diff --git a/.builder-image-version.txt b/.builder-image-version.txt
index afaf360d3..9084fa2f7 100644
--- a/.builder-image-version.txt
+++ b/.builder-image-version.txt
@@ -1 +1 @@
-1.0.0
\ No newline at end of file
+1.1.0
diff --git a/.envrc.sample b/.envrc.sample
index 62be91163..5acf01bcd 100644
--- a/.envrc.sample
+++ b/.envrc.sample
@@ -1,3 +1,4 @@
+export PATH="$(pwd)/hack/tools/bin/:$PATH"
 export KUBECONFIG=$PWD/.mgt-cluster-kubeconfig.yaml
 export K8S_VERSION=1-27
 export GIT_PROVIDER_B64=Z2l0aHVi
diff --git a/.github/workflows/main-promote-builder-image.yml b/.github/workflows/main-promote-builder-image.yml
deleted file mode 100644
index 831d7484a..000000000
--- a/.github/workflows/main-promote-builder-image.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Promote Latest tag to cso Builder Image
-on: # yamllint disable-line rule:truthy
- push:
- branches:
- - main
- paths:
- - "images/builder/Dockerfile"
-jobs:
- promote-build-image:
- name: Promote Latest tag to cso Builder Image
- runs-on: ubuntu-latest
- container:
- image: ghcr.io/sovereigncloudstack/cso-builder:1.0.1
- credentials:
- username: ${{ github.actor }}
- password: ${{ secrets.github_token }}
- steps:
- - name: Checkout repository
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- - name: Fixup git permissions
- # https://github.com/actions/checkout/issues/766
- shell: bash
- run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- - name: Promote Latest tag to cso Builder Image
- env:
- PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- USERNAME: ${{ github.actor }}
- run: make builder-image-promote-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a0cc4c6da..fb2bf1eae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
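Review bot: The new PATH entry puts a repository-controlled, writable directory ahead of every system path for the whole direnv session, so whatever `make get-dependencies` stages into `hack/tools/bin/` shadows the host's `kubectl`, `helm` and the other tools by name; that is evidently the intent, but the sample should say so, e.g. `# Prefer the tool binaries staged by 'make get-dependencies' over host-installed ones`. The line also mixes `$(pwd)` with the `$PWD` used by the very next line; `export PATH="$PWD/hack/tools/bin:$PATH"` keeps the file consistent and drops the stray trailing slash.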
@@ -126,6 +126,12 @@ jobs:
 release:
 name: Create draft release
 runs-on: ubuntu-latest
+ permissions:
+ packages: read
+ contents: write
+ defaults:
+ run:
+ shell: bash
 needs:
 - manager-image
 steps:
diff --git a/.golangci.yaml b/.golangci.yaml
index dc3be253d..eb96277e6 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -104,6 +104,10 @@ linters-settings:
 revive:
 enable-all-rules: true
 rules:
+ - name: import-alias-naming
+ disabled: true
+ - name: redundant-import-alias
+ disabled: true
 - name: dot-imports
 disabled: true # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#add-constant
diff --git a/Makefile b/Makefile
index 85d7f2c10..b8bd4d2e2 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,7 @@ IMAGE_PREFIX ?= ghcr.io/sovereigncloudstack
 STAGING_IMAGE = $(CONTROLLER_SHORT)-staging
 BUILDER_IMAGE = $(IMAGE_PREFIX)/$(CONTROLLER_SHORT)-builder
 BUILDER_IMAGE_VERSION = $(shell cat .builder-image-version.txt)
+HACK_TOOLS_BIN_VERSION = $(shell cat ./hack/tools/bin/version.txt)
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
@@ -80,16 +81,19 @@ MGT_CLUSTER_KUBECONFIG ?= ".mgt-cluster-kubeconfig.yaml"
 # Kubebuilder.
 export KUBEBUILDER_ENVTEST_KUBERNETES_VERSION ?= 1.25.0
+# versions
+CTLPTL_VERSION := 0.8.25
 ##@ Binaries
 ############
 # Binaries #
 ############
+# need in CI for releasing
 CONTROLLER_GEN := $(abspath $(TOOLS_BIN_DIR)/controller-gen)
-controller-gen: $(CONTROLLER_GEN) ## Build a local copy of controller-gen
 $(CONTROLLER_GEN): # Build controller-gen from tools folder.
 go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.12.0
+# need this in CI for releasing
 KUSTOMIZE := $(abspath $(TOOLS_BIN_DIR)/kustomize)
 kustomize: $(KUSTOMIZE) ## Build a local copy of kustomize
 $(KUSTOMIZE): # Build kustomize from tools folder.
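Review bot: The two revive rules disabled here come without a reason, while the `dot-imports` entry directly below links to the rule description that justifies its exception; a one-line comment on each new entry (or one above both) naming which import aliases in the code base trip the rule would let the next reader decide whether the exemption is still needed. The hunk's trailing context line is not visible on this page.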
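Review bot: `HACK_TOOLS_BIN_VERSION = $(shell cat ./hack/tools/bin/version.txt)` uses recursive `=`, so `cat` runs again on every expansion, and before the first `get-dependencies` run the file does not exist, so each expansion prints a 'No such file or directory' message on stderr while the value is empty. `HACK_TOOLS_BIN_VERSION := $(shell cat ./hack/tools/bin/version.txt 2>/dev/null)` evaluates once and stays quiet in the expected missing-file case; the empty value still differs from `BUILDER_IMAGE_VERSION`, so the comparison in `get-dependencies` keeps triggering the copy. The line mirrors the `=` flavour of `BUILDER_IMAGE_VERSION` above it, so this may be deliberate house style, but nothing in the diff re-reads the value after `get-dependencies` rewrites the file, so late binding buys nothing here.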
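Review bot: `# need in CI for releasing` and `# need this in CI for releasing` do not tell the reader what is needed or why these two tools keep their own `go install` rules when `get-dependencies` now copies `controller-gen` and `kustomize` as well; the comment should state the reason, for example `# Kept as go install targets: the release workflow builds without the tool binaries staged by get-dependencies` (the release job's steps are not shown in this diff, so confirm that before wording it). Removing `controller-gen: $(CONTROLLER_GEN) ## Build a local copy of controller-gen` while keeping the parallel `kustomize:` alias also drops controller-gen from the `##` help output; if the alias is gone on purpose, say so, otherwise keep the two entries symmetric.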
@@ -114,24 +118,10 @@ $(SETUP_ENVTEST): # Build setup-envtest from tools folder.
 CTLPTL := $(abspath $(TOOLS_BIN_DIR)/ctlptl)
 ctlptl: $(CTLPTL) ## Build a local copy of ctlptl
 $(CTLPTL):
- go install github.com/tilt-dev/ctlptl/cmd/ctlptl@v0.8.20
-
-CLUSTERCTL := $(abspath $(TOOLS_BIN_DIR)/clusterctl)
-clusterctl: $(CLUSTERCTL) ## Build a local copy of clusterctl
-$(CLUSTERCTL):
- curl -sSLf https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.5.0/clusterctl-$$(go env GOOS)-$$(go env GOARCH) -o $(CLUSTERCTL)
- chmod a+rx $(CLUSTERCTL)
-
-KIND := $(abspath $(TOOLS_BIN_DIR)/kind)
-kind: $(KIND) ## Build a local copy of kind
-$(KIND):
- go install sigs.k8s.io/kind@v0.20.0
+ curl -sSL https://github.com/tilt-dev/ctlptl/releases/download/v$(CTLPTL_VERSION)/ctlptl.$(CTLPTL_VERSION).linux.x86_64.tar.gz | tar xz -C $(TOOLS_BIN_DIR) ctlptl
 KUBECTL := $(abspath $(TOOLS_BIN_DIR)/kubectl)
-kubectl: $(KUBECTL) ## Build a local copy of kubectl
-$(KUBECTL):
- curl -fsSL "https://dl.k8s.io/release/v1.27.3/bin/$$(go env GOOS)/$$(go env GOARCH)/kubectl" -o $(KUBECTL)
- chmod a+rx $(KUBECTL)
+
 HELM := $(abspath $(TOOLS_BIN_DIR)/helm)
 helm: $(HELM) ## Build a local copy of helm
@@ -181,7 +171,7 @@ $(GOTESTSUM):
 go install gotest.tools/gotestsum@v1.10.0
-all-tools: $(KIND) $(KUBECTL) $(CLUSTERCTL) $(CTLPTL) $(SETUP_ENVTEST) $(ENVSUBST) $(KUSTOMIZE) $(CONTROLLER_GEN)
+all-tools: get-dependencies $(CTLPTL) $(SETUP_ENVTEST) $(ENVSUBST) $(KUSTOMIZE) $(CONTROLLER_GEN)
 echo 'done'
 ##@ Development
@@ -197,7 +187,7 @@ delete-bootstrap-cluster: $(CTLPTL) ## Deletes Kind-dev Cluster
 $(CTLPTL) delete registry cso-registry
 .PHONY: cluster
-cluster: $(CTLPTL) $(KUBECTL) ## Creates kind-dev Cluster
+cluster: get-dependencies $(CTLPTL) $(KUBECTL) ## Creates kind-dev Cluster
 @# Fail early. Background: After Tilt started, changing .envrc has no effect for processes
 @# started via Tilt. That's why this should fail early.
 ./hack/kind-dev.sh
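Review bot: The rule for `$(KUBECTL)` is deleted here while `$(KUBECTL)` stays a prerequisite of `cluster` in the hunk at line 187 (and of `create-workload-cluster-docker`, visible in the last Makefile hunk's header), so that prerequisite now resolves only if `get-dependencies` has already copied kubectl into `$(TOOLS_BIN_DIR)`; nothing declares that ordering, and on a fresh checkout, especially under `make -j`, Make may reject the target with 'No rule to make target' before the copy runs. Dropping `$(KUBECTL)` from those prerequisite lists, as this change already does for `tilt-up`, removes the ambiguity. Separately, the new ctlptl recipe loses the `-f` that the old `curl -sSLf` carried and hard-codes `linux.x86_64` where the replaced recipes derived OS and architecture from `go env GOOS`/`GOARCH`; with `curl -fsSL` an HTTP error fails the recipe instead of piping an error page into tar, and comparing the archive against the checksum file shipped with the release (if one is published) before `tar xz` would turn the download from trusted-as-fetched into verified.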
@@ -282,12 +272,6 @@ set-manifest-pull-policy:
 $(info Updating kustomize pull policy file for default resource)
 sed -i'' -e 's@imagePullPolicy: .*@imagePullPolicy: '"$(PULL_POLICY)"'@' $(TARGET_RESOURCE)
-builder-image-promote-latest:
- ./hack/ensure-env-variables.sh USERNAME PASSWORD
- skopeo copy --src-creds=$(USERNAME):$(PASSWORD) --dest-creds=$(USERNAME):$(PASSWORD) \
- docker://$(BUILDER_IMAGE):$(BUILDER_IMAGE_VERSION) \
- docker://$(BUILDER_IMAGE):latest
-
 ##@ Binary
 ##########
 # Binary #
@@ -545,5 +529,31 @@ create-workload-cluster-docker: $(ENVSUBST) $(KUBECTL)
 cat .cluster.yaml | $(ENVSUBST) - | $(KUBECTL) apply -f -
 .PHONY: tilt-up
-tilt-up: env-vars-for-wl-cluster $(ENVSUBST) $(KUBECTL) $(KUSTOMIZE) $(TILT) cluster ## Start a mgt-cluster & Tilt. Installs the CRDs and deploys the controllers
+tilt-up: env-vars-for-wl-cluster get-dependencies $(ENVSUBST) $(TILT) cluster ## Start a mgt-cluster & Tilt. Installs the CRDs and deploys the controllers
 EXP_CLUSTER_RESOURCE_SET=true $(TILT) up --port=10351
+
+BINARIES = clusterctl controller-gen helm kind kubectl kustomize trivy
+get-dependencies:
+ifeq ($(BUILD_IN_CONTAINER),true)
+ docker run --rm -t -i \
+ -v $(shell pwd):/src/cluster-stack-operator \
+ $(BUILDER_IMAGE):$(BUILDER_IMAGE_VERSION) $@;
+else
+ @if [ "$(HACK_TOOLS_BIN_VERSION)" != "$(BUILDER_IMAGE_VERSION)" ]; then \
+ echo "Updating binaries"; \
+ rm -rf hack/tools/bin; \
+ mkdir -p $(TOOLS_BIN_DIR); \
+ cp ./.builder-image-version.txt $(TOOLS_BIN_DIR)/version.txt; \
+ for tool in $(BINARIES); do \
+ if command -v $$tool > /dev/null; then \
+ cp `command -v $$tool` $(TOOLS_BIN_DIR); \
+ echo "copied $$tool to $(TOOLS_BIN_DIR)"; \
+ else \
+ echo "$$tool not found"; \
+ fi; \
+ done; \
+ else \
+ echo "No action required"; \
+ echo "Binaries are up to date"; \
+ fi
+endif
diff --git a/images/builder/Dockerfile b/images/builder/Dockerfile
index c52487149..d92df1e46 100644
--- a/images/builder/Dockerfile
+++ b/images/builder/Dockerfile
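Review bot: In the host branch a tool missing from PATH only prints `$tool not found` and the loop continues, but `version.txt` has already been stamped with the builder image version, so every later run reports 'Binaries are up to date' with the tool still absent and `all-tools` or `cluster` fail later, if at all, at the point of use. Failing immediately, `echo "$$tool not found"; exit 1; \`, and writing the stamp only after the loop has completed keeps the stamp truthful. The stamp also records the builder image version while the binaries copied on the host are whatever `command -v` resolves, so outside `BUILD_IN_CONTAINER=true` it does not guarantee the versions pinned in the image; that deserves a comment on the target, e.g. `# Outside the builder container the host's tools are copied as-is; version.txt only tracks which image was current`. Smaller points: `rm -rf hack/tools/bin` repeats the path `$(TOOLS_BIN_DIR)` already names, `$(shell pwd)` can be `$(CURDIR)`, `docker run -t` fails when no TTY is attached (as in CI), and `get-dependencies` needs a `.PHONY` entry, which this hunk does not show.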
@@ -17,20 +17,48 @@
 # If you make changes to this Dockerfile run `make builder-image-push`.
 # Install Lychee
-FROM docker.io/library/alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as lychee
-# update: datasource=github-tags depName=lycheeverse/lychee versioning=semver
-ENV LYCHEE_VERSION="v0.11.1"
+FROM docker.io/library/alpine:3.19.0@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd as lychee
 # hadolint ignore=DL3018
+# update: datasource=github-tags depName=lycheeverse/lychee versioning=semver
+ENV LYCHEE_VERSION="v0.14.3"
 RUN apk add --no-cache curl && \
 curl -L -o /tmp/lychee-${LYCHEE_VERSION}.tgz https://github.com/lycheeverse/lychee/releases/download/${LYCHEE_VERSION}/lychee-${LYCHEE_VERSION}-x86_64-unknown-linux-gnu.tar.gz && \
 tar -xz -C /tmp -f /tmp/lychee-${LYCHEE_VERSION}.tgz && \
 mv /tmp/lychee /usr/bin/lychee && \
 rm -rf /tmp/linux-amd64 /tmp/lychee-${LYCHEE_VERSION}.tgz
+FROM cgr.dev/chainguard/wolfi-base:latest as wolfi
+
+# renovate: datasource=github-tags depName=kubernetes-sigs/cluster-api
+ARG CLUSTERCTL_VERSION="v1.6.2"
+# renovate: datasource=github-tags depName=helm/helm
+ENV HELM_VERSION="v3.14.1"
+# renovate: datasource=github-tags depName=kubernetes-sigs/kind
+ARG KIND_VERSION="v0.20.0"
+# renovate: datasource=github-tags depName=kubernetes/kubernetes
+ARG KUBECTL_VERSION="v1.27.3"
+# renovate: datasource=github-tags depName=kubernetes-sigs/kustomize extractVersion=^kustomize\/v(?.+)$
+ARG KUSTOMIZE_VERSION="v5.3.0"
+# renovate: datasource=github-tags depName=aquasecurity/trivy
+ARG TRIVY_VERSION="v0.48.3"
+# renovate: datasource=github-tags depName=kubernetes-sigs/controller-tools
+ARG CONTROLLER_GEN_VERSION="v0.14.0"
+
+# hadolint ignore=DL3018
+RUN apk add -U --no-cache \
+ curl \
+ clusterctl=~${CLUSTERCTL_VERSION#v} \
+ controller-gen=~${CONTROLLER_GEN_VERSION#v} \
+ helm=~${HELM_VERSION#v} \
+ kind=~${KIND_VERSION#v} \
+ kubectl=~${KUBECTL_VERSION#v} \
+ kustomize=~${KUSTOMIZE_VERSION#v} \
+ trivy=~${TRIVY_VERSION#v}
+
 # Install Golang CI Lint
-FROM docker.io/library/alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as golangci
+FROM docker.io/library/alpine:3.19.1 as golangci
 # update: datasource=github-tags depName=golangci/golangci-lint versioning=semver
-ENV GOLANGCI_VERSION="v1.52.2"
+ENV GOLANGCI_VERSION="v1.55.2"
 WORKDIR /
 # hadolint ignore=DL3018,DL4006
 RUN apk add --no-cache curl && \
@@ -39,18 +67,13 @@ RUN apk add --no-cache curl && \
 # Install Hadolint
 FROM docker.io/hadolint/hadolint:v2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 as hadolint
-# Install Trivy
-FROM docker.io/aquasec/trivy:0.39.0@sha256:ab281f43ee11b8ea5443ca8897641441f04f14e8832fefd103d32b4acd7055e1 as trivy
-
 ############################
 # CSO Build Image Base #
 ############################
-FROM docker.io/library/golang:1.20.2-bullseye@sha256:2101aa981e68ab1e06e3d4ac35ae75ed122f0380e5331e3ae4ba7e811bf9d256
+FROM docker.io/library/golang:1.21.6-bullseye
-# update: datasource=repology depName=debian_11/skopeo versioning=loose
-ENV SKOPEO_VERSION="1.2.2+dfsg1-1+b6"
 # update: datasource=github-tags depName=adrienverge/yamllint versioning=semver
-ENV YAMLLINT_VERSION="v1.30.0"
+ENV YAMLLINT_VERSION="v1.33.0"
 # update: datasource=github-tags depName=opt-nc/yamlfixer versioning=semver
 ENV YAMLFIXER_VERSION="0.9.15"
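Review bot: `FROM cgr.dev/chainguard/wolfi-base:latest as wolfi` is the stage that supplies clusterctl, controller-gen, helm, kind, kubectl, kustomize and trivy to the final image, yet it is the only base left on a floating tag with no digest, while the lychee stage a few lines above keeps its `@sha256:` pin; the same regression appears in this hunk's `alpine:3.19.1 as golangci` line and in the next hunk's `golang:1.21.6-bullseye`, both of which dropped the digest their predecessors carried. Pin all three to a digest (`wolfi-base:latest@sha256:<digest-placeholder>` plus the updater comment the other stages use) so that rebuilding the same commit yields the same tool binaries and the package index the `apk add -U` line resolves against is fixed. Two smaller points: `HELM_VERSION` is declared with `ENV` while its six siblings use `ARG`, which looks accidental, and the new `# renovate:` comment prefix differs from the `# update:` prefix on the existing version lines — whichever prefix the repository's updater actually matches should be used throughout.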
@@ -59,17 +82,22 @@ RUN apt-get update && \
 apt-get install -qy --no-install-recommends \
 gnupg python3 python3-pip \
 file zip unzip jq gettext \
- skopeo=${SKOPEO_VERSION} \
 libsystemd-dev jq && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
 pip install --no-cache-dir \
 yamllint==${YAMLLINT_VERSION} \
 yamlfixer-opt-nc==${YAMLFIXER_VERSION}
+COPY --from=wolfi /usr/bin/clusterctl /usr/bin/clusterctl
+COPY --from=wolfi /usr/bin/controller-gen /usr/bin/controller-gen
+COPY --from=wolfi /usr/bin/helm /usr/bin/helm
+COPY --from=wolfi /usr/bin/kubectl /usr/bin/kubectl
+COPY --from=wolfi /usr/bin/kind /usr/bin/kind
+COPY --from=wolfi /usr/bin/kustomize /usr/bin/kustomize
+COPY --from=wolfi /usr/bin/trivy /usr/bin/trivy
 COPY --from=lychee /usr/bin/lychee /usr/bin/lychee
 COPY --from=golangci /bin/golangci-lint /usr/local/bin
 COPY --from=hadolint /bin/hadolint /usr/bin/hadolint
-COPY --from=trivy /usr/local/bin/trivy /usr/bin/trivy
 ENV GOCACHE=/go/cache