feat: Add Podman support as drop-in replacement for Docker

.github/workflows/kind-cats.yaml

@@ -37,7 +37,7 @@ jobs:
             --privileged \
             --pid host \
             -v /lib/modules:/lib/modules:ro \
-            alpine sh -c "sysctl -w fs.inotify.max_user_instances=512 && modprobe nfs && modprobe nfsd"
+            alpine sh -c "sysctl -w fs.inotify.max_user_instances=512 && sysctl -w net.ipv4.ip_unprivileged_port_start=80 && modprobe nfs && modprobe nfsd"
       - name: Install dependencies
         if: steps.check_changes.outputs.skip != 'true'
         run: |

.github/workflows/kind-smoke.yaml

@@ -21,114 +21,23 @@ on:
 
 jobs:
   kind-smoke:
-    runs-on: ubuntu-latest
+    uses: ./.github/workflows/smoke-run.yaml
     permissions:
       id-token: write
       contents: read
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Check if only ignored paths changed
-        id: check_changes
-        run: |
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
-            CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }})
-            RELEVANT_FILES=$(echo "$CHANGED_FILES" | grep -v -E '.*\.Dockerfile|^releases/.*/files/|^\.github/|^docs/|\.md$|^renovate\.json$' || true)
-            if [ -z "$RELEVANT_FILES" ]; then
-              echo "Only ignored paths were changed. Skipping workflow."
-              echo "skip=true" >> $GITHUB_OUTPUT
-            else
-              echo "skip=false" >> $GITHUB_OUTPUT
-            fi
-          else
-            echo "skip=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Set kernel settings
-        if: steps.check_changes.outputs.skip != 'true'
-        run: |
-          docker run --rm \
-            --privileged \
-            --pid host \
-            alpine sh -c "sysctl -w fs.inotify.max_user_instances=512"
-      - name: Install dependencies
-        if: steps.check_changes.outputs.skip != 'true'
-        run: |
-          mkdir -p $HOME/.local/bin && echo "$HOME/.local/bin" >> "$GITHUB_PATH"
-          curl -L https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-linux-amd64 -o $HOME/.local/bin/kind
-          chmod +x $HOME/.local/bin/kind
-          curl -L https://github.com/helmfile/helmfile/releases/download/v${HELMFILE_VERSION}/helmfile_${HELMFILE_VERSION}_linux_amd64.tar.gz | tar -zx
-          mv helmfile $HOME/.local/bin/helmfile
-          curl -L "https://packages.cloudfoundry.org/stable?release=linux64-binary&version=${CF_CLI_VERSION}&source=github" | tar -zx
-          mv cf8 $HOME/.local/bin/cf
-        env:
-          # renovate: dataSource=github-releases depName=cloudfoundry/cli
-          CF_CLI_VERSION: "8.18.3"
-          # renovate: dataSource=github-releases depName=kubernetes-sigs/kind
-          KIND_VERSION: "0.32.0"
-          # renovate: dataSource=github-releases depName=helmfile/helmfile
-          HELMFILE_VERSION: "1.5.3"
-      - name: Use develop versions of cf-deployment
-        id: pre_validation
-        if: steps.check_changes.outputs.skip != 'true' && github.event_name == 'workflow_dispatch' && github.event.inputs.fresh-validation == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          pip3 install -r scripts/requirements.txt
-          python3 scripts/sync-cf-deployment-versions.py --ref develop
-      - name: Run make up (default)
-        if: steps.check_changes.outputs.skip != 'true' && github.event_name == 'pull_request'
-        run: make up
-      - name: Run make up
-        if: steps.check_changes.outputs.skip != 'true' && github.event_name != 'pull_request'
-        run: make up
-        env:
-          INSTALL_OPTIONAL_COMPONENTS: ${{ inputs.minimal }}  
-      - name: Login
-        if: steps.check_changes.outputs.skip != 'true'
-        run: make login
-      - name: Init
-        if: steps.check_changes.outputs.skip != 'true'
-        run: make bootstrap-complete
-      - name: setup CF tests
-        if: steps.check_changes.outputs.skip != 'true'
-        uses: ./.github/actions/setup-cf-tests
-        with:
-          test-repo: cf-smoke-tests
-          test-branch: main
-          config-template: ./.github/smoke-config.tpl
-          config-output: ./.github/smoke-config.json
-      - name: run smoke test
-        if: steps.check_changes.outputs.skip != 'true'
-        env:
-          CONFIG: "${{ github.workspace }}/.github/smoke-config.json"
-          GINKGO_NO_COLOR: "true"
-        run: |
-          ./cf-smoke-tests/bin/test --no-color --github-output --timeout=30m --procs=4 --json-report report.json
-      - name: debug events
-        if: failure()
-        run: kubectl get events -A --sort-by='.lastTimestamp'
-      - name: debug pods
-        if: failure()
-        run: |
-          echo "===== CLOUD_CONTROLLER ====="
-          kubectl get pod -n cf-system -l app.kubernetes.io/name=cloud-controller -o wide
-          kubectl get pod -n cf-system -l app.kubernetes.io/name=cloud-controller -o jsonpath='{.status.containerStatuses[*].state}' | jq
-          kubectl logs -n cf-system -l app.kubernetes.io/name=cloud-controller --all-containers=true
-          echo "===== CC_WORKER ====="
-          kubectl get pod -n cf-system -l app.kubernetes.io/name=cc-worker -o wide
-          kubectl logs -n cf-system -l app.kubernetes.io/name=cc-worker
-          echo "===== CC_UPLOADER ====="
-          kubectl get pod -n cf-system -l app=cc-uploader -o wide
-          kubectl logs -n cf-system -l app=cc-uploader
-          echo "===== CC_DEPLOYMENT_UPDATER ====="
-          kubectl get pod -n cf-system -l app.kubernetes.io/name=cc-deployment-updater -o wide
-          kubectl logs -n cf-system -l app.kubernetes.io/name=cc-deployment-updater
-          echo "===== CC_WORKER_CLOCK ====="
-          kubectl get pod -n cf-system -l app.kubernetes.io/name=cc-worker-clock -o wide
-          kubectl logs -n cf-system -l app.kubernetes.io/name=cc-worker-clock
-      - uses: actions/upload-artifact@v7
-        if: always()
-        with:
-          name: report.json
-          path: ./cf-smoke-tests/report.json
+    with:
+      container-runtime: docker
+      install-optional-components: ${{ github.event_name == 'pull_request' && 'false' || inputs.minimal != true && 'true' || 'false' }}
+      fresh-validation: ${{ inputs.fresh-validation == true }}
+      artifact-name: report.json
+
+  kind-smoke-podman:
+    uses: ./.github/workflows/smoke-run.yaml
+    permissions:
+      id-token: write
+      contents: read
+    with:
+      container-runtime: podman
+      install-optional-components: ${{ github.event_name == 'pull_request' && 'false' || inputs.minimal != true && 'true' || 'false' }}
+      fresh-validation: ${{ inputs.fresh-validation == true }}
+      artifact-name: report-podman.json

