From 20bfb7eda8aa947169a94a798aac5656d64e9b2d Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Tue, 18 Feb 2025 15:56:50 -0800 Subject: [PATCH 1/2] Pin calico/base to release tags This change pins calico/base version to a particular tag instead of `latest`. It resolves issues during a (hash) release when non-amd64 components accidentally pull in amd64 bases. --- Makefile | 2 +- lib.Makefile | 26 +++++++++++++++++++++++--- metadata.mk | 4 +++- 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 432180ea29f..1ca3a549172 100644 --- a/Makefile +++ b/Makefile @@ -206,7 +206,7 @@ endif python:3 \ bash -c '/usr/local/bin/python release/get-contributors.py >> /code/AUTHORS.md' -update-pins: update-go-build-pin +update-pins: update-go-build-pin update-calico-base-pin ############################################################################### # Post-release validation diff --git a/lib.Makefile b/lib.Makefile index 14f6ef6c368..e1b188abf8d 100644 --- a/lib.Makefile +++ b/lib.Makefile @@ -265,7 +265,7 @@ CERTS_PATH := $(REPO_ROOT)/hack/test/certs ifdef USE_UBI_AS_CALICO_BASE CALICO_BASE ?= $(UBI_IMAGE) else -CALICO_BASE ?= calico/base +CALICO_BASE ?= calico/base:$(CALICO_BASE_VER) endif ifndef NO_DOCKER_PULL @@ -355,12 +355,12 @@ define get_go_build_version $(shell git ls-remote --tags --refs --sort=-version:refname $(GO_BUILD_REPO) | head -n 1 | awk -F '/' '{print $$NF}') endef -# update_go_build updates the GO_BUILD_VER in metadata.mk or Makefile. +# update_go_build_pin updates the GO_BUILD_VER in metadata.mk or Makefile. # for annotated git tags, we need to remove the trailing `^{}`. # for the obsoleted vx.y go-build version, we need to remove the leading `v` for bash string comparison to work properly. define update_go_build_pin $(eval new_ver := $(subst ^{},,$(call get_go_build_version))) - $(eval old_ver := $(subst v,,$(shell grep -E "^GO_BUILD_VER" $(1) | cut -d'=' -f2 | xargs))) + $(eval old_ver := $(shell grep -E "^GO_BUILD_VER" $(1) | cut -d'=' -f2 | xargs | sed 's/^v//')) @echo "current GO_BUILD_VER=$(old_ver)" @echo "latest GO_BUILD_VER=$(new_ver)" @@ -374,6 +374,23 @@ define update_go_build_pin fi' endef +# update_calico_base_pin updates the CALICO_BASE_VER in metadata.mk. +define update_calico_base_pin + $(eval new_ver := $(shell curl -s "https://hub.docker.com/v2/repositories/calico/base/tags/?page_size=100" | jq -r '.results[].name' | grep -E "^ubi8-[0-9]+$$" | sort -r | head -n 1)) + $(eval old_ver := $(shell grep -E "^CALICO_BASE_VER" $(1) | cut -d'=' -f2 | xargs)) + + @echo "current CALICO_BASE_VER=$(old_ver)" + @echo "latest CALICO_BASE_VER=$(new_ver)" + + bash -c '\ + if [[ "$(new_ver)" > "$(old_ver)" ]]; then \ + sed -i "s/^CALICO_BASE_VER[[:space:]]*=.*/CALICO_BASE_VER=$(new_ver)/" $(1); \ + echo "CALICO_BASE_VER is updated to $(new_ver)"; \ + else \ + echo "no need to update CALICO_BASE_VER"; \ + fi' +endef + GIT_REMOTE?=origin API_BRANCH?=$(PIN_BRANCH) API_REPO?=github.com/projectcalico/calico/api @@ -433,6 +450,9 @@ replace-cni-pin: update-go-build-pin: $(call update_go_build_pin,$(GIT_GO_BUILD_UPDATE_COMMIT_FILE)) +update-calico-base-pin: + $(call update_calico_base_pin,$(GIT_GO_BUILD_UPDATE_COMMIT_FILE)) + git-status: git status --porcelain diff --git a/metadata.mk b/metadata.mk index b23ccfe5fe4..010952618cf 100644 --- a/metadata.mk +++ b/metadata.mk @@ -2,8 +2,10 @@ # This file contains Makefile configuration parameters and metadata for this branch. ################################################################################################# -# The version of github.com/projectcalico/go-build to use. +# The version of calico/go-build and calico/base to use. GO_BUILD_VER=1.24.0-llvm18.1.8-k8s1.31.5-2 +CALICO_BASE_VER=ubi8-1739912267 + # Env var to ACK Ginkgo deprecation warnings, may need updating with go-build. ACK_GINKGO=ACK_GINKGO_DEPRECATIONS=1.16.5 From b2e64e8bf09f1288a4a14f0c3d19e0e9d51c79f4 Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Tue, 18 Feb 2025 20:44:57 -0800 Subject: [PATCH 2/2] Use UBI latest tag --- lib.Makefile | 2 +- metadata.mk | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/lib.Makefile b/lib.Makefile index e1b188abf8d..bea803ccf06 100644 --- a/lib.Makefile +++ b/lib.Makefile @@ -199,7 +199,7 @@ ifeq ($(BUILDARCH),amd64) # *-amd64 tagged images for etcd are not available until v3.5.0 ETCD_IMAGE = quay.io/coreos/etcd:$(ETCD_VERSION) endif -UBI_IMAGE ?= registry.access.redhat.com/ubi8/ubi-minimal:$(UBI_VERSION) +UBI_IMAGE ?= registry.access.redhat.com/ubi8/ubi-minimal:latest ifeq ($(GIT_USE_SSH),true) GIT_CONFIG_SSH ?= git config --global url."ssh://git@github.com/".insteadOf "https://github.com/"; diff --git a/metadata.mk b/metadata.mk index 010952618cf..c6313ba6213 100644 --- a/metadata.mk +++ b/metadata.mk @@ -19,8 +19,6 @@ GHR_VERSION=v0.17.0 HELM_VERSION=v3.11.3 KINDEST_NODE_VERSION=v1.31.4 KIND_VERSION=v0.25.0 -PROTOC_VER=v0.1 -UBI_VERSION=8.10 # Configuration for Semaphore/Github integration. This needs to be set # differently for a forked repo.