Merge branch 'main' into auth-config

Author: joshfrench

.devcontainer/devcontainer.json

@@ -0,0 +1,29 @@
+{
+  "name": "CAPA Devcontainer + Devbox + VSCode",
+  "image": "mcr.microsoft.com/devcontainers/base",
+  "features": {
+    "ghcr.io/dlouwers/devcontainer-features/devbox:1": {},
+    "ghcr.io/devcontainers/features/docker-in-docker:2.12.0": {},
+    "ghcr.io/devcontainers/features/kubectl-helm-minikube:1.2.0": {
+      "version": "latest",
+      "helm": "none",
+      "minikube": "none"
+    }
+  },
+  "postCreateCommand": "devbox install",
+  "customizations": {
+    "vscode": {
+      "settings": {},
+      "extensions": [
+        "jetpack-io.devbox",
+        "foxundermoon.shell-format",
+        "golang.go",
+        "ethan-reesor.vscode-go-test-adapter",
+        "ms-kubernetes-tools.vscode-kubernetes-tools",
+        "ms-kubernetes-tools.kubernetes-ide",
+        "ms-azuretools.vscode-dockerr", 
+        "redhat.vscode-yaml"
+      ]
+    }
+  }
+}

.github/PULL_REQUEST_TEMPLATE.md

@@ -28,11 +28,14 @@ Fixes #
 **Special notes for your reviewer**:
 
 **Checklist**:
-<!-- Put an "X" character inside the brackets of each completed task. Some may be optional depending on the PR in which case these can be deleted -->
+<!-- Put an "X" character inside the brackets of each completed task. Some may be optional depending on the PR in which case these can be deleted 
+
+ Please add an icon to the title of this PR, the icon will be either ⚠️ (:warning:, major or breaking changes), ✨ (:sparkles:, feature additions), 🐛 (:bug:, patch and bugfixes), 📖 (:book:, documentation or proposals), or 🌱 (:seedling:, minor or other) 
+-->
 
 - [ ] squashed commits
 - [ ] includes documentation
-- [ ] includes [emojis](https://github.com/kubernetes-sigs/kubebuilder-release-tools?tab=readme-ov-file#kubebuilder-project-versioning)
+- [ ] includes emoji in title 
 - [ ] adds unit tests
 - [ ] adds or updates e2e tests
 

.github/dependabot.yml

@@ -45,7 +45,8 @@ updates:
       - dependency-name: "google.golang.org/grpc"
         update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
       # Bumping the kustomize API independently can break compatibility with client-go as they share k8s.io/kube-openapi as a dependency.
-      - dependency-name: "sigs.k8s.io/kustomize/api"
+      # Bumping kustomize itself has led to using Go versions newer than what's available in the image builder jobs, breaking our builds.
+      - dependency-name: "sigs.k8s.io/kustomize/*"
         update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
       # Ignore openshift ROSA pkgs as its upgraded manually.
       - dependency-name: "github.com/openshift*"

.github/workflows/build-ami-varsfile.yml

@@ -0,0 +1,63 @@
+name: build-and-publish-ami-with-vars
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_builder_version:
+        description: "Image builder version"
+        required: true
+        default: 'v0.1.38'
+      target:
+        description: "target os"
+        required: true
+        type: choice
+        options:
+        - ubuntu-2204
+        - ubuntu-2404
+        - flatcar
+      packer_vars:
+        description: "Packer vars (json)"
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  buildandpublish:
+    name: Build and publish CAPA AMIs
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v4
+        with:
+          repository: kubernetes-sigs/image-builder
+          ref: ${{ inputs.image_builder_version }}
+          fetch-depth: 0
+      - name: Create packer vars file
+        if: inputs.packer_vars != ''
+        env:
+          PACKER_VARS: ${{ inputs.packer_vars }}
+        run: |
+          echo "$PACKER_VARS" | jq -r > ./images/capi/vars.json
+          cat ./images/capi/vars.json
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::819546954734:role/gh-image-builder
+      - name: Install deps
+        run: make deps-ami
+        working-directory: ./images/capi
+      - name: Install Amazon EBS Plugin
+        working-directory: ./images/capi
+        run: ./.local/bin/packer plugins install github.com/hashicorp/amazon
+      - name: Build AMI with vars
+        if: inputs.packer_vars != ''
+        working-directory: ./images/capi
+        run: PACKER_VAR_FILES=vars.json make build-ami-${{ inputs.target }}
+      - name: Build AMI without vars
+        if: inputs.packer_vars == ''
+        working-directory: ./images/capi
+        run: make build-ami-${{ inputs.target }}
+