.github/workflows/smoke-run.yaml

@@ -0,0 +1,173 @@
+name: Smoke Run (reusable)
+
+on:
+  workflow_call:
+    inputs:
+      container-runtime:
+        description: 'Container runtime to use (docker or podman)'
+        type: string
+        required: true
+      install-optional-components:
+        description: 'Whether to install optional CF components'
+        type: string
+        required: true
+      artifact-name:
+        description: 'Name of the uploaded test report artifact'
+        type: string
+        required: true
+      fresh-validation:
+        description: 'Use versions of cf-deployment from the develop branch'
+        type: boolean
+        required: false
+        default: false
+
+jobs:
+  smoke-run:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Check if only ignored paths changed
+        id: check_changes
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }})
+            RELEVANT_FILES=$(echo "$CHANGED_FILES" | grep -v -E '.*\.Dockerfile|^releases/.*/files/|^\.github/|^docs/|\.md$|^renovate\.json$' || true)
+            if [ -z "$RELEVANT_FILES" ]; then
+              echo "Only ignored paths were changed. Skipping workflow."
+              echo "skip=true" >> $GITHUB_OUTPUT
+            else
+              echo "skip=false" >> $GITHUB_OUTPUT
+            fi
+          else
+            echo "skip=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Pin nip.io domains to localhost
+        if: steps.check_changes.outputs.skip != 'true'
+        run: |
+          # nip.io is an external DNS service; CI runners sometimes can't resolve it.
+          printf '127.0.0.1 api.127-0-0-1.nip.io\n127.0.0.1 uaa.127-0-0-1.nip.io\n127.0.0.1 login.127-0-0-1.nip.io\n127.0.0.1 apps.127-0-0-1.nip.io\n127.0.0.1 doppler.127-0-0-1.nip.io\n127.0.0.1 log-stream.127-0-0-1.nip.io\n' | sudo tee -a /etc/hosts
+      - name: Set kernel settings
+        if: steps.check_changes.outputs.skip != 'true'
+        run: |
+          sudo sysctl -w fs.inotify.max_user_instances=512
+          sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
+      - name: Set kernel settings (Podman extras)
+        if: steps.check_changes.outputs.skip != 'true' && inputs.container-runtime == 'podman'
+        run: |
+          # Mount BPF filesystem on the host (needed by kindnet on some kernels)
+          sudo mount bpffs /sys/fs/bpf -t bpf -o nosuid,nodev,noexec,relatime || true
+      - name: Install podman-compose
+        if: steps.check_changes.outputs.skip != 'true' && inputs.container-runtime == 'podman'
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y podman-compose
+          # Ensure podman-compose is used instead of the docker-compose plugin shim
+          sudo ln -sf /usr/bin/podman-compose /usr/local/bin/podman-compose
+      - name: Install dependencies
+        if: steps.check_changes.outputs.skip != 'true'
+        run: |
+          mkdir -p $HOME/.local/bin && echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+          curl -L https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-linux-amd64 -o $HOME/.local/bin/kind
+          chmod +x $HOME/.local/bin/kind
+          curl -L https://github.com/helmfile/helmfile/releases/download/v${HELMFILE_VERSION}/helmfile_${HELMFILE_VERSION}_linux_amd64.tar.gz | tar -zx
+          mv helmfile $HOME/.local/bin/helmfile
+          curl -L "https://packages.cloudfoundry.org/stable?release=linux64-binary&version=${CF_CLI_VERSION}&source=github" | tar -zx
+          mv cf8 $HOME/.local/bin/cf
+        env:
+          # renovate: dataSource=github-releases depName=cloudfoundry/cli
+          CF_CLI_VERSION: "8.18.3"
+          # renovate: dataSource=github-releases depName=kubernetes-sigs/kind
+          KIND_VERSION: "0.32.0"
+          # renovate: dataSource=github-releases depName=helmfile/helmfile
+          HELMFILE_VERSION: "1.5.3"
+      - name: Use develop versions of cf-deployment
+        id: pre_validation
+        if: steps.check_changes.outputs.skip != 'true' && inputs.fresh-validation == true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip3 install -r scripts/requirements.txt
+          python3 scripts/sync-cf-deployment-versions.py --ref develop
+      - name: Run make up
+        if: steps.check_changes.outputs.skip != 'true'
+        run: make up
+        env:
+          CONTAINER_RUNTIME: ${{ inputs.container-runtime }}
+          INSTALL_OPTIONAL_COMPONENTS: ${{ inputs.install-optional-components }}
+      - name: Login
+        if: steps.check_changes.outputs.skip != 'true'
+        run: make login
+      - name: Init
+        if: steps.check_changes.outputs.skip != 'true'
+        run: make bootstrap-complete
+      - name: setup CF tests
+        if: steps.check_changes.outputs.skip != 'true'
+        uses: ./.github/actions/setup-cf-tests
+        with:
+          test-repo: cf-smoke-tests
+          test-branch: main
+          config-template: ./.github/smoke-config.tpl
+          config-output: ./.github/smoke-config.json
+      - name: run smoke test
+        if: steps.check_changes.outputs.skip != 'true'
+        env:
+          CONFIG: "${{ github.workspace }}/.github/smoke-config.json"
+          GINKGO_NO_COLOR: "true"
+        run: |
+          ./cf-smoke-tests/bin/test --no-color --github-output --timeout=30m --procs=4 --json-report report.json
+      - name: debug events
+        if: failure()
+        run: kubectl get events -A --sort-by='.lastTimestamp'
+      - name: debug cilium
+        if: failure() && inputs.container-runtime == 'podman'
+        run: |
+          echo "===== CILIUM PODS ====="
+          kubectl get pod -n kube-system -l k8s-app=cilium -o wide
+          echo "===== CILIUM AGENT LOGS (all pods) ====="
+          for pod in $(kubectl get pod -n kube-system -l k8s-app=cilium -o jsonpath='{.items[*].metadata.name}'); do
+            echo "--- $pod ---"
+            kubectl logs -n kube-system "$pod" --all-containers=true --previous 2>/dev/null || kubectl logs -n kube-system "$pod" --all-containers=true 2>/dev/null || true
+          done
+          echo "===== CILIUM OPERATOR LOGS ====="
+          kubectl logs -n kube-system -l name=cilium-operator --all-containers=true 2>/dev/null || true
+          echo "===== CILIUM STATUS ====="
+          kubectl exec -n kube-system $(kubectl get pod -n kube-system -l k8s-app=cilium -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) -- cilium status 2>/dev/null || true
+      - name: debug pods
+        if: failure()
+        run: |
+          echo "===== CLOUD_CONTROLLER ====="
+          kubectl get pod -n cf-system -l app.kubernetes.io/name=cloud-controller -o wide
+          kubectl get pod -n cf-system -l app.kubernetes.io/name=cloud-controller -o jsonpath='{.status.containerStatuses[*].state}' | jq
+          kubectl logs -n cf-system -l app.kubernetes.io/name=cloud-controller --all-containers=true
+          echo "===== CC_WORKER ====="
+          kubectl get pod -n cf-system -l app.kubernetes.io/name=cc-worker -o wide
+          kubectl logs -n cf-system -l app.kubernetes.io/name=cc-worker
+          echo "===== CC_UPLOADER ====="
+          kubectl get pod -n cf-system -l app=cc-uploader -o wide
+          kubectl logs -n cf-system -l app=cc-uploader
+          echo "===== CC_DEPLOYMENT_UPDATER ====="
+          kubectl get pod -n cf-system -l app.kubernetes.io/name=cc-deployment-updater -o wide
+          kubectl logs -n cf-system -l app.kubernetes.io/name=cc-deployment-updater
+          echo "===== CC_WORKER_CLOCK ====="
+          kubectl get pod -n cf-system -l app.kubernetes.io/name=cc-worker-clock -o wide
+          kubectl logs -n cf-system -l app.kubernetes.io/name=cc-worker-clock
+      - name: debug pods (Podman extras)
+        if: failure() && inputs.container-runtime == 'podman'
+        run: |
+          echo "===== CF_TCP_ROUTER ====="
+          kubectl get pod -n cf-system -l app=cf-tcp-router -o wide
+          kubectl get pod -n cf-system -l app=cf-tcp-router -o jsonpath='{.items[*].status.containerStatuses[*].state}' | jq 2>/dev/null || true
+          kubectl logs -n cf-system -l app=cf-tcp-router --all-containers=true 2>/dev/null || true
+          echo "===== ROUTING_API ====="
+          kubectl get pod -n cf-system -l app=routing-api -o wide
+          kubectl logs -n cf-system -l app=routing-api --all-containers=true 2>/dev/null || true
+      - uses: actions/upload-artifact@v7
+        if: always()
+        with:
+          name: ${{ inputs.artifact-name }}
+          path: ./cf-smoke-tests/report.json

.gitignore

@@ -1,2 +1,2 @@
 temp/
-
+.idea

Makefile

@@ -3,19 +3,40 @@ TARGET_ARCH ?= $(if $(filter true,$(LOCAL)),$(shell go env GOARCH),amd64)
 # renovate: dataSource=github-releases depName=helmfile/helmfile
 HELMFILE_VERSION ?= "1.5.3"
 
+build:
+	@ . ./scripts/detect-runtime.sh; \
+	if [ "$$CONTAINER_RUNTIME" = "podman" ]; then \
+		echo "Building with Podman is not yet supported via docker-bake.hcl."; \
+		echo "Use 'podman build' manually with the Dockerfiles in releases/."; \
+		exit 1; \
+	fi; \
+	docker buildx bake --file docker-bake.hcl --set "*.platform=linux/$(TARGET_ARCH)" $(BAKE_TARGETS)
+
 init: temp/certs/ca.key temp/certs/ca.crt temp/certs/ssh_key temp/certs/ssh_key.pub temp/secrets.sh temp/secrets.env
 
 temp/certs/ca.key temp/certs/ca.crt temp/certs/ssh_key temp/certs/ssh_key.pub temp/secrets.sh temp/secrets.env:
 	@ ./scripts/init.sh
 
 install:
-	kind get kubeconfig --name cfk8s > temp/kubeconfig
-	docker run --rm --net=host --env-file temp/secrets.env \
+	@ . ./scripts/detect-runtime.sh; \
+	if [ "$$IS_PODMAN" = "true" ]; then export SKIP_CILIUM="true"; fi; \
+	kind get kubeconfig --name cfk8s > temp/kubeconfig; \
+	$$CONTAINER_RUNTIME run --rm --net=host --env-file temp/secrets.env \
 		--env INSTALL_OPTIONAL_COMPONENTS \
+		--env CILIUM_EXTRA_VALUES \
+		--env SKIP_CILIUM \
 		-v "$$PWD/temp/certs:/certs" -v "$$PWD/temp/kubeconfig:/helm/.kube/config:ro" -v "$$PWD:/wd" --workdir /wd ghcr.io/helmfile/helmfile:v$(HELMFILE_VERSION) helmfile sync
 
 login:
-	@ . temp/secrets.sh; \
+	@ echo "Waiting for CF API to become ready..."; \
+	for i in $$(seq 1 60); do \
+		status=$$(curl -sk -o /dev/null -w "%{http_code}" https://api.127-0-0-1.nip.io/v2/info); \
+		if [ "$$status" = "200" ]; then echo "CF API is ready."; break; fi; \
+		echo "  attempt $$i/60: HTTP $$status – retrying in 10s..."; \
+		sleep 10; \
+	done; \
+	if [ "$$status" != "200" ]; then echo "ERROR: CF API did not become ready after 10 minutes." >&2; exit 1; fi; \
+	. temp/secrets.sh; \
 	cf login -a https://api.127-0-0-1.nip.io -u ccadmin -p "$$CC_ADMIN_PASSWORD" --skip-ssl-validation
 
 create-kind:
@@ -33,12 +54,12 @@ create-org:
 bootstrap: create-org
 	@ ./scripts/upload_buildpacks.sh
 
-bootstrap-complete: create-org 
+bootstrap-complete: create-org
 	@ ALL_BUILDPACKS=true ./scripts/upload_buildpacks.sh
 
 up: create-kind init install
 
 down: delete-kind
 	@ rm -rf temp
 
-PHONY: install login create-kind delete-kind up down create-org bootstrap bootstrap-complete
+.PHONY: build install login create-kind delete-kind up down create-org bootstrap bootstrap-complete