Merge branch 'main' into 3661-appRepoCustomInterval and resolve

conflicts

.github/actions/srp-source-provenance/action.yml

@@ -0,0 +1,89 @@
+# Copyright 2018-2022 the Kubeapps contributors.
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: SRP Report
+description: Install SRP CLI and Submit Provenance
+inputs:
+  SRP_CLI_VERSION:
+    description: Version of the SRP CLI tool
+    required: false
+    default: latest
+  SRP_CLIENT_ID:
+    description: ID for SRP API Credentials
+    required: true
+  SRP_CLIENT_SECRET:
+    description: SECRET for SRP API Credentials
+    required: true
+  VERSION:
+    description: Release Version
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Download SRP CLI
+      shell: bash
+      env:
+        SRP_CLI_VERSION: ${{ inputs.SRP_CLI_VERSION }}
+      run: |
+        set -u
+        mkdir -p /tmp/srp-cli
+        if [[ "${SRP_CLI_VERSION}" == "latest" ]]; then
+          curl https://srp-cli.s3.amazonaws.com/srp-cli-latest.tgz -o /tmp/srp-cli/srp-cli-latest.tgz
+          tar xvzf /tmp/srp-cli/srp-cli-latest.tgz -C /tmp/srp-cli/
+        else
+          wget "https://vmwaresaas.jfrog.io/artifactory/srp-tools/srpcli/${SRP_CLI_VERSION}/linux/srp" -O /tmp/srp-cli/srp
+        fi
+        chmod +x /tmp/srp-cli/srp
+        sudo mv /tmp/srp-cli/srp /usr/local/bin/.
+        srp --version
+    - name: Configure SRP
+      env:
+        SRP_CLIENT_ID: ${{ inputs.SRP_CLIENT_ID }}
+        SRP_CLIENT_SECRET: ${{ inputs.SRP_CLIENT_SECRET }}
+      shell: bash
+      run: |
+        set -u
+        srp config auth --client-id=${SRP_CLIENT_ID} --client-secret=${SRP_CLIENT_SECRET}
+    - name: Create Source Provenance File
+      env:
+        VERSION: ${{ inputs.VERSION }}
+      shell: bash
+      run: |
+        set -eu
+        export GITHUB_FQDN=$(echo "${GITHUB_SERVER_URL}" | sed -e "s/^https:\/\///")
+        export BUILD_ID=${GITHUB_RUN_ID}_${GITHUB_RUN_ATTEMPT}
+        export COMP_UID="uid.obj.build.github(instance='${GITHUB_FQDN}',namespace='${GITHUB_REPOSITORY}',ref='${GITHUB_REF}',action='${GITHUB_ACTION}',build_id='$BUILD_ID')"
+        echo "COMP_UID=$COMP_UID" >> $GITHUB_ENV
+        echo "COMP_UID=$COMP_UID"
+        mkdir -p /tmp/provenance
+        sudo srp provenance source \
+        --verbose \
+        --scm-type git \
+        --name "kubeapps" \
+        --path ./ \
+        --saveto /tmp/provenance/source.json \
+        --comp-uid ${COMP_UID} \
+        --build-number ${BUILD_ID} \
+        --version ${VERSION} \
+        --all-ephemeral true \
+        --build-type release
+    - name: Validate and submit the source provenance files to the SRP Metadata service
+      shell: bash
+      run: |
+        echo "COMP_UID: $COMP_UID"
+        export COMP_UID=${COMP_UID//\//\%2f}
+        export SRP_UID="uid.mtd.provenance_2_5.fragment(obj_uid=$COMP_UID,revision='')"
+        echo "SRP_UID: ${SRP_UID}"
+        cat /tmp/provenance/source.json
+        srp uid validate ${SRP_UID}
+        srp metadata submit \
+        --verbose \
+        --url https://apigw.vmware.com/v1/s1/api/helix-beta \
+        --uid "${SRP_UID}" \
+        --path /tmp/provenance/source.json
+    - name: Upload SRP file as a build artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: srp-source-provenance-file
+        path: /tmp/provenance/source.json

.github/workflows/add-issues-to-project.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 the Kubeapps contributors
+# Copyright 2022 the Kubeapps contributors.
 # SPDX-License-Identifier: Apache-2.0
 
 ---

.github/workflows/codeql-reusable.yml → .github/workflows/codeql-analysis.yml

@@ -1,14 +1,16 @@
-# Copyright 2022 the Kubeapps contributors
+# Copyright 2022 the Kubeapps contributors.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
+name: CodeQL Analysis
+
 on:
-  workflow_call:
-    inputs:
-      golang_version:
-        type: string
-        required: false
-        default: "1.19"
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "0 5 * * *"
 
 jobs:
   analyze:
@@ -36,7 +38,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ inputs.golang_version }}
+          go-version: 1.19
         if: ${{ matrix.language == 'go' }}
 
       # Initializes the CodeQL tools for scanning.

.github/workflows/kubeapps-full-integration.yaml

@@ -6,13 +6,16 @@ name: Full Integration Pipeline
 
 on:
   workflow_dispatch:
+  schedule:
+    # At 04:00 on Monday, Wednesday, and Saturday.
+    - cron: "0 4 * * 1,3,6"
 
 concurrency:
   group: ${{ github.head_ref || github.ref_name }}_full
   cancel-in-progress: true
 
 jobs:
-  main:
+  CI:
     uses: ./.github/workflows/kubeapps-general.yaml
     secrets: inherit
     with:

.github/workflows/kubeapps-general.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 the Kubeapps contributors
+# Copyright 2022 the Kubeapps contributors.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -71,6 +71,7 @@ env:
   GKE_ZONE: "us-east1-c"
   GKE_PROJECT: "vmware-kubeapps-ci"
   GKE_CLUSTER: "kubeapps-test"
+  SRP_CLI_VERSION: "0.2.20220825211752-571e676-57"
 
 jobs:
   setup:
@@ -124,7 +125,7 @@ jobs:
             echo "version=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
           else
             echo "img_prod_tag=latest" >> $GITHUB_OUTPUT
-            echo "version=" >> $GITHUB_OUTPUT
+            echo "version=${GITHUB_SHA}" >> $GITHUB_OUTPUT
           fi;
 
           if [[ ${GITHUB_REF_NAME} == ${BRANCH_KUBEAPPS_REPO} ]]; then
@@ -139,7 +140,14 @@ jobs:
             echo "running_on_tag=false" >> $GITHUB_OUTPUT
           fi
 
-          echo "dev_mode=${DEV_MODE}" >> $GITHUB_OUTPUT
+          # TODO(bjesus) Once we've properly tested the release job, we can/should remove this hack, just leave the content from the else branch
+          if [[ ${GITHUB_REF_TYPE} == "tag" &&  ${GITHUB_REF_NAME} == 'test-'* ]]; then
+            echo "DEV_MODE=true" >> $GITHUB_ENV
+            echo "dev_mode=true" >> $GITHUB_OUTPUT
+          else
+            echo "dev_mode=${DEV_MODE}" >> $GITHUB_OUTPUT
+          fi
+
           echo "golang_version=${GOLANG_VERSION}" >> $GITHUB_OUTPUT
           echo "ssh_key_kubeapps_deploy_filename=${SSH_KEY_KUBEAPPS_DEPLOY_FILENAME}" >> $GITHUB_OUTPUT
           echo "ssh_key_forked_charts_deploy_filename=${SSH_KEY_FORKED_CHARTS_DEPLOY_FILENAME}" >> $GITHUB_OUTPUT
@@ -172,6 +180,15 @@ jobs:
     with:
       golang_version: ${{ needs.setup.outputs.golang_version }}
 
