Skip to content

[release-1.34] Backports for 2025-12 #13251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
brandond wants to merge 32 commits into
base: release-1.34
Choose a base branch
from
Open

[release-1.34] Backports for 2025-12 #13251

brandond wants to merge 32 commits into from
+1,957 −1,639

Conversation

@brandond
Copy link
Member

@brandond brandond commented Nov 21, 2025
edited
Loading

Proposed Changes

Backports:

Types of Changes

backports

Verification

see linked issues

Testing

Linked Issues

User-Facing Change

Further Comments

@brandond brandond requested a review from a team as a code owner November 21, 2025 18:53
@codecov
Copy link

codecov bot commented Nov 21, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 6.91824% with 444 lines in your changes missing coverage. Please review.
✅ Project coverage is 21.45%. Comparing base (293350f) to head (80985ad).

Files with missing lines Patch % Lines
pkg/executor/embed/embed.go 0.00% 81 Missing ⚠️
pkg/agent/containerd/containerd.go 0.00% 75 Missing ⚠️
pkg/agent/run.go 0.00% 42 Missing ⚠️
pkg/agent/flannel/setup.go 0.00% 41 Missing ⚠️
pkg/daemons/executor/executor.go 0.00% 24 Missing and 12 partials ⚠️
pkg/util/patch.go 33.33% 28 Missing and 2 partials ⚠️
pkg/spegel/bootstrap.go 0.00% 21 Missing ⚠️
pkg/etcd/metadata_controller.go 0.00% 15 Missing ⚠️
pkg/server/server.go 0.00% 13 Missing ⚠️
pkg/etcd/member_controller.go 0.00% 12 Missing ⚠️
... and 12 more
Additional details and impacted files 
@@               Coverage Diff                @@
##           release-1.34   #13251      +/-   ##
================================================
- Coverage         21.91%   21.45%   -0.46%     
================================================
  Files               186      187       +1     
  Lines             15171    15271     +100     
================================================
- Hits               3324     3276      -48     
- Misses            11408    11549     +141     
- Partials            439      446       +7
Flag Coverage Δ
unittests 21.45% <6.91%> (-0.46%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

dereknola and others added 13 commits December 8, 2025 23:50
@dereknola @brandond
Add docker dualstack test (k3s-io#13070)
dc2b3d3 
Signed-off-by: Derek Nola <[email protected]>
(cherry picked from commit cfcc9ef)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Fix windows build os (k3s-io#13201)
72579f7 
* Pass GOOS into Dockerfile.local build args
  Fixes issue with build-windows job not actually building for windows
* Remove `go generate` from package-cli
  We no longer use codegen in this repo
* Fix go:embed path separator on Windows
* Bump hcsshim for containerd 2.1 compat on windows
* Include failing lister in error message
* Bump k3s-io/api and k3s-io/helm-controller for embedded CRD windows path fix

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit ed57fb5)
Signed-off-by: Brad Davidson <[email protected]>
@jvassev @brandond
tunnel: handle pod IP reuse (k3s-io#13212)
cac32d8 
* tunnel: handle pod IP reuse

a valid tunnel/session may be deleted when an IP is reused while a
Complete pod (for example a job) was using that IP but is being gc'ed.

This causes timeouts to webhooks after directDial is attempted because
session was removed.

Solution is to track the owner of the IP and delete the entry only when
the the owner pod is deleted.

Signed-off-by: Julian Vassev <[email protected]>
(cherry picked from commit 9130056)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Stop waiting on CRI ready if context is cancelled
f210f41 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit f0d5452)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Fix spegel ready checks to give server more time to find a peer
0abbba9 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 9806524)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Add digests and source labels for imported images
3105da2 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 1037dcb)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Add test for sharing imported images by digest
e3c2130 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit af441c2)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Fix airgap-extra-registry flag
6bdc2b5 
It is hidden and undocumented, but also apparently broken.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit f783052)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Use docker containerd snapshotter for stable image digests
4c93212 
The legacy Docker snapshotter flattens application/vnd.docker.distribution.manifest.v2+json manifests to application/vnd.oci.image.manifest.v1+json when saving. Switching to the containerd snapshotter allows us to keep the original manifest digest when pulling and saving image tarballs.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 74088f5)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Clean tools from runners before tests
374cb0d 
Remove optional tools from runners to make space available for docker/vagrant

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit f726966)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Bump opencontainers/selinux
e2d7f29 
We do not use any vulnerable code from this project, but we should bump it anyway to pacify scanners

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 3de0888)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Remove remaining references to drone
8671515 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 96ed439)
Signed-off-by: Brad Davidson <[email protected]>
@dependabot @brandond
Bump actions/checkout from 5 to 6 (k3s-io#13256)
9038b20 
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 68749aa)
Signed-off-by: Brad Davidson <[email protected]>
@brandond brandond force-pushed the 2025-12-backports_release-1.34 branch 2 times, most recently from 7117776 to 3995ac9 Compare December 9, 2025 00:08
dereknola and others added 9 commits December 9, 2025 00:36
@dereknola @brandond
Consolidate RunCommand between Docker and E2E tests
2646ba4 
Signed-off-by: Derek Nola <[email protected]>
(cherry picked from commit 572cc8e)
Signed-off-by: Brad Davidson <[email protected]>
@dereknola @brandond
Fix naming convention for docker test import
f3d0552 
Signed-off-by: Derek Nola <[email protected]>
(cherry picked from commit cd08e73)
Signed-off-by: Brad Davidson <[email protected]>
@dereknola @brandond
Move from ranchertest to mirrored-busybox
3409816 
Signed-off-by: Derek Nola <[email protected]>
(cherry picked from commit 0d39c86)
Signed-off-by: Brad Davidson <[email protected]>
@dereknola @brandond
Define DefaultHelmJobImage in K3s, overriding what helm-controller de…
f62281a 
…faults to. (k3s-io#13258)

Signed-off-by: Derek Nola <[email protected]>
(cherry picked from commit 543b630)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Move etcd metrics to separate package
4e7cde9 
Allows importing pkg/metrics without pulling in pkg/etcd, which was causing an import loop in a follow-up commit.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit b7ca944)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Move CNI execution into executor
245985d 
Allows properly delegating CNI startup to executor, so that it can be plugged in as platform and distro specific implimentation without relying on cli flag hacks

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit ec3cc04)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Move embedded flannel and vpn config setup into embedded executor
090336b 
Flannel and VPN setup shouldn't be done in generic agent config as it is only
used with embeded executor's flannel CNI.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit efcf8eb)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Add JSON patch helper
5a92b72 
Adds helper function for building JsonPatch operation lists,
which allows modifying a resource without having to manually
refresh the object and retry the change on conflict.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit ceebaad)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Use patch helper for etcd snapshot annotation patch
a6aeaa7 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 785cfad)
Signed-off-by: Brad Davidson <[email protected]>
brandond added 10 commits December 9, 2025 00:36
@brandond
Use patch helper for etcd member controller
192fb68 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 2b39b68)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Use patch helper for etcd labels and annotations
529eac4 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 713cf8f)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Use patch helper for node labels and annotations
fd37f33 
Move flannel annotations into flannel setup, and use patch helpers to manage other node labels and annotations

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 57210b8)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Use patch helper for spegel annotations and labels
fa70129 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 1cb80fb)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Use patch helper for secrets-encryption labels and annotations
e0f032a 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit d198956)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Reorganize flannel consts and fields
83e4495 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit d582a0d)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Move embed into separate package from executor
623bd10 
Better isolates the K3s implementation from the interface, and aligns
the package path with other projects executors. This should also remove
the indirect flannel dep from other projects that don't use the embedded
executor.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit c3ca02a)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Fix inconsistent curl flags in tests
d33f088 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit d337570)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Bump kine and etcd
2ea8a32 
kine => v0.14.7
etcd => v3.6.6

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit aaa7fa2)
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Bump runc to v1.4.0
80985ad 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 613a5e4)
Signed-off-by: Brad Davidson <[email protected]>
@brandond brandond force-pushed the 2025-12-backports_release-1.34 branch from 3995ac9 to 80985ad Compare December 9, 2025 00:36
mgfritch
mgfritch approved these changes Dec 9, 2025
View reviewed changes
Copy link
Contributor

@mgfritch mgfritch left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also include these?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cwayne18 cwayne18 cwayne18 approved these changes

@mgfritch mgfritch mgfritch approved these changes

@dereknola dereknola dereknola approved these changes

@vitorsavian vitorsavian vitorsavian approved these changes

+1 more reviewer

@farazkhawaja farazkhawaja farazkhawaja approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@brandond @cwayne18 @mgfritch @dereknola @farazkhawaja @vitorsavian @jvassev