.github/workflows/build-ami.yml

@@ -0,0 +1,95 @@
+name: build-and-publish-ami
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_builder_version:
+        description: "Image builder version"
+        required: true
+        default: 'v0.1.38'
+      regions:
+        description: 'Publication regions'
+        required: true
+        default: 'ap-south-1,eu-west-3,eu-west-2,eu-west-1,ap-northeast-2,ap-northeast-1,sa-east-1,ca-central-1,ap-southeast-1,ap-southeast-2,eu-central-1,us-east-1,us-east-2,us-west-1,us-west-2'
+      k8s_semver:
+        description: 'K8s Semver'
+        required: true
+      k8s_series:
+        description: 'K8s Release Series (major.minor version)'
+        required: true
+      k8s_rpm_version:
+        description: 'K8s rpm package version'
+        required: true
+      k8s_deb_version:
+        description: 'K8s deb package version'
+        required: true
+      cni_semver:
+        description: 'CNI Semver'
+        required: true
+      cni_deb_version:
+        description: 'CNI deb package version'
+        required: true
+      crictl_version:
+        description: 'Crictl version'
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  buildandpublish:
+    strategy:
+      matrix:
+        target: ['ubuntu-2204', 'ubuntu-2404', 'flatcar']
+      max-parallel: 1
+      fail-fast: false
+    name: Build and publish CAPA AMIs
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v4
+        with:
+          repository: kubernetes-sigs/image-builder
+          ref: ${{ inputs.image_builder_version }}
+          fetch-depth: 0
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::819546954734:role/gh-image-builder
+      - name: Install deps
+        run: make deps-ami
+        working-directory: ./images/capi
+      - name: Install Amazon EBS Plugin
+        working-directory: ./images/capi
+        run: ./.local/bin/packer plugins install github.com/hashicorp/amazon
+      - name: Create Packer Args
+        env:
+          K8S_RPM_VERSION: ${{ inputs.k8s_rpm_version }}
+          K8S_SEMVER: ${{ inputs.k8s_semver }}
+          K8S_SERIES: ${{ inputs.k8s_series }}
+          K8S_DEB_VERSION: ${{ inputs.k8s_deb_version }}
+          CNI_SEMVER: ${{ inputs.cni_semver }}
+          CNI_DEB_VERSION: ${{ inputs.cni_deb_version }}
+          CRICTL_VERSION: ${{ inputs.crictl_version }}
+          AMI_REGIONS: ${{ inputs.regions }}
+        run: |
+          cat > ./images/capi/vars.json << EOF
+          {
+            "kubernetes_rpm_version": "$K8S_RPM_VERSION",
+            "kubernetes_semver": "$K8S_SEMVER",
+            "kubernetes_series": "$K8S_SERIES",
+            "kubernetes_deb_version": "$K8S_DEB_VERSION",
+            "kubernetes_cni_semver": "$CNI_SEMVER",
+            "kubernetes_cni_deb_version": "$CNI_DEB_VERSION",
+            "crictl_version": "$CRICTL_VERSION",
+            "ami_regions": "$AMI_REGIONS"
+          }
+          EOF
+      - name: Show vars
+        run: cat ./images/capi/vars.json
+      - name: Build AMI
+        working-directory: ./images/capi
+        run: PACKER_VAR_FILES=vars.json make build-ami-${{ matrix.target }}
+

.github/workflows/dependabot.yml

@@ -25,7 +25,7 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v5
       with:
-        go-version: '1.22'
+        go-version: '1.23'
       id: go
     - name: Check out code into the Go module directory
       uses: actions/[email protected]

.github/workflows/pr-gh-workflow-approve.yaml

@@ -37,4 +37,4 @@ jobs:
                 repo: context.repo.repo,
                 run_id: run.id
               });
-            }
+            }

.github/workflows/pr-golangci-lint.yaml

@@ -17,17 +17,18 @@ jobs:
         working-directory:
           - ""
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
       - name: Calculate go version
         id: vars
         run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # tag=v5.5.0
         with:
           go-version: ${{ steps.vars.outputs.go_version }}
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # tag=v6.0.1
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # tag=v8.0.0
         with:
-          version: v1.56.1
-          args: --out-format=colored-line-number
+          version: v2.1.0
           working-directory: ${{matrix.working-directory}}
+      - name: Lint API
+        run: make lint-api

.github/workflows/pr-verify.yml

@@ -4,16 +4,15 @@ on:
   pull_request_target:
     types: [opened, edited, synchronize, reopened]
 
-permissions:
-  checks: write
-
 jobs:
   verify:
     runs-on: ubuntu-latest
     name: verify PR contents
     steps:
-    - name: Verifier action
-      id: verifier
-      uses: kubernetes-sigs/kubebuilder-release-tools@012269a88fa4c034a0acf1ba84c26b195c0dbab4 # tag=v0.4.3
-      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+
+    - name: Check if PR title is valid
+      env:
+        PR_TITLE: ${{ github.event.pull_request.title }}
+      run: |
+        ./hack/verify-pr-title.sh "${PR_TITLE}"

.github/workflows/release.yaml

@@ -20,11 +20,13 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.23'
       - name: Set version info
         run: |
           echo "VERSION=${GITHUB_REF_NAME}" >> $GITHUB_ENV
-          echo "PREVIOUS_VERSION=$(git describe --abbrev=0 2> /dev/null)" >> $GITHUB_ENV
+          # NB: this gets the closest tag cut from the same branch; for new minor tags, it will find the previous minor, not the previous patch release
+          # (for example v2.7.0, not v2.7.3). For new patch releases, it should fetch the previous patch (e.g. 2.7.3, not v2.7.0)
+          echo "PREVIOUS_VERSION=$(git describe --abbrev=0 2> /dev/null)" >> $GITHUB_ENV 
           echo "RELEASE_BRANCH=release-$(echo ${GITHUB_REF_NAME} | grep -Eo '[0-9]\.[0-9]+')" >> $GITHUB_ENV
           echo "RELEASE_TAG=${GITHUB_REF_NAME}" >> $GITHUB_ENV
       - name: Run release