getditto · sl1pm4t · Oct 3, 2025 · Oct 2, 2025 · Aug 25, 2025 · Oct 2, 2025
diff --git a/.github/workflows/image-ami-builds.yaml b/.github/workflows/image-ami-builds.yaml
@@ -11,10 +11,7 @@ on:
       k8s_version:
         description: "Specify the Kubernetes version"
         required: false
-        default: "1.31.4"
-        options:
-        - "1.31.4"
-        - "1.31.5"
+        default: "1.31.13"
       make_public:
         description: "Include step to make AMIs public. Useful to disable when testing, so we don't pollute our public AMI list or bloat our quota limit."
         type: boolean
@@ -138,7 +135,7 @@ jobs:
       - name: Build Ubuntu AMI
         env:
           AWS_PROFILE: ditto-prod-primary
-          K8S_VERSION: ${{ github.event.inputs.k8s_version || '1.31.4' }}
+          K8S_VERSION: ${{ github.event.inputs.k8s_version }}
         run: |
           AWS_REGION=${{ env.AWS_REGION }} \
           ./images/capi/update_k8s_version.sh && \
@@ -151,9 +148,13 @@ jobs:
         run: |
 
   build-aws-flatcar-ami:
-    name: Build and Publish Flatcar AMI
+    name: Build and Publish Flatcar AMI (${{ matrix.arch }})
     runs-on: ubuntu-latest
     if: ${{ github.event.inputs.build_target == 'all' || github.event.inputs.build_target == 'flatcar-only' || github.event.inputs.build_target == '' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [amd64, arm64]
     env:
       CLOUD: "aws"
       FLATCAR_CHANNEL: "stable"
@@ -187,11 +188,15 @@ jobs:
       - name: Build Flatcar AMI
         env:
           AWS_PROFILE: ditto-prod-primary
-          K8S_VERSION: ${{ github.event.inputs.k8s_version || '1.31.4' }}
+          K8S_VERSION: ${{ github.event.inputs.k8s_version }}
           TARGET_OS: flatcar
         run: |
           ./images/capi/update_k8s_version.sh && \
-          make build-ami-flatcar
+          if [ "${{ matrix.arch }}" = "amd64" ]; then
+            make build-ami-flatcar
+          else
+            make build-ami-flatcar-${{ matrix.arch }}
+          fi
 
       - name: Make Flatcar AMI Public
         if: ${{ github.event.inputs.make_public == 'true' }}
@@ -237,7 +242,7 @@ jobs:
 
       - name: Build Ubuntu GCP Images
         env:
-          K8S_VERSION: ${{ github.event.inputs.k8s_version || '1.31.4' }}
+          K8S_VERSION: ${{ github.event.inputs.k8s_version }}
           PKR_VAR_google_access_token: "${{ steps.gcp-auth.outputs.access_token }}"
         run: |
           ./images/capi/update_k8s_version.sh && \

diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .vscode/
 .idea/
 .venv/
+.envrc
diff --git a/images/capi/ansible/roles/node/tasks/main.yml b/images/capi/ansible/roles/node/tasks/main.yml
@@ -89,21 +89,12 @@
 
 - name: Configure auditd rules for containerd
   ansible.builtin.copy:
-    src: etc/audit/rules.d/containerd.rules
+    src: "etc/audit/rules.d/containerd.rules{{ '-flatcar' if ansible_os_family == 'Flatcar' else '' }}"
     dest: /etc/audit/rules.d/containerd.rules
     owner: root
     group: root
     mode: "0644"
-  when: ansible_os_family != "Flatcar" and enable_containerd_audit
-
-- name: Configure auditd rules for containerd (Flatcar)
-  ansible.builtin.copy:
-    src: etc/audit/rules.d/containerd.rules-flatcar
-    dest: /etc/audit/rules.d/containerd.rules
-    owner: root
-    group: root
-    mode: "0644"
-  when: ansible_os_family == "Flatcar" and enable_containerd_audit
+  when: enable_containerd_audit|default(false)|bool
 
 - name: Ensure reverse packet filtering is set as strict
   ansible.posix.sysctl:

diff --git a/images/capi/ansible/roles/python/defaults/main.yml b/images/capi/ansible/roles/python/defaults/main.yml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 ---
-pypy_python_version: "3.6"
-pypy_version: 7.2.0
+pypy_python_version: "3.9"
+pypy_version: 7.3.16
 pypy_download_path: /tmp/pypy.tar.bz2
 pypy_install_path: /opt
diff --git a/images/capi/ansible/roles/python/tasks/flatcar.yml b/images/capi/ansible/roles/python/tasks/flatcar.yml
@@ -20,14 +20,14 @@
   when:
     - pypy_installed.stdout_lines[0] == "false"
   vars:
-    pypy_url_base: https://github.com/squeaky-pl/portable-pypy/releases/download/pypy{{ pypy_python_version }}-{{ pypy_version }}
-    pypy_url_path: pypy{{ pypy_python_version }}-{{ pypy_version }}-linux_x86_64-portable.tar.bz2
+    pypy_url_base: https://downloads.python.org/pypy
+    pypy_url_path: pypy{{ pypy_python_version }}-v{{ pypy_version }}-linux64.tar.bz2
   block:
     - name: Download pypy archive
       ansible.builtin.raw: curl {{ pypy_url_base }}/{{ pypy_url_path }} -L --output {{ pypy_download_path }}
     - name: Extract archive
       ansible.builtin.raw: tar -xjf {{ pypy_download_path }} -C {{ pypy_install_path }}
     - name: Rename pypy folder
-      ansible.builtin.raw: mv {{ pypy_install_path }}/pypy{{ pypy_python_version }}-{{ pypy_version }}-linux_x86_64-portable/ {{ pypy_install_path }}/pypy
+      ansible.builtin.raw: mv {{ pypy_install_path }}/pypy{{ pypy_python_version }}-v{{ pypy_version }}-linux64/ {{ pypy_install_path }}/pypy
     - name: Delete downloaded archive
       ansible.builtin.raw: rm -f {{ pypy_download_path }}
diff --git a/images/capi/ansible/roles/sysprep/tasks/debian.yml b/images/capi/ansible/roles/sysprep/tasks/debian.yml
@@ -30,7 +30,9 @@
     path: /etc/apt/sources.list.d/{{ item | basename }}
     state: absent
   loop: "{{ extra_repos.split() }}"
-  when: remove_extra_repos and extra_repos != ""
+  when:
+    - remove_extra_repos|default(false)|bool
+    - extra_repos != ""
 
 - name: Find disabled repo files
   ansible.builtin.find:

diff --git a/images/capi/ansible/roles/sysprep/tasks/main.yml b/images/capi/ansible/roles/sysprep/tasks/main.yml
@@ -37,7 +37,9 @@
   ansible.builtin.file:
     path: /etc/pip.conf
     state: absent
-  when: remove_extra_repos and pip_conf_file != ""
+  when:
+    - remove_extra_repos|default(false)|bool
+    - pip_conf_file != ""
 
 - name: Truncate machine id
   ansible.builtin.file:

diff --git a/images/capi/ansible/roles/sysprep/tasks/rpm_repos.yml b/images/capi/ansible/roles/sysprep/tasks/rpm_repos.yml
@@ -17,7 +17,9 @@
     path: /etc/yum.repos.d/{{ item | basename }}
     state: absent
   loop: "{{ extra_repos.split() }}"
-  when: remove_extra_repos and extra_repos != ""
+  when:
+    - remove_extra_repos|default(false)|bool
+    - extra_repos != ""
 
 - name: Find disabled repo files
   ansible.builtin.find:

diff --git a/images/capi/packer/ami/flatcar-arm64.json b/images/capi/packer/ami/flatcar-arm64.json
@@ -7,6 +7,7 @@
   "arch": "arm64",
   "build_name": "flatcar-{{env `FLATCAR_CHANNEL`}}",
   "builder_instance_type": "t4g.small",
+  "containerd_arch": "arm64",
   "crictl_arch": "arm64",
   "crictl_source_type": "http",
   "distribution": "flatcar",

diff --git a/images/capi/packer/ami/packer.json b/images/capi/packer/ami/packer.json
@@ -204,10 +204,11 @@
     "aws_session_token": "",
     "build_timestamp": "{{timestamp}}",
     "builder_instance_type": "m6a.xlarge",
+    "containerd_arch": "amd64",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_sha256": null,
-    "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
+    "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-{{user `containerd_arch`}}.tar.gz",
     "containerd_version": null,
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,