Merge branch 'master' into v2.1.1_branch

Signed-off-by: Mauro Morales <[email protected]>

.github/ISSUE_TEMPLATE/release.md

@@ -17,13 +17,21 @@ assignees: mudler
 ## ✅ Release Checklist
 
 - [ ] **Stage 0 - Finishing Touches**
-    - [ ] Check kairos/packages, and for any needed update
+    - [ ] Check if Kairos-docs were updated and consider tagging them with the same version as Kairos
+    - [ ] Check if osbuilder is in the wanted version/latest
+    - [ ] Check if any kairos/packages was bumped and they were merged and repo updated (https://github.com/kairos-io/packages)
+    - [ ] Check latest repository update was merged, otherwise trigger its job (https://github.com/kairos-io/kairos/actions/workflows/bump_repos.yml)
     - [ ] Make sure CI tests are passing.
     - [ ] Consider cutting an `rc`, `alpha`, ... based on changes on the CI
 - [ ] **Stage 1 - Manual testing**
   - How: Using the assets from master, make sure that test scenarios not covered by automatic tests are passing, and that docs are still aligned
     - [ ] Fedora flavor install, and manual upgrade works
+    - [ ] Any flavor interactive install
+    - [ ] Any flavor recovery reset
     - [ ] ARM images (openSUSE, alpine) boots and manual upgrade works
+    - [ ] ARM images passive and recovery booting
+    - [ ] ARM images reset works
+    - [ ] ARM images /oem exists
 - [ ] **Stage 3 - Release**
   - [ ] Tag the release on master.
 - [ ] **Stage 4 - Update provider-kairos**
@@ -34,4 +42,4 @@ assignees: mudler
   - [ ] Update the `CORE_VERSION` file of `kairos-io/provider` to match the release tag of `kairos-io/kairos`
   - [ ] Tag the release on `provider-kairos`
 - [ ] **Stage 5 - Announcement**
-  - [ ] Blog post announcement
+  - [ ] Blog post announcement

.github/encryption-tests.sh

@@ -7,53 +7,57 @@ set -ex
 
 GINKGO_NODES="${GINKGO_NODES:-1}"
 K3S_IMAGE="rancher/k3s:v1.26.1-k3s1"
-
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 CLUSTER_NAME=$(echo $RANDOM | md5sum | head -c 10; echo;)
-KUBECONFIG=$(mktemp)
-export KUBECONFIG
-
-cleanup() {
-  echo "Cleaning up $CLUSTER_NAME"
-  k3d cluster delete "$CLUSTER_NAME" || true
-  rm -rf "$KUBECONFIG"
-}
-trap cleanup EXIT
-
-# Create a cluster and bind ports 80 and 443 on the host
-# This will allow us to access challenger server on 10.0.2.2 which is the IP
-# on which qemu "sees" the host.
-# We change the CIDR because k3s creates iptables rules that block DNS traffic to this CIDR
-# (something like that). If you run k3d inside a k3s cluster (inside a Pod), DNS won't work
-# inside the k3d server container unless you use a different CIDR.
-# Here we are avoiding CIDR "10.43.x.x"
-k3d cluster create "$CLUSTER_NAME" --k3s-arg "--cluster-cidr=10.49.0.1/16@server:0" --k3s-arg "--service-cidr=10.48.0.1/16@server:0" -p '80:80@server:0' -p '443:443@server:0' --image "$K3S_IMAGE"
-k3d kubeconfig get "$CLUSTER_NAME" > "$KUBECONFIG"
-
-# Import the image to the cluster
-#docker pull quay.io/kairos/kcrypt-challenger:latest
-#k3d image import -c "$CLUSTER_NAME" quay.io/kairos/kcrypt-challenger:latest
-
-# Install cert manager
-kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
-kubectl wait --for=condition=Available deployment --timeout=2m -n cert-manager --all
-
-# Replace the CLUSTER_IP in the kustomize resource
-# Only needed for debugging so that we can access the server from the host
-# (the 10.0.2.2 IP address is only useful from within qemu)
-CLUSTER_IP=$(docker inspect "k3d-${CLUSTER_NAME}-server-0"  | jq -r '.[0].NetworkSettings.Networks[].IPAddress')
-export CLUSTER_IP
-
-envsubst \
-    < "$SCRIPT_DIR/../tests/assets/encryption/challenger-server-ingress.template.yaml" \
-    > "$SCRIPT_DIR/../tests/assets/encryption/challenger-server-ingress.yaml"
-
-# Install the challenger server kustomization
-kubectl apply -k "$SCRIPT_DIR/../tests/assets/encryption/"
-
-# 10.0.2.2 is where the vm sees the host
-# https://stackoverflow.com/a/6752280
-export KMS_ADDRESS="10.0.2.2.challenger.sslip.io"
+
+
+if [ "$LABEL" != "local-encryption" ]; then
+  KUBECONFIG=$(mktemp)
+  export KUBECONFIG
+
+  cleanup() {
+    echo "Cleaning up $CLUSTER_NAME"
+    k3d cluster delete "$CLUSTER_NAME" || true
+    rm -rf "$KUBECONFIG"
+  }
+  trap cleanup EXIT
+
+  # Create a cluster and bind ports 80 and 443 on the host
+  # This will allow us to access challenger server on 10.0.2.2 which is the IP
+  # on which qemu "sees" the host.
+  # We change the CIDR because k3s creates iptables rules that block DNS traffic to this CIDR
+  # (something like that). If you run k3d inside a k3s cluster (inside a Pod), DNS won't work
+  # inside the k3d server container unless you use a different CIDR.
+  # Here we are avoiding CIDR "10.43.x.x"
+  k3d cluster create "$CLUSTER_NAME" --k3s-arg "--cluster-cidr=10.49.0.1/16@server:0" --k3s-arg "--service-cidr=10.48.0.1/16@server:0" -p '80:80@server:0' -p '443:443@server:0' --image "$K3S_IMAGE"
+  k3d kubeconfig get "$CLUSTER_NAME" > "$KUBECONFIG"
+
+  # Import the image to the cluster
+  #docker pull quay.io/kairos/kcrypt-challenger:latest
+  #k3d image import -c "$CLUSTER_NAME" quay.io/kairos/kcrypt-challenger:latest
+
+  # Install cert manager
+  kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
+  kubectl wait --for=condition=Available deployment --timeout=2m -n cert-manager --all
+
+  # Replace the CLUSTER_IP in the kustomize resource
+  # Only needed for debugging so that we can access the server from the host
+  # (the 10.0.2.2 IP address is only useful from within qemu)
+  CLUSTER_IP=$(docker inspect "k3d-${CLUSTER_NAME}-server-0"  | jq -r '.[0].NetworkSettings.Networks[].IPAddress')
+  export CLUSTER_IP
+
+  envsubst \
+      < "$SCRIPT_DIR/../tests/assets/encryption/challenger-server-ingress.template.yaml" \
+      > "$SCRIPT_DIR/../tests/assets/encryption/challenger-server-ingress.yaml"
+
+  # Install the challenger server kustomization
+  kubectl apply -k "$SCRIPT_DIR/../tests/assets/encryption/"
+
+  # 10.0.2.2 is where the vm sees the host
+  # https://stackoverflow.com/a/6752280
+  export KMS_ADDRESS="10.0.2.2.challenger.sslip.io"
+fi
+
 
