diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml index 882e6863..eda9c432 100644 --- a/.github/workflows/govulncheck.yaml +++ b/.github/workflows/govulncheck.yaml @@ -17,6 +17,8 @@ jobs: govulncheck: runs-on: ubuntu-latest + if: github.repository_owner == 'cert-manager' + steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Adding `fetch-depth: 0` makes sure tags are also fetched. We need diff --git a/.golangci.yaml b/.golangci.yaml index c2705216..7940a719 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,35 +1,40 @@ -issues: - exclude-rules: - - linters: - - bodyclose - - dupword - - errcheck - - errchkjson - - forbidigo - - gci - - gocritic - - gofmt - - gosec - - gosimple - - govet - - misspell - - musttag - - nilerr - - staticcheck - - noctx - - unconvert - - unparam - - usestdlibvars - - predeclared - text: ".*" +version: "2" linters: - # Explicitly define all enabled linters - disable-all: true + default: none + exclusions: + generated: lax + presets: [comments, common-false-positives, legacy, std-error-handling] + rules: + - linters: + - bodyclose + - dupword + - errcheck + - errchkjson + - forbidigo + - gocritic + - gosec + - govet + - misspell + - musttag + - nilerr + - noctx + - predeclared + - staticcheck + - unconvert + - unparam + - usestdlibvars + text: .* + paths: [third_party$, builtin$, examples$] + warn-unused: true + settings: + staticcheck: + checks: ["all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008"] enable: - asasalint - asciicheck - bidichk - bodyclose + - canonicalheader - contextcheck - copyloopvar - decorder 
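Review bot: The new guard `if: github.repository_owner == 'cert-manager'` skips the govulncheck job in any repository owned by someone else. The gci prefix in `.golangci.yaml` on this page is `github.com/jetstack/preflight`, so this repository may live under a different owner; if it does, the vulnerability scan silently stops running here. Confirm the owner, and if it differs either extend the condition, e.g. `if: github.repository_owner == 'cert-manager' || github.repository_owner == 'jetstack'` (owner name inferred from the import prefix, to be verified), or drop the guard in this copy. The identical guard is added in `make/_shared/go/base/.github/workflows/govulncheck.yaml` further down. The job's `steps:` continue outside the hunk.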
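Review bot: The migrated rule under `linters.exclusions.rules` keeps `text: .*` for gosec, errcheck, bodyclose, noctx, staticcheck and the other listed linters. They still appear under `enable`, but every finding they produce is excluded, so the security-relevant checks report nothing. If this is a temporary baseline carried over from the v1 config, say so next to the rule, e.g. `# TODO: baseline only; remove a linter from this list once its findings are fixed`. Ideally narrow the rule to specific paths or messages so new code is still checked.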
@@ -40,23 +45,22 @@ linters: - errchkjson - errname - exhaustive + - exptostd - forbidigo - - gci - ginkgolinter - gocheckcompilerdirectives - gochecksumtype - gocritic - - gofmt - goheader - goprintffuncname - gosec - - gosimple - gosmopolitan - govet - grouper - importas - ineffassign - interfacebloat + - intrange - loggercheck - makezero - mirror @@ -74,19 +78,23 @@ linters: - sloglint - staticcheck - tagalign - - tenv - testableexamples - - typecheck - unconvert - unparam - unused - usestdlibvars + - usetesting - wastedassign -linters-settings: - gci: - sections: - - standard # Standard section: captures all standard packages. - - default # Default section: contains all imports that could not be matched to another section type. - - prefix(github.com/jetstack/preflight) # Custom section: groups all imports with the specified Prefix. - - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled. - - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled. +formatters: + enable: [gci, gofmt] + settings: + gci: + sections: + - standard # Standard section: captures all standard packages. + - default # Default section: contains all imports that could not be matched to another section type. + - prefix(github.com/jetstack/preflight) # Custom section: groups all imports with the specified Prefix. + - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled. + - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled. + exclusions: + generated: lax + paths: [third_party$, builtin$, examples$] diff --git a/api/cluster_test.go b/api/cluster_test.go index 071fd6fb..30eca441 100644 --- a/api/cluster_test.go +++ b/api/cluster_test.go 
@@ -43,7 +43,7 @@ func TestClusterSummaryUnmarshalJSON(t *testing.T) { FailureCount: 4, SuccessCount: 1, Reports: []*ReportSummary{ - &ReportSummary{ + { ID: "exampleReport1", Package: "examplePackage.ID.1", Cluster: "exampleCluster", @@ -51,7 +51,7 @@ func TestClusterSummaryUnmarshalJSON(t *testing.T) { FailureCount: 2, SuccessCount: 1, }, - &ReportSummary{ + { ID: "exampleReport2", Package: "examplePackage.ID.2", Cluster: "exampleCluster", diff --git a/klone.yaml b/klone.yaml index b75a1e36..f9535290 100644 --- a/klone.yaml +++ b/klone.yaml 
@@ -10,50 +10,50 @@ targets: - folder_name: generate-verify repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/generate-verify - folder_name: go repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/go - folder_name: helm repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/helm - folder_name: help repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/help - folder_name: kind repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/kind - folder_name: klone repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/klone - folder_name: oci-build repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/oci-build - folder_name: oci-publish repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/oci-publish - folder_name: repository-base repo_url: 
https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/repository-base - folder_name: tools repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a + repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc repo_path: modules/tools diff --git a/make/_shared/generate-verify/util/verify.sh b/make/_shared/generate-verify/util/verify.sh index d6ff1637..feb53bfe 100755 --- a/make/_shared/generate-verify/util/verify.sh +++ b/make/_shared/generate-verify/util/verify.sh @@ -53,7 +53,7 @@ trap "cleanup" EXIT SIGINT # 2. rsync on macOS 15.4 and newer is actually openrsync, which has different permissions and throws errors when copying git objects # # So, we use find to list all files except _bin, and then copy each in turn -find . -maxdepth 1 -not \( -path "./_bin" -prune \) | xargs -I% cp -af "${projectdir}/%" "${tmp}/" +find . -maxdepth 1 -not \( -path "./_bin" \) -not \( -path "." \) | xargs -I% cp -af "${projectdir}/%" "${tmp}/" pushd "${tmp}" >/dev/null diff --git a/make/_shared/go/.golangci.override.yaml b/make/_shared/go/.golangci.override.yaml index a40c8deb..f787d6a4 100644 --- a/make/_shared/go/.golangci.override.yaml +++ b/make/_shared/go/.golangci.override.yaml @@ -1,11 +1,20 @@ +version: "2" linters: - # Explicitly define all enabled linters - disable-all: true + default: none + exclusions: + generated: lax + presets: [ comments, common-false-positives, legacy, std-error-handling ] + paths: [ third_party$, builtin$, examples$ ] + warn-unused: true + settings: + staticcheck: + checks: [ "all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008" ] enable: - asasalint - asciicheck - bidichk - bodyclose + - canonicalheader - contextcheck - copyloopvar - decorder 
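Review bot: The rewritten copy line in `verify.sh` still pipes newline-delimited `find` output into `xargs -I%`, which treats quotes and backslashes in names specially. A top-level entry whose name contains such a character would be copied incorrectly or abort the run. NUL-delimited output avoids this: `find . -maxdepth 1 -not \( -path "./_bin" \) -not \( -path "." \) -print0 | xargs -0 -I% cp -af "${projectdir}/%" "${tmp}/"`. The rest of the script lies outside the hunk.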
@@ -16,23 +25,22 @@ linters: - errchkjson - errname - exhaustive + - exptostd - forbidigo - - gci - ginkgolinter - gocheckcompilerdirectives - gochecksumtype - gocritic - - gofmt - goheader - goprintffuncname - gosec - - gosimple - gosmopolitan - govet - grouper - importas - ineffassign - interfacebloat + - intrange - loggercheck - makezero - mirror @@ -50,19 +58,23 @@ linters: - sloglint - staticcheck - tagalign - - tenv - testableexamples - - typecheck - unconvert - unparam - unused - usestdlibvars + - usetesting - wastedassign -linters-settings: - gci: - sections: - - standard # Standard section: captures all standard packages. - - default # Default section: contains all imports that could not be matched to another section type. - - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix. - - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled. - - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled. +formatters: + enable: [ gci, gofmt ] + settings: + gci: + sections: + - standard # Standard section: captures all standard packages. + - default # Default section: contains all imports that could not be matched to another section type. + - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix. + - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled. + - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled. + exclusions: + generated: lax + paths: [ third_party$, builtin$, examples$ ] diff --git a/make/_shared/go/01_mod.mk b/make/_shared/go/01_mod.mk index d01931d2..81681ddd 100644 --- a/make/_shared/go/01_mod.mk +++ b/make/_shared/go/01_mod.mk 
@@ -101,7 +101,12 @@ ifdef golangci_lint_config .PHONY: generate-golangci-lint-config ## Generate a golangci-lint configuration file ## @category [shared] Generate/ Verify -generate-golangci-lint-config: | $(NEEDS_YQ) $(bin_dir)/scratch +generate-golangci-lint-config: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch + if [ "$$($(YQ) eval 'has("version") | not' $(golangci_lint_config))" == "true" ]; then \ + $(GOLANGCI-LINT) migrate -c $(golangci_lint_config); \ + rm $(basename $(golangci_lint_config)).bck$(suffix $(golangci_lint_config)); \ + fi + cp $(golangci_lint_config) $(bin_dir)/scratch/golangci-lint.yaml.tmp $(YQ) -i 'del(.linters.enable)' $(bin_dir)/scratch/golangci-lint.yaml.tmp $(YQ) eval-all -i '. as $$item ireduce ({}; . * $$item)' $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_override) @@ -119,9 +124,9 @@ verify-golangci-lint: | $(NEEDS_GO) $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \ | while read d; do \ target=$$(dirname $${d}); \ - echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout)' in directory '$${target}'"; \ + echo "Running 'GOVERSION=$(VENDORED_GO_VERSION) $(bin_dir)/tools/golangci-lint run -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout)' in directory '$${target}'"; \ pushd "$${target}" >/dev/null; \ - $(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout) || exit; \ + GOVERSION=$(VENDORED_GO_VERSION) $(GOLANGCI-LINT) run -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout) || exit; \ popd >/dev/null; \ echo ""; \ done 
@@ -132,21 +137,12 @@ shared_verify_targets_dirty += verify-golangci-lint ## Fix all Go modules using golangci-lint ## @category [shared] Generate/ Verify fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(NEEDS_GCI) $(bin_dir)/scratch - $(GCI) write \ - --skip-generated \ - --skip-vendor \ - -s "standard" \ - -s "default" \ - -s "prefix($(repo_name))" \ - -s "blank" \ - -s "dot" . - @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \ | while read d; do \ target=$$(dirname $${d}); \ - echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${target}'"; \ + echo "Running 'GOVERSION=$(VENDORED_GO_VERSION) $(bin_dir)/tools/golangci-lint fmt -c $(CURDIR)/$(golangci_lint_config)' in directory '$${target}'"; \ pushd "$${target}" >/dev/null; \ - $(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix || exit; \ + GOVERSION=$(VENDORED_GO_VERSION) $(GOLANGCI-LINT) fmt -c $(CURDIR)/$(golangci_lint_config) || exit; \ popd >/dev/null; \ echo ""; \ done diff --git a/make/_shared/go/base/.github/workflows/govulncheck.yaml b/make/_shared/go/base/.github/workflows/govulncheck.yaml index 882e6863..eda9c432 100644 --- a/make/_shared/go/base/.github/workflows/govulncheck.yaml +++ b/make/_shared/go/base/.github/workflows/govulncheck.yaml @@ -17,6 +17,8 @@ jobs: govulncheck: runs-on: ubuntu-latest + if: github.repository_owner == 'cert-manager' + steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Adding `fetch-depth: 0` makes sure tags are also fetched. We need diff --git a/make/_shared/helm/helm.mk b/make/_shared/helm/helm.mk index 020e43bc..cc02cfa1 100644 --- a/make/_shared/helm/helm.mk +++ b/make/_shared/helm/helm.mk 
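Review bot: The `fix-golangci-lint` recipe now runs only `golangci-lint fmt`, which applies the configured formatters (gci, gofmt) but none of the linter autofixes that the removed `run --fix` call could apply. The target's description `## Fix all Go modules using golangci-lint` therefore overstates what it does. If the narrower behaviour is intended, reword it, e.g. `## Format all Go modules using golangci-lint fmt`. `$(NEEDS_GCI)` also remains an order-only prerequisite although the standalone `$(GCI) write` call is gone, so it can be dropped from the rule line.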
@@ -178,3 +178,16 @@ verify-helm-lint: $(helm_chart_archive) | $(NEEDS_HELM) $(HELM) lint $(helm_chart_archive) shared_verify_targets_dirty += verify-helm-lint + +.PHONY: verify-helm-kubeconform +## Verify that the Helm chart passes a strict check using kubeconform +## @category [shared] Generate/ Verify +verify-helm-kubeconform: $(helm_chart_archive) | $(NEEDS_KUBECONFORM) + @$(HELM) template $(helm_chart_archive) $(INSTALL_OPTIONS) \ + | $(KUBECONFORM) \ + -schema-location default \ + -schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}/{{.ResourceKind}}.json" \ + -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" \ + -strict + +shared_verify_targets_dirty += verify-helm-kubeconform diff --git a/make/_shared/kind/00_kind_image_versions.mk b/make/_shared/kind/00_kind_image_versions.mk index a91230a2..987a4aa2 100755 --- a/make/_shared/kind/00_kind_image_versions.mk +++ b/make/_shared/kind/00_kind_image_versions.mk 
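Review bot: The two remote `-schema-location` URLs in `verify-helm-kubeconform` follow mutable branches (`.../kubernetes-json-schema/master/...` and `.../CRDs-catalog/main/...`). The verification result therefore depends on whatever those repositories serve at run time, unlike the SHA- and digest-pinned inputs elsewhere in this change. Pinning each URL to a reviewed commit (`.../kubernetes-json-schema/<commit-sha>/...`, placeholder) keeps the check reproducible and limits the effect of an upstream change. The recipe also pipes `$(HELM) template` into `$(KUBECONFORM)`; unless the Makefile's shell runs with `pipefail` (not visible in this hunk), a failing template step may be masked by kubeconform's exit status.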
@@ -25,6 +25,8 @@ kind_image_kube_1.31_amd64 := docker.io/kindest/node:v1.31.6@sha256:37d52dc19f59 kind_image_kube_1.31_arm64 := docker.io/kindest/node:v1.31.6@sha256:4e6223faa19178922d30e7b62546c5464fdf9bc66a3df64073424a51ab44f2ab kind_image_kube_1.32_amd64 := docker.io/kindest/node:v1.32.2@sha256:a37b679ad8c1cfa7c64aca1734cc4299dc833258d6c131ed0204c8cd2bd56ff7 kind_image_kube_1.32_arm64 := docker.io/kindest/node:v1.32.2@sha256:4d0e1b60f1da0d1349996a9778f8bace905189af5e05e04618eae0a155dd9f9c +kind_image_kube_1.33_amd64 := docker.io/kindest/node:v1.33.0@sha256:c9ec7bf998c310c5a6c903d66c2e595fb3e2eb53fb626cd53d07a3a5499de412 +kind_image_kube_1.33_arm64 := docker.io/kindest/node:v1.33.0@sha256:96ae3b980f87769e0117c2a89ec74fc660b84eedb573432abd2a682af3eccc02 -kind_image_latest_amd64 := $(kind_image_kube_1.32_amd64) -kind_image_latest_arm64 := $(kind_image_kube_1.32_arm64) +kind_image_latest_amd64 := $(kind_image_kube_1.33_amd64) +kind_image_latest_arm64 := $(kind_image_kube_1.33_arm64) diff --git a/make/_shared/kind/00_mod.mk b/make/_shared/kind/00_mod.mk index a4489159..f8b1de02 100644 --- a/make/_shared/kind/00_mod.mk +++ b/make/_shared/kind/00_mod.mk @@ -17,5 +17,17 @@ include $(dir $(lastword $(MAKEFILE_LIST)))/00_kind_image_versions.mk images_amd64 ?= images_arm64 ?= +# K8S_VERSION can be used to specify a specific +# kubernetes version to use with Kind. +K8S_VERSION ?= +ifeq ($(K8S_VERSION),) images_amd64 += $(kind_image_latest_amd64) images_arm64 += $(kind_image_latest_arm64) +else +fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set)) +$(call fatal_if_undefined,kind_image_kube_$(K8S_VERSION)_amd64) +$(call fatal_if_undefined,kind_image_kube_$(K8S_VERSION)_arm64) + +images_amd64 += $(kind_image_kube_$(K8S_VERSION)_amd64) +images_arm64 += $(kind_image_kube_$(K8S_VERSION)_arm64) +endif diff --git a/make/_shared/kind/kind-image-preload.mk b/make/_shared/kind/kind-image-preload.mk index 0435915c..a876bbdb 100644 
--- a/make/_shared/kind/kind-image-preload.mk +++ b/make/_shared/kind/kind-image-preload.mk 
@@ -27,50 +27,43 @@ endif ########################################## images := $(images_$(HOST_ARCH)) -images_files := $(foreach image,$(images),$(subst :,+,$(image))) images_tar_dir := $(bin_dir)/downloaded/containers/$(HOST_ARCH) -images_tars := $(images_files:%=$(images_tar_dir)/%.tar) +images_tars := $(foreach image,$(images),$(images_tar_dir)/$(subst :,+,$(image)).tar) # Download the images as tarballs. After downloading the image using -# its digest, we untar the image and modify the .[0].RepoTags[0] value in +# its digest, we use image-tool to modify the .[0].RepoTags[0] value in # the manifest.json file to have the correct tag (instead of "i-was-a-digest" # which is set when the image is pulled using its digest). This tag is used # to reference the image after it has been imported using docker or kind. Otherwise, # the image would be imported with the tag "i-was-a-digest" which is not very useful. # We would have to use digests to reference the image everywhere which might # not always be possible and does not match the default behavior of eg. our helm charts. -# Untarring and modifying manifest.json is a hack and we hope that crane adds an option -# in the future that allows setting the tag on images that are pulled by digest. # NOTE: the tag is fully determined based on the input, we fully allow the remote # tag to point to a different digest. This prevents CI from breaking due to upstream # changes. However, it also means that we can incorrectly combine digests with tags, # hence caution is advised. 
-$(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_CRANE) $(NEEDS_GOJQ) +$(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_IMAGE-TOOL) $(NEEDS_CRANE) $(NEEDS_GOJQ) @$(eval full_image=$(subst +,:,$*)) @$(eval bare_image=$(word 1,$(subst :, ,$(full_image)))) @$(eval digest=$(word 2,$(subst @, ,$(full_image)))) @$(eval tag=$(word 2,$(subst :, ,$(word 1,$(subst @, ,$(full_image)))))) - @mkdir -p $@.tmp.unpacked - $(CRANE) pull "$(bare_image)@$(digest)" $@.tmp --platform=linux/$(HOST_ARCH) - @tar xf $@.tmp -C $@.tmp.unpacked - @rm -rf $@.tmp - @$(GOJQ) '.[0].RepoTags[0] |= rtrimstr("i-was-a-digest") + "$(tag)"' $@.tmp.unpacked/manifest.json > $@.tmp.unpacked/manifest.json.new - @mv $@.tmp.unpacked/manifest.json.new $@.tmp.unpacked/manifest.json - @find $@.tmp.unpacked \( -type f -o -type d \) -printf "%P\n" | tar -cf $@ --no-recursion -C $@.tmp.unpacked -T - - @rm -rf $@.tmp.unpacked + @mkdir -p $(dir $@) + $(CRANE) pull "$(bare_image)@$(digest)" $@ --platform=linux/$(HOST_ARCH) + $(IMAGE-TOOL) tag-docker-tar $@ "$(bare_image):$(tag)" -images_tar_envs := $(images_files:%=env-%) +# $1 = image +# $2 = image:tag@sha256:digest +define image_variables +$1.TAR := $(images_tar_dir)/$(subst :,+,$2).tar +$1.REPO := $1 +$1.TAG := $(word 2,$(subst :, ,$(word 1,$(subst @, ,$2)))) +$1.FULL := $(word 1,$(subst @, ,$2)) +endef -.PHONY: $(images_tar_envs) -$(images_tar_envs): env-%: $(images_tar_dir)/%.tar | $(NEEDS_GOJQ) - @$(eval image_without_tag=$(shell cut -d+ -f1 <<<"$*")) - @$(eval $(image_without_tag).TAR="$(images_tar_dir)/$*.tar") - @$(eval $(image_without_tag).REPO=$(shell tar xfO "$(images_tar_dir)/$*.tar" manifest.json | $(GOJQ) '.[0].RepoTags[0]' -r | cut -d: -f1)) - @$(eval $(image_without_tag).TAG=$(shell tar xfO "$(images_tar_dir)/$*.tar" manifest.json | $(GOJQ) '.[0].RepoTags[0]' -r | cut -d: -f2)) - @$(eval $(image_without_tag).FULL=$($(image_without_tag).REPO):$($(image_without_tag).TAG)) +$(foreach image,$(images),$(eval $(call image_variables,$(word 1,$(subst :, 
,$(image))),$(image)))) .PHONY: images-preload ## Preload images. ## @category [shared] Kind cluster -images-preload: | $(images_tar_envs) +images-preload: | $(images_tars) diff --git a/make/_shared/oci-build/00_mod.mk b/make/_shared/oci-build/00_mod.mk index 96a7bfb7..5b577648 100644 --- a/make/_shared/oci-build/00_mod.mk +++ b/make/_shared/oci-build/00_mod.mk @@ -16,11 +16,11 @@ oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le # Use distroless as minimal base image to package the manager binary # To get latest SHA run "crane digest quay.io/jetstack/base-static:latest" -base_image_static := quay.io/jetstack/base-static@sha256:713aaf3b2c45b103d37778943f2c384120eabb97b9097eea4b5cbbd32880b86d +base_image_static := quay.io/jetstack/base-static@sha256:16a5a64b918592f5c38fa73721a87f8585a3a501d261087e7b953f8b59279cd0 # Use custom apko-built image as minimal base image to package the manager binary # To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest" -base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:3499c6d3073503bd13e015c27b039e58a790e5623906af1cf42ebbf85a8ff7f6 +base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:fb97fc098aabdfb5b9b01475d3531b688a9c2219f4bbc143816d3e47a267be6d # Utility functions fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set)) 
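Review bot: In the `$(images_tars)` rule, `$(CRANE) pull ... $@` now writes directly to the target, and `$(IMAGE-TOOL) tag-docker-tar $@ ...` then appears to retag that file in place. An interrupted pull or a failed tag step leaves a file at `$@` that make treats as already built on the next run, possibly still tagged `i-was-a-digest`, unless `.DELETE_ON_ERROR` is set elsewhere (not visible here). The removed recipe staged its work under `$@.tmp`; the same can be kept with `$(CRANE) pull "$(bare_image)@$(digest)" $@.tmp --platform=linux/$(HOST_ARCH)`, `$(IMAGE-TOOL) tag-docker-tar $@.tmp "$(bare_image):$(tag)"`, then `mv $@.tmp $@`. `$(NEEDS_GOJQ)` is still listed as a prerequisite although the new recipe no longer calls gojq.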
@@ -128,7 +128,7 @@ ko_config_targets := $(build_names:%=ko-config-%) # - oci_digest_path_$(build_name) = path to the file that will contain the digests # - ko_config_path_$(build_name) = path to the ko config file # - docker_tarball_path_$(build_name) = path that the docker tarball that the docker-tarball-$(build_name) will produce -$(foreach build_name,$(build_names),$(eval oci_layout_path_$(build_name) := $(bin_dir)/scratch/image/oci-layout-$(build_name).$(oci_$(build_name)_image_tag))) +$(foreach build_name,$(build_names),$(eval oci_layout_path_$(build_name) := $(bin_dir)/scratch/image/oci-layout-$(build_name))) $(foreach build_name,$(build_names),$(eval oci_digest_path_$(build_name) := $(CURDIR)/$(oci_layout_path_$(build_name)).digests)) $(foreach build_name,$(build_names),$(eval ko_config_path_$(build_name) := $(CURDIR)/$(oci_layout_path_$(build_name)).ko_config.yaml)) $(foreach build_name,$(build_names),$(eval docker_tarball_path_$(build_name) := $(CURDIR)/$(oci_layout_path_$(build_name)).docker.tar)) diff --git a/make/_shared/oci-build/01_mod.mk b/make/_shared/oci-build/01_mod.mk index 1eaa8037..726ad13c 100644 --- a/make/_shared/oci-build/01_mod.mk +++ b/make/_shared/oci-build/01_mod.mk @@ -12,17 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Utility variables -current_makefile = $(lastword $(MAKEFILE_LIST)) -current_makefile_directory = $(dir $(current_makefile)) - -# Build the image tool -image_tool_dir := $(current_makefile_directory:/=)/image_tool -IMAGE_TOOL := $(CURDIR)/$(bin_dir)/tools/image_tool -NEEDS_IMAGE_TOOL := $(bin_dir)/tools/image_tool -$(NEEDS_IMAGE_TOOL): $(wildcard $(image_tool_dir)/*.go) | $(NEEDS_GO) - cd $(image_tool_dir) && GOWORK=off GOBIN=$(CURDIR)/$(dir $@) $(GO) install . - $(bin_dir)/scratch/image: @mkdir -p $@ 
@@ -52,7 +41,7 @@ $(foreach build_name,$(build_names),$(eval $(call ko_config_target,$(build_name) .PHONY: $(oci_build_targets) ## Build the OCI image. ## @category [shared] Build -$(oci_build_targets): oci-build-%: ko-config-% | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS_YQ) $(NEEDS_IMAGE_TOOL) $(bin_dir)/scratch/image +$(oci_build_targets): oci-build-%: ko-config-% | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS_YQ) $(NEEDS_IMAGE-TOOL) $(bin_dir)/scratch/image rm -rf $(CURDIR)/$(oci_layout_path_$*) GOWORK=off \ KO_DOCKER_REPO=$(oci_$*_image_name_development) \ @@ -70,11 +59,11 @@ $(oci_build_targets): oci-build-%: ko-config-% | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS --push=false \ --bare - $(IMAGE_TOOL) append-layers \ + $(IMAGE-TOOL) append-layers \ $(CURDIR)/$(oci_layout_path_$*) \ $(oci_$*_additional_layers) - $(IMAGE_TOOL) list-digests \ + $(IMAGE-TOOL) list-digests \ $(CURDIR)/$(oci_layout_path_$*) \ > $(oci_digest_path_$*) @@ -92,5 +81,5 @@ endif ## @category [shared] Build .PHONY: $(docker_tarball_targets) $(docker_tarball_targets): oci_platforms := "linux/$(HOST_ARCH)" -$(docker_tarball_targets): docker-tarball-%: oci-build-% | $(NEEDS_GO) $(NEEDS_IMAGE_TOOL) - $(IMAGE_TOOL) convert-to-docker-tar $(CURDIR)/$(oci_layout_path_$*) $(docker_tarball_path_$*) $(oci_$*_image_name_development):$(oci_$*_image_tag) \ No newline at end of file +$(docker_tarball_targets): docker-tarball-%: oci-build-% | $(NEEDS_GO) $(NEEDS_IMAGE-TOOL) + $(IMAGE-TOOL) convert-to-docker-tar $(CURDIR)/$(oci_layout_path_$*) $(docker_tarball_path_$*) $(oci_$*_image_name_development):$(oci_$*_image_tag) diff --git a/make/_shared/oci-build/image_tool/append_layers.go b/make/_shared/oci-build/image_tool/append_layers.go deleted file mode 100644 index 6af65e85..00000000 --- a/make/_shared/oci-build/image_tool/append_layers.go +++ /dev/null 
@@ -1,220 +0,0 @@ -/* -Copyright 2023 The cert-manager Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "archive/tar" - "bytes" - "io" - "io/fs" - "log/slog" - "os" - "path/filepath" - - v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/google/go-containerregistry/pkg/v1/layout" - "github.com/google/go-containerregistry/pkg/v1/match" - "github.com/google/go-containerregistry/pkg/v1/mutate" - "github.com/google/go-containerregistry/pkg/v1/tarball" - "github.com/google/go-containerregistry/pkg/v1/types" - "github.com/spf13/cobra" -) - -var CommandAppendLayers = cobra.Command{ - Use: "append-layers oci-path [path-to-tarball...]", - Short: "Appends a tarball or directory to every image in an OCI index.", - Args: cobra.MinimumNArgs(1), - Run: func(cmd *cobra.Command, args []string) { - oci := args[0] - extra := args[1:] - - if len(extra) == 0 { - return - } - - path, err := layout.FromPath(oci) - must("could not load oci directory", err) - - index, err := path.ImageIndex() - must("could not load oci image index", err) - - layers := []untypedLayer{} - for _, path := range extra { - layers = append(layers, newUntypedLayerFromPath(path)) - } - - index = mutateImage(index, func(img v1.Image) v1.Image { - imgMediaType, err := img.MediaType() - must("could not get image media type", err) - - layerType := types.DockerLayer - if imgMediaType == types.OCIManifestSchema1 { - layerType = types.OCILayer - } - - for _, untypedLayer := range layers { 
- layer, err := untypedLayer.ToLayer(layerType) - must("could not load image layer", err) - - img, err = mutate.AppendLayers(img, layer) - must("could not append layer", err) - } - - return img - }) - - _, err = layout.Write(oci, index) - must("could not write image", err) - }, -} - -type untypedLayer struct { - tarball tarball.Opener -} - -func newUntypedLayer(tarball tarball.Opener) untypedLayer { - return untypedLayer{tarball: tarball} -} - -func newUntypedLayerFromPath(path string) untypedLayer { - stat, err := os.Stat(path) - must("could not open directory or tarball", err) - - var layer untypedLayer - if stat.IsDir() { - var buf bytes.Buffer - - tw := tar.NewWriter(&buf) - - filepath.Walk(path, func(target string, info fs.FileInfo, err error) error { - must("walk error", err) - - header, err := tar.FileInfoHeader(info, info.Name()) - must("could not create tar header", err) - - name, err := filepath.Rel(path, target) - must("could not build relative path", err) - - // Write simplified header, this removes all fields that would cause - // the build to be non-reproducible (like modtime for example) - err = tw.WriteHeader(&tar.Header{ - Typeflag: header.Typeflag, - Name: name, - Mode: header.Mode, - Linkname: header.Linkname, - Size: header.Size, - }) - - must("could not write tar header", err) - - if !info.IsDir() { - file, err := os.Open(target) - must("could not write tar contents", err) - - defer file.Close() - - _, err = io.Copy(tw, file) - must("could not write tar contents", err) - } - - return nil - }) - - tw.Close() - - byts := buf.Bytes() - - layer = newUntypedLayer( - func() (io.ReadCloser, error) { - return io.NopCloser(bytes.NewReader(byts)), nil - }, - ) - } else { - layer = newUntypedLayer( - func() (io.ReadCloser, error) { - return os.Open(path) - }, - ) - } - - return layer -} - -func (ul untypedLayer) ToLayer(mediaType types.MediaType) (v1.Layer, error) { - return tarball.LayerFromOpener(ul.tarball, tarball.WithMediaType(mediaType)) -} - -type 
imageMutateFn func(index v1.Image) v1.Image - -func mutateImage(index v1.ImageIndex, fn imageMutateFn) v1.ImageIndex { - manifest, err := index.IndexManifest() - must("could not load oci image manifest", err) - - for _, descriptor := range manifest.Manifests { - switch { - case descriptor.MediaType.IsImage(): - slog.Info("found image", "digest", descriptor.Digest, "platform", descriptor.Platform) - - img, err := index.Image(descriptor.Digest) - must("could not load oci image with digest", err) - - img = fn(img) - - digest, err := img.Digest() - must("could not get image digest", err) - - size, err := img.Size() - must("could not get image size", err) - - slog.Info("appended layers to image", "old_digest", descriptor.Digest, "digest", digest, "platform", descriptor.Platform) - - index = mutate.RemoveManifests(index, match.Digests(descriptor.Digest)) - - descriptor.Digest = digest - descriptor.Size = size - index = mutate.AppendManifests(index, mutate.IndexAddendum{ - Add: img, - Descriptor: descriptor, - }) - - case descriptor.MediaType.IsIndex(): - slog.Info("found image index", "digest", descriptor.Digest) - - child, err := index.ImageIndex(descriptor.Digest) - must("could not load oci index manifest", err) - - child = mutateImage(child, fn) - - digest, err := child.Digest() - must("could not get index digest", err) - - size, err := child.Size() - must("could not get index size", err) - - index = mutate.RemoveManifests(index, match.Digests(descriptor.Digest)) - - descriptor.Digest = digest - descriptor.Size = size - index = mutate.AppendManifests(index, mutate.IndexAddendum{ - Add: child, - Descriptor: descriptor, - }) - } - } - - return index -} diff --git a/make/_shared/oci-build/image_tool/convert_to_docker_tar.go b/make/_shared/oci-build/image_tool/convert_to_docker_tar.go deleted file mode 100644 index c6e1e269..00000000 --- a/make/_shared/oci-build/image_tool/convert_to_docker_tar.go +++ /dev/null 
@@ -1,97 +0,0 @@ -/* -Copyright 2023 The cert-manager Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "runtime" - - "github.com/google/go-containerregistry/pkg/name" - v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/google/go-containerregistry/pkg/v1/layout" - "github.com/google/go-containerregistry/pkg/v1/match" - "github.com/google/go-containerregistry/pkg/v1/tarball" - "github.com/spf13/cobra" -) - -var CommandConvertToDockerTar = cobra.Command{ - Use: "convert-to-docker-tar oci-path output image-name", - Short: "Reads the OCI directory and outputs a tarball that is compatible with \"docker load\"", - Args: cobra.ExactArgs(3), - Run: func(cmd *cobra.Command, args []string) { - path := args[0] - output := args[1] - imageName := args[2] - - ociLayout, err := layout.FromPath(path) - must("could not load oci directory", err) - - index, err := ociLayout.ImageIndex() - must("could not load oci image index", err) - - images := getImagesFromIndex(index, func(desc v1.Descriptor) bool { - return desc.Platform != nil && desc.Platform.Architecture == runtime.GOARCH - }) - - switch { - case len(images) == 0: - fail("no matching images found") - case len(images) > 1: - fail("multiple matching images found") - } - - ref, err := name.ParseReference(imageName) - must("invalid image name", err) - - err = tarball.WriteToFile(output, ref, images[0]) - must("could not write tarball", err) - }, -} - -func getImagesFromIndex(index v1.ImageIndex, 
matcher match.Matcher) (images []v1.Image) { - manifest, err := index.IndexManifest() - must("could not load oci index manifest", err) - - for _, descriptor := range manifest.Manifests { - switch { - case descriptor.MediaType.IsImage(): - // If the platform is not part of the index manifest, attempt to - // load it from the image config - if descriptor.Platform == nil { - img, err := index.Image(descriptor.Digest) - must("could not load image", err) - - cfg, err := img.ConfigFile() - must("could not load image config", err) - - descriptor.Platform = cfg.Platform() - } - - if matcher(descriptor) { - img, err := index.Image(descriptor.Digest) - must("could not load image", err) - images = append(images, img) - } - - case descriptor.MediaType.IsIndex(): - idx, err := index.ImageIndex(descriptor.Digest) - must("could not load image index", err) - images = append(images, getImagesFromIndex(idx, matcher)...) - } - } - - return -} diff --git a/make/_shared/oci-build/image_tool/go.mod b/make/_shared/oci-build/image_tool/go.mod deleted file mode 100644 index 51f647bf..00000000 --- a/make/_shared/oci-build/image_tool/go.mod +++ /dev/null @@ -1,19 +0,0 @@ -module image_tool - -go 1.21 - -require ( - github.com/google/go-containerregistry v0.20.2 - github.com/spf13/cobra v1.8.1 -) - -require ( - github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect - github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/klauspost/compress v1.16.5 // indirect - github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc3 // indirect - github.com/spf13/pflag v1.0.5 // indirect - github.com/vbatts/tar-split v0.11.3 // indirect - golang.org/x/sync v0.2.0 // indirect -) diff --git a/make/_shared/oci-build/image_tool/go.sum b/make/_shared/oci-build/image_tool/go.sum deleted file mode 100644 index 56873bb9..00000000 --- a/make/_shared/oci-build/image_tool/go.sum +++ /dev/null 
@@ -1,58 +0,0 @@ -github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= -github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= -github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= -github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= -github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= -github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= -github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= -github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= -github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= -github.com/klauspost/compress v1.16.5/go.mod 
h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= -github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= -github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8= -github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/sirupsen/logrus v1.9.1 h1:Ou41VVR3nMWWmTiEUnj0OlsgOSCUFgsPAOl6jRIcVtQ= -github.com/sirupsen/logrus v1.9.1/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= -github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= -github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck= -github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= -golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/make/_shared/oci-build/image_tool/list_digests.go b/make/_shared/oci-build/image_tool/list_digests.go deleted file mode 100644 index e08d9489..00000000 --- a/make/_shared/oci-build/image_tool/list_digests.go +++ /dev/null 
@@ -1,46 +0,0 @@ -/* -Copyright 2023 The cert-manager Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "fmt" - - "github.com/google/go-containerregistry/pkg/v1/layout" - "github.com/spf13/cobra" -) - -var CommandListDigests = cobra.Command{ - Use: "list-digests oci-path", - Short: "Outputs the digests for images found inside the tarball", - Args: cobra.ExactArgs(1), - Run: func(cmd *cobra.Command, args []string) { - path := args[0] - - ociLayout, err := layout.FromPath(path) - must("could not load oci directory", err) - - imageIndex, err := ociLayout.ImageIndex() - must("could not load oci image index", err) - - indexManifest, err := imageIndex.IndexManifest() - must("could not load oci index manifest", err) - - for _, man := range indexManifest.Manifests { - fmt.Println(man.Digest) - } - }, -} diff --git a/make/_shared/oci-build/image_tool/main.go b/make/_shared/oci-build/image_tool/main.go deleted file mode 100644 index 507281e7..00000000 --- a/make/_shared/oci-build/image_tool/main.go +++ /dev/null 
@@ -1,46 +0,0 @@ -/* -Copyright 2023 The cert-manager Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "fmt" - "os" - - "github.com/spf13/cobra" -) - -var CommandRoot = cobra.Command{ - Use: "image-tool", -} - -func main() { - CommandRoot.AddCommand(&CommandAppendLayers) - CommandRoot.AddCommand(&CommandConvertToDockerTar) - CommandRoot.AddCommand(&CommandListDigests) - must("error running command", CommandRoot.Execute()) -} - -func must(msg string, err error) { - if err != nil { - fail(msg+": %w", err) - } -} - -func fail(msg string, a ...any) { - fmt.Fprintf(os.Stderr, msg+"\n", a...) - os.Exit(1) -} diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk index ba7bc8c3..14565a50 100644 --- a/make/_shared/tools/00_mod.mk +++ b/make/_shared/tools/00_mod.mk @@ -18,8 +18,17 @@ endif ########################################## -export DOWNLOAD_DIR ?= $(CURDIR)/$(bin_dir)/downloaded -export GOVENDOR_DIR ?= $(CURDIR)/$(bin_dir)/go_vendor +default_shared_dir := $(CURDIR)/$(bin_dir) +# If $(HOME) is set and $(CI) is not, use the $(HOME)/.cache +# folder to store downloaded binaries. +ifneq ($(shell printenv HOME),) +ifeq ($(shell printenv CI),) +default_shared_dir := $(HOME)/.cache/makefile-modules +endif +endif + +export DOWNLOAD_DIR ?= $(default_shared_dir)/downloaded +export GOVENDOR_DIR ?= $(default_shared_dir)/go_vendor $(bin_dir)/tools $(DOWNLOAD_DIR)/tools: @mkdir -p $@ 
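Review bot: The new default for `DOWNLOAD_DIR` and `GOVENDOR_DIR` in make/_shared/tools/00_mod.mk, `$(HOME)/.cache/makefile-modules`, is shared by every checkout that uses these modules under the same user, and nothing in the hunk says what keeps one checkout's cached tool from being trusted by another. Whether a cached binary is re-verified against its pinned checksum before reuse is not visible here; if it is only checked at download time, anything that can write to that directory affects every later build. I would state the assumption next to the assignment, e.g. `# Shared across checkouts: cached tools must be keyed by version and checksum-verified before use.` The guard also tests `printenv HOME` while the value uses make's `$(HOME)`, and the two can differ when HOME is overridden on the make command line.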
@@ -118,12 +127,14 @@ tools += goreleaser=v1.26.2 tools += syft=v1.22.0 # https://github.com/cert-manager/helm-tool/releases tools += helm-tool=v0.5.3 +# https://github.com/cert-manager/image-tool/releases +tools += image-tool=v0.0.2 # https://github.com/cert-manager/cmctl/releases tools += cmctl=v2.1.1 # https://pkg.go.dev/github.com/cert-manager/release/cmd/cmrel?tab=versions tools += cmrel=e3cbe5171488deda000145003e22567bdce622ea -# https://pkg.go.dev/github.com/golangci/golangci-lint/cmd/golangci-lint?tab=versions -tools += golangci-lint=v1.64.8 +# https://pkg.go.dev/github.com/golangci/golangci-lint/v2/cmd/golangci-lint?tab=versions +tools += golangci-lint=v2.1.2 # https://pkg.go.dev/golang.org/x/vuln?tab=versions tools += govulncheck=v1.1.4 # https://pkg.go.dev/github.com/operator-framework/operator-sdk/cmd/operator-sdk?tab=versions @@ -136,6 +147,8 @@ tools += preflight=1.12.1 tools += gci=v0.13.6 # https://github.com/google/yamlfmt/releases tools += yamlfmt=v0.16.0 +# https://github.com/yannh/kubeconform/releases +tools += kubeconform=v0.6.7 # https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions K8S_CODEGEN_VERSION := v0.32.3 
@@ -334,14 +347,16 @@ go_dependencies += defaulter-gen=k8s.io/code-generator/cmd/defaulter-gen go_dependencies += conversion-gen=k8s.io/code-generator/cmd/conversion-gen go_dependencies += openapi-gen=k8s.io/kube-openapi/cmd/openapi-gen go_dependencies += helm-tool=github.com/cert-manager/helm-tool +go_dependencies += image-tool=github.com/cert-manager/image-tool go_dependencies += cmctl=github.com/cert-manager/cmctl/v2 go_dependencies += cmrel=github.com/cert-manager/release/cmd/cmrel -go_dependencies += golangci-lint=github.com/golangci/golangci-lint/cmd/golangci-lint +go_dependencies += golangci-lint=github.com/golangci/golangci-lint/v2/cmd/golangci-lint go_dependencies += govulncheck=golang.org/x/vuln/cmd/govulncheck go_dependencies += operator-sdk=github.com/operator-framework/operator-sdk/cmd/operator-sdk go_dependencies += gh=github.com/cli/cli/v2/cmd/gh go_dependencies += gci=github.com/daixiang0/gci go_dependencies += yamlfmt=github.com/google/yamlfmt/cmd/yamlfmt +go_dependencies += kubeconform=github.com/yannh/kubeconform/cmd/kubeconform ################# # go build tags # diff --git a/pkg/client/client_api_token.go b/pkg/client/client_api_token.go index 3d3e042f..ec8d1a41 100644 --- a/pkg/client/client_api_token.go +++ b/pkg/client/client_api_token.go @@ -10,9 +10,10 @@ import ( "path/filepath" "time" + "k8s.io/client-go/transport" + "github.com/jetstack/preflight/api" "github.com/jetstack/preflight/pkg/version" - "k8s.io/client-go/transport" ) type ( diff --git a/pkg/client/client_oauth.go b/pkg/client/client_oauth.go index 7192a331..b8f3f5bd 100644 --- a/pkg/client/client_oauth.go +++ b/pkg/client/client_oauth.go @@ -190,7 +190,7 @@ func (c *OAuthClient) renewAccessToken(ctx context.Context) error { if err != nil { return errors.WithStack(err) } - req.Header.Add("content-type", "application/x-www-form-urlencoded") + req.Header.Add("Content-Type", "application/x-www-form-urlencoded") version.SetUserAgent(req) res, err := http.DefaultClient.Do(req) 
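Review bot: In `renewAccessToken` (pkg/client/client_oauth.go) the token request is still sent with `http.DefaultClient.Do(req)`, and that client has no timeout of its own. The request construction is outside the hunk; unless it is built with `http.NewRequestWithContext(ctx, ...)` and callers pass a context with a deadline, a stalled token endpoint can block renewal indefinitely. A package-level `http.Client` with an explicit `Timeout` would bound the call and stop the credential exchange from depending on process-wide state that other packages can modify. Since the header goes onto a fresh request, `req.Header.Set("Content-Type", "application/x-www-form-urlencoded")` states the intent more clearly than `Add`.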
diff --git a/pkg/datagatherer/k8s/client_test.go b/pkg/datagatherer/k8s/client_test.go index 77aa9343..31dd0e95 100644 --- a/pkg/datagatherer/k8s/client_test.go +++ b/pkg/datagatherer/k8s/client_test.go @@ -54,7 +54,7 @@ func TestNewDiscoveryClient_InferredKubeconfig(t *testing.T) { } func writeConfigToFile(t *testing.T, cfg clientcmdapi.Config) string { - f, err := os.CreateTemp("", "testcase-*") + f, err := os.CreateTemp(t.TempDir(), "testcase-*") if err != nil { t.Fatal(err) } diff --git a/pkg/datagatherer/k8s/fieldfilter_test.go b/pkg/datagatherer/k8s/fieldfilter_test.go index c94a63cd..b518f3ee 100644 --- a/pkg/datagatherer/k8s/fieldfilter_test.go +++ b/pkg/datagatherer/k8s/fieldfilter_test.go @@ -4,10 +4,11 @@ import ( "encoding/json" "testing" - "github.com/jetstack/preflight/pkg/testutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + + "github.com/jetstack/preflight/pkg/testutil" ) func TestSelect(t *testing.T) { diff --git a/pkg/echo/echo_test.go b/pkg/echo/echo_test.go index bf21b759..b023ae5e 100644 --- a/pkg/echo/echo_test.go +++ b/pkg/echo/echo_test.go @@ -30,7 +30,7 @@ func TestEchoServerRequestResponse(t *testing.T) { }, DataGatherTime: time.Now(), DataReadings: []*api.DataReading{ - &api.DataReading{ + { ClusterID: "test_suite_cluster", DataGatherer: "dummy", Timestamp: api.Time{Time: time.Now()}, diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 5ebe6cf7..903b8f86 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -13,9 +13,10 @@ import ( "k8s.io/component-base/featuregate" "k8s.io/component-base/logs" logsapi "k8s.io/component-base/logs/api/v1" - _ "k8s.io/component-base/logs/json/register" "k8s.io/klog/v2" ctrlruntimelog "sigs.k8s.io/controller-runtime/pkg/log" + + _ "k8s.io/component-base/logs/json/register" ) // venafi-kubernetes-agent follows [Kubernetes Logging Conventions] and writes 
diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index c903fc47..b474fa33 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -15,13 +15,14 @@ import ( "testing" "time" - _ "github.com/Venafi/vcert/v5" "github.com/spf13/pflag" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "k8s.io/klog/v2" "github.com/jetstack/preflight/pkg/logs" + + _ "github.com/Venafi/vcert/v5" ) // TestLogs demonstrates how the logging flags affect the logging output. diff --git a/pkg/testutil/envtest.go b/pkg/testutil/envtest.go index e8d5f4e6..62b26d7c 100644 --- a/pkg/testutil/envtest.go +++ b/pkg/testutil/envtest.go @@ -200,10 +200,10 @@ func FakeVenafiCloud(t *testing.T) (_ *httptest.Server, _ *x509.Certificate, set } accessToken := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ") - apiKey := r.Header.Get("tppl-api-key") + apiKey := r.Header.Get("Tppl-Api-Key") if accessToken != "VALID_ACCESS_TOKEN" && apiKey != "VALID_API_KEY" { w.WriteHeader(http.StatusUnauthorized) - w.Write([]byte(`{"error":"expected header 'Authorization: Bearer VALID_ACCESS_TOKEN' or 'tppl-api-key: VALID_API_KEY', but got Authorization=` + r.Header.Get("Authorization") + ` and tppl-api-key=` + r.Header.Get("tppl-api-key"))) + w.Write([]byte(`{"error":"expected header 'Authorization: Bearer VALID_ACCESS_TOKEN' or 'tppl-api-key: VALID_API_KEY', but got Authorization=` + r.Header.Get("Authorization") + ` and tppl-api-key=` + r.Header.Get("Tppl-Api-Key"))) return } if r.URL.Path == "/v1/tlspk/upload/clusterdata/no" { diff --git a/pkg/testutil/undent.go b/pkg/testutil/undent.go index b2b4ba15..13c79f59 100644 --- a/pkg/testutil/undent.go +++ b/pkg/testutil/undent.go @@ -68,7 +68,7 @@ func Undent(s string) string { } curLineIndent := 0 // Number of tabs or spaces in the current line. - for pos := 0; pos < len(s); pos++ { + for pos := range s { if s[pos] == '\n' { if pos+1 < len(s) { lineOffsets = append(lineOffsets, pos+1) 
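Review bot: The 401 body written by `FakeVenafiCloud` (pkg/testutil/envtest.go) is not valid JSON. The literal opens with `{"error":"`, the concatenation ends after the second header value without the closing `"}`, and both header values are inserted unescaped. A client under test that decodes the error body will fail on the parse instead of seeing the message. Marshalling keeps it well-formed, e.g. `body, _ := json.Marshal(map[string]string{"error": msg})` followed by `w.Write(body)`, with `msg` built by `fmt.Sprintf` (this needs `encoding/json` if the file does not already import it). The handler continues outside the hunk.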
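Review bot: `for pos := range s` in `Undent` (pkg/testutil/undent.go) ranges over a string, so `pos` now advances by rune, where `pos < len(s); pos++` advanced by byte. The visible body only compares `s[pos]` with `'\n'`, and UTF-8 continuation bytes never match ASCII, so the result is presumably unchanged, but the rest of the loop is outside the hunk and the byte-indexed intent is no longer obvious. `for pos := range len(s) {` keeps the original byte-wise iteration and still satisfies the newly enabled `intrange` linter. If `range s` is kept, a comment such as `// byte offsets of rune starts; only ASCII bytes are inspected` would record why it is safe.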
@@ -102,7 +102,7 @@ func Undent(s string) string { // Extract each line without indentation. out := make([]byte, 0, len(s)-(indentsPerLine*indentedLinesCnt)) - for line := 0; line < len(lineOffsets); line++ { + for line := range lineOffsets { first := lineOffsets[line] // Index of the last character of the line. It is often the '\n'