[1.32] Upgrade select dependencies

[rifelpet]

Patching some CVEs

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[hakman]

/lgtm
/approve

[hakman]

/override tests-e2e-scenarios-bare-metal

[k8s-ci-robot]

@hakman: Overrode contexts on behalf of hakman: tests-e2e-scenarios-bare-metal

In response to this:

/override tests-e2e-scenarios-bare-metal

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[hakman]

/lgtm cancel
@ameukam @justinsb any idea why override fails?

[rifelpet]

@hakman lets try it now

[hakman]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [hakman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hakman]

/override tests-e2e-scenarios-bare-metal

[k8s-ci-robot]

@hakman: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• tests-e2e-scenarios-bare-metal

Only the following failed contexts/checkruns were expected:

• EasyCLA
• build-linux-amd64
• build-linux-arm64
• build-macos-amd64
• build-windows-amd64
• pull-kops-build
• pull-kops-test
• pull-kops-verify-boilerplate
• pull-kops-verify-generated
• pull-kops-verify-govet
• tide
• verify-amd64
• verify-arm64

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

In response to this:

/override tests-e2e-scenarios-bare-metal

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rifelpet]

We might need make to make the e2e bare metal job manually-triggered only instead of ran every time.

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[hakman]

We might need make to make the e2e bare metal job manually-triggered only instead of ran every time.

The odd thing is that it used to work fine to override it...

[hakman]

I am ok with manual for now + on merge

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[rifelpet]

/hold

[rifelpet]

/override e2e/tests-e2e-scenarios-bare-metal

[k8s-ci-robot]

@rifelpet: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e/tests-e2e-scenarios-bare-metal

Only the following failed contexts/checkruns were expected:

• EasyCLA
• build-linux-amd64
• build-linux-arm64
• build-macos-amd64
• build-windows-amd64
• pull-kops-build
• pull-kops-test
• pull-kops-verify-boilerplate
• pull-kops-verify-generated
• pull-kops-verify-govet
• tide
• verify-amd64
• verify-arm64

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

In response to this:

/override e2e/tests-e2e-scenarios-bare-metal

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rifelpet]

For background, this provides a good comparison of the Github Status vs Checks APIs

@hakman @ameukam based on this prow code my only theory is that prow used to use app authentication but now uses a personal access token. The Checks API doesn't support PATs. I'm guessing we need to use the checks API to fix the status on the PR.

In my testing I was able to update the PR's head commit's "status" but it had no effect on the failing check on the PR itself. . The check-run returns a 403 when used with a fine-grained PAT and they can only work with the repos of a single organization or user, so my own account's token wont work on kubernetes/kops.

Status API

echo '{"state": "success", "description": "test from peter", "context": "tests-e2e-scenarios-bare-metal"}' | gh api "repos/kubernetes/kops/statuses/050a8dede17b1688c0b5140d4a95c21cb015590f" --input -

{
  "url": "https://api.github.com/repos/kubernetes/kops/statuses/050a8dede17b1688c0b5140d4a95c21cb015590f",
  "avatar_url": "https://avatars.githubusercontent.com/u/1455650?v=4",
  "id": 35332425941,
  "node_id": "SC_kwDOA7NwS88AAAAIOfoI1Q",
  "state": "success",
  "description": "test from peter",
  "target_url": null,
  "context": "tests-e2e-scenarios-bare-metal",
  "created_at": "2025-04-02T02:51:35Z",
  "updated_at": "2025-04-02T02:51:35Z",
...

Checks API

With a fine-grainted PAT

echo '{"conclusion": "success"}' | gh api -X PATCH "repos/kubernetes/kops/check-runs/39773935476" --input -

{
  "message": "Resource not accessible by personal access token",
  "documentation_url": "https://docs.github.com/rest/checks/runs#update-a-check-run",
  "status": "403"
}

@ameukam do you know if prow's authentication to github has changed in the past year or two? Perhaps related to any sig-k8s-infra migration?

[ameukam]

We didn't change the Oauth config during the migration, IIRC. And I think we still use the classic PAT for prow. It's possible we are dealing some changes with the Check API since the fine-grained tokens are GA.

[rifelpet]

I discovered that the job is failing because the staging etcd-manager image isn't found:

kops/tests/e2e/scenarios/bare-metal/run-test

Line 99 in 298e771

${KOPS} edit cluster metal.k8s.local --set 'spec.etcdClusters[*].manager.image=us-central1-docker.pkg.dev/k8s-staging-images/etcd-manager/etcd-manager-static:latest'

crane manifest us-central1-docker.pkg.dev/k8s-staging-images/etcd-manager/etcd-manager-static:latest

Error: fetching manifest us-central1-docker.pkg.dev/k8s-staging-images/etcd-manager/etcd-manager-static:latest: GET https://us-central1-docker.pkg.dev/v2/k8s-staging-images/etcd-manager/etcd-manager-static/manifests/latest: MANIFEST_UNKNOWN: Failed to fetch "latest"

The repo has a lifecycle setting to delete images after 90 days:

https://console.cloud.google.com/artifacts/docker/k8s-staging-images/us-central1/etcd-manager?invt=AbtuQQ

and the last etcd-manager commit was 4 months ago. I opened this PR just to trigger a new staging build: kubernetes-sigs/etcd-manager#20

[rifelpet]

/hold cancel