stolostron patches

- Add OWNERS file
- Enable CGO explicitly
- Update to multi-arch Dockerfile
- Use the `distroless/base-debian12` image for CGO
- Workflow to build/push to quay.io
- Workflow for Sonarcloud scanning
- Add Konflux build file

Signed-off-by: Dale Haiducek <[email protected]>

Author: dhaiducek

.github/renovate.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "dockerfile": {
+    "ignorePaths": [
+      "crd.Dockerfile",
+      "build/tooling/Dockerfile"
+    ]
+  },
+  "packageRules": [
+    {
+      "matchManagers": "helm-values",
+      "enabled": false
+    }
+  ],
+  "schedule": "before 8am on Monday",
+  "timezone": "America/New_York"
+}

.github/workflows/build-push-stolostron.yaml

@@ -0,0 +1,28 @@
+name: build and push to quay
+
+on:
+  push:  
+    tags:
+      - 'v*' # tags matching v*, i.e. v0.0.1, v1.0.0-rc.0
+
+jobs:
+  build:
+    name: Image build and push
+    runs-on: ubuntu-latest  
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: docker/login-action@v2
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_USER }}
+        password: ${{ secrets.QUAY_PASSWORD }}
+
+    - name: build and push
+      run: |
+        REPOSITORY="quay.io/gatekeeper/gatekeeper" \
+        PLATFORM="linux/amd64,linux/arm64,linux/arm/v8" \
+        OUTPUT_TYPE=type=registry GENERATE_ATTESTATIONS=true \
+        make docker-buildx-release
+

.github/workflows/gosec.yaml

@@ -0,0 +1,27 @@
+name: GoSec scan
+
+on:
+  push:
+    branches:
+      - master
+      - release-[0-9]+.[0-9]+
+  pull_request:
+    branches:
+      - master
+      - release-[0-9]+.[0-9]+
+
+jobs:
+  gosec:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Gatekeeper
+        uses: actions/checkout@v4
+      - name: Run Gosec Security Scanner
+        uses: securego/[email protected]
+        with:
+          args: -no-fail -fmt sonarqube -out gosec.json -stdout -exclude-dir=.go -exclude-dir=test ./...
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifacts
+          path: gosec.json

.github/workflows/sonarcloud.yaml

@@ -0,0 +1,14 @@
+name: Sonarcloud scan
+
+on:
+  workflow_run:
+    workflows:
+      - GoSec scan
+    types:
+      - completed
+
+jobs:
+  sonarcloud:
+    uses: stolostron/governance-policy-framework/.github/workflows/sonarcloud.yml@main
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/workflow.yaml

@@ -29,7 +29,7 @@ jobs:
   build_test:
     name: "Build and Test"
     runs-on: ubuntu-22.04
-    timeout-minutes: 15
+    timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
@@ -90,7 +90,7 @@ jobs:
   helm_build_test:
     name: "[Helm] Build and Test"
     runs-on: ubuntu-22.04
-    timeout-minutes: 15
+    timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
@@ -160,7 +160,7 @@ jobs:
   build_test_generator_expansion:
     name: "[Generator Resource Expansion] Build and Test"
     runs-on: ubuntu-22.04
-    timeout-minutes: 15
+    timeout-minutes: 20
 
     steps:
     - name: Harden Runner

.go-version

@@ -1 +1 @@
-1.22.0
+1.23.6

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:3f3b9daa3de608f3e869cd2ff8baf21555cf0fca9fd34251b8f340f9b7c30ec5 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:462f68e1109cc0415f58ba591f11e650b38e193fddc4a683a3b77d29be8bfb2c AS builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS
@@ -8,17 +8,45 @@ ARG LDFLAGS
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+    CGO_ENABLED=1 \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT}
 
+RUN if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+        apt -y update && apt -y install gcc-aarch64-linux-gnu && apt -y clean all; \
+    elif [ "${TARGETPLATFORM}" = "linux/arm/v8" ]; then \
+        apt -y update && apt -y install gcc-arm-linux-gnueabihf && apt -y clean all; \
+    fi
+
 WORKDIR /go/src/github.com/open-policy-agent/gatekeeper
-COPY . .
 
-RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager
+# Copy the Go module manifests and dependencies
+COPY go.mod go.mod
+COPY go.sum go.sum
+COPY vendor/ vendor/
+
+# Copy the source code
+COPY main.go main.go
+COPY apis/ apis/
+COPY pkg/ pkg/
+
+
+# Build the controller
+RUN  if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+        export CC=aarch64-linux-gnu-gcc; \
+    elif [ "${TARGETPLATFORM}" = "linux/arm/v8" ]; then \
+        export CC=arm-linux-gnueabihf-gcc; \
+    fi; \
+    go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager
+
 
-FROM gcr.io/distroless/static-debian12@sha256:f4a57e8ffd7ba407bdd0eb315bb54ef1f21a2100a7f032e9102e4da34fe7c196
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+# 
+# CGO_ENABLED requires the 'base' image: 
+# - https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md
+FROM gcr.io/distroless/base-debian12:nonroot
 
 WORKDIR /
 COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .

OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- yiraeChristineKim
+reviewers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- yiraeChristineKim

README.md

@@ -36,3 +36,7 @@ This project is governed by the [CNCF Code of conduct](https://github.com/cncf/f
 ## Security
 
 For details on how to report vulnerabilities and security release process, please refer to [Gatekeeper Security](https://open-policy-agent.github.io/gatekeeper/website/docs/security) for more information.
+
+<!---
+Date: 01/29/2025
+-->

Tiltfile

@@ -17,13 +17,13 @@ if settings.get("trigger_mode", "auto").lower() == "manual":
     trigger_mode(TRIGGER_MODE_MANUAL)
 
 TILT_DOCKERFILE = """
-FROM golang:1.23-bookworm as tilt-helper
+FROM golang:1.23-bookworm AS tilt-helper
 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/tilt-dev/rerun-process-wrapper/60eaa572cdf825c646008e1ea28b635f83cefb38/restart.sh && \
     wget --output-document /start.sh --quiet https://raw.githubusercontent.com/tilt-dev/rerun-process-wrapper/60eaa572cdf825c646008e1ea28b635f83cefb38/start.sh && \
     chmod +x /start.sh && chmod +x /restart.sh
 
-FROM gcr.io/distroless/base:debug as tilt
+FROM gcr.io/distroless/base:debug AS tilt
 WORKDIR /
 COPY --from=tilt-helper /start.sh .
 COPY --from=tilt-helper /restart.sh .
@@ -34,7 +34,7 @@ COPY bin/manager .
 def build_manager():
     cmd = [
         "make tilt-prepare",
-        "GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -a -o .tiltbuild/bin/manager",
+        "GO111MODULE=on CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -mod vendor -a -o .tiltbuild/bin/manager",
     ]
     local_resource(
         "manager",

build/Dockerfile.rhtap

@@ -0,0 +1,32 @@
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23 AS builder
+ENV LDFLAGS="-X github.com/open-policy-agent/gatekeeper/v3/pkg/version.Version=v3.18.2" \
+    GO111MODULE=on \
+    CGO_ENABLED=1
+
+WORKDIR /go/src/github.com/open-policy-agent/gatekeeper
+
+# Copy the Go module manifests and dependencies
+COPY go.mod go.mod
+COPY go.sum go.sum
+COPY vendor/ vendor/
+
+# Copy the source code
+COPY main.go main.go
+COPY apis/ apis/
+COPY pkg/ pkg/
+
+# Build the controller
+RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager
+
+
+# Copy the binary to the UBI-minimal base image
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+WORKDIR /
+COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .
+
+RUN mkdir licenses/
+COPY LICENSE licenses/
+
+USER 65532:65532
+
+ENTRYPOINT ["/manager"]

build/tooling/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23-bookworm@sha256:3f3b9daa3de608f3e869cd2ff8baf21555cf0fca9fd34251b8f340f9b7c30ec5
+FROM golang:1.23-bookworm@sha256:462f68e1109cc0415f58ba591f11e650b38e193fddc4a683a3b77d29be8bfb2c
 
 RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/[email protected]
 RUN GO111MODULE=on go install k8s.io/code-generator/cmd/[email protected]

config/manager/manager.yaml

@@ -56,7 +56,7 @@ spec:
             - "--operation=webhook"
             - "--operation=mutation-webhook"
             - "--disable-opa-builtin={http.send}"
-          image: openpolicyagent/gatekeeper:v3.18.2
+          image: quay.io/gatekeeper/gatekeeper:v3.18.2
           imagePullPolicy: Always
           name: manager
           ports:
@@ -151,7 +151,7 @@ spec:
             - --disable-cert-rotation
           command:
             - /manager
-          image: openpolicyagent/gatekeeper:v3.18.2
+          image: quay.io/gatekeeper/gatekeeper:v3.18.2
           env:
             # used by Gatekeeper
             - name: POD_NAMESPACE

gator.Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:3f3b9daa3de608f3e869cd2ff8baf21555cf0fca9fd34251b8f340f9b7c30ec5 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:462f68e1109cc0415f58ba591f11e650b38e193fddc4a683a3b77d29be8bfb2c AS builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS
@@ -7,7 +7,7 @@ ARG TARGETVARIANT=""
 ARG LDFLAGS
 
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+    CGO_ENABLED=1 \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT}

go.mod

@@ -1,6 +1,6 @@
 module github.com/open-policy-agent/gatekeeper/v3
 
-go 1.22.0
+go 1.23.6
 
 require (
 	cloud.google.com/go/trace v1.10.11
@@ -94,7 +94,7 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.2.1 // indirect
+	github.com/golang/glog v1.2.4 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/cel-go v0.17.8 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect

go.sum

@@ -173,8 +173,8 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
-github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc=
+github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

manifest_staging/deploy/gatekeeper.yaml

@@ -5109,7 +5109,7 @@ spec:
           value: manager
         - name: OTEL_RESOURCE_ATTRIBUTES
           value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME)
-        image: openpolicyagent/gatekeeper:v3.18.2
+        image: quay.io/gatekeeper/gatekeeper:v3.18.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -5228,7 +5228,7 @@ spec:
           value: manager
         - name: OTEL_RESOURCE_ATTRIBUTES
           value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME)
-        image: openpolicyagent/gatekeeper:v3.18.2
+        image: quay.io/gatekeeper/gatekeeper:v3.18.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

sonar-project.properties

@@ -0,0 +1,13 @@
+sonar.projectKey=open-cluster-management_gatekeeper
+sonar.projectName=gatekeeper
+sonar.organization=open-cluster-management
+sonar.sources=.
+sonar.exclusions=**/*_test.go,**/*_generated*.go,**/*_generated/**,**/vendor/**,/test/**,/build/**,/vbh/**,/version/**
+sonar.tests=.
+sonar.test.inclusions=**/*_test.go
+sonar.test.exclusions=**/*_generated*.go,**/*_generated/**,**/vendor/**,**/test/e2e/**
+sonar.go.tests.reportPaths=report.json,report_e2e.json,report_unit.json
+sonar.go.coverage.reportPaths=coverage.out,coverage_e2e.out,coverage_unit.out
+sonar.externalIssuesReportPaths=gosec.json
+sonar.qualitygate.wait=true
+sonar.qualitygate.timeout=450

test/externaldata/dummy-provider/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:3f3b9daa3de608f3e869cd2ff8baf21555cf0fca9fd34251b8f340f9b7c30ec5 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:462f68e1109cc0415f58ba591f11e650b38e193fddc4a683a3b77d29be8bfb2c AS builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS

test/image/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23-bookworm@sha256:3f3b9daa3de608f3e869cd2ff8baf21555cf0fca9fd34251b8f340f9b7c30ec5 as builder
+FROM golang:1.23-bookworm@sha256:462f68e1109cc0415f58ba591f11e650b38e193fddc4a683a3b77d29be8bfb2c AS builder
 
 ARG BATS_VERSION
 ARG ORAS_VERSION

test/pubsub/fake-subscriber/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:462f68e1109cc0415f58ba591f11e650b38e193fddc4a683a3b77d29be8bfb2c AS builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS