From 4562711da27640963966587189586ff690367901 Mon Sep 17 00:00:00 2001 From: LewisKSaint Date: Thu, 12 Sep 2024 13:47:09 -0400 Subject: [PATCH 1/4] DATAGO-84227 | Disable the automatic mounting of service account token --- .github/workflows/build-test-dev.yml | 21 ++++----- .github/workflows/main-branch-only.yml | 2 +- .github/workflows/prep-release.yml | 6 +-- .../workflows/test-broker-chaos-situation.yml | 2 +- .../workflows/test-broker-upgrade-update.yml | 2 +- .github/workflows/test-full-params-ha.yml | 2 +- .github/workflows/test-full-params.yml | 2 +- .github/workflows/test-helm-upgrade.yml | 2 +- .github/workflows/test-minimal-params.yml | 4 +- .github/workflows/vulncheck_periodic.yml | 16 +++---- Dockerfile | 8 ++-- Makefile | 2 +- ci/whitesource/whitesource-agent.config | 4 +- config/manager/kustomization.yaml | 4 +- controllers/statefulset.go | 46 ++++++++++++++++++- go.mod | 2 +- version.go | 2 +- 17 files changed, 84 insertions(+), 43 deletions(-) diff --git a/.github/workflows/build-test-dev.yml b/.github/workflows/build-test-dev.yml index 272b49b..dbfdc10 100644 --- a/.github/workflows/build-test-dev.yml +++ b/.github/workflows/build-test-dev.yml @@ -6,7 +6,7 @@ on: - main env: - VERSION: 1.1.1 + VERSION: 1.2.0-dev IMAGE_NAME: pubsubplus-eventbroker-operator VAULT_ADDR: ${{ secrets.VAULT_ADDR }} GCLOUD_PROJECT_ID_DEV: ${{ secrets.GCLOUD_PROJECT_ID }} @@ -25,12 +25,10 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: "1.21" - env: - GOTOOLCHAIN: go1.21rc3 + go-version: "1.22.7" - name: Check out code - uses: actions/checkout@v1 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 @@ -59,7 +57,7 @@ jobs: - name: Upload Test coverage Reports if: ${{ startsWith(github.ref_name, 'dev1.') && (github.ref_name != 'main') }} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: code-coverage-report path: | 
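Review bot: The actions bumped in the `Check out code` and `Upload Test coverage Reports` steps are still referenced by mutable major tags (`actions/checkout@v4`, `actions/upload-artifact@v4`), so a moved or compromised tag would run unreviewed code with this job's secrets (`VAULT_ADDR`, `GCLOUD_PROJECT_ID`) in scope; pin each to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The same applies to every checkout/upload-artifact bump elsewhere in this patch. The checkout also keeps `ref: ${{ github.head_ref }}`, which is fine under `push`/`pull_request` triggers but would execute fork code with secrets available if this workflow were ever switched to `pull_request_target`; the trigger block is only partly visible here (`on: … - main`), so worth confirming.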
@@ -100,7 +98,7 @@ jobs: - name: Checkout SolaceDev/maas-build-actions if: ${{ startsWith(github.ref_name, 'dev1.') && (github.ref_name != 'main') }} - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: repository: SolaceDev/maas-build-actions ref: refs/heads/master @@ -145,7 +143,7 @@ jobs: push: true env: VERSION: ${{ env.VERSION }} - IMAGE_NAME: pubsubplus-eventbroker-operator + IMAGE_NAME: ${{ env.IMAGE_NAME }} VAULT_ADDR: ${{ secrets.VAULT_ADDR }} GCLOUD_PROJECT_ID_DEV: ${{ secrets.GCLOUD_PROJECT_ID }} @@ -157,7 +155,7 @@ jobs: if: ${{ startsWith(github.ref_name, 'dev1.') && (github.ref_name != 'main') }} with: docker_image_to_check: gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} - prisma_repository_name: "${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}" + prisma_repository_name: "gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}" project_squad: "launchpad" prisma_jira_check: "False" @@ -183,8 +181,9 @@ jobs: - name: Uploads Trivy Scan Reports if: ${{ startsWith(github.ref_name, 'dev1.') && (github.ref_name != 'main') }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: + name: trivy-results path: | trivy-results.sarif @@ -199,7 +198,7 @@ jobs: - name: Uploads Trivy Scan Reports if: ${{ startsWith(github.ref_name, 'dev1.') && (github.ref_name != 'main') }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: path: | trivy-results.sarif diff --git a/.github/workflows/main-branch-only.yml b/.github/workflows/main-branch-only.yml index 9693049..03e97a2 100644 --- a/.github/workflows/main-branch-only.yml +++ b/.github/workflows/main-branch-only.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v1 + uses: actions/checkout@v4 - name: Create k8s Kind Cluster uses: helm/kind-action@v1.3.0 diff --git a/.github/workflows/prep-release.yml b/.github/workflows/prep-release.yml index 0f980f9..d108211 100644 
--- a/.github/workflows/prep-release.yml +++ b/.github/workflows/prep-release.yml @@ -4,7 +4,7 @@ on: release_tag: description: 'Release tag' required: true - default: '1.1.1' + default: '1.2.0' prep_internal_release: # Need to distinguish between internal and external releases # Internal release: Will use default internal location for created images (ghcr.io) and will tag and push operator candidate there @@ -24,7 +24,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.21 + go-version: 1.22.7 - name: Login to Github Packages uses: docker/login-action@v2 @@ -34,7 +34,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Checkout the code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Setup tools run: | diff --git a/.github/workflows/test-broker-chaos-situation.yml b/.github/workflows/test-broker-chaos-situation.yml index 47ffe72..19e30ab 100644 --- a/.github/workflows/test-broker-chaos-situation.yml +++ b/.github/workflows/test-broker-chaos-situation.yml @@ -19,7 +19,7 @@ jobs: echo "TESTNAMESPACE=op-test-chaos-$(date +%s)" >> $GITHUB_ENV - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 diff --git a/.github/workflows/test-broker-upgrade-update.yml b/.github/workflows/test-broker-upgrade-update.yml index 82c92ce..403a4bb 100644 --- a/.github/workflows/test-broker-upgrade-update.yml +++ b/.github/workflows/test-broker-upgrade-update.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v1 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 diff --git a/.github/workflows/test-full-params-ha.yml b/.github/workflows/test-full-params-ha.yml index 596ad28..d64cd72 100644 --- a/.github/workflows/test-full-params-ha.yml +++ b/.github/workflows/test-full-params-ha.yml 
@@ -19,7 +19,7 @@ jobs: echo "TESTNAMESPACE=op-test-full-$(date +%s)" >> $GITHUB_ENV - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 diff --git a/.github/workflows/test-full-params.yml b/.github/workflows/test-full-params.yml index febb3a9..bdd0ee0 100644 --- a/.github/workflows/test-full-params.yml +++ b/.github/workflows/test-full-params.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v1 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 diff --git a/.github/workflows/test-helm-upgrade.yml b/.github/workflows/test-helm-upgrade.yml index a71d280..2995749 100644 --- a/.github/workflows/test-helm-upgrade.yml +++ b/.github/workflows/test-helm-upgrade.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v1 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 diff --git a/.github/workflows/test-minimal-params.yml b/.github/workflows/test-minimal-params.yml index eea4371..aabb266 100644 --- a/.github/workflows/test-minimal-params.yml +++ b/.github/workflows/test-minimal-params.yml @@ -8,12 +8,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v1 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 - env: - GOTOOLCHAIN: go1.21rc3 - name: Create k8s Kind Cluster uses: helm/kind-action@v1.3.0 diff --git a/.github/workflows/vulncheck_periodic.yml b/.github/workflows/vulncheck_periodic.yml index 31079c9..9ecd912 100644 --- a/.github/workflows/vulncheck_periodic.yml +++ b/.github/workflows/vulncheck_periodic.yml @@ -4,7 +4,7 @@ on: - cron: '0 */ * * *' env: - VERSION: 1.1.1 + VERSION: 1.2.0 IMAGE_NAME: pubsubplus-eventbroker-operator VAULT_ADDR: ${{ secrets.VAULT_ADDR }} GCLOUD_PROJECT_ID_DEV: ${{ secrets.GCLOUD_PROJECT_ID }} 
@@ -27,10 +27,10 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: "1.21" + go-version: "1.22.7" - name: Check out code - uses: actions/checkout@v1 + uses: actions/checkout@v4 - name: Login to Github Packages uses: docker/login-action@v2 @@ -44,7 +44,7 @@ jobs: uses: docker/setup-buildx-action@v2 - name: Checkout SolaceDev/maas-build-actions - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: repository: SolaceDev/maas-build-actions ref: refs/heads/master @@ -65,7 +65,7 @@ jobs: secrets: | secret/data/development/gcp-gcr GCP_SERVICE_ACCOUNT | GCP_DEV_SERVICE_ACCOUNT env: - VERSION: 1.1.1 + VERSION: 1.2.0 IMAGE_NAME: pubsubplus-eventbroker-operator VAULT_ADDR: ${{ secrets.VAULT_ADDR }} GCLOUD_PROJECT_ID_DEV: ${{ secrets.GCLOUD_PROJECT_ID }} @@ -85,7 +85,7 @@ jobs: gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} push: true env: - VERSION: 1.1.1 + VERSION: 1.2.0 IMAGE_NAME: pubsubplus-eventbroker-operator VAULT_ADDR: ${{ secrets.VAULT_ADDR }} GCLOUD_PROJECT_ID_DEV: ${{ secrets.GCLOUD_PROJECT_ID }} @@ -121,7 +121,7 @@ jobs: - name: Uploads Trivy Scan Reports if: ${{ always() }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: path: | trivy-results.sarif @@ -136,7 +136,7 @@ jobs: - name: Uploads Trivy Scan Reports if: ${{ !startsWith(github.ref_name, '1.') }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: path: | trivy-results.sarif diff --git a/Dockerfile b/Dockerfile index 0bd1001..d454389 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.21 as builder +FROM golang:1.22.7 as builder WORKDIR /workspace # Copy the Go Modules manifests 
@@ -19,12 +19,12 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1194 +FROM registry.access.redhat.com/ubi9-minimal:9.4-1227.1725849298 LABEL name="solace/pubsubplus-eventbroker-operator" LABEL vendor="Solace Corporation" -LABEL version="1.1.1" -LABEL release="1.1.1" +LABEL version="1.2.0" +LABEL release="1.2.0" LABEL summary="Solace PubSub+ Event Broker Kubernetes Operator" LABEL description="The Solace PubSub+ Event Broker Kubernetes Operator deploys and manages the lifecycle of PubSub+ Event Brokers" diff --git a/Makefile b/Makefile index f0b1af9..fb32af4 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ # To re-generate a bundle for another specific version without changing the standard setup, you can: # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 1.1.1 +VERSION ?= 1.2.0 # API_VERSION defines the API version for the PubSubPlusEventBroker CRD API_VERSION ?= v1beta1 diff --git a/ci/whitesource/whitesource-agent.config b/ci/whitesource/whitesource-agent.config index a2d7476..70463a4 100644 --- a/ci/whitesource/whitesource-agent.config +++ b/ci/whitesource/whitesource-agent.config @@ -41,11 +41,11 @@ go.modules.includeTestDependencies=true #userKey= projectName=pubsubplus-kubernetes-operator -projectVersion=v1.1.1 +projectVersion=v1.2.0 projectToken= productName=pubsubplus-kubernetes-operator -productVersion=v1.1.1 +productVersion=v1.2.0 productToken= updateType=OVERRIDE #requesterEmail=user@provider.com diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index f4307df..275ce1e 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
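Review bot: The runtime base is moved to `registry.access.redhat.com/ubi9-minimal:9.4-1227.1725849298`, which is a specific build tag but still a tag, and the builder in the preceding hunk is `golang:1.22.7`, which is rebuilt in place on Docker Hub; neither reference is immutable, so the image is not reproducible and a registry-side tag move would pass unnoticed by the Trivy/Prisma scans that key off this tag. Pin both by digest and keep the tag as documentation, e.g. `FROM registry.access.redhat.com/ubi9-minimal:9.4-1227.1725849298@sha256:<digest>` and `FROM golang:1.22.7@sha256:<digest> AS builder`. A periodic bump job can then update the digests deliberately rather than implicitly on every build.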
@@ -10,5 +10,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: docker.io/solace/pubsubplus-eventbroker-operator - newTag: 1.1.1 + newName: ghcr.io/solacedev/pubsubplus-eventbroker-operator + newTag: 1.2.0 diff --git a/controllers/statefulset.go b/controllers/statefulset.go index ddbd3fd..066568a 100644 --- a/controllers/statefulset.go +++ b/controllers/statefulset.go @@ -340,6 +340,11 @@ func (r *PubSubPlusEventBrokerReconciler) updateStatefulsetForEventBroker(sts *a Name: "data", MountPath: "/var/lib/solace", }, + { + Name: "kube-api-access", + MountPath: "/var/run/secrets/kubernetes.io/serviceaccount", + ReadOnly: true, + }, }, }, }, @@ -400,6 +405,44 @@ func (r *PubSubPlusEventBrokerReconciler) updateStatefulsetForEventBroker(sts *a }, }, }, + { + Name: "kube-api-access", + VolumeSource: corev1.VolumeSource{ + Projected: &corev1.ProjectedVolumeSource{ + DefaultMode: &[]int32{420}[0], // 420 + Sources: []corev1.VolumeProjection{ + { + ServiceAccountToken: &corev1.ServiceAccountTokenProjection{ + ExpirationSeconds: &[]int64{3600}[0], + Path: "token", + }, + }, + { + ConfigMap: &corev1.ConfigMapProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "kube-root-ca.crt", + }, + Items: []corev1.KeyToPath{{ + Key: "ca.crt", + Path: "ca.crt", + }}, + }, + }, + { + DownwardAPI: &corev1.DownwardAPIProjection{ + Items: []corev1.DownwardAPIVolumeFile{{ + FieldRef: &corev1.ObjectFieldSelector{ + APIVersion: "v1", + FieldPath: "metadata.namespace", + }, + Path: "namespace", + }}, + }, + }, + }, + }, + }, + }, }, SecurityContext: &corev1.PodSecurityContext{ RunAsNonRoot: &[]bool{true}[0], // Set to true 
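Review bot: The `kube-api-access` projected volume re-creates what the kubelet injects by default (token, `kube-root-ca.crt` and namespace under `/var/run/secrets/kubernetes.io/serviceaccount`), so the broker container still receives a bearer token for its service account; if the aim is to take API-server access away from the broker, the `ServiceAccountToken` projection should be dropped rather than re-added, and if the broker does need it, a comment above the volume saying why (and which RBAC it relies on) would stop the next reader from removing it. The projection sets `ExpirationSeconds` to 3600 but no `Audience`, so the token is accepted by the API server for its default audience; set `Audience` if the intended consumer is something else. The kubelet rotates a projected token before expiry by rewriting the file, so the broker must re-read it rather than cache it — worth stating in the comment too. `DefaultMode: &[]int32{420}[0], // 420` would read better as `&[]int32{0644}[0]`, since the octal mode is the intent and the trailing comment adds nothing. updateStatefulsetForEventBroker starts before this hunk.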
@@ -407,7 +450,8 @@ func (r *PubSubPlusEventBrokerReconciler) updateStatefulsetForEventBroker(sts *a Type: corev1.SeccompProfileTypeRuntimeDefault, }, }, - ImagePullSecrets: m.Spec.BrokerImage.ImagePullSecrets, + AutomountServiceAccountToken: &[]bool{false}[0], + ImagePullSecrets: m.Spec.BrokerImage.ImagePullSecrets, }, } diff --git a/go.mod b/go.mod index 4fa9421..5c21485 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/SolaceProducts/pubsubplus-operator -go 1.21 +go 1.22.7 require ( github.com/google/gnostic-models v0.6.8 // indirect diff --git a/version.go b/version.go index 13d52fa..ee1072c 100644 --- a/version.go +++ b/version.go @@ -15,4 +15,4 @@ // limitations under the License. package main -const version = "1.1.1" +const version = "1.2.0" From ff1ccd2bf2998b1198762b3dce9318dfb9b97201 Mon Sep 17 00:00:00 2001 From: LewisKSaint Date: Thu, 12 Sep 2024 14:01:52 -0400 Subject: [PATCH 2/4] v1.2.0 prep --- .github/workflows/build-test-dev.yml | 2 +- config/manager/kustomization.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-test-dev.yml b/.github/workflows/build-test-dev.yml index dbfdc10..81f292c 100644 --- a/.github/workflows/build-test-dev.yml +++ b/.github/workflows/build-test-dev.yml @@ -6,7 +6,7 @@ on: - main env: - VERSION: 1.2.0-dev + VERSION: 1.2.0 IMAGE_NAME: pubsubplus-eventbroker-operator VAULT_ADDR: ${{ secrets.VAULT_ADDR }} GCLOUD_PROJECT_ID_DEV: ${{ secrets.GCLOUD_PROJECT_ID }} diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 275ce1e..8ec60eb 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -10,5 +10,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: ghcr.io/solacedev/pubsubplus-eventbroker-operator + newName: docker.io/solace/pubsubplus-eventbroker-operator newTag: 1.2.0 From de80b1bcb92ef05f7a46526249764ae20aad2cdb Mon Sep 17 00:00:00 2001 
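Review bot: `AutomountServiceAccountToken: false` is set unconditionally on the pod spec, and together with the explicit `kube-api-access` projection added in the preceding hunk the observable change is that the token volume is now operator-managed rather than kubelet-managed, not that the token is gone — the commit subject suggests otherwise. A comment above the field would keep that clear, e.g. `// Kubelet token injection is disabled; the service account token is mounted explicitly via the kube-api-access projected volume so its path, mode and lifetime are controlled by the operator.` Whether the broker actually needs any API access, and thus whether the projection is needed at all, cannot be determined from this hunk. updateStatefulsetForEventBroker starts before this hunk.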
From: LewisKSaint Date: Thu, 12 Sep 2024 15:52:02 -0400 Subject: [PATCH 3/4] prep for release --- ...lus-eventbroker-operator.clusterserviceversion.yaml | 10 +++++----- .../pubsubplus.solace.com_pubsubpluseventbrokers.yaml | 2 +- deploy/deploy.yaml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bundle/manifests/pubsubplus-eventbroker-operator.clusterserviceversion.yaml b/bundle/manifests/pubsubplus-eventbroker-operator.clusterserviceversion.yaml index 1a6e3c2..b6e017c 100644 --- a/bundle/manifests/pubsubplus-eventbroker-operator.clusterserviceversion.yaml +++ b/bundle/manifests/pubsubplus-eventbroker-operator.clusterserviceversion.yaml @@ -20,8 +20,8 @@ metadata: certified: "true" com.redhat.delivery.operator.bundle: "true" com.redhat.openshift.versions: v4.10 - containerImage: docker.io/solace/pubsubplus-eventbroker-operator:v1.1.1 - createdAt: "2024-07-31T18:47:51Z" + containerImage: docker.io/solace/pubsubplus-eventbroker-operator:v1.2.0 + createdAt: "2024-09-12T19:47:52Z" description: The Solace PubSub+ Event Broker Operator deploys and manages the lifecycle of PubSub+ Event Brokers operators.openshift.io/valid-subscription: '[]' @@ -29,7 +29,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/SolaceProducts/pubsubplus-kubernetes-quickstart support: Solace Products - name: pubsubplus-eventbroker-operator.v1.1.1 + name: pubsubplus-eventbroker-operator.v1.2.0 namespace: placeholder spec: apiservicedefinitions: {} @@ -296,7 +296,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - image: docker.io/solace/pubsubplus-eventbroker-operator:1.1.1 + image: docker.io/solace/pubsubplus-eventbroker-operator:1.2.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -411,4 +411,4 @@ spec: provider: name: Solace Corporation url: www.solace.com - version: 1.1.1 + version: 1.2.0 
diff --git a/bundle/manifests/pubsubplus.solace.com_pubsubpluseventbrokers.yaml b/bundle/manifests/pubsubplus.solace.com_pubsubpluseventbrokers.yaml index 30ad301..c1c3515 100644 --- a/bundle/manifests/pubsubplus.solace.com_pubsubpluseventbrokers.yaml +++ b/bundle/manifests/pubsubplus.solace.com_pubsubpluseventbrokers.yaml @@ -4,7 +4,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: - app.kubernetes.io/version: v1.1.1 + app.kubernetes.io/version: v1.2.0 name: pubsubpluseventbrokers.pubsubplus.solace.com spec: group: pubsubplus.solace.com diff --git a/deploy/deploy.yaml b/deploy/deploy.yaml index 88e6549..309a72e 100644 --- a/deploy/deploy.yaml +++ b/deploy/deploy.yaml @@ -1931,7 +1931,7 @@ spec: env: - name: WATCH_NAMESPACE value: "" - image: docker.io/solace/pubsubplus-eventbroker-operator:1.1.1 + image: docker.io/solace/pubsubplus-eventbroker-operator:1.2.0 imagePullPolicy: Always livenessProbe: httpGet: From 1e96c2c2b3e3d3aa143cab8729169d0d74b6584e Mon Sep 17 00:00:00 2001 From: LewisKSaint Date: Thu, 12 Sep 2024 16:13:15 -0400 Subject: [PATCH 4/4] prep for release --- .../pubsubplus-eventbroker-operator.clusterserviceversion.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/manifests/pubsubplus-eventbroker-operator.clusterserviceversion.yaml b/bundle/manifests/pubsubplus-eventbroker-operator.clusterserviceversion.yaml index b6e017c..fc5ac46 100644 --- a/bundle/manifests/pubsubplus-eventbroker-operator.clusterserviceversion.yaml +++ b/bundle/manifests/pubsubplus-eventbroker-operator.clusterserviceversion.yaml 
@@ -20,7 +20,7 @@ metadata: certified: "true" com.redhat.delivery.operator.bundle: "true" com.redhat.openshift.versions: v4.10 - containerImage: docker.io/solace/pubsubplus-eventbroker-operator:v1.2.0 + containerImage: docker.io/solace/pubsubplus-eventbroker-operator:1.2.0 createdAt: "2024-09-12T19:47:52Z" description: The Solace PubSub+ Event Broker Operator deploys and manages the lifecycle of PubSub+ Event Brokers