Signed-off-by: Moritz Wanzenböck <[email protected]>
Showing
10 changed files
with
225 additions
and
34 deletions.
@@ -0,0 +1,46 @@ | ||
run: | ||
timeout: 5m | ||
allow-parallel-runners: true | ||
|
||
issues: | ||
# don't skip warning about doc comments | ||
# don't exclude the default set of lint | ||
exclude-use-default: false | ||
# restore some of the defaults | ||
# (fill in the rest as needed) | ||
exclude-rules: | ||
- path: "api/*" | ||
linters: | ||
- lll | ||
- path: "internal/*" | ||
linters: | ||
- dupl | ||
- lll | ||
linters: | ||
disable-all: true | ||
enable: | ||
- dupl | ||
- errcheck | ||
- ginkgolinter | ||
- goconst | ||
- gocyclo | ||
- gofmt | ||
- goimports | ||
- gosimple | ||
- govet | ||
- ineffassign | ||
- lll | ||
- misspell | ||
- nakedret | ||
- prealloc | ||
- revive | ||
- staticcheck | ||
- typecheck | ||
- unconvert | ||
- unparam | ||
- unused | ||
|
||
linters-settings: | ||
revive: | ||
rules: | ||
- name: comment-spacings |
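Review bot: The `path` values under `exclude-rules` (`"api/*"` and `"internal/*"`) are regular expressions in golangci-lint, not shell globs, so `api/*` means "api" followed by zero or more slashes and matches that substring anywhere in a file path rather than only files under the `api/` directory. If the intent is directory-scoped exclusions, anchor them: `- path: "^api/"` and `- path: "^internal/"`. Since the enabled set is explicit (`disable-all: true`), consider adding `gosec` to the `enable` list so the operator's Go code also gets static security checks next to `govet` and `staticcheck`. The comment pair `# restore some of the defaults` / `# (fill in the rest as needed)` describes nothing that follows it and could be dropped or replaced by what the two exclusions actually do.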
@@ -50,7 +50,7 @@ endif | |
# Image URL to use all building/pushing image targets | ||
IMG ?= quay.io/piraeusdatastore/piraeus-operator:v$(VERSION) | ||
# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. | ||
ENVTEST_K8S_VERSION = 1.29 | ||
ENVTEST_K8S_VERSION = 1.30 | ||
# ENVTEST_K8S_COMPAT_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary for | ||
# checking compatibility with older kubernetes versions. | ||
ENVTEST_K8S_COMPAT_VERSION = 1.20 | ||
|
@@ -115,6 +115,15 @@ vet: ## Run go vet against code. | |
test: manifests generate fmt vet envtest ## Run tests. | ||
KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out | ||
|
||
.PHONY: lint | ||
lint: golangci-lint ## Run golangci-lint linter | ||
$(GOLANGCI_LINT) run | ||
|
||
.PHONY: lint-fix | ||
lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes | ||
$(GOLANGCI_LINT) run --fix | ||
|
||
|
||
.PHONY: compat-test | ||
compat-test: manifests generate fmt vet envtest-compat ## Run tests. | ||
KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use --use-deprecated-gcs $(ENVTEST_K8S_COMPAT_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... | ||
|
@@ -174,46 +183,58 @@ $(LOCALBIN): | |
KUSTOMIZE ?= $(LOCALBIN)/kustomize | ||
CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen | ||
ENVTEST ?= $(LOCALBIN)/setup-envtest | ||
GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint | ||
ENVTEST_COMPAT ?= $(LOCALBIN)/setup-envtest-compat | ||
YQ ?= $(LOCALBIN)/yq | ||
|
||
## Tool Versions | ||
KUSTOMIZE_VERSION ?= v5.5.0 | ||
CONTROLLER_TOOLS_VERSION ?= v0.16.4 | ||
CONTROLLER_TOOLS_VERSION ?= v0.16.5 | ||
ENVTEST_VERSION ?= release-0.18 | ||
ENVTEST_COMPAT_VERSION ?= release-0.17 | ||
GOLANGCI_LINT_VERSION ?= v1.61.0 | ||
YQ_VERSION ?= v4.44.3 | ||
|
||
KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | ||
.PHONY: kustomize | ||
kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. | ||
kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. | ||
$(KUSTOMIZE): $(LOCALBIN) | ||
@if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION); then \ | ||
echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \ | ||
rm -rf $(LOCALBIN)/kustomize; \ | ||
fi | ||
test -s $(LOCALBIN)/kustomize || { curl -Ss $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN); } | ||
$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION)) | ||
|
||
.PHONY: controller-gen | ||
controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten. | ||
controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. | ||
$(CONTROLLER_GEN): $(LOCALBIN) | ||
test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ | ||
GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) | ||
|
||
.PHONY: yq | ||
yq: $(YQ) | ||
$(YQ): $(LOCALBIN) | ||
curl -sSLo "$(YQ)~" https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$(shell go env GOOS)_$(shell go env GOARCH) | ||
chmod +x "$(YQ)~" | ||
mv -v "$(YQ)~" $(YQ) | ||
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen,$(CONTROLLER_TOOLS_VERSION)) | ||
|
||
.PHONY: envtest | ||
envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. | ||
envtest: $(ENVTEST) ## Download setup-envtest locally if necessary. | ||
$(ENVTEST): $(LOCALBIN) | ||
test -s $@ || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest | ||
$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest,$(ENVTEST_VERSION)) | ||
|
||
.PHONY: envtest-compat | ||
envtest-compat: $(ENVTEST_COMPAT) ## Download envtest-setup locally if necessary. | ||
envtest-compat: $(ENVTEST_COMPAT) ## Download setup-envtest (legacy version) locally if necessary. | ||
$(ENVTEST_COMPAT): $(LOCALBIN) | ||
test -s $@ || GOBIN=$(LOCALBIN) go install -installsuffix -compat sigs.k8s.io/controller-runtime/tools/[email protected] | ||
$(call go-install-tool,$(ENVTEST_COMPAT),sigs.k8s.io/controller-runtime/tools/setup-envtest,$(ENVTEST_COMPAT_VERSION)) | ||
|
||
.PHONY: golangci-lint | ||
golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary. | ||
$(GOLANGCI_LINT): $(LOCALBIN) | ||
$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION)) | ||
|
||
# go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist | ||
# $1 - target path with name of binary (ideally with version) | ||
# $2 - package url which can be installed | ||
# $3 - specific version of package | ||
define go-install-tool | ||
@[ -f "$(1)-$(3)" ] || { \ | ||
set -e; \ | ||
package=$(2)@$(3) ;\ | ||
echo "Downloading $${package}" ;\ | ||
rm -f $(1) || true ;\ | ||
GOBIN=$(LOCALBIN) go install $${package} ;\ | ||
mv $(1) $(1)-$(3) ;\ | ||
} ;\ | ||
ln -sf $(1)-$(3) $(1) | ||
endef | ||
|
||
.PHONY: bundle | ||
bundle: manifests kustomize ## Generate bundle manifests and metadata, then validate generated files. | ||
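Review bot: The `go-install-tool` template at `define go-install-tool` runs `mv $(1) $(1)-$(3)` after `go install`, but `go install` names the binary after the package's last path element, so for the `$(ENVTEST_COMPAT)` call (`$(LOCALBIN)/setup-envtest-compat` built from `.../tools/setup-envtest`) the installed file is `$(LOCALBIN)/setup-envtest`, not `setup-envtest-compat`; as far as the hunk shows, the `mv` then fails, and the install first overwrites the `setup-envtest` symlink that the `$(ENVTEST)` rule created (also a race under `make -j`, since both rules write the same path). Installing into a private temporary `GOBIN` and moving whatever lands there to `$(1)-$(3)` makes the helper independent of the binary's name, which is what the rewritten template below does. `rm -f $(1) || true` is redundant because `rm -f` already ignores a missing file, and `ln -sf` replaces `$(1)` anyway. `KUSTOMIZE_INSTALL_SCRIPT` no longer appears to be referenced once `$(KUSTOMIZE)` goes through the helper; if nothing outside this hunk uses it, it can be removed so nobody reintroduces the unpinned `curl | bash` path.
```make
define go-install-tool
@[ -f "$(1)-$(3)" ] || { \
set -e; \
package=$(2)@$(3) ;\
echo "Downloading $${package}" ;\
tmpbin=$$(mktemp -d) ;\
GOBIN=$$tmpbin go install $${package} ;\
mv "$$tmpbin"/* $(1)-$(3) ;\
rmdir "$$tmpbin" ;\
} ;\
ln -sf $(1)-$(3) $(1)
endef
```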
|
@@ -17,6 +17,7 @@ limitations under the License. | |
package main | ||
|
||
import ( | ||
"crypto/tls" | ||
"flag" | ||
"os" | ||
"time" | ||
|
@@ -29,6 +30,7 @@ import ( | |
utilruntime "k8s.io/apimachinery/pkg/util/runtime" | ||
clientgoscheme "k8s.io/client-go/kubernetes/scheme" | ||
"sigs.k8s.io/controller-runtime/pkg/cache" | ||
"sigs.k8s.io/controller-runtime/pkg/metrics/filters" | ||
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" | ||
"sigs.k8s.io/controller-runtime/pkg/webhook" | ||
|
||
|
@@ -66,16 +68,24 @@ func main() { | |
var metricsAddr string | ||
var enableLeaderElection bool | ||
var probeAddr string | ||
var secureMetrics bool | ||
var enableHTTP2 bool | ||
var namespace string | ||
var pullSecret string | ||
var imageConfigMapName string | ||
var linstorApiQps float64 | ||
var nodeCacheDuration time.Duration | ||
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") | ||
var tlsOpts []func(*tls.Config) | ||
flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ | ||
"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") | ||
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") | ||
flag.BoolVar(&enableLeaderElection, "leader-elect", false, | ||
"Enable leader election for controller manager. "+ | ||
"Enabling this will ensure there is only one active controller manager.") | ||
flag.BoolVar(&secureMetrics, "metrics-secure", true, | ||
"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") | ||
flag.BoolVar(&enableHTTP2, "enable-http2", false, | ||
"If set, HTTP/2 will be enabled for the metrics and webhook servers") | ||
flag.StringVar(&namespace, "namespace", os.Getenv("NAMESPACE"), "The namespace to create resources in.") | ||
flag.StringVar(&pullSecret, "pull-secret", os.Getenv("PULL_SECRET"), "The pull secret to use for all containers") | ||
flag.StringVar(&imageConfigMapName, "image-config-map-name", os.Getenv("IMAGE_CONFIG_MAP_NAME"), "Config map holding default images to use") | ||
|
@@ -104,10 +114,47 @@ func main() { | |
|
||
ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) | ||
|
||
// if the enable-http2 flag is false (the default), http/2 should be disabled | ||
// due to its vulnerabilities. More specifically, disabling http/2 will | ||
// prevent from being vulnerable to the HTTP/2 Stream Cancellation and | ||
// Rapid Reset CVEs. For more information see: | ||
// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 | ||
// - https://github.com/advisories/GHSA-4374-p667-p6c8 | ||
disableHTTP2 := func(c *tls.Config) { | ||
setupLog.Info("disabling http/2") | ||
c.NextProtos = []string{"http/1.1"} | ||
} | ||
|
||
if !enableHTTP2 { | ||
tlsOpts = append(tlsOpts, disableHTTP2) | ||
} | ||
|
||
webhookServer := webhook.NewServer(webhook.Options{ | ||
TLSOpts: tlsOpts, | ||
}) | ||
|
||
// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. | ||
// More info: | ||
// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server | ||
// - https://book.kubebuilder.io/reference/metrics.html | ||
metricsServerOptions := metricsserver.Options{ | ||
BindAddress: metricsAddr, | ||
SecureServing: secureMetrics, | ||
TLSOpts: tlsOpts, | ||
} | ||
|
||
if secureMetrics { | ||
// FilterProvider is used to protect the metrics endpoint with authn/authz. | ||
// These configurations ensure that only authorized users and service accounts | ||
// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: | ||
// https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization | ||
metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization | ||
} | ||
|
||
mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ | ||
Scheme: scheme, | ||
Metrics: metricsserver.Options{BindAddress: metricsAddr}, | ||
WebhookServer: webhook.NewServer(webhook.Options{Port: 9443}), | ||
Metrics: metricsServerOptions, | ||
WebhookServer: webhookServer, | ||
HealthProbeBindAddress: probeAddr, | ||
LeaderElection: enableLeaderElection, | ||
LeaderElectionID: vars.OperatorName, | ||
|
2 changes: 1 addition & 1 deletion
2
config/crd/bases/piraeus.io_linstorsatelliteconfigurations.yaml