2025-08-18 14:47:37 +00:00
24 changed files with 347 additions and 786 deletions
--- a/.earthlyignore
+++ b/.earthlyignore
@ -1 +0,0 @@
-bin/
--- a/.github/workflows/dependabot_auto.yml
+++ b/.github/workflows/dependabot_auto.yml
@ -1,42 +0,0 @@
-name: Dependabot auto-merge
-on:
- pull_request_target
-
-permissions:
-  contents: write
-  pull-requests: write
-  packages: read
-
-jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@v2.4.0
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-          skip-commit-verification: true
-
-      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      - name: Approve a PR if not already approved
-        run: |
-          gh pr checkout "$PR_URL"
-            if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
-          then
-            gh pr review --approve "$PR_URL"
-          else
-            echo "PR already approved.";
-          fi
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-      - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@ -18,15 +18,23 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install Go
-        uses: actions/setup-go@v5
-      - name: Install earthly
-        uses: earthly/actions-setup@v1
+        uses: actions/setup-go@v4
        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          go-version: ^1.20
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_LOGIN }}
+          password: ${{ secrets.DOCKER_PASS }}
+      - name: Install earthly
+        uses: Luet-lab/luet-install-action@v1
+        with:
+          repository: quay.io/kairos/packages
+          packages: utils/earthly
      - name: build iso
        run: |
          # Configure earthly to use the docker mirror in CI
@ -42,7 +50,7 @@ jobs:
          EOF

          earthly -P +iso
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: challenger.iso.zip
          path: |
@ -50,7 +58,7 @@ jobs:
  e2e-tests:
    needs:
      - build-iso
-    runs-on: kvm
+    runs-on: self-hosted
    strategy:
      fail-fast: false
      matrix:
@ -63,17 +71,18 @@ jobs:
          - label: "discoverable-kms"
    steps:
      - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
-      - name: Install earthly
-        uses: earthly/actions-setup@v1
+          go-version: ^1.20
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ secrets.DOCKER_LOGIN }}
+          password: ${{ secrets.DOCKER_PASS }}
      - name: Install deps
        run: |
          curl -L https://github.com/mudler/luet/releases/download/0.33.0/luet-0.33.0-linux-amd64 -o luet
@ -81,9 +90,9 @@ jobs:
          sudo mv luet /usr/bin/luet
          sudo mkdir -p /etc/luet/repos.conf.d/
          sudo luet repo add -y kairos --url quay.io/kairos/packages --type docker
-          LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d
+          LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d utils/earthly
      - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
        with:
          name: challenger.iso.zip
      - name: Run tests
@ -96,13 +105,10 @@ jobs:
          openssl curl gettext ca-certificates curl gnupg lsb-release

          export ISO=$PWD/$(ls *.iso)
-          # update controllers
-          make test
-          # Generate controller image
-          make docker-build
+
          # We run with sudo to be able to access /dev/kvm
-          sudo -E ./scripts/e2e-tests.sh
-      - uses: actions/upload-artifact@v4
+          ./scripts/e2e-tests.sh
+      - uses: actions/upload-artifact@v3
        if: failure()
        with:
          name: ${{ matrix.label }}-test.logs.zip
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@ -1,3 +1,4 @@
+---
 name: 'build container images'

 on:
@ -17,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v3

      - name: Prepare
        id: prep
@ -50,14 +51,14 @@ jobs:

      - name: Login to DockerHub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v1
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

