diff --git a/.flake8 b/.flake8
new file mode 100644
index 00000000..ea6646f3
--- /dev/null
+++ b/.flake8
@@ -0,0 +1,2 @@
+[flake8]
+ignore = E111,E501,E114
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
new file mode 100644
index 00000000..465d3a9a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,49 @@
+---
+name: "🐛 Bug Report"
+description: "If something isn't working as expected 🤔."
+labels: ["type/bug"]
+body:
+ - type: markdown
+ attributes:
+ value: Thanks for taking the time to file a bug report! Please fill out this form as completely as possible.
+
+ - type: input
+ attributes:
+ label: Affected version
+ description: Which version do you see this bug in?
+
+ - type: textarea
+ attributes:
+ label: Current and expected behavior
+ description: A clear and concise description of what the operator is doing and what you would expect.
+ validations:
+ required: true
+
+ - type: textarea
+ attributes:
+ label: Possible solution
+ description: "If you have suggestions on a fix for the bug."
+
+ - type: textarea
+ attributes:
+ label: Additional context
+ description: "Add any other context about the problem here. Or a screenshot if applicable."
+
+ - type: textarea
+ attributes:
+ label: Environment
+ description: |
+ What type of kubernetes cluster you are running aginst (k3s/eks/aks/gke/other) and any other information about your environment?
+ placeholder: |
+ Examples:
+ Output of `kubectl version --short`
+
+ - type: dropdown
+ attributes:
+ label: Would you like to work on fixing this bug?
+ description: |
+ **NOTE**: Let us know if you would like to submit a PR for this. We are more than happy to help you through the process.
+ options:
+ - "yes"
+ - "no"
+ - "maybe"
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 00000000..3e9cbccd
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
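Review bot: `ignore = E111,E501,E114` replaces flake8's built-in default ignore list instead of adding to it, so the rules flake8 silences out of the box (the E121/E123/E126/E226/E24/E704/W503/W504 set) become active as soon as this file is picked up. If the intent is only to allow two-space indentation and long lines, `extend-ignore = E111,E114,E501` keeps the defaults and adds these three.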
@@ -0,0 +1,12 @@ +--- +blank_issues_enabled: true +contact_links: + - name: Feature request + about: 🚀 Suggest an idea for this project + url: https://github.com/stackabletech/secret-operator-operator/discussions/new?category=ideas + - name: 🙋🏾 Question + about: Use this to ask a question about this project + url: https://github.com/stackabletech/secret-operator-operator/discussions/new?category=q-a + - name: Other issue + about: Open an issue that doesn't fit any other category + url: https://github.com/stackabletech/secret-operator-operator/issues/new diff --git a/.github/ISSUE_TEMPLATE/new_version.md b/.github/ISSUE_TEMPLATE/new_version.md new file mode 100644 index 00000000..fb744952 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/new_version.md @@ -0,0 +1,34 @@ +--- +name: New Version +about: Request support for a new product version +title: "[NEW VERSION]" +labels: '' +assignees: '' + +--- + +**Which new version of Stackable Secret Operator should we support?** + +Please specify the version, version range or version numbers to support, please also add these to the issue title + +**Additional information** + +If possible, provide a link to release notes/changelog + +**Changes required** + +Are there any upstream changes that we need to support? +e.g. new features, changed features, deprecated features etc. + + + +**Implementation checklist** + +Please don't change anything in this list. +Not all of these steps are necessary for all versions. + +- [ ] Update the Docker image +- [ ] Update documentation to include supported version(s) +- [ ] Update operator to support the new version (if needed) +- [ ] Update integration tests to test use the new versions (in addition or replacing old versions +- [ ] Update examples to use new versions diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 50eaadb2..00000000 --- a/.github/dependabot.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -# ============= -# This file is automatically generated from the templates in stackabletech/operator-templating -# DON'T MANUALLY EDIT THIS FILE -# ============= ---- -version: 2 -updates: - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - labels: - - "type/dependencies" - reviewers: - - "stackabletech/developers" - - - package-ecosystem: "cargo" - directory: "/" - schedule: - interval: "weekly" - labels: - - "type/dependencies" - reviewers: - - "stackabletech/rust-developers" - ignore: - # We never want to be notified about a kube-rs update. - # It often contains breaking changes so it has to be updated manually anyway - # and it needs to be updated together with kube-runtime, kube-derive etc. - - dependency-name: "kube*" - - dependency-name: "k8s-openapi" diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 14b10276..660a5e18 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -10,5 +10,6 @@ - [ ] Documentation added (or not applicable) - [ ] Changelog updated (or not applicable) - [ ] Cargo.toml only contains references to git tags (not specific commits or branches) +- [ ] Helm chart can be installed and deployed operator works (or not applicable) Once the review is done, comment `bors r+` (or `bors merge`) to merge. [Further information](https://bors.tech/documentation/getting-started/#reviewing-pull-requests) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..4aa7268e --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,317 @@ +--- +name: Stackable Build Pipeline + +on: + push: + branches: + - main + - staging + - trying + - "renovate/**" + tags: + - "*" + pull_request: + +env: + CARGO_TERM_COLOR: always + CARGO_INCREMENTAL: '0' + CARGO_PROFILE_DEV_DEBUG: '0' + RUSTFLAGS: "-D warnings" + RUSTDOCFLAGS: "-D warnings" + RUST_LOG: "info" + PRODUCT_NAME: "secret-operator" + DEV_REPO_HELM_URL: https://repo.stackable.tech/repository/helm-dev + TEST_REPO_HELM_URL: https://repo.stackable.tech/repository/helm-test + STABLE_REPO_HELM_URL: https://repo.stackable.tech/repository/helm-stable + +jobs: + # Identify unused dependencies + run_udeps: + name: Run Cargo Udeps + runs-on: ubuntu-latest + env: + RUSTC_BOOTSTRAP: 1 + steps: + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # renovate: tag=v1.0.7 + with: + profile: minimal + toolchain: stable + override: true + - uses: Swatinem/rust-cache@842ef286fff290e445b90b4002cc9807c3669641 # renovate: tag=v1.3.0 + with: + key: udeps + - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # renovate: tag=v1.0.3 + with: + command: install + args: cargo-udeps --locked + - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # renovate: tag=v1.0.3 + with: + command: udeps + + # This job evaluates the github environment to determine why this action is running and selects the appropriate + # target repository for published Helm charts based on this. 
+ # + # The following scenarios are identified: + # - pull request: + # condition: github.event_name == "pull_request" + # repository: test + # + # - release (aka a tag was created): + # condition: github.event_name == 'create' & github.ref.startswith('refs/tags/') + # repository: stable + # + # - merge of pr to main branch: + # condition: github.event_name == 'push' & github.ref == 'refs/heads/main' + # repository: dev + # + # Any other scenarios will cause the publish step to be skipped, most commonly this is expected to happen for the + # branches that bors uses internally (staging, trying) for which the checks need to run, but we do not want artifacts + # to be published. + select_repo: + name: Select target repository based on action trigger + runs-on: ubuntu-latest + outputs: + repository: ${{ steps.selectrepo.outputs.repo }} + steps: + - id: selectrepo + env: + TRIGGER: ${{ github.event_name }} + GITHUB_REF: ${{ github.ref }} + run: | + if [[ $TRIGGER == "pull_request" ]]; then + echo "exporting test as target repo: ${{ env.TEST_REPO_HELM_URL }}" + echo "::set-output name=repo::${{ env.TEST_REPO_HELM_URL }}" + elif [[ $TRIGGER == "push" && $GITHUB_REF == "refs/heads/main" ]]; then + echo "exporting dev as target repo: ${{ env.DEV_REPO_HELM_URL }}" + echo "::set-output name=repo::${{ env.DEV_REPO_HELM_URL }}" + elif [[ ( $TRIGGER == "create" || $TRIGGER == "push" ) && $GITHUB_REF == refs/tags/* ]]; then + echo "exporting stable as target repo: ${{ env.STABLE_REPO_HELM_URL }}" + echo "::set-output name=repo::${{ env.STABLE_REPO_HELM_URL }}" + else + echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF" + echo "::set-output name=repo::skip" + fi + + run_cargodeny: + name: Run Cargo Deny + runs-on: ubuntu-latest + strategy: + matrix: + checks: + - advisories + - bans licenses sources + + # Prevent sudden announcement of a new advisory from failing ci: + continue-on-error: ${{ matrix.checks == 'advisories' }} + + 
steps: + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - uses: EmbarkStudios/cargo-deny-action@8acbae97b5d01b0481ae14cee8fcd8f5aa9e374d # tag=v1.2.12 + with: + command: check ${{ matrix.checks }} + + run_rustfmt: + name: Run Rustfmt + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # renovate: tag=v1.0.7 + with: + profile: minimal + toolchain: stable + components: rustfmt + override: true + - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # renovate: tag=v1.0.3 + with: + command: fmt + args: --all -- --check + + run_clippy: + name: Run Clippy + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # renovate: tag=v1.0.7 + with: + profile: minimal + toolchain: stable + components: clippy + override: true + - uses: Swatinem/rust-cache@842ef286fff290e445b90b4002cc9807c3669641 # renovate: tag=v1.3.0 + with: + key: clippy + - name: Run clippy action to produce annotations + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: actions-rs/clippy-check@b5b5f21f4797c02da247df37026fcd0a5024aa4d # renovate: tag=v1.0.7 + if: env.GITHUB_TOKEN != null + with: + args: --all-targets -- -D warnings + token: ${{ secrets.GITHUB_TOKEN }} + - name: Run clippy manually without annotations + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + if: env.GITHUB_TOKEN == null + run: cargo clippy --all-targets -- -D warnings + + run_rustdoc: + name: Run RustDoc + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # renovate: tag=v1.0.7 + with: + profile: minimal + toolchain: stable + components: rustfmt + override: true + - uses: 
Swatinem/rust-cache@842ef286fff290e445b90b4002cc9807c3669641 # renovate: tag=v1.3.0 + with: + key: doc + - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # renovate: tag=v1.0.3 + with: + command: doc + args: --document-private-items + + run_tests: + name: Run Cargo Tests + needs: + - run_cargodeny + - run_clippy + - run_rustfmt + - run_rustdoc + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # renovate: tag=v1.0.7 + with: + profile: minimal + toolchain: stable + override: true + - uses: Swatinem/rust-cache@842ef286fff290e445b90b4002cc9807c3669641 # renovate: tag=v1.3.0 + with: + key: test + - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # renovate: tag=v1.0.3 + with: + command: test + + # This job cleans up the CRDs, Helm charts and Kustomize manifests, followed by rebuilding them + # It then runs a `git diff` and fails the entire workflow, if any difference is encountered. + # + # Since CRD files are generated during the 'cargo build' process we need to run this once after + # removing the CRD files to ensure that the checked in versions match what the code expects. + # + # The reason for this step is, that developers are expected to check in up-to-date versions of charts + # and manifests, as we'd otherwise have to build these in CI and commit them back to the PR, which + # creates all kinds of problems. + # Therefor this failsafe simply aborts anything that has not had charts and manifests rebuilt before pushing. 
+ check_charts: + name: Check if committed Helm & Kustomize Charts were up to date + needs: + - run_cargodeny + - run_clippy + - run_rustfmt + - run_rustdoc + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - name: Set up Helm + uses: azure/setup-helm@a517f2ff6560563a369e16ca7c7d136b6164423f # renovate: tag=v2.0 + with: + version: v3.6.2 + - name: Set up cargo + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # renovate: tag=v1.0.7 + with: + profile: minimal + toolchain: stable + override: true + - name: Set up rust-cache + uses: Swatinem/rust-cache@842ef286fff290e445b90b4002cc9807c3669641 # renovate: tag=v1.3.0 + with: + key: charts + - name: Regenerate charts + run: make regenerate-charts + - name: Check if committed charts were up to date + run: git diff --exit-code + - name: Git Diff showed uncommitted changes + if: ${{ failure() }} + uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e # tag=v6 + with: + script: | + core.setFailed('Committed charts were not up to date, please regenerate and re-commit!') + + test_charts: + name: Run Chart Tests + needs: + - check_charts + - run_tests + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - name: placeholder + run: echo Tests will go here + + tests_passed: + name: All tests passed + needs: + - test_charts + - run_udeps + runs-on: ubuntu-latest + steps: + - name: log + run: echo All tests have passed! 
+ + package_and_publish: + name: Package Charts, Build Docker Image and publish them + needs: + - tests_passed + - select_repo + runs-on: ubuntu-latest + env: + NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} + REPO: ${{ needs.select_repo.outputs.repository }} + if: needs.select_repo.outputs.repository != 'skip' + steps: + - name: Checkout + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + - uses: actions/setup-python@0ebf233433c08fb9061af664d501c3f3ff0e9e20 # tag=v3 + if: ${{ github.event_name == 'pull_request' }} + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # renovate: tag=v1.0.7 + with: + profile: minimal + toolchain: stable + components: rustfmt + override: true + - name: Install requirements for version tool + if: ${{ github.event_name == 'pull_request' }} + run: pip install -r python/requirements.txt + + # This step checks if the current run was triggered by a push to a pr (or a pr being created). + # If this is the case it changes the version of this project in all Cargo.toml files to include the suffix + # "-pr" so that the published artifacts can be linked to this PR. 
+ - name: Update version if PR
+ if: ${{ github.event_name == 'pull_request' }}
+ run: python/cargo_version.py -m pr${{ github.event.pull_request.number }}
+
+ # Recreate charts with changed version if needed
+ - name: Clean charts
+ if: ${{ github.event_name == 'pull_request' }}
+ run: make chart-clean clean-manifests compile-chart generate-manifests
+
+ # Package and publish charts
+ - name: Package Chart
+ run: mkdir -p target/helm && helm package --destination target/helm deploy/helm/${{ env.PRODUCT_NAME }}-operator
+ - name: Build Docker image
+ if: env.NEXUS_PASSWORD != null # pragma: allowlist secret
+ run: make docker
+ - name: Publish Chart
+ if: env.NEXUS_PASSWORD != null # pragma: allowlist secret
+ run: >-
+ /usr/bin/curl
+ --fail
+ -u 'github:${{ secrets.NEXUS_PASSWORD }}'
+ --upload-file "./$(find target/helm/ -name '*.tgz')"
+ "${{ env.REPO }}/"
diff --git a/.github/workflows/daily_security.yml b/.github/workflows/daily_security.yml
index 850a3f4d..b6397e24 100644
--- a/.github/workflows/daily_security.yml
+++ b/.github/workflows/daily_security.yml
@@ -14,7 +14,7 @@ jobs:
 audit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2.4.0
- - uses: actions-rs/audit-check@v1.2.0
+ - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # renovate: tag=v1.2.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/helm_tests.yml b/.github/workflows/helm_tests.yml
deleted file mode 100644
index 017edeef..00000000
--- a/.github/workflows/helm_tests.yml
+++ /dev/null
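Review bot: In `run_clippy` the step conditions `if: env.GITHUB_TOKEN != null` and `if: env.GITHUB_TOKEN == null` replace the `action-has-permission` check that the deleted `rust.yml` further down this diff used, but `secrets.GITHUB_TOKEN` is provided on every run (read-only for pull requests from forks, as far as I know), so the manual fallback never executes and `clippy-check` will still fail to create check runs in the case the old comment linked to (actions-rs/clippy-check issue 2). A condition that does distinguish the two cases is `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on the annotated step and its negation on the fallback. The workflow also declares no `permissions:` block, unlike `reviewdog.yaml` in this same diff, so each job runs with the repository's default token scope; adding `permissions:` with `contents: read` and `checks: write` at the top level makes the required scope explicit. Separately, `select_repo` publishes its result with `::set-output`, which GitHub has since deprecated in favour of `echo "repo=..." >> "$GITHUB_OUTPUT"`.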
@@ -1,53 +0,0 @@ -name: Lint and Test Helm Charts - -on: - push: - branches: ["main"] - pull_request: - -env: - CT_CONFIG: deploy/helm/ct.yaml - -jobs: - lint-test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2.4.0 - with: - fetch-depth: 0 - submodules: true - - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: v3.7.2 - - - uses: actions/setup-python@v2 - with: - python-version: 3.7 - - - name: Compile chart - run: make compile-chart - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.2.0 - - - name: Run chart-testing (lint) - run: ct lint --config "${CT_CONFIG}" - - - name: Run chart-testing (list-changed) - id: list-changed - run: | - changed=$(ct list-changed --config "${CT_CONFIG}") - if [[ -n "$changed" ]]; then - echo "::set-output name=changed::true" - fi - - - name: Create kind cluster - uses: helm/kind-action@v1.2.0 - if: steps.list-changed.outputs.changed == 'true' - - - name: Run chart-testing (install) - run: ct install --config "${CT_CONFIG}" - if: steps.list-changed.outputs.changed == 'true' diff --git a/.github/workflows/pr_generate_manifests.yml b/.github/workflows/pr_generate_manifests.yml deleted file mode 100644 index 3846104d..00000000 --- a/.github/workflows/pr_generate_manifests.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -# ============= -# This file is automatically generated from the templates in stackabletech/operator-templating -# DON'T MANUALLY EDIT THIS FILE -# ============= -name: Update Manifest files - -on: - pull_request: - -jobs: - manifests: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - token: ${{ secrets.STACKY_MC_STACKFACE_TOKEN }} - submodules: true - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: v3.6.2 - - name: update manifests - env: - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - if: env.NEXUS_PASSWORD != null - run: make generate-manifests - - name: Add & Commit - env: - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - if: env.NEXUS_PASSWORD != null - uses: EndBug/add-and-commit@v7 - with: - default_author: user_info - author_name: Stacky McStackface - author_email: stackable-bot@users.noreply.github.com - pathspec_error_handling: exitImmediately - pull: NO-PULL - add: 'deploy' - message: 'Github Actions: Generated k8s manifest files' diff --git a/.github/workflows/publish_main_artifacts.yml b/.github/workflows/publish_main_artifacts.yml deleted file mode 100644 index 6001d61e..00000000 --- a/.github/workflows/publish_main_artifacts.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -# ============= -# This file is automatically generated from the templates in stackabletech/operator-templating -# DON'T MANUALLY EDIT THIS FILE -# ============= ---- -name: Publish nightly artifacts from main branch - -on: - push: - branches: - - main - schedule: - - cron: '30 4 * * *' - workflow_dispatch: - -env: - PRODUCT_NAME: secret-operator - CARGO_TERM_COLOR: always - CARGO_INCREMENTAL: '0' - CARGO_PROFILE_DEV_DEBUG: '0' - RUSTFLAGS: "-D warnings" - REPO_HELM_URL: https://repo.stackable.tech/repository/helm-dev - -jobs: - helm: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 - submodules: true - - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: v3.6.2 - - - name: Build Docker image - env: - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - if: env.NEXUS_PASSWORD != null - run: make docker - - - name: Compile chart - run: make compile-chart - - - name: Package Chart - run: mkdir -p target/helm && helm package --destination target/helm deploy/helm/secret-operator - - - name: Publish Chart - env: - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - if: env.NEXUS_PASSWORD != null - run: >- - /usr/bin/curl - --fail - -u 'github:${{ secrets.NEXUS_PASSWORD }}' - --upload-file "./$(find target/helm/ -name '*.tgz')" - "${{ env.REPO_HELM_URL }}/" diff --git a/.github/workflows/publish_pr_artifacts.yml b/.github/workflows/publish_pr_artifacts.yml deleted file mode 100644 index b0818303..00000000 --- a/.github/workflows/publish_pr_artifacts.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -# ============= -# This file is automatically generated from the templates in stackabletech/operator-templating -# DON'T MANUALLY EDIT THIS FILE -# ============= ---- -name: Publish pull-request artifacts - -on: - pull_request: - -env: - PRODUCT_NAME: secret-operator - CARGO_TERM_COLOR: always - CARGO_INCREMENTAL: '0' - CARGO_PROFILE_DEV_DEBUG: '0' - RUSTFLAGS: "-D warnings" - REPO_HELM_URL: https://repo.stackable.tech/repository/helm-test - -jobs: - helm: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 - submodules: true - - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: v3.6.2 - - - name: Set up Python and update cargo version. - uses: actions/setup-python@v2 - with: - python-version: '3.x' - - - run: pip install -r ./python/requirements.txt - - run: python ./python/cargo_version.py -m pr${{ github.event.number }} - - - name: Build Docker image - env: - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - if: env.NEXUS_PASSWORD != null - run: make docker - - - name: Compile chart - run: make compile-chart - - - name: Package Chart - run: mkdir -p target/helm && helm package --destination target/helm deploy/helm/secret-operator - - - name: Publish Chart - env: - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - if: env.NEXUS_PASSWORD != null - run: >- - /usr/bin/curl - --fail - -u 'github:${{ secrets.NEXUS_PASSWORD }}' - --upload-file "./$(find target/helm/ -name '*.tgz')" - "${{ env.REPO_HELM_URL }}/" diff --git a/.github/workflows/publish_release_artifacts.yml b/.github/workflows/publish_release_artifacts.yml deleted file mode 100644 index 781a8310..00000000 --- a/.github/workflows/publish_release_artifacts.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -# ============= -# This file is automatically generated from the templates in stackabletech/operator-templating -# DON'T MANUALLY EDIT THIS FILE -# ============= ---- -name: Publish release artifacts - -on: - push: - tags: - - "*" - -env: - PRODUCT_NAME: secret-operator - CARGO_TERM_COLOR: always - CARGO_INCREMENTAL: '0' - CARGO_PROFILE_DEV_DEBUG: '0' - RUSTFLAGS: "-D warnings" - REPO_HELM_URL: https://repo.stackable.tech/repository/helm-stable - -jobs: - helm: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 - submodules: true - - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: v3.6.2 - - - name: Build Docker image - env: - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - if: env.NEXUS_PASSWORD != null - run: make docker-release - - - name: Compile chart - run: make compile-chart - - - name: Package Chart - run: mkdir -p target/helm && helm package --destination target/helm deploy/helm/secret-operator - - - name: Publish Chart - env: - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - if: env.NEXUS_PASSWORD != null - run: >- - /usr/bin/curl - --fail - -u 'github:${{ secrets.NEXUS_PASSWORD }}' - --upload-file "./$(find target/helm/ -name '*.tgz')" - "${{ env.REPO_HELM_URL }}/" diff --git a/.github/workflows/reviewdog.yaml b/.github/workflows/reviewdog.yaml new file mode 100644 index 00000000..31e3585f --- /dev/null +++ b/.github/workflows/reviewdog.yaml 
@@ -0,0 +1,70 @@
+---
+name: reviewdog
+on:
+ pull_request
+
+permissions:
+ contents: read
+ checks: write
+ pull-requests: write
+ issues: write
+
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ - uses: reviewdog/action-actionlint@b5e56751b84f345bfd33e15703d7db0bb7451eb7 # tag=v1.20.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ detect-secrets:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ - uses: reviewdog/action-detect-secrets@0034e2d330af20c02fb6d9b3a813404a4ef6ba12 # tag=v0.8.0
+ with:
+ github_token: ${{ secrets.github_token }}
+
+ flake8:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ - uses: actions/setup-python@0ebf233433c08fb9061af664d501c3f3ff0e9e20 # tag=v3
+ with:
+ python-version: "3.9"
+ - uses: reviewdog/action-flake8@29b3cb2cb65b42f0d6bf5597a5fe6d610f376328 # tag=v3.3.1
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ hadolint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ - uses: reviewdog/action-hadolint@2f36e7ddb63420bac655b14287cb6d6b82dd84e2 # tag=v1.28.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ markdownlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ - uses: reviewdog/action-markdownlint@40f5a7a4afc06d314a2c3a72f42c387b5187deaa # renovate: tag=v0.3
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ shellcheck:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ - uses: reviewdog/action-shellcheck@96c6653098ad696d9441d726c0593866671872f2 # tag=v1.14.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ yamllint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: 
actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ - uses: reviewdog/action-yamllint@aabd7aef24430a8da23122ca6711faec445dfcf6 # renovate: tag=v1.4.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
deleted file mode 100644
index b33462a6..00000000
--- a/.github/workflows/rust.yml
+++ /dev/null
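Review bot: The `detect-secrets` job passes `github_token: ${{ secrets.github_token }}` while every other job in this file uses `${{ secrets.GITHUB_TOKEN }}`; secret names are resolved case-insensitively so it works, but the odd one out reads like a typo and should be `github_token: ${{ secrets.GITHUB_TOKEN }}` for consistency. The workflow-level `permissions:` block grants `issues: write` and `pull-requests: write` to all seven linter jobs, and nothing visible here posts to issues; unless one of the reviewdog reporters is known to need it, dropping `issues: write` (or moving the write scopes down to the jobs that use them) keeps the token at the minimum the workflow actually needs.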
@@ -1,132 +0,0 @@ -# ============= -# This file is automatically generated from the templates in stackabletech/operator-templating -# DON'T MANUALLY EDIT THIS FILE -# ============= ---- -name: Rust checks - -on: - push: - branches: - - main - - staging - - trying - pull_request: - -env: - CARGO_TERM_COLOR: always - CARGO_INCREMENTAL: '0' - CARGO_PROFILE_DEV_DEBUG: '0' - RUSTFLAGS: "-D warnings" - RUSTDOCFLAGS: "-D warnings" - RUST_LOG: "info" - -jobs: - - test: - name: Run tests - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2.4.0 - with: - submodules: true - - uses: actions-rs/toolchain@v1.0.7 - with: - profile: minimal - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v1.3.0 - with: - key: test - - uses: actions-rs/cargo@v1.0.3 - with: - command: test - - rustfmt: - name: Run rustfmt - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2.4.0 - - uses: actions-rs/toolchain@v1.0.7 - with: - profile: minimal - toolchain: stable - components: rustfmt - override: true - - uses: actions-rs/cargo@v1.0.3 - with: - command: fmt - args: --all -- --check - - doc: - name: Run rustdoc - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2.4.0 - with: - submodules: true - - uses: actions-rs/toolchain@v1.0.7 - with: - profile: minimal - toolchain: stable - components: rustfmt - override: true - - uses: Swatinem/rust-cache@v1.3.0 - with: - key: doc - - uses: actions-rs/cargo@v1.0.3 - with: - command: doc - args: --document-private-items - - clippy: - name: Run clippy - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2.4.0 - with: - submodules: true - - uses: actions-rs/toolchain@v1.0.7 - with: - profile: minimal - toolchain: stable - components: clippy - override: true - - uses: Swatinem/rust-cache@v1.3.0 - with: - key: clippy - # We need this due to: https://github.com/actions-rs/clippy-check/issues/2 - - name: Check workflow permissions - id: check_permissions - uses: scherermichael-oss/action-has-permission@1.0.6 - 
with: - required-permission: write - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run clippy action to produce annotations - uses: actions-rs/clippy-check@v1.0.7 - if: steps.check_permissions.outputs.has-permission - with: - args: --all-targets -- -D warnings - token: ${{ secrets.GITHUB_TOKEN }} - - name: Run clippy manually without annotations - if: ${{ !steps.check_permissions.outputs.has-permission }} - run: cargo clippy --all-targets -- -D warnings - - cargo-deny: - name: Run cargo deny - runs-on: ubuntu-latest - strategy: - matrix: - checks: - - advisories - - bans licenses sources - - # Prevent sudden announcement of a new advisory from failing ci: - continue-on-error: ${{ matrix.checks == 'advisories' }} - - steps: - - uses: actions/checkout@v2.4.0 - - uses: EmbarkStudios/cargo-deny-action@v1.2.12 - with: - command: check ${{ matrix.checks }} diff --git a/.gitignore b/.gitignore index 4fd566b8..891289d9 100644 --- a/.gitignore +++ b/.gitignore @@ -7,7 +7,3 @@ target/ *.iml *.tgz - -Cargo.nix -crate-hashes.json -result* \ No newline at end of file diff --git a/.markdownlint.yaml b/.markdownlint.yaml new file mode 100644 index 00000000..dbfa4558 --- /dev/null +++ b/.markdownlint.yaml @@ -0,0 +1,20 @@ +--- +# All defaults or options can be checked here: +# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml + +# Default state for all rules +default: true + +# MD013/line-length - Line length +MD013: + # Number of characters + line_length: 9999 + # Number of characters for headings + heading_line_length: 9999 + # Number of characters for code blocks + code_block_line_length: 9999 + +# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content +MD024: + # Only check sibling headings + siblings_only: true diff --git a/.yamllint.yaml b/.yamllint.yaml index 91a7fec6..23a5a686 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml 
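Review bot: Setting `line_length`, `heading_line_length` and `code_block_line_length` to 9999 under `MD013` in the new `.markdownlint.yaml` disables the rule in all but name, and the three comments above the numbers describe the fields rather than that intent. markdownlint accepts `MD013: false` for this, which is shorter and states what the configuration does; keep the three numeric fields only if a real bound is wanted.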
@@ -8,3 +8,5 @@ rules: line-length: disable truthy: check-keys: false + comments: + min-spaces-from-content: 1 # Needed due to https://github.com/adrienverge/yamllint/issues/443 diff --git a/Makefile b/Makefile index e3746465..36322191 100644 --- a/Makefile +++ b/Makefile @@ -39,6 +39,10 @@ version: yq eval -i '.version = ${VERSION} | .appVersion = ${VERSION}' deploy/helm/secret-operator/Chart.yaml config: + if [ -d "deploy/config-spec/" ]; then\ + mkdir -p deploy/helm/secret-operator/configs;\ + cp -r deploy/config-spec/* deploy/helm/secret-operator/configs;\ + fi crds: mkdir -p deploy/helm/secret-operator/crds @@ -55,4 +59,4 @@ clean-manifests: generate-manifests: clean-manifests compile-chart ./scripts/generate-manifests.sh -regenerate-charts: chart-clean clean-manifests crds compile-chart generate-manifests +regenerate-charts: chart-clean clean-manifests compile-chart generate-manifests diff --git a/bors.toml b/bors.toml index 4f305075..420d30c8 100644 --- a/bors.toml +++ b/bors.toml @@ -1,12 +1,9 @@ status = [ - 'Run tests', - 'Run rustfmt', - 'Run rustdoc', - 'Run clippy', - 'Run cargo deny (bans licenses sources)' + 'All tests passed' ] delete_merged_branches = true use_squash_merge = true pr_status = [ 'license/cla' ] timeout_sec = 7200 cut_body_after = "" +required_approvals = 1 diff --git a/deny.toml b/deny.toml index 4f5ba74f..98368630 100644 --- a/deny.toml +++ b/deny.toml @@ -26,13 +26,18 @@ allow = [ "Apache-2.0", "BSD-3-Clause", "CC0-1.0", + "ISC", + "LicenseRef-ring", + "LicenseRef-webpki", "MIT", "Zlib" ] exceptions = [ + { name = "stackable-secret-operator-crd", allow = ["OSL-3.0"] }, { name = "stackable-secret-operator", allow = ["OSL-3.0"] }, -] + { name = "stackable-secret-operator-binary", allow = ["OSL-3.0"] }, + ] [[licenses.clarify]] name = "ring" @@ -53,4 +58,4 @@ unknown-registry = "deny" unknown-git = "deny" [sources.allow-org] -github = ["stackabletech", "teozkr"] +github = ["stackabletech"] 
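Review bot: The new `config` recipe's `cp -r deploy/config-spec/* …` fails the target when `deploy/config-spec/` exists but is empty, because the unmatched glob is passed to cp literally, and files deleted from `config-spec/` are never removed from the chart's `configs/` directory on later runs. Copying the directory contents without a glob avoids the first problem: `cp -r deploy/config-spec/. deploy/helm/secret-operator/configs;\`. The second hunk drops `crds` from `regenerate-charts`; if nothing else in that chain regenerates `deploy/helm/secret-operator/crds`, the packaged CRDs will drift from the code, which this diff does not show either way.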
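Review bot: `status` now gates merges on the single aggregate check `'All tests passed'`, but the workflow that produced the old named statuses is deleted in this commit and no workflow publishing the new one is visible here. If that job is missing or renamed, bors waits out `timeout_sec = 7200` on every merge instead of failing fast, so a comment naming its source, e.g. `# Published by the aggregate job in <WORKFLOW_FILE>`, keeps the gate auditable. The deleted workflow also ran the `cargo deny` advisories and licenses checks; whether those survive elsewhere cannot be seen from this diff. `required_approvals = 1` is a welcome tightening of the merge gate.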
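Review bot: The closing bracket of `exceptions` is now indented (`  ]`) while the `allow` list directly above closes at column 0; keep the two consistent. `LicenseRef-ring` and `LicenseRef-webpki` are custom identifiers that only resolve through `[[licenses.clarify]]` entries; the `ring` one is visible in context, but no `webpki` clarify appears in this hunk, so confirm it exists or the licenses check will still flag that crate. Narrowing `sources.allow-org` to `stackabletech` in the second hunk is the right direction for the supply chain; pair the `teozkr` removal with a check that no `Cargo.toml` git dependency still points there.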
diff --git a/deploy/DO_NOT_EDIT.md b/deploy/DO_NOT_EDIT.md index da37bf18..d6535b04 100644 --- a/deploy/DO_NOT_EDIT.md +++ b/deploy/DO_NOT_EDIT.md @@ -1,4 +1,10 @@ These Helm charts and manifests are automatically generated. -Please do not edit anything in this directory manually. +Please do not edit anything except for files explicitly mentioned below in this +directory manually. -The details are in-motion but check this repository for a few details: https://github.com/stackabletech/operator-templating +The following files are ok to edit: + +- helm/secret-operator-operator/templates/roles.yaml + +The details are in-motion but check this repository for a few details: + diff --git a/deploy/helm/secret-operator/README.md b/deploy/helm/secret-operator/README.md index cc0904a1..63d618ff 100644 --- a/deploy/helm/secret-operator/README.md +++ b/deploy/helm/secret-operator/README.md @@ -1,15 +1,13 @@ -# Helm Chart for Stackable Secret Operator - -This Helm Chart can be used to install Custom Resource Definitions and the Stackable Secret Operator. +# Helm Chart for Stackable Operator for Stackable Secret Operator +This Helm Chart can be used to install Custom Resource Definitions and the Operator for Stackable Secret Operator provided by Stackable. ## Requirements - Create a [Kubernetes Cluster](../Readme.md) - Install [Helm](https://helm.sh/docs/intro/install/) - -## Install the Stackable Secret Operator +## Install the Stackable Operator for Stackable Secret Operator ```bash # From the root of the operator repository @@ -18,16 +16,13 @@ make compile-chart helm install secret-operator deploy/helm/secret-operator ``` - ## Usage of the CRDs The usage of this operator and its CRDs is described in the [documentation](https://docs.stackable.tech/secret-operator/index.html) The operator has example requests included in the [`/examples`](https://github.com/stackabletech/secret-operator/tree/main/examples) directory. - ## Links https://github.com/stackabletech/secret-operator - 
diff --git a/deploy/helm/secret-operator/templates/configmap.yaml b/deploy/helm/secret-operator/templates/configmap.yaml new file mode 100644 index 00000000..7fa8613d --- /dev/null +++ b/deploy/helm/secret-operator/templates/configmap.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +data: +{{ (.Files.Glob "configs/*").AsConfig | indent 2 }} +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-configmap + labels: + {{- include "operator.labels" . | nindent 4 }} diff --git a/deploy/helm/secret-operator/templates/deployment.yaml b/deploy/helm/secret-operator/templates/deployment.yaml new file mode 100644 index 00000000..a5c58dd7 --- /dev/null +++ b/deploy/helm/secret-operator/templates/deployment.yaml @@ -0,0 +1 @@ +# Templated Deployment disabled for this operator diff --git a/deploy/helm/secret-operator/values.yaml b/deploy/helm/secret-operator/values.yaml index acc683a2..47c16bf2 100644 --- a/deploy/helm/secret-operator/values.yaml +++ b/deploy/helm/secret-operator/values.yaml @@ -22,10 +22,7 @@ podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 -securityContext: - # secret-operator requires root permissions - runAsUser: 0 - privileged: true +securityContext: {} # capabilities: # drop: # - ALL diff --git a/deploy/manifests/configmap.yaml b/deploy/manifests/configmap.yaml new file mode 100644 index 00000000..6885a53c --- /dev/null +++ b/deploy/manifests/configmap.yaml @@ -0,0 +1,14 @@ +--- +# Source: secret-operator/templates/configmap.yaml +apiVersion: v1 +data: + {} +kind: ConfigMap +metadata: + name: secret-operator-configmap + labels: + helm.sh/chart: secret-operator-0.3.0-nightly + app.kubernetes.io/name: secret-operator + app.kubernetes.io/instance: secret-operator + app.kubernetes.io/version: "0.3.0-nightly" + app.kubernetes.io/managed-by: Helm diff --git a/deploy/manifests/crds.yaml b/deploy/manifests/crds.yaml index f2788cf8..f49507a5 100644 --- a/deploy/manifests/crds.yaml +++ b/deploy/manifests/crds.yaml 
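Review bot: Dropping `runAsUser: 0` and `privileged: true` in favour of `securityContext: {}` changes the node plugin's runtime privilege, and the comment that explained why root was needed is gone without a replacement. The regenerated `deploy/manifests/daemonset.yaml` in this commit shows the effect: the `secret-operator` container now has an empty securityContext (the DaemonSet template itself is outside this diff, so how the value is consumed is inferred from that output). If the CSI driver still needs host privileges to mount volumes this fails at runtime; if it was verified to run unprivileged, that is a real least-privilege improvement worth recording next to the value, e.g. `# secret-operator runs unprivileged; verified in <ISSUE_OR_PR>`.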
@@ -1,4 +1,5 @@ --- +# Source: secret-operator/crds/crds.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -88,3 +89,4 @@ spec: served: true storage: true subresources: {} + diff --git a/deploy/manifests/csidriver.yaml b/deploy/manifests/csidriver.yaml index bafea851..5797e3a3 100644 --- a/deploy/manifests/csidriver.yaml +++ b/deploy/manifests/csidriver.yaml @@ -1,4 +1,5 @@ --- +# Source: secret-operator/templates/csidriver.yaml apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: @@ -8,4 +9,4 @@ spec: podInfoOnMount: true fsGroupPolicy: File volumeLifecycleModes: - - Ephemeral + - Ephemeral diff --git a/deploy/manifests/daemonset.yaml b/deploy/manifests/daemonset.yaml index d05daa42..ee0f023b 100644 --- a/deploy/manifests/daemonset.yaml +++ b/deploy/manifests/daemonset.yaml @@ -1,12 +1,15 @@ --- +# Source: secret-operator/templates/daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: name: secret-operator-daemonset labels: + helm.sh/chart: secret-operator-0.3.0-nightly app.kubernetes.io/name: secret-operator app.kubernetes.io/instance: secret-operator app.kubernetes.io/version: "0.3.0-nightly" + app.kubernetes.io/managed-by: Helm spec: selector: matchLabels: @@ -19,15 +22,16 @@ spec: app.kubernetes.io/instance: secret-operator spec: serviceAccountName: secret-operator-serviceaccount - securityContext: {} + securityContext: + {} containers: - name: secret-operator securityContext: - privileged: true - runAsUser: 0 + {} image: "docker.stackable.tech/stackable/secret-operator:0.3.0-nightly" imagePullPolicy: IfNotPresent - resources: {} + resources: + {} env: - name: CSI_ENDPOINT value: /csi/csi.sock diff --git a/deploy/manifests/deployment.yaml b/deploy/manifests/deployment.yaml new file mode 100644 index 00000000..9b29a4aa --- /dev/null +++ b/deploy/manifests/deployment.yaml @@ -0,0 +1,3 @@ +--- +# Source: secret-operator/templates/deployment.yaml +# Templated Deployment disabled for this operator 
diff --git a/deploy/manifests/roles.yaml b/deploy/manifests/roles.yaml index f57e4294..1ad15e63 100644 --- a/deploy/manifests/roles.yaml +++ b/deploy/manifests/roles.yaml @@ -1,4 +1,5 @@ --- +# Source: secret-operator/templates/roles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/deploy/manifests/secretclasses.yaml b/deploy/manifests/secretclasses.yaml index e6f27e9b..eca98c9d 100644 --- a/deploy/manifests/secretclasses.yaml +++ b/deploy/manifests/secretclasses.yaml @@ -1,4 +1,5 @@ --- +# Source: secret-operator/templates/secretclasses.yaml apiVersion: secrets.stackable.tech/v1alpha1 kind: SecretClass metadata: diff --git a/deploy/manifests/serviceaccount.yaml b/deploy/manifests/serviceaccount.yaml index 8b78a4d8..7a9dcaa4 100644 --- a/deploy/manifests/serviceaccount.yaml +++ b/deploy/manifests/serviceaccount.yaml @@ -1,22 +1,28 @@ --- +# Source: secret-operator/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: secret-operator-serviceaccount labels: + helm.sh/chart: secret-operator-0.3.0-nightly app.kubernetes.io/name: secret-operator app.kubernetes.io/instance: secret-operator app.kubernetes.io/version: "0.3.0-nightly" + app.kubernetes.io/managed-by: Helm --- +# Source: secret-operator/templates/serviceaccount.yaml apiVersion: rbac.authorization.k8s.io/v1 # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. kind: ClusterRoleBinding metadata: name: secret-operator-clusterrolebinding labels: + helm.sh/chart: secret-operator-0.3.0-nightly app.kubernetes.io/name: secret-operator app.kubernetes.io/instance: secret-operator app.kubernetes.io/version: "0.3.0-nightly" + app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount name: secret-operator-serviceaccount diff --git a/python/cargo_version.py b/python/cargo_version.py index c783ce58..aa67cb01 100755 --- a/python/cargo_version.py +++ b/python/cargo_version.py 
@@ -3,7 +3,9 @@ # Utility for viewing and managing versions of cargo workspaces and crates. # For workspaces, it assumes that all crate members use a single shared version. # -# usage: cargo_version.py [-h] [-p PROJECT] [-r] [-n {major,minor,patch}] [-s SET] [-o] +# usage: +# cargo_version.py [-h] [-p PROJECT] [-r] [-n {major,minor,patch}] +# [-s SET] [-o] [-m PRERELEASE] # # Change versions of cargo projects. # @@ -16,6 +18,9 @@ # Version # -s SET, --set SET Version # -o, --show Version +# -m PRERELEASE, --prerelease PRERELEASE +# Set pre-prelease string. +# import argparse import semver 
@@ -39,35 +44,42 @@ def finalize(cls, version): @classmethod def bump_level(cls, version, level): - v = semver.VersionInfo.parse(version) + parsed_version = semver.VersionInfo.parse(version) if level == 'major': - return str(v.bump_major()) + return str(parsed_version.bump_major()) if level == 'minor': - return str(v.bump_minor()) + return str(parsed_version.bump_minor()) if level == 'patch': - return str(v.bump_patch()) - else: - return str(v.bump_prerelease('nightly'))[:-2] ### remove the .1 suffix that semver always adds to the prererelease. + return str(parsed_version.bump_patch()) + + ### remove the .1 suffix that semver always adds to the prererelease before returning + return str(parsed_version.bump_prerelease('nightly'))[:-2] @classmethod def prerelease(cls, version, prerelease): - v = semver.VersionInfo.parse(version) - return str(semver.VersionInfo(v.major, v.minor, v.patch, prerelease)) + parsed_version = semver.VersionInfo.parse(version) + return str(semver.VersionInfo(parsed_version.major, parsed_version.minor, + parsed_version.patch, prerelease)) def finalize_version(self): - return Crate(self.path, self.name, Crate.finalize(self.version), self.dependencies.copy()) + return Crate(self.path, self.name, Crate.finalize(self.version), + self.dependencies.copy()) def bump_version(self, level): - return Crate(self.path, self.name, Crate.bump_level(self.version, level), self.dependencies.copy()) + return Crate(self.path, self.name, Crate.bump_level(self.version, level), + self.dependencies.copy()) def set_version(self, version): return Crate(self.path, self.name, version, self.dependencies.copy()) def set_prerelease(self, prerelease): - return Crate(self.path, self.name, Crate.prerelease(self.version, prerelease), self.dependencies.copy()) + return Crate(self.path, self.name, Crate.prerelease(self.version, prerelease), + self.dependencies.copy()) def next_version(self): - return Crate(self.path, self.name, 
str(semver.VersionInfo.parse(self.version).next_version('patch')), self.dependencies.copy()) + return Crate(self.path, self.name, + str(semver.VersionInfo.parse(self.version).next_version('patch')), + self.dependencies.copy()) def show_version(self): return self.version @@ -75,8 +87,8 @@ def show_version(self): def save(self, previous): contents = [] cargo_file = f"{self.path}/Cargo.toml" - with open(cargo_file, 'r') as r: - for line in r.readlines(): + with open(cargo_file, mode='r', encoding='utf-8') as cargo_file_read: + for line in cargo_file_read.readlines(): if line.startswith("version"): line = line.replace(previous.version, self.version) else: @@ -85,8 +97,8 @@ def save(self, previous): line = line.replace(previous.dependencies[dname], dversion) contents.append(line) - with open(cargo_file, 'w') as w: - w.write(''.join(contents)) + with open(cargo_file, mode='w', encoding='utf-8') as cargo_file_write: + cargo_file_write.write(''.join(contents)) def __str__(self): return f'Crate({self.path}, {self.name}, {self.version}, {self.dependencies})' @@ -94,7 +106,7 @@ def __str__(self): class Workspace: def __init__(self, crates): - names = set([c.name for c in crates]) + names = {c.name for c in crates} self.crates = {c.name: c.with_dependencies(names) for c in crates} def finalize_version(self): @@ -118,8 +130,8 @@ def next_version(self): return Workspace(Workspace.update_dependencies(crates).values()) def show_version(self): - for c in self.crates.values(): - return c.show_version() + for crate in self.crates.values(): + return crate.show_version() return "0.0.0" @classmethod 
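Review bot: `str(parsed_version.bump_prerelease('nightly'))[:-2]` still strips the last two characters unconditionally, which only holds when semver appended `.1`; for an input that already carries a prerelease tag the suffix differs and real characters of the tag appear to get dropped (a version such as `0.3.0-nightly`, the form this tool produces and this commit's manifests use, would come out as `0.3.0-night`). The `prerelease` classmethod in the same hunk already builds the tag explicitly, so the fallthrough can be `return cls.prerelease(version, 'nightly')` with the `### remove the .1 suffix` comment deleted. `bump_level` is shown in full, but the enclosing class header is outside the hunk.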
@@ -133,16 +145,21 @@ def __str__(self): return f'Workspace({[str(c) for c in self.crates.values()]})' def save(self, previous): - for cn in self.crates.keys(): - self.crates[cn].save(previous.crates[cn]) + for crate_key in self.crates.keys(): + self.crates[crate_key].save(previous.crates[crate_key]) def load(root): - r = toml.load(f"{root}/Cargo.toml") - if "workspace" in r: - return Workspace([load(f"{root}/{path}") for path in r["workspace"]["members"]]) - - return Crate(path=root, name=r["package"]["name"], version=r["package"]["version"], dependencies={dn: r["dependencies"][dn]["version"] for dn in r["dependencies"] if "version" in r["dependencies"][dn]}) + root_cargo_file = toml.load(f"{root}/Cargo.toml") + if "workspace" in root_cargo_file: + return Workspace([load(f"{root}/{path}") + for path in root_cargo_file["workspace"]["members"]]) + + return Crate(path=root, name=root_cargo_file["package"]["name"], + version=root_cargo_file["package"]["version"], + dependencies={dn: root_cargo_file["dependencies"][dn]["version"] + for dn in root_cargo_file["dependencies"] + if "version" in root_cargo_file["dependencies"][dn]}) def parse_args(): diff --git a/renovate.json b/renovate.json new file mode 100644 index 00000000..df34602d --- /dev/null +++ b/renovate.json @@ -0,0 +1,32 @@ +{ + "extends": [ + "helpers:pinGitHubActionDigests" + ], + "labels": [ + "dependencies" + ], + "prCreation": "not-pending", + "reviewers": [ + "team:developers" + ], + "rollbackPrs": true, + "schedule": [ + "after 5:00 and before 6:00 every weekday" + ], + "timezone": "Europe/Berlin", + "packageRules": [ + { + "matchUpdateTypes": [ + "patch" + ], + "groupName": "All dependencies (patch only)" + } + ], + "lockFileMaintenance": { + "enabled": true, + "schedule": [ + "after 5:00 and before 6:00 every weekday" + ] + }, + "ignorePaths": [".github/workflows/build.yml", ".github/workflows/daily_security.yml", ".github/workflows/reviewdog.yaml"] +} 
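Review bot: `load` still indexes `root_cargo_file["dependencies"]` unconditionally, so a member crate without a `[dependencies]` table raises `KeyError` instead of loading with an empty map; bind it once with `dependencies = root_cargo_file.get("dependencies", {})` and run the comprehension over that. A docstring stating that the function returns a `Workspace` when the manifest has a `[workspace]` table and a `Crate` otherwise would help, since the name does not say which. The `save` method at the top of the hunk iterates `.keys()` and re-indexes; `for name, crate in self.crates.items(): crate.save(previous.crates[name])` is the idiomatic form.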
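Review bot: `ignorePaths` excludes the three workflow files from Renovate entirely, so as far as I can tell the `helpers:pinGitHubActionDigests` preset will neither pin nor refresh action digests in `build.yml`, `daily_security.yml` and `reviewdog.yaml`, leaving action security updates there to be tracked by hand. If the intent is only to reduce version-bump noise, a `packageRules` entry scoped to those paths is narrower than ignoring them outright. On style, `ignorePaths` is written as a single-line array while every other array in the file is one element per line.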
diff --git a/scripts/generate-manifests.sh b/scripts/generate-manifests.sh index 9c1ad0f3..6011ad8b 100755 --- a/scripts/generate-manifests.sh +++ b/scripts/generate-manifests.sh @@ -1,22 +1,22 @@ -#!/bin/bash +#!/usr/bin/env bash # This script reads a Helm chart from deploy/helm/secret-operator-operator and # generates manifest files into deploy/manifestss set -e tmp=$(mktemp -d ./manifests-XXXXX) -helm template --output-dir $tmp \ +helm template --output-dir "$tmp" \ --include-crds \ --name-template secret-operator \ deploy/helm/secret-operator -for file in $(find $tmp -type f) +while IFS= read -r -d '' file do - yq eval -i 'del(.. | select(has("app.kubernetes.io/managed-by")) | ."app.kubernetes.io/managed-by")' $file - yq eval -i 'del(.. | select(has("helm.sh/chart")) | ."helm.sh/chart")' $file - sed -i '/# Source: .*/d' $file -done + yq eval -i 'del(.. | select(has("app.kubernetes.io/managed-by")) | ."app.kubernetes.io/managed-by")' "$file" + yq eval -i 'del(.. | select(has("helm.sh/chart")) | ."helm.sh/chart")' "$file" + sed -i '/# Source: .*/d' "$file" +done < <(find "$tmp" -type f) -cp -r $tmp/secret-operator/*/* deploy/manifests/ +cp -r "$tmp"/secret-operator/*/* deploy/manifests/ -rm -rf $tmp +rm -rf "$tmp"
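Review bot: The rewritten loop never executes: `read -r -d ''` expects NUL-separated input, but `find "$tmp" -type f` still emits newline-separated paths, so `read` reaches EOF before a delimiter and returns non-zero on the first iteration, and the `yq`/`sed` clean-up is skipped. The regenerated manifests in this same commit show the symptom — `deploy/manifests/*.yaml` now carry `# Source:` comments and the `helm.sh/chart`/`app.kubernetes.io/managed-by` labels the loop is meant to strip. The fix is on the producer side: `done < <(find "$tmp" -type f -print0)`. `set -e` does not catch this because a failing `while` condition is not treated as an error.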