Merge pull request #239204 from euank/euan/k3s-1-27-bump

pkgs/applications/networking/cluster/k3s/1_27/chart-versions.nix

@@ -1,10 +1,10 @@
 {
     traefik-crd  = {
-        url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-20.3.1+up20.3.0.tgz";
-        sha256 = "1775vjldvqvhzdbzanxhbaqbmkih09yb91im651q8bc7z5sb9ckn";
+        url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-21.2.1+up21.2.0.tgz";
+        sha256 = "05j3vyikb7g2z2i07rij9h4ki5lb2hb2rynpiqfd4l1y5qm0qhw9";
     };
     traefik = {
-        url = "https://k3s.io/k3s-charts/assets/traefik/traefik-20.3.1+up20.3.0.tgz";
-        sha256 = "1rj0f0n0vgjcbzfwzhqmsd501i2f6vw145w9plbp8gwdyzmg2nc6";
+        url = "https://k3s.io/k3s-charts/assets/traefik/traefik-21.2.1+up21.2.0.tgz";
+        sha256 = "0gvz0yzph2893scd0q10b938yc7f36b3zqs57pkjgqqpl1d0nwhg";
     };
 }

pkgs/applications/networking/cluster/k3s/1_27/versions.nix

@@ -1,14 +1,14 @@
 {
-  k3sVersion = "1.27.1+k3s1";
-  k3sCommit = "bc5b42c27908ab430101eff0db0a0b22f870bd7a";
-  k3sRepoSha256 = "1xj3blfayrsfbcsljjdaswy49hhz8yiwf1d85arnsgbn8fidswpm";
-  k3sVendorSha256 = "sha256-+sM2fjS88kxMQzra2t+jU1IaKCoJpW7p3w7lCOv5mMU=";
+  k3sVersion = "1.27.2+k3s1";
+  k3sCommit = "213d7ad499e166290872f51c63d8eaa2f1fe78b3";
+  k3sRepoSha256 = "0qjkrhmjf4fyclnpyhb059dzxghpzshrs5a5z1vc83mrz1zg6vbq";
+  k3sVendorSha256 = "sha256-ZSfQIBS8KsNkYPUH2er6iL3A02SIJwXZ5YLd3NYFl8E=";
   chartVersions = import ./chart-versions.nix;
-  k3sRootVersion = "0.12.1";
-  k3sRootSha256 = "0724yx3zk89m2239fmdgwzf9w672pik71xqrvgb7pdmknmmdn9f4";
-  k3sCNIVersion = "1.1.1-k3s1";
-  k3sCNISha256 = "14mb3zsqibj1sn338gjmsyksbm0mxv9p016dij7zidccx2rzn6nl";
-  containerdVersion = "1.6.19-k3s1";
-  containerdSha256 = "12dwqh77wplg30kdi73d90qni23agw2cwxjd2p5lchq86mpmmwwr";
+  k3sRootVersion = "0.12.2";
+  k3sRootSha256 = "1gjynvr350qni5mskgm7pcc7alss4gms4jmkiv453vs8mmma9c9k";
+  k3sCNIVersion = "1.2.0-k3s1";
+  k3sCNISha256 = "0hzcap4vbl94zsiqc66dlwjgql50gw5g6f0adag0p8yqwcy6vaw2";
+  containerdVersion = "1.7.1-k3s1";
+  containerdSha256 = "00k7nkclfxwbzcgnn8s7rkrxyn0zpk57nyy18icf23wsj352gfrn";
   criCtlVersion = "1.26.0-rc.0-k3s1";
 }

pkgs/applications/networking/cluster/k3s/builder.nix

@@ -21,6 +21,13 @@ lib:
   # run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
   criCtlVersion,
   updateScript ? null,
+  # multicallContainerd is a temporary variable for migrating k3s versions
+  # forward, and can be removed once all callers set it.
+  # It is here so we can update 1.26 and 1.27 independently, but they'll both migrate to this.
+  # This variable controls whether we build with containerd as a separate
+  # binary, or as a k3s multicall. Upstream k3s changed this in 1.27.2 and
+  # 1.26.5. See https://github.com/k3s-io/k3s/issues/7419 for more context
+  multicallContainerd ? false,
 }:
 
 # builder.nix contains a "builder" expression that, given k3s version and hash
@@ -186,21 +193,28 @@ let
     subPackages = [ "cmd/server" ];
     ldflags = versionldflags;
 
-    tags = [ "libsqlite3" "linux" ];
+    tags = [ "libsqlite3" "linux" ] ++ lib.optional multicallContainerd "ctrd";
 
     # create the multicall symlinks for k3s
     postInstall = ''
       mv $out/bin/server $out/bin/k3s
       pushd $out
       # taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/build#L105-L113
-      ln -s k3s ./bin/k3s-agent
-      ln -s k3s ./bin/k3s-server
-      ln -s k3s ./bin/k3s-etcd-snapshot
-      ln -s k3s ./bin/k3s-secrets-encrypt
-      ln -s k3s ./bin/k3s-certificate
-      ln -s k3s ./bin/kubectl
       ln -s k3s ./bin/crictl
       ln -s k3s ./bin/ctr
+      ln -s k3s ./bin/k3s-agent
+      ln -s k3s ./bin/k3s-certificate
+      ln -s k3s ./bin/k3s-completion
+      ln -s k3s ./bin/k3s-etcd-snapshot
+      ln -s k3s ./bin/k3s-secrets-encrypt
+      ln -s k3s ./bin/k3s-server
+      ln -s k3s ./bin/k3s-token
+      ln -s k3s ./bin/kubectl
+    '' + lib.optionalString multicallContainerd ''
+      # for the multicall binary, also do containerd per
+      # https://github.com/k3s-io/k3s/blob/v1.27.2%2Bk3s1/scripts/build#L136-L146
+      ln -s k3s ./bin/containerd
+    '' + ''
       popd
     '';
 
@@ -208,6 +222,8 @@ let
       description = "The various binaries that get packaged into the final k3s binary";
     };
   };
+  # For the multicall binary, only used for the shim
+  # https://github.com/k3s-io/k3s/blob/v1.27.2%2Bk3s1/scripts/build#L153
   k3sContainerd = buildGoModule {
     pname = "k3s-containerd";
     version = containerdVersion;
@@ -219,7 +235,7 @@ let
     };
     vendorSha256 = null;
     buildInputs = [ btrfs-progs ];
-    subPackages = [ "cmd/containerd" "cmd/containerd-shim-runc-v2" ];
+    subPackages = [ "cmd/containerd-shim-runc-v2" ] ++ lib.optional (!multicallContainerd) "cmd/containerd";
     ldflags = versionldflags;
   };
 in
@@ -227,6 +243,7 @@ buildGoModule rec {
   pname = "k3s";
   version = k3sVersion;
 
+  tags = [ "libsqlite3" "linux" ] ++ lib.optional multicallContainerd "ctrd";
   src = k3sRepo;
   vendorSha256 = k3sVendorSha256;
 
@@ -263,6 +280,7 @@ buildGoModule rec {
     ethtool
     util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
     conntrack-tools
+    runc
   ];
 
   buildInputs = k3sRuntimeDeps;
@@ -279,7 +297,6 @@ buildGoModule rec {
     k3sCNIPlugins
     k3sContainerd
     k3sServer
-    runc
   ];
 
   # We override most of buildPhase due to peculiarities in k3s's build.
@@ -293,9 +310,9 @@ buildGoModule rec {
     # copy needed 'go generate' inputs into place
     mkdir -p ./bin/aux
     rsync -a --no-perms ${k3sServer}/bin/ ./bin/
-    ln -vsf ${runc}/bin/runc ./bin/runc
     ln -vsf ${k3sCNIPlugins}/bin/cni ./bin/cni
-    ln -vsf ${k3sContainerd}/bin/* ./bin/
+    ln -vsf ${k3sContainerd}/bin/containerd-shim-runc-v2 ./bin
+    ${lib.optionalString (!multicallContainerd) "ln -vsf ${k3sContainerd}/bin/containerd ./bin/"}
     rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
     mkdir -p ./build/static/charts
 

pkgs/applications/networking/cluster/k3s/default.nix

@@ -22,6 +22,7 @@ in
 
   # 1_27 can be built with the same builder as 1_26
   k3s_1_27 = common ((import ./1_27/versions.nix) // {
-    updateScript = ./1_27/update-script.sh;
+    multicallContainerd = true;
+    updateScript = [ ./update-script.sh "27" ];
   }) { };
 }

pkgs/applications/networking/cluster/k3s/update-script.sh

@@ -3,6 +3,8 @@
 
 set -x -eu -o pipefail
 
+MINOR_VERSION="${1:?Must provide a minor version number, like '26', as the only argument}"
+
 WORKDIR=$(mktemp -d)
 trap "rm -rf ${WORKDIR}" EXIT
 
@@ -10,12 +12,15 @@ NIXPKGS_ROOT="$(git rev-parse --show-toplevel)"/
 NIXPKGS_K3S_PATH=$(cd $(dirname ${BASH_SOURCE[0]}); pwd -P)/
 cd ${NIXPKGS_K3S_PATH}
 
+cd 1_${MINOR_VERSION}
+
+
 LATEST_TAG_RAWFILE=${WORKDIR}/latest_tag.json
 curl --silent -f ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} \
     https://api.github.com/repos/k3s-io/k3s/releases > ${LATEST_TAG_RAWFILE}
 
 LATEST_TAG_NAME=$(jq 'map(.tag_name)' ${LATEST_TAG_RAWFILE} | \
-    grep -v -e rc -e engine | tail -n +2 | head -n -1 | sed 's|[", ]||g' | sort -rV | head -n1)
+    grep -v -e rc -e engine | tail -n +2 | head -n -1 | sed 's|[", ]||g' | sort -rV | grep -E "^v1\.${MINOR_VERSION}\." | head -n1)
 
 K3S_VERSION=$(echo ${LATEST_TAG_NAME} | sed 's/^v//')
 
@@ -76,8 +81,9 @@ CNIPLUGINS_VERSION=$(grep 'VERSION_CNIPLUGINS=' ${FILE_SCRIPTS_VERSION} \
 CNIPLUGINS_SHA256=$(nix-prefetch-url --quiet --unpack \
     "https://github.com/rancher/plugins/archive/refs/tags/v${CNIPLUGINS_VERSION}.tar.gz")
 
-CONTAINERD_VERSION=$(grep 'VERSION_CONTAINERD=' ${FILE_SCRIPTS_VERSION} \
-    | cut -d'=' -f2 | sed -e 's/"//g' -e 's/^v//')
+# mimics https://github.com/k3s-io/k3s/blob/v1.26.5%2Bk3s1/scripts/version.sh#L25
+CONTAINERD_VERSION=$(grep github.com/containerd/containerd ${FILE_GO_MOD} \
+    | head -n1 | awk '{print $4}' | sed -e 's/^v//')
 CONTAINERD_SHA256=$(nix-prefetch-url --quiet --unpack \
     "https://github.com/k3s-io/containerd/archive/refs/tags/v${CONTAINERD_VERSION}.tar.gz")
 
@@ -108,20 +114,24 @@ cat >versions.nix <<EOF
 EOF
 
 set +e
-K3S_VENDOR_SHA256=$(nix-prefetch -I nixpkgs=${NIXPKGS_ROOT} "{ sha256 }: (import ${NIXPKGS_ROOT}. {}).k3s.go-modules.overrideAttrs (_: { vendorSha256 = sha256; })")
+K3S_VENDOR_SHA256=$(nix-prefetch -I nixpkgs=${NIXPKGS_ROOT} "{ sha256 }: (import ${NIXPKGS_ROOT}. {}).k3s_1_${MINOR_VERSION}.go-modules.overrideAttrs (_: { vendorSha256 = sha256; })")
 set -e
 
 if [ -n "${K3S_VENDOR_SHA256:-}" ]; then
-    sed "s|${FAKE_HASH}|${K3S_VENDOR_SHA256}|g" ./versions.nix
+    sed -i "s|${FAKE_HASH}|${K3S_VENDOR_SHA256}|g" ./versions.nix
 else
     echo "Update failed. K3S_VENDOR_SHA256 is empty."
     exit 1
 fi
 
-# `git` flag here is to be used by local maintainers to speed up the bump process
-if [ $# -eq 1 ] && [ "$1" = "git" ]; then
-    OLD_VERSION="$(nix-instantiate --eval -E "with import $NIXPKGS_ROOT. {}; k3s.version or (builtins.parseDrvName k3s.name).version" | tr -d '"')"
-    git switch -c "package-k3s-${K3S_VERSION}"
-    git add "$NIXPKGS_K3S_PATH"/default.nix
-    git commit -m "k3s: ${OLD_VERSION} -> ${K3S_VERSION}"
-fi
+# Implement commit
+# See https://nixos.org/manual/nixpkgs/stable/#var-passthru-updateScript-commit
+OLD_VERSION="$(nix-instantiate --eval -E "with import $NIXPKGS_ROOT. {}; k3s.version or (builtins.parseDrvName k3s.name).version" | tr -d '"')"
+cat <<EOF
+[{
+    "attrPath": "k3s_1_${MINOR_VERSION}",
+    "oldVersion": "$OLD_VERSION",
+    "newVersion": "$K3S_VERSION",
+    "files": ["$PWD/versions.nix","$PWD/chart-versions.nix"]
+}]
+EOF