Merge pull request #2 from azimuth-cloud/main

Sync fork to upstream azimuth-images

.github/workflows/build_test_images.yaml

@@ -88,14 +88,18 @@ jobs:
         run: sudo guestmount -a ${{ steps.publish-image.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.publish-image.outputs.image-name }}'
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.17.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: fs
           scan-ref: "./${{ steps.publish-image.outputs.image-name }}"
           scanners: "vuln"
           format: sarif
           output: "${{ steps.publish-image.outputs.image-name }}.sarif"
-          # turn off secret scanning to speed things up
+          # limit to medium and higher as we get too many results for GH security otherwise
+          limit-severities-for-sarif: 'true'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
@@ -104,7 +108,7 @@ jobs:
           category: "${{ matrix.name }}"
 
       - name: Fail if scan has CRITICAL vulnerabilities
-        uses: aquasecurity/trivy-action@0.16.1
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: fs
           scan-ref: "./${{ steps.publish-image.outputs.image-name }}"
@@ -113,6 +117,8 @@ jobs:
           exit-code: '1'
           severity: 'CRITICAL'
           ignore-unfixed: true
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2
 
       - name: Write matrix outputs
         uses: cloudposse/[email protected]

.github/workflows/kubernetes_update.yaml

@@ -85,8 +85,19 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Check for most recent image-builder release
+        id: next
+        uses: azimuth-cloud/github-actions/github-latest-release@master
+        with:
+          repository: kubernetes-sigs/image-builder
+
+      - name: Fetch tags for image-builder submodule
+        run: git fetch --tags
+        working-directory: ./vendor/image-builder
+
       - name: Update image-builder submodule
-        run: git submodule update --remote vendor/image-builder
+        run: git checkout ${{ steps.next.outputs.version }}
+        working-directory: ./vendor/image-builder
 
       - name: Generate app token for PR
         uses: azimuth-cloud/github-actions/generate-app-token@master
@@ -100,13 +111,15 @@ jobs:
         uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ steps.generate-app-token.outputs.token }}
-          commit-message: Update Kubernetes image-builder submodule
+          commit-message: >-
+            Update image-builder submodule to ${{ steps.next.outputs.version }}
           branch: update/kubernetes-image-builder
           delete-branch: true
-          title: Update Kubernetes image-builder submodule
+          title: >-
+            Update image-builder submodule to ${{ steps.next.outputs.version }}
           body: |
             This PR was created automatically to update the Kubernetes image-builder
-            submodule to `HEAD`.
+            submodule to ${{ steps.next.outputs.version }}.
           labels: |
             automation
             dependency-update

ansible/jupyter-repo2docker.yml

@@ -3,4 +3,5 @@
 - hosts: all
   become: yes
   roles:
+    - linux-common
     - jupyter-repo2docker

ansible/kubernetes.yml

@@ -3,6 +3,6 @@
 - hosts: all
   become: yes
   roles:
-    - linux-volumes-by-tag
+    - linux-common
 
 - import_playbook: ../vendor/image-builder/images/capi/ansible/node.yml

ansible/linux-rdp-gateway.yml

@@ -3,4 +3,5 @@
 - hosts: all
   become: yes
   roles:
+    - linux-common
     - linux-rdp-gateway

ansible/linux-rstudio.yml

@@ -3,4 +3,5 @@
 - hosts: all
   become: yes
   roles:
+    - linux-common
     - linux-rstudio

ansible/linux-webconsole.yml

@@ -3,4 +3,5 @@
 - hosts: all
   become: yes
   roles:
+    - linux-common
     - linux-webconsole

ansible/roles/jupyter-repo2docker/tasks/main.yml

@@ -1,27 +1,5 @@
 ---
 
-- name: Update apt cache
-  apt:
-    update_cache: yes
-  when: ansible_os_family == "Debian"
-
-- name: Ensure up-to-date CA certificates
-  package:
-    name: ca-certificates
-    state: latest
-
-# Required for become to an unprivileged user to work
-# Using the apt module seems to work more reliably than package :-/
-- name: Install ACL package
-  apt:
-    update_cache: yes
-    name: acl
-    state: present
-  when: ansible_os_family == "Debian"
-
-- include_role:
-    name: azimuth_cloud.image_utils.linux_ansible_init
-
 - include_role: 
     name: linux-podman
     tasks_from: install.yml

ansible/roles/linux-common/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Update apt cache
+  apt:
+    update_cache: true
+  when: ansible_os_family == "Debian"
+
+- name: Ensure up-to-date CA certificates
+  package:
+    name: ca-certificates
+    state: latest
+
+# Required for become to an unprivileged user to work
+# Using the apt module seems to work more reliably than package :-/
+- name: Install ACL package
+  apt:
+    update_cache: true
+    name: acl
+    state: present
+  when: ansible_os_family == "Debian"
+
+# Enables the ansible-init system, but does not install any default playbooks
+- include_role:
+    name: azimuth_cloud.image_utils.linux_ansible_init
+
+# Enables volumes to be referred to by tag for setting up mounts in cloud-config
+- include_role:
+    name: linux-volumes-by-tag

