Merge branch 'master' into cruizen-patch-1

platform9 · Nov 8, 2023 · 71f8e2b · 71f8e2b
2 parents d59d5bc + e8e59ea
commit 71f8e2b
Show file tree

Hide file tree

Showing 123 changed files with 8,393 additions and 375 deletions.
diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.  For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Grype vulnerability scan
+
+on:
+  push:
+    branches: [ "master", "platform9-v*" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '44 8 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  Anchore-Build-Scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out the code
+      uses: actions/checkout@v4
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag platform9/luigi_dev:latest
+    - name: Run the Anchore Grype scan action
+      uses: anchore/scan-action@v3
+      id: scan
+      with:
+        image: "platform9/luigi_dev:latest"
+        fail-build: false
+        severity-cutoff: critical
+    - name: Upload vulnerability report
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,52 @@
+name: Unit Tests and Build
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  lint:
+    environment: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          go-version: 1.19
+          check-latest: true
+          cache: true
+      - name: Print the version of golang
+        run: go version
+#      - name: Run golangci-lint
+#        uses: golangci/[email protected]
+#        with:
+#          skip-pkg-cache: true
+#          args: --timeout=5m
+  build_and_unit_test:
+    environment: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          go-version: 1.19
+          check-latest: true
+          cache: true
+      - name: Print the version of golang
+        run: go version
+      - name: Run unit tests with code coverage
+        run: make test
+      - name: Build
+        run: make build
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          files: ./cover.out
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -0,0 +1,19 @@
+name: Vuln check
+on:
+  pull_request:
+    branches:
+      - "main"
+      - "v**"
+  schedule: 
+    - cron: '* * * * *'
+permissions: 
+  security-events: write
+
+jobs:
+  vuln-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Golang Vulncheck
+        uses: Templum/[email protected]
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy_scan
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '42 17 * * 0'
+
+permissions:
+  contents: read
+
+jobs:
+  build_image:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Build
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/platform9/luigi:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: 'docker.io/platform9/luigi:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/Dockerfile b/Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 #FROM gcr.io/distroless/static:nonroot
 
-FROM alpine:3.15
+FROM alpine:3.16
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /workspace/manager .

diff --git a/Makefile b/Makefile
@@ -14,10 +14,14 @@ GOBIN=$(shell go env GOBIN)
 endif
 
 SRCROOT = $(abspath $(dir $(lastword $(MAKEFILE_LIST)))/)
+BUILD_DIR :=$(SRCROOT)/bin
 BUILD_ROOT = $(SRCROOT)/build
 OS=$(shell go env GOOS)
 ARCH=$(shell go env GOARCH)
 
+$(BUILD_DIR):
+	mkdir -p $@
+
 $(BUILD_ROOT):
 	mkdir -p $@
 	mkdir -p $@/luigi
@@ -143,17 +147,17 @@ $(ENVTEST): $(LOCALBIN)
 	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
 
 img-test:
-	docker run --rm  -v $(SRCROOT):/luigi -w /luigi golang:1.17.7-bullseye  bash -c "make test"
+	docker run --rm  -v $(SRCROOT):/luigi -w /luigi golang:1.19.1-bullseye  bash -c "GOFLAGS=-buildvcs=false make test"
 
-img-build: img-test $(BUILD_ROOT)
+img-build: $(BUILD_DIR) img-test 
 	docker build --network host . -t ${IMG}
-	echo ${IMG} > $(BUILD_ROOT)/container-tag
+	echo ${IMG} > $(BUILD_DIR)/container-tag
 
 img-build-push: img-build
 	docker login
 	docker push ${IMG}
-	echo ${IMG} > $(BUILD_ROOT)/container-tag
+	echo ${IMG} > $(BUILD_DIR)/container-tag
 
-scan: 
+scan: $(BUILD_ROOT)
 	docker run -v $(BUILD_ROOT)/luigi:/out -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.trivy:/root/.cache  aquasec/trivy image -s CRITICAL,HIGH -f json  --vuln-type library -o /out/library_vulnerabilities.json --exit-code 22 ${IMG}
 	docker run -v $(BUILD_ROOT)/luigi:/out -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.trivy:/root/.cache  aquasec/trivy image -s CRITICAL,HIGH -f json  --vuln-type os -o /out/os_vulnerabilities.json --exit-code 22 ${IMG}
diff --git a/PROJECT b/PROJECT
@@ -1,7 +1,6 @@
 domain: k8s.pf9.io
 layout:
 - go.kubebuilder.io/v3
-multigroup: true
 projectName: luigi
 repo: github.com/platform9/luigi
 resources:
@@ -14,4 +13,7 @@ resources:
   kind: NetworkPlugins
   path: github.com/platform9/luigi/api/v1
   version: v1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"
diff --git a/README.md b/README.md
@@ -101,3 +101,8 @@ spec:
 ```
 
 That is it! Now that you have the secondary CNIs and other related plugins deployed, you may need to prep the nodes before you can actually create Multus Networks and assign them to Pods. In order to do so, use Luigi's own HostPlumber plugin: https://github.com/platform9/luigi/blob/master/hostplumber/README.md
+
+
+##### Dev note
+This project needs to migrate to Kubebuilder/v4.
+webhooks where added manually `make generate && make manifestes` will not add required feild for webhook in crds and luigi deployment. refer `samples/luigi-plugins-operator-v2.yaml`
diff --git a/api/v1/networkplugins_types.go b/api/v1/networkplugins_types.go
@@ -48,6 +48,14 @@ type Ovs struct {
 	OVSImage        string `json:"ovsImage,omitempty"`
 	CNIImage        string `json:"cniImage,omitempty"`
 	MarkerImage     string `json:"markerImage,omitempty"`
+	DPDK            *Dpdk  `json:"dpdk,omitempty"`
+}
+
+type Dpdk struct {
+	LcoreMask      string `json:"lcoreMask"`
+	SocketMem      string `json:"socketMem"`
+	PmdCpuMask     string `json:"pmdCpuMask"`
+	HugepageMemory string `json:"hugepageMemory"`
 }
 
 type NodeFeatureDiscovery struct {
@@ -85,8 +93,11 @@ type Sriov struct {
 }
 
 type DhcpController struct {
-	ImagePullPolicy     string `json:"imagePullPolicy,omitempty"`
-	DhcpControllerImage string `json:"DHCPControllerImage,omitempty"`
+	KubemacpoolNamespace  string `json:"kubemacpoolnamespace,omitempty"`
+	ImagePullPolicy       string `json:"imagePullPolicy,omitempty"`
+	DhcpControllerImage   string `json:"DHCPControllerImage,omitempty"`
+	KubemacpoolRangeStart string `json:"kubemacpoolRangeStart,omitempty"`
+	KubemacpoolRangeEnd   string `json:"kubemacpoolRangeEnd,omitempty"`
 }
 
 // NetworkPluginsStatus defines the observed state of NetworkPlugins

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/plumber.k8s.pf9.io_networkplugins.yaml b/config/crd/bases/plumber.k8s.pf9.io_networkplugins.yaml
@@ -43,6 +43,12 @@ spec:
                         type: string
                       imagePullPolicy:
                         type: string
+                      kubemacpoolRangeEnd:
+                        type: string
+                      kubemacpoolRangeStart:
+                        type: string
+                      kubemacpoolnamespace:
+                        type: string
                     type: object
                   hostPlumber:
                     properties:
@@ -75,6 +81,22 @@ spec:
                     properties:
                       cniImage:
                         type: string
+                      dpdk:
+                        properties:
+                          hugepageMemory:
+                            type: string
+                          lcoreMask:
+                            type: string
+                          pmdCpuMask:
+                            type: string
+                          socketMem:
+                            type: string
+                        required:
+                        - hugepageMemory
+                        - lcoreMask
+                        - pmdCpuMask
+                        - socketMem
+                        type: object
                       imagePullPolicy:
                         type: string
                       markerImage:

diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -8,12 +8,12 @@ resources:
 patchesStrategicMerge:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-#- patches/webhook_in_networkplugins.yaml
+- patches/webhook_in_networkplugins.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_networkplugins.yaml
+- patches/cainjection_in_networkplugins.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.