+  linters_result:
+    if: inputs.run_linters && always()
+    needs: linters
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Check all linters result"
+        if: needs.linters.result != 'success'
+        run: exit 1
+
   test_go:
     needs:
       - setup
@@ -430,13 +447,21 @@ jobs:
           - multicluster-nokubeapps
           - carvel
           - operator
+        timeout_minutes:
+          - 4
+        include: # Override the default timeout for the operators group, to avoid flaky tests
+          - tests_group: operator
+            timeout_minutes: 6
+        exclude:
+          - tests_group: operator
+            timeout_minutes: 4
     env:
       DEFAULT_DEX_IP: "172.18.0.2"
       IMG_PREFIX: ${{ needs.setup.outputs.img_prefix }}
       TESTS_GROUP: ${{ matrix.tests_group }}
       TEST_OPERATORS: "1"
       TEST_UPGRADE: "1"
-      TEST_TIMEOUT_MINUTES: 4  # Timeout minutes for each test
+      TEST_TIMEOUT_MINUTES: ${{ matrix.timeout_minutes }}  # Timeout minutes for each test
       USE_MULTICLUSTER_OIDC_ENV: "true"
     steps:
       - uses: actions/checkout@v3
@@ -518,6 +543,20 @@ jobs:
           name: e2e_tests_${{ matrix.tests_group }}_reports
           path: integration/reports
 
+  # We need this job to aggregate the result of the local_e2e_tests matrix and summarize it. We don't need it because of
+  # GHA itself, but because in GH branch protection rules, we cannot check the status for a job matrix, and would have
+  # require the status for each job in the matrix (eg. local_e2e_tests(carvel)).
+  # See https://github.com/orgs/community/discussions/26822
+  local_e2e_tests_result:
+    needs:
+      - local_e2e_tests
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - name: "Check local_e2e_tests matrix status"
+        if: needs.local_e2e_tests.result != 'success'
+        run: exit 1
+
   push_images:
     if: needs.setup.outputs.running_on_main == 'true' || needs.setup.outputs.running_on_tag == 'true'
     runs-on: ubuntu-latest
@@ -564,6 +603,20 @@ jobs:
             docker push $prod_image
           done
 
+  srp_report:
+    needs:
+      - setup
+      - push_images
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/srp-source-provenance
+        with:
+          SRP_CLI_VERSION: ${{env.SRP_CLI_VERSION}}
+          SRP_CLIENT_ID: ${{secrets.SRP_CLIENT_ID}}
+          SRP_CLIENT_SECRET: ${{secrets.SRP_CLIENT_SECRET}}
+          VERSION: ${{needs.setup.outputs.version}}
+
   sync_chart_from_bitnami:
     needs:
       - setup

.github/workflows/kubeapps-main.yaml

@@ -6,6 +6,10 @@ name: Main Pipeline
 
 on:
   push:
+    branches:
+      - main
+    tags-ignore:
+      - '*'
   pull_request:
     branches:
       - main
@@ -15,6 +19,6 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  main:
+  CI:
     uses: ./.github/workflows/kubeapps-general.yaml
     secrets: inherit

.github/workflows/kubeapps-release.yml

@@ -8,13 +8,15 @@ on:
   push:
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+'
+      # TODO(bjesus) Remove the following line once we have tested the release process
+      - 'test-.*'
 
 concurrency:
-  group: ${{ github.head_ref || github.ref_name }}
+  group: ${{ github.head_ref || github.ref_name }}_release
   cancel-in-progress: true
 
 jobs:
-  main:
+  CI:
     uses: ./.github/workflows/kubeapps-general.yaml
     secrets: inherit
     with:

.github/workflows/linters.yml

@@ -47,8 +47,3 @@ jobs:
       - uses: actions/checkout@v3
       - name: Check license Headers
         uses: apache/skywalking-eyes/header@v0.4.0
-
-  CodeQL:
-    uses: ./.github/workflows/codeql-reusable.yml
-    with:
-      golang_version: ${{ inputs.golang_version }}

.licenserc.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 VMware, Inc.
+# Copyright 2022 the Kubeapps contributors.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -16,6 +16,7 @@ header:
     - LICENSE
     - NOTICE
     - open_source_licenses.txt
+    - dashboard/src/setupProxy.js
     - "**/*.css"
     - "**/*.dccache"
     - "**/*.html"

