rke2: switch to minor release versions (#379844)

Author: zimbatm

pkgs/applications/networking/cluster/rke2/1_29/versions.nix

@@ -0,0 +1,11 @@
+{
+  rke2Version = "1.29.13+rke2r1";
+  rke2Commit = "00803ef95072be9d13b6e52a56fa9b6d9e7b0a51";
+  rke2TarballHash = "sha256-1OphaTrEU2MvV0kdEyxomRGgbl/YSVikcYtLuL3QnBI=";
+  rke2VendorHash = "sha256-6XczvyQMqYqHHu+cSsmXsi7zMG128ZwiAHr482qQqpI=";
+  k8sImageTag = "v1.29.13-rke2r1-build20250117";
+  etcdVersion = "v3.5.16-k3s1-build20241106";
+  pauseVersion = "3.6";
+  ccmVersion = "v1.29.10-0.20241016053521-9510ac25fefb-build20241016";
+  dockerizedVersion = "v1.29.13-rke2r1";
+}

pkgs/applications/networking/cluster/rke2/1_30/versions.nix

@@ -0,0 +1,11 @@
+{
+  rke2Version = "1.30.9+rke2r1";
+  rke2Commit = "bfd23524f32a4d9fa6f19ab58a2d47572e56f813";
+  rke2TarballHash = "sha256-/WVKmK9ZackY9ULST0zFi/RRwA4ZR3u1DXULWTc6G3o=";
+  rke2VendorHash = "sha256-kghiYswm3s7bILGp8t452jx84MY73EF9OTaWdncFr34=";
+  k8sImageTag = "v1.30.9-rke2r1-build20250116";
+  etcdVersion = "v3.5.16-k3s1-build20241106";
+  pauseVersion = "3.6";
+  ccmVersion = "v1.30.6-0.20241016053533-5ec454f50e7a-build20241016";
+  dockerizedVersion = "v1.30.9-rke2r1";
+}

pkgs/applications/networking/cluster/rke2/stable/versions.nix renamed to pkgs/applications/networking/cluster/rke2/1_31/versions.nix

@@ -3,12 +3,9 @@
   rke2Commit = "08e198bbe3f0b8d4c9b0af4d92085c06bb94aa89";
   rke2TarballHash = "sha256-GG1GOs/kLWDCvc/+l0ymRpJzEthIyGpampCjvfnEPB8=";
   rke2VendorHash = "sha256-xWqMidOWiLgJXp6AEITkyOieLw4yi1JMmi80YS4RNy0=";
-  k8sVersion = "v1.31.5";
   k8sImageTag = "v1.31.5-rke2r1-build20250115";
   etcdVersion = "v3.5.16-k3s1-build20241106";
   pauseVersion = "3.6";
   ccmVersion = "v1.31.2-0.20241016053446-0955fa330f90-build20241016";
   dockerizedVersion = "v1.31.5-rke2r1";
-  golangVersion = "go1.22.10";
-  eol = "2025-10-28";
 }

pkgs/applications/networking/cluster/rke2/latest/versions.nix renamed to pkgs/applications/networking/cluster/rke2/1_32/versions.nix

@@ -3,12 +3,9 @@
   rke2Commit = "c0f7be4407cf2c437cacfe735e5c943e827f2ff8";
   rke2TarballHash = "sha256-clZpTnMnj2PRDDYz7+r11RlyX2ExwsE1Tmdt3/kUmtE=";
   rke2VendorHash = "sha256-aIB2fRkccx5fXMnFxZ+tirXp5gg8o/h/a6Lgc+EG4L4=";
-  k8sVersion = "v1.32.1";
   k8sImageTag = "v1.32.1-rke2r1-build20250115";
   etcdVersion = "v3.5.16-k3s1-build20241106";
   pauseVersion = "3.6";
   ccmVersion = "v1.32.0-rc3.0.20241220224140-68fbd1a6b543-build20250101";
   dockerizedVersion = "v1.32.1-rke2r1";
-  golangVersion = "go1.23.4";
-  eol = "2026-02-28";
 }

pkgs/applications/networking/cluster/rke2/README.md

@@ -1,34 +1,42 @@
 # RKE2 Version
 
-RKE2, Kubernetes, and other clustered software has the property of not being able to update atomically.
-Most software in nixpkgs, like for example bash, can be updated as part of a `nixos-rebuild switch`
-without having to worry about the old and the new bash interacting in some way.
+RKE2, Kubernetes, and other clustered software has the property of not being able to update
+atomically. Most software in nixpkgs, like for example bash, can be updated as part of a
+`nixos-rebuild switch` without having to worry about the old and the new bash interacting in some
+way. RKE2/Kubernetes, on the other hand, is typically run across several machines, and each machine
+is updated independently. As such, different versions of the package and NixOS module must maintain
+compatibility with each other through temporary version skew during updates. The upstream Kubernetes
+project documents this in their
+[version-skew policy](https://kubernetes.io/releases/version-skew-policy/#supported-component-upgrade-order).
+
+Within nixpkgs, we strive to maintain a valid "upgrade path" that does not run afoul of the upstream
+version skew policy.
 
