Merge branch 'main' into dependabot/docker/distroless/static-c0f429e

Author: voigt

.github/workflows/ci.yml

@@ -20,6 +20,9 @@ jobs:
   helm_install_smoke_test:
     uses: ./.github/workflows/helm-chart-smoketest.yml
 
+  helm_node_scaling_test:
+    uses: ./.github/workflows/helm-chart-node-scaling-test.yml
+
   unit_tests:
     name: Test
     runs-on: ubuntu-latest

.github/workflows/helm-chart-node-scaling-test.yml

@@ -0,0 +1,149 @@
+name: Helm Node Scaling Test
+
+on:
+  workflow_call:
+
+env:
+  SHIM_SPIN_VERSION: v0.19.0
+  DOCKER_BUILD_SUMMARY: false
+
+jobs:
+  helm-node-scaling-test:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install helm
+        uses: Azure/setup-helm@v4
+        with:
+          version: v3.15.4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build RCM
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          load: true
+          tags: |
+            runtime-class-manager:chart-test
+
+      - name: Build node installer
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./images/installer/Dockerfile
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          load: true
+          tags: |
+            node-installer:chart-test
+
+      - name: Build shim downloader
+        uses: docker/build-push-action@v6
+        with:
+          context: ./images/downloader
+          file: ./images/downloader/Dockerfile
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          load: true
+          tags: |
+            shim-downloader:chart-test
+
+      - name: create kind config
+        run: |
+          cat << EOF > kind-config.yaml
+            kind: Cluster
+            apiVersion: kind.x-k8s.io/v1alpha4
+            nodes:
+            - role: control-plane
+            - role: worker
+              labels:
+                spin: true
+          EOF
+
+      - name: fetch kindscaler script
+        run: |
+          curl -so kindscaler.sh https://raw.githubusercontent.com/lobuhi/kindscaler/refs/heads/main/kindscaler.sh
+          chmod +x kindscaler.sh
+
+      - name: create kind cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: kind
+          config: kind-config.yaml
+
+      - name: import images into kind cluster
+        run: |
+          kind load docker-image runtime-class-manager:chart-test
+          kind load docker-image node-installer:chart-test
+          kind load docker-image shim-downloader:chart-test
+
+      - name: helm install runtime-class-manager
+        run: |
+          helm install rcm \
+            --namespace rcm \
+            --create-namespace \
+            --debug \
+            --set image.repository=runtime-class-manager \
+            --set image.tag=chart-test \
+            --set rcm.nodeInstallerImage.repository=node-installer \
+            --set rcm.nodeInstallerImage.tag=chart-test \
+            --set rcm.shimDownloaderImage.repository=shim-downloader \
+            --set rcm.shimDownloaderImage.tag=chart-test \
+            deploy/helm
+
+      - name: apply Spin shim
+        run: |
+          # Ensure shim binary is compatible with runner arch
+          yq -i '.spec.fetchStrategy.anonHttp.location = "https://github.com/spinkube/containerd-shim-spin/releases/download/${{ env.SHIM_SPIN_VERSION }}/containerd-shim-spin-v2-linux-x86_64.tar.gz"' \
+            config/samples/test_shim_spin.yaml
+          kubectl apply -f config/samples/test_shim_spin.yaml
+
+      - name: verify shim is installed into one node
+        run: |
+          timeout 1m bash -c 'until [[ "$(kubectl get node -l spin=true -l spin-v2=provisioned -o name | wc -l)" == "1" ]]; do sleep 2; done'
+          timeout 1m bash -c 'until [[ "$(kubectl get shim.runtime.spinkube.dev/spin-v2 -o json | jq -r '.status.nodesReady')" == "1" ]]; do sleep 2; done'
+
+      - name: scale kind worker nodes to 2
+        run: ./kindscaler.sh kind -r worker -c 1
+
+      - name: re-import images into kind cluster, for new node
+        run: |
+          kind load docker-image runtime-class-manager:chart-test
+          kind load docker-image node-installer:chart-test
+          kind load docker-image shim-downloader:chart-test
+
+      - name: verify shim is installed into two nodes
+        run: |
+          timeout 1m bash -c 'until [[ "$(kubectl get node -l spin=true -l spin-v2=provisioned -o name | wc -l)" == "2" ]]; do sleep 2; done'
+          timeout 1m bash -c 'until [[ "$(kubectl get shim.runtime.spinkube.dev/spin-v2 -o json | jq -r '.status.nodesReady')" == "2" ]]; do sleep 2; done'
+
+      - name: delete Spin Shim
+        run: kubectl delete -f config/samples/test_shim_spin.yaml
+
+      - name: verify shim is uninstalled from both nodes
+        run: |
+          timeout 1m bash -c 'until [[ "$(kubectl get node -l spin=true -l spin-v2=provisioned -o name | wc -l)" == "0" ]]; do sleep 2; done'
+          timeout 1m bash -c 'until ! kubectl get shims.runtime.spinkube.dev/spin-v2; do sleep 2; done'
+
+      - name: debug
+        if: failure()
+        run: |
+          kubectl get pods -A
+          kubectl describe shim spin-v2
+          kubectl describe runtimeclass wasmtime-spin-v2
+          kubectl describe -n rcm pod -l job-name=kind-worker-spin-v2-install || true
+          kubectl logs -n rcm -l app.kubernetes.io/name=runtime-class-manager || true
+          kubectl describe -n rcm pod -l app.kubernetes.io/name=runtime-class-manager || true
+          kubectl describe nodes

.github/workflows/helm-chart-smoketest.yml

@@ -4,12 +4,9 @@ on:
   workflow_call:
 
 env:
-  # TODO: bump to a more recent K8S_VERSION once rcm supports containerd 2.0+
-  # see https://github.com/spinframework/runtime-class-manager/issues/371
-  # For k3d in particular, containerd 2.0 is used starting with k3s image tag v1.32.2-k3s1
-  K8S_VERSION: v1.32.1
+  K8S_VERSION: v1.32.3
   MICROK8S_CHANNEL: 1.32/stable
-  SHIM_SPIN_VERSION: v0.18.0
+  SHIM_SPIN_VERSION: v0.19.0
   DOCKER_BUILD_SUMMARY: false
 
 jobs:

.github/workflows/scorecard.yml

@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           sarif_file: results.sarif

config/samples/test_shim_spin.yaml

@@ -15,7 +15,7 @@ spec:
   fetchStrategy:
     type: anonymousHttp
     anonHttp:
-      location: "https://github.com/spinframework/containerd-shim-spin/releases/download/v0.15.1/containerd-shim-spin-v2-linux-aarch64.tar.gz"
+      location: "https://github.com/spinframework/containerd-shim-spin/releases/download/v0.19.0/containerd-shim-spin-v2-linux-aarch64.tar.gz"
 
   runtimeClass:
     # Note: this name is used by the Spin Operator project as its default:

internal/containerd/configure.go

@@ -49,8 +49,6 @@ func (c *Config) AddRuntime(shimPath string) error {
 	runtimeName := shim.RuntimeName(path.Base(shimPath))
 	l := slog.With("runtime", runtimeName)
 
-	cfg := generateConfig(shimPath, runtimeName)
-
 	// Containerd config file needs to exist, otherwise return the error
 	data, err := afero.ReadFile(c.hostFs, c.configPath)
 	if err != nil {
@@ -63,6 +61,8 @@ func (c *Config) AddRuntime(shimPath string) error {
 		return nil
 	}
 
+	cfg := generateConfig(shimPath, runtimeName, data)
+
 	// Open file in append mode
 	file, err := c.hostFs.OpenFile(c.configPath, os.O_APPEND|os.O_WRONLY, 0o644) //nolint:mnd // file permissions
 	if err != nil {
@@ -83,8 +83,6 @@ func (c *Config) RemoveRuntime(shimPath string) (changed bool, err error) {
 	runtimeName := shim.RuntimeName(path.Base(shimPath))
 	l := slog.With("runtime", runtimeName)
 
-	cfg := generateConfig(shimPath, runtimeName)
-
 	// Containerd config file needs to exist, otherwise return the error
 	data, err := afero.ReadFile(c.hostFs, c.configPath)
 	if err != nil {
@@ -97,6 +95,8 @@ func (c *Config) RemoveRuntime(shimPath string) (changed bool, err error) {
 		return false, nil
 	}
 
+	cfg := generateConfig(shimPath, runtimeName, data)
+
 	// Convert the file data to a string and replace the target string with an empty string.
 	modifiedData := strings.ReplaceAll(string(data), cfg, "")
 
@@ -113,10 +113,17 @@ func (c *Config) RestartRuntime() error {
 	return c.restarter.Restart()
 }
 
-func generateConfig(shimPath string, runtimeName string) string {
+func generateConfig(shimPath string, runtimeName string, configData []byte) string {
+	// Config domain for containerd 1.0 (config version 2)
+	domain := "io.containerd.grpc.v1.cri"
+	if strings.Contains(string(configData), "version = 3") {
+		// Config domain for containerd 2.0 (config version 3)
+		domain = "io.containerd.cri.v1.runtime"
+	}
+
 	return fmt.Sprintf(`
 # RCM runtime config for %s
-[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.%s]
+[plugins."%s".containerd.runtimes.%s]
 runtime_type = "%s"
-`, runtimeName, runtimeName, shimPath)
+`, runtimeName, domain, runtimeName, shimPath)
 }

internal/containerd/configure_test.go

@@ -201,3 +201,58 @@ func TestConfig_RemoveRuntime(t *testing.T) {
 		})
 	}
 }
+
+func TestGenerateConfig_ContainerdVersions(t *testing.T) {
+	type fields struct {
+		hostFs     afero.Fs
+		configPath string
+	}
+	type args struct {
+		shimPath string
+	}
+	tests := []struct {
+		name            string
+		fields          fields
+		args            args
+		wantErr         bool
+		wantFileContent string
+	}{
+		{"containerd 1.x", fields{
+			hostFs:     tests.FixtureFs("../../testdata/node-installer/containerd/1.x"),
+			configPath: "/etc/containerd/config.toml",
+		}, args{"/opt/rcm/bin/containerd-shim-spin-v1"}, false, `version = 2
+# RCM runtime config for spin-v1
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.spin-v1]
+runtime_type = "/opt/rcm/bin/containerd-shim-spin-v1"
+`},
+		{"containerd 2.x", fields{
+			hostFs:     tests.FixtureFs("../../testdata/node-installer/containerd/2.x"),
+			configPath: "/etc/containerd/config.toml",
+		}, args{"/opt/rcm/bin/containerd-shim-spin-v1"}, false, `version = 3
+# RCM runtime config for spin-v1
+[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.spin-v1]
+runtime_type = "/opt/rcm/bin/containerd-shim-spin-v1"
+`},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Config{
+				hostFs:     tt.fields.hostFs,
+				configPath: tt.fields.configPath,
+			}
+			err := c.AddRuntime(tt.args.shimPath)
+
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+
+			gotContent, err := afero.ReadFile(c.hostFs, c.configPath)
+			require.NoError(t, err)
+
+			assert.Equal(t, tt.wantFileContent, string(gotContent))
+		})
+	}
+}