";
-  k8sImageTag = "v1.31.0-rke2r1-build20240815";
-  etcdVersion = "v3.5.13-k3s1";
+  rke2Version = "1.31.1+rke2r1";
+  rke2Commit = "909d20d6a28cd7656b7177190f06f69f57927613";
+  rke2TarballHash = "sha256-9ZryOX6QMNpjDtsOXLOVNPjCc6AMAa+XDLOn1EpyCcg=";
+  rke2VendorHash = "sha256-7nWbWi4oJTOWZ5iZr9ptECDJJakPg4qZ7hW+tU7LBsI=";
+  k8sVersion = "v1.31.1";
+  k8sImageTag = "v1.31.1-rke2r1-build20240912";
+  etcdVersion = "v3.5.13-k3s1-build20240910";
   pauseVersion = "3.6";
-  ccmVersion = "v1.29.3-build20240515";
-  dockerizedVersion = "v1.31.0-dev.";
-  golangVersion = "go1.22.5";
+  ccmVersion = "v1.31.0-build20240910";
+  dockerizedVersion = "v1.31.1-rke2r1";
+  golangVersion = "go1.22.6";
   eol = "2025-10-28";
 }
diff --git a/pkgs/applications/networking/cluster/rke2/stable/versions.nix b/pkgs/applications/networking/cluster/rke2/stable/versions.nix
@@ -1,14 +1,14 @@
 {
-  rke2Version = "1.30.4+rke2r1";
-  rke2RepoSha256 = "1daxs8gxy775qn1yrf7zh77cyaj3nn3qlwj0vjqfpbv1gpkimfyi";
-  rke2Commit = "9517eea519b780e154dd791c555c698e84a0e5cd";
-  rke2VendorHash = "sha256-Q+Wt4Hyp6VyxfCXNsRQMyAo0QCGWhnY9tcV/NQrrSEY=";
-  k8sVersion = "v1.30.4";
-  k8sImageTag = "v1.30.4-rke2r1-build20240815";
-  etcdVersion = "v3.5.13-k3s1";
+  rke2Version = "1.30.5+rke2r1";
+  rke2Commit = "0c83bc82315cd61664880d0b52a7e070e9fbd623";
+  rke2TarballHash = "sha256-K5e7TNlL97PQ13IYnr4PSrXb4XaGJT9bPq55iWL0m1g=";
+  rke2VendorHash = "sha256-QIcVyWnedKNF10OqJ2WmZqZeKA+8hvwDQ4Pl+WUOEJY=";
+  k8sVersion = "v1.30.5";
+  k8sImageTag = "v1.30.5-rke2r1-build20240912";
+  etcdVersion = "v3.5.13-k3s1-build20240910";
   pauseVersion = "3.6";
-  ccmVersion = "v1.29.3-build20240515";
-  dockerizedVersion = "v1.30.4-dev.877838a0-dirty";
-  golangVersion = "go1.22.5";
+  ccmVersion = "v1.30.4-build20240910";
+  dockerizedVersion = "v1.30.5-rke2r1";
+  golangVersion = "go1.22.6";
   eol = "2025-06-28";
 }
diff --git a/pkgs/applications/networking/cluster/rke2/testing/versions.nix b/pkgs/applications/networking/cluster/rke2/testing/versions.nix
@@ -1,14 +1,14 @@
 {
   rke2Version = "1.31.1-rc3+rke2r1";
-  rke2RepoSha256 = "1j09f95d99xk1jbsy08cl1rw5y1ljnrmq3nv1rixlc4hgqwz56pm";
   rke2Commit = "909d20d6a28cd7656b7177190f06f69f57927613";
+  rke2TarballHash = "sha256-9ZryOX6QMNpjDtsOXLOVNPjCc6AMAa+XDLOn1EpyCcg=";
   rke2VendorHash = "sha256-7nWbWi4oJTOWZ5iZr9ptECDJJakPg4qZ7hW+tU7LBsI=";
   k8sVersion = "v1.31.1";
   k8sImageTag = "v1.31.1-rke2r1-build20240912";
-  etcdVersion = "v3.5.13-k3s1";
+  etcdVersion = "v3.5.13-k3s1-build20240910";
   pauseVersion = "3.6";
   ccmVersion = "v1.31.0-build20240910";
-  dockerizedVersion = "v1.31.1-dev.";
+  dockerizedVersion = "v1.31.1-rc3-rke2r1";
   golangVersion = "go1.22.6";
   eol = "2025-10-28";
 }
diff --git a/pkgs/applications/networking/cluster/rke2/update-script.sh b/pkgs/applications/networking/cluster/rke2/update-script.sh
@@ -1,49 +1,46 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p curl git gnugrep gnused yq-go nix-prefetch
+#!nix-shell -i bash -p curl git gnugrep gnused yq-go nix-prefetch go
 
+SHELL_FLAGS=$(set +o)
 set -x -eu -o pipefail
 
 CHANNEL_NAME="${1:?Must provide a release channel, like 'stable', as the only argument}"
 
 WORKDIR=$(cd $(dirname ${BASH_SOURCE[0]}) && pwd -P)
-
 mkdir --parents --verbose "${WORKDIR}/${CHANNEL_NAME}"
 
-LATEST_TAG_NAME=$(curl --silent --fail https://update.rke2.io/v1-release/channels | \
-    yq eval ".data[] | select(.id == \"${CHANNEL_NAME}\").latest" - | \
-    sort -rV | grep --extended-regexp "^v[0-9]+\.[0-9]+\.[0-9]+" | head -n1)
+LATEST_TAG_NAME=$(curl -sS --fail https://update.rke2.io/v1-release/channels | \
+    yq ".data[] | select(.id == \"${CHANNEL_NAME}\") | .latest")
 
 RKE2_VERSION=$(echo ${LATEST_TAG_NAME} | sed 's/^v//')
+RKE2_COMMIT=$(curl -sS --fail "https://api.github.com/repos/rancher/rke2/git/refs/tags/${LATEST_TAG_NAME}" | yq '.object.sha')
 
-RKE2_REPO_SHA256=$(nix-prefetch-url --quiet --unpack \
-        https://github.com/rancher/rke2/archive/refs/tags/${LATEST_TAG_NAME}.tar.gz)
-
-RKE2_COMMIT=$(curl --silent --fail ${GITHUB_TOKEN:+-u ":${GITHUB_TOKEN}"} \
-        https://api.github.com/repos/rancher/rke2/git/refs/tags | \
-    yq eval ".[] | select(.ref == \"refs/tags/${LATEST_TAG_NAME}\").object.sha" -)
+PREFETCH_META=$(nix-prefetch-url --unpack --print-path "https://github.com/rancher/rke2/archive/refs/tags/${LATEST_TAG_NAME}.tar.gz")
+STORE_HASH="$(nix --extra-experimental-features nix-command hash to-sri --type sha256 ${PREFETCH_META%%$'\n'*})"
+STORE_PATH="${PREFETCH_META##*$'\n'}"
 
-VERSIONS_SCRIPT=$(mktemp --suffix ".${RKE2_COMMIT:0:6}.sh")
-trap "rm --force ${VERSIONS_SCRIPT}" EXIT
+cd ${STORE_PATH}
+GITHUB_ACTION_TAG=${LATEST_TAG_NAME}
+DRONE_COMMIT=${RKE2_COMMIT}
 
-curl --silent --fail --output ${VERSIONS_SCRIPT} \
-        https://raw.githubusercontent.com/rancher/rke2/${RKE2_COMMIT}/scripts/version.sh
+set +u
+source scripts/version.sh
+set -u
 
-set +eu
-DRONE_TAG=${LATEST_TAG_NAME} source ${VERSIONS_SCRIPT}
-set -eu
+ETCD_BUILD=$(grep "images.DefaultEtcdImage" scripts/build-binary | sed 's/.*-\(build[0-9]*\)$/\1/')
+ETCD_VERSION="${ETCD_VERSION}-${ETCD_BUILD}"
+cd ${WORKDIR}
 
 KUBERNETES_CYCLES=$(echo ${KUBERNETES_VERSION} | grep -Eo "[0-9]+\.[0-9]+")
-KUBERNETES_EOL=$(curl --silent --fail \
-        https://endoflife.date/api/kubernetes/${KUBERNETES_CYCLES}.json | \
-    yq eval ".eol" -)
+KUBERNETES_EOL=$(curl -sS --fail https://endoflife.date/api/kubernetes/${KUBERNETES_CYCLES}.json | yq ".eol")
 
 FAKE_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
 
 cat << EOF > "${WORKDIR}/${CHANNEL_NAME}/versions.nix"
 {
   rke2Version = "${RKE2_VERSION}";
-  rke2RepoSha256 = "${RKE2_REPO_SHA256}";
   rke2Commit = "${RKE2_COMMIT}";
+  rke2TarballHash = "${STORE_HASH}";
   rke2VendorHash = "${FAKE_HASH}";
   k8sVersion = "${KUBERNETES_VERSION}";
   k8sImageTag = "${KUBERNETES_IMAGE_TAG}";
@@ -70,6 +67,7 @@ fi
 
 # Implement commit
 # See: https://nixos.org/manual/nixpkgs/stable/#var-passthru-updateScript-commit
+set +u
 cat << EOF
 [
   {
@@ -82,3 +80,6 @@ cat << EOF
   }
 ]
 EOF
+
+set +x
+eval "$SHELL_FLAGS"
