From 1ae18256ccd04edeac52a7f1f7b102a66f24433e Mon Sep 17 00:00:00 2001
From: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
Date: Tue, 18 Jul 2023 13:37:32 -0400
Subject: [PATCH] `stolostron` patches
- Add OWNERS
- Enable CGO explicitly
- Set TLS minimum version to 1.2
- Remove TestCongifurewebhookServer
- Bump to Go 1.21
- Workflow to build/push to quay/gatekeeper
---
 .github/workflows/build-push-stolostron.yaml | 34 +++++++++++++++++++
 Dockerfile | 2 +-
 OWNERS | 12 +++++++
 Tiltfile | 3 +-
 charts/gatekeeper/values.yaml | 2 +-
 cmd/build/helmify/static/values.yaml | 2 +-
 gator.Dockerfile | 2 +-
 go.mod | 2 +-
 go.sum | 5 +++
 .../charts/gatekeeper/values.yaml | 2 +-
 pkg/webhook/common.go | 2 +-
 11 files changed, 60 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/build-push-stolostron.yaml
 create mode 100644 OWNERS
diff --git a/.github/workflows/build-push-stolostron.yaml b/.github/workflows/build-push-stolostron.yaml
new file mode 100644
index 00000000000..20fd41af9d1
--- /dev/null
+++ b/.github/workflows/build-push-stolostron.yaml
@@ -0,0 +1,34 @@
+name: build and push to quay
+
+on:
+ push:
+ tags:
+ - 'v*' # tags matching v*, i.e. v0.0.1, v1.0.0-rc.0
+
+env:
+ VERSION_TAG: ${{ github.ref_name }}
+ REPOSITORY: quay.io/gatekeeper/gatekeeper
+
+jobs:
+ build:
+ name: Image build and push
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: docker/login-action@v2
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USER }}
+ password: ${{ secrets.QUAY_PASSWORD }}
+
+ - name: build
+ run: |
+ REPOSITORY=${{env.REPOSITORY}} VERSION=${{env.VERSION_TAG}} \
+ PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" OUTPUT_TYPE=type=registry GENERATE_ATTESTATIONS=true make docker-buildx-release
+
+ - name: push
+ run: |
+ docker push ${{env.REPOSITORY}}:${{env.VERSION_TAG}}
+
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index d4db5c85f79..0e26d65ff5b 100644
--- a/Dockerfile
+++ b/Dockerfile
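Review bot: Both `run:` steps paste `${{env.REPOSITORY}}` and `${{env.VERSION_TAG}}` into bash through expression interpolation instead of reading them as shell variables, which is the script-injection pattern GitHub's hardening guide warns about; `VERSION_TAG` is `github.ref_name`, and a git ref name may legally contain characters bash treats specially (`;`, `$`, backticks), so an unusual tag is spliced into the script unquoted. The values are already exported as job-level `env`, so the steps can use `REPOSITORY="$REPOSITORY" VERSION="$VERSION_TAG" \` in the build step and `docker push "$REPOSITORY:$VERSION_TAG"` in the push step with no other change. Separately, `actions/checkout@v4` and `docker/login-action@v2` are mutable tag references; pinning them to a full commit SHA (tag kept in a trailing comment) is the usual supply-chain precaution for a workflow that holds registry credentials. The build step already passes `OUTPUT_TYPE=type=registry`, so the separate `docker push` looks either redundant or like it pushes a single-arch image from the local daemon over the multi-arch manifest — worth confirming against the `docker-buildx-release` target, which is outside this patch.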
@@ -14,7 +14,7 @@ ARG LDFLAGS
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 ENV GO111MODULE=on \
- CGO_ENABLED=0 \
+ CGO_ENABLED=1 \
 GOOS=${TARGETOS} \
 GOARCH=${TARGETARCH} \
 GOARM=${TARGETVARIANT}
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 00000000000..e9dcaed4090
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,12 @@
+approvers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- mprahl
+- yiraeChristineKim
+reviewers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- mprahl
+- yiraeChristineKim
diff --git a/Tiltfile b/Tiltfile
index a141bec7557..6ec4cc7e97f 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -34,7 +34,8 @@ COPY bin/manager .
 def build_manager():
 cmd = [
 "make tilt-prepare",
- "GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -a -o .tiltbuild/bin/manager",
+ "GO111MODULE=on CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -mod vendor -a -ldflags \"" +
+ LDFLAGS + "\" -o .tiltbuild/bin/manager",
 ]
 local_resource(
 "manager",
diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml
index 60041d9a7d4..1a0c68e1fa1 100644
--- a/charts/gatekeeper/values.yaml
+++ b/charts/gatekeeper/values.yaml
@@ -164,7 +164,7 @@ controllerManager:
 livenessTimeout: 1
 priorityClassName: system-cluster-critical
 disableCertRotation: false
- tlsMinVersion: 1.3
+ tlsMinVersion: 1.2
 clientCertName: ""
 strategyType: RollingUpdate
 affinity:
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 60041d9a7d4..1a0c68e1fa1 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -164,7 +164,7 @@ controllerManager:
 livenessTimeout: 1
 priorityClassName: system-cluster-critical
 disableCertRotation: false
- tlsMinVersion: 1.3
+ tlsMinVersion: 1.2
 clientCertName: ""
 strategyType: RollingUpdate
 affinity:
diff --git a/gator.Dockerfile b/gator.Dockerfile
index 907c1b8f528..20f9d66419c 100644
--- a/gator.Dockerfile
+++ b/gator.Dockerfile
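Review bot: `CGO_ENABLED=1` is set while `GOOS`/`GOARCH`/`GOARM` still come from the `TARGET*` build args, so cross-platform builds now need a C cross-compiler in the build stage and the resulting binary is dynamically linked against libc; the final stage is outside this hunk, so I cannot confirm its base image ships a compatible libc (a static or distroless base would likely fail at container start). The reason for enabling CGO is recorded nowhere in the patch — the commit message only says "explicitly" — so I'd put it next to the line, e.g. `# CGO is required for <REASON-PLACEHOLDER>; the runtime image must provide libc` with the real reason filled in. The same change appears in `gator.Dockerfile` and in the Tiltfile's `build_manager` command.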
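Review bot: The new `-ldflags \"" + LDFLAGS + "\"` concatenation references `LDFLAGS`, which is not defined anywhere in the hunk; if it is not assigned earlier in the Tiltfile the file fails to load, and `build_manager` itself continues outside the hunk. It also splices the value into a double-quoted shell string, so an `LDFLAGS` value containing `"` or `$` is broken or expanded by the shell; a one-line comment above `cmd = [` stating where `LDFLAGS` comes from and that it must be shell-safe would at least make the contract visible.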
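Review bot: Lowering `tlsMinVersion` from 1.3 to 1.2 lets the webhook server negotiate TLS 1.2 cipher suites again; with Go's `crypto/tls`, 1.2 permits non-AEAD (CBC) suites unless `CipherSuites` is restricted explicitly, and whether the server's `tls.Config` does so is outside this patch. The reason for the downgrade is not recorded in the patch (presumably a client that cannot speak 1.3); I'd document it next to the value, e.g. `tlsMinVersion: 1.2  # 1.3 not supported by <CLIENT-PLACEHOLDER>; revisit when it is`, with the client named. The same default is changed in `cmd/build/helmify/static/values.yaml`, `manifest_staging/charts/gatekeeper/values.yaml` and the `tls-min-version` flag in `pkg/webhook/common.go`, so all four need the same note.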
@@ -13,7 +13,7 @@ ARG TARGETVARIANT=""
 ARG LDFLAGS
 ENV GO111MODULE=on \
- CGO_ENABLED=0 \
+ CGO_ENABLED=1 \
 GOOS=${TARGETOS} \
 GOARCH=${TARGETARCH} \
 GOARM=${TARGETVARIANT}
diff --git a/go.mod b/go.mod
index bc073d32518..c8aa82e06ae 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/open-policy-agent/gatekeeper/v3
-go 1.20
+go 1.21
 // We are forking from commit 116a1b831fffe7ccc3c8145306c3e1a3b1b14ffa (tag: v0.15.0) to enable dynamic informer caching
 replace sigs.k8s.io/controller-runtime => ./third_party/sigs.k8s.io/controller-runtime
diff --git a/go.sum b/go.sum
index 2d68e1ffe4d..19842905598 100644
--- a/go.sum
+++ b/go.sum
@@ -78,6 +78,7 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg=
+github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw=
 github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8=
 github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g=
 github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
@@ -114,6 +115,7 @@ github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2Vvl
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
+github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
@@ -229,6 +231,7 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -271,6 +274,7 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I
 github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
 github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -531,6 +535,7 @@ gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.28.6 h1:yy6u9CuIhmg55YvF/BavPBBXB+5QicB64njJXxVnzLo=
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 60041d9a7d4..1a0c68e1fa1 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -164,7 +164,7 @@ controllerManager:
 livenessTimeout: 1
 priorityClassName: system-cluster-critical
 disableCertRotation: false
- tlsMinVersion: 1.3
+ tlsMinVersion: 1.2
 clientCertName: ""
 strategyType: RollingUpdate
 affinity:
diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go
index 32f6db53d56..c2b139fc124 100644
--- a/pkg/webhook/common.go
+++ b/pkg/webhook/common.go
@@ -56,7 +56,7 @@ var (
 serviceaccount = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName)
 VwhName = flag.String("validating-webhook-configuration-name", "gatekeeper-validating-webhook-configuration", "name of the ValidatingWebhookConfiguration")
 MwhName = flag.String("mutating-webhook-configuration-name", "gatekeeper-mutating-webhook-configuration", "name of the MutatingWebhookConfiguration")
- TLSMinVersion = flag.String("tls-min-version", "1.3", "minimum version of TLS supported")
+ TLSMinVersion = flag.String("tls-min-version", "1.2", "minimum version of TLS supported")
 ClientCAName = flag.String("client-ca-name", "", "name of the certificate authority bundle to authenticate the Kubernetes API server requests against")
 CertCNName = flag.String("client-cn-name", "kube-apiserver", "expected CN name on the client certificate attached by apiserver in requests to the webhook")
 )