rke2: update and release packages by official release channels (#315599)

# RKE2 Version

RKE2, Kubernetes, and other clustered software has the property of not being able to update atomically. Most software in nixpkgs, like for example bash, can be updated as part of a `nixos-rebuild switch` without having to worry about the old and the new bash interacting in some way.

> [!NOTE]

> Upgrade the server nodes first, one at a time. Once all servers have been upgraded, you may then upgrade agent nodes.

## Release Channels

RKE2 has there own release channels, which are: `stable`, `latest` and `testing`.

The `stable` channel is the default channel and is recommended for production use. The `latest` channel is the latest stable release. The `testing` channel is the latest release, including pre-releases.

| Channel   | Description                                                                                                                                                                                    |

| --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

| `stable`  | **(Default)** Stable is recommended for production environments. These releases have been through a period of community hardening, and are compatible with the most recent release of Rancher. |

| `latest`  | Latest is recommended for trying out the latest features. These releases have not yet been through a period of community hardening, and may not be compatible with Rancher.                    |

| `testing` | The most recent release, including pre-releases.                                                                                                                                               |

Learn more about the [RKE2 release channels](https://docs.rke2.io/upgrade/manual_upgrade).

For an exhaustive and up-to-date list of channels, you can visit the [rke2 channel service API](https://update.rke2.io/v1-release/channels). For more technical details on how channels work, you can see the [channelserver project](https://github.com/rancher/channelserver).

> [!TIP]

> When attempting to upgrade to a new version of RKE2, the [Kubernetes version skew policy](https://kubernetes.io/docs/setup/release/version-skew-policy) applies. Ensure that your plan does not skip intermediate minor versions when upgrading. Nothing in the upgrade process will protect against unsupported changes to the Kubernetes version.

lib: { rke2Version, rke2RepoSha256, rke2VendorHash, updateScript

, rke2Commit, k8sImageTag, etcdVersion, pauseVersion, ccmVersion, dockerizedVersion, ... }:

{ lib, stdenv, buildGoModule, go, fetchgit, makeWrapper

# Runtime dependencies

, procps, coreutils, util-linux, ethtool, socat, iptables, bridge-utils, iproute2, kmod, lvm2

# Testing dependencies

, nixosTests, testers, rke2

}:

buildGoModule rec {

  pname = "rke2";

  version = rke2Version;

  src = fetchgit {

    url = "https://github.com/rancher/rke2.git";

    rev = "v${version}";

    sha256 = rke2RepoSha256;

  };

  vendorHash = rke2VendorHash;

  nativeBuildInputs = [ makeWrapper ];

  # Important utilities used by the kubelet.

  # See: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494

  # Notice the list in that issue is stale, but as a redundancy reservation.

  buildInputs = [

    procps # pidof pkill

    coreutils # uname touch env nice du

    util-linux # lsblk fsck mkfs nsenter mount umount

    ethtool # ethtool

    socat # socat

    iptables # iptables iptables-restore iptables-save

    bridge-utils # brctl

    iproute2 # ip tc

    kmod # modprobe

    lvm2 # dmsetup

  ];

  # See: https://github.com/rancher/rke2/blob/e7f87c6dd56fdd76a7dab58900aeea8946b2c008/scripts/build-binary#L27-L38

  ldflags = [

    "-w"

    "-X github.com/k3s-io/k3s/pkg/version.GitCommit=${lib.substring 0 6 rke2Commit}"

    "-X github.com/k3s-io/k3s/pkg/version.Program=${pname}"

    "-X github.com/k3s-io/k3s/pkg/version.Version=v${version}"

    "-X github.com/k3s-io/k3s/pkg/version.UpstreamGolang=go${go.version}"

    "-X github.com/rancher/rke2/pkg/images.DefaultRegistry=docker.io"

    "-X github.com/rancher/rke2/pkg/images.DefaultEtcdImage=rancher/hardened-etcd:${etcdVersion}-build20240418"

    "-X github.com/rancher/rke2/pkg/images.DefaultKubernetesImage=rancher/hardened-kubernetes:${k8sImageTag}"

    "-X github.com/rancher/rke2/pkg/images.DefaultPauseImage=rancher/mirrored-pause:${pauseVersion}"

    "-X github.com/rancher/rke2/pkg/images.DefaultRuntimeImage=rancher/rke2-runtime:${dockerizedVersion}"

    "-X github.com/rancher/rke2/pkg/images.DefaultCloudControllerManagerImage=rancher/rke2-cloud-provider:${ccmVersion}"

  ];

  tags = [

    "no_cri_dockerd"

    "no_embedded_executor"

    "no_stage"

    "sqlite_omit_load_extension"

    "selinux"

    "netgo"

    "osusergo"

  ];

  subPackages = [ "." ];

  installPhase = ''

    install -D $GOPATH/bin/rke2 $out/bin/rke2

    wrapProgram $out/bin/rke2 \

      --prefix PATH : ${lib.makeBinPath buildInputs}

  '';

  doCheck = false;

  passthru.updateScript = updateScript;

  passthru.tests = {

    version = testers.testVersion {

      package = rke2;

      version = "v${version}";

    };

  } // lib.optionalAttrs stdenv.isLinux {

    inherit (nixosTests) rke2;

  };

  meta = with lib; {

    homepage = "https://github.com/rancher/rke2";

    description = "RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution.";

    changelog = "https://github.com/rancher/rke2/releases/tag/v${version}";

    license = licenses.asl20;

    maintainers = with maintainers; [ zimbatm zygot ];

    mainProgram = "rke2";

    platforms = platforms.linux;

  };

}

{ lib, stdenv, buildGoModule, fetchFromGitHub, makeWrapper, nix-update-script

# Runtime dependencies

, procps, coreutils, util-linux, ethtool, socat, iptables, bridge-utils, iproute2, kmod, lvm2

# Testing dependencies

, nixosTests, testers, rke2

}:

buildGoModule rec {

  pname = "rke2";

  version = "1.29.0+rke2r1";

  src = fetchFromGitHub {

    owner = "rancher";

    repo = pname;

    rev = "v${version}";

    hash = "sha256-E59GUcbnbvsGZYn87RGNrGTVUsydKsjL+C5h15q74p0=";

  };

  vendorHash = "sha256-Og0CqxNnhRN6PdggneGK05uprZ2D7lux/snXcArIm8Q=";

  postPatch = ''

    # Patch the build scripts so they work in the Nix build environment.

    patchShebangs ./scripts

    # Disable the static build as it breaks.

    sed -e 's/STATIC_FLAGS=.*/STATIC_FLAGS=/g' -i scripts/build-binary

  '';

  nativeBuildInputs = [ makeWrapper ];

  # Important utilities used by the kubelet.

  # See: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494

  # Notice the list in that issue is stale, but as a redundancy reservation.

  buildInputs = [

    procps # pidof pkill

    coreutils # uname touch env nice du

    util-linux # lsblk fsck mkfs nsenter mount umount

    ethtool # ethtool

    socat # socat

    iptables # iptables iptables-restore iptables-save

    bridge-utils # brctl

    iproute2 # ip tc

    kmod # modprobe

    lvm2 # dmsetup

  ];

  buildPhase = ''

    DRONE_TAG="v${version}" ./scripts/build-binary

  '';

  installPhase = ''

    install -D ./bin/rke2 $out/bin/rke2

    wrapProgram $out/bin/rke2 \

      --prefix PATH : ${lib.makeBinPath buildInputs}

  '';

  passthru.updateScript = nix-update-script { };

  passthru.tests = {

    version = testers.testVersion {

      package = rke2;

      version = "v${version}";

    };

  } // lib.optionalAttrs stdenv.isLinux {

    inherit (nixosTests) rke2;

  };

  meta = with lib; {

    homepage = "https://github.com/rancher/rke2";

    description = "RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution.";

    changelog = "https://github.com/rancher/rke2/releases/tag/v${version}";

    license = licenses.asl20;

    maintainers = with maintainers; [ zimbatm zygot ];

    mainProgram = "rke2";

    platforms = platforms.linux;

  };

{ lib, callPackage, ... }@args:

let

  common = opts: callPackage (import ./builder.nix lib opts);

  extraArgs = builtins.removeAttrs args [ "callPackage" ];

in

{

  rke2_stable = common ((import ./stable/versions.nix) // {

    updateScript = [ ./update-script.sh "stable" ];

  }) extraArgs;

  rke2_latest = common ((import ./latest/versions.nix) // {

    updateScript = [ ./update-script.sh "latest" ];

  }) extraArgs;

  rke2_testing = common ((import ./testing/versions.nix) // {

    updateScript = [ ./update-script.sh "testing" ];

  }) extraArgs;

}

{

  rke2Version = "1.30.1+rke2r1";

  rke2RepoSha256 = "0jrvvpj9fnlbykyr06w1f92ay708xzaizg8dhg1z4bsq1cdgs33k";

  rke2Commit = "e7f87c6dd56fdd76a7dab58900aeea8946b2c008";

  rke2VendorHash = "sha256-QqV8mSbqa8A5zABHQoVB2jht/eYCoqTZ/WoAqIl9oZY=";

  k8sVersion = "v1.30.1";

  k8sImageTag = "v1.30.1-rke2r1-build20240515";

  etcdVersion = "v3.5.9-k3s1";

  pauseVersion = "3.6";

  ccmVersion = "v1.29.3-build20240412";

  dockerizedVersion = "v1.30.1-rke2r1";

  golangVersion = "go1.22.2";

  eol = "2025-06-28";

}

{

  rke2Version = "1.28.10+rke2r1";

  rke2RepoSha256 = "1pbanikvrl6rqrplrpvjc9ym8qq1yrs621gwy99shp0prfw5zvsx";

  rke2Commit = "b0d0d687d98f4fa015e7b30aaf2807b50edcc5d7";

  rke2VendorHash = "sha256-iidkTSrrHyW5ZEouzHAWUwCC9nplGz1v/E9bM2lMPeM=";

  k8sVersion = "v1.28.10";

  k8sImageTag = "v1.28.10-rke2r1-build20240514";

  etcdVersion = "v3.5.9-k3s1";

  pauseVersion = "3.6";

  ccmVersion = "v1.29.3-build20240412";

  dockerizedVersion = "v1.28.10-rke2r1";

  golangVersion = "go1.21.9";

  eol = "2024-10-28";

}