It's been found that the verify assets script is out of date and is resuling in a "MISMATCH" result when ran against releases. The current value of assets it's checking for is 50 when it should be expecting 52.

It would be nice to have the ability to update the relevant KDM branches with a new release of RKE2 and k3s. At a minimum, adding a new block of YAML for the release in the dev-v2.6 branch and bumping the previous release in the dev-v2.5 branch, if relevant.

The release notes program currently generates release notes for a given milestone but will not aggregates the packaged component versions for that milestone. This functionality should be added so this process is all encompassing.

The documentation to find the packaged component versions can be found in the RKE2 documentation.

Once moved onto BCIs, we need the ability to update the version used in each of the images in RKE2.

Current Dockerfile is trying to copy the standup binary from the backport/bin dir:

...
COPY cmd/gen-release-notes/bin/gen-release-notes /usr/local/bin
COPY cmd/backport/bin/backport /usr/local/bin
COPY cmd/backport/bin/standup /usr/local/bin

After reading the code for finding release notes I thought it would be cool to have a way to manually validate the release notes "changes since" section.
The code uses the compare API, so it was a bit more complex than I wanted to take on for manual verification, and I found a small issue query which finds the same information:

https://github.com/rancher/rke2/issues?q=base%3Arelease-1.23+merged%3A%3E2022-06-13+sort%3Aupdated-asc+
base:release-1.23 merged:>2022-06-13 sort:updated-asc

This may be slightly less accurate since it pulls PRs based on date rather than PRs for commits which merged between tags, but so far I have not found any practical cases where it has not matched up. This is a much easier to parse and limits the queries to a single call to GH vs the O(n) that the code currently operates on (it gets all commits, then queries every commit for a PR, then dedups the PR list ). It is not much of a practical improvement, since we don't really have thousands of commits to parse, but it does help conceptually with understanding what we are looking for and provides an easy way to manually validate, which helps with the learning/training process. It also reduces calls to the GH API, which does get rate limited after a certain number of queries.

You need two pieces of information, the target branch and the previous release date. I also sorted by last updated to get the same sorting as the current code. The failure mode for this is if someone merges a PR for the next release on the day the release is cut you might miss that PR in the release notes.

We need to have a process that will create a new image published to Dockerhub whenever a new release is created in this repo, similar to the processes we have in k3s and rke2.

We need the ability to automate the verification of assets being present on a given release.

When image-build-base releases a new version, all the rancher/image-build-xxxx projects [1] should update their Dockerfiles. We are talking about ~24 projects. This process is not automated but manual and the consequence is that most of them are outdated.

It'd be so great that a PR would be created for each of them updating that parameter (e.g https://github.com/rancher/image-build-calico/blob/master/Dockerfile#L4) every time there is a new release of image-build-base.

Ideally, we should trigger this from drone/github_actions/etc in the image-build-base github project as soon as there is a new release. However, as we are still unsure what will be our CI at the end of the year, I think it would be great to start having the functionality here.

[1] https://github.com/orgs/rancher/repositories?language=&q=image-build-&sort=&type=all

it'd be helpful to have a script that performs image security scans the same way that rancher performs its scan.

There has been a request to create a "simple" script that can deploy common k3s cluster configurations.

Goals:

• Make it really, really easy for developers to test on common k3s/rke2 cluster configurations
• Use existing E2E tests so if more advanced options are needed, developers can find them.
• Enable developers to bring over their locally built k3s executable for PR testing.

The CheckUpstreamRelease methods needs to be refactored to return a map of string bool with the release tag as the key and it's availability represented as a bool.

From past march RKE2 release we identified the following artifacts on gen-release-notes output

• CNI Plugins standalone version reference is not longer needed for RKE2 Fixed on #67
• Calico url's have the v3.22 fixed version on its path
• etcd version should be pulled from version.sh instead of go.mod
• helm-controller uses an outdated version

The README needs to be filled out to include the following:

• Index of available utilities
• Usage examples
• Contributing guidelines
• Feature request guidelines

As well as additional inconsequential sections.

I'd like us to add Trivy and Grype to our CI pipeline.

To create RPMs for RKE2 we create new releases which creates new tags as well. We need a script

This should be done in a Go package.

We can also move to a multistage dockerfile that handles building the tools and packing them.

The update Go program needs to be be extended to include the functionality to create a branch, perform the update, add the changed files to staging, commit the changes, push to the origin branch, and create a PR filled out with the necessary information.

Background

The rke2-charts are downstream updated each time a Kubernetes component or Kubernetes itself. The big picture desire has been documented on rke2#2077.

There are validation rules between the relationship specific values in Chart.yaml and package.yaml that currently are not supported.

Original request

Whenever we update a chart value, packageVersion should increase its value otherwise CI will fail. Example: https://github.com/rancher/rke2-charts/runs/4948436190?check_suite_focus=true
[...]
The reason for that is that otherwise we would be overwriting an existing helm chart and users might get confused. The name of the chart contains the packageVersion: https://github.com/rancher/rke2-charts/tree/main/charts/rke2-canal/rke2-canal.
To be fully accurate, when changing the version, we should go back to packageVersion: 1

Request

Ensure packageVersion (package.yaml) is reset to 1 every time the Chart version changes

We're currently using UBI7 for our base artifact images. These images are updated but not often and not all concerns are taken care of. We need to work on the following:

• Investigate the move from UBI7 to something newer
• Investigate the use of BCI, UBI8, alpine, scratch
• Update the base image to not have all of the reported vulnerabilities from the image-scan process.

All experiments need to be scanned the same as Rancher does to make sure we're meeting customer expectations. This line below references how Rancher image scan performs its scan.

https://github.com/rancher/image-scanning/blob/main/run.py#L303

Background

The rke2-charts are downstream updated each time a Kubernetes component or Kubernetes itself. The big picture desire has been documented on rke2#2077, this tool is part of it.

Request

Create a Go tool that updates the rke2 referenced versions within the existing rke2-charts. A version reference can be:

• Package version
• Helm chart version
• Helm chart appVersion
• Docker image tag within values.yaml file

Acceptance criteria

• Working Go tool on ecm-distro-tools able to perform the behavior described above.

When the assignee is nil in the given issue to be backported, backport throws a panic as the pointer is referenced but is nil.

https://github.com/anchore/grype

This logic needs to be ported to Go for functionality in OpDom and other CLI utilities.

• rke2_list_image_repos
• rke2_list_images
• rke2_charts_get_index
• rancher_list_local_repos