[CKS] script to generate cks images with cilium as default CNI

[ewerton-silva00]

…a default CNI

Description

This PR fixes #9304.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

The script in question generates CloudStack Kubernetes Service (CKS) images using Cilium as the default CNI.

Additionally, the other components are up-to-date.

You can also use ready-made images from my repository.. See: https://download.suanuvem.io/cks/

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
Here are some useful points:

• In case of a new feature add useful documentation (raise doc PR at https://github.com/apache/cloudstack-documentation)
• Be patient and persistent. It might take some time to get a review or get the final approval from the committers.
• Pay attention to the quality of your code, ensure tests are passing and your PR doesn't have conflicts.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Issues, Mailing list and Slack.
• Be sure to read the CloudStack Coding Conventions.
  Apache CloudStack is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@cloudstack.apache.org (https://cloudstack.apache.org/mailing-lists.html)
  Slack: https://apachecloudstack.slack.com/

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 17.94%. Comparing base (d3e1976) to head (9362ba8).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #12619      +/-   ##
============================================
+ Coverage     17.90%   17.94%   +0.04%     
- Complexity    16094    16165      +71     
============================================
  Files          5938     5939       +1     
  Lines        532864   533015     +151     
  Branches      65192    65218      +26     
============================================
+ Hits          95392    95649     +257     
+ Misses       426793   426638     -155     
- Partials      10679    10728      +49     

Flag	Coverage Δ
uitests	3.67% <ø> (-0.01%)	⬇️
unittests	19.05% <ø> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 16769

[Copilot]

Pull request overview

Adds a new utility script to generate CloudStack Kubernetes Service (CKS) “binaries ISO” images that bundle Kubernetes components plus manifests/images needed to run with Cilium as the default CNI, addressing the requested Cilium support in #9304.

Changes:

• Introduces create-kubernetes-binaries-iso-with-cilium.sh to build an ISO with Kubernetes binaries, CNI/crictl, addons/manifests, and pre-pulled container images.
• Generates the Cilium manifest via Helm with a set of default Cilium configuration values.
• Updates image collection/pulling logic to include images referenced by generated Cilium and Dashboard manifests.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

RedHat install path downloads a container-selinux RPM from a CentOS 7 x86_64 URL. This will fail (and possibly install an incompatible package) on aarch64/arm64, even though the script advertises arm support. Consider selecting the correct arch/repo or using distro-provided packages/repos instead of a hard-coded x86_64 RPM URL.

[shwstppr]

@ewerton-silva00 can you please check comments from Copilot and look into failing pre-commit GHA?

[ewerton-silva00]

@shwstppr, yes.

I am reviewing the points reported by Copilot.

I will make the necessary adjustments, test, and submit the changes.

[ewerton-silva00]

@shwstppr and @DaanHoogland, could you please review this Pull Request again?

[DaanHoogland]

Suggested change

	mkisofs -o "${output_dir}/${build_name}" -J -R -l "${iso_dir}"
	mkisofs -o "${output_dir}/${build_name}" -J -R -l "${iso_dir}"

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The curl | sed > file pipelines can silently succeed even if curl fails (because the pipeline exit status is from sed unless pipefail is set). With set -e alone, this can leave empty/partial kubelet.service (and similarly 10-kubeadm.conf) in the ISO without failing the script. Consider enabling set -o pipefail and/or avoiding pipelines by downloading to a temp file and transforming it after a successful curl --fail.

[Copilot]

The Kubernetes version comparison echo "${2} $VAL" | awk '{print ($1 < $2)}' is not a reliable semver comparison (e.g., 1.9.0 is treated as 1.9 and compares as greater than 1.18.0). This can select the wrong source for kubelet.service/10-kubeadm.conf. Use a version-aware compare (e.g., sort -V, dpkg --compare-versions, or parsing major/minor/patch) instead of numeric awk.

[Copilot]

helm repo add ... || true suppresses failures (e.g., network/DNS issues), which can turn an actionable error into a later, less-clear failure during helm template. It’s better to either let helm repo add fail normally or only ignore the specific “already exists” case (e.g., by checking helm repo list).

Suggested change

	helm repo add cilium https://helm.cilium.io/ > /dev/null 2>&1 || true
	# Add the Cilium Helm repository only if it is not already configured
	if ! helm repo list 2>/dev/null | awk 'NR>1 {print $1}' | grep -qx "cilium"; then
	helm repo add cilium https://helm.cilium.io/ > /dev/null 2>&1
	fi

[Copilot]

This curl -sS -L download won’t fail the script on HTTP errors (e.g., 404/500) because --fail isn’t used; the ISO could be generated with an HTML error page instead of the etcd tarball. Add --fail/--fail-with-body (and optionally validate the archive) so the script reliably stops on download problems.

Suggested change

	curl -sS -L "https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${ARCH}.tar.gz" -o "${etcd_dir}/etcd-linux-${ARCH}.tar.gz"
	curl -sS -L --fail "https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${ARCH}.tar.gz" -o "${etcd_dir}/etcd-linux-${ARCH}.tar.gz"
	# Validate that the downloaded etcd archive is a valid tar.gz
	if ! tar -tzf "${etcd_dir}/etcd-linux-${ARCH}.tar.gz" > /dev/null; then
	echo "ERROR: Downloaded etcd archive is invalid or corrupted."
	exit 1
	fi

[Copilot]

The ARCH validation error message is inconsistent with the accepted values. The script accepts amd64/arm64 as aliases, but the error only mentions x86_64/aarch64, which can confuse users troubleshooting invalid input. Update the message (and/or the usage text) to reflect all accepted values.

Suggested change

	echo "ERROR: ARCH must be 'x86_64' or 'aarch64'."
	echo "ERROR: ARCH must be one of: x86_64, amd64, aarch64, or arm64."

[Copilot]

These curl calls fetch kubelet.service and 10-kubeadm.conf directly from the shapeblue GitHub repository main branch at ISO build time and embed them as systemd unit/config files that will later be executed with root privileges. Because they are pinned only to a mutable branch and no checksum or signature verification is performed, a compromise of that repository (or its branch) would silently inject arbitrary code into all clusters built with this script. To reduce supply-chain risk, vendor these files into this repository or pin them to immutable commits/tags and validate their integrity before packaging them into the ISO.