ansible/roles/linux-rdp-gateway/tasks/main.yml

@@ -1,27 +1,5 @@
 ---
 
-- name: Update apt cache
-  apt:
-    update_cache: yes
-  when: ansible_os_family == "Debian"
-
-- name: Ensure up-to-date CA certificates
-  package:
-    name: ca-certificates
-    state: latest
-
-# Required for become to an unprivileged user to work
-# Using the apt module seems to work more reliably than package :-/
-- name: Install ACL package
-  apt:
-    update_cache: yes
-    name: acl
-    state: present
-  when: ansible_os_family == "Debian"
-
-- include_role:
-    name: azimuth_cloud.image_utils.linux_ansible_init
-
 - include_role: 
     name: linux-podman
     tasks_from: install.yml

ansible/roles/linux-rstudio/tasks/main.yml

@@ -1,27 +1,5 @@
 ---
 
-- name: Update apt cache
-  apt:
-    update_cache: yes
-  when: ansible_os_family == "Debian"
-
-- name: Ensure up-to-date CA certificates
-  package:
-    name: ca-certificates
-    state: latest
-
-# Required for become to an unprivileged user to work
-# Using the apt module seems to work more reliably than package :-/
-- name: Install ACL package
-  apt:
-    update_cache: yes
-    name: acl
-    state: present
-  when: ansible_os_family == "Debian"
-
-- include_role:
-    name: azimuth_cloud.image_utils.linux_ansible_init
-
 - include_role: 
     name: linux-podman
     tasks_from: install.yml

ansible/roles/linux-webconsole/tasks/desktop.yml

@@ -24,9 +24,6 @@
 - name: Set graphical environment as default systemd target
   command: systemctl set-default graphical.target
 
-- name: Set current systemd runlevel to graphical environment
-  command: systemctl isolate graphical.target
-
 - name: Create user dconf profile
   lineinfile:
     line: "{{ item }}"

ansible/roles/linux-webconsole/tasks/main.yml

@@ -17,25 +17,6 @@
     - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
     - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
 
-- name: Update apt cache
-  apt:
-    update_cache: true
-  when: ansible_os_family == "Debian"
-
-- name: Ensure up-to-date CA certificates
-  package:
-    name: ca-certificates
-    state: latest
-
-# Required for become to an unprivileged user to work
-# Using the apt module seems to work more reliably than package :-/
-- name: Install ACL package
-  apt:
-    update_cache: true
-    name: acl
-    state: present
-  when: ansible_os_family == "Debian"
-
 - name: Add apptainer repository
   apt_repository:
     repo: 'ppa:apptainer/ppa'
@@ -51,9 +32,6 @@
     - include_tasks: vnc_server.yml
   when: desktop_enabled is defined and desktop_enabled
 
-- include_role:
-    name: azimuth_cloud.image_utils.linux_ansible_init
-
 - include_role: 
     name: linux-podman
     tasks_from: install.yml

env/base/ubuntu-jammy.env

@@ -1,3 +1,3 @@
-SOURCE_IMAGE_URL="https://cloud-images.ubuntu.com/releases/jammy/release-20240821/ubuntu-22.04-server-cloudimg-amd64.img"
+SOURCE_IMAGE_URL="https://cloud-images.ubuntu.com/releases/jammy/release-20241002/ubuntu-22.04-server-cloudimg-amd64.img"
 
 PACKER_VAR_FILES="$PACKER_VAR_FILES,vars/base/ubuntu-jammy.json"

requirements.yml

@@ -13,7 +13,7 @@ collections:
   - name: containers.podman
     version: 1.15.4
   - name: prometheus.prometheus
-    version: 0.17.1
+    version: 0.19.0
   - name: https://github.com/azimuth-cloud/ansible-collection-image-utils
     type: git
     version: 0.2.0

vars/base/kubernetes_1_28.json

@@ -1,6 +1,6 @@
 {
-    "kubernetes_deb_version": "1.28.13-*",
-    "kubernetes_rpm_version": "1.28.13",
-    "kubernetes_semver": "v1.28.13",
+    "kubernetes_deb_version": "1.28.14-*",
+    "kubernetes_rpm_version": "1.28.14",
+    "kubernetes_semver": "v1.28.14",
     "kubernetes_series": "v1.28"
 }

vars/base/kubernetes_1_29.json

@@ -1,6 +1,6 @@
 {
-    "kubernetes_deb_version": "1.29.8-*",
-    "kubernetes_rpm_version": "1.29.8",
-    "kubernetes_semver": "v1.29.8",
+    "kubernetes_deb_version": "1.29.9-*",
+    "kubernetes_rpm_version": "1.29.9",
+    "kubernetes_semver": "v1.29.9",
     "kubernetes_series": "v1.29"
 }

vars/base/kubernetes_1_30.json

@@ -1,6 +1,6 @@
 {
-    "kubernetes_deb_version": "1.30.4-*",
-    "kubernetes_rpm_version": "1.30.4",
-    "kubernetes_semver": "v1.30.4",
+    "kubernetes_deb_version": "1.30.5-*",
+    "kubernetes_rpm_version": "1.30.5",
+    "kubernetes_semver": "v1.30.5",
     "kubernetes_series": "v1.30"
 }

vars/base/kubernetes_1_31.json

@@ -1,6 +1,6 @@
 {
-    "kubernetes_deb_version": "1.31.0-*",
-    "kubernetes_rpm_version": "1.31.0",
-    "kubernetes_semver": "v1.31.0",
+    "kubernetes_deb_version": "1.31.1-*",
+    "kubernetes_rpm_version": "1.31.1",
+    "kubernetes_semver": "v1.31.1",
     "kubernetes_series": "v1.31"
 }