Bump overall dependencies

[pjbgf]

Summary of changes:

• Bump go dependencies and update vendored files.
• Bump dapper version on drone to v0.6.0.
• Nginx updated to v1.24.0.
• Kubectl updated to v1.24.15.
• Deprecate use of rancher/plugins in favour of the upstream latest version.
• Deprecate use of rancher/docker in favour of the upstream latest version.

[superseb]

vendor folder should be dropped entirely at this point, other repositories have dropped that a long time ago.

[pjbgf]

@superseb thank you for the review. Given the size of the PR and the moving parts, do you think those changes can be tackled as a follow-up PR, or should I just add to this?

[pjbgf]

@superseb removed Go mod vendoring. PTAL

[kinarashah]

@pjbgf Do you have an ETA for when Seb's review comments will be addressed? We need a new tag with cri-dockerd bump for v1.26, so I could cherry-pick your commit and update remaining deps if you're busy. Thanks!

[pjbgf]

All the changes were made, @superseb @kinarashah. PTAL

[superseb]

Why deviate from the default binary install like in every other project? Based on their own docs, go get/go install is discouraged (https://golangci-lint.run/usage/install/#install-from-source). This also blocks auto updating because it doesn't match our generic rules.

[pjbgf]

The change was aligned with the current version in master which uses go get.

This has now changed to use upstream's install.sh instead.

[superseb]

Was this tested to be compatible with the oldest Docker we support?

[pjbgf]

I am not completely sure what version we do support, but generally that is defined via DOCKER_API_VERSION, which we are not setting in this project apart from the entrypoint.sh. What API version is this project meant to support?

@kinarashah can you please help testing this?

[superseb]

You can override the rke-tools image to test using the system_images option in cluster.yml (CLI only)

Basically comes down to API support for the versions we do support (see support matrix)

[pjbgf]

Aligned this with support matrix, and bumped to latest patch: 20.10.25.

[superseb]

I'm fine with 23.0.3 as long as its API compatible with the versions we support. But in the PR I am viewing it still says 23.0.3 while you say you bumped it to 20.10.25

[pjbgf]

Nice spot, that is now fixed as well.

[pjbgf]

I kept the docker within the 20.x series as that is aligned with other projects and our support matrix.

The choice of 20.10.24 over 20.10.25, was due to although the project has a tag for 20.10.25, it does not have the artefacts published for them.

[superseb]

One final question is if we are going for Go 1.20 in 2.7 Q2 release as we are moving to k8s 1.26 which is 1.19, do we want to keep that version across the board or is it up to the teams?

[kpsingh219]

Is it possible to know when this will be merged ?

[pjbgf]

@kpsingh219 I am not entirely sure. It will largely dependent on reviews and testing.

[pjbgf]

One final question is if we are going for Go 1.20 in 2.7 Q2 release as we are moving to k8s 1.26 which is 1.19, do we want to keep that version across the board or is it up to the teams?

I think the main constraint is running supported version only. Apart from that, I would assume that's up to the teams/projects.

[macedogm]

Approving from a pure security perspective regarding the bumps. We still need @kinarashah's review and probably tag someone from QA to test all the pieces together.

[superseb]

I guess this is a nit, but naming it more specifically allows us to put this automated bump in Renovate with a more descriptive variable (for example CNI_PLUGINS_VERSION instead of PLUGINS_VERSION)

[pjbgf]

Good shout, amended it accordingly.

[manuelbuil]

Note that CNI plugins v0.9.1 included flannel binary but v1.2.0 does not include it. Flannel has its own repo now: https://github.com/flannel-io/cni-plugin

[pjbgf]

@manuelbuil thank you for pointing that out, that should be fixed now. PTAL

I noticed that all the plugins are being kept on /tmp and only a few are copied over to /opt/cni/bin. At no point flannel is copied over (as far as I can see), is that intentional?

[manuelbuil]

@manuelbuil thank you for pointing that out, that should be fixed now. PTAL

I noticed that all the plugins are being kept on /tmp and only a few are copied over to /opt/cni/bin. At no point flannel is copied over (as far as I can see), is that intentional?

You are pointing to weave script which is another CNI plugin. All plugins should go into /opt/cni/bin but I think the code that adds that plugin to rke is the one responsible to copy those binaries

[pjbgf]

You are pointing to weave script which is another CNI plugin.

@manuelbuil That was intentional, as that was I trying to highlight the current version on master. All plugins are copied into /tmp and not to /opt/cni/bin. Within the code base the only copy across to the latter directory is via the weave cni script.

As per latest tag published 3 months ago:

[pjbgf]

Following up from off-line chat with @manuelbuil, we will keep binaries as per current public image. If necessary, a future PR will move things around.

I added a test to verify all binaries being packaged up are in place and are valid for the target architecture.

[pjbgf]

The build is failing as confd is not a valid arm64 binary. Ideally we would fix that (rancher/confd#8) and bump the version. The good news is that the tests work.

[pjbgf]

PR rebased.

[doflamingo721]

Changes looks good to me.

[superseb]

@pjbgf please create an issue which can be used to QA this PR