From 6b041223f6ad57ad8c1faf0b04162059ef2e2d05 Mon Sep 17 00:00:00 2001 From: Filip Brychta Date: Wed, 10 Dec 2025 13:30:01 +0100 Subject: [PATCH] Add support for pinning tool versions to minor releases (#1421) (#1431) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add support for pinning tool versions to minor releases - Add PIN_MINOR flag to only update patch versions while keeping major.minor the same - Add TOOLS_ONLY flag to skip Istio updates and only update tools - Remove kube-rbac-proxy update as it's no longer needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) * Make the linter happy * Fix regex for getLatestMinorVersion and rename it to make better sense --------- Signed-off-by: Filip Brychta Co-authored-by: Claude --- .devcontainer/devcontainer.json | 2 +- Makefile.core.mk | 2 +- common/.commonfiles.sha | 2 +- common/scripts/setup_env.sh | 2 +- go.mod | 2 +- go.sum | 4 +- tools/update_deps.sh | 145 +++++++++++++++++++++++++------- 7 files changed, 121 insertions(+), 38 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 19ab1b2e29..4da3010e9e 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:release-1.26-80a1b41acf1fe5b60c2b49153f6d3f9ed3a82a0d", + "image": "gcr.io/istio-testing/build-tools:release-1.26-512a1e34a2bc63dd3c54ddcba27df1bcf95e7360", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/Makefile.core.mk b/Makefile.core.mk index 23451b1e85..a780a03e04 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -559,7 +559,7 @@ RUNME ?= $(LOCALBIN)/runme ## Tool Versions OPERATOR_SDK_VERSION ?= v1.41.1 -HELM_VERSION ?= v3.19.0 +HELM_VERSION ?= v3.19.2 CONTROLLER_TOOLS_VERSION ?= v0.19.0 CONTROLLER_RUNTIME_BRANCH ?= release-0.22 OPM_VERSION ?= v1.60.0 
diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index 6ea5974b00..6a7569195d 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -3c071fd614ac519af1ca763cfe46521b7113b16c +2a3998972172ea44d10217ac13cabfac18a47fff diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index 95d4f99db3..04b201ce6d 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=release-1.26-80a1b41acf1fe5b60c2b49153f6d3f9ed3a82a0d + IMAGE_VERSION=release-1.26-512a1e34a2bc63dd3c54ddcba27df1bcf95e7360 fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools diff --git a/go.mod b/go.mod index 63c299f5bd..bab8c047d6 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( k8s.io/apimachinery v0.34.1 k8s.io/cli-runtime v0.33.3 k8s.io/client-go v0.34.1 - sigs.k8s.io/controller-runtime v0.22.3 + sigs.k8s.io/controller-runtime v0.22.4 ) require ( diff --git a/go.sum b/go.sum index c8337ed59a..13b9ab6057 100644 --- a/go.sum +++ b/go.sum 
@@ -501,8 +501,8 @@ oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.32.1 h1:Cf+ed5N8038zbsaXFO7mKQDi/+VcSRafb0jM84KX5so= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.32.1/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= -sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y= -sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= +sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A= +sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= sigs.k8s.io/controller-tools v0.15.0 h1:4dxdABXGDhIa68Fiwaif0vcu32xfwmgQ+w8p+5CxoAI= sigs.k8s.io/controller-tools v0.15.0/go.mod h1:8zUSS2T8Hx0APCNRhJWbS3CAQEbIxLa07khzh7pZmXM= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= diff --git a/tools/update_deps.sh b/tools/update_deps.sh index ff5b35873e..6a569ffebf 100755 --- a/tools/update_deps.sh +++ b/tools/update_deps.sh 
@@ -16,18 +16,91 @@ set -exo pipefail -UPDATE_BRANCH=${UPDATE_BRANCH:-"master"} +# Set up a cross-platform sed command. +# On macOS, we use gsed (GNU sed) to have consistent behavior with Linux. +# This requires gsed to be installed on macOS (e.g., via `brew install gnu-sed`). +SED_CMD="sed" +if [[ "$(uname)" == "Darwin" ]]; then + SED_CMD="gsed" +fi + +UPDATE_BRANCH=${UPDATE_BRANCH:-"release-1.26"} +# When true, only update to the latest patch version (keeps major.minor version the same) +PIN_MINOR=${PIN_MINOR:-true} +# When true, skip Istio module updates (istio.io/istio and istio.io/client-go), do not add new Istio versions and only update tools +TOOLS_ONLY=${TOOLS_ONLY:-false} SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" ROOTDIR=$(dirname "${SCRIPTPATH}") cd "${ROOTDIR}" +# Extract tool versions from Makefile +function getVersionFromMakefile() { + grep "^${1} ?= " "${ROOTDIR}/Makefile.core.mk" | cut -d'=' -f2 | tr -d ' ' +} + +# Get current versions from Makefile and set as variables +# Only needed when PIN_MINOR is true (for patch version updates) +if [[ "${PIN_MINOR}" == "true" ]]; then + OPERATOR_SDK_VERSION=$(getVersionFromMakefile "OPERATOR_SDK_VERSION") + # shellcheck disable=SC2034 + HELM_VERSION=$(getVersionFromMakefile "HELM_VERSION") + CONTROLLER_TOOLS_VERSION=$(getVersionFromMakefile "CONTROLLER_TOOLS_VERSION") + CONTROLLER_RUNTIME_BRANCH=$(getVersionFromMakefile "CONTROLLER_RUNTIME_BRANCH") + OPM_VERSION=$(getVersionFromMakefile "OPM_VERSION") + OLM_VERSION=$(getVersionFromMakefile "OLM_VERSION") + GITLEAKS_VERSION=$(getVersionFromMakefile "GITLEAKS_VERSION") + RUNME_VERSION=$(getVersionFromMakefile "RUNME_VERSION") +fi + + # getLatestVersion gets the latest released version of a github project # $1 = org/repo function getLatestVersion() { curl -sL "https://api.github.com/repos/${1}/releases/latest" | yq '.tag_name' } +# getLatestVersionByPrefix gets the latest released version of a github project with a specific version prefix +# 
$1 = org/repo +# $2 = version prefix +function getLatestVersionByPrefix() { + curl -sL "https://api.github.com/repos/${1}/releases?per_page=100" | \ + yq -r '.[].tag_name' | \ + grep -E "^v?${2}[.0-9]*$" | \ + sort -V | \ + tail -n 1 +} + +# getLatestPatchVersion gets the latest patch version for a given major.minor version +# $1 = org/repo +# $2 = current version (e.g., v1.2.3) +function getLatestPatchVersion() { + local repo=$1 + local current_version=$2 + + # Extract major.minor from current version + # Handle versions with or without 'v' prefix + local version_no_v=${current_version#v} + local major_minor="" + major_minor=$(echo "${version_no_v}" | cut -d'.' -f1,2) + + getLatestVersionByPrefix "$repo" "${major_minor}" +} + +# getVersionForUpdate chooses between getLatestVersion and getLatestPatchVersion based on PIN_MINOR +# $1 = org/repo +# $2 = current version (optional, required if PIN_MINOR=true) +function getVersionForUpdate() { + local repo=$1 + local current_version=$2 + + if [[ "${PIN_MINOR}" == "true" ]]; then + getLatestPatchVersion "${repo}" "${current_version}" + else + getLatestVersion "${repo}" + fi +} + function getReleaseBranch() { minor=$(echo "${1}" | cut -f1,2 -d'.') echo "release-${minor#*v}" 
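Review bot: The filter in `getLatestVersionByPrefix`, `grep -E "^v?${2}[.0-9]*$"`, does not hold the result to the requested major.minor, because the prefix is not followed by a mandatory dot and its own `.` is an unescaped regex wildcard. A prefix of `1.2` therefore also accepts tags such as `v1.20.0` or `v1.25.3`, and `sort -V | tail -n 1` then selects the highest of them. With `PIN_MINOR` defaulting to `true`, the updater can cross a minor boundary whenever a single-digit minor has two-digit successors. Anchoring the boundary closes this, e.g. `grep -E "^v?${2//./\\.}\.[0-9]+$"`. Separately, `curl -sL` runs without `-f`, so an API error body (for example rate limiting) is caught only indirectly, when grep finds no match and `pipefail` trips.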
@@ -38,59 +111,69 @@ make update-common # update build container used in github actions NEW_IMAGE_MASTER=$(grep IMAGE_VERSION= < common/scripts/setup_env.sh | cut -d= -f2) -sed -i -e "s|\(gcr.io/istio-testing/build-tools\):master.*|\1:$NEW_IMAGE_MASTER|" .github/workflows/update-deps.yaml +"$SED_CMD" -i -e "s|\(gcr.io/istio-testing/build-tools\):master.*|\1:$NEW_IMAGE_MASTER|" .github/workflows/update-deps.yaml # Update go dependencies export GO111MODULE=on -go get -u "istio.io/istio@${UPDATE_BRANCH}" -go get -u "istio.io/client-go@${UPDATE_BRANCH}" -go mod tidy +if [[ "${TOOLS_ONLY}" != "true" ]]; then + go get -u "istio.io/istio@${UPDATE_BRANCH}" + go get -u "istio.io/client-go@${UPDATE_BRANCH}" + go mod tidy +else + echo "Skipping Istio module updates (TOOLS_ONLY=true)" +fi # Update operator-sdk -OPERATOR_SDK_LATEST_VERSION=$(getLatestVersion operator-framework/operator-sdk) -sed -i "s|OPERATOR_SDK_VERSION ?= .*|OPERATOR_SDK_VERSION ?= ${OPERATOR_SDK_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" -find "${ROOTDIR}/chart/templates/olm/scorecard.yaml" -type f -exec sed -i "s|quay.io/operator-framework/scorecard-test:.*|quay.io/operator-framework/scorecard-test:${OPERATOR_SDK_LATEST_VERSION}|" {} + +OPERATOR_SDK_LATEST_VERSION=$(getVersionForUpdate operator-framework/operator-sdk "${OPERATOR_SDK_VERSION}") +"$SED_CMD" -i "s|OPERATOR_SDK_VERSION ?= .*|OPERATOR_SDK_VERSION ?= ${OPERATOR_SDK_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" +find "${ROOTDIR}/chart/templates/olm/scorecard.yaml" -type f -exec "$SED_CMD" -i "s|quay.io/operator-framework/scorecard-test:.*|quay.io/operator-framework/scorecard-test:${OPERATOR_SDK_LATEST_VERSION}|" {} + # Update helm -HELM_LATEST_VERSION=$(getLatestVersion helm/helm | cut -d/ -f2) -sed -i "s|HELM_VERSION ?= .*|HELM_VERSION ?= ${HELM_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" +HELM_LATEST_VERSION=$(getVersionForUpdate helm/helm "${HELM_VERSION}") +"$SED_CMD" -i "s|HELM_VERSION ?= .*|HELM_VERSION ?= 
${HELM_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" # Update controller-tools -CONTROLLER_TOOLS_LATEST_VERSION=$(getLatestVersion kubernetes-sigs/controller-tools) -sed -i "s|CONTROLLER_TOOLS_VERSION ?= .*|CONTROLLER_TOOLS_VERSION ?= ${CONTROLLER_TOOLS_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" +CONTROLLER_TOOLS_LATEST_VERSION=$(getVersionForUpdate kubernetes-sigs/controller-tools "${CONTROLLER_TOOLS_VERSION}") +"$SED_CMD" -i "s|CONTROLLER_TOOLS_VERSION ?= .*|CONTROLLER_TOOLS_VERSION ?= ${CONTROLLER_TOOLS_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" # Update controller-runtime -CONTROLLER_RUNTIME_LATEST_VERSION=$(getLatestVersion kubernetes-sigs/controller-runtime) +# Note: For controller-runtime, we use the branch to determine the current version +CONTROLLER_RUNTIME_CURRENT_VERSION="v${CONTROLLER_RUNTIME_BRANCH#release-}.0" +CONTROLLER_RUNTIME_LATEST_VERSION=$(getVersionForUpdate kubernetes-sigs/controller-runtime "${CONTROLLER_RUNTIME_CURRENT_VERSION}") # FIXME: Do not use `go get -u` until https://github.com/kubernetes/apimachinery/issues/190 is resolved # go get -u "sigs.k8s.io/controller-runtime@${CONTROLLER_RUNTIME_LATEST_VERSION}" go get "sigs.k8s.io/controller-runtime@${CONTROLLER_RUNTIME_LATEST_VERSION}" CONTROLLER_RUNTIME_BRANCH=$(getReleaseBranch "${CONTROLLER_RUNTIME_LATEST_VERSION}") -sed -i "s|CONTROLLER_RUNTIME_BRANCH ?= .*|CONTROLLER_RUNTIME_BRANCH ?= ${CONTROLLER_RUNTIME_BRANCH}|" "${ROOTDIR}/Makefile.core.mk" +"$SED_CMD" -i "s|CONTROLLER_RUNTIME_BRANCH ?= .*|CONTROLLER_RUNTIME_BRANCH ?= ${CONTROLLER_RUNTIME_BRANCH}|" "${ROOTDIR}/Makefile.core.mk" # Update opm -OPM_LATEST_VERSION=$(getLatestVersion operator-framework/operator-registry) -sed -i "s|OPM_VERSION ?= .*|OPM_VERSION ?= ${OPM_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" +OPM_LATEST_VERSION=$(getVersionForUpdate operator-framework/operator-registry "${OPM_VERSION}") +"$SED_CMD" -i "s|OPM_VERSION ?= .*|OPM_VERSION ?= ${OPM_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" # 
Update olm -OLM_LATEST_VERSION=$(getLatestVersion operator-framework/operator-lifecycle-manager) -sed -i "s|OLM_VERSION ?= .*|OLM_VERSION ?= ${OLM_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" - -# Update kube-rbac-proxy -RBAC_PROXY_LATEST_VERSION=$(getLatestVersion brancz/kube-rbac-proxy | cut -d/ -f1) -# Only update it if the newer image is available in the registry -if docker manifest inspect "gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}" >/dev/null 2>/dev/null; then - sed -i "s|gcr.io/kubebuilder/kube-rbac-proxy:.*|gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}|" "${ROOTDIR}/chart/values.yaml" -fi +OLM_LATEST_VERSION=$(getVersionForUpdate operator-framework/operator-lifecycle-manager "${OLM_VERSION}") +"$SED_CMD" -i "s|OLM_VERSION ?= .*|OLM_VERSION ?= ${OLM_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" + +# Update gateway-api +GW_API_LATEST_VERSION=$(getLatestVersion kubernetes-sigs/gateway-api) +"$SED_CMD" -i "s|GW_API_VERSION=.*|GW_API_VERSION=\${GW_API_VERSION:-${GW_API_LATEST_VERSION}}|" "${ROOTDIR}/tests/e2e/setup/setup-kind.sh" # Update gitleaks -GITLEAKS_VERSION=$(getLatestVersion gitleaks/gitleaks) -sed -i "s|GITLEAKS_VERSION ?= .*|GITLEAKS_VERSION ?= ${GITLEAKS_VERSION}|" "${ROOTDIR}/Makefile.core.mk" +GITLEAKS_LATEST_VERSION=$(getVersionForUpdate gitleaks/gitleaks "${GITLEAKS_VERSION}") +"$SED_CMD" -i "s|GITLEAKS_VERSION ?= .*|GITLEAKS_VERSION ?= ${GITLEAKS_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" # Update runme -RUNME_LATEST_VERSION=$(getLatestVersion runmedev/runme) -# Remove the leading "v" from the version string +# Add 'v' prefix to current version for comparison if it doesn't have one +RUNME_VERSION_WITH_V="v${RUNME_VERSION}" +RUNME_LATEST_VERSION=$(getVersionForUpdate runmedev/runme "${RUNME_VERSION_WITH_V}") +# Remove the leading "v" from the version string for storage in Makefile RUNME_LATEST_VERSION=${RUNME_LATEST_VERSION#v} -sed -i "s|RUNME_VERSION ?= .*|RUNME_VERSION ?= 
${RUNME_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" +"$SED_CMD" -i "s|RUNME_VERSION ?= .*|RUNME_VERSION ?= ${RUNME_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk" # Regenerate files -make update-istio gen +if [[ "${TOOLS_ONLY}" != "true" ]]; then + make update-istio gen +else + echo "Skipping 'make update-istio' (TOOLS_ONLY=true), running 'make gen' only" + make gen +fi
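Review bot: The new gateway-api step calls `getLatestVersion` instead of `getVersionForUpdate`, so it ignores `PIN_MINOR`, and the tag returned by the GitHub API is substituted into `tests/e2e/setup/setup-kind.sh` with no check on its shape. That value lands inside a `${GW_API_VERSION:-…}` default in a script that is executed later, so anything that is not a plain version tag should be rejected before the sed runs, e.g. `[[ "${GW_API_LATEST_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected gateway-api tag: ${GW_API_LATEST_VERSION}" >&2; exit 1; }`. The same guard would presumably also stop the `null` that `yq '.tag_name'` yields when the API answers with an error body, which `curl -sL` without `-f` lets through. The other tool updates have the same unvalidated write when `PIN_MINOR=false`; with pinning on, the digits-and-dots grep in `getLatestVersionByPrefix` already constrains them.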