Merge branch 'main' into kms-beta

Author: JanStern

.github/workflows/release.yaml

@@ -41,6 +41,15 @@ jobs:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PASSPHRASE }}
 
+      # nfpm-rpm signing needs gpg provided as filepath
+      # https://goreleaser.com/customization/nfpm/
+      - name: Create GPG key file
+        run: |
+          KEY_PATH="$RUNNER_TEMP/gpg-private-key.asc"
+          printf '%s' "${{ secrets.GPG_PRIVATE_KEY }}" > "$KEY_PATH"
+          chmod 600 "$KEY_PATH"
+          echo "GPG_KEY_PATH=$KEY_PATH" >> "$GITHUB_ENV"
+      
       - name: Set up keychain
         run: |
           echo -n $SIGNING_CERTIFICATE_BASE64 | base64 -d -o ./ApplicationID.p12
@@ -71,15 +80,22 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+          GPG_KEY_PATH: ${{ env.GPG_KEY_PATH }}
+          # nfpm-rpm signing needs this env to be set.
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
-      # artifacts need to be passed to the "publish-apt" job somehow
+      - name: Clean up GPG key file
+        if: always()
+        run: |
+          rm -f "$GPG_KEY_PATH"
+      
       - name: Upload artifacts to workflow
         uses: actions/upload-artifact@v4
         with:
           name: goreleaser-dist-temp
           path: dist
           retention-days: 1
-  
+
   publish-apt:
     name: Publish APT
     runs-on: macOS-latest
@@ -115,3 +131,42 @@ jobs:
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
           GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
         run: ./scripts/publish-apt-packages.sh
+
+  publish-rpm:
+    name: Publish RPM
+    runs-on: ubuntu-latest
+    needs: [goreleaser]
+    env:
+      # Needed to publish new packages to our S3-hosted RPM repo
+      AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: eu01
+      AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      
+      - name: Download artifacts from workflow
+        uses: actions/download-artifact@v5
+        with:
+          name: goreleaser-dist-temp
+          path: dist
+
+      - name: Install RPM tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y createrepo-c
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        id: import_gpg
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Publish RPM packages
+        if: contains(github.ref_name, '-') == false
+        env:
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+        run: ./scripts/publish-rpm-packages.sh

.github/workflows/renovate.yaml

@@ -13,7 +13,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
       - name: Self-hosted Renovate
-        uses: renovatebot/[email protected].16
+        uses: renovatebot/[email protected].17
         with:
           configurationFile: .github/renovate.json
           token: ${{ secrets.RENOVATE_TOKEN }}

.goreleaser.yaml

@@ -99,17 +99,10 @@ nfpms:
       - deb
       - rpm
 
-signs:
-  - artifacts: package
-    args:
-      [
-        "-u",
-        "{{ .Env.GPG_FINGERPRINT }}",
-        "--output",
-        "${signature}",
-        "--detach-sign",
-        "${artifact}",
-      ]
+    rpm:
+      # The package is signed if a key_file is set
+      signature:
+        key_file: "{{ .Env.GPG_KEY_PATH }}"
 
 homebrew_casks:
   - name: stackit

INSTALLATION.md

@@ -130,16 +130,54 @@ asset_filters=["stackit-cli_", "_linux_amd64.tar.gz"]
 eget stackitcloud/stackit-cli
 ```
 
-#### RPM package via dnf, yum and zypper
+#### RHEL/Fedora/Rocky/Alma/openSUSE/... (`DNF/YUM/Zypper`)
 
-The STACKIT CLI is available as [RPM Package](https://github.com/stackitcloud/stackit-cli/releases) and can be installed via dnf, yum and zypper package manager.
+The STACKIT CLI can be installed through the [`DNF/YUM`](https://docs.fedoraproject.org/en-US/fedora/f40/system-administrators-guide/package-management/DNF/) / [`Zypper`](https://de.opensuse.org/Zypper) package managers.
 
-Just download the rpm package from the [release page](https://github.com/stackitcloud/stackit-cli/releases) and run the install command like the following:
+> Requires rpm version 4.15 or newer to support Ed25519 signatures.
+
+> `$basearch` is supported by modern distributions. On older systems that don't expand `$basearch`, replace it in the `baseurl` with your architecture explicitly (for example, `.../rpm/cli/x86_64` or `.../rpm/cli/aarch64`).
+
+##### Installation via DNF/YUM
+
+1. Add the repository:
+
+```shell
+sudo tee /etc/yum.repos.d/stackit.repo > /dev/null << 'EOF'
+[stackit]
+name=STACKIT CLI
+baseurl=https://packages.stackit.cloud/rpm/cli/$basearch
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.stackit.cloud/keys/key.gpg
+EOF
+```
+
+2. Install the CLI:
+
+```shell
+sudo dnf install stackit
+```
+
+##### Installation via Zypper
+
+1. Add the repository:
+
+```shell
+sudo tee /etc/zypp/repos.d/stackit.repo > /dev/null << 'EOF'
+[stackit]
+name=STACKIT CLI
+baseurl=https://packages.stackit.cloud/rpm/cli/$basearch
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.stackit.cloud/keys/key.gpg
+EOF
+```
+
+2. Install the CLI:
 
