Update tools to 0.9.0

.github/workflows/build.yaml

@@ -41,6 +41,8 @@ jobs:
       labels: bottlerocket_ubuntu-latest_16-core
     steps:
       - uses: actions/checkout@v4
+      # Build local tools container in case we are working on a new tools release
+      - run: make tools
       - run: make images
   license-check:
     # A small machine is OK for this independent job.

Makefile

@@ -10,7 +10,7 @@ TOP := $(dir $(firstword $(MAKEFILE_LIST)))
 # Variables we update as newer versions are released
 BOTTLEROCKET_SDK_VERSION = v0.42.0
 BOTTLEROCKET_SDK_ARCH = $(TESTSYS_BUILD_HOST_UNAME_ARCH)
-BOTTLEROCKET_TOOLS_VERSION ?= v0.8.0
+BOTTLEROCKET_TOOLS_VERSION ?= v0.9.0
 
 BUILDER_IMAGE = public.ecr.aws/bottlerocket/bottlerocket-sdk:$(BOTTLEROCKET_SDK_VERSION)
 TOOLS_IMAGE ?= public.ecr.aws/bottlerocket-test-system/bottlerocket-test-tools:$(BOTTLEROCKET_TOOLS_VERSION)

bottlerocket/samples/Makefile.toml

@@ -8,7 +8,7 @@ ARCH = { value = "x86_64", condition = { env_not_set = ["ARCH"] } }
 CLUSTER_TYPE = { value = "eks", condition = { env_not_set = ["CLUSTER_TYPE"] } }
 ASSUME_ROLE = { value = "~", condition = { env_not_set = ["ASSUME_ROLE"] } }
 AWS_REGION = { value = "us-west-2", condition = { env_not_set = ["AWS_REGION"] } }
-UPGRADE_VERSION = { value = "v1.11.1", condition = { env_not_set = ["UPGRADE_VERSION"] } }
+UPGRADE_VERSION = { value = "v1.20.4", condition = { env_not_set = ["UPGRADE_VERSION"] } }
 STARTING_VERSION = { script = ["""\
         aws ssm get-parameter \
             --region us-west-2 \

tools/CHANGELOG.md

@@ -6,6 +6,15 @@ The format is inspired by [Keep a Changelog](https://keepachangelog.com/en/1.0.0
 Since this project is only a vessel for packaging a few binary tools, its adherence to
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html) is loose at best.
 
+## [0.9.0] - 2024-07-23
+
+Update Bottlerocket SDK to 0.42.0
+Update kubernetes to EKSD 1.27.35
+Update eksctl to 0.187.0
+Update helm to 3.15.3
+Update aws-iam-authenticator to 0.6.21
+Update sonobuoy to 0.57.1
+
 ## [0.8.0] - 2024-01-29
 
 Update eksctl to 0.169.0

tools/Dockerfile

@@ -7,6 +7,7 @@ USER root
 COPY ./hashes /hashes
 COPY ./clarify.toml /clarify.toml
 COPY ./eksctl.clarify.toml /eksctl.clarify.toml
+COPY ./sonobuoy.clarify.toml /sonobuoy.clarify.toml
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 # Shared build stage used to build Go binaries.
@@ -26,7 +27,7 @@ USER root
 RUN mkdir -p /usr/share/licenses/eksctl && \
     chown -R builder:builder /usr/share/licenses/eksctl
 
-ARG EKSCTL_VERSION=0.183.0
+ARG EKSCTL_VERSION=0.187.0
 ARG EKSCTL_SOURCE_URL="https://github.com/eksctl-io/eksctl/archive/refs/tags/v${EKSCTL_VERSION}.tar.gz"
 
 ARG EKSCTL_BINARY_URL="https://github.com/eksctl-io/eksctl/releases/download/v${EKSCTL_VERSION}/eksctl_Linux_${GOARCH}.tar.gz"
@@ -61,45 +62,69 @@ RUN curl -L "${EKSCTL_BINARY_URL}" \
 FROM build-go as kubernetes-build
 
 USER root
+RUN dnf -y install yq
 RUN mkdir -p /usr/share/licenses/kubernetes && \
     chown -R builder:builder /usr/share/licenses/kubernetes
 
-ARG K8S_VERSION=1.26.3
-ARG K8S_SOURCE_URL="https://github.com/kubernetes/kubernetes/archive/refs/tags/v${K8S_VERSION}.tar.gz"
+ARG K8S_MINOR_VERSION=1-27
+ARG EKSD_PATCH_VERSION=35
 
-ARG KUBEADM_BINARY_URL="https://dl.k8s.io/release/v${K8S_VERSION}/bin/linux/${GOARCH}/kubeadm"
-ARG KUBECTL_BINARY_URL="https://dl.k8s.io/release/v${K8S_VERSION}/bin/linux/${GOARCH}/kubectl"
+ARG K8S_SOURCE_URL="https://github.com/aws/eks-distro/archive/refs/tags/v${K8S_MINOR_VERSION}-eks-${EKSD_PATCH_VERSION}.tar.gz"
+ARG EKSD_RELEASE_MANIFEST="https://distro.eks.amazonaws.com/kubernetes-${K8S_MINOR_VERSION}/kubernetes-${K8S_MINOR_VERSION}-eks-${EKSD_PATCH_VERSION}.yaml"
 
 USER builder
 WORKDIR /home/builder/
 RUN mkdir kubernetes && \
-    curl -L "${K8S_SOURCE_URL}" -o "kubernetes_${K8S_VERSION}.tar.gz" && \
-    grep "kubernetes_${K8S_VERSION}.tar.gz" \
+    curl -L "${K8S_SOURCE_URL}" -o "kubernetes_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}.tar.gz" && \
+    grep "kubernetes_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}.tar.gz" \
       /hashes/kubernetes | sha512sum --check - && \
-    tar -xf "kubernetes_${K8S_VERSION}.tar.gz" \
+    tar -xf "kubernetes_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}.tar.gz" \
       --strip-components 1 -C kubernetes && \
-    rm "kubernetes_${K8S_VERSION}.tar.gz"
+    rm "kubernetes_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}.tar.gz"
 
 WORKDIR /home/builder/kubernetes/
 
 # We don't need to run `go mod vendor` to generate the vendored code:
 # upstream kubernetes already vendors all its dependencies
 RUN cp -p LICENSE /usr/share/licenses/kubernetes && \
+    go mod vendor && \
     /usr/libexec/tools/bottlerocket-license-scan \
       --clarify /clarify.toml \
       --spdx-data /usr/libexec/tools/spdx-data \
       --out-dir /usr/share/licenses/kubernetes/vendor \
       go-vendor ./vendor
-RUN curl -L "${KUBEADM_BINARY_URL}" \
-      -o "kubeadm_${K8S_VERSION}_${GOOS}_${GOARCH}" && \
-    grep "kubeadm_${K8S_VERSION}_${GOOS}_${GOARCH}" \
-      /hashes/kubernetes | sha512sum --check - && \
-    install -m 0755 "kubeadm_${K8S_VERSION}_${GOOS}_${GOARCH}" ./kubeadm
-RUN curl -L "${KUBECTL_BINARY_URL}" \
-      -o "kubectl_${K8S_VERSION}_${GOOS}_${GOARCH}" && \
-    grep "kubectl_${K8S_VERSION}_${GOOS}_${GOARCH}" \
-      /hashes/kubernetes | sha512sum --check - && \
-    install -m 0755 "kubectl_${K8S_VERSION}_${GOOS}_${GOARCH}" ./kubectl
+
+RUN curl -L "${EKSD_RELEASE_MANIFEST}" -o "kubernetes-${K8S_MINOR_VERSION}-eks-${EKSD_PATCH_VERSION}.yaml" && \
+  grep "kubernetes-${K8S_MINOR_VERSION}-eks-${EKSD_PATCH_VERSION}.yaml" \
+    /hashes/kubernetes | sha512sum --check -
+
+RUN yq ".status.components.[] | \
+  select(.name ==  \"kubernetes\").assets.[] | \
+  select(.name ==  \"bin/${GOOS}/${GOARCH}/kubeadm\") \
+  .archive.uri" "kubernetes-${K8S_MINOR_VERSION}-eks-${EKSD_PATCH_VERSION}.yaml" | \
+  xargs curl -L \
+      -o "kubeadm_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}_${GOOS}_${GOARCH}" && \
+  EXPECTED_CHECKSUM=$(yq ".status.components.[] | \
+    select(.name == \"kubernetes\").assets.[] | \
+    select(.name == \"bin/${GOOS}/${GOARCH}/kubeadm\") \
+    .archive.sha512" "kubernetes-${K8S_MINOR_VERSION}-eks-${EKSD_PATCH_VERSION}.yaml") && \
+  sha512sum "kubeadm_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}_${GOOS}_${GOARCH}" | \
+    awk "\$1!=\"${EXPECTED_CHECKSUM}\"{print \"checksum mismatch\"; exit 1}" && \
+  install -m 0755 "kubeadm_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}_${GOOS}_${GOARCH}" ./kubeadm
+
+RUN yq ".status.components.[] | \
+    select(.name == \"kubernetes\").assets.[] | \
+    select(.name == \"bin/${GOOS}/${GOARCH}/kubectl\") \
+    .archive.uri" "kubernetes-${K8S_MINOR_VERSION}-eks-${EKSD_PATCH_VERSION}.yaml" | \
+  xargs curl -L \
+      -o "kubectl_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}_${GOOS}_${GOARCH}" && \
+  EXPECTED_CHECKSUM=$(yq ".status.components.[] | \
+    select(.name == \"kubernetes\").assets.[] | \
+    select(.name == \"bin/${GOOS}/${GOARCH}/kubectl\") \
+    .archive.sha512" "kubernetes-${K8S_MINOR_VERSION}-eks-${EKSD_PATCH_VERSION}.yaml") && \
+  sha512sum "kubectl_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}_${GOOS}_${GOARCH}" | \
+    awk "\$1!=\"${EXPECTED_CHECKSUM}\"{print \"checksum mismatch\"; exit 1}" && \
+  install -m 0755 "kubectl_${K8S_MINOR_VERSION}-${EKSD_PATCH_VERSION}_${GOOS}_${GOARCH}" ./kubectl
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 FROM build-go as sonobuoy-build
@@ -108,7 +133,7 @@ USER root
 RUN mkdir -p /usr/share/licenses/sonobuoy && \
     chown -R builder:builder /usr/share/licenses/sonobuoy
 
-ARG SONOBUOY_VERSION=0.56.15
+ARG SONOBUOY_VERSION=0.57.1
 ARG SONOBUOY_SOURCE_URL="https://github.com/vmware-tanzu/sonobuoy/archive/refs/tags/v${SONOBUOY_VERSION}.tar.gz"
 
 ARG SONOBUOY_BINARY_URL="https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_linux_${GOARCH}.tar.gz"
@@ -128,7 +153,7 @@ WORKDIR /home/builder/sonobuoy/
 RUN go mod vendor
 RUN cp -p LICENSE /usr/share/licenses/sonobuoy && \
     /usr/libexec/tools/bottlerocket-license-scan \
-      --clarify /clarify.toml \
+      --clarify /sonobuoy.clarify.toml \
       --spdx-data /usr/libexec/tools/spdx-data \
       --out-dir /usr/share/licenses/sonobuoy/vendor \
       go-vendor ./vendor
@@ -146,7 +171,7 @@ USER root
 RUN mkdir -p /usr/share/licenses/helm && \
     chown -R builder:builder /usr/share/licenses/helm
 
-ARG HELM_VERSION=3.14.0
+ARG HELM_VERSION=3.15.3
 ARG HELM_SOURCE_URL="https://github.com/helm/helm/archive/refs/tags/v${HELM_VERSION}.tar.gz"
 
 # ARG HELM_BINARY_URL="https://github.com/helm/helm/releases/download/v${HELM_VERSION}/helm-v${HELM_VERSION}-${GOOS}-${GOARCH}.tar.gz.asc"
@@ -188,8 +213,8 @@ USER root
 RUN mkdir -p /usr/share/licenses/aws-iam-authenticator && \
     chown -R builder:builder /usr/share/licenses/aws-iam-authenticator
 
-ARG AWS_IAM_AUTHENTICATOR_VERSION=0.6.8
-ARG AWS_IAM_AUTHENTICATOR_SHA512_SUM=6e9f43852cdd3fb7d47ea70df5d108a0e235245b6db1a4f6406efffc329f5c940bf284c216e4bf20e83ff691b078652cee3fbae4c7c3da658ea3eef2ecab92b5
+ARG AWS_IAM_AUTHENTICATOR_VERSION=0.6.21
+ARG AWS_IAM_AUTHENTICATOR_SHA512_SUM=5548748efa330fc89256fda0e723e75f83040f55301f692166588d32c883a69d8f955a86f38c39558a6ccd65de6b622a59b7768486cc9ba6f1d78b2f9d183eed
 ARG AWS_IAM_AUTHENTICATOR_SOURCE_URL="https://cache.bottlerocket.aws/aws-iam-authenticator-${AWS_IAM_AUTHENTICATOR_VERSION}.tar.gz/${AWS_IAM_AUTHENTICATOR_SHA512_SUM}/aws-iam-authenticator-${AWS_IAM_AUTHENTICATOR_VERSION}.tar.gz"
 
 USER builder

tools/clarify.toml

@@ -106,9 +106,12 @@ license-files = [
 ]
 
 [[clarify."sigs.k8s.io/yaml"]]
-expression = "MIT AND BSD-3-Clause"
+expression = "MIT AND BSD-3-Clause AND Apache-2.0"
 license-files = [
-    { path = "LICENSE", hash = 0xcdf3ae00 },
+    { path = "LICENSE", hash = 0x617d80bc },
+    { path = "goyaml.v2/LICENSE", hash = 0xe569d630 },
+    { path = "goyaml.v2/LICENSE.libyaml", hash = 0xa2e4ce3 },
+    { path = "goyaml.v2/NOTICE", hash = 0x49bceeb9 },
 ]
 
 [clarify."github.com/cloudflare/circl"]

tools/hashes/aws-iam-authenticator

@@ -1 +1 @@
-6e9f43852cdd3fb7d47ea70df5d108a0e235245b6db1a4f6406efffc329f5c940bf284c216e4bf20e83ff691b078652cee3fbae4c7c3da658ea3eef2ecab92b5 aws-iam-authenticator_0.6.8.tar.gz
+5548748efa330fc89256fda0e723e75f83040f55301f692166588d32c883a69d8f955a86f38c39558a6ccd65de6b622a59b7768486cc9ba6f1d78b2f9d183eed aws-iam-authenticator_0.6.21.tar.gz

tools/hashes/eksctl

@@ -1,3 +1,3 @@
-abccd74a7e1ab9ee91c3223ebc8a1e1084b70f1a002aec1669842f8c610bf3d8c0baccb3d6dd0aa28c668d6e2d65399c441d1386a337e6eb592d2ae642c80bcc  eksctl_0.183.0_linux_amd64.tar.gz
-9ae219725693b9a663c6a9f6a8749769617b553561363e246b1234e5de4a4627e17d71dab82dc299e364a40afd0a335330515f8910ba7b96a210e8fb8a9fe452  eksctl_0.183.0_linux_arm64.tar.gz
-e32a9819d00b94fffa2b7a7356f8434777fa2610ad8f48ed5d5696fc735337fed3a60a4487c176a2cd90e0547a265d31b0bec26bb56fc12e86105a413406834a  eksctl_0.183.0.tar.gz
+4c5b2cc1343da499e1211c8aa4a0b027ffef16279e9774aabc85659167d25cd510a6c35ec7d972a318350e3c22955b1398cc673bceb4d078e1d0ccd43a1e2589  eksctl_0.187.0_linux_amd64.tar.gz
+fd9566b2187cff60946a207bb2560467b002481eec8d8be615c007c2faaaefd3f4479d2b00abce3fbcc6ac564c5a543be79f1f4cb7599b9c2458c96d366e2001  eksctl_0.187.0_linux_arm64.tar.gz
+8a1af86f2ee3b41f28f0952513336dafea2660fbe9803cea23ad637d288172bfd75c04091ccbd7ba4b2fb0f57aa95a21aed729e28b9e84f9659bdc53cf47e3a3  eksctl_0.187.0.tar.gz

tools/hashes/helm

@@ -1,3 +1,3 @@
-119f6cee49358207d151a70b936b20e6fd0857b06801eb5fd79dd341eb7b1a193c2d4e0bb1ba4a89d647e5a0d92431cf84ad09d4b3096fa859e2e38d0b19bcda  helm_3.14.0_linux_amd64.tar.gz
-119f6cee49358207d151a70b936b20e6fd0857b06801eb5fd79dd341eb7b1a193c2d4e0bb1ba4a89d647e5a0d92431cf84ad09d4b3096fa859e2e38d0b19bcda  helm_3.14.0_linux_arm64.tar.gz
-46bfa547be1ce8278c5719239aed178e657b438235558665633202dac5fde30543d745e5caa18eb3bde139c9514fde164dd85a6514019a0c315eda6959f92b6d  helm_3.14.0.tar.gz
+753b427da1d7203b0178de26aac7a7f0c4dfb4249339ab2f8e4c77b5fdd234dd491d9dc15729aca961186ac98db78f77eb334cdbc9de5d315456e2be579b7c98  helm_3.15.3_linux_amd64.tar.gz
+f4d1423717d20b006cf5377e3b4a7a53ea491b80e6d4edce0084157e4f95820a66c98719e7bf918446b8a31797381a2eb7f5b3053d3e6cd049f757e746f79eef  helm_3.15.3_linux_arm64.tar.gz
+72c3267b1bae9f938c524d9d5565d2240ff9eb911fdd9cfb1d104f9eddc20cdc3f87aa644b331384a854a49af7a3f7b01f2d1bdbbd317af40b33ffe4b2bafab7  helm_3.15.3.tar.gz

