Commit

feat: onboard kubernetes-binaries, azure-acr-credential-provider and …
…containerd-wasm-shims to renovate (#5256)
Devinwong authored Nov 16, 2024
1 parent a46c5d5 commit 4c84bee
Showing 180 changed files with 688 additions and 139 deletions.
50 changes: 46 additions & 4 deletions .github/README-RENOVATE.md
Expand Up @@ -20,7 +20,7 @@
- [Okay, I just have 5 minutes. Please just tell me how to onboard a new package/container now to Renovate.json for auto-update.](#okay-i-just-have-5-minutes-please-just-tell-me-how-to-onboard-a-new-packagecontainer-now-to-renovatejson-for-auto-update)
- [What is the responsibility of a PR assignee?](#what-is-the-responsibility-of-a-pr-assignee)
- [What components are onboarded to Renovate for auto-update and what are not yet?](#what-components-are-onboarded-to-renovate-for-auto-update-and-what-are-not-yet)

- [Details on supporting the MAR OCI artifacts.](#details-on-supporting-the-mar-oci-artifacts)
# TL;DR
This readme is mainly describing how the renovate.json is constructed and the reasoning behind. If you are adding a new component to be cached in VHD, please refer to this [Readme-components](../parts/linux/cloud-init/artifacts/README-COMPONENTS.md) for tutorial. If you are onboarding a newly added component to Renovate automatic updates, you can jump to the [Hands-on guide and FAQ](#hands-on-guide-and-faq).
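Review bot: the new table-of-contents entry for "Details on supporting the MAR OCI artifacts." takes the place of the blank line that used to sit before `# TL;DR` (the hunk is 7 lines on both sides), so the list now runs straight into the heading. Add the entry above the blank line rather than instead of it, so the list and the heading stay visually separate in the raw file.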

Expand Down Expand Up @@ -343,9 +343,51 @@ If your GitHub ID is placed in the `assignees` array, you are responsible for th
## What components are onboarded to Renovate for auto-update and what are not yet?
In general, if a component has the `"renovateTag": "<DO_NOT_UPDATE>"`, it means it's not monitored by Renovate and won't be updated automatically.

As of 9/18/2024,
As of 11/12/2024,
- All the container images are onboarded to Renovate for auto-update.
- PMC hosted packages, namely `runc` and `containerd`, are onboarded for auto-update.
- Acs-mirror hosted packages/binaries, namely `cni-plugins`, `azure-cni`, `cri-tools`, `kubernetes-binaries` and `azure-acr-credential-provider`, are NOT onboarded for auto-update yet. There are plans to move the acs-mirror hosted packages to MCR OCI which will be downloaded by Oras. We will wait for this transition to be completed to understand the details how to manage them.
- OCI artifacts hosted on MAR(aka MCR) such as `kubernetes-binaries`, `azure-acr-credential-provider` and `containerd-wasm-shims` are onboarded for auto-update.
- Acs-mirror hosted packages/binaries, namely `cni-plugins`, `azure-cni`, `cri-tools`, etc., are NOT onboarded for auto-update yet. There are plans to move the acs-mirror hosted packages to MCR OCI which will be downloaded by Oras. We will wait for this transition to be completed to understand the details how to manage them.

For the most up-to-date information, please refer to the actual configuration file `components.json`.

## Details on supporting the MAR OCI artifacts.
MAR OCI artifact is a bit special. The artifact is hosted/stored in a container registry (e.g. MCR, now rebranded to MAR), while it's not necessarily a container image. Instead it could be any format such as Helm charts, Software Bill of Materials (SBOM), a package or a tar/tgz file.
The `renovate.json` file is configured to support OCI artifact now. There is a packageRule like below to support auto updating OCI artifact, which is,
```
{
"matchDatasources": ["docker"],
"matchPackageNames": ["oss/binaries/kubernetes/kubernetes-node", "oss/binaries/kubernetes/azure-acr-credential-provider", "oss/binaries/deislabs/containerd-wasm-shims"],
"extractVersion": "^(?P<version>.*?)-[^-]*-[^-]*$"
},
```
Explanations as below.
1. The `datasource` should be `docker`.
2. The `packageName` should be one of those in the list.
3. In `extractVersion`, we use a regex to extract only part of the tag as the version to be stored in `latestVersion` in `components.json`.

Take `kubernetes-binaries` as an example. If you view all the tags from this list https://mcr.microsoft.com/v2/oss/binaries/kubernetes/kubernetes-node/tags/list?n=10000, you will notice that the format of the tags is quite varied, like, `v1.27.100-akslts-linux-amd64` , `v1.30.0-linux-amd64`, `v1.31.1-linux-arm64`. This regex is to capture only the values before the second-to-last dash (-). For example, if the tag is `v1.27.100-akslts-linux-amd64`, we capture `v1.27.100-akslts` as the version to be stored in `latestVersion` in `components.json`. If the tag is `v1.30.0-linux-amd64`, we capture `v1.30.0`. We do not capture the CPU architecture (amd64|arm64) to keep it generic, avoiding the need to define the same thing for both `amd64` and `arm64`.

For the most up-to-date information, please refer to the actual configuration file `components.json`.
3 packages in `components.json` are onboarded now: `oss/binaries/kubernetes/kubernetes-node`, `oss/binaries/kubernetes/azure-acr-credential-provider` and `oss/binaries/deislabs/containerd-wasm-shims`. You will see a new tag `OCI_registry` in `renovateTag`.

Continue using `kubernetes-binaries` as an example. Here is a block of version information defined as follows.
```
{
"k8sVersion": "1.31",
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/kubernetes/kubernetes-node",
"latestVersion": "v1.31.2",
"previousLatestVersion": "v1.31.1"
}
```
where
1. `k8sVersion` is optional and specifies that it is tied to Kubernetes v1.31.
1. `renovateTag` defines the OCI registry and artifact name that Renovate should look up from its datasource.
1. `latestVersion` and `previousLatestVersion` define the versions to be cached as usual.

And next you will see
```
"downloadURL": "mcr.microsoft.com/oss/binaries/kubernetes/kubernetes-node:${version}-linux-${CPU_ARCH}"
```
where
- `${version}` will be resolved at runtime with the `latestVersion` and `previousLatestVersion` defined above.
- `${CPU_ARCH}` will be resolved at runtime depending on the CPU architecture of the Node (VM) under provisioning.
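Review bot: the sentence "For the most up-to-date information, please refer to the actual configuration file `components.json`." now appears twice, and the second copy lands in the middle of the new section, directly before "3 packages in `components.json` are onboarded now"; drop the second copy. In the "Explanations as below" list, items 1 and 2 name `datasource` and `packageName`, while the rule shown just above uses the keys `matchDatasources` and `matchPackageNames`; use the real key names so a reader can search for them. The section would also benefit from one sentence on what happens to a tag that does not end in two dash-separated segments, since the regex will not match it.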
9 changes: 0 additions & 9 deletions .github/README.md

This file was deleted.

18 changes: 18 additions & 0 deletions .github/renovate.json
Expand Up @@ -88,6 +88,11 @@
"matchPackageNames": ["moby-runc", "moby-containerd"],
"extractVersion": "^v?(?<version>.+)$"
},
{
"matchDatasources": ["docker"],
"matchPackageNames": ["oss/binaries/kubernetes/kubernetes-node", "oss/binaries/kubernetes/azure-acr-credential-provider", "oss/binaries/deislabs/containerd-wasm-shims"],
"extractVersion": "^(?P<version>.*?)-[^-]*-[^-]*$"
},
{
"matchPackageNames": ["aks/aks-gpu-cuda", "aks/aks-gpu-grid"],
"versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-(?<prerelease>\\d{14})$",
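Review bot: the new `extractVersion` pattern accepts any tag that ends in two dash-separated segments, not only `-linux-amd64` and `-linux-arm64`, even though every `downloadURL` for these three packages is built as `${version}-linux-${CPU_ARCH}`. A tag with some other two-part suffix would still yield a candidate version, and a version published for only one architecture would be proposed and then fail to resolve on the other at provisioning time. Anchoring the tail as `-linux-(?:amd64|arm64)$` would keep the extracted versions in line with what the download URL can actually fetch. Separately, this rule writes the named group as `(?P<version>...)` while the rule directly above and the `versioning` rule below use `(?<version>...)`; pick one form for the file unless the `P` form is needed here, in which case a short note in the README would help.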
Expand All @@ -110,6 +115,19 @@
"datasourceTemplate": "docker",
"autoReplaceStringTemplate": "\"renovateTag\": \"registry={{{registryUrl}}}, name={{{packageName}}}\",\n \"latestVersion\": \"{{{newValue}}}\"{{#if depType}},\n \"previousLatestVersion\": \"{{{currentValue}}}\"{{/if}}"
},
{
"customType": "regex",
"description": "auto update OCI artifacts in components.json",
"fileMatch": [
"parts/linux/cloud-init/artifacts/components.json"
],
"matchStringsStrategy": "any",
"matchStrings": [
"\"renovateTag\":\\s*\"OCI_registry=(?<registryUrl>[^,]+), name=(?<packageName>[^\"]+)\",\\s*\"latestVersion\":\\s*\"(?<currentValue>[^\"]+)\"(?:[^}]*\"previousLatestVersion\":\\s*\"(?<depType>[^\"]+)\")?"
],
"datasourceTemplate": "docker",
"autoReplaceStringTemplate": "\"renovateTag\": \"OCI_registry={{{registryUrl}}}, name={{{packageName}}}\",\n \"latestVersion\": \"{{{newValue}}}\"{{#if depType}},\n \"previousLatestVersion\": \"{{{currentValue}}}\"{{/if}}"
},
{
"customType": "regex",
"description": "auto update packages for OS ubuntu 18.04 in components.json",
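Review bot: in `matchStrings`, `registryUrl` is captured as `[^,]+`, so whatever follows `OCI_registry=` in `components.json` becomes the registry Renovate queries, while the `downloadURL` entries for these components hardcode `mcr.microsoft.com`. Nothing in this manager keeps the two in agreement, so an edited or mistyped `renovateTag` would make the version lookup and the actual download point at different registries. Consider matching the host literally in the regex, or setting `registryUrlTemplate` for this manager, so the lookup source is fixed in `renovate.json` rather than taken from the data file. The block is otherwise a near copy of the `registry=` manager above it, including the use of `depType` to carry the previous version; a line in `description` saying why a second manager is needed would save the next reader from diffing the two.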
5 changes: 1 addition & 4 deletions CODEOWNERS
@@ -1,7 +1,4 @@
* @juan-lee @cameronmeissner @UtheMan @ganeshkumarashok @anujmaheshwari1 @AlisonB319 @Devinwong @lilypan26 @ShiqianTao @AbelHu @junjiezhang1997 @jason1028kr @djsly @phealy @r2k1 @timmy-wright

# Code owners for cse_cmd.sh.gtpl and cse_cmd.sh.
# In case someone modifies one file but forgets the other one.
# Testing if it will work as expected.
cse_cmd.sh.gtpl @Devinwong @lilypan26 @r2k1 @timmy-wright
# Code owners for for cse_cmd.sh. This is to ensure that the scriptless v-team is aware of the changes in order to sync with AKSNodeConfig.
cse_cmd.sh @Devinwong @lilypan26 @r2k1 @timmy-wright
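Review bot: the ownership rule for `cse_cmd.sh.gtpl` is removed here, which the commit title (onboarding three components to Renovate) does not mention or explain. If the template file no longer exists or no longer needs dedicated owners, say so in the commit message; otherwise changes to it will fall back to the catch-all `*` owners only. The new comment line also has a doubled word, "Code owners for for cse_cmd.sh".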
60 changes: 31 additions & 29 deletions parts/linux/cloud-init/artifacts/components.json
Expand Up @@ -784,36 +784,36 @@
"versionsV2": [
{
"k8sVersion": "1.27",
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "1.27.101-akslts",
"previousLatestVersion": "1.27.100-akslts"
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/kubernetes/kubernetes-node",
"latestVersion": "v1.27.101-akslts",
"previousLatestVersion": "v1.27.100-akslts"
},
{
"k8sVersion": "1.28",
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "1.28.15",
"previousLatestVersion": "1.28.14"
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/kubernetes/kubernetes-node",
"latestVersion": "v1.28.15",
"previousLatestVersion": "v1.28.14"
},
{
"k8sVersion": "1.29",
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "1.29.10",
"previousLatestVersion": "1.29.9"
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/kubernetes/kubernetes-node",
"latestVersion": "v1.29.10",
"previousLatestVersion": "v1.29.9"
},
{
"k8sVersion": "1.30",
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "1.30.6",
"previousLatestVersion": "1.30.5"
"k8sVersion": "1.30",
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/kubernetes/kubernetes-node",
"latestVersion": "v1.30.6",
"previousLatestVersion": "v1.30.5"
},
{
"k8sVersion": "1.31",
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "1.31.2",
"previousLatestVersion": "1.31.1"
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/kubernetes/kubernetes-node",
"latestVersion": "v1.31.2",
"previousLatestVersion": "v1.31.1"
}
],
"downloadURL": "https://acs-mirror.azureedge.net/kubernetes/v${version}/binaries/kubernetes-node-linux-${CPU_ARCH}.tar.gz"
"downloadURL": "mcr.microsoft.com/oss/binaries/kubernetes/kubernetes-node:${version}-linux-${CPU_ARCH}"
}
}
}
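Review bot: all five `versionsV2` entries now point Renovate at the same package, `oss/binaries/kubernetes/kubernetes-node`, and each is tied to a different `k8sVersion`, but I do not see a rule in the `renovate.json` hunks shown here that limits these entries to patch updates within their own minor line. Without one, the `1.27` entry at `v1.27.101-akslts` is a candidate for a bump to a `v1.31.x` tag. Please confirm there is a package rule that restricts this package to patch-level updates (for example through `matchUpdateTypes`), or add one with this change. Also note that `latestVersion` values gain a `v` prefix while the new `downloadURL` drops the literal `v` before `${version}`; any other consumer of these fields that still prepends `v` will now produce `vv...`, so it is worth a grep before merging.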
Expand All @@ -826,15 +826,17 @@
"current": {
"versionsV2": [
{
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "1.30.0"
"k8sVersion": "1.30",
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/kubernetes/azure-acr-credential-provider",
"latestVersion": "v1.30.0"
},
{
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "1.29.2"
"k8sVersion": "1.29",
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/kubernetes/azure-acr-credential-provider",
"latestVersion": "v1.29.2"
}
],
"downloadURL": "https://acs-mirror.azureedge.net/cloud-provider-azure/v${version}/binaries/azure-acr-credential-provider-linux-${CPU_ARCH}-v${version}.tar.gz"
"downloadURL": "mcr.microsoft.com/oss/binaries/kubernetes/azure-acr-credential-provider:${version}-linux-${CPU_ARCH}"
}
}
}
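Review bot: the new `downloadURL` identifies the artifact by tag only (`...azure-acr-credential-provider:${version}-linux-${CPU_ARCH}`), and the matching `cse_install.sh` lines in this commit pull that reference and use the result with no checksum or digest comparison in the code shown. A tag can be re-pointed on the registry side, so the cached binary is only as trustworthy as the tag at pull time. Consider recording the expected digest next to each version in `components.json`, or verifying the pulled tarball against a known hash before it is installed. The two entries are also listed newest first (`1.30`, then `1.29`), the reverse of the `kubernetes-node` block; one ordering across components makes the file easier to scan.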
Expand All @@ -847,19 +849,19 @@
"current": {
"versionsV2": [
{
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "0.3.0"
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/deislabs/containerd-wasm-shims",
"latestVersion": "v0.3.0"
},
{
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "0.5.1"
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/deislabs/containerd-wasm-shims",
"latestVersion": "v0.5.1"
},
{
"renovateTag": "<DO_NOT_UPDATE>",
"latestVersion": "0.8.0"
"renovateTag": "OCI_registry=https://mcr.microsoft.com, name=oss/binaries/deislabs/containerd-wasm-shims",
"latestVersion": "v0.8.0"
}
],
"downloadURL": "https://acs-mirror.azureedge.net/containerd-wasm-shims/v${version}/linux/${CPU_ARCH}"
"downloadURL": "mcr.microsoft.com/oss/binaries/deislabs/containerd-wasm-shims:${version}-linux-${CPU_ARCH}"
}
}
}
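Review bot: the three `containerd-wasm-shims` entries (`v0.3.0`, `v0.5.1`, `v0.8.0`) now share one `renovateTag` and have no `k8sVersion` or other field that tells them apart, so Renovate will see three dependencies on the same package and propose the same newest version for each. If the intent is to keep three distinct versions cached, the older two should stay on `<DO_NOT_UPDATE>` or be held by an `allowedVersions` constraint; if the intent is to converge on one version, the list can be reduced to a single entry. Please state which it is in the README section added by this commit.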
7 changes: 7 additions & 0 deletions parts/linux/cloud-init/artifacts/cse_install.sh
Expand Up @@ -167,6 +167,13 @@ downloadCredentialProvider() {
CREDENTIAL_PROVIDER_TGZ_TMP="${CREDENTIAL_PROVIDER_DOWNLOAD_URL##*/}" # Use bash builtin ## to remove all chars ("*") up to the final "/"
retrycmd_get_tarball_from_registry_with_oras 120 5 "$CREDENTIAL_PROVIDER_DOWNLOAD_DIR/$CREDENTIAL_PROVIDER_TGZ_TMP" "${credential_provider_download_url_for_oras}" || exit $ERR_ORAS_PULL_K8S_FAIL
return
elif isRegistryUrl "${CREDENTIAL_PROVIDER_DOWNLOAD_URL}"; then
# if the URL is a registry URL, then download the credential provider using oras
# extract version v1.30.0 from format like mcr.microsoft.com/oss/binaries/kubernetes/azure-acr-credential-provider:v1.30.0-linux-amd64
local cred_version=$(echo "$CREDENTIAL_PROVIDER_DOWNLOAD_URL" | grep -oP 'v\d+(\.\d+)*' | head -n 1)
CREDENTIAL_PROVIDER_TGZ_TMP="azure-acr-credential-provider-linux-${CPU_ARCH}-${cred_version}.tar.gz"
retrycmd_get_tarball_from_registry_with_oras 120 5 "$CREDENTIAL_PROVIDER_DOWNLOAD_DIR/$CREDENTIAL_PROVIDER_TGZ_TMP" "${CREDENTIAL_PROVIDER_DOWNLOAD_URL}" || exit $ERR_ORAS_PULL_K8S_FAIL
return
fi

CREDENTIAL_PROVIDER_TGZ_TMP="${CREDENTIAL_PROVIDER_DOWNLOAD_URL##*/}" # Use bash builtin ## to remove all chars ("*") up to the final "/"
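Review bot: `cred_version` in the new `elif` branch is never checked, so if `grep -oP 'v\d+(\.\d+)*'` finds nothing the tarball name becomes `azure-acr-credential-provider-linux-${CPU_ARCH}-.tar.gz` and the pull proceeds with it. The pattern is also applied to the whole URL and `head -n 1` keeps the first hit, so a `v` followed by digits in the registry host or repository path would be picked up ahead of the tag. Extract the tag first with the same builtin the surrounding code uses, for example `${CREDENTIAL_PROVIDER_DOWNLOAD_URL##*:}`, match the version against that, and fail with a clear error when the result is empty. Declaring and assigning in one statement (`local cred_version=$(...)`) also hides the pipeline's exit status; split it into `local cred_version` and a separate assignment.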