 ```shell
-dnf install stackitcli.rpm
-yum install stackitcli.rpm
-zypper install stackitcli.rpm
+sudo zypper install stackit
 ```
 
 #### Any distribution

go.mod

@@ -247,7 +247,7 @@ require (
 	github.com/stackitcloud/stackit-sdk-go/services/logme v0.25.1
 	github.com/stackitcloud/stackit-sdk-go/services/mariadb v0.25.1
 	github.com/stackitcloud/stackit-sdk-go/services/objectstorage v1.4.0
-	github.com/stackitcloud/stackit-sdk-go/services/observability v0.14.0
+	github.com/stackitcloud/stackit-sdk-go/services/observability v0.15.0
 	github.com/stackitcloud/stackit-sdk-go/services/rabbitmq v0.25.1
 	github.com/stackitcloud/stackit-sdk-go/services/redis v0.25.1
 	github.com/subosito/gotenv v1.6.0 // indirect

go.sum

@@ -585,8 +585,8 @@ github.com/stackitcloud/stackit-sdk-go/services/mongodbflex v1.5.2 h1:BQ+qAkVS/a
 github.com/stackitcloud/stackit-sdk-go/services/mongodbflex v1.5.2/go.mod h1:oc8Mpwl7O6EZwG0YxfhOzNCJwNQBWK5rFh764OtxoMY=
 github.com/stackitcloud/stackit-sdk-go/services/objectstorage v1.4.0 h1:g3yNDUc3JydAikezUrI9bQ4nuMJpVeAQ35jOFfFmq1U=
 github.com/stackitcloud/stackit-sdk-go/services/objectstorage v1.4.0/go.mod h1:foslkEiICdtHR3v0A/i/Rgo6EP9MMula9XNC9luNOgw=
-github.com/stackitcloud/stackit-sdk-go/services/observability v0.14.0 h1:oewwaYjABWbNqDkmSwIXmjDBK4a46+tnznyZSXh3Xk0=
-github.com/stackitcloud/stackit-sdk-go/services/observability v0.14.0/go.mod h1:tJEOi6L0le4yQZPGwalup/PZ13gqs1aCQDqlUs2cYW0=
+github.com/stackitcloud/stackit-sdk-go/services/observability v0.15.0 h1:MA5i1ScjXLWe5CYeFCLHeZzNS1AH4mbx1kUyiVbxKjI=
+github.com/stackitcloud/stackit-sdk-go/services/observability v0.15.0/go.mod h1:tJEOi6L0le4yQZPGwalup/PZ13gqs1aCQDqlUs2cYW0=
 github.com/stackitcloud/stackit-sdk-go/services/opensearch v0.24.1 h1:50n87uZn0EvSP9hJGLqd3Wm2hfqbyh7BMGGCk7axgqA=
 github.com/stackitcloud/stackit-sdk-go/services/opensearch v0.24.1/go.mod h1:jfguuSPa56Z5Bzs/Xg/CI37XzPo5Zn5lzC5LhfuT8Qc=
 github.com/stackitcloud/stackit-sdk-go/services/postgresflex v1.2.1 h1:K8vXele3U6b5urcSIpq21EkVblWfPDY3eMPSuQ48TkI=

internal/pkg/services/ske/utils/utils.go

@@ -6,6 +6,7 @@ import (
 	"maps"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strconv"
 
 	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
@@ -16,13 +17,9 @@ import (
 )
 
 const (
-	defaultNodepoolAvailabilityZone = "eu01-3"
 	defaultNodepoolCRI              = ske.CRINAME_CONTAINERD
-	defaultNodepoolMachineType      = "b1.2"
 	defaultNodepoolMachineImageName = "flatcar"
-	defaultNodepoolMaxSurge         = 1
 	defaultNodepoolMaxUnavailable   = 0
-	defaultNodepoolMaximum          = 2
 	defaultNodepoolMinimum          = 1
 	defaultNodepoolName             = "pool-default"
 	defaultNodepoolVolumeType       = "storage_premium_perf2"
@@ -110,22 +107,38 @@ func getDefaultPayloadKubernetes(resp *ske.ProviderOptions) (*ske.Kubernetes, er
 }
 
 func getDefaultPayloadNodepool(resp *ske.ProviderOptions) (*ske.Nodepool, error) {
+	if resp.AvailabilityZones == nil || len(*resp.AvailabilityZones) == 0 {
+		return nil, fmt.Errorf("no availability zones found")
+	}
+	var availabilityZones []string
+	for i := range *resp.AvailabilityZones {
+		azName := (*resp.AvailabilityZones)[i].GetName()
+		// don't include availability zones like eu01-m, eu02-m, not all flavors are available there
+		if !regexp.MustCompile(`\w{2}\d{2}-m`).MatchString(azName) {
+			availabilityZones = append(availabilityZones, azName)
+		}
+	}
+
+	if resp.MachineTypes == nil || len(*resp.MachineTypes) == 0 {
+		return nil, fmt.Errorf("no machine types found")
+	}
+	machineType := (*resp.MachineTypes)[0].GetName()
+
 	output := &ske.Nodepool{
-		AvailabilityZones: &[]string{
-			defaultNodepoolAvailabilityZone,
-		},
+		AvailabilityZones: &availabilityZones,
 		Cri: &ske.CRI{
 			Name: utils.Ptr(defaultNodepoolCRI),
 		},
 		Machine: &ske.Machine{
-			Type: utils.Ptr(defaultNodepoolMachineType),
+			Type: &machineType,
 			Image: &ske.Image{
 				Name: utils.Ptr(defaultNodepoolMachineImageName),
 			},
 		},
-		MaxSurge:       utils.Ptr(int64(defaultNodepoolMaxSurge)),
+		// there must be as many nodes as availability zones are given
+		MaxSurge:       utils.Ptr(int64(len(availabilityZones))),
 		MaxUnavailable: utils.Ptr(int64(defaultNodepoolMaxUnavailable)),
-		Maximum:        utils.Ptr(int64(defaultNodepoolMaximum)),
+		Maximum:        utils.Ptr(int64(len(availabilityZones))),
 		Minimum:        utils.Ptr(int64(defaultNodepoolMinimum)),
 		Name:           utils.Ptr(defaultNodepoolName),
 		Volume: &ske.Volume{

internal/pkg/services/ske/utils/utils_test.go

@@ -146,6 +146,17 @@ func TestClusterExists(t *testing.T) {
 
 func fixtureProviderOptions(mods ...func(*ske.ProviderOptions)) *ske.ProviderOptions {
 	providerOptions := &ske.ProviderOptions{
+		AvailabilityZones: &[]ske.AvailabilityZone{
+			{Name: utils.Ptr("eu01-m")},
+			{Name: utils.Ptr("eu01-1")},
+			{Name: utils.Ptr("eu01-2")},
+			{Name: utils.Ptr("eu01-3")},
+		},
+		MachineTypes: &[]ske.MachineType{
+			{
+				Name: utils.Ptr("b1.2"),
+			},
+		},
 		KubernetesVersions: &[]ske.KubernetesVersion{
 			{
 				State:   utils.Ptr("supported"),
@@ -263,6 +274,8 @@ func fixtureGetDefaultPayload(mods ...func(*ske.CreateOrUpdateClusterPayload)) *
 		Nodepools: &[]ske.Nodepool{
 			{
 				AvailabilityZones: &[]string{
+					"eu01-1",
+					"eu01-2",
 					"eu01-3",
 				},
 				Cri: &ske.CRI{
@@ -275,9 +288,9 @@ func fixtureGetDefaultPayload(mods ...func(*ske.CreateOrUpdateClusterPayload)) *
 						Name:    utils.Ptr("flatcar"),
 					},
 				},
-				MaxSurge:       utils.Ptr(int64(1)),
+				MaxSurge:       utils.Ptr(int64(3)),
 				MaxUnavailable: utils.Ptr(int64(0)),
-				Maximum:        utils.Ptr(int64(2)),
+				Maximum:        utils.Ptr(int64(3)),
 				Minimum:        utils.Ptr(int64(1)),
 				Name:           utils.Ptr("pool-default"),
 				Volume: &ske.Volume{
@@ -312,6 +325,34 @@ func TestGetDefaultPayload(t *testing.T) {
 			listProviderOptionsFails: true,
 			isValid:                  false,
 		},
+		{
+			description: "availability zones nil",
+			listProviderOptionsResp: fixtureProviderOptions(func(po *ske.ProviderOptions) {
+				po.AvailabilityZones = nil
+			}),
+			isValid: false,
+		},
+		{
+			description: "no availability zones",
+			listProviderOptionsResp: fixtureProviderOptions(func(po *ske.ProviderOptions) {
+				po.AvailabilityZones = &[]ske.AvailabilityZone{}
+			}),
+			isValid: false,
+		},
+		{
+			description: "machine types nil",
+			listProviderOptionsResp: fixtureProviderOptions(func(po *ske.ProviderOptions) {
+				po.MachineTypes = nil
+			}),
+			isValid: false,
+		},
+		{
+			description: "no machine types",
+			listProviderOptionsResp: fixtureProviderOptions(func(po *ske.ProviderOptions) {
+				po.MachineTypes = &[]ske.MachineType{}
+			}),
+			isValid: false,
+		},
 		{
 			description: "no Kubernetes versions 1",
 			listProviderOptionsResp: fixtureProviderOptions(func(po *ske.ProviderOptions) {

scripts/publish-apt-packages.sh

@@ -49,4 +49,4 @@ aptly snapshot pull -no-remove -architectures="amd64,i386,arm64" current-snapsho
 
 # Publish the new snapshot to the remote repo
 printf "\n>>> Publishing updated snapshot \n"
-aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" updated-snapshot "s3:${APT_BUCKET_NAME}:${APT_REPO_PATH}"
+aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" updated-snapshot "s3:${APT_BUCKET_NAME}:${APT_REPO_PATH}"