Merge branch 'loft-sh:main' into ebcloud-dev

Author: Lanyujiex

.backportrc.json

@@ -2,7 +2,7 @@
   "repoOwner": "loft-sh",
   "repoName": "vcluster",
   "targetBranchChoices": ["v0.19", "v0.20", "v0.21", "v0.22", "v0.23", "v0.24"],
-    "prDescription": "Backport from `{{sourceBranch}}` to `{{targetBranch}}`\n\nOriginal PR Nr.: #{{sourcePullRequest.number}}\n\n### Backported Commits:\n{{#each commits}}\n- {{shortSha this.sourceCommit.sha}} {{this.sourceCommit.message}}\n{{/each}}\n\n## Original PR Description:\n{{sourcePullRequest}}",
+    "prDescription": "Backport from `{{sourceBranch}}` to `{{targetBranch}}`\n\nOriginal PR Nr.: #{{sourcePullRequest.number}}\n\n### Backported Commits:\n{{#each commits}}\n- {{shortSha this.sourceCommit.sha}} {{this.sourceCommit.message}}\n{{/each}}",
   "branchLabelMapping": {
     "^backport-to-(.+)$": "$1"
   }

.github/workflows/backport.yaml

@@ -18,26 +18,6 @@ jobs:
       - name: Install GH CLI
         uses: dev-hanz-ops/install-gh-cli-action@v0.2.1
 
-      - name: Fetch PR description and update backportrc
-        env:
-          GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          REPO: ${{ github.repository }}
-        run: |
-          # Grab raw original PR body, gh CLI uses the default token.
-          BODY_CONTENT="$(gh api "/repos/$REPO/pulls/$PR_NUMBER" | jq -r .body)"
-
-          # Escape the markdown content so that sed can produce valid JSON.
-          # Remove starting and ending quites and replace new lines with literals.
-          ESCAPED_CONTENT=$(echo "$BODY_CONTENT" | jq -aRs .)
-          ESCAPED_CONTENT="${ESCAPED_CONTENT%\"}"
-          ESCAPED_CONTENT="${ESCAPED_CONTENT#\"}"
-          ESCAPED_CONTENT=$(echo "$ESCAPED_CONTENT" | sed 's/[\/&]/\\&/g')
-
-          # sourcePullRequest is an actual variable, but the PR description is not provided by the action or the CLI.
-          # Instead we are using it as a substitution target and replacing it with the markdown content.
-          sed -i "s/{{sourcePullRequest}}/$ESCAPED_CONTENT/g" .backportrc.json
-
       - name: Backport Action
         uses: sorenlouv/backport-github-action@v9.5.1
         with:

.github/workflows/compatibility.yaml

@@ -170,7 +170,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        distribution: ["k3s", "k8s", "k0s"]
+        distribution: ["k3s", "k8s"]
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -255,7 +255,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        distribution: ["k3s", "k8s", "k0s"]
+        distribution: ["k3s", "k8s"]
         test-suite-path: ${{fromJson(needs.get-testsuites-dir.outputs.matrix)}}
         multinamespace-mode: ["false", "true"]
         ha: ["false", "true"]
@@ -268,16 +268,10 @@ jobs:
             ha: "true"
             test-suite-path: "./test/e2e"
             multinamespace-mode: "false"
-          - distribution: "k0s"
-            ha: "true"
-            test-suite-path: "./test/e2e"
-            multinamespace-mode: "false"
         exclude:
           - ha: "true"
           - distribution: "k8s"
             multinamespace-mode: "true"
-          - distribution: "k0s"
-            multinamespace-mode: "true"
           - distribution: "k3s"
             multinamespace-mode: "true"
             test-suite-path: "./test/e2e_target_namespace"

.github/workflows/docs.yaml

@@ -50,6 +50,6 @@ jobs:
           fi
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.0
+          version: v2.1

.github/workflows/e2e.yaml

@@ -36,7 +36,7 @@ jobs:
         with:
           cosign-release: "v2.2.3"
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@v0.18.0
+        uses: anchore/sbom-action/download-syft@v0.19.0
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -122,10 +122,28 @@ jobs:
           CHART_MUSEUM_PASSWORD: ${{ secrets.CHART_MUSEUM_PASSWORD }}
   # The workflow will only trigger on non-draft releases
   # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#release
+  sync_linear:
+    needs:
+      - publish
+      - publish-chart
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Update linear issues
+        run: go run . -release-tag="${{ needs.publish.outputs.release_version }}"
+        working-directory: hack/linear-sync
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
+          LINEAR_TOKEN: ${{ secrets.LINEAR_TOKEN }}
+
   notify_release:
     needs:
       - publish
       - publish-chart
+      - sync_linear
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4

