[pull] master from ca-gip:master #2
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![pull[bot]](https://avatars.githubusercontent.com/in/12910?s=60&v=4){kind=small}
- Renamed 'ca-gip' folder to 'cagip' - Updated GroupName by removing '-' to avoid code-gen issues - Generated new code using Kubernetes codegen 0.24.13 BREAKING CHANGE: Imports can now be done via 'github.com/ca-gip/kubi/pkg/apis/cagip/v1'
🎨 ⬆️ Refactor structure and upgrade to v0.24.13
- Upgraded go version to 1.19 - Upgraded goreleaser and other github actions
⬆️ Update github actions build and release
…Server Configuration.
--- Nous définissons la valeur à 1000 pour être conforme à la valeur maximale par défaut configuré côté LDAP Serveur pour éviter la création de pages inutiles engendrant forcément un requêtage moins performant.
Upgrade from 1.19 to 1.21
⬆️ Upgrade to support Kubernetes 1.26
Dans l'objectif de remplacer les podSecurityPolicy en prévision du passage en Kubernetes 1.26, il est nécessaire de mettre en place les nouvelles règles de sécurité. Nous mettons en place par défaut un enforce sur la policy "restricted", avec un warning emis dès lors que l'applicatif ne respecte pas la policy "restricted" et réalisons par défaut l'émission d'un event d'audit lorsque la policy ne respecte pas le niveau "restricted". Le choix restricted a été fait dans l'objectif d'avoir une politique sécurisée par défaut. En raison de projets clients devant être en privileged, nous rendons possible l'ajout d'une liste de namespaces devant être valorisés à privileged. Nous émettons un log de type Warn pour souligner à un administrateur la particularité de configuration d'un namespace en particulier dans les logs de l'opérateur. Sans cette modification tous les namespaces clients sont considérés comme héritant de la politique par défaut. La configuration est appliquée à travers le configmap de Kubi car c'est là qu'est toute la configuration du composant. Par conséquent, une modification de la configuration nécessite forcément un redémarrage de l'opérateur. (Peut être réalisé via Stakater).
✨ Mise en place des PodSecurityAdmission sur les namespaces clients
Update des packages actions/* et version de go pour builder l'image
⬆️ Upgrade packages for Kube 1.28
Ce fix est nécessaire pour que la status soit mis à jour lors de la création des projets. Actuellement le code de l'opérateur ne fait pas usage de la subresource status. Pour que les status se mettent à jour à la suite de cette modification, les projets doivent etre supprimés et il suffit alors de relancer l'opérateur. Cela n'a aucun impact.
✏️ Fix Status Field into Kubi CRD
Sans ce changement les nouveaux projects ne sont jamais créés si au moins un projet est présent dans le blacklist et que la fonctionnalité whitelist n'est pas activée
vu que nous avons adapter la fonction sur le précédent commit pour qu'il soit mieux testable, nous modifions ici les tests unitaires de la fonctions GenerateProject
🔨 fix blackWhiteList feature
FIX DEPLOYEMENT AND LDAP FILES ADD DEVELOPPEMENT GUIDE ADD CONTRIBUTING GUIDE
This file should not be present in the code.
Without this, we will fail on staticcheck, due to outdated practices. This is a problem, as it does not allow to improve our test coverage and reliability. This fixes it by: - Ensuring ioutil is not used; - Ensuring defers to closing connections are done if the conn was really created; - Cleaning up error messages and their formatting; - Start using errors for roleBinding method, and fixing a logic error (incrementing the counter of successful rolebinding creations even on failure); - Be explicit about the fact we ignore errors (handling errors should not be done in this commit); - Remove hasEnv, as it was not used; - Removed templating of strings which do not need templating; - Cleaned up to remove the useless returns or non idiomatic returns.
This is a first cleanup, tackling the absence of errors. This is not a problem right now, but will most likely fail linting in the future. This fixes it by simply adding basic error != nil pattern, and does NOT rethink the whole error handling. It is therefore a temporary workaround to cleanup the code. The whole error handling needs better treatment later, for example: - Removing the multiple useless wrappers to come back to simpler error management - Rethink the signature of the functions to take errors as first citizens - Cleanup code to better handle failures. These points are NOT included in this commit, and should be done in a later commit.
Without this, some parameters need to be passed around the different tooling at different point of the lifecycle (e.g. during the building of the containers). The current code is therefore stuck to amd64. This is a problem, as it makes it far less efficient to run on macos arm processors (we have to use a vm, cannot run locally). This fixes it by making sure the images will be able to be built on all os and architectures by using the 'goreleaser' abstracting tool. This tool was introduced into the repository and maintained but not configured in 2021 [1]. By configuring goreleaser, we can pick architectures (arm64 and amd64_v1 chosen), and we define ldflags+timestamp for generating reproducible builds. With the name of the binaries being generated, it then made sense to use a single dockerfile to build all those images, instead of keeping the 3 dockerfiles. However, this might impact readability, so I am open to revert this sub-part of the commit. At the same time, it fixes an issue of the tests NEVER running in CI, by ensuring the make test is ran before even building the image. This should weed out a few issues and help maintainance. [1]: a2bfca6 Signed-off-by: Jean-Philippe Evrard <[email protected]>
Staticcheck fixing
Use goreleaser everywhere
Without this, we use different versions of goreleaser in CI (github actions) and locally. This is a problem, as it leads to discrepencies between github actions and our code: More recent versions of goreleaser have changed their config file syntax. This fixes it by pinning the version in github actions.
Updates goreleaser to a more recent version.
Set goreleaser version
Without this, goreleaser is broken, and does not properly push neither on PR or on tag. This is due to a premature merge of a previous MR. This fixes it by ensuring the workflow works. It might need a few iterations to test the tag system is working as expected.
Use goreleaser to push release
Something went wrong in the commit updating the version for goreleaser (04785e1). The Makefile was not appropriately updated. This is a problem, as the goreleaser is not using the right version, and could lead to failures. On top of that, the Makefile did not have all the phony inputs appropriately adapted and goreleaser did not include the right name of the image... (all of which was supposedly added in that commit). This fixes it by cleaning up all the code linked to goreleaser.
The current Dockerfile is using a templated string at runtime, instead of build time. This is inconvenient and does not work. This fixes it by using a single binary name. The alternative would be to use CMD.
Fix goreleaser
Upgrade kubernetes 1.30+Upgrade packages+Upgrade go 1.23.3
with that, we are no longer dependent on ozzo packages which is an external package and is no longer maintained without this, we are dependent on a external package that is very old
Remove go-ozzo/ozzo-validation package
Revert "Remove go-ozzo/ozzo-validation package"
Without this, the docker tag will fail with unknown image name. This is a problem, as it breaks our releasing. This fixes it by both listing the available images to tag but also removing the incorrect dash on the image names.
Fix incorrect name of releasable image
We never used dashes in the docker hub repository. Yet, we have - in the code for releasing. This is a problem, as this fails the publishing. This fixes it by removing the dash, fixing the previous commit 8aef4c9.
Remove dashes in the dockerhub repositories
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )