From 37b735042449a5354826412714d0e289f1c50fed Mon Sep 17 00:00:00 2001 From: John Strunk Date: Thu, 9 May 2024 11:11:36 -0400 Subject: [PATCH 1/3] Upgrade operator-sdk to v1.32.0 Signed-off-by: John Strunk --- Makefile | 2 +- config/scorecard/patches/basic.config.yaml | 2 +- config/scorecard/patches/olm.config.yaml | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 3e730a23..ab0c34a7 100644 --- a/Makefile +++ b/Makefile @@ -13,7 +13,7 @@ GOLANGCI_VERSION := v1.58.1 HELM_VERSION := v3.14.4 KUSTOMIZE_VERSION := v5.4.1 KUTTL_VERSION := 0.16.0 -OPERATOR_SDK_VERSION := v1.31.0 +OPERATOR_SDK_VERSION := v1.32.0 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable") diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml index 04b59f3a..472a9882 100644 --- a/config/scorecard/patches/basic.config.yaml +++ b/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.31.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: basic test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml index 8f1c9521..343c6d8d 100644 --- a/config/scorecard/patches/olm.config.yaml +++ b/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.31.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-bundle-validation-test 
@@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.31.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.31.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.31.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.31.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-status-descriptors-test From 2d8b981db310e80d36d2ca4abf52fde32c945abe Mon Sep 17 00:00:00 2001 From: John Strunk Date: Thu, 9 May 2024 11:41:16 -0400 Subject: [PATCH 2/3] Upgrade operator-sdk to v1.33.0 
Signed-off-by: John Strunk --- .dockerignore | 1 - .gitignore | 3 +- Dockerfile | 6 +- Makefile | 37 +++-- PROJECT | 2 +- main.go => cmd/main.go | 4 +- config/crd/kustomization.yaml | 6 +- .../cainjection_in_snapshotschedules.yaml | 2 +- config/default/kustomization.yaml | 134 ++++++++++++++---- config/default/manager_auth_proxy_patch.yaml | 16 --- config/manifests/kustomization.yaml | 2 +- config/rbac/service_account.yaml | 2 +- config/samples/kustomization.yaml | 2 +- config/scorecard/patches/basic.config.yaml | 2 +- config/scorecard/patches/olm.config.yaml | 10 +- hack/boilerplate.go.txt | 32 ----- .../controller}/snapshots_expire.go | 2 +- .../controller}/snapshots_expire_test.go | 2 +- .../snapshotschedule_controller.go | 2 +- .../controller}/snapshotschedule_test.go | 2 +- .../controller}/suite_test.go | 8 +- 21 files changed, 154 insertions(+), 123 deletions(-) rename main.go => cmd/main.go (97%) delete mode 100644 hack/boilerplate.go.txt rename {controllers => internal/controller}/snapshots_expire.go (99%) rename {controllers => internal/controller}/snapshots_expire_test.go (99%) rename {controllers => internal/controller}/snapshotschedule_controller.go (99%) rename {controllers => internal/controller}/snapshotschedule_test.go (99%) rename {controllers => internal/controller}/suite_test.go (94%) diff --git a/.dockerignore b/.dockerignore index b9ea3275..ec2daccb 100644 --- a/.dockerignore +++ b/.dockerignore @@ -2,4 +2,3 @@ # Ignore all files which are not go type /bin /docs -/testbin diff --git a/.gitignore b/.gitignore index 8c511ad5..8c91144f 100644 --- a/.gitignore +++ b/.gitignore @@ -5,7 +5,7 @@ *.dll *.so *.dylib -bin +bin/* # Test binary, build with `go test -c` *.test @@ -19,6 +19,7 @@ bin # editor and IDE paraphernalia .idea +.vscode *.swp *.swo *~ diff --git a/Dockerfile b/Dockerfile index 73e05afc..f3059f26 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -12,13 +12,13 @@ COPY go.sum go.sum RUN go mod download # Copy the go source -COPY main.go main.go +COPY cmd/main.go cmd/main.go COPY api/ api/ -COPY controllers/ controllers/ +COPY internal/controller/ internal/controller/ # Build ARG version="(unknown)" -RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager -ldflags -X=main.snapschedulerVersion=${version} main.go +RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager -ldflags -X=main.snapschedulerVersion=${version} cmd/main.go # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details diff --git a/Makefile b/Makefile index ab0c34a7..da45a434 100644 --- a/Makefile +++ b/Makefile @@ -8,12 +8,12 @@ BUILDDATE := $(shell date -u '+%Y-%m-%dT%H:%M:%S.%NZ') ## Tool versions CONTROLLER_TOOLS_VERSION := v0.15.0 -ENVTEST_K8S_VERSION = 1.26.0 +ENVTEST_K8S_VERSION = 1.27.1 GOLANGCI_VERSION := v1.58.1 HELM_VERSION := v3.14.4 KUSTOMIZE_VERSION := v5.4.1 KUTTL_VERSION := 0.16.0 -OPERATOR_SDK_VERSION := v1.32.0 +OPERATOR_SDK_VERSION := v1.33.0 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable") @@ -66,6 +66,12 @@ else GOBIN=$(shell go env GOBIN) endif +# CONTAINER_TOOL defines the container tool to be used for building images. +# Be aware that the target commands are only tested with Docker which is +# scaffolded by default. However, you might want to replace it to use other +# tools. (i.e. podman) +CONTAINER_TOOL ?= docker + # Setting SHELL to bash allows bash commands to be executed by recipes. # Options are set to exit when a recipe line exits non-zero or a piped command fails. SHELL = /usr/bin/env bash -o pipefail 
@@ -107,7 +113,7 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. - $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." + $(CONTROLLER_GEN) object paths="./..." .PHONY: lint lint: golangci-lint ## lint source code @@ -133,19 +139,19 @@ test-e2e: kuttl ## Run e2e tests. Requires cluster w/ SnapScheduler already runn .PHONY: build build: manifests generate lint ## Build manager binary. - go build -o bin/manager -ldflags -X=main.snapschedulerVersion=$(VERSION) main.go + go build -o bin/manager -ldflags -X=main.snapschedulerVersion=$(VERSION) cmd/main.go .PHONY: run run: manifests generate lint ## Run a controller from your host. - go run -ldflags -X=main.snapschedulerVersion=$(VERSION) ./main.go + go run -ldflags -X=main.snapschedulerVersion=$(VERSION) ./cmd/main.go .PHONY: docker-build docker-build: ## Build docker image with the manager. - docker build --build-arg "version=$(VERSION)" --build-arg "builddate=$(BUILDDATE)" -t ${IMG} . + $(CONTAINER_TOOL) build --build-arg "version=$(VERSION)" --build-arg "builddate=$(BUILDDATE)" -t ${IMG} . .PHONY: docker-push docker-push: ## Push docker image with the manager. - docker push ${IMG} + $(CONTAINER_TOOL) push ${IMG} # PLATFORMS defines the target platforms for the manager image be build to provide support to multiple # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: 
@@ -158,10 +164,10 @@ PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le docker-buildx: test ## Build and push docker image for the manager for cross-platform support # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - - docker buildx create --name project-v3-builder - docker buildx use project-v3-builder - - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . - - docker buildx rm project-v3-builder + - $(CONTAINER_TOOL) buildx create --name project-v3-builder + $(CONTAINER_TOOL) buildx use project-v3-builder + - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . + - $(CONTAINER_TOOL) buildx rm project-v3-builder rm Dockerfile.cross ##@ Deployment 
@@ -172,20 +178,20 @@ endif .PHONY: install install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl apply -f - + $(KUSTOMIZE) build config/crd | $(KUBECTL) apply -f - .PHONY: uninstall uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - + $(KUSTOMIZE) build config/crd | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f - .PHONY: deploy deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - $(KUSTOMIZE) build config/default | kubectl apply -f - + $(KUSTOMIZE) build config/default | $(KUBECTL) apply -f - .PHONY: undeploy undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - + $(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f - ##@ Build Dependencies @@ -197,6 +203,7 @@ $(LOCALBIN): ## Tool Binaries CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest +KUBECTL ?= kubectl KUSTOMIZE ?= $(LOCALBIN)/kustomize GINKGO := $(LOCALBIN)/ginkgo GOLANGCILINT := $(LOCALBIN)/golangci-lint diff --git a/PROJECT b/PROJECT index 6a1d1779..4555da00 100644 --- a/PROJECT +++ b/PROJECT @@ -4,7 +4,7 @@ # More info: https://book.kubebuilder.io/reference/project-config.html domain: backube layout: -- go.kubebuilder.io/v3 +- go.kubebuilder.io/v4 plugins: manifests.sdk.operatorframework.io/v2: {} scorecard.sdk.operatorframework.io/v2: {} 
diff --git a/main.go b/cmd/main.go similarity index 97% rename from main.go rename to cmd/main.go index ceebc7dc..eb318831 100644 --- a/main.go +++ b/cmd/main.go @@ -39,7 +39,7 @@ import ( ctrlMetrics "sigs.k8s.io/controller-runtime/pkg/metrics/server" snapschedulerv1 "github.com/backube/snapscheduler/api/v1" - "github.com/backube/snapscheduler/controllers" + "github.com/backube/snapscheduler/internal/controller" //+kubebuilder:scaffold:imports ) @@ -94,7 +94,7 @@ func main() { os.Exit(1) } - if err = (&controllers.SnapshotScheduleReconciler{ + if err = (&controller.SnapshotScheduleReconciler{ Client: mgr.GetClient(), Scheme: mgr.GetScheme(), }).SetupWithManager(mgr); err != nil { diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index dae882fe..00d4c84e 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -5,15 +5,15 @@ resources: - bases/snapscheduler.backube_snapshotschedules.yaml #+kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_snapshotschedules.yaml +#- path: patches/webhook_in_snapshotschedules.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_snapshotschedules.yaml +#- path: patches/cainjection_in_snapshotschedules.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/config/crd/patches/cainjection_in_snapshotschedules.yaml b/config/crd/patches/cainjection_in_snapshotschedules.yaml index 04d32ad4..72812c61 100644 --- a/config/crd/patches/cainjection_in_snapshotschedules.yaml 
+++ b/config/crd/patches/cainjection_in_snapshotschedules.yaml @@ -3,5 +3,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME name: snapshotschedules.snapscheduler.backube diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 85c80c18..22ebba54 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -9,10 +9,12 @@ namespace: snapscheduler-system namePrefix: snapscheduler- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue -bases: +resources: - ../crd - ../rbac - ../manager 
@@ -39,32 +41,102 @@ patchesStrategicMerge: # 'CERTMANAGER' needs to be enabled to use ca injection #- webhookcainjection_patch.yaml -# the following config is for teaching kustomize how to do var substitution -vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR -# objref: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldref: -# fieldpath: metadata.namespace -#- name: CERTIFICATE_NAME -# objref: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -#- name: SERVICE_NAMESPACE # namespace of the service -# objref: -# kind: Service -# version: v1 -# name: webhook-service -# fieldref: -# fieldpath: metadata.namespace -#- name: SERVICE_NAME -# objref: -# kind: Service -# version: v1 -# name: webhook-service +# Uncomment the following replacements to add the cert-manager CA injection annotations +#replacements: +# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # this name should match the one in certificate.yaml +# fieldPath: .metadata.namespace # namespace of the certificate CR +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - 
source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # this name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - source: # Add cert-manager annotation to the webhook Service +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.name # namespace of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.namespace # namespace of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 1 +# create: true diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 1fae719a..9370035c 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml 
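Review bot: In the commented-out `replacements` block of config/default/kustomization.yaml, the third source selects `fieldPath: .metadata.name` but its trailing comment says `# namespace of the service`. That source copies the Service name into index 0 of `.spec.dnsNames.0` and `.spec.dnsNames.1`; the fourth source is the one that supplies the namespace at index 1. Anyone uncommenting this block to enable cert-manager will rely on these comments to check which DNS names land on the serving certificate, so the line should read `fieldPath: .metadata.name # name of the service`. The wording looks inherited from the upstream scaffold, so the same correction may be worth sending there.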
@@ -8,22 +8,6 @@ metadata: spec: template: spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - # - arm64 - # - ppc64le - # - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - name: kube-rbac-proxy securityContext: diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 83125de2..6b514f5e 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -20,7 +20,7 @@ resources: # # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. # # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. # - op: remove -# path: /spec/template/spec/containers/1/volumeMounts/0 +# path: /spec/template/spec/containers/0/volumeMounts/0 # # Remove the "cert" volume, since OLM will create and mount a set of certs. # # Update the indices in this path if adding or removing volumes in the manager's Deployment. # - op: remove diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 99aa068e..3c27545c 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -3,7 +3,7 @@ kind: ServiceAccount metadata: labels: app.kubernetes.io/name: serviceaccount - app.kubernetes.io/instance: controller-manager + app.kubernetes.io/instance: controller-manager-sa app.kubernetes.io/component: rbac app.kubernetes.io/created-by: snapscheduler app.kubernetes.io/part-of: snapscheduler diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml index efc90da9..69c3c508 100644 --- a/config/samples/kustomization.yaml +++ b/config/samples/kustomization.yaml 
@@ -1,4 +1,4 @@ -## Append samples you want in your CSV to this file as resources ## +## Append samples of your project ## resources: - snapscheduler_v1_snapshotschedule.yaml #+kubebuilder:scaffold:manifestskustomizesamples diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml index 472a9882..a2f15894 100644 --- a/config/scorecard/patches/basic.config.yaml +++ b/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.32.0 + image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: basic test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml index 343c6d8d..9b7ca41b 100644 --- a/config/scorecard/patches/olm.config.yaml +++ b/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.32.0 + image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.32.0 + image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.32.0 + image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.32.0 + image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-spec-descriptors-test 
@@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.32.0 + image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt deleted file mode 100644 index 3faf82e9..00000000 --- a/hack/boilerplate.go.txt +++ /dev/null @@ -1,32 +0,0 @@ -/* -Copyright 2021 The snapscheduler authors. - -This file may be used, at your option, according to either the GNU AGPL 3.0 or -the Apache V2 license. - ---- -This program is free software: you can redistribute it and/or modify it under -the terms of the GNU Affero General Public License as published by the Free -Software Foundation, either version 3 of the License, or (at your option) any -later version. - -This program is distributed in the hope that it will be useful, but WITHOUT ANY -WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A -PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. - -You should have received a copy of the GNU Affero General Public License along -with this program. If not, see . - ---- -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ diff --git a/controllers/snapshots_expire.go b/internal/controller/snapshots_expire.go similarity index 99% rename from controllers/snapshots_expire.go rename to internal/controller/snapshots_expire.go index 0992b6a0..f106c3d8 100644 
--- a/controllers/snapshots_expire.go +++ b/internal/controller/snapshots_expire.go @@ -15,7 +15,7 @@ You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ -package controllers +package controller import ( "context" diff --git a/controllers/snapshots_expire_test.go b/internal/controller/snapshots_expire_test.go similarity index 99% rename from controllers/snapshots_expire_test.go rename to internal/controller/snapshots_expire_test.go index 4840d68a..e48cc42d 100644 --- a/controllers/snapshots_expire_test.go +++ b/internal/controller/snapshots_expire_test.go @@ -16,7 +16,7 @@ along with this program. If not, see . */ // nolint funlen // Long test functions ok -package controllers +package controller import ( "context" diff --git a/controllers/snapshotschedule_controller.go b/internal/controller/snapshotschedule_controller.go similarity index 99% rename from controllers/snapshotschedule_controller.go rename to internal/controller/snapshotschedule_controller.go index 7c4b86b3..8a00dd3b 100644 --- a/controllers/snapshotschedule_controller.go +++ b/internal/controller/snapshotschedule_controller.go @@ -15,7 +15,7 @@ You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ -package controllers +package controller import ( "context" diff --git a/controllers/snapshotschedule_test.go b/internal/controller/snapshotschedule_test.go similarity index 99% rename from controllers/snapshotschedule_test.go rename to internal/controller/snapshotschedule_test.go index ed9d7656..02daab10 100644 --- a/controllers/snapshotschedule_test.go +++ b/internal/controller/snapshotschedule_test.go @@ -16,7 +16,7 @@ along with this program. If not, see . */ // nolint funlen // Long test functions ok -package controllers +package controller import ( "context" 
diff --git a/controllers/suite_test.go b/internal/controller/suite_test.go similarity index 94% rename from controllers/suite_test.go rename to internal/controller/suite_test.go index 1aff1485..04e5f77b 100644 --- a/controllers/suite_test.go +++ b/internal/controller/suite_test.go @@ -15,7 +15,7 @@ You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ -package controllers +package controller import ( "context" @@ -48,7 +48,7 @@ var k8sClient client.Client var testEnv *envtest.Environment var cancel context.CancelFunc -func TestAPIs(t *testing.T) { +func TestControllers(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Controller Suite") @@ -63,8 +63,8 @@ var _ = BeforeSuite(func() { By("bootstrapping test environment") testEnv = &envtest.Environment{ CRDDirectoryPaths: []string{ - filepath.Join("..", "config", "crd", "bases"), - filepath.Join("..", "hack", "crds"), + filepath.Join("..", "..", "config", "crd", "bases"), + filepath.Join("..", "..", "hack", "crds"), }, ErrorIfCRDPathMissing: true, } From 84b78442a8d8d7c78576f09beff6b072510e10bd Mon Sep 17 00:00:00 2001 From: John Strunk Date: Thu, 9 May 2024 13:45:34 -0400 Subject: [PATCH 3/3] Upgrade to operator-sdk v1.34.1 
Signed-off-by: John Strunk --- .gitignore | 6 ++-- .golangci.yml | 4 ++- Dockerfile | 2 +- Makefile | 10 +++--- api/v1/zz_generated.deepcopy.go | 33 ------------------ cmd/main.go | 34 ++++++++++++++++++- ...apscheduler.backube_snapshotschedules.yaml | 4 ++- config/crd/kustomization.yaml | 6 ++-- .../cainjection_in_snapshotschedules.yaml | 7 ---- .../patches/webhook_in_snapshotschedules.yaml | 16 --------- config/default/kustomization.yaml | 8 ++--- config/scorecard/patches/basic.config.yaml | 2 +- config/scorecard/patches/olm.config.yaml | 10 +++--- ...apscheduler.backube_snapshotschedules.yaml | 4 ++- 14 files changed, 66 insertions(+), 80 deletions(-) delete mode 100644 config/crd/patches/cainjection_in_snapshotschedules.yaml delete mode 100644 config/crd/patches/webhook_in_snapshotschedules.yaml diff --git a/.gitignore b/.gitignore index 8c91144f..fdfc1ac3 100644 --- a/.gitignore +++ b/.gitignore @@ -7,14 +7,16 @@ *.dylib bin/* -# Test binary, build with `go test -c` +# Test binary, built with `go test -c` *.test # Output of the go coverage tool, specifically when used with LiteIDE *.out -# Kubernetes Generated files - skip generated files, except for vendored files +# Go workspace file +go.work +# Kubernetes Generated files - skip generated files, except for vendored files !vendor/**/zz_generated.* # editor and IDE paraphernalia diff --git a/.golangci.yml b/.golangci.yml index ae909cb5..dee13f4f 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -2,7 +2,8 @@ # https://golangci-lint.run/usage/configuration/#config-file run: - timeout: 30m + allow-parallel-runners: true + timeout: 10m # skip-files: output: sort-results: true @@ -31,6 +32,7 @@ linters: - makezero - misspell - nakedret + - prealloc - revive - staticcheck - typecheck diff --git a/Dockerfile b/Dockerfile index f3059f26..3610af1e 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.22@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 as builder +FROM golang:1.22@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS builder ARG TARGETOS ARG TARGETARCH diff --git a/Makefile b/Makefile index da45a434..809bd4fb 100644 --- a/Makefile +++ b/Makefile @@ -8,12 +8,12 @@ BUILDDATE := $(shell date -u '+%Y-%m-%dT%H:%M:%S.%NZ') ## Tool versions CONTROLLER_TOOLS_VERSION := v0.15.0 -ENVTEST_K8S_VERSION = 1.27.1 +ENVTEST_K8S_VERSION = 1.28.3 GOLANGCI_VERSION := v1.58.1 HELM_VERSION := v3.14.4 KUSTOMIZE_VERSION := v5.4.1 KUTTL_VERSION := 0.16.0 -OPERATOR_SDK_VERSION := v1.33.0 +OPERATOR_SDK_VERSION := v1.34.1 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable") @@ -84,7 +84,7 @@ all: build # The help target prints out all targets with their descriptions organized # beneath their categories. The categories are represented by '##@' and the -# target descriptions by '##'. The awk commands is responsible for reading the +# target descriptions by '##'. The awk command is responsible for reading the # entire set of makefiles included in this invocation, looking for lines of the # file as xyz: ## something, and then pretty-format the target and help. Then, # if there's a line with ##@ something, that gets pretty-printed as a category. 
@@ -161,7 +161,7 @@ docker-push: ## Push docker image with the manager. # To properly provided solutions that supports more than one platform you should use this option. PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le .PHONY: docker-buildx -docker-buildx: test ## Build and push docker image for the manager for cross-platform support +docker-buildx: ## Build and push docker image for the manager for cross-platform support # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - $(CONTAINER_TOOL) buildx create --name project-v3-builder @@ -254,7 +254,7 @@ bundle-push: ## Push the bundle image. $(MAKE) docker-push IMG=$(BUNDLE_IMG) .PHONY: opm -OPM = ./bin/opm +OPM = $(LOCALBIN)/opm opm: ## Download opm locally if necessary. ifeq (,$(wildcard $(OPM))) ifeq (,$(shell which opm 2>/dev/null)) diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go index b6455f42..008a180d 100644 --- a/api/v1/zz_generated.deepcopy.go +++ b/api/v1/zz_generated.deepcopy.go 
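Review bot: Dropping the `test` prerequisite from `docker-buildx` removes the only gate in this target before `buildx build --push`, so a multi-arch image can now be built and pushed to `${IMG}` from a tree whose tests never ran. If the release pipeline does not run `make test` as a separate required step (not visible in this patch), keep the prerequisite: `docker-buildx: test ## Build and push docker image for the manager for cross-platform support`. If the removal is intentional to follow the scaffold, a short comment above the target stating that tests are enforced in CI would record where the gate now lives.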
@@ -1,38 +1,5 @@ //go:build !ignore_autogenerated -/* -Copyright 2021 The snapscheduler authors. - -This file may be used, at your option, according to either the GNU AGPL 3.0 or -the Apache V2 license. - ---- -This program is free software: you can redistribute it and/or modify it under -the terms of the GNU Affero General Public License as published by the Free -Software Foundation, either version 3 of the License, or (at your option) any -later version. - -This program is distributed in the hope that it will be useful, but WITHOUT ANY -WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A -PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. - -You should have received a copy of the GNU Affero General Public License along -with this program. If not, see . - ---- -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - // Code generated by controller-gen. DO NOT EDIT. package v1 diff --git a/cmd/main.go b/cmd/main.go index eb318831..dbafbe7f 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -18,6 +18,7 @@ along with this program. If not, see . package main import ( + "crypto/tls" "flag" "fmt" "os" @@ -37,6 +38,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" ctrlMetrics "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" snapschedulerv1 "github.com/backube/snapscheduler/api/v1" "github.com/backube/snapscheduler/internal/controller" 
@@ -57,15 +59,22 @@ func init() { //+kubebuilder:scaffold:scheme } +// nolint: funlen func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var secureMetrics bool + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", false, + "If set the metrics endpoint is served securely") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, TimeEncoder: zapcore.RFC3339NanoTimeEncoder, 
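Review bot: The help text for `metrics-secure`, `"If set the metrics endpoint is served securely"`, does not tell an operator what protection the flag actually gives. In the later hunk of this file the value only feeds `SecureServing` in the metrics options, and no authentication or authorization filter is configured there, so it appears to mean TLS on the listener and nothing more. I would spell that out, e.g. `"If set, the metrics endpoint is served over HTTPS. This enables TLS only; access control for /metrics must be provided separately."`. The body of `main` runs past the end of this hunk.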
@@ -79,15 +88,38 @@ func main() { setupLog.Info(fmt.Sprintf("Go Version: %s", runtime.Version())) setupLog.Info(fmt.Sprintf("Go OS/Arch: %s/%s", runtime.GOOS, runtime.GOARCH)) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, Metrics: ctrlMetrics.Options{ - BindAddress: metricsAddr, + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, }, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "cd2d8e9f.backube", LeaderElectionReleaseOnCancel: true, + WebhookServer: webhookServer, }) if err != nil { setupLog.Error(err, "unable to start manager") diff --git a/config/crd/bases/snapscheduler.backube_snapshotschedules.yaml b/config/crd/bases/snapscheduler.backube_snapshotschedules.yaml index 698788d3..349f713d 100644 --- a/config/crd/bases/snapscheduler.backube_snapshotschedules.yaml +++ b/config/crd/bases/snapscheduler.backube_snapshotschedules.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: snapshotschedules.snapscheduler.backube spec: group: snapscheduler.backube 
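Review bot: The `disableHTTP2` closure logs `disabling http/2` from inside the TLS option callback, so the message is written whenever a server applies the option rather than once at startup. The option is reached only through `TLSOpts`, so with the default `metrics-secure=false` it presumably never runs for the metrics listener. The log then gives no indication of whether the mitigation for the referenced advisories is in effect. I would log the decision where `tlsOpts` is built, `setupLog.Info("HTTP/2 disabled for TLS-serving endpoints")` inside the `if !enableHTTP2` branch, and drop the log call from the closure. `main` begins before this hunk and continues after it.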
@@ -85,11 +85,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 00d4c84e..f2b5b6f8 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -16,6 +16,8 @@ patches: #- path: patches/cainjection_in_snapshotschedules.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch +# [WEBHOOK] To enable webhook, uncomment the following section # the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: -- kustomizeconfig.yaml + +#configurations: +#- kustomizeconfig.yaml diff --git a/config/crd/patches/cainjection_in_snapshotschedules.yaml b/config/crd/patches/cainjection_in_snapshotschedules.yaml deleted file mode 100644 index 72812c61..00000000 --- a/config/crd/patches/cainjection_in_snapshotschedules.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME - name: snapshotschedules.snapscheduler.backube diff --git a/config/crd/patches/webhook_in_snapshotschedules.yaml b/config/crd/patches/webhook_in_snapshotschedules.yaml deleted file mode 100644 index e5d90cc3..00000000 --- a/config/crd/patches/webhook_in_snapshotschedules.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: snapshotschedules.snapscheduler.backube -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 22ebba54..f2880e73 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -26,20 +26,20 @@ resources: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: +patches: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml +- path: manager_auth_proxy_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml -#- manager_webhook_patch.yaml +#- path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. # 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml +#- path: webhookcainjection_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. # Uncomment the following replacements to add the cert-manager CA injection annotations diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml index a2f15894..78ad61a4 100644 --- a/config/scorecard/patches/basic.config.yaml +++ b/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: basic test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml index 9b7ca41b..69dda63f 100644 --- a/config/scorecard/patches/olm.config.yaml 
+++ b/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-status-descriptors-test diff --git a/helm/snapscheduler/templates/snapscheduler.backube_snapshotschedules.yaml b/helm/snapscheduler/templates/snapscheduler.backube_snapshotschedules.yaml index c14f5200..45abbe08 100644 --- a/helm/snapscheduler/templates/snapscheduler.backube_snapshotschedules.yaml +++ b/helm/snapscheduler/templates/snapscheduler.backube_snapshotschedules.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: snapshotschedules.snapscheduler.backube spec: group: snapscheduler.backube 
@@ -86,11 +86,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string