 pushd "$SCRIPT_DIR/../tests/"
 go run github.com/onsi/ginkgo/v2/ginkgo -v --nodes "$GINKGO_NODES" --label-filter "$LABEL" --fail-fast -r ./...

.github/flavors-arm.json

@@ -1,26 +1,37 @@
 [
     {
        "flavor": "opensuse-leap-arm-rpi",
-       "model": "rpi64"
+       "model": "rpi64",
+       "worker": "ubuntu-latest"
     },
     {
         "flavor": "opensuse-tumbleweed-arm-rpi",
-        "model": "rpi64"
+        "model": "rpi64",
+        "worker": "ubuntu-latest"
     },
     {
         "flavor": "alpine-arm-rpi",
-        "model": "rpi64"
+        "model": "rpi64",
+        "worker": "ubuntu-latest"
     },
     {
         "flavor": "ubuntu-arm-rpi",
-        "model": "rpi64"
+        "model": "rpi64",
+        "worker": "ubuntu-latest"
     },
     {
         "flavor": "ubuntu-20-lts-arm-rpi",
-        "model": "rpi64"
+        "model": "rpi64",
+        "worker": "ubuntu-latest"
     },
     {
         "flavor": "ubuntu-22-lts-arm-rpi",
-        "model": "rpi64"
+        "model": "rpi64",
+        "worker": "ubuntu-latest"
+    },
+    {
+        "flavor": "ubuntu-20-lts-arm-nvidia-jetson-agx-orin",
+        "model": "none",
+        "worker": "self-hosted"
     }
 ]

.github/flavors.json

@@ -1,16 +1,20 @@
 [
     {
-       "flavor": "opensuse-leap"
+        "flavor": "opensuse-leap"
     },
     {
-       "flavor": "opensuse-tumbleweed"
+        "flavor": "opensuse-tumbleweed"
     },
     {
         "flavor": "ubuntu"
     },
     {
         "flavor": "ubuntu-20-lts"
     },
+    {
+        "flavor": "ubuntu-20-lts-fips",
+        "frameworkonly": "true"
+    },
     {
         "flavor": "ubuntu-22-lts"
     },
@@ -28,5 +32,8 @@
     },
     {
         "flavor": "rockylinux"
+    },
+    {
+        "flavor": "almalinux"
     }
-]
+]

.github/workflows/image-arm.yaml

@@ -7,7 +7,6 @@ on:
   pull_request:
     paths:
       - '**'
-      - '!docs/**'
 
 concurrency:
   group: ci-arm-${{ github.head_ref || github.ref }}-${{ github.repository }}
@@ -37,7 +36,7 @@ jobs:
   docker:
     needs:
     - get-matrix
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.worker }}
     permissions:
       id-token: write  # OIDC support
       contents: write
@@ -48,9 +47,38 @@ jobs:
       matrix: ${{fromJson(needs.get-matrix.outputs.matrix)}}
     steps:
       - name: Release space from worker
+        if: ${{ matrix.worker != 'self-hosted' }}
         run: |
-          sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
-          sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
+          echo "Listing top largest packages"
+          pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
+          head -n 30 <<< "${pkgs}"
+          echo
+          df -h
+          echo
+          sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
+          sudo apt-get remove --auto-remove android-sdk-platform-tools || true
+          sudo apt-get purge --auto-remove android-sdk-platform-tools || true
+          sudo rm -rf /usr/local/lib/android
+          sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
+          sudo rm -rf /usr/share/dotnet
+          sudo apt-get remove -y '^mono-.*' || true
+          sudo apt-get remove -y '^ghc-.*' || true
+          sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
+          sudo apt-get remove -y 'php.*' || true
+          sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
+          sudo apt-get remove -y '^google-.*' || true
+          sudo apt-get remove -y azure-cli || true
+          sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
+          sudo apt-get remove -y '^gfortran-.*' || true
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+          echo
+          echo "Listing top largest packages"
+          pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
+          head -n 30 <<< "${pkgs}"
+          echo
+          sudo rm -rfv build || true
+          df -h
       - uses: actions/checkout@v3
       - run: |
           git fetch --prune --unshallow
@@ -66,12 +94,49 @@ jobs:
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@master
-      - name: Build  🔧
+      - name: Install earthly
+        uses: Luet-lab/luet-install-action@v1
+        with:
+          repository: quay.io/kairos/packages
+          packages: utils/earthly
+      - name: Set compression for PR
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          echo "IMG_COMPRESSION=zstd" >> $GITHUB_ENV
+      - name: Set compression for master
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        run: |
+          echo "IMG_COMPRESSION=xz" >> $GITHUB_ENV
+      - name: Standard Build  🔧
+        if: ${{ matrix.worker != 'self-hosted' }}
         env:
           FLAVOR: ${{ matrix.flavor }}
           MODEL: ${{ matrix.model }}
         run: |
-          ./earthly.sh +all-arm --IMAGE_NAME=kairos-$FLAVOR-latest.img --IMAGE=quay.io/kairos/core-$FLAVOR:latest --MODEL=$MODEL --FLAVOR=$FLAVOR
+          ./earthly.sh +all-arm --IMAGE_NAME=kairos-$FLAVOR-latest.img --IMAGE=quay.io/kairos/core-$FLAVOR:latest --MODEL=$MODEL --FLAVOR=$FLAVOR --IMG_COMPRESSION=${{env.IMG_COMPRESSION}}
+      - name: Selfhosted Build  🔧
+        if: ${{ matrix.worker == 'self-hosted' }}
+        env:
+          FLAVOR: ${{ matrix.flavor }}
+          MODEL: ${{ matrix.model }}
+        run: |
+          # Configure earthly to use the docker mirror in CI
+          # https://docs.earthly.dev/ci-integration/pull-through-cache#configuring-earthly-to-use-the-cache
+          mkdir -p ~/.earthly/
+          cat << EOF > ~/.earthly/config.yml
+          global:
+            buildkit_additional_config: |
+              [registry."docker.io"]
+                mirrors = ["registry.docker-mirror.svc.cluster.local:5000"]
+              [registry."registry.docker-mirror.svc.cluster.local:5000"]
+                insecure = true
+                http = true
+          EOF
+          docker run --privileged -v $HOME/.earthly/config.yml:/etc/.earthly/config.yml -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -v "$(pwd)":/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.7.5 --allow-privileged +all-arm --IMAGE_NAME=kairos-$FLAVOR-latest.img --IMAGE=quay.io/kairos/core-$FLAVOR:latest --MODEL=$MODEL --FLAVOR=$FLAVOR --IMG_COMPRESSION=${{env.IMG_COMPRESSION}}
+      - name: Show img sizes
+        run: |
+          ls -ltra build
+          ls -ltrh build
       - name: Push  🔧
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         env:
@@ -111,6 +176,7 @@ jobs:
           # in-toto attestation
           cosign attest --type spdx --predicate $spdx $image_ref
       - name: Upload results
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         uses: actions/upload-artifact@v3
         with:
           name: ${{ matrix.flavor }}-image