stolostron patches

- Add OWNERS file - Enable CGO explicitly - Set TLS minimum version to 1.2 - Bump to Go 1.21 - Update to multi-arch Dockerfile - Workflow to build/push to quay.io - Workflow for Sonarcloud scanning - Address vulnerability scans Signed-off-by: Dale Haiducek <[email protected]>
dhaiducek · Apr 8, 2024 · a98dcfd · a98dcfd
1 parent 3350319
commit a98dcfd
Show file tree

Hide file tree

Showing 131 changed files with 5,144 additions and 1,444 deletions.
diff --git a/.github/workflows/build-push-stolostron.yaml b/.github/workflows/build-push-stolostron.yaml
@@ -0,0 +1,28 @@
+name: build and push to quay
+
+on:
+  push:  
+    tags:
+      - 'v*' # tags matching v*, i.e. v0.0.1, v1.0.0-rc.0
+
+jobs:
+  build:
+    name: Image build and push
+    runs-on: ubuntu-latest  
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: docker/login-action@v2
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_USER }}
+        password: ${{ secrets.QUAY_PASSWORD }}
+
+    - name: build and push
+      run: |
+        REPOSITORY="quay.io/gatekeeper/gatekeeper" \
+        PLATFORM="linux/amd64,linux/arm64,linux/arm/v8" \
+        OUTPUT_TYPE=type=registry GENERATE_ATTESTATIONS=true \
+        make docker-buildx-release
+
diff --git a/.github/workflows/gosec.yaml b/.github/workflows/gosec.yaml
@@ -0,0 +1,27 @@
+name: GoSec scan
+
+on:
+  push:
+    branches:
+      - master
+      - release-[0-9]+.[0-9]+
+  pull_request:
+    branches:
+      - master
+      - release-[0-9]+.[0-9]+
+
+jobs:
+  gosec:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Gatekeeper
+        uses: actions/checkout@v4
+      - name: Run Gosec Security Scanner
+        uses: securego/[email protected]
+        with:
+          args: -no-fail -fmt sonarqube -out gosec.json -stdout -exclude-dir=.go -exclude-dir=test ./...
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: artifacts
+          path: gosec.json
diff --git a/.github/workflows/sonarcloud.yaml b/.github/workflows/sonarcloud.yaml
@@ -0,0 +1,14 @@
+name: Sonarcloud scan
+
+on:
+  workflow_run:
+    workflows:
+      - GoSec scan
+    types:
+      - completed
+
+jobs:
+  sonarcloud:
+    uses: stolostron/governance-policy-framework/.github/workflows/sonarcloud.yml@main
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ ARG BUILDPLATFORM="linux/amd64"
 ARG BUILDERIMAGE="golang:1.21-bullseye"
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-ARG BASEIMAGE="gcr.io/distroless/static:nonroot"
+ARG BASEIMAGE="gcr.io/distroless/cc-debian11:nonroot"
 
 FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder
 
@@ -14,15 +14,27 @@ ARG LDFLAGS
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+    CGO_ENABLED=1 \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT}
 
+RUN if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+        apt -y update && apt -y install gcc-aarch64-linux-gnu && apt -y clean all; \
+    elif [ "${TARGETPLATFORM}" = "linux/arm/v8" ]; then \
+        apt -y update && apt -y install gcc-arm-linux-gnueabihf && apt -y clean all; \
+    fi
+
 WORKDIR /go/src/github.com/open-policy-agent/gatekeeper
 COPY . .
 
-RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager
+RUN  if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+        export CC=aarch64-linux-gnu-gcc; \
+    elif [ "${TARGETPLATFORM}" = "linux/arm/v8" ]; then \
+        export CC=arm-linux-gnueabihf-gcc; \
+    fi; \
+    go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager
+
 
 FROM $BASEIMAGE
 

diff --git a/OWNERS b/OWNERS
@@ -0,0 +1,12 @@
+approvers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- mprahl
+- yiraeChristineKim
+reviewers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- mprahl
+- yiraeChristineKim
diff --git a/Tiltfile b/Tiltfile
@@ -34,7 +34,7 @@ COPY bin/manager .
 def build_manager():
     cmd = [
         "make tilt-prepare",
-        "GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -a -o .tiltbuild/bin/manager",
+        "GO111MODULE=on CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -mod vendor -a -o .tiltbuild/bin/manager",
     ]
     local_resource(
         "manager",

diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml
@@ -164,7 +164,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
-  tlsMinVersion: 1.3
+  tlsMinVersion: 1.2
   clientCertName: ""
   strategyType: RollingUpdate
   affinity:

diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -164,7 +164,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
-  tlsMinVersion: 1.3
+  tlsMinVersion: 1.2
   clientCertName: ""
   strategyType: RollingUpdate
   affinity:

diff --git a/gator.Dockerfile b/gator.Dockerfile
@@ -13,7 +13,7 @@ ARG TARGETVARIANT=""
 ARG LDFLAGS
 
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+    CGO_ENABLED=1 \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT}

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/open-policy-agent/gatekeeper/v3
 
-go 1.20
+go 1.21
 
 // We are forking from commit 116a1b831fffe7ccc3c8145306c3e1a3b1b14ffa (tag: v0.15.0) to enable dynamic informer caching
 replace sigs.k8s.io/controller-runtime => ./third_party/sigs.k8s.io/controller-runtime
@@ -33,12 +33,12 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.19.0
 	go.uber.org/automaxprocs v1.5.3
 	go.uber.org/zap v1.24.0
-	golang.org/x/net v0.19.0
+	golang.org/x/net v0.23.0 // GO-2024-2611; >=v0.23.0
 	golang.org/x/oauth2 v0.13.0
 	golang.org/x/sync v0.5.0
 	golang.org/x/time v0.5.0
 	google.golang.org/grpc v1.60.1
-	google.golang.org/protobuf v1.31.0
+	google.golang.org/protobuf v1.33.0 // GO-2024-2687; >=v1.33.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.28.6
@@ -143,10 +143,10 @@ require (
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	google.golang.org/api v0.149.0 // indirect