      - name: Build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v4
        with:
          builder: ${{ steps.buildx.outputs.name }}
          context: .
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -19,15 +19,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install Go
-        uses: actions/setup-go@v5
-      - name: Install earthly
-        uses: earthly/actions-setup@v1
+        uses: actions/setup-go@v4
        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          go-version: ^1.20
+      - name: Install earthly
+        uses: Luet-lab/luet-install-action@v1
+        with:
+          repository: quay.io/kairos/packages
+          packages: utils/earthly
      - name: Run Lint checks
        run: |
          earthly +lint
--- a/.github/workflows/osv-scanner-pr.yaml
+++ b/.github/workflows/osv-scanner-pr.yaml
@ -1,21 +0,0 @@
-name: OSV-Scanner PR Scan
-
-# Change "main" to your default branch if you use a different name, i.e. "master"
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-  merge_group:
-    branches: [main]
-
-permissions:
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Only need to read contents adn actions
-  contents: read
-  actions: read
-
-jobs:
-  scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,27 +0,0 @@
-name: goreleaser
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  goreleaser:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - run: |
-          git fetch --prune --unshallow
-      - name: Install gcc for arm64
-        run: sudo apt-get update && sudo apt-get install -y build-essential crossbuild-essential-arm64
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          version: latest
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/renovate_auto.yml
+++ b/.github/workflows/renovate_auto.yml
@ -1,35 +0,0 @@
-name: Renovate auto-merge
-on:
- pull_request_target
-
-permissions:
-  contents: write
-  pull-requests: write
-  packages: read
-
-jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'renovate[bot]' }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      - name: Approve a PR if not already approved
-        run: |
-          gh pr checkout "$PR_URL"
-            if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
-          then
-            gh pr review --approve "$PR_URL"
-          else
-            echo "PR already approved.";
-          fi
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-      - name: Enable auto-merge for Renovate PRs
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
--- a/.github/workflows/secscan.yaml
+++ b/.github/workflows/secscan.yaml
@ -1,32 +0,0 @@
-name: "Security Scan"
-
-# Run workflow each time code is pushed to your repository and on a schedule.
-# The scheduled workflow runs every at 00:00 on Sunday UTC time.
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - '**'
-  schedule:
-    - cron: '0 0 * * 0'
-
-jobs:
-  tests:
-    runs-on: ubuntu-latest
-    env:
-      GO111MODULE: on
-    steps:
-      - name: Checkout Source
-        uses: actions/checkout@v5
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          # we let the report trigger content trigger a failure using the GitHub Security features.
-          args: '-no-fail -fmt sarif -out results.sarif ./...'
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: results.sarif
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@ -1,35 +1,24 @@
+---
 name: Unit tests
 on:
  push:
    branches:
      - master
  pull_request:
-env:
-  FORCE_COLOR: 1
+
+
 concurrency:
  group: ci-unit-${{ github.head_ref || github.ref }}-${{ github.repository }}
  cancel-in-progress: true
+
 jobs:
  unit-tests:
-    strategy:
-      matrix:
-        go-version: ["1.24-bookworm"]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - name: Install earthly
-        uses: earthly/actions-setup@v1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run tests
        run: |
-          earthly +test --GO_VERSION=${{ matrix.go-version }}
-      - name: Codecov
-        uses: codecov/codecov-action@v5
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          file: ./coverage.out
+          ./earthly.sh +test
--- a/.gitignore
+++ b/.gitignore
@ -24,5 +24,3 @@ testbin/*
 *~

 /helm-chart
-build/
-dist/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -1,73 +0,0 @@
-# Make sure to check the documentation at http://goreleaser.com
-version: 2
-project_name: kcrypt-discovery-challenger
-builds:
-  - env:
-      - CGO_ENABLED=0
-      - CGO_LDFLAGS="-ldl"
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-    binary: '{{ .ProjectName }}'
-    id: default
-    main: ./cmd/discovery/main.go
-  - env:
-      - CGO_ENABLED=0
-      - GOEXPERIMENT=boringcrypto
-      - CGO_LDFLAGS="-ldl"
-    goos:
-      - linux
-    goarch:
-      - amd64
-    binary: '{{ .ProjectName }}'
-    id: fips-amd64
-    main: ./cmd/discovery/main.go
-    hooks:
-      post:
-        - bash -c 'set -e; go version {{.Path}} | grep boringcrypto || (echo "boringcrypto not found" && exit 1)'
-  - env:
-      - CGO_ENABLED=0
-      - GOEXPERIMENT=boringcrypto
-      - CC=aarch64-linux-gnu-gcc
-      - CGO_LDFLAGS="-ldl"
-    goos:
-      - linux
-    goarch:
-      - arm64
-    binary: '{{ .ProjectName }}'
-    id: fips-arm64
-    main: ./cmd/discovery/main.go
-    hooks:
-      post:
-      - bash -c 'set -e; go version {{.Path}} | grep boringcrypto || (echo "boringcrypto not found" && exit 1)'
-source:
-  enabled: true
-  name_template: '{{ .ProjectName }}-{{ .Tag }}-source'
-archives:
-  - id: default-archive
-    ids:
-      - default
-    name_template: '{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}-{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-  - id: fips-archive
-    ids:
-     - fips-arm64
-     - fips-amd64
-    name_template: '{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}-{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}-fips'
-checksum:
-  name_template: '{{ .ProjectName }}-{{ .Tag }}-checksums.txt'
-snapshot:
-  version_template: "{{ .Tag }}-next"
-changelog:
-  sort: asc
-  filters:
-    exclude:
-      - '^docs:'
-      - '^test:'
-      - '^Merge pull request'
-env:
-  - GOSUMDB=sum.golang.org
-before:
-  hooks:
-    - go mod tidy
--- a/4
+++ b/4
@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.24 as builder
+FROM golang:1.20 as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@ -16,7 +16,7 @@ COPY pkg/ pkg/
 COPY controllers/ controllers/

 # Build
-RUN CGO_ENABLED=0 go build -a -o manager main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go

 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
--- a/56
+++ b/56
@ -6,11 +6,11 @@ ARG BASE_IMAGE=quay.io/kairos/ubuntu:23.10-core-amd64-generic-$KAIROS_VERSION

 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools
 # renovate: datasource=docker depName=golang
-ARG GO_VERSION=1.24-bookworm
+ARG GO_VERSION=1.20
 ARG LUET_VERSION=0.33.0

 build-challenger:
-    FROM +go-deps
+    FROM golang:alpine
    COPY . /work
    WORKDIR /work
    RUN CGO_ENABLED=0 go build -o kcrypt-discovery-challenger ./cmd/discovery
@ -23,8 +23,8 @@ image:
    SAVE IMAGE $IMAGE

 image-rootfs:
-    FROM +image
-    SAVE ARTIFACT --keep-own /. rootfs
+  FROM +image
+  SAVE ARTIFACT --keep-own /. rootfs

 iso:
    ARG OSBUILDER_IMAGE
@ -36,39 +36,35 @@ iso:
    SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
    SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256

-go-deps:
+test:
    ARG GO_VERSION
    FROM golang:$GO_VERSION
-    WORKDIR /build
-    COPY go.mod go.sum ./
-    RUN go mod download
-    RUN go mod verify
-    SAVE ARTIFACT go.mod AS LOCAL go.mod
-    SAVE ARTIFACT go.sum AS LOCAL go.sum
-
-test:
-    FROM +go-deps
    ENV CGO_ENABLED=0
+
    WORKDIR /work

-    COPY . .
+    # Cache layer for modules
+    COPY go.mod go.sum ./
+    RUN go mod download && go mod verify
+
+    COPY . /work
    RUN go run github.com/onsi/ginkgo/v2/ginkgo run --covermode=atomic --coverprofile=coverage.out -p -r pkg/challenger cmd/discovery/client
    SAVE ARTIFACT coverage.out AS LOCAL coverage.out

 # Generic targets
 # usage e.g. ./earthly.sh +datasource-iso --CLOUD_CONFIG=tests/assets/qrcode.yaml
 datasource-iso:
-    ARG OSBUILDER_IMAGE
-    ARG CLOUD_CONFIG
-    FROM $OSBUILDER_IMAGE
-    RUN zypper in -y mkisofs
-    WORKDIR /build
-    RUN touch meta-data
+  ARG OSBUILDER_IMAGE
+  ARG CLOUD_CONFIG
+  FROM $OSBUILDER_IMAGE
+  RUN zypper in -y mkisofs
+  WORKDIR /build
+  RUN touch meta-data

-    COPY ${CLOUD_CONFIG} user-data
-    RUN cat user-data
-    RUN mkisofs -output ci.iso -volid cidata -joliet -rock user-data meta-data
-    SAVE ARTIFACT /build/ci.iso iso.iso AS LOCAL build/datasource.iso
+  COPY ${CLOUD_CONFIG} user-data
+  RUN cat user-data
+  RUN mkisofs -output ci.iso -volid cidata -joliet -rock user-data meta-data
+  SAVE ARTIFACT /build/ci.iso iso.iso AS LOCAL build/datasource.iso

 luet:
    FROM quay.io/luet/base:$LUET_VERSION
@ -76,7 +72,7 @@ luet:

 e2e-tests-image:
    FROM opensuse/tumbleweed
-    RUN zypper in -y go1.23 git qemu-x86 qemu-arm qemu-tools swtpm docker jq docker-compose make glibc libopenssl-devel curl gettext-runtime awk envsubst
+    RUN zypper in -y go git qemu-x86 qemu-arm qemu-tools swtpm docker jq docker-compose make glibc libopenssl-devel curl gettext-runtime
    ENV GOPATH="/go"