.github/workflows/lint.yaml

@@ -57,8 +57,8 @@ generate-vcluster-latest-images version="0.0.0":
 
 # Generate the vcluster optional images file
 [private]
-generate-vcluster-optional-images:
-  {{ASSETS_RUN}} --optional > ./release/images-optional.txt
+generate-vcluster-optional-images version="0.0.0":
+  {{ASSETS_RUN}} --optional {{ version }} > ./release/images-optional.txt
 
 # Generate versioned vCluster image files for multiple versions and distros
 [private]
@@ -73,10 +73,6 @@ generate-matrix-specific-images version="0.0.0":
     done
   done
 
-# Generate the CLI docs
-generate-cli-docs:
-  go run -mod vendor -tags pro ./hack/docs/main.go
-
 # Generate the vcluster.yaml config schema
 generate-config-schema:
   go run -mod vendor ./hack/schema/main.go
@@ -86,6 +82,9 @@ generate-config-schema:
 embed-chart version="0.0.0":
   RELEASE_VERSION={{ version }} go generate -tags embed_chart ./...
 
+test-chart:
+  helm unittest chart
+
 # Run e2e tests
 e2e distribution="k3s" path="./test/e2e" multinamespace="false": create-kind && delete-kind
   echo "Execute test suites ({{ distribution }}, {{ path }}, {{ multinamespace }})"

.github/workflows/release.yaml

@@ -33,7 +33,7 @@ brew install loft-sh/tap/vcluster
 vcluster create my-vcluster --namespace team-x
 ```
 
-https://github.com/user-attachments/assets/d97c21ae-5d23-499c-a1e8-e8d784493be4
+![vCluster gif](./docs/static/media/vcluster-github-gif-1280.gif)
 
 For detailed steps, visit our [Quickstart Documentation](https://www.vcluster.com/docs/get-started).
 
@@ -90,7 +90,7 @@ For detailed steps, visit our [Quickstart Documentation](https://www.vcluster.co
 <summary><strong>Enhanced Flexibility and Compatibility</strong></summary>
 
 - **Diverse Kubernetes Environments**:  
-  vCluster supports different Kubernetes versions and distributions (including K8s, K3s, and K0s), allowing version skews. This makes it possible to tailor each virtual cluster to specific requirements without impacting others.
+  vCluster supports different Kubernetes versions and distributions (including K8s and K3s), allowing version skews. This makes it possible to tailor each virtual cluster to specific requirements without impacting others.
 
 - **Adaptable Backing Stores**:  
   Choose from a range of data stores, from lightweight (SQLite) to enterprise-grade options (embedded etcd, external data stores like Global RDS), catering to various scalability and durability needs.

Justfile

@@ -27,7 +27,7 @@ Corefile: |-
           fallthrough in-addr.arpa ip6.arpa
           {{- end }}
       }
-      hosts /etc/NodeHosts {
+      hosts /etc/coredns/NodeHosts {
           ttl 60
           reload 15s
           fallthrough

README.md

@@ -3,8 +3,6 @@
 {{ toYaml .Values.controlPlane.distro.k3s.env }}
 {{- else if and (eq (include "vcluster.distro" .) "k8s") .Values.controlPlane.distro.k8s.env -}}
 {{ toYaml .Values.controlPlane.distro.k8s.env }}
-{{- else if and (eq (include "vcluster.distro" .) "k0s") .Values.controlPlane.distro.k0s.env -}}
-{{ toYaml .Values.controlPlane.distro.k0s.env }}
 {{- end -}}
 {{- end -}}
 
@@ -17,10 +15,6 @@
 k3s
 {{- $distros = add1 $distros -}}
 {{- end -}}
-{{- if .Values.controlPlane.distro.k0s.enabled -}}
-k0s
-{{- $distros = add1 $distros -}}
-{{- end -}}
 {{- if .Values.controlPlane.distro.k8s.enabled -}}
 k8s
 {{- $distros = add1 $distros -}}

chart/templates/_coredns.tpl

@@ -3,35 +3,17 @@
 {{ include "vcluster.k3s.initContainers" . }}
 {{- else if eq (include "vcluster.distro" .) "k8s" -}}
 {{ include "vcluster.k8s.initContainers" . }}
-{{- else if eq (include "vcluster.distro" .) "k0s" -}}
-{{ include "vcluster.k0s.initContainers" . }}
-{{- end -}}
-{{- end -}}
-
-{{- define "vcluster.k8s.capabilities.version" -}}
-{{/* We need to workaround here for unit tests because Capabilities.KubeVersion.Version is not supported, so we use .Chart.Version */}}
-{{- if hasPrefix "test-" .Chart.Version -}}
-{{- regexFind "^v[0-9]+\\.[0-9]+\\.[0-9]+" (trimPrefix "test-" .Chart.Version) -}}
-{{- else -}}
-{{- regexFind "^v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version -}}
 {{- end -}}
 {{- end -}}
 
 {{/* Bump $defaultTag value whenever k8s version is bumped */}}
 {{- define "vcluster.k8s.image.tag" -}}
-{{- $defaultTag := "v1.32.1" -}}
-{{- if and (not (empty .Values.controlPlane.distro.k8s.version)) (eq .Values.controlPlane.distro.k8s.image.tag $defaultTag) -}}
+{{- if not (empty .Values.controlPlane.distro.k8s.version) -}}
 {{ .Values.controlPlane.distro.k8s.version }}
 {{- else -}}
-{{- if not (eq .Values.controlPlane.distro.k8s.image.tag $defaultTag) -}}
-{{ .Values.controlPlane.distro.k8s.image.tag }}
-{{- else if not (empty (include "vcluster.k8s.capabilities.version" .)) -}}
-{{ include "vcluster.k8s.capabilities.version" . }}
-{{- else -}}
 {{ .Values.controlPlane.distro.k8s.image.tag }}
 {{- end -}}
 {{- end -}}
-{{- end -}}
 
 {{- define "vcluster.k8s.initContainers" -}}
 {{- include "vcluster.oldPlugins.initContainers" . }}
@@ -78,28 +60,6 @@
 {{ toYaml .Values.controlPlane.distro.k3s.resources | indent 4 }}
 {{- end -}}
 
-{{- define "vcluster.k0s.initContainers" -}}
-{{- include "vcluster.oldPlugins.initContainers" . }}
-{{- include "vcluster.plugins.initContainers" . }}
-- name: vcluster
-  image: "{{ include "vcluster.image" (dict "defaultImageRegistry" .Values.controlPlane.advanced.defaultImageRegistry "registry" .Values.controlPlane.distro.k0s.image.registry "repository" .Values.controlPlane.distro.k0s.image.repository "tag" .Values.controlPlane.distro.k0s.image.tag) }}"
-  command:
-    - /bin/sh
-  args:
-    - -c
-    - "cp /usr/local/bin/k0s /binaries/k0s"
-  {{- if .Values.controlPlane.distro.k0s.imagePullPolicy }}
-  imagePullPolicy: {{ .Values.controlPlane.distro.k0s.imagePullPolicy }}
-  {{- end }}
-  securityContext:
-{{ toYaml .Values.controlPlane.distro.k0s.securityContext | indent 4 }}
-  volumeMounts:
-    - name: binaries
-      mountPath: /binaries
-  resources:
-{{ toYaml .Values.controlPlane.distro.k0s.resources | indent 4 }}
-{{- end -}}
-
 {{/*
   Plugin init container definition
 */}}

chart/templates/_distro.tpl

@@ -171,11 +171,16 @@ data:
           topologySpreadConstraints:
 {{ toYaml .Values.controlPlane.coredns.deployment.topologySpreadConstraints  | indent 12 }}
           {{- end }}
+          {{- if .Values.controlPlane.coredns.security.podSecurityContext }}
+          securityContext:
+{{ toYaml .Values.controlPlane.coredns.security.podSecurityContext | indent 12 }}
+          {{- else }}
           {{- if .Values.policies.podSecurityStandard }}
           securityContext:
             seccompProfile:
               type: RuntimeDefault
           {{- end }}
+          {{- end }}
           containers:
             - name: coredns
               {{- if .Values.controlPlane.coredns.deployment.image }}
@@ -200,6 +205,10 @@ data:
                 - name: custom-config-volume
                   mountPath: /etc/coredns/custom
                   readOnly: true
+              {{- if .Values.controlPlane.coredns.security.containerSecurityContext }}
+              securityContext:
+{{ toYaml .Values.controlPlane.coredns.security.containerSecurityContext | indent 16 }}
+              {{- else }}
               securityContext:
                 runAsNonRoot: true
                 runAsUser: {{`{{.RUN_AS_USER}}`}}
@@ -211,6 +220,7 @@ data:
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
+              {{- end }}
               livenessProbe:
                 httpGet:
                   path: /health