tools/hashes/kubernetes

@@ -1,5 +1,2 @@
-7a8aa29ea282aec99046d231d4c6756e36ba74eca4c2300b3b1f5a1362d211ffe712957746044168b254ba7332e324e341a2e4d56be7bb6a58de953fa630ac14  kubernetes_1.26.3.tar.gz
-353cfd0cbc49971a335ee3c4453310b0e65d5c4edac532e70427b0017119eb43ec8f3c8e5d8786ef94897fc7720df6b7c261e90b299a00ee516e9e665781a149  kubeadm_1.26.3_linux_amd64
-dd443f02d5569f5168929b895b083d2d41c373d3c085462f340f9e392f7763e48167d4e6b6822c9bb8b40b363f5e6a1aa1bbde2de98c4d9e38a49ac02c73ff2d  kubectl_1.26.3_linux_amd64
-987333e227d249936ef4aa95b98b351967d557413983bb93aa95a81cc26247cc5b6294094c8c2d5b909e7a34dd0070f748a8897b0b424ac2f2eb753fac53da62  kubeadm_1.26.3_linux_arm64
-29c015a5ac00184497668e2d4f120f448c0779523761c150145e563bd45e2f1665f9a6d3970bccf6400a32b9b9d688791ee32738d3bd338c8e03b898e918b768  kubectl_1.26.3_linux_arm64
+afb7c89db7246b6a7ad9d5e86afe4b4ce012da9a56225f285d4e47d963e616ef19ff719f26242cdc392c6a952c32ec3067966cdaadbd9f5dd7120b24c3c52b3f  kubernetes_1-27-35.tar.gz
+b87c2861fc28339f43b5f15d0957aa19550f0d6a550b9abc889fa440dd21e3cd3b97d5523b9c5e16c943a1e0b952c9f12433d850841d6951edf549fd733d9994  kubernetes-1-27-eks-35.yaml

tools/hashes/sonobuoy

@@ -1,3 +1,3 @@
-7eea0f60e8386ec07a5dad032392a760d84b1457d177d1ca142b6b1afeb65643b2d70263b28cfc71cd3c71621068953d3ea795522c0d67bf8613ccd9227a206d  sonobuoy_0.56.15.tar.gz
-50621480671936c43708d6c9f80021ee935f40a7ccbaeaec6d75b3d34caccb4d3e9404f625447a87f2dd95794081963562585b403cc3b99bebc7c66caebeb68d  sonobuoy_0.56.15_linux_amd64.tar.gz
-00d57ede87bccd6c09207c0376e8ea4bb96f5b4661e76c5f6567497ccc6aa0b6265b10a67a4bd29c12059d6d4ed9d855cdf1af9c67f41fc584871902037ca030  sonobuoy_0.56.15_linux_arm64.tar.gz
+90f6ca5191db72166e952a51148fa943068792f53f81a2887e4fe88cb1f4573c081265d42fb07749bc0b6f08b9f194d789352327363ff2f2da587ca14115a722  sonobuoy_0.57.1.tar.gz
+fb4342aa380b9ccba8d70fd408fc33aefa6509b5399e7b67c78d3d79b8fb768fa9161c6942702e18e2e3ceae8bee3bb488e8586bf3abef1e77ed64ca738f7185  sonobuoy_0.57.1_linux_amd64.tar.gz
+a3080a9206dc76db8eeefff4273965a5fc598d05ccb4e066a1eae94f4597e053abd035464f06a7846114f2240626aa06b376fc69ed54a37706658b1c5ebb5c69  sonobuoy_0.57.1_linux_arm64.tar.gz

tools/sonobuoy.clarify.toml

@@ -0,0 +1,5 @@
+[[clarify."sigs.k8s.io/yaml"]]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xcdf3ae00 },
+]