 > [!NOTE]
-> Upgrade the server nodes first, one at a time. Once all servers have been upgraded, you may then upgrade agent nodes.
+> Upgrade the server nodes first, one at a time. Once all servers have been upgraded, you may then
+> upgrade agent nodes.
 
 ## Release Channels
 
-RKE2 has three main release channels, which are: `stable`, `latest` and `testing`.
+RKE2 has two named release channels, i.e. `stable` and `latest`. Additionally, there exists a
+release channel tied to each Kubernetes minor version, e.g. `v1.32`.
 
-The `stable` channel is the default channel and is recommended for production use.
-The `latest` channel is the latest release.
-The `testing` channel is the latest release, including pre-releases.
+Nixpkgs follows active minor version release channels (typically 4 at a time) and sets aliases for
+`rke2_stable` and `rke2_latest` accordingly.
 
-| Channel   | Description                                                                                                                                                                                    |
-| --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `stable`  | **(Default)** Stable is recommended for production environments. These releases have been through a period of community hardening, and are compatible with the most recent release of Rancher. |
-| `latest`  | Latest is recommended for trying out the latest features. These releases have not yet been through a period of community hardening, and may not be compatible with Rancher.                    |
-| `testing` | The most recent release, including pre-releases.                                                                                                                                               |
+Patch releases should be backported to to the latest stable release branch, however, new minor
+versions are not backported.
 
-Learn more about the [RKE2 release channels](https://docs.rke2.io/upgrade/manual_upgrade).
+For further information visit the
+[RKE2 release channels documentation](https://docs.rke2.io/upgrades/manual_upgrade?_highlight=manua#release-channels).
 
-For an exhaustive and up-to-date list of channels, you can visit the
-[rke2 channel service API](https://update.rke2.io/v1-release/channels).
-For more technical details on how channels work, you can see the [channelserver project](https://github.com/rancher/channelserver).
+## EOL Versions
 
-> [!TIP]
-> When attempting to upgrade to a new version of RKE2,
-> the [Kubernetes version skew policy](https://kubernetes.io/docs/setup/release/version-skew-policy) applies.
-> Ensure that your plan **does not skip intermediate minor versions** when upgrading. Nothing in the upgrade process will
-> protect you against unsupported changes to the Kubernetes version.
+Approximately every 4 months a minor RKE2 version reaches EOL. EOL versions should be removed from
+`nixpkgs-unstable`, preferably by throwing with an explanatory message in
+`pkgs/top-level/aliases.nix`. With stable releases, however, it isn't expected that packages will be
+removed. Instead we set `meta.knownVulnerabilities` for stable EOL packages, like it is also done
+for EOL JDKs, browser engines, Node.js versions, etc.
+
+For further information on the RKE2 lifecycle, see the
+[SUSE Product Support Lifecycle page](https://www.suse.com/lifecycle#rke2).

pkgs/applications/networking/cluster/rke2/builder.nix

@@ -10,7 +10,6 @@ lib:
   pauseVersion,
   ccmVersion,
   dockerizedVersion,
-  ...
 }:
 
 # Build dependencies
@@ -42,107 +41,108 @@ lib:
   # Testing dependencies
   nixosTests,
   testers,
-  rke2,
 }:
+let
+  rke2 = buildGoModule rec {
+    pname = "rke2";
+    version = rke2Version;
+
+    src = fetchzip {
+      url = "https://github.com/rancher/rke2/archive/refs/tags/v${rke2Version}.tar.gz";
+      hash = "${rke2TarballHash}";
+    };
 
-buildGoModule rec {
-  pname = "rke2";
-  version = rke2Version;
+    vendorHash = rke2VendorHash;
+
+    nativeBuildInputs = [ makeWrapper ];
+
+    # Important utilities used by the kubelet.
+    # See: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
+    # Notice the list in that issue is stale, but as a redundancy reservation.
+    buildInputs = [
+      procps # pidof pkill
+      coreutils # uname touch env nice du
+      util-linux # lsblk fsck mkfs nsenter mount umount
+      ethtool # ethtool
+      socat # socat
+      iptables # iptables iptables-restore iptables-save
+      bridge-utils # brctl
+      iproute2 # ip tc
+      kmod # modprobe
+      lvm2 # dmsetup
+    ];
 
-  src = fetchzip {
-    url = "https://github.com/rancher/rke2/archive/refs/tags/v${rke2Version}.tar.gz";
-    hash = "${rke2TarballHash}";
-  };
+    # See: https://github.com/rancher/rke2/blob/e7f87c6dd56fdd76a7dab58900aeea8946b2c008/scripts/build-binary#L27-L38
+    ldflags = [
+      "-w"
+      "-X github.com/k3s-io/k3s/pkg/version.GitCommit=${lib.substring 0 6 rke2Commit}"
+      "-X github.com/k3s-io/k3s/pkg/version.Program=${pname}"
+      "-X github.com/k3s-io/k3s/pkg/version.Version=v${version}"
+      "-X github.com/k3s-io/k3s/pkg/version.UpstreamGolang=go${go.version}"
+      "-X github.com/rancher/rke2/pkg/images.DefaultRegistry=docker.io"
+      "-X github.com/rancher/rke2/pkg/images.DefaultEtcdImage=rancher/hardened-etcd:${etcdVersion}"
+      "-X github.com/rancher/rke2/pkg/images.DefaultKubernetesImage=rancher/hardened-kubernetes:${k8sImageTag}"
+      "-X github.com/rancher/rke2/pkg/images.DefaultPauseImage=rancher/mirrored-pause:${pauseVersion}"
+      "-X github.com/rancher/rke2/pkg/images.DefaultRuntimeImage=rancher/rke2-runtime:${dockerizedVersion}"
+      "-X github.com/rancher/rke2/pkg/images.DefaultCloudControllerManagerImage=rancher/rke2-cloud-provider:${ccmVersion}"
+    ];
 
-  vendorHash = rke2VendorHash;
-
-  nativeBuildInputs = [ makeWrapper ];
-
-  # Important utilities used by the kubelet.
-  # See: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
-  # Notice the list in that issue is stale, but as a redundancy reservation.
-  buildInputs = [
-    procps # pidof pkill
-    coreutils # uname touch env nice du
-    util-linux # lsblk fsck mkfs nsenter mount umount
-    ethtool # ethtool
-    socat # socat
-    iptables # iptables iptables-restore iptables-save
-    bridge-utils # brctl
-    iproute2 # ip tc
-    kmod # modprobe
-    lvm2 # dmsetup
-  ];
-
-  # See: https://github.com/rancher/rke2/blob/e7f87c6dd56fdd76a7dab58900aeea8946b2c008/scripts/build-binary#L27-L38
-  ldflags = [
-    "-w"
-    "-X github.com/k3s-io/k3s/pkg/version.GitCommit=${lib.substring 0 6 rke2Commit}"
-    "-X github.com/k3s-io/k3s/pkg/version.Program=${pname}"
-    "-X github.com/k3s-io/k3s/pkg/version.Version=v${version}"
-    "-X github.com/k3s-io/k3s/pkg/version.UpstreamGolang=go${go.version}"
-    "-X github.com/rancher/rke2/pkg/images.DefaultRegistry=docker.io"
-    "-X github.com/rancher/rke2/pkg/images.DefaultEtcdImage=rancher/hardened-etcd:${etcdVersion}"
-    "-X github.com/rancher/rke2/pkg/images.DefaultKubernetesImage=rancher/hardened-kubernetes:${k8sImageTag}"
-    "-X github.com/rancher/rke2/pkg/images.DefaultPauseImage=rancher/mirrored-pause:${pauseVersion}"
-    "-X github.com/rancher/rke2/pkg/images.DefaultRuntimeImage=rancher/rke2-runtime:${dockerizedVersion}"
-    "-X github.com/rancher/rke2/pkg/images.DefaultCloudControllerManagerImage=rancher/rke2-cloud-provider:${ccmVersion}"
-  ];
-
-  tags = [
-    "no_cri_dockerd"
-    "no_embedded_executor"
-    "no_stage"
-    "sqlite_omit_load_extension"
-    "selinux"
-    "netgo"
-    "osusergo"
-  ];
-
-  subPackages = [ "." ];
-
-  installPhase = ''
-    install -D $GOPATH/bin/rke2 $out/bin/rke2
-    wrapProgram $out/bin/rke2 \
-      --prefix PATH : ${lib.makeBinPath buildInputs}
-
-    install -D ./bundle/bin/rke2-killall.sh $out/bin/rke2-killall.sh
-    wrapProgram $out/bin/rke2-killall.sh \
-      --prefix PATH : ${
-        lib.makeBinPath [
-          systemd
-          gnugrep
-          gnused
-        ]
-      } \
-      --prefix PATH : ${lib.makeBinPath buildInputs}
-  '';
-
-  doCheck = false;
-
-  passthru.updateScript = updateScript;
-
-  passthru.tests =
-    {
-      version = testers.testVersion {
-        package = rke2;
-        version = "v${version}";
+    tags = [
+      "no_cri_dockerd"
+      "no_embedded_executor"
+      "no_stage"
+      "sqlite_omit_load_extension"
+      "selinux"
+      "netgo"
+      "osusergo"
+    ];
+
+    subPackages = [ "." ];
+
+    installPhase = ''
+      install -D $GOPATH/bin/rke2 $out/bin/rke2
+      wrapProgram $out/bin/rke2 \
+        --prefix PATH : ${lib.makeBinPath buildInputs}
+
+      install -D ./bundle/bin/rke2-killall.sh $out/bin/rke2-killall.sh
+      wrapProgram $out/bin/rke2-killall.sh \
+        --prefix PATH : ${
+          lib.makeBinPath [
+            systemd
+            gnugrep
+            gnused
+          ]
+        } \
+        --prefix PATH : ${lib.makeBinPath buildInputs}
+    '';
+
+    doCheck = false;
+
+    passthru.updateScript = updateScript;
+
+    passthru.tests =
+      {
+        version = testers.testVersion {
+          package = rke2;
+          version = "v${version}";
+        };
+      }
+      // lib.optionalAttrs stdenv.hostPlatform.isLinux {
+        inherit (nixosTests) rke2;
       };
-    }
-    // lib.optionalAttrs stdenv.hostPlatform.isLinux {
-      inherit (nixosTests) rke2;
-    };
 
-  meta = with lib; {
-    homepage = "https://github.com/rancher/rke2";
-    description = "RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution";
-    changelog = "https://github.com/rancher/rke2/releases/tag/v${version}";
-    license = licenses.asl20;
-    maintainers = with maintainers; [
-      zimbatm
-      zygot
-    ];
-    mainProgram = "rke2";
-    platforms = platforms.linux;
+    meta = with lib; {
+      homepage = "https://github.com/rancher/rke2";
+      description = "RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution";
+      changelog = "https://github.com/rancher/rke2/releases/tag/v${version}";
+      license = licenses.asl20;
+      maintainers = with maintainers; [
+        zimbatm
+        zygot
+      ];
+      mainProgram = "rke2";
+      platforms = platforms.linux;
+    };
   };
-}
+in
+rke2

pkgs/applications/networking/cluster/rke2/default.nix

@@ -4,34 +4,48 @@ let
   common = opts: callPackage (import ./builder.nix lib opts);
   extraArgs = builtins.removeAttrs args [ "callPackage" ];
 in
-{
-  rke2_stable = common (
-    (import ./stable/versions.nix)
+rec {
+  rke2_1_29 = common (
+    (import ./1_29/versions.nix)
     // {
       updateScript = [
         ./update-script.sh
-        "stable"
+        "29"
       ];
     }
   ) extraArgs;
 
-  rke2_latest = common (
-    (import ./latest/versions.nix)
+  rke2_1_30 = common (
+    (import ./1_30/versions.nix)
     // {
       updateScript = [
         ./update-script.sh
-        "latest"
+        "30"
       ];
     }
   ) extraArgs;
 
-  rke2_testing = common (
-    (import ./testing/versions.nix)
+  rke2_1_31 = common (
+    (import ./1_31/versions.nix)
     // {
       updateScript = [
         ./update-script.sh
-        "testing"
+        "31"
       ];
     }
   ) extraArgs;
+
+  rke2_1_32 = common (
+    (import ./1_32/versions.nix)
+    // {
+      updateScript = [
+        ./update-script.sh
+        "32"
+      ];
+    }
+  ) extraArgs;
+
+  # Automatically set by update script
+  rke2_stable = rke2_1_31;
+  rke2_latest = rke2_1_32;
 }