.yamllint.yml

@@ -5,12 +5,12 @@
 extends: default
 ignore: |
   #  Ignore folders
-  chart/kubeapps/
-  integration/charts/simplechart/
-  dashboard/node_modules/
-  devel/
+  **/chart/kubeapps/
+  **/integration/charts/simplechart/
+  **/dashboard/node_modules/
+  **/devel/
   #  Ignore files
-  cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/testdata/charts/single-package-template.yaml
+  **/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/testdata/charts/single-package-template.yaml
 rules:
   line-length: disable
   comments: disable

Makefile

@@ -65,4 +65,9 @@ fmt:
 vet:
 	$(GO) vet $(GO_PACKAGES)
 
-.PHONY: default all test-all test test-dashboard fmt vet
+lint:
+	./script/linters/license-linter.sh
+	./script/linters/yaml-linter.sh
+	./script/linters/golang-linter.sh
+
+.PHONY: default all test-all test test-dashboard fmt vet lint install-tools

README.md

@@ -1,6 +1,9 @@
 # <img src="site/content/docs/latest/img/logo.svg" width="40" align="left"/> Kubeapps
 
 [![CircleCI](https://circleci.com/gh/vmware-tanzu/kubeapps/tree/main.svg?style=svg)](https://circleci.com/gh/vmware-tanzu/kubeapps/tree/main)
+[![Main Pipeline](https://github.com/vmware-tanzu/kubeapps/actions/workflows/kubeapps-main.yaml/badge.svg)](https://github.com/vmware-tanzu/kubeapps/actions/workflows/kubeapps-main.yaml)
+[![Full Integration Pipeline](https://github.com/vmware-tanzu/kubeapps/actions/workflows/kubeapps-full-integration.yaml/badge.svg)](https://github.com/vmware-tanzu/kubeapps/actions/workflows/kubeapps-full-integration.yaml)
+[![CodeQL](https://github.com/vmware-tanzu/kubeapps/actions/workflows/codeql-scheduled.yml/badge.svg)](https://github.com/vmware-tanzu/kubeapps/actions/workflows/codeql-scheduled.yml)
 [![Netlify Status](https://api.netlify.com/api/v1/badges/7e0e2833-1d75-43f6-b006-632d359bb83b/deploy-status)](https://app.netlify.com/sites/kubeapps-dev/deploys)
 
 ## Overview

chart/kubeapps/README.md

@@ -470,6 +470,7 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
 | `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace`           | Default global packaging namespace                                                                                                                                         | `kapp-controller-packaging-global` |
 | `kubeappsapis.pluginConfig.flux.packages.v1alpha1.defaultUpgradePolicy`                         | Default upgrade policy generating version constraints                                                                                                                      | `none`                             |
 | `kubeappsapis.pluginConfig.flux.packages.v1alpha1.userManagedSecrets`                           | Default policy for handling repository secrets, either managed by the user or by kubeapps-apis                                                                             | `false`                            |
+| `kubeappsapis.pluginConfig.flux.packages.v1alpha1.noCrossNamespaceRefs`                           | Enable this flag to disallow cross-namespace references, useful when running Flux on multi-tenant clusters                                                                             | `false`                            |
 | `kubeappsapis.pluginConfig.resources.packages.v1alpha1.trustedNamespaces.headerName`            | Optional header name for trusted namespaces                                                                                                                                | `""`                               |
 | `kubeappsapis.pluginConfig.resources.packages.v1alpha1.trustedNamespaces.headerPattern`         | Optional header pattern for trusted namespaces                                                                                                                             | `""`                               |
 | `kubeappsapis.image.registry`                                                                   | Kubeapps-APIs image registry                                                                                                                                               | `docker.io`                        |

chart/kubeapps/values.yaml

@@ -1541,6 +1541,8 @@ kubeappsapis:
           defaultUpgradePolicy: none
           ## @param kubeappsapis.pluginConfig.flux.packages.v1alpha1.userManagedSecrets Default policy for handling repository secrets, either managed by the user or by kubeapps-apis
           userManagedSecrets: false
+            ## @param kubeappsapis.pluginConfig.flux.packages.v1alpha1.noCrossNamespaceRefs Enable this flag to disallow cross-namespace references, useful when running Flux on multi-tenant clusters
+          noCrossNamespaceRefs: false
     resources:
       packages:
         v1alpha1: