cherrypick rhel fixes and ccm upgrade to release 1.34

docs/operations/images.md

@@ -6,10 +6,10 @@ You can choose a different image for an instance group by editing it with `kops
 
 For AWS, you should set the `image` field in one of the following formats:
 
-* `ami-abcdef` - specifies an image by id directly (image id is precise, but ids vary by region)
-* `<owner>/<name>` specifies an image by its owner's account ID  and name properties
-* `<alias>/<name>` specifies an image by its [owner's alias](#owner-aliases) and name properties
-* `ssm:<ssm_parameter>` specifies an image through an SSM parameter (kOps 1.25.3+)
+- `ami-abcdef` - specifies an image by id directly (image id is precise, but ids vary by region)
+- `<owner>/<name>` specifies an image by its owner's account ID and name properties
+- `<alias>/<name>` specifies an image by its [owner's alias](#owner-aliases) and name properties
+- `ssm:<ssm_parameter>` specifies an image through an SSM parameter (kOps 1.25.3+)
 
 ```yaml
 image: ami-00579fbb15b954340
@@ -32,24 +32,29 @@ spec:
 The following table provides the support status for various distros with regards to kOps version:
 
 | Distro                                  | Experimental | Stable | Deprecated | Removed |
-|-----------------------------------------|-------------:|-------:|-----------:|--------:|
+| --------------------------------------- | -----------: | -----: | ---------: | ------: |
 | [Amazon Linux 2](#amazon-linux-2)       |         1.10 |   1.18 |          - |       - |
 | [Amazon Linux 2023](#amazon-linux-2023) |         1.27 |      - |          - |       - |
 | CentOS 7                                |            - |    1.5 |       1.21 |    1.23 |
 | CentOS 8                                |         1.15 |      - |       1.21 |    1.23 |
+| CentOS Stream 9                         |         1.35 |      - |          - |       - |
+| CentOS Stream 10                        |         1.35 |      - |          - |       - |
 | CoreOS                                  |          1.6 |    1.9 |       1.17 |    1.18 |
 | Debian 8                                |            - |    1.5 |       1.17 |    1.18 |
 | Debian 9                                |          1.8 |   1.10 |       1.21 |    1.23 |
 | [Debian 10](#debian-10-buster)          |         1.13 |   1.17 |          - |       - |
 | [Debian 11](#debian-11-bullseye)        |       1.21.1 |      - |          - |       - |
 | [Debian 12](#debian-12-bookworm)        |       1.26.3 |      - |          - |       - |
+| [Debian 13](#debian-13-trixie)          |         1.34 |      - |          - |       - |
 | [Flatcar](#flatcar)                     |       1.15.1 |   1.17 |          - |       - |
 | Kope.io                                 |            - |      - |       1.18 |    1.23 |
 | RHEL 7                                  |            - |    1.5 |       1.21 |    1.23 |
 | [RHEL 8](#rhel-8)                       |         1.15 |   1.18 |          - |       - |
 | [RHEL 9](#rhel-9)                       |         1.27 |      - |          - |       - |
+| [RHEL 10](#rhel-10)                     |         1.35 |      - |          - |       - |
 | [Rocky 8](#rocky-8)                     |       1.23.2 |   1.24 |          - |       - |
 | [Rocky 9](#rocky-9)                     |         1.30 |      - |          - |       - |
+| [Rocky 10](#rocky-10)                   |         1.35 |      - |          - |       - |
 | Ubuntu 16.04                            |          1.5 |   1.10 |       1.17 |    1.20 |
 | Ubuntu 18.04                            |         1.10 |   1.16 |       1.26 |    1.28 |
 | [Ubuntu 20.04](#ubuntu-2004-focal)      |       1.16.2 |   1.18 |          - |       - |
@@ -114,7 +119,8 @@ aws ec2 describe-images --region us-east-1 --output table \
   --filters "Name=name,Values=debian-10-*-*"
 
 # Google Cloud Platform (GCP)
-gcloud compute images list --filter debian-10-buster-v
+gcloud compute images list --filter debian-10-buster- \
+  --project debian-cloud
 
 # Microsoft Azure
 az vm image list --all --output table \
@@ -135,7 +141,8 @@ aws ec2 describe-images --region us-east-1 --output table \
   --filters "Name=name,Values=debian-11-*-*"
 
 # Google Cloud Platform (GCP)
-gcloud compute images list --filter debian-11-bullseye-v
+gcloud compute images list --filter debian-11-bullseye- \
+  --project debian-cloud
 
 # Microsoft Azure
 az vm image list --all --output table \
@@ -154,6 +161,36 @@ aws ec2 describe-images --region us-east-1 --output table \
   --owners 136693071363 \
   --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
   --filters "Name=name,Values=debian-12-*-*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter debian-12-bookworm- \
+  --project debian-cloud
+
+# Microsoft Azure
+az vm image list --all --output table \
+  --publisher Debian --offer debian-11 --sku 12-gen2
+```
+
+### Debian 13 (Trixie)
+
+Debian 13 is based on Kernel version **6.12** which has no known major Kernel bugs and fully supports all Cilium features.
+
+Available images can be listed using:
+
+```bash
+# Amazon Web Services (AWS)
+aws ec2 describe-images --region us-east-1 --output table \
+  --owners 136693071363 \
+  --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
+  --filters "Name=name,Values=debian-13-*-*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter debian-13-trixie- \
+  --project debian-cloud
+
+# Microsoft Azure
+az vm image list --all --output table \
+  --publisher Debian --offer debian-13 --sku 13-gen2
 ```
 
