deckhouse
diff --git a/‎.github/workflows/go_checks.yaml
Lines changed: 4 additions & 158 deletions b/‎.github/workflows/go_checks.yaml
Lines changed: 4 additions & 158 deletions
diff --git a/‎.github/workflows/trivy_image_check.yaml
Lines changed: 39 additions & 24 deletions b/‎.github/workflows/trivy_image_check.yaml
Lines changed: 39 additions & 24 deletions
diff --git a/‎.werf/bundle.yaml
Lines changed: 7 additions & 2 deletions b/‎.werf/bundle.yaml
Lines changed: 7 additions & 2 deletions
diff --git a/‎.werf/choose-edition.yaml
Lines changed: 15 additions & 0 deletions b/‎.werf/choose-edition.yaml
Lines changed: 15 additions & 0 deletions
diff --git a/‎module.yaml
Lines changed: 1 addition & 0 deletions b/‎module.yaml
Lines changed: 1 addition & 0 deletions
diff --git a/‎openapi/values.yaml renamed to ‎openapi/values_ce.yaml b/‎openapi/values.yaml renamed to ‎openapi/values_ce.yaml
diff --git a/‎openapi/values_ee.yaml
Lines changed: 33 additions & 0 deletions b/‎openapi/values_ee.yaml
Lines changed: 33 additions & 0 deletions
diff --git a/‎templates/sds-health-watcher-controller/deployment.yaml
Lines changed: 2 additions & 1 deletion b/‎templates/sds-health-watcher-controller/deployment.yaml
Lines changed: 2 additions & 1 deletion
diff --git a/‎trivy-silent.yaml
Lines changed: 0 additions & 1 deletion b/‎trivy-silent.yaml
Lines changed: 0 additions & 1 deletion
diff --git a/‎trivy.yaml
Lines changed: 0 additions & 2 deletions b/‎trivy.yaml
Lines changed: 0 additions & 2 deletions
@@ -18,34 +18,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Setup Go environment
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-
-      - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/cmd/[email protected]
-
       - name: Run Go lint
-        run: |
-          basedir=$(pwd)
-          failed='false'
-          for i in $(find images -type f -name go.mod);do
-            dir=$(echo $i | sed 's/go.mod$//')
-            cd $basedir/$dir
-            # check all editions
-            for edition in $GO_BUILD_TAGS ;do
-              echo "Running linter in $dir (edition: $edition)"
-              golangci-lint run --build-tags $edition
-              if [ $? -ne 0 ]; then
-                echo "Linter failed in $dir (edition: $edition)"
-                failed='true'
-              fi
-            done
-          done
-          if [ $failed == 'true' ]; then
-            exit 1
-          fi
+        uses: deckhouse/modules-actions/go_linter@v2
 
   go_tests:
     name: Go tests for images
@@ -55,31 +29,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Setup Go environment
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-
       - name: Run Go tests
-        run: |
-          basedir=$(pwd)
-          failed='false'
-          for i in $(find images -type f -name '*_test.go');do
-            dir=$(echo $i | sed 's/[a-z_A-Z0-9-]*_test.go$//')
-            cd $basedir/$dir
-            # check all editions
-            for edition in $GO_BUILD_TAGS ;do
-              echo "Running tests in $dir (edition: $edition)"
-              go test -v -tags $edition
-              if [ $? -ne 0 ]; then
-                echo "Tests failed in $dir (edition: $edition)"
-                failed='true'
-              fi
-            done
-          done
-          if [ $failed == 'true' ]; then
-            exit 1
-          fi
+        uses: deckhouse/modules-actions/go_tests@v2
 
   go_test_coverage:
     name: Go test coverage for images
@@ -89,35 +40,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Setup Go environment
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-
       - name: Run Go test coverage count
-        run: |
-          if [ ! -d "images" ]; then
-              echo "No images/ directory found. Please run this script from the root of the repository."
-              exit 1
-          fi
-
-          find images/ -type f -name "go.mod" | while read -r gomod; do
-              dir=$(dirname "$gomod")
-              
-              echo "Test coverage in $dir"
-              
-              cd "$dir" || continue
-              
-              for tag in $GO_BUILD_TAGS; do
-                  echo "  Build tag: $tag"
-                  
-                  go test ./... -cover -tags "$tag" 
-              done
-              
-              cd - > /dev/null
-              
-              echo "----------------------------------------"
-          done
+        uses: deckhouse/modules-actions/go_test_coverage@v2
 
   go_modules_check:
     name: Go modules version
@@ -127,83 +51,5 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Setup Go environment
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-
       - name: Run Go modules version check
-        run: |
-          search_dir=$(pwd)"/images"
-
-          if [ ! -d "$search_dir" ]; then
-            echo "Directory $search_dir does not exist."
-            exit 1
-          fi
-
-          temp_dir=$(mktemp -d)
-          touch "$temp_dir/incorrect_alert"
-
-          trap 'rm -rf "$temp_dir"' EXIT
-
-          find images/ -type f -name "go.mod" | while read -r gomod; do
-              dir=$(dirname "$gomod")
-              
-              echo "Checking $dir"
-              
-              cd "$dir" || continue
-              
-              go list -m all | grep deckhouse | grep -v '=>' | while IFS= read -r line; do
-                module_name=$(echo "$line" | awk '{print $1}')
-                module_version=$(echo "$line" | awk '{print $2}')
-
-                if [ -z "$module_version" ]; then
-                  echo "  Checking module name $module_name"
-                  correct_module_name="github.com"/"$GITHUB_REPOSITORY"/"$dir"
-                  if [ "$module_name" != "$correct_module_name" ]; then
-                    echo "  Incorrect module name: $module_name, expected: $correct_module_name"
-                    echo "  Incorrect module name: $module_name, expected: $correct_module_name" >> "$temp_dir/incorrect_alert"
-                  else
-                    echo "  Correct module name: $module_name"
-                  fi
-                else
-                  echo "  Checking module tag $module_name"
-                  repository=$(echo "$line" | awk '{print $1}' | awk -F'/' '{ print "https://"$1"/"$2"/"$3".git" }')
-                  pseudo_tag=$(echo "$line" | awk '{print $2}')
-
-                  echo "  Cloning repo $repository into $temp_dir"
-                  if [ ! -d "$temp_dir/$repository" ]; then
-                    git clone "$repository" "$temp_dir/$repository" >/dev/null 2>&1
-                  fi
-
-                  cd "$temp_dir/$repository" || continue
-                  
-                  commit_info=$(git log -1 --pretty=format:"%H %cd" --date=iso-strict -- api/*)
-                  short_hash=$(echo "$commit_info" | awk '{print substr($1,1,12)}')
-                  commit_date=$(echo "$commit_info" | awk '{print $2}')
-                  commit_date=$(date -u -d "$commit_date" +"%Y%m%d%H%M%S")
-                  actual_pseudo_tag="v0.0.0-"$commit_date"-"$short_hash
-                  pseudo_tag_date=$(echo $pseudo_tag | awk -F'-' '{ print $2 }')
-                  echo "  Latest pseudo tag for $repository: $pseudo_tag"
-                  echo "  Actual pseudo tag for $repository: $actual_pseudo_tag"
-
-                  if [[ "$pseudo_tag" != "$actual_pseudo_tag" ]]; then
-                    echo "  Incorrect pseudo tag for repo $repository in file "$go_mod_file" (current: "$pseudo_tag", actual:"$actual_pseudo_tag")"
-                    echo "  Incorrect pseudo tag for repo $repository in file "$go_mod_file" (current: "$pseudo_tag", actual:"$actual_pseudo_tag")" >> $temp_dir"/incorrect_alert"
-                  fi
-                  
-                  cd - >/dev/null 2>&1
-                fi
-              done   
-              
-              cd - > /dev/null
-              
-              echo "----------------------------------------"
-          done
-
-          alert_lines_count=$(cat $temp_dir"/incorrect_alert" | wc -l)
-
-          if [ $alert_lines_count != 0 ]; then
-            echo "We have non-actual pseudo-tags or modules names in repository's go.mod files"
-            exit 1
-          fi
+        uses: deckhouse/modules-actions/go_modules_check@v2
@@ -1,6 +1,8 @@
 name: Build and checks
 
 on:
+  schedule:
+    - cron: "0 01 * * 0,3"
   pull_request:
     types: [opened, reopened, labeled, synchronize]
   push:
@@ -9,7 +11,16 @@ on:
   workflow_dispatch:
     inputs:
       release_branch:
-        description: "release branch name, example: release-1.68"
+        description: "Optional. Set minor version of release you want to scan. e.g.: 1.23"
+        required: false
+      scan_several_lastest_releases:
+        description: "Optional. Whether to scan last several releases or not. true/false. For scheduled pipelines it is always true. Default is: false."
+        required: false
+      latest_releases_amount:
+        description: "Optional. Number of latest releases to scan. Default is: 3"
+        required: false
+      severity:
+        description: "Optional. Vulnerabilities severity to scan. Default is: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
         required: false
 
 jobs:
@@ -19,40 +30,44 @@ jobs:
     secrets: inherit
   cve_scan_on_pr:
     if: github.event_name == 'pull_request'
-    name: Trivy images check
+    name: CVE scan for PR
     runs-on: [self-hosted, regular]
     needs: [build_dev]
     steps:
       - uses: actions/checkout@v4
-      - uses: deckhouse/modules-actions/cve_scan@v2
+      - uses: deckhouse/modules-actions/cve_scan@v4
         with:
-          image: ${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}
           tag: pr${{ github.event.number }}
           module_name: ${{ vars.MODULE_NAME }}
-          dd_url: ${{secrets.DEFECTDOJO_HOST}}
-          dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}}
-          trivy_registry: ${{ vars.PROD_REGISTRY }}
-          trivy_registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
-          trivy_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
-          deckhouse_private_repo: ${{secrets.DECKHOUSE_PRIVATE_REPO}}
+          dd_url: ${{ secrets.DEFECTDOJO_HOST }}
+          dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
+          prod_registry: "registry.deckhouse.io"
+          prod_registry_user: "license-token"
+          prod_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
+          dev_registry: ${{ vars.DEV_REGISTRY }}
+          dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+          dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+          deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
+          severity: "HIGH,CRITICAL"
   cve_scan:
     if: github.event_name != 'pull_request'
-    name: Trivy images check
+    name: Regular CVE scan
     runs-on: [self-hosted, regular]
     steps:
       - uses: actions/checkout@v4
-      - name: Sets env vars for manual run
-        run: |
-          echo "MODULE_IMAGE_TAG=${{ github.event.inputs.release_branch || 'main' }}" >> $GITHUB_ENV
-        if: github.event_name != 'workflow_dispatch'
-      - uses: deckhouse/modules-actions/cve_scan@v2
+      - uses: deckhouse/modules-actions/cve_scan@v4
         with:
-          image: ${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}
-          tag: ${{ env.MODULE_IMAGE_TAG || 'main' }}
+          tag: ${{ github.event.inputs.release_branch || github.event.repository.default_branch }}
           module_name: ${{ vars.MODULE_NAME }}
-          dd_url: ${{secrets.DEFECTDOJO_HOST}}
-          dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}}
-          trivy_registry: ${{ vars.PROD_REGISTRY }}
-          trivy_registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
-          trivy_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
-          deckhouse_private_repo: ${{secrets.DECKHOUSE_PRIVATE_REPO}}
+          dd_url: ${{ secrets.DEFECTDOJO_HOST }}
+          dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
+          prod_registry: "registry.deckhouse.io"
+          prod_registry_user: "license-token"
+          prod_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
+          dev_registry: ${{ vars.DEV_REGISTRY }}
+          dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+          dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+          deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
+          scan_several_lastest_releases: ${{ github.event.inputs.scan_several_lastest_releases }}
+          latest_releases_amount: ${{ github.event.inputs.latest_releases_amount || '3' }}
+          severity: ${{ github.event.inputs.severity }}
@@ -2,6 +2,7 @@
 ---
 image: bundle
 fromImage: builder/scratch
+
 import:
   # Rendering .werf/images-digests.yaml is required!
   - image: images-digests
@@ -18,6 +19,11 @@ import:
     add: /usr/local/bin/go-hooks
     to: /hooks/go-hooks
     after: setup
+  # Rendering .werf/choose-edition.yaml is required!
+  - image: choose-edition
+    add: /openapi
+    to: /openapi
+    after: setup
 git:
   - add: /
     to: /
@@ -30,7 +36,6 @@ git:
       - docs
       - hooks
       - monitoring
-      - openapi
-      - module.yaml
       - templates
       - Chart.yaml
+      - module.yaml
@@ -0,0 +1,15 @@
+---
+image: choose-edition
+fromImage: builder/alt
+fromCacheVersion: {{ div .Commit.Date.Unix (mul 60 60 24 30) }}
+
+git:
+  - add: /
+    to: /
+    includePaths:
+      - openapi
+shell:
+  setup:
+    - cd /openapi
+    - if [[ {{ .MODULE_EDITION }} == "ce" ]]; then cp -v values_ce.yaml values.yaml; else cp -v values_ee.yaml values.yaml; fi
+    - rm -rf values_*.yaml
@@ -4,4 +4,5 @@ descriptions:
   en: "sds node configurator module"
 requirements:
   bootstrapped: true
+  deckhouse: ">= 1.67"
 namespace: "d8-sds-node-configurator"
@@ -0,0 +1,33 @@
+x-extend:
+  schema: config-values.yaml
+type: object
+properties:
+  internal:
+    type: object
+    default: {}
+    properties:
+      pythonVersions:
+        type: array
+        default: []
+        items:
+          type: string
+      customWebhookCert:
+        type: object
+        default: {}
+        x-required-for-helm:
+          - crt
+          - key
+          - ca
+        properties:
+          crt:
+            type: string
+            x-examples: ["YjY0ZW5jX3N0cmluZwo="]
+          key:
+            type: string
+            x-examples: ["YjY0ZW5jX3N0cmluZwo="]
+          ca:
+            type: string
+            x-examples: ["YjY0ZW5jX3N0cmluZwo="]
+  registry:
+    type: object
+    description: "System field, overwritten by Deckhouse. Don't use"
@@ -47,8 +47,8 @@ metadata:
   namespace: d8-{{ .Chart.Name }}
   {{- include "helm_lib_module_labels" (list . (dict "app" "sds-health-watcher-controller")) | nindent 2 }}
 spec:
-  {{- include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" . | nindent 2 }}
   revisionHistoryLimit: 2
+  {{- include "helm_lib_deployment_strategy_and_replicas_for_ha" . | nindent 2 }}
   selector:
     matchLabels:
       app: sds-health-watcher-controller
@@ -61,6 +61,7 @@ spec:
       {{- include "helm_lib_node_selector" (tuple . "system") | nindent 6 }}
       {{- include "helm_lib_tolerations" (tuple . "system") | nindent 6 }}
       {{- include "helm_lib_module_pod_security_context_run_as_user_nobody" . | nindent 6 }}
+      {{- include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "sds-health-watcher-controller")) | nindent 6 }}
       imagePullSecrets:
         - name: {{ .Chart.Name }}-module-registry
       serviceAccountName: sds-health-watcher-controller