Merge branch 'rancher:main' into nullable-gitrepo-status

Author: cvalerio-va

.github/workflows/golangci-lint.yml

@@ -28,7 +28,7 @@ jobs:
           export PATH=$PATH:/home/runner/go/bin/
 
       - name: golangci-lint
-        uses: golangci/[email protected].0
+        uses: golangci/[email protected].2
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
           version: v1.61.0

.github/workflows/release.yml

@@ -83,7 +83,7 @@ jobs:
 
       - name: Install Cosign
         uses: sigstore/[email protected]
-      - uses: rancherlabs/slsactl/actions/[email protected].8
+      - uses: rancherlabs/slsactl/actions/[email protected].10
 
       - name: "Read Vault Secrets"
         uses: rancher-eio/read-vault-secrets@main
@@ -141,35 +141,33 @@ jobs:
       - name: Create Docker manifest for Prime and sign it
         shell: bash
         run: |
-            for IMAGE in fleet fleet-agent; do
-              URL="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}:${{ github.ref_name }}"
-              docker buildx imagetools create -t "${URL}" \
-                "${URL}-linux-amd64" \
-                "${URL}-linux-arm64"
+          for IMAGE in fleet fleet-agent; do
+            URL="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}:${{ github.ref_name }}"
+            docker buildx imagetools create -t "${URL}" \
+              "${URL}-linux-amd64" \
+              "${URL}-linux-arm64"
 
-              cosign sign --oidc-provider=github-actions --yes "${URL}"
-            done
+            cosign sign --oidc-provider=github-actions --yes "${URL}"
+          done
 
       - name: Attest provenance
         shell: bash
         run: |
           for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep PRIME_REGISTRY | sed "s/{{ .Env.PRIME_REGISTRY }}/${{ env.PRIME_REGISTRY }}/g" | sed "s/{{ .Tag }}/${{ github.ref_name }}/g"); do
             # Extract Docker image reference plus digest from local image
-            URL=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMG_NAME})
+            URL=$(docker inspect --format='{{index .RepoDigests 0}}' "${IMG_NAME}")
 
             max_retries=3
             retry_delay=5
-            i=0
 
-            while [ "${i}" -lt "${max_retries}" ]; do
+            for ((i=0; i<max_retries; i++)); do
               if slsactl download provenance --format=slsav1 "${URL}" > provenance-slsav1.json; then
                 break
               fi
               if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
                 echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry."
                 exit 1
               fi
-              i=$(( i + 1 ))
               sleep "${retry_delay}"
             done
 
@@ -181,25 +179,59 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           repo: "rancher"
         run: |
-          version=$(echo '${{ steps.goreleaser.outputs.metadata }}' | jq -r '.version')
-          tag=$(echo '${{ steps.goreleaser.outputs.metadata }}' | jq -r '.tag')
+          version=$(jq -r '.version' <<< '${{ steps.goreleaser.outputs.metadata }}')
+          tag=$(jq -r '.tag' <<< '${{ steps.goreleaser.outputs.metadata }}')
           echo "publishing helm chart for (repo: $repo, tag: $tag, version: $version)"
 
           # Replace rancher/fleet, rancher/fleet-agent and rancher/gitjob image names, but not eg. rancher/kubectl
           sed -i \
-              -e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
-              -e "s/tag:.*/tag: $tag/" \
-              charts/fleet/values.yaml
+            -e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
+            -e "s/tag:.*/tag: $tag/" \
+            charts/fleet/values.yaml
 
           sed -i \
-              -e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
-              -e "s/tag: dev/tag: $tag/" \
-              charts/fleet-agent/values.yaml
+            -e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
+            -e "s/tag: dev/tag: $tag/" \
+            charts/fleet-agent/values.yaml
 
-          helm package --version="$version" --app-version="$version" -d ./dist ./charts/fleet
-          helm package --version="$version" --app-version="$version" -d ./dist ./charts/fleet-crd
-          helm package --version="$version" --app-version="$version" -d ./dist ./charts/fleet-agent
+          find charts/ -maxdepth 1 -mindepth 1 -type d -exec helm package --version="$version" --app-version="$version" -d ./dist {} \;
 
-          for f in $(find dist/ -name '*.tgz'); do
-            gh release upload $tag $f
-          done
+          find dist/ -name '*.tgz' -exec gh release upload $tag {} +
+
+      - name: Add charts to branch
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          version=$(jq -r '.version' <<< '${{ steps.goreleaser.outputs.metadata }}')
+          branch_version=v$(cut -d'.' -f1,2 <<< "$version")
+          charts_branch=charts/$branch_version
+
+          if [ ! -e ~/.gitconfig ]; then
+            git config --global user.name "fleet-bot"
+            git config --global user.email [email protected]
+          fi
+
+          echo "publishing helm chart in the branch $charts_branch"
+          if ! git show-ref --quiet "refs/heads/$charts_branch"; then
+            git checkout --orphan "$charts_branch"
+            git rm -rf .
+
+            echo "# Fleet Helm Charts for $branch_version versions" > README.md
+            echo "The documentation is centralized in a unique place, checkout https://fleet.rancher.io/." >> README.md
+
+            git checkout origin/main -- LICENSE .gitignore
+
+            git add README.md LICENSE .gitignore
+            git commit -m "Initial commit for $charts_branch"
+          else
+            git checkout "$charts_branch"
+          fi
+
+          mkdir charts
+          find dist/ -name '*.tgz' -exec tar -xf {} -C charts/ \;
+
+          git add charts/**/*
+          git commit -m "Update charts to version $version"
+
+          git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git
+          git push origin "$charts_branch"

.github/workflows/renovate.yml renamed to .github/workflows/renovate-vault.yml

@@ -16,9 +16,13 @@ on:
   schedule:
     - cron: '30 4,6 * * *'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   call-workflow:
-    uses: rancher/renovate-config/.github/workflows/renovate.yml@release
+    uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@release
     with:
       logLevel: ${{ inputs.logLevel || 'info' }}
       overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}

charts/fleet-agent/Chart.yaml

@@ -1,10 +1,12 @@
 annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.33.0-0'
   catalog.cattle.io/namespace: cattle-fleet-system
-  catalog.cattle.io/release-name: fleet-agent
   catalog.cattle.io/os: linux
   catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
+  catalog.cattle.io/release-name: fleet-agent
 apiVersion: v2
 appVersion: 0.0.0
 description: Fleet Agent - GitOps at Scale

charts/fleet-crd/templates/crds.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: bundledeployments.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -1118,7 +1118,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: bundlenamespacemappings.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -1298,7 +1298,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: bundles.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -3245,7 +3245,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: clustergroups.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -3672,7 +3672,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: clusterregistrations.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -3776,7 +3776,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: clusterregistrationtokens.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -3855,7 +3855,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: clusters.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -6065,7 +6065,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: contents.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -6133,7 +6133,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: gitreporestrictions.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -6239,7 +6239,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: gitrepos.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -7091,7 +7091,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: helmapps.fleet.cattle.io
 spec:
   group: fleet.cattle.io
@@ -8971,7 +8971,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: imagescans.fleet.cattle.io
 spec:
   group: fleet.cattle.io

charts/fleet/Chart.yaml

@@ -3,10 +3,12 @@ annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/experimental: "true"
   catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.33.0-0'
   catalog.cattle.io/namespace: cattle-fleet-system
   catalog.cattle.io/os: linux
   catalog.cattle.io/permits-os: linux,windows
   catalog.cattle.io/provides-gvr: clusters.fleet.cattle.io/v1alpha1
+  catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
   catalog.cattle.io/release-name: fleet
 apiVersion: v2
 appVersion: 0.0.0

go.mod

@@ -38,22 +38,22 @@ require (
 	github.com/prometheus/client_model v0.6.1
 	github.com/prometheus/common v0.62.0
 	github.com/rancher/fleet/pkg/apis v0.11.3
-	github.com/rancher/lasso v0.2.0
-	github.com/rancher/wrangler/v3 v3.2.0-rc.2
+	github.com/rancher/lasso v0.2.1
+	github.com/rancher/wrangler/v3 v3.2.0-rc.3
 	github.com/reugn/go-quartz v0.13.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	github.com/testcontainers/testcontainers-go v0.35.0
 	go.uber.org/mock v0.5.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.32.0
+	golang.org/x/crypto v0.33.0
 	golang.org/x/sync v0.11.0
 	gonum.org/v1/gonum v0.15.1
 	gopkg.in/go-playground/webhooks.v5 v5.17.0
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools v2.2.0+incompatible
-	helm.sh/helm/v3 v3.17.0
+	helm.sh/helm/v3 v3.17.1
 	k8s.io/api v0.32.1
 	k8s.io/apiextensions-apiserver v0.32.1
 	k8s.io/apimachinery v0.32.1
@@ -62,12 +62,12 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f
 	k8s.io/kubectl v0.32.1
-	k8s.io/kubernetes v1.32.1
+	k8s.io/kubernetes v1.32.2
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
 	oras.land/oras-go/v2 v2.5.0
 	sigs.k8s.io/cli-utils v0.37.2
-	sigs.k8s.io/controller-runtime v0.19.3
-	sigs.k8s.io/controller-tools v0.16.5
+	sigs.k8s.io/controller-runtime v0.20.1
+	sigs.k8s.io/controller-tools v0.17.2
 	sigs.k8s.io/kustomize/api v0.18.0
 	sigs.k8s.io/kustomize/kyaml v0.18.1
 	sigs.k8s.io/yaml v1.4.0
@@ -117,6 +117,7 @@ require (
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
@@ -134,7 +135,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/gomodule/redigo v2.0.0+incompatible // indirect
-	github.com/google/btree v1.1.2 // indirect
+	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
@@ -204,7 +205,7 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/ulikunitz/xz v0.5.10 // indirect
@@ -225,14 +226,14 @@ require (
 	go.opentelemetry.io/otel/trace v1.33.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
-	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/oauth2 v0.25.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/term v0.28.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.29.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/api v0.155.0 // indirect
 	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
@@ -249,7 +250,7 @@ require (
 	k8s.io/component-base v0.32.1 // indirect
 	k8s.io/component-helpers v0.32.1 // indirect
 	k8s.io/controller-manager v0.32.1 // indirect
-	k8s.io/gengo v0.0.0-20240911193312-2b36238f13e9 // indirect
+	k8s.io/gengo v0.0.0-20250130153323-76c5745d3511 // indirect
 	k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 // indirect
 	k8s.io/helm v2.17.0+incompatible // indirect
 	oras.land/oras-go v1.2.5 // indirect