Wpb 11492 bump k8s

ansible/inventory/offline/group_vars/all/offline.yml

@@ -20,8 +20,8 @@ docker_ubuntu_repo_gpgkey: "{{ ubuntu_repos }}/gpg"
 binaries_url: "http://{{ assethost_host }}/binaries"
 nodelocaldns_ip: 10.233.0.10
 
-kube_version: "v1.28.2"
-etcd_version: "v3.5.10"
+kube_version: "v1.29.10"
+etcd_version: "v3.5.16"
 
 kubeadm_download_url: "{{ binaries_url }}/kubeadm"
 kubectl_download_url: "{{ binaries_url }}/kubectl"
@@ -67,7 +67,7 @@ syslog_target_ip: 12.34.56.78
 # OVERRIDES
 
 coredns_version: "v1.11.4"
-ingress_nginx_version: "v1.10.6"
+ingress_nginx_version: "v1.12.1"
 metrics_server_version: "v0.7.2"
 ingress_nginx_kube_webhook_certgen_image_tag: "v20231011-8b53cabe0"
 cert_manager_version: "v1.16.3"

default.nix

@@ -26,13 +26,13 @@ rec {
   env = pkgs.buildEnv {
     name = "wire-server-deploy";
     paths = with pkgs; [
-      ansible_2_15
+      ansible_2_16
       pythonForAnsible
       jmespath
       apacheHttpd
       awscli2
       gnumake
-      gnupg
+      gnupg1
 
       kubernetes-tools
 

nix/overlay.nix

@@ -3,7 +3,7 @@ let helm-mapkubeapis = self.callPackage ./pkgs/helm-mapkubeapis.nix { };
 in
 super: {
   pythonForAnsible = (self.python3.withPackages (_: self.ansible.requiredPythonModules ++ [
-    super.python3Packages.boto
+    super.python3Packages.botocore
     super.python3Packages.boto3
     super.python3Packages.cryptography
     super.python3Packages.six
@@ -37,7 +37,7 @@ super: {
 
       install -Dm755 ${./scripts/generate-gpg1-key.sh} $out/bin/generate-gpg1-key
       # we *--set* PATH here, to ensure we don't pick wrong gpgs
-      wrapProgram $out/bin/generate-gpg1-key --set PATH '${super.lib.makeBinPath (with self; [ bash coreutils gnupg1orig ])}'
+      wrapProgram $out/bin/generate-gpg1-key --set PATH '${super.lib.makeBinPath (with self; [ bash coreutils gnupg1 ])}'
     '';
   mirror-apt-jammy = super.runCommandNoCC "mirror-apt-jammy"
     {
@@ -46,7 +46,7 @@ super: {
     ''
       install -Dm755 ${./scripts/mirror-apt-jammy.sh} $out/bin/mirror-apt-jammy
       # we need to *--set* PATH here, otherwise aptly will pick the wrong gpg
-      wrapProgram $out/bin/mirror-apt-jammy --set PATH '${super.lib.makeBinPath (with self; [ aptly bash coreutils curl gnupg1orig gnused gnutar ])}'
+      wrapProgram $out/bin/mirror-apt-jammy --set PATH '${super.lib.makeBinPath (with self; [ aptly bash coreutils curl gnupg1 gnused gnutar ])}'
     '';
 
   create-container-dump = super.runCommandNoCC "create-container-dump"

nix/pkgs/kubernetes-tools.nix

@@ -3,13 +3,13 @@
 
 buildGoModule rec {
   pname = "kubernetes";
-  version = "1.28.2";
+  version = "1.29.10";
 
   src = fetchFromGitHub {
     owner = "kubernetes";
     repo = "kubernetes";
     rev = "v${version}";
-    hash = "sha256-7juoX4nFvQbIIbhTlnIYVUEYUJGwu+aKrpw4ltujjXI=";
+    hash = "sha256-28cgqn/PRWJyb5uRKW/moX0kCDzEPAxc+YAkZBq/j2U=";
   };
 
   vendorHash = null;

nix/pkgs/wire-binaries.nix

@@ -6,16 +6,16 @@ let
   image_arch = "amd64";
 
   # These values are manually kept in sync with:
-  # https://github.com/kubernetes-sigs/kubespray/blob/release-2.24/roles/kubespray-defaults/defaults/main/download.yml
+  # https://github.com/kubernetes-sigs/kubespray/blob/release-2.25/roles/kubespray-defaults/defaults/main/download.yml
   # TODO: Find a better process. Automate this!
-  kube_version = "v1.28.2";
-  etcd_version = "v3.5.10";
+  kube_version = "v1.29.10";
+  etcd_version = "v3.5.16";
   cni_version = "v1.3.0";
-  calico_version = "v3.26.4";
-  crictl_version = "v1.28.0";
-  runc_version = "v1.1.10";
-  nerdctl_version = "1.7.1";
-  containerd_version = "1.7.11";
+  calico_version = "v3.27.4";
+  crictl_version = "v1.29.0";
+  runc_version = "v1.1.14";
+  nerdctl_version = "1.7.7";
+  containerd_version = "1.7.22";
   minio_version = "RELEASE.2023-07-07T07-13-57Z";
   mc_version = "RELEASE.2023-10-24T05-18-28Z";
 
@@ -27,53 +27,53 @@ let
   srcs = {
     kubelet = fetchurl rec {
       passthru.url = url;
-      url = "https://storage.googleapis.com/kubernetes-release/release/${ kube_version }/bin/linux/${ image_arch }/kubelet";
-      sha256 = "17edb866636f14eceaad58c56eab12af7ab3be3c78400aff9680635d927f1185";
+      url = "https://dl.k8s.io/release/${kube_version}/bin/linux/${image_arch}/kubelet";
+      sha256 = "sha256-TMCUBizRz/ScpVEghjVmmrhuOYLTjo0Kd6uDOpQf9wg=";
     };
     kubeadm = fetchurl rec {
       passthru.url = url;
-      url = "https://storage.googleapis.com/kubernetes-release/release/${ kube_version }/bin/linux/${ image_arch }/kubeadm";
-      sha256 = "6a4808230661c69431143db2e200ea2d021c7f1b1085e6353583075471310d00";
+      url = "https://dl.k8s.io/release/${kube_version}/bin/linux/${image_arch}/kubeadm";
+      sha256 = "sha256-kJjJCODzpgHovvmyzbSpd34YIEWVplQr5Ys5KMe1FEA=";
     };
     kubectl = fetchurl rec {
       passthru.url = url;
-      url = "https://storage.googleapis.com/kubernetes-release/release/${ kube_version }/bin/linux/${ image_arch }/kubectl";
-      sha256 = "c922440b043e5de1afa3c1382f8c663a25f055978cbc6e8423493ec157579ec5";
+      url = "https://dl.k8s.io/release/${kube_version}/bin/linux/${image_arch}/kubectl";
+      sha256 = "sha256-JPLwmmNdNrLONurr8ZEybislCX7sVBo+R/7mcm7wbO8=";
     };
     crictl = fetchurl rec {
       passthru.url = url;
       url = "https://github.com/kubernetes-sigs/cri-tools/releases/download/${ crictl_version }/crictl-${ crictl_version }-linux-${ image_arch }.tar.gz";
-      sha256 = "8dc78774f7cbeaf787994d386eec663f0a3cf24de1ea4893598096cb39ef2508";
+      sha256 = "d16a1ffb3938f5a19d5c8f45d363bd091ef89c0bc4d44ad16b933eede32fdcbb";
     };
     containerd = fetchurl rec {
       passthru.url = url;
       url = "https://github.com/containerd/containerd/releases/download/v${ containerd_version }/containerd-${ containerd_version }-linux-${ image_arch }.tar.gz";
-      sha256 = "d66161d54546fad502fd50a13fcb79efff033fcd895adc9c44762680dcde4e69";
+      sha256 = "f8b2d935d1f86003f4e0c1af3b9f0d2820bacabe6dc9f562785b74af24c5e468";
     };
     runc = fetchurl rec {
       passthru.url = url;
       url = "https://github.com/opencontainers/runc/releases/download/${ runc_version }/runc.${ image_arch }";
-      sha256 = "81f73a59be3d122ab484d7dfe9ddc81030f595cc59968f61c113a9a38a2c113a";
+      sha256 = "a83c0804ebc16826829e7925626c4793da89a9b225bbcc468f2b338ea9f8e8a8";
     };
     calico_crds = fetchurl rec {
       passthru.url = url;
       url = "https://github.com/projectcalico/calico/archive/${ calico_version }.tar.gz";
-      sha256 = "481e52de684c049f3f7f7bac78f0f6f4ae424d643451adc9e3d3fa9d03fb6d57";
+      sha256 = "5f6ac510bd6bd8c14542afe91f7dbcf2a846dba02ae3152a3b07a1bfdea96078";
     };
     nerdctl = fetchurl rec {
       passthru.url = url;
       url = "https://github.com/containerd/nerdctl/releases/download/v${ nerdctl_version }/nerdctl-${ nerdctl_version }-linux-${ image_arch }.tar.gz";
-      sha256 = "5fc0a6e8c3a71cbba95fbdb6833fb8a7cd8e78f53de10988362d4029c14b905a";
+      sha256 = "298bb95aee485b24d566115ef7e4e90951dd232447b05de5646a652a23db70a9";
     };
     calicoctl = fetchurl rec {
       passthru.url = url;
       url = "https://github.com/projectcalico/calico/releases/download/${ calico_version }/calicoctl-linux-${ image_arch }";
-      sha256 = "9960357ef6d61eda7abf80bd397544c1952f89d61e5eaf9f6540dae379a3ef61";
+      sha256 = "84f2bd29ef7b06e85a2caf0b6c6e0d3da5ab5264d46b360e6baaf49bbc3b957d";
     };
     etcd = fetchurl rec {
       passthru.url = url;
       url = "https://github.com/coreos/etcd/releases/download/${ etcd_version }/etcd-${ etcd_version }-linux-${ image_arch }.tar.gz";
-      sha256 = "26e90d024fa2310bc52bb40e7f2132e81640b55f8fc446c00ae07e30af2a44fd";
+      sha256 = "b414b27a5ad05f7cb01395c447c85d3227e3fb1c176e51757a283b817f645ccc";
     };
     cni = fetchurl rec {
       passthru.url = url;

nix/scripts/mirror-apt-jammy.sh

@@ -22,6 +22,7 @@ aptly_root=$1
 mkdir -p "$aptly_root"
 shift
 
+#export APTLY_SKIP_GPG_VERSION_CHECK=1
 
 # NOTE:  These are all the packages needed for all our playbooks to succeed. This list was created by trial and error
 packages=(
@@ -107,7 +108,7 @@ aptly_config=$(mktemp)
 trap 'rm -Rf -- "$aptly_config $GNUPGHOME"' EXIT
 
 cat > "$aptly_config" <<FOO
-{ "rootDir": "$aptly_root", "downloadConcurrency": 10, "gpgProvider": "internal" }
+{ "rootDir": "$aptly_root", "downloadConcurrency": 10, "gpgProvider": "gpg2" }
 FOO
 
 aptly="aptly -config=${aptly_config} "
@@ -121,12 +122,13 @@ gpg --no-default-keyring --keyring trustedkeys.gpg --fingerprint
 # Import our signing key to our keyring
 echo -e "$GPG_PRIVATE_KEY" | gpg --import
 
-echo "Printing the public key ids..."
+echo "GPG dir: $GNUPGHOME"
+
+echo "Printing the public key ids from default keyring..."
 gpg --list-keys
-echo "Printing the secret key ids..."
+echo "Printing the secret key ids from default keyring..."
 gpg --list-secret-keys
 
-
 # import the ubuntu and docker signing keys
 # TODO: Do we want to pin these better? Verify them?
 curl 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x790bc7277767219c42c86f933b4fe6acc0b21f32' | gpg --no-default-keyring --keyring=trustedkeys.gpg --import
@@ -156,6 +158,21 @@ $aptly snapshot create docker-ce from mirror docker-ce
 
 $aptly snapshot merge wire jammy jammy-security jammy-updates docker-ce
 
-$aptly publish snapshot -gpg-key="[email protected]" -secret-keyring="$GNUPGHOME/secring.gpg" -distribution jammy wire
+# TODO: hardcoded
+gpg --batch --yes --delete-secret-key 128696F420731E19BC0D36C516691483A7637513
+#gpg --delete-key 16691483A7637513
+
+echo "Verify GPG key by ID before publish:"
+
+# show public portion
+gpg --list-keys --keyid-format LONG "[email protected]"
+
+$aptly publish snapshot -gpg-key="A054D0B66346B27919CE5EC02872CB8EEBD99578" -distribution jammy wire
+
+gpg --export --export-options export-minimal [email protected] -a > "$aptly_root/public/gpg"
+
+echo "Check if the exported public key contains the subkey"
+gpg --show-keys "$aptly_root/public/gpg"
 
-gpg --export [email protected] -a > "$aptly_root/public/gpg"
+echo "Check repo signature"
+gpg --verify "$aptly_root/public/dists/jammy/Release.gpg" "$aptly_root/public/dists/jammy/Release"

nix/sources.json

@@ -17,10 +17,10 @@
         "homepage": "https://github.com/NixOS/nixpkgs",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "057f9aecfb71c4437d2b27d3323df7f93c010b7e",
-        "sha256": "1ndiv385w1qyb3b18vw13991fzb9wg4cl21wglk89grsfsnra41k",
+        "rev": "e68b342423c69aa8113894d9e89ae50e4fd9c456",
+        "sha256": "0g3a9p2llmhfz5avrkgwvbvpp9r32h01g1gcyil8a7zm953pgj98",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/057f9aecfb71c4437d2b27d3323df7f93c010b7e.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/e68b342423c69aa8113894d9e89ae50e4fd9c456.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }