diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 5821b06c6..8bb50c701 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -15,6 +15,4 @@ following ourselves these points: - explain what and why in the body, if more than a trivial change, wrapping at 72 characters -If you have any issue or question, reach out us! -https://clastix.slack.com >>> #capsule channel --> diff --git a/.github/actions/exists/action.yaml b/.github/actions/exists/action.yaml new file mode 100644 index 000000000..7f9c6ddc9 --- /dev/null +++ b/.github/actions/exists/action.yaml @@ -0,0 +1,21 @@ +name: Checks if an input is defined + +description: Checks if an input is defined and outputs 'true' or 'false'. + +inputs: + value: + description: value to test + required: true + +outputs: + result: + description: outputs 'true' or 'false' if input value is defined or not + value: ${{ steps.check.outputs.result }} + +runs: + using: composite + steps: + - shell: bash + id: check + run: | + echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT \ No newline at end of file diff --git a/.github/actions/setup-caches/action.yaml b/.github/actions/setup-caches/action.yaml new file mode 100644 index 000000000..622c54d45 --- /dev/null +++ b/.github/actions/setup-caches/action.yaml 
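Review bot: `$GITHUB_OUTPUT` on the last line of the `run` block in `exists/action.yaml` is unquoted; write `echo "result=${{ inputs.value != '' }}" >> "$GITHUB_OUTPUT"` so a path containing spaces cannot split the redirect. Because the `${{ }}` expression is resolved to a bare `true`/`false` before bash starts, the input itself — which callers in this diff populate with secrets such as `CODECOV_TOKEN` and `FOSSA_API_KEY` — never reaches the shell or the job log; a comment above `run:` such as `# only the comparison result is interpolated; never echo inputs.value itself, callers pass secrets` would keep a later edit from breaking that property. The file also lacks a trailing newline.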
@@ -0,0 +1,20 @@ +name: Setup caches + +description: Setup caches for go modules and build cache. + +inputs: + build-cache-key: + description: build cache prefix + +runs: + using: composite + steps: + - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} + - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 + if: ${{ inputs.build-cache-key }} + with: + path: ~/.cache/go-build + key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} \ No newline at end of file diff --git a/.github/configs/ct.yaml b/.github/configs/ct.yaml index 29160c1da..af5985757 100644 --- a/.github/configs/ct.yaml +++ b/.github/configs/ct.yaml @@ -1,5 +1,5 @@ remote: origin -target-branch: master +target-branch: main chart-dirs: - charts helm-extra-args: "--timeout 600s" diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..df09b6d72 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +version: 2 +updates: + - package-ecosystem: gomod + directory: / + schedule: + interval: daily + rebase-strategy: disabled + commit-message: + prefix: "feat(deps)" + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + rebase-strategy: disabled + commit-message: + prefix: "ci" diff --git a/.github/workflows/check-actions.yml b/.github/workflows/check-actions.yml new file mode 100644 index 000000000..01eaa4c03 --- /dev/null +++ b/.github/workflows/check-actions.yml 
@@ -0,0 +1,24 @@ +name: Check actions +permissions: {} + +on: + pull_request: + branches: [ "main" ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + check: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Ensure SHA pinned actions + uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4 + with: + # slsa-github-generator requires using a semver tag for reusable workflows. + # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators + allowlist: | + slsa-framework/slsa-github-generator \ No newline at end of file diff --git a/.github/workflows/check-commit.yml b/.github/workflows/check-commit.yml new file mode 100644 index 000000000..0d6b52a26 --- /dev/null +++ b/.github/workflows/check-commit.yml @@ -0,0 +1,23 @@ +name: Check Commit +permissions: {} + +on: + push: + branches: [ "*" ] + pull_request: + branches: [ "*" ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + commit_lint: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + with: + fetch-depth: 0 + - uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3 + with: + firstParent: true diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml new file mode 100644 index 000000000..2d8834e07 --- /dev/null +++ b/.github/workflows/codecov.yml 
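Review bot: In `check-commit.yml` the `push` trigger's `branches: [ "*" ]` does not match branch names containing a `/` (the `*` glob in GitHub's branch filter stops at `/`), so pushes to branches such as `feat/…` skip commit linting; use `branches: [ "**" ]` if every branch is meant, and the same applies to the new `lint.yml` further down in this diff. Combining `push` and `pull_request` on all branches also runs the job twice for pull requests opened from this repository, and the `concurrency` group keyed on `github.ref` does not dedupe them because the two events carry different refs. `permissions: {}` with SHA-pinned actions is the right baseline for both workflows.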
@@ -0,0 +1,38 @@ +name: Codecov +permissions: {} + +on: + pull_request: + branches: [ "main" ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + codecov: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: codecov + - name: Check secret + id: checksecret + uses: ./.github/actions/exists + with: + value: ${{ secrets.CODECOV_TOKEN }} + - name: Generate Code Coverage Report + if: steps.checksecret.outputs.result == 'true' + run: make test + - name: Upload Report to Codecov + if: steps.checksecret.outputs.result == 'true' + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 + with: + file: ./coverage.out + fail_ci_if_error: true + verbose: true diff --git a/.github/workflows/ci.yml b/.github/workflows/diff.yml similarity index 61% rename from .github/workflows/ci.yml rename to .github/workflows/diff.yml index cc15c588c..4d4790233 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/diff.yml @@ -1,4 +1,5 @@ -name: CI +name: Diff checks +permissions: {} on: push: 
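Review bot: `codecov.yml` only runs on `pull_request` against `main`, so coverage for `main` itself is never uploaded and Codecov has no base report to compare a pull request against; if that comparison is wanted, add `push: branches: [ "main" ]` to `on:`. On `pull_request` events from forks `secrets.CODECOV_TOKEN` is empty, so the `Check secret` gate turns the two upload steps into no-ops instead of tripping `fail_ci_if_error: true`; a comment on that step saying `# secrets are unavailable on fork PRs; skip upload rather than fail` would stop the next reader from removing the gate. `make test` relies on whatever Go toolchain the runner image ships since there is no `setup-go` step, so the version used for coverage can drift from `go.mod`.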
@@ -6,35 +7,19 @@ on: pull_request: branches: [ "*" ] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: - commit_lint: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - uses: wagoid/commitlint-github-action@v2 - with: - firstParent: true - golangci: - name: lint - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - - name: Run golangci-lint - uses: golangci/golangci-lint-action@v2.3.0 - with: - version: v1.51.2 - only-new-issues: false - args: --timeout 5m --config .golangci.yml diff: name: diff runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: fetch-depth: 0 - - uses: actions/setup-go@v2 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: '1.19' - run: make installer diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 000000000..b62eb2ac6 --- /dev/null +++ b/.github/workflows/docker-build.yml @@ -0,0 +1,33 @@ +name: Build images +permissions: {} + +on: + pull_request: + branches: [ "main" ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + build-images: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: build-images + - name: ko build + run: REPOSITORY=${GITHUB_REPOSITORY} make ko-build-all + - name: Trivy Scan Image + uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' \ No newline at end of file 
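Review bot: The `Trivy Scan Image` step in `docker-build.yml` neither gates nor reports: it writes `trivy-results.sarif`, but no later step uploads that file, and `aquasecurity/trivy-action` exits 0 on findings unless `exit-code` is set, so CRITICAL/HIGH results are discarded. Either add `exit-code: '1'` under `with:` to fail the build, or follow the step with `github/codeql-action/upload-sarif` (already pinned in `scorecard.yml` in this diff) under a job-level `security-events: write`. The step name says "Image" while `scan-type: 'fs'` scans the checked-out repository, not the images produced by `make ko-build-all` just above; rename the step or point Trivy at the built image. `docker-publish.yml`'s `Run Trivy vulnerability (Repo)` step has the same dropped-output problem.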
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml deleted file mode 100644 index da2cbec04..000000000 --- a/.github/workflows/docker-ci.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -name: docker-ci - -on: - push: - tags: - - "v*" - -jobs: - docker-ci: - runs-on: ubuntu-20.04 - steps: - - - name: Checkout - uses: actions/checkout@v2 - - - name: Generate build-args - id: build-args - run: | - # Declare vars for internal use - VERSION=$(git describe --abbrev=0 --tags) - GIT_HEAD_COMMIT=$(git rev-parse --short HEAD) - GIT_TAG_COMMIT=$(git rev-parse --short $VERSION) - GIT_MODIFIED_1=$(git diff $GIT_HEAD_COMMIT $GIT_TAG_COMMIT --quiet && echo "" || echo ".dev") - GIT_MODIFIED_2=$(git diff --quiet && echo "" || echo ".dirty") - # Export to GH_ENV - echo "GIT_LAST_TAG=$VERSION" >> $GITHUB_ENV - echo "GIT_HEAD_COMMIT=$GIT_HEAD_COMMIT" >> $GITHUB_ENV - echo "GIT_TAG_COMMIT=$GIT_TAG_COMMIT" >> $GITHUB_ENV - echo "GIT_MODIFIED=$(echo "$GIT_MODIFIED_1""$GIT_MODIFIED_2")" >> $GITHUB_ENV - echo "GIT_REPO=$(git config --get remote.origin.url)" >> $GITHUB_ENV - echo "BUILD_DATE=$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_ENV - - - name: Docker meta - id: meta - uses: docker/metadata-action@v3 - with: - images: | - quay.io/${{ github.repository }} - docker.io/${{ github.repository }} - tags: | - type=semver,pattern={{raw}} - flavor: | - latest=false - - - name: Set up QEMU - id: qemu - uses: docker/setup-qemu-action@v1 - with: - platforms: arm64,arm - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v1 - with: - install: true - - - name: Inspect builder - run: | - echo "Name: ${{ steps.buildx.outputs.name }}" - echo "Endpoint: ${{ steps.buildx.outputs.endpoint }}" - echo "Status: ${{ steps.buildx.outputs.status }}" - echo "Flags: ${{ steps.buildx.outputs.flags }}" - echo "Platforms: ${{ steps.buildx.outputs.platforms }}" - - - name: Login to quay.io Container Registry - uses: docker/login-action@v1 - with: - registry: quay.io - username: ${{ github.repository_owner }}+github - password: ${{ secrets.BOT_QUAY_IO }} - - - name: Login to docker.io Container Registry - uses: 
docker/login-action@v1 - with: - registry: docker.io - username: ${{ secrets.USER_DOCKER_IO }} - password: ${{ secrets.BOT_DOCKER_IO }} - - - name: Build and push - id: build-release - uses: docker/build-push-action@v2 - with: - file: Dockerfile - context: . - platforms: linux/amd64,linux/arm64,linux/arm - push: true - tags: ${{ steps.meta.outputs.tags }} - build-args: | - GIT_HEAD_COMMIT=${{ env.GIT_HEAD_COMMIT }} - GIT_TAG_COMMIT=${{ env.GIT_TAG_COMMIT }} - GIT_REPO=${{ env.GIT_REPO }} - GIT_LAST_TAG=${{ env.GIT_LAST_TAG }} - GIT_MODIFIED=${{ env.GIT_MODIFIED }} - BUILD_DATE=${{ env.BUILD_DATE }} - - - name: Image digest - run: echo ${{ steps.build-release.outputs.digest }} diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml new file mode 100644 index 000000000..ed7d8d0cb --- /dev/null +++ b/.github/workflows/docker-publish.yml 
@@ -0,0 +1,69 @@ +name: Publish images +permissions: {} + +on: + push: + tags: + - "v*" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + publish-images: + runs-on: ubuntu-latest + permissions: + packages: write + id-token: write + outputs: + capsule-digest: ${{ steps.publish-capsule.outputs.digest }} + steps: + - name: Checkout + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: publish-images + - name: Run Trivy vulnerability (Repo) + uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + - name: Install Cosign + uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 + - name: Publish Capsule + id: publish-capsule + uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1 + with: + makefile-target: ko-publish-capsule + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: capsule + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./ + env: + REPOSITORY: ${{ github.repository }} + generate-capsule-provenance: + needs: publish-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. 
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 + with: + image: ghcr.io/${{ github.repository_owner }}/capsule + digest: "${{ needs.publish-images.outputs.capsule-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/docs-lint.yml b/.github/workflows/docs-lint.yml index 168ece40a..3876d20ac 100644 --- a/.github/workflows/docs-lint.yml +++ b/.github/workflows/docs-lint.yml @@ -1,4 +1,5 @@ name: docs-lint +permissions: {} on: push: @@ -12,15 +13,19 @@ on: - '.github/workflows/docs-lint.yml' - 'docs/content/**' +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: spelling: name: Spell Check runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: fetch-depth: 0 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 18 - run: make docs-lint \ No newline at end of file diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 618404641..f4cf72f8e 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -1,4 +1,5 @@ name: e2e +permissions: {} on: push: @@ -26,6 +27,10 @@ on: - 'main.go' - 'Makefile' +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: kind: name: Kubernetes @@ -35,10 +40,10 @@ jobs: k8s-version: ['v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2'] runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: fetch-depth: 0 - - uses: actions/setup-go@v2 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: '1.19' - run: make manifests 
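Review bot: `cancel-in-progress: true` is risky on the tag-triggered `docker-publish.yml`: a re-push of the same `v*` tag lands in the same concurrency group and cancels the running job, possibly after `Publish Capsule` has pushed the image but before signing completes or `generate-capsule-provenance` runs, leaving a published but unattested image. Set `cancel-in-progress: false` for this workflow (and for `helm-publish.yml` and `releaser.yml`, which reuse the block) so release runs queue instead. The job's `permissions` list omits `contents: read`; as far as I can tell `actions/checkout` gets away with that only on a public repository, so either add the scope or leave a comment recording the assumption. `sign-image: true` here and `sign-image: 'true'` in `helm-publish.yml` spell what looks like the same input differently; pick one form.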
@@ -46,11 +51,11 @@ jobs: run: test -z "$(git diff 2> /dev/null)" - name: Checking if manifests generated untracked files run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)" - - uses: engineerd/setup-kind@v0.5.0 + - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 with: skipClusterCreation: true version: v0.14.0 - - uses: azure/setup-helm@v1 + - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 with: version: 3.3.4 - name: e2e testing diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index e1d363249..75ed8ddf1 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -1,4 +1,5 @@ name: FOSSA +permissions: {} on: push: @@ -6,20 +7,29 @@ on: pull_request: branches: [ "*" ] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: fossa-scan: runs-on: ubuntu-20.04 steps: - name: "Checkout Code" - uses: actions/checkout@v3 - + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Check secret + id: checksecret + uses: ./.github/actions/exists + with: + value: ${{ secrets.FOSSA_API_KEY }} - name: "Run FOSSA Scan" - uses: fossas/fossa-action@v1.3.1 + if: steps.checksecret.outputs.result == 'true' + uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 with: api-key: ${{ secrets.FOSSA_API_KEY }} - - name: "Run FOSSA Test" - uses: fossas/fossa-action@v1.3.1 + if: steps.checksecret.outputs.result == 'true' + uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 with: api-key: ${{ secrets.FOSSA_API_KEY }} run-tests: true diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml index 6c886d207..a0df44a74 100644 --- a/.github/workflows/gosec.yml +++ b/.github/workflows/gosec.yml 
@@ -1,9 +1,15 @@ name: CI gosec +permissions: {} on: push: branches: [ "*" ] pull_request: branches: [ "*" ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: tests: runs-on: ubuntu-20.04 @@ -11,8 +17,8 @@ jobs: GO111MODULE: on steps: - name: Checkout Source - uses: actions/checkout@v2 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - name: Run Gosec Security Scanner - uses: securego/gosec@master + uses: securego/gosec@0ec6cd95d7bf02aef4ec2786e884868e0044875b # v2.18.1 with: args: ./... diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml new file mode 100644 index 000000000..1b1eb35cc --- /dev/null +++ b/.github/workflows/helm-publish.yml 
@@ -0,0 +1,64 @@ +name: Publish charts +permissions: read-all +on: + push: + tags: [ "helm-v*" ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + publish-helm: + # Skip this Release on forks + if: github.repository_owner == 'capsuleproject' + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Publish Helm chart + uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 + with: + token: "${{ secrets.GITHUB_TOKEN }}" + linting: off + charts_dir: charts + charts_url: https://${{ github.repository_owner }}.github.io/charts + owner: ${{ github.repository_owner }} + repository: charts + branch: gh-pages + commit_username: ${{ github.actor }} + publish-helm-oci: + runs-on: ubuntu-20.04 + permissions: + contents: write + id-token: write + packages: write + outputs: + chart-digest: ${{ steps.helm_publish.outputs.digest }} + steps: + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 + - name: Helm | Publish + id: helm_publish + uses: oliverbaehler/github-actions/helm-oci-chart@8dfd42735c85f6c58d5d4d6f3232cd0e39d1fe73 # v0.1.0 + with: + registry: ghcr.io + repository: ${{ github.repository_owner }}/charts + name: "capsule" + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + update-dependencies: 'true' # Defaults to false + sign-image: 'true' + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + helm-provenance: + needs: publish-helm-oci + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. 
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 + with: + image: ghcr.io/${{ github.repository_owner }}/charts/capsule + digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml new file mode 100644 index 000000000..a7a61b63d --- /dev/null +++ b/.github/workflows/helm-test.yml 
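Review bot: The `publish-helm` job cannot push: the workflow sets `permissions: read-all` and the job declares no override, so `secrets.GITHUB_TOKEN` carries `contents: read` only, and even with `contents: write` the default token is scoped to this repository while `stefanprodan/helm-gh-pages` is told to push to `${{ github.repository_owner }}/charts` — the removed `helm.yml` used a separate `BOT_GITHUB_TOKEN` for exactly this reason. Either restore a cross-repository token (fine-grained PAT or GitHub App token) for that step, or point `repository:` at this repository and grant the job `contents: write`. The guard `if: github.repository_owner == 'capsuleproject'` spells the owner differently from `projectcapsule`, which the Makefile and `.goreleaser.yml` in this same diff use, so the job would presumably never run on the real repository either. `linting: off` is an unquoted YAML 1.1 boolean and may reach the action as `false` rather than the string it compares against; write `linting: 'off'`.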
@@ -0,0 +1,69 @@ +name: Test charts +permissions: {} + +on: + pull_request: + branches: [ "main" ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + lint: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + with: + fetch-depth: 0 + - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 + - name: Linting Chart + run: helm lint ./charts/capsule + - name: Setup Chart Linting + id: lint + uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0 + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --config ./.github/configs/ct.yaml) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + - name: Run chart-testing (lint) + run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml + - name: Run docs-testing (helm-docs) + id: helm-docs + run: | + make helm-docs + if [[ $(git diff --stat) != '' ]]; then + echo -e '\033[0;31mDocumentation outdated! 
(Run make helm-docs locally and commit)\033[0m ❌' + git diff --color + exit 1 + else + echo -e '\033[0;32mDocumentation up to date\033[0m ✔' + fi + + # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs + # With this workflow the current docker image is build and loaded into kind, otherwise the install fails + # In the future this must be removed and the chart-testing-action must be used + - name: Run chart-testing (install) + run: make helm-test + if: steps.list-changed.outputs.changed == 'true' + + ## Create KIND Cluster + - name: Create kind cluster + uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 + if: steps.list-changed.outputs.changed == 'true' + # Install Required Operators/CRDs + - name: Prepare Cluster Operators/CRDs + run: | + # Cert-Manager CRDs + kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml + + # Prometheus CRDs + kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml + if: steps.list-changed.outputs.changed == 'true' + # Install Charts + - name: Run chart-testing (install) + run: ct install --debug --config ./.github/configs/ct.yaml + if: steps.list-changed.outputs.changed == 'true' diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml deleted file mode 100644 index 539dd1a44..000000000 --- a/.github/workflows/helm.yml +++ /dev/null 
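Review bot: The `list-changed` step in `helm-test.yml` still uses the deprecated `::set-output` workflow command, which GitHub warns on and has announced it will remove; once it stops working `steps.list-changed.outputs.changed` stays empty and every `if: steps.list-changed.outputs.changed == 'true'` install step silently skips. Replace it with `echo "changed=true" >> "$GITHUB_OUTPUT"`, as this diff's own `.github/actions/exists` action already does. Two steps share the name `Run chart-testing (install)` (`make helm-test` and `ct install`), which makes the job log ambiguous; the `ATTENTION` comment already explains the first is a workaround, so give it a distinct name such as `Run chart-testing (install via make helm-test)`. The `Prepare Cluster Operators/CRDs` step applies manifests fetched over HTTPS from GitHub releases at run time — version-pinned but not content-pinned — which is acceptable for a throwaway kind cluster but deserves a comment saying so.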
@@ -1,86 +0,0 @@ -name: Helm Chart - -on: - push: - branches: [ "*" ] - tags: [ "helm-v*" ] - pull_request: - branches: [ "*" ] - -jobs: - lint: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - uses: azure/setup-helm@v1 - with: - version: 3.3.4 - - name: Linting Chart - run: helm lint ./charts/capsule - - name: Setup Chart Linting - id: lint - uses: helm/chart-testing-action@v2.3.0 - - name: Run chart-testing (list-changed) - id: list-changed - run: | - changed=$(ct list-changed --config ./.github/configs/ct.yaml) - if [[ -n "$changed" ]]; then - echo "::set-output name=changed::true" - fi - - name: Run chart-testing (lint) - run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml - - name: Run docs-testing (helm-docs) - id: helm-docs - run: | - make helm-docs - if [[ $(git diff --stat) != '' ]]; then - echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌' - git diff --color - exit 1 - else - echo -e '\033[0;32mDocumentation up to date\033[0m ✔' - fi - - # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs - # With this workflow the current docker image is build and loaded into kind, otherwise the install fails - # In the future this must be removed and the chart-testing-action must be used - - name: Run chart-testing (install) - run: make helm-test - if: steps.list-changed.outputs.changed == 'true' - - ## Create KIND Cluster - #- name: Create kind cluster - # uses: helm/kind-action@v1.2.0 - # if: steps.list-changed.outputs.changed == 'true' - ## Install Required Operators/CRDs - #- name: Prepare Cluster Operators/CRDs - # run: | - # # Cert-Manager CRDs - # kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml - # - # # Prometheus CRDs - # kubectl create -f 
https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml - # if: steps.list-changed.outputs.changed == 'true' - ## Install Charts - #- name: Run chart-testing (install) - # run: ct install --debug --config ./.github/configs/ct.yaml - # if: steps.list-changed.outputs.changed == 'true' - release: - if: startsWith(github.ref, 'refs/tags/helm-v') - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - - name: Publish Helm chart - uses: stefanprodan/helm-gh-pages@master - with: - token: ${{ secrets.BOT_GITHUB_TOKEN }} - charts_dir: charts - charts_url: https://clastix.github.io/charts - owner: clastix - repository: charts - branch: gh-pages - target_dir: . - commit_username: prometherion - commit_email: dario@tranchitella.eu diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 000000000..ae0f11b89 --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,25 @@ +name: Linting +permissions: {} + +on: + push: + branches: [ "*" ] + pull_request: + branches: [ "*" ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + golangci: + name: lint + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Run golangci-lint + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 + with: + version: v1.51.2 + only-new-issues: false + args: --timeout 5m --config .golangci.yml diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml new file mode 100644 index 000000000..e7a7b2cdf --- /dev/null +++ b/.github/workflows/releaser.yml 
@@ -0,0 +1,36 @@ +name: Go Release + +permissions: {} +on: + push: + tags: + - 'v*' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + create-release: + runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + steps: + - name: Checkout + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0 + - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 + - name: Install Cosign + uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 + with: + version: latest + args: release --clean --timeout 90m --debug + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 000000000..df7953b04 --- /dev/null +++ b/.github/workflows/scorecard.yml 
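Review bot: The `anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1` pin in `releaser.yml` is the only `uses:` line in this diff without a trailing `# vX.Y.Z` comment; add it so reviewers can tell which release the SHA corresponds to and so the version stays visible when Dependabot (enabled for `github-actions` in `.github/dependabot.yml` here) bumps the pin. The job has no `setup-go` step, so GoReleaser builds with whatever toolchain the `ubuntu-latest` image ships, which can drift from `go.mod`; consider `actions/setup-go` with `go-version-file: go.mod` before `Run GoReleaser`.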
@@ -0,0 +1,42 @@ +name: Scorecards supply-chain security +permissions: {} + +on: + schedule: + - cron: '0 0 * * 5' + push: + branches: + - main + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + analysis: + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + steps: + - name: Checkout + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + with: + persist-credentials: false + - name: Run analysis + uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 + with: + results_file: results.sarif + results_format: sarif + repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + publish_results: true + - name: Upload artifact + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/.gitignore b/.gitignore index be2d64823..59d273ea6 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ *.so *.dylib bin +dist/ # Test binary, build with `go test -c` *.test diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 000000000..c945625ca --- /dev/null +++ b/.goreleaser.yml 
@@ -0,0 +1,83 @@ +project_name: capsule +env: + - COSIGN_EXPERIMENTAL=true + - GO111MODULE=on +before: + hooks: + - go mod download +gomod: + proxy: false +builds: + - main: . + binary: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}" + env: + - CGO_ENABLED=0 + goarch: + - amd64 + - arm64 + goos: + - linux + flags: + - -trimpath + mod_timestamp: '{{ .CommitTimestamp }}' + ldflags: + - >- + -X main.Version={{ .Tag }} + -X main.GitCommit={{ .Commit }} + -X main.GitTag={{ .Tag }} + -X main.GitTreeState={{ .Date }} + -X main.BuildDate={{ .Date }} + -X main.GitRepo={{ .ProjectName }} +release: + prerelease: auto + footer: | + Thanks to all the contributors! + + **Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }} + + **Docker Images** + - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Tag }}` + - `ghcr.io/projectcapsule/{{ .ProjectName }}:latest` +checksum: + name_template: 'checksums.txt' +changelog: + sort: asc + use: github + filters: + exclude: + - '^test:' + - '^chore' + - '^rebase:' + - 'merge conflict' + - Merge pull request + - Merge remote-tracking branch + - Merge branch + groups: + # https://github.com/conventional-changelog/commitlint/tree/master/%40commitlint/config-conventional + - title: '🛠 Dependency updates' + regexp: '^.*?(feat|fix)\(deps\)!?:.+$' + order: 300 + - title: '✨ New Features' + regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$' + order: 100 + - title: '🐛 Bug fixes' + regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$' + order: 200 + - title: '📖 Documentation updates' + regexp: ^.*?docs(\([[:word:]]+\))??!?:.+$ + order: 400 + - title: '🚀 Build process updates' + regexp: ^.*?(build|ci)(\([[:word:]]+\))??!?:.+$ + order: 400 + - title: '📦 Other work' + order: 9999 +sboms: + - artifacts: archive +signs: +- cmd: cosign + args: + - "sign-blob" + - "--output-signature=${signature}" + - "${artifact}" + - "--yes" + artifacts: all \ No newline at end of file 
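Review bot: The cosign `signs` block emits only `${signature}`; with keyless signing (no key is configured, and `releaser.yml` grants `id-token: write`) the Fulcio certificate is needed to verify each blob, so add `certificate: '${artifact}.pem'` to the entry and `- "--output-certificate=${certificate}"` to `args`, otherwise consumers cannot run `cosign verify-blob` against the published checksums and archives without a Rekor lookup. Two `ldflags` bake misleading build metadata into the binary: `-X main.GitTreeState={{ .Date }}` stores a timestamp where the Makefile's `GIT_MODIFIED` (`.dev`/`.dirty`) logic stores a tree state, and `-X main.GitRepo={{ .ProjectName }}` records `capsule` where the Makefile's `GIT_REPO` records the remote URL; GoReleaser exposes `{{ .IsGitDirty }}` and `{{ .GitURL }}` for these, if the version in use supports them. `COSIGN_EXPERIMENTAL=true` in `env` is a cosign v1 switch; `sigstore/cosign-installer` v3.1.2 used in `releaser.yml` defaults to cosign v2, where keyless is standard, so the variable is presumably dead. The `signs:` sequence is flush-left while every other sequence in the file is indented; align it.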
diff --git a/.ko.yaml b/.ko.yaml new file mode 100644 index 000000000..9f61007b4 --- /dev/null +++ b/.ko.yaml @@ -0,0 +1,8 @@ +defaultPlatforms: +- linux/arm64 +- linux/amd64 +builds: +- id: capsule + main: ./ + ldflags: + - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..03bf8c905 --- /dev/null +++ b/CONTRIBUTING.md 
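Review bot: `.ko.yaml` sets no `defaultBaseImage`, so ko falls back to its built-in default base image resolved by tag at build time; that makes the `capsule` image non-reproducible and pulls an unpinned layer into a release that `docker-publish.yml` then signs and attests. Pin it explicitly, e.g. `defaultBaseImage: <registry>/<static-base>@sha256:<digest>` (placeholder), and bump the digest deliberately. The `ldflags` template only injects `LD_FLAGS` when that environment variable is present; a comment naming the Makefile target that exports it (presumably one of the `ko-*` targets) would make the build entry self-explanatory.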
@@ -0,0 +1,58 @@ +# Contributing + +All contributions are welcome! If you find a bug or have a feature request, please open an issue or submit a pull request. + + +## Guidelines + + +## Pull Requests + + +## Commits + +Commit messages should indicate the change and it's impact. The general format for commit messages is the following: + + feat(ui): Add `Button` component + ^ ^ ^ + | | |__ Subject + | |_______ Scope + |____________ Type + + The commits are checked on pull-request. If the commit message does not follow the format, the workflow will fail. See the [Types](#types) and [Scopes](#scopes) sections for more information. + +## Types + +The following types are allowed for commits and pull requests: + + * `ci` or `build`: changes to buillding process/workflows + * `docs`: changes to documentation + * `feat`: new features + * `fix`: bug fixes + +## Scopes + +The following types are allowed for commits and pull requests: + + * `all`: changes that affect all components + * `chart`: changes to the Helm chart + * `operator`: changes to the operator + * `docs`: changes to the documentation + * `website`: changes to the website + * `ci`: changes to the CI/CD workflows + * `build`: changes to the build process + * `test`: changes to the testing process + * `release`: changes to the release process + * `deps`: dependency updates + +### Sign-Off + +Developer Certificate of Origin (DCO) Sign off +For contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project, we are requiring everyone to acknowledge this by signing their work which indicates you agree to the DCO found here. + +To sign your work, just add a line like this at the end of your commit message: + +Signed-off-by: Random J Developer +This can easily be done with the -s command line option to append this automatically to your commit message. + +git commit -s -m 'This is my commit message' 
diff --git a/Makefile b/Makefile index 5a59045ff..9745dd388 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,23 @@ -# Current Operator version -VERSION ?= $$(git describe --abbrev=0 --tags --match "v*") +# Version +VERSION ?= $(shell git describe --abbrev=0 --tags --match "v*") +ifndef VERSION +VERSION = $(GIT_HEAD_COMMIT) +endif + +# Defaults +REGISTRY ?= ghcr.io +REPOSITORY ?= projectcapsule/capsule +GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD) +GIT_TAG_COMMIT ?= $(shell git rev-parse --short $(VERSION)) +GIT_MODIFIED_1 ?= $(shell git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev") +GIT_MODIFIED_2 ?= $(shell git diff --quiet && echo "" || echo ".dirty") +GIT_MODIFIED ?= $(shell echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)") +GIT_REPO ?= $(shell git config --get remote.origin.url) +BUILD_DATE ?= $(shell git log -1 --format="%at" | xargs -I{} sh -c 'if [ "$(shell uname)" = "Darwin" ]; then date -r {} +%Y-%m-%dT%H:%M:%S; else date -d @{} +%Y-%m-%dT%H:%M:%S; fi') +IMG_BASE ?= $(REPOSITORY) +IMG ?= $(IMG_BASE):$(VERSION) +CAPSULE_IMG ?= $(REGISTRY)/$(IMG_BASE) -# Default bundle image tag -BUNDLE_IMG ?= clastix/capsule:$(VERSION)-bundle # Options for 'bundle-build' ifneq ($(origin CHANNELS), undefined) BUNDLE_CHANNELS := --channels=$(CHANNELS) @@ -12,9 +27,6 @@ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL) endif BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) -# Image URL to use all building/pushing image targets -IMG ?= clastix/capsule:$(VERSION) - # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) GOBIN=$(shell go env GOPATH)/bin 
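Review bot: `ifndef VERSION` never fires: GNU make's `ifdef`/`ifndef` inspect the variable's unexpanded text, and after `VERSION ?= $(shell git describe ...)` that text is the non-empty `$(shell ...)` call even when the command prints nothing (a checkout without `v*` tags, or a shallow CI clone), so the `GIT_HEAD_COMMIT` fallback is dead and `IMG` expands to `projectcapsule/capsule:` with an empty tag. Test the expanded value instead: `ifeq ($(strip $(VERSION)),)`. Referencing `GIT_HEAD_COMMIT` before its own definition works because `=`/`?=` variables expand late, but a short comment saying so would spare the next reader a double-take.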
@@ -22,20 +34,16 @@ else GOBIN=$(shell go env GOBIN) endif -# Get information about git current status -GIT_HEAD_COMMIT ?= $$(git rev-parse --short HEAD) -GIT_TAG_COMMIT ?= $$(git rev-parse --short $(VERSION)) -GIT_MODIFIED_1 ?= $$(git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev") -GIT_MODIFIED_2 ?= $$(git diff --quiet && echo "" || echo ".dirty") -GIT_MODIFIED ?= $$(echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)") -GIT_REPO ?= $$(git config --get remote.origin.url) -BUILD_DATE ?= $$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S) - all: manager # Run tests -test: generate manifests - go test ./... -coverprofile cover.out +.PHONY: test +test: test-clean generate manifests test-clean + @GO111MODULE=on go test -v ./... -coverprofile coverage.out + +.PHONY: test-clean +test-clean: ## Clean tests cache + @go clean -testcache # Build manager binary manager: generate golint @@ -47,7 +55,7 @@ run: generate manifests # Creates the single file to install Capsule without any external dependency installer: manifests kustomize - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG} $(KUSTOMIZE) build config/default > config/install.yaml # Install CRDs into a cluster 
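Review bot: `test: test-clean generate manifests test-clean` lists `test-clean` twice, which does not run it twice — make de-duplicates prerequisites — so the test cache is only cleaned before the run, not after as the ordering suggests. If a post-run clean is intended, add it as a second recipe line (`@go clean -testcache`) or drop the duplicate. The recipe also renames the coverage output from `cover.out` to `coverage.out`; make sure the new name is covered by `.gitignore` and by any CI upload step, neither of which is visible here.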
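Review bot: `installer` now sets `controller=${CAPSULE_IMG}`, and `CAPSULE_IMG` is `$(REGISTRY)/$(IMG_BASE)` with no tag, so the generated `config/install.yaml` (its hunk below now reads `image: ghcr.io/projectcapsule/capsule`) and `config/manager/kustomization.yaml` (which lost `newTag`) reference the floating `latest` tag; together with `imagePullPolicy: IfNotPresent` this makes the single-file installer non-reproducible and dependent on what each node already has cached. Pass the version through, `cd config/manager && $(KUSTOMIZE) edit set image controller=$(CAPSULE_IMG):$(VERSION)`, and regenerate the installer so it pins the release tag.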
@@ -86,12 +94,13 @@ helm-docs: HELMDOCS_VERSION := v1.11.0 helm-docs: docker @docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs -helm-lint: ct - @ct lint --config $(SRC_ROOT)/.github/configs/ct.yaml --lint-conf $(SRC_ROOT)/.github/configs/lintconf.yaml --all --debug +helm-lint: CT_VERSION := v3.3.1 +helm-lint: docker + @docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug" -helm-test: kind ct docker-build +helm-test: kind ct ko-build-all @kind create cluster --wait=60s --name capsule-charts - @kind load docker-image --name capsule-charts ${IMG} + @kind load docker-image --name capsule-charts $(LOCAL_CAPSULE_IMG) @kubectl create ns capsule-system @ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug @kind delete cluster --name capsule-charts 
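Review bot: `helm-lint: CT_VERSION := v3.3.1` runs chart-testing from a mutable image tag while the `ct` tool target added later in this diff installs `v3.7.1`, and `helm-test` still uses that local `ct` binary, so lint and install now run different chart-testing versions. Align them on one `CT_VERSION`, and since CI now pulls `quay.io/helmpack/chart-testing`, consider pinning the image by digest (`quay.io/helmpack/chart-testing:$(CT_VERSION)@sha256:<digest>`, placeholder) the way the workflow actions in this diff are pinned by commit. In `helm-test`, `kind load docker-image ... $(LOCAL_CAPSULE_IMG)` carries no tag and so loads `:latest`, whereas `e2e-load-image` loads `:$(VERSION)`; whether `ct install` actually uses the loaded image depends on the ct config, which is not visible here.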
@@ -166,42 +175,97 @@ dev-setup: ]"; -# Build the docker image -docker-build: test - docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \ - --build-arg GIT_TAG_COMMIT=$(GIT_TAG_COMMIT) \ - --build-arg GIT_MODIFIED=$(GIT_MODIFIED) \ - --build-arg GIT_REPO=$(GIT_REPO) \ - --build-arg GIT_LAST_TAG=$(VERSION) \ - --build-arg BUILD_DATE=$(BUILD_DATE) +#################### +# -- Docker +#################### + +KOCACHE ?= /tmp/ko-cache +KO_REGISTRY := ko.local +KO_TAGS ?= "latest,$(VERSION)" +LD_FLAGS := "-X main.Version=$(VERSION) \ + -X main.GitCommit=$(GIT_HEAD_COMMIT) \ + -X main.GitTag=$(VERSION) \ + -X main.GitTreeState=$(GIT_MODIFIED) \ + -X main.BuildDate=$(BUILD_DATE) \ + -X main.GitRepo=$(GIT_REPO)" + +# Docker Image Build +# ------------------ + +.PHONY: ko-build-capsule +LOCAL_CAPSULE_IMG_BASE := github.com/$(REPOSITORY) +LOCAL_CAPSULE_IMG := $(KO_REGISTRY)/$(LOCAL_CAPSULE_IMG_BASE) +ko-build-capsule: ko + @echo Building Capsule $(KO_TAGS) >&2 + @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \ + $(KO) build ./ --preserve-import-paths --tags=$(KO_TAGS) --push=false + +.PHONY: ko-build-all +ko-build-all: ko-build-capsule + +# Docker Image Publish +# ------------------ -# Push the docker image -docker-push: - docker push ${IMG} +REGISTRY_PASSWORD ?= dummy +REGISTRY_USERNAME ?= dummy -CONTROLLER_GEN = $(shell pwd)/bin/controller-gen +.PHONY: ko-login +ko-login: ko + @$(KO) login $(REGISTRY) --username $(REGISTRY_USERNAME) --password $(REGISTRY_PASSWORD) + +.PHONY: ko-publish-capsule +ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko) + @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \ + $(KO) build ./ --bare --tags=$(KO_TAGS) + +.PHONY: ko-publish-all +ko-publish-all: ko-publish-capsule + +#################### +# -- Binaries +#################### + +CONTROLLER_GEN := $(shell pwd)/bin/controller-gen +CONTROLLER_GEN_VERSION := v0.10.0 controller-gen: ## Download 
controller-gen locally if necessary. - $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0) + $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION)) -APIDOCS_GEN = $(shell pwd)/bin/crdoc +APIDOCS_GEN := $(shell pwd)/bin/crdoc +APIDOCS_GEN_VERSION := latest apidocs-gen: ## Download crdoc locally if necessary. - $(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@latest) + $(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION)) -GINKGO = $(shell pwd)/bin/ginkgo +GINKGO := $(shell pwd)/bin/ginkgo +GINGKO_VERSION := v2.9.5 ginkgo: ## Download ginkgo locally if necessary. - $(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@v2.9.5) + $(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION)) -CT = $(shell pwd)/bin/ct +CT := $(shell pwd)/bin/ct +CT_VERSION := v3.7.1 ct: ## Download ct locally if necessary. - $(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@v3.7.1) + $(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION)) -KIND = $(shell pwd)/bin/kind +KIND := $(shell pwd)/bin/kind +KIND_VERSION := v0.17.0 kind: ## Download kind locally if necessary. - $(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@v0.17.0) + $(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION)) -KUSTOMIZE = $(shell pwd)/bin/kustomize +KUSTOMIZE := $(shell pwd)/bin/kustomize +KUSTOMIZE_VERSION := 3.8.7 kustomize: ## Download kustomize locally if necessary. 
- $(call install-kustomize,$(KUSTOMIZE),3.8.7) + $(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION)) + +KO = $(shell pwd)/bin/ko +KO_VERSION = v0.14.1 +ko: + $(call go-install-tool,$(KO),github.com/google/ko@v0.14.1) + +#################### +# -- Helpers +#################### +pull-upstream: + git remote add upstream https://github.com/capsuleproject/capsule.git + git fetch --all && git pull upstream define install-kustomize @[ -f $(1) ] || { \ @@ -218,7 +282,6 @@ PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) define go-install-tool @[ -f $(1) ] || { \ set -e ;\ -echo "Installing $(2)" ;\ GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\ } endef @@ -229,10 +292,6 @@ bundle: manifests kustomize build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) operator-sdk bundle validate ./bundle -# Build the bundle image. -bundle-build: - docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . - # Sorting imports .PHONY: goimports goimports: @@ -254,8 +313,11 @@ e2e/%: ginkgo e2e-build/%: kind create cluster --wait=60s --name capsule --image=kindest/node:$* - make docker-build - kind load docker-image --nodes capsule-control-plane --name capsule $(IMG) + make e2e-load-image + make e2e-install + +.PHONY: e2e-install +e2e-install: helm upgrade \ --debug \ --install \ 
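Review bot: `ko-login` passes the registry secret as `--password $(REGISTRY_PASSWORD)`, which exposes it in the process list and in any verbose make or CI log; ko's login mirrors docker's and accepts `--password-stdin`, so prefer `@printf '%s' "$(REGISTRY_PASSWORD)" | $(KO) login $(REGISTRY) --username $(REGISTRY_USERNAME) --password-stdin`. `pull-upstream` adds `https://github.com/capsuleproject/capsule.git`, a different GitHub org from the `projectcapsule/capsule` that `REPOSITORY` uses in this same Makefile — a typo that would send contributors to an unrelated namespace — and `git pull upstream` names no branch. `ko:` hardcodes `github.com/google/ko@v0.14.1` instead of `$(KO_VERSION)`, unlike every other tool target in this hunk, and `KO`/`KO_VERSION` use `=` where their siblings use `:=`. The `## Build and publish kyvernopre image (with ko)` help text on `ko-publish-capsule` is a copy-paste from another project; `## Build and publish the capsule image (with ko)` fits.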
@@ -264,15 +326,23 @@ e2e-build/%: --set 'manager.image.pullPolicy=Never' \ --set 'manager.resources=null'\ --set "manager.image.tag=$(VERSION)" \ + --set 'manager.image.registry=$(KO_REGISTRY)' \ + --set 'manager.image.repository=$(LOCAL_CAPSULE_IMG_BASE)' \ --set 'manager.livenessProbe.failureThreshold=10' \ --set 'manager.readinessProbe.failureThreshold=10' \ --set 'podSecurityContext.seccompProfile=null' \ capsule \ ./charts/capsule +.PHONY: e2e-load-image +e2e-load-image: ko-build-all + kind load docker-image --nodes capsule-control-plane --name capsule $(LOCAL_CAPSULE_IMG):$(VERSION) + +.PHONY: e2e-exec e2e-exec: ginkgo $(GINKGO) -v -tags e2e ./e2e +.PHONY: e2e-destroy e2e-destroy: kind delete cluster --name capsule diff --git a/README.md b/README.md index 7f28e7bf8..012e325bc 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,9 @@ + + +
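Review bot: `--set 'manager.image.repository=$(LOCAL_CAPSULE_IMG_BASE)'` (and the `kind load` in `e2e-load-image`) assume that `ko build --preserve-import-paths` names the image `github.com/projectcapsule/capsule`, i.e. that the module path in go.mod is exactly that; go.mod is not in this diff, and if the module path still carries the old org the chart references an image that was never loaded and, with `pullPolicy=Never`, the pod sits in `ErrImageNeverPull`. Deriving the base from the module removes the drift: `LOCAL_CAPSULE_IMG_BASE := $(shell go list -m)`. A comment on the `--set` lines stating that registry and repository must match what `ko-build-capsule` produces would also help whoever next edits `KO_REGISTRY`.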

diff --git a/charts/capsule/README.md b/charts/capsule/README.md index ac6bd2b0b..23813f9da 100644 --- a/charts/capsule/README.md +++ b/charts/capsule/README.md @@ -22,11 +22,15 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator 1. Add this repository: - $ helm repo add clastix https://clastix.github.io/charts + $ helm repo add projectcapsule https://projectcapsule.github.io/charts 2. Install the Chart: - $ helm install capsule clastix/capsule -n capsule-system --create-namespace + $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace + + or + + $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace 3. Show the status: @@ -34,7 +38,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator 4. Upgrade the Chart - $ helm upgrade capsule clastix/capsule -n capsule-system + $ helm upgrade capsule projectcapsule/capsule -n capsule-system + + or + + $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7 5. Uninstall the Chart @@ -68,6 +76,7 @@ Here the values you can override: | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart | | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. | | jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job | +| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job | | jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job | | jobs.image.tag | string | `""` | Set the image tag of the helm chart job | | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks | 
@@ -94,11 +103,12 @@ Here the values you can override: |-----|------|---------|-------------| | manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working | | manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. | -| manager.image.repository | string | `"clastix/capsule"` | Set the image repository of the capsule. | +| manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. | +| manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. | | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. | | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec | -| manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups | +| manager.options.capsuleUserGroups | list | `["capsule.projectcapsule.io"]` | Override the Capsule user groups | | manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash | | manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator | | manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 | 
@@ -196,7 +206,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio You can enable the generation of certificates using `cert-manager` as follows. ``` -helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \ +helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \ --set "certManager.generateCertificates=true" \ --set "tls.create=false" \ --set "tls.enableController=false" diff --git a/charts/capsule/README.md.gotmpl b/charts/capsule/README.md.gotmpl index 273f99899..377491a94 100644 --- a/charts/capsule/README.md.gotmpl +++ b/charts/capsule/README.md.gotmpl @@ -22,11 +22,15 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator 1. Add this repository: - $ helm repo add clastix https://clastix.github.io/charts + $ helm repo add projectcapsule https://projectcapsule.github.io/charts 2. Install the Chart: - $ helm install capsule clastix/capsule -n capsule-system --create-namespace + $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace + + or + + $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace 3. Show the status: @@ -34,7 +38,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator 4. Upgrade the Chart - $ helm upgrade capsule clastix/capsule -n capsule-system + $ helm upgrade capsule projectcapsule/capsule -n capsule-system + + or + + $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7 5. Uninstall the Chart 
@@ -132,7 +140,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio You can enable the generation of certificates using `cert-manager` as follows. ``` -helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \ +helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \ --set "certManager.generateCertificates=true" \ --set "tls.create=false" \ --set "tls.enableController=false" diff --git a/charts/capsule/templates/_helpers.tpl b/charts/capsule/templates/_helpers.tpl index 80d8a2e6e..64680fdcb 100644 --- a/charts/capsule/templates/_helpers.tpl +++ b/charts/capsule/templates/_helpers.tpl @@ -80,7 +80,7 @@ Create the name of the service account to use Create the manager fully-qualified Docker image to use */}} {{- define "capsule.managerFullyQualifiedDockerImage" -}} -{{- printf "%s:%s" .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}} +{{- printf "%s/%s:%s" .Values.manager.image.registry .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}} {{- end }} {{/* @@ -106,9 +106,9 @@ Create the jobs fully-qualified Docker image to use */}} {{- define "capsule.jobsFullyQualifiedDockerImage" -}} {{- if .Values.jobs.image.tag }} -{{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}} +{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}} {{- else }} -{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}} +{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}} {{- end }} {{- end }} diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml index 780876ed5..d20cb20d6 100644 --- a/charts/capsule/templates/deployment.yaml 
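Review bot: `printf "%s/%s:%s" .Values.manager.image.registry .Values.manager.image.repository ...` in `capsule.managerFullyQualifiedDockerImage` (and the two `printf` lines in `capsule.jobsFullyQualifiedDockerImage` in the next hunk) yields an invalid reference such as `/my.registry/capsule:v0.4.6` as soon as `registry` is set to an empty string — which is what existing users who already embed a registry in `repository` (the only option before this change) will do on upgrade, so this is a silent breaking change for them. Only prepend the registry when it is non-empty, e.g. `{{- $repo := .Values.manager.image.repository -}}`, `{{- with .Values.manager.image.registry }}{{ $repo = printf "%s/%s" . $repo }}{{ end -}}`, `{{- printf "%s:%s" $repo ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}`, and the same pattern for the jobs helper. A line in the chart README's upgrade notes about the new `registry` key would round this off.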
+++ b/charts/capsule/templates/deployment.yaml @@ -60,8 +60,6 @@ spec: secretName: {{ include "capsule.secretTlsName" . }} containers: - name: manager - command: - - /manager args: - --webhook-port={{ .Values.manager.webhookPort }} - --enable-leader-election diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml index 29b72e3b5..32456d2c3 100644 --- a/charts/capsule/values.yaml +++ b/charts/capsule/values.yaml @@ -18,8 +18,10 @@ manager: kind: Deployment image: - # -- Set the image repository of the capsule. - repository: clastix/capsule + # -- Set the image registry of capsule. + registry: ghcr.io + # -- Set the image repository of capsule. + repository: projectcapsule/capsule # -- Set the image pull policy. pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. @@ -135,6 +137,8 @@ podSecurityPolicy: jobs: image: + # -- Set the image repository of the helm chart job + registry: docker.io # -- Set the image repository of the helm chart job repository: clastix/kubectl # -- Set the image pull policy of the helm chart job diff --git a/config/install.yaml b/config/install.yaml index dc3feea3c..d753fe848 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -2762,14 +2762,12 @@ spec: - --zap-encoder=console - --zap-log-level=debug - --configuration-name=capsule-default - command: - - /manager env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - image: clastix/capsule:v0.3.3 + image: ghcr.io/projectcapsule/capsule imagePullPolicy: IfNotPresent name: manager ports: diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 5274894d4..150cf7a0f 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -6,5 +6,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: clastix/capsule - newTag: v0.3.3 + newName: ghcr.io/projectcapsule/capsule 
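Review bot: The comment added above `registry: docker.io` under `jobs.image` reads `# -- Set the image repository of the helm chart job`, a copy of the line below it; helm-docs turns these `# --` comments into the README table, and the generated `charts/capsule/README.md` hunk in this diff already describes `jobs.image.registry` as a repository. Use `# -- Set the image registry of the helm chart job` and regenerate the README.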
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index dd3edde40..139dda6aa 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -23,9 +23,7 @@ spec: control-plane: controller-manager spec: containers: - - command: - - /manager - args: + - args: - --enable-leader-election - --zap-encoder=console - --zap-log-level=debug diff --git a/dist/config.yaml b/dist/config.yaml new file mode 100644 index 000000000..de7b732f4 --- /dev/null +++ b/dist/config.yaml 
@@ -0,0 +1,174 @@ +project_name: capsule +env: + - COSIGN_EXPERIMENTAL=true + - GO111MODULE=on +release: + github: + owner: buttahtoast + name: capsule + prerelease: auto + name_template: '{{.Tag}}' + footer: | + Thanks to all the contributors! + + **Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }} + + **Docker Images** + - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Tag }}` + - `ghcr.io/projectcapsule/{{ .ProjectName }}:latest` +scoop: + name: capsule + commit_author: + name: goreleaserbot + email: bot@goreleaser.com + commit_msg_template: Scoop update for {{ .ProjectName }} version {{ .Tag }} + goamd64: v1 +builds: + - id: capsule + goos: + - linux + goarch: + - amd64 + - arm64 + goarm: + - "6" + gomips: + - hardfloat + goamd64: + - v1 + targets: + - linux_amd64_v1 + - linux_arm64 + dir: . + main: . + binary: '{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}' + builder: go + mod_timestamp: '{{ .CommitTimestamp }}' + gobinary: go + command: build + ldflags: + - -X main.Version={{ .Tag }} -X main.GitCommit={{ .Commit }} -X main.GitTag={{ .Tag }} -X main.GitTreeState={{ .Date }} -X main.BuildDate={{ .Date }} -X main.GitRepo={{ .ProjectName }} + flags: + - -trimpath + env: + - CGO_ENABLED=0 +archives: + - id: default + name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . 
}}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}' + format: tar.gz + files: + - src: license* + - src: LICENSE* + - src: readme* + - src: README* + - src: changelog* + - src: CHANGELOG* +snapshot: + name_template: '{{ .Version }}-SNAPSHOT-{{ .ShortCommit }}' +checksum: + name_template: checksums.txt + algorithm: sha256 +changelog: + filters: + exclude: + - '^test:' + - ^chore + - '^rebase:' + - merge conflict + - Merge pull request + - Merge remote-tracking branch + - Merge branch + sort: asc + use: github + groups: + - title: "\U0001F6E0 Dependency updates" + regexp: ^.*?(feat|fix)\(deps\)!?:.+$ + order: 300 + - title: ✨ New Features + regexp: ^.*?feat(\([[:word:]]+\))??!?:.+$ + order: 100 + - title: "\U0001F41B Bug fixes" + regexp: ^.*?fix(\([[:word:]]+\))??!?:.+$ + order: 200 + - title: "\U0001F4D6 Documentation updates" + regexp: ^.*?docs(\([[:word:]]+\))??!?:.+$ + order: 400 + - title: "\U0001F680 Build process updates" + regexp: ^.*?(build|ci)(\([[:word:]]+\))??!?:.+$ + order: 400 + - title: "\U0001F4E6 Other work" + order: 9999 +dist: dist +signs: + - id: default + cmd: cosign + args: + - sign-blob + - --output-signature=${signature} + - ${artifact} + - --yes + signature: ${artifact}.sig + artifacts: all +env_files: + github_token: ~/.config/goreleaser/github_token + gitlab_token: ~/.config/goreleaser/gitlab_token + gitea_token: ~/.config/goreleaser/gitea_token +before: + hooks: + - go mod download +source: + name_template: '{{ .ProjectName }}-{{ .Version }}' + format: tar.gz +gomod: + gobinary: go +announce: + twitter: + message_template: '{{ .ProjectName }} {{ .Tag }} is out! Check it out at {{ .ReleaseURL }}' + reddit: + title_template: '{{ .ProjectName }} {{ .Tag }} is out!' + url_template: '{{ .ReleaseURL }}' + slack: + message_template: '{{ .ProjectName }} {{ .Tag }} is out! Check it out at {{ .ReleaseURL }}' + username: GoReleaser + discord: + message_template: '{{ .ProjectName }} {{ .Tag }} is out! 
Check it out at {{ .ReleaseURL }}' + author: GoReleaser + color: "3888754" + icon_url: https://goreleaser.com/static/avatar.png + teams: + title_template: '{{ .ProjectName }} {{ .Tag }} is out!' + message_template: '{{ .ProjectName }} {{ .Tag }} is out! Check it out at {{ .ReleaseURL }}' + color: '#2D313E' + icon_url: https://goreleaser.com/static/avatar.png + smtp: + subject_template: '{{ .ProjectName }} {{ .Tag }} is out!' + body_template: 'You can view details from: {{ .ReleaseURL }}' + mattermost: + message_template: '{{ .ProjectName }} {{ .Tag }} is out! Check it out at {{ .ReleaseURL }}' + title_template: '{{ .ProjectName }} {{ .Tag }} is out!' + username: GoReleaser + linkedin: + message_template: '{{ .ProjectName }} {{ .Tag }} is out! Check it out at {{ .ReleaseURL }}' + telegram: + message_template: '{{ .ProjectName }} {{ .Tag }} is out! Check it out at {{ .ReleaseURL }}' + webhook: + message_template: '{ "message": "{{ .ProjectName }} {{ .Tag }} is out! Check it out at {{ .ReleaseURL }}"}' + content_type: application/json; charset=utf-8 +sboms: + - id: default + cmd: syft + env: + - SYFT_FILE_METADATA_CATALOGER_ENABLED=true + args: + - $artifact + - --file + - $document + - --output + - spdx-json + documents: + - '{{ .ArtifactName }}.sbom' + artifacts: archive +github_urls: + download: https://github.com +gitlab_urls: + download: https://gitlab.com
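Review bot: `release.github.owner: buttahtoast` in `dist/config.yaml` points releases at a personal account, contradicting the `ghcr.io/projectcapsule/...` URLs in its own footer; the file is the fully resolved config goreleaser writes into its output directory (`dist: dist` appears in the file itself) and carries defaults such as the `env_files` token paths and every `announce` channel, none of which belong in version control. If goreleaser is ever run against it (`--config dist/config.yaml`), artifacts and the GitHub release land in the wrong repository. Drop the file from the commit and add `dist/` to `.gitignore`; the hand-written goreleaser config earlier in this diff is the one to maintain.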