    COPY . /test
@ -94,15 +90,11 @@ e2e-tests-image:
    RUN luet repo add -y kairos --url quay.io/kairos/packages --type docker
    RUN LUET_NOLOCK=true luet install -y container/kubectl utils/k3d

-controller-latest:
-    FROM DOCKERFILE .
-    SAVE IMAGE controller:latest
-
 e2e-tests:
    FROM +e2e-tests-image
    ARG LABEL
-    RUN make test # This also generates the latest controllers automatically, we do that before building the docker image with them
-    WITH DOCKER --allow-privileged --load controller:latest=+controller-latest
+
+    WITH DOCKER --allow-privileged
        RUN ./scripts/e2e-tests.sh
    END

--- a/2
+++ b/2
@ -160,7 +160,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest

 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
-CONTROLLER_TOOLS_VERSION ?= v0.14.0
+CONTROLLER_TOOLS_VERSION ?= v0.9.2

 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
--- a/cmd/discovery/client/client.go
+++ b/cmd/discovery/client/client.go
@ -10,7 +10,7 @@ import (
 	"github.com/jaypipes/ghw/pkg/block"
 	"github.com/kairos-io/kairos-challenger/pkg/constants"
 	"github.com/kairos-io/kairos-challenger/pkg/payload"
-	"github.com/kairos-io/kairos-sdk/kcrypt/bus"
+	"github.com/kairos-io/kcrypt/pkg/bus"
 	"github.com/kairos-io/tpm-helpers"
 	"github.com/mudler/go-pluggable"
 	"github.com/mudler/yip/pkg/utils"
--- a/cmd/discovery/client/config.go
+++ b/cmd/discovery/client/config.go
@ -2,16 +2,10 @@ package client

 import (
 	"github.com/kairos-io/kairos-sdk/collector"
+	kconfig "github.com/kairos-io/kcrypt/pkg/config"
 	"gopkg.in/yaml.v3"
 )

-// There are the directories under which we expect to find kairos configuration.
-// When we are booted from an iso (during installation), configuration is expected
-// under `/oem`. When we are booting an installed system (in initramfs phase),
-// the path is `/sysroot/oem`.
-// When we run the challenger in hooks, we may have the config under /tmp/oem
-var confScanDirs = []string{"/oem", "/sysroot/oem", "/tmp/oem"}
-
 type Client struct {
 	Config Config
 }
@ -33,7 +27,7 @@ func unmarshalConfig() (Config, error) {
 	var result Config

 	o := &collector.Options{NoLogs: true, MergeBootCMDLine: false}
-	if err := o.Apply(collector.Directories(confScanDirs...)); err != nil {
+	if err := o.Apply(collector.Directories(append(kconfig.ConfigScanDirs, "/tmp/oem")...)); err != nil {
 		return result, err
 	}

--- a/cmd/discovery/client/enc.go
+++ b/cmd/discovery/client/enc.go
@ -47,7 +47,7 @@ func getPass(server string, headers map[string]string, certificate string, parti
 		if strings.Contains(result.Error, "x509: certificate signed by unknown authority") {
 			return "", false, errBadCertificate
 		}
-		return "", false, errors.New(result.Error)
+		return "", false, fmt.Errorf(result.Error)
 	}

 	return "", false, errPartNotFound
--- a/cmd/discovery/main.go
+++ b/cmd/discovery/main.go
@ -5,13 +5,12 @@ import (
 	"os"

 	"github.com/kairos-io/kairos-challenger/cmd/discovery/client"
-	"github.com/kairos-io/kairos-sdk/kcrypt/bus"
+	"github.com/kairos-io/kcrypt/pkg/bus"
 	"github.com/kairos-io/tpm-helpers"
-	"github.com/mudler/go-pluggable"
 )

 func main() {
-	if len(os.Args) >= 2 && isEventDefined(os.Args[1]) {
+	if len(os.Args) >= 2 && bus.IsEventDefined(os.Args[1]) {
 		c, err := client.NewClient()
 		checkErr(err)
 		checkErr(c.Start())
@ -29,25 +28,3 @@ func checkErr(err error) {
 		os.Exit(1)
 	}
 }
-
-// isEventDefined checks whether an event is defined in the bus.
-// It accepts strings or EventType, returns a boolean indicating that
-// the event was defined among the events emitted by the bus.
-func isEventDefined(i interface{}) bool {
-	checkEvent := func(e pluggable.EventType) bool {
-		if e == bus.EventDiscoveryPassword {
-			return true
-		}
-
-		return false
-	}
-
-	switch f := i.(type) {
-	case string:
-		return checkEvent(pluggable.EventType(f))
-	case pluggable.EventType:
-		return checkEvent(f)
-	default:
-		return false
-	}
-}
--- a/earthly.sh
+++ b/earthly.sh
@ -1,3 +1,3 @@
 #!/bin/bash

-docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v $(pwd):/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.15 --allow-privileged $@
+docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v $(pwd):/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.7.8 --allow-privileged $@
--- a/go.mod
+++ b/go.mod
@ -1,174 +1,156 @@
 module github.com/kairos-io/kairos-challenger

-go 1.24.2
+go 1.20

 require (
-	github.com/go-logr/logr v1.4.3
-	github.com/google/uuid v1.6.0
-	github.com/gorilla/websocket v1.5.3
-	github.com/hashicorp/mdns v1.0.6
-	github.com/kairos-io/kairos-sdk v0.9.4
-	github.com/jaypipes/ghw v0.17.0
+	github.com/go-logr/logr v1.2.4
+	github.com/google/uuid v1.3.0
+	github.com/gorilla/websocket v1.5.0
+	github.com/hashicorp/mdns v1.0.5
+	github.com/jaypipes/ghw v0.11.0
+	github.com/kairos-io/kairos-sdk v0.0.15
+	github.com/kairos-io/kcrypt v0.7.0
 	github.com/kairos-io/tpm-helpers v0.0.0-20240123063624-f7a3fcc66199
 	github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5
-	github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82
-	github.com/mudler/yip v1.16.3
-	github.com/onsi/ginkgo/v2 v2.23.4
-	github.com/onsi/gomega v1.37.0
+	github.com/mudler/go-processmanager v0.0.0-20220724164624-c45b5c61312d
+	github.com/mudler/yip v1.3.0
+	github.com/onsi/ginkgo/v2 v2.11.0
+	github.com/onsi/gomega v1.27.8
 	github.com/pkg/errors v0.9.1
-	github.com/spectrocloud/peg v0.0.0-20240405075800-c5da7125e30f
+	github.com/spectrocloud/peg v0.0.0-20230407121159-2e15270c4a46
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.27.2
-	k8s.io/apimachinery v0.27.4
+	k8s.io/apimachinery v0.27.2
 	k8s.io/client-go v0.27.2
 	sigs.k8s.io/controller-runtime v0.15.0
 )

 require (
-	atomicgo.dev/cursor v0.2.0 // indirect
+	atomicgo.dev/cursor v0.1.3 // indirect
 	atomicgo.dev/keyboard v0.2.9 // indirect
-	atomicgo.dev/schedule v0.1.0 // indirect
-	dario.cat/mergo v1.0.1 // indirect
+	atomicgo.dev/schedule v0.0.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.3.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
-	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.12.9 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/hcsshim v0.11.1 // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
 	github.com/avast/retry-go v3.0.0+incompatible // indirect
 	github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bramvdbogaerde/go-scp v1.2.1 // indirect
 	github.com/cavaliergopher/grab/v3 v3.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9 // indirect
 	github.com/codingsince1985/checksum v1.2.6 // indirect
-	github.com/containerd/cgroups/v3 v3.0.5 // indirect
-	github.com/containerd/console v1.0.4 // indirect
-	github.com/containerd/containerd v1.7.27 // indirect
-	github.com/containerd/continuity v0.4.5 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/cgroups v1.1.0 // indirect
+	github.com/containerd/console v1.0.3 // indirect
+	github.com/containerd/containerd v1.7.7 // indirect
+	github.com/containerd/continuity v0.4.2 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
-	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/denisbrodbeck/machineid v1.0.1 // indirect
-	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v27.5.0+incompatible // indirect
-	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v27.5.1+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.2 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/cli v23.0.5+incompatible // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker v23.0.5+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-logr/zapr v1.2.4 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.1 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/go-containerregistry v0.20.3 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-containerregistry v0.15.2 // indirect
 	github.com/google/go-tpm v0.3.3 // indirect
 	github.com/google/go-tpm-tools v0.3.10 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
+	github.com/google/pprof v0.0.0-20230228050547-1710fef4ab10 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/gookit/color v1.5.4 // indirect
+	github.com/gookit/color v1.5.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/huandu/xstrings v1.3.3 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/ipfs/go-log v1.0.5 // indirect
 	github.com/ipfs/go-log/v2 v2.5.1 // indirect
-	github.com/itchyny/gojq v0.12.17 // indirect
-	github.com/itchyny/timefmt-go v0.1.6 // indirect
+	github.com/itchyny/gojq v0.12.13 // indirect
+	github.com/itchyny/timefmt-go v0.1.5 // indirect
 	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/klauspost/compress v1.16.5 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
-	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/miekg/dns v1.1.55 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/miekg/dns v1.1.41 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/sys/sequential v0.6.0 // indirect
-	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 // indirect
-	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/prometheus/client_golang v1.20.2 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/pterm/pterm v0.12.80 // indirect
+	github.com/prometheus/client_golang v1.15.1 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/pterm/pterm v0.12.63 // indirect
 	github.com/qeesung/image2ascii v1.0.1 // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rs/zerolog v1.33.0 // indirect
-	github.com/shirou/gopsutil/v4 v4.24.7 // indirect
-	github.com/shoenig/go-m1cpu v0.1.6 // indirect
-	github.com/shopspring/decimal v1.4.0 // indirect
-	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
-	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/tklauser/go-sysconf v0.3.12 // indirect
-	github.com/tklauser/numcpus v0.6.1 // indirect
-	github.com/twpayne/go-vfs/v4 v4.3.0 // indirect
-	github.com/vbatts/tar-split v0.11.6 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/twpayne/go-vfs v1.7.2 // indirect
+	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/net v0.39.0 // indirect
-	golang.org/x/oauth2 v0.29.0 // indirect
-	golang.org/x/sync v0.13.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/term v0.31.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.32.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/net v0.13.0 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250212204824-5a70512c5d8b // indirect
-	google.golang.org/grpc v1.70.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20230323212658-478b75c54725 // indirect
+	google.golang.org/grpc v1.54.0 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	howett.net/plist v1.0.0 // indirect
 	k8s.io/apiextensions-apiserver v0.27.2 // indirect
@ -178,5 +160,5 @@ require (
 	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/renovate.json
+++ b/renovate.json
@ -9,8 +9,6 @@
    "every weekend"
  ],
  "timezone": "Europe/Brussels",
-  "rebaseWhen": "behind-base-branch",
-  "reviewers": [ "team:maintainers" ],
  "packageRules": [
    {
      "matchUpdateTypes": [
--- a/scripts/e2e-tests.sh
+++ b/scripts/e2e-tests.sh
@ -34,8 +34,10 @@ trap cleanup EXIT
 k3d cluster create "$CLUSTER_NAME" --k3s-arg "--cluster-cidr=10.49.0.1/16@server:0" --k3s-arg "--service-cidr=10.48.0.1/16@server:0" -p '80:80@server:0' -p '443:443@server:0' --image "$K3S_IMAGE"
 k3d kubeconfig get "$CLUSTER_NAME" > "$KUBECONFIG"

-# Import the controller image that we built at the start into to the cluster
-# this image has to exists and be available in the local docker
+# Build the docker image
+IMG=controller:latest make docker-build
+
+# Import the image to the cluster
 k3d image import -c "$CLUSTER_NAME" controller:latest

 # Install cert manager