 ### Flatcar
@@ -182,6 +219,10 @@ aws ec2 describe-images --region us-east-1 --output table \
   --owners 309956199498 \
   --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
   --filters "Name=name,Values=RHEL-8.*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter rhel-8- \
+  --project rhel-cloud
 ```
 
 ### RHEL 9
@@ -195,6 +236,27 @@ aws ec2 describe-images --region us-east-1 --output table \
   --owners 309956199498 \
   --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
   --filters "Name=name,Values=RHEL-9.*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter rhel-9- \
+  --project rhel-cloud
+```
+
+### RHEL 10
+
+RHEL 10 is based on Kernel version **6.12** which fixes all the known major Kernel bugs.
+
+Available images can be listed using:
+
+```bash
+aws ec2 describe-images --region us-east-1 --output table \
+  --owners 309956199498 \
+  --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
+  --filters "Name=name,Values=RHEL-10.*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter rhel-10- \
+  --project rhel-cloud
 ```
 
 ### Rocky 8
@@ -208,6 +270,10 @@ aws ec2 describe-images --region us-east-1 --output table \
   --owners 792107900819 \
   --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
   --filters "Name=name,Values=Rocky-8-ec2-8.*.*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter rocky-linux-8-optimized-gcp-v \
+  --project rocky-linux-cloud
 ```
 
 ### Rocky 9
@@ -221,8 +287,29 @@ aws ec2 describe-images --region us-east-1 --output table \
   --owners 792107900819 \
   --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
   --filters "Name=name,Values=Rocky-9-EC2-Base-9.*.*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter rocky-linux-9-optimized-gcp-v \
+  --project rocky-linux-cloud
 ```
 
+### Rocky 10
+
+Rocky Linux 10 is based on Kernel version **6.12**.
+
+Available images can be listed using:
+
+```bash
+aws ec2 describe-images --region us-east-1 --output table \
+  --owners 792107900819 \
+  --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
+  --filters "Name=name,Values=Rocky-10-EC2-Base-10.*.*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter rocky-linux-10-optimized-gcp-v \
+  --project rocky-linux-cloud
+
+```
 
 ### Ubuntu 20.04 (Focal)
 
@@ -236,9 +323,10 @@ aws ec2 describe-images --region us-east-1 --output table \
   --owners 099720109477 \
   --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
   --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-focal-20.04-*-*"
-  
+
 # Google Cloud Platform (GCP)
-gcloud compute images list --filter ubuntu-2004-focal-v
+gcloud compute images list --filter ubuntu-2004-focal-v \
+  --project ubuntu-os-cloud
 
 # Microsoft Azure
 az vm image list --all --output table \
@@ -259,7 +347,8 @@ aws ec2 describe-images --region us-east-1 --output table \
   --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-*-*"
 
 # Google Cloud Platform (GCP)
-gcloud compute images list --filter ubuntu-2204-jammy-v
+gcloud compute images list --filter ubuntu-2204-jammy-v \
+  --project ubuntu-os-cloud
 
 # Microsoft Azure
 az vm image list --all --output table \
@@ -278,15 +367,23 @@ aws ec2 describe-images --region us-east-1 --output table \
   --owners 099720109477 \
   --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
   --filters "Name=name,Values=ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-*-*"
+
+# Google Cloud Platform (GCP)
+gcloud compute images list --filter ubuntu-2204-jammy-v \
+  --project ubuntu-os-cloud
+
+# Microsoft Azure
+az vm image list --all --output table \
+  --publisher Canonical --offer 0001-com-ubuntu-server-jammy --sku 22_04-lts-gen2
 ```
 
 ## Owner aliases
 
 kOps supports owner aliases for the official accounts of supported distros:
 
-* `amazon` => `137112412989`
-* `debian10` => `136693071363`
-* `debian11` => `136693071363`
-* `flatcar` => `075585003325`
-* `redhat` => `309956199498`
-* `ubuntu` => `099720109477`
+- `amazon` => `137112412989`
+- `debian` => `136693071363`
+- `flatcar` => `075585003325`
+- `redhat` => `309956199498`
+- `ubuntu` => `099720109477`
+- `rocky` => `792107900819`

nodeup/pkg/model/packages.go

@@ -55,11 +55,16 @@ func (b *PackagesBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 	} else if b.Distribution.IsRHELFamily() {
 		// From containerd: https://github.com/containerd/cri/blob/master/contrib/ansible/tasks/bootstrap_centos.yaml
 		c.AddTask(&nodetasks.Package{Name: "conntrack-tools"})
-		if b.Distribution == distributions.DistributionAmazonLinux2023 {
+		// RHEL 10+ doesn't support iptables anymore
+		switch b.Distribution {
+		case distributions.DistributionAmazonLinux2023:
 			// install iptables-nft in al2023 (NOT the iptables-legacy!)
 			c.AddTask(&nodetasks.Package{Name: "iptables-nft"})
-		} else {
+		case distributions.DistributionRhel8, distributions.DistributionRhel9,
+			distributions.DistributionRocky8, distributions.DistributionAmazonLinux2:
 			c.AddTask(&nodetasks.Package{Name: "iptables"})
+		default:
+			c.AddTask(&nodetasks.Package{Name: "nftables"})
 		}
 		c.AddTask(&nodetasks.Package{Name: "libseccomp"})
 		c.AddTask(&nodetasks.Package{Name: "libtool-ltdl"})

pkg/model/components/gcpcloudcontrollermanager.go

@@ -71,10 +71,9 @@ func (b *GCPCloudControllerManagerOptionsBuilder) BuildOptions(cluster *kops.Clu
 	}
 
 	if ccmConfig.Image == "" {
-		// TODO: Implement CCM image publishing
 		switch b.ControlPlaneKubernetesVersion().Minor() {
 		default:
-			ccmConfig.Image = "registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1"
+			ccmConfig.Image = "registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0"
 		}
 	}
 

tests/integration/update_cluster/ha_gce/data/aws_s3_object_cluster-completed.spec_content

@@ -23,7 +23,7 @@ spec:
     clusterName: ha-gce-example-com
     controllers:
     - '*'
-    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
     leaderElection:
       leaderElect: true
   cloudProvider: gce

tests/integration/update_cluster/ha_gce/data/aws_s3_object_ha-gce.example.com-addons-bootstrap_content

@@ -54,7 +54,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.23
     manifest: gcp-cloud-controller.addons.k8s.io/k8s-1.23.yaml
-    manifestHash: d05688c98128f6bb7361a931705fc2a64f535d010c8c11f0d6177c9aa7ae16f9
+    manifestHash: 9e82a18eb446294f009d209d8f8a0903b1fe789b4cf1c4754142469d355a1687
     name: gcp-cloud-controller.addons.k8s.io
     prune:
       kinds:

tests/integration/update_cluster/ha_gce/data/aws_s3_object_ha-gce.example.com-addons-gcp-cloud-controller.addons.k8s.io-k8s-1.23_content

@@ -44,7 +44,7 @@ spec:
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
-        image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+        image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3

tests/integration/update_cluster/many-addons-gce/data/aws_s3_object_cluster-completed.spec_content

@@ -24,7 +24,7 @@ spec:
     clusterName: minimal-example-com
     controllers:
     - '*'
-    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
     leaderElection:
       leaderElect: true
   cloudProvider: gce

tests/integration/update_cluster/many-addons-gce/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -125,7 +125,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.23
     manifest: gcp-cloud-controller.addons.k8s.io/k8s-1.23.yaml
-    manifestHash: 2778517c19f2247cead060bfa7e3c34027d4611b202e8365d552248b89a552cb
+    manifestHash: edfe9c3eb5ae99cb2622968999c435d3a67152b3c0245754127a728a09c7446c
     name: gcp-cloud-controller.addons.k8s.io
     prune:
       kinds:

tests/integration/update_cluster/many-addons-gce/data/aws_s3_object_minimal.example.com-addons-gcp-cloud-controller.addons.k8s.io-k8s-1.23_content

@@ -44,7 +44,7 @@ spec:
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
-        image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+        image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3

tests/integration/update_cluster/minimal_gce/data/aws_s3_object_cluster-completed.spec_content

@@ -23,7 +23,7 @@ spec:
     clusterName: minimal-gce-example-com
     controllers:
     - '*'
-    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
     leaderElection:
       leaderElect: true
   cloudProvider: gce

tests/integration/update_cluster/minimal_gce/data/aws_s3_object_minimal-gce.example.com-addons-bootstrap_content

@@ -54,7 +54,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.23
     manifest: gcp-cloud-controller.addons.k8s.io/k8s-1.23.yaml
-    manifestHash: dd48ce99e79111f6fa61e057cc3740b802c63e5fee4af1cd55b39fe1651298c6
+    manifestHash: 8bc52ae1d41caceb2ca8dd61d99700f5d01d6f7ffb27c97c486fbb9d700378e9
     name: gcp-cloud-controller.addons.k8s.io
     prune:
       kinds:

tests/integration/update_cluster/minimal_gce/data/aws_s3_object_minimal-gce.example.com-addons-gcp-cloud-controller.addons.k8s.io-k8s-1.23_content

@@ -44,7 +44,7 @@ spec:
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
-        image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+        image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3

tests/integration/update_cluster/minimal_gce_dns-none/data/aws_s3_object_cluster-completed.spec_content

@@ -26,7 +26,7 @@ spec:
     clusterName: minimal-gce-example-com
     controllers:
     - '*'
-    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
     leaderElection:
       leaderElect: true
   cloudProvider: gce

tests/integration/update_cluster/minimal_gce_dns-none/data/aws_s3_object_minimal-gce.example.com-addons-bootstrap_content

@@ -47,7 +47,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.23
     manifest: gcp-cloud-controller.addons.k8s.io/k8s-1.23.yaml
-    manifestHash: dd48ce99e79111f6fa61e057cc3740b802c63e5fee4af1cd55b39fe1651298c6
+    manifestHash: 8bc52ae1d41caceb2ca8dd61d99700f5d01d6f7ffb27c97c486fbb9d700378e9
     name: gcp-cloud-controller.addons.k8s.io
     prune:
       kinds:

tests/integration/update_cluster/minimal_gce_dns-none/data/aws_s3_object_minimal-gce.example.com-addons-gcp-cloud-controller.addons.k8s.io-k8s-1.23_content

@@ -44,7 +44,7 @@ spec:
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
-        image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+        image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3

tests/integration/update_cluster/minimal_gce_ilb/data/aws_s3_object_cluster-completed.spec_content

@@ -27,7 +27,7 @@ spec:
     clusterName: minimal-gce-ilb-example-com
     controllers:
     - '*'
-    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v33.1.1
+    image: registry.k8s.io/cloud-provider-gcp/cloud-controller-manager:v34.2.0
     leaderElection:
       leaderElect: true
   cloudProvider: gce

tests/integration/update_cluster/minimal_gce_ilb/data/aws_s3_object_minimal-gce-ilb.example.com-addons-bootstrap_content

@@ -54,7 +54,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.23
     manifest: gcp-cloud-controller.addons.k8s.io/k8s-1.23.yaml
-    manifestHash: befa575c858bc6c278ce42d4cdba1353a54be025a22af21f796ddb710079e9ba
+    manifestHash: 1aac11efeafb217c65bd3a79c657168a412c489c30ed7595b4cf2b338357d635
     name: gcp-cloud-controller.addons.k8s.io
     prune:
       kinds: