diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml new file mode 100644 index 0000000..88841a5 --- /dev/null +++ b/.github/actions/aqua/action.yaml @@ -0,0 +1,14 @@ +name: "Setup tools" +description: "Setup tools with aqua" +inputs: + github_token: + description: "GitHub Token" + required: true +runs: + using: composite + steps: + - uses: aquaproj/aqua-installer@36dc5833b04eb63f06e3bb818aa6b7a6e6db99a9 # v2.1.2 + with: + aqua_version: v2.9.0 + env: + GITHUB_TOKEN: ${{ inputs.github_token }} diff --git a/.github/release.yml b/.github/release.yml new file mode 100644 index 0000000..04c2eef --- /dev/null +++ b/.github/release.yml @@ -0,0 +1,30 @@ +changelog: + exclude: + labels: + - ignore-for-release + - ci + - documentation + - refactoring + - test + categories: + - title: Features + labels: + - enhancement + - title: Bug Fixes + labels: + - bug + - title: Deprecated + labels: + - deprecate + - title: Removed + labels: + - remove + - title: Security + labels: + - security + - title: Dependencies + labels: + - dependencies + - title: Others + labels: + - "*" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 24f9438..79afca2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
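Review bot: The `github_token` input is documented only as "GitHub Token", which tells callers neither why the composite action needs it nor what scope suffices; its only consumer in the hunk is the `GITHUB_TOKEN` env handed to aqua-installer, presumably for authenticated GitHub API calls while fetching tool releases. Suggest `description: "GitHub token passed to aqua-installer as GITHUB_TOKEN for GitHub API access; the workflow's default GITHUB_TOKEN is sufficient"`. Both callers in this commit (ci.yaml and release.yaml) pass `secrets.GITHUB_TOKEN`, and the description should steer future callers away from handing in a broader personal access token.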
@@ -13,14 +13,32 @@ jobs: - uses: actions/setup-go@v3 with: go-version-file: go.mod - cache: true - - run: make setup + - uses: ./.github/actions/aqua + with: + github_token: ${{ secrets.GITHUB_TOKEN }} - run: make lint - run: make check-generate - run: make test - build-image: - name: Build Container Image + dry-run: + name: Dry-run release runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 - - run: docker build -t quay.io/cybozu/pod-security-admission:latest . + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - uses: docker/setup-qemu-action@v2 + - uses: docker/setup-buildx-action@v2 + - name: Setup go + uses: actions/setup-go@v3 + with: + go-version-file: go.mod + - uses: ./.github/actions/aqua + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + - run: make install.yaml + - name: GoReleaser + uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 + with: + version: latest + args: --snapshot --skip-publish --clean diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 495817c..0228f6c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
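Review bot: The new GoReleaser step asks for `version: latest`, so the dry-run downloads whichever goreleaser release is current at run time even though aqua.yaml in this same commit pins `goreleaser@v1.19.1` and `make setup` has already installed it; pin it (`version: v1.19.1`) or run the aqua-provided binary so CI exercises the same release tool as the tagged release. The same floating `version: latest` appears in the GoReleaser step of release.yaml. Relatedly, goreleaser-action is pinned to a commit SHA while `actions/checkout@v3`, `actions/setup-go@v3`, `docker/setup-qemu-action@v2` and `docker/setup-buildx-action@v2` in this hunk (and in release.yaml) are referenced by mutable major tags; the mixed policy gives a false sense of supply-chain pinning, so either SHA-pin them all or state the policy in a comment. The job that the first steps of this hunk belong to begins above the hunk.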
@@ -2,38 +2,45 @@ name: Release on: push: tags: - - 'v*' -env: - tag: ${GITHUB_REF#refs/tags/v} - prerelease: ${{ contains(github.ref, '-') }} + - 'v*' jobs: - image: - name: Push Container Image - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v3 - - run: docker build -t quay.io/cybozu/pod-security-admission:latest . - - name: Push docker image to Quay.io - run: | - echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USER }} --password-stdin quay.io - echo "pushing image ..." - docker tag quay.io/cybozu/pod-security-admission:latest quay.io/cybozu/pod-security-admission:${{ env.tag }} - docker push quay.io/cybozu/pod-security-admission:${{ env.tag }} - BRANCH=$(echo ${{ env.tag }} | cut -d "." -f 1-2) - docker tag quay.io/cybozu/pod-security-admission:latest quay.io/cybozu/pod-security-admission:$BRANCH - docker push quay.io/cybozu/pod-security-admission:$BRANCH release: - name: Release on GitHub - needs: image runs-on: ubuntu-22.04 - container: - image: quay.io/cybozu/golang:1.20-jammy steps: - - uses: actions/checkout@v3 - - run: make build/install.yaml - - name: Create release + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - uses: docker/setup-qemu-action@v2 + - uses: docker/setup-buildx-action@v2 + - name: GHCR Login + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: quay.io Login + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.QUAY_USER }} + password: ${{ secrets.QUAY_PASSWORD }} + - name: Setup go + uses: actions/setup-go@v3 + with: + go-version-file: go.mod + - uses: ./.github/actions/aqua + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + - name: Set Tag run: | - if ${{ env.prerelease }}; then - PRERELEASE="-prerelease" - fi - ghr -t ${{ secrets.GITHUB_TOKEN }} -u cybozu-go -r pod-security-admission -n v${{ env.tag }} ${PRERELEASE} -b "See 
[CHANGELOG.md](./CHANGELOG.md) for details." v${{ env.tag }} ./build/ + TAG=${GITHUB_REF#refs/tags/v} + sed -i "s/newTag: .*/newTag: $TAG/g" config/manager/kustomization.yaml + make install.yaml + - name: GoReleaser + uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 + with: + version: latest + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 0000000..3921b23 --- /dev/null +++ b/.goreleaser.yml 
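Review bot: No `permissions:` block is visible in this hunk, which covers the file from `on:` to the end, yet the `release` job pushes to ghcr.io with `secrets.GITHUB_TOKEN` via docker/login-action and creates the GitHub release with the same token, so it relies on whatever the repository's default token permissions happen to be; declare the minimum explicitly on the job, `permissions:` / `contents: write` / `packages: write`, so the token is neither read-only (push fails) nor broader than needed. Separately, the `Set Tag` step rewrites the tracked file `config/manager/kustomization.yaml` with `sed -i` and `make install.yaml` writes `install.yaml` into the repository root before `goreleaser release --clean` runs; unless `--skip-validate` is passed or those paths are git-ignored, goreleaser's clean-tree check is likely to fail with a dirty-state error, and the ci.yaml dry-run would not catch it because `--snapshot` skips that validation. The unescaped `$TAG` in the sed expression also assumes the tag contains no `/` or `&`.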
@@ -0,0 +1,48 @@ +project_name: pod-security-admission +dist: bin/ +builds: + - env: + - CGO_ENABLED=0 + main: ./cmd + binary: pod-security-admission + goos: + - linux + goarch: + - amd64 + ldflags: + - -X github.com/cybozu-go/pod-security-admission.Version={{.Version}} +archives: + - files: + - install.yaml +dockers: + - image_templates: + - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64" + - "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}-amd64" + use: buildx + dockerfile: Dockerfile + extra_files: + - LICENSE + build_flag_templates: + - "--platform=linux/amd64" + - "--label=org.opencontainers.image.created={{.Date}}" + - "--label=org.opencontainers.image.revision={{.FullCommit}}" + - "--label=org.opencontainers.image.version={{.Version}}" +docker_manifests: + - name_template: "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}" + image_templates: + - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64" + - name_template: "quay.io/cybozu/{{.ProjectName}}:{{ .Major }}.{{ .Minor }}" + image_templates: + - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64" + - name_template: "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}" + image_templates: + - "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}-amd64" + - name_template: "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Major }}.{{ .Minor }}" + image_templates: + - "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}-amd64" +checksum: + name_template: 'checksums.txt' +snapshot: + name_template: "{{ .Tag }}-next" +changelog: + use: github-native diff --git a/CHANGELOG.md b/CHANGELOG.md deleted file mode 100644 index d3e90ca..0000000 --- a/CHANGELOG.md +++ /dev/null 
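Review bot: The `ldflags` entry `-X github.com/cybozu-go/pod-security-admission.Version={{.Version}}` names `Version`, which in version.go (changed in this same commit) is the exported function, while the string meant to be overwritten is the unexported `var version = "unset"`; the Go linker's `-X` only sets string variables and silently ignores other symbols, so release binaries would report "unset". Assuming the module path is `github.com/cybozu-go/pod-security-admission` (it matches the repository URL used elsewhere in the diff), the line should read `- -X github.com/cybozu-go/pod-security-admission.version={{.Version}}`. While here, the build is not reproducible: adding `flags: [-trimpath]` and `mod_timestamp: "{{ .CommitTimestamp }}"` to the build entry lets anyone rebuild and compare against the published `checksums.txt`. The archives and images are also unsigned (no `signs`/`docker_signs` section), which is worth considering now that releases are produced by automation.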
@@ -1,88 +0,0 @@ -# Change Log - -All notable changes to this project will be documented in this file. -This project adheres to [Semantic Versioning](http://semver.org/). - -## [Unreleased] - -## [0.6.1] - 2023-05-10 - -### Changed - -- Update for Kubernetes 1.25.9 ([#33](https://github.com/cybozu-go/pod-security-admission/pull/33)) - -## [0.6.0] - 2023-03-31 - -### Changed - -- increase the default number of replicas (#31) - -## [0.5.0] - 2023-02-28 - -### Changed - -- Support Kubernetes 1.25 ([#29](https://github.com/cybozu-go/pod-security-admission/pull/29)) - - Build with go 1.20 - - Update Ubuntu to 22.04 - - Update dependencies - -## [0.4.0] - 2023-01-31 - -### Added - -- Allow net.ipv4.ip_unprivileged_port_start (#27) - -## [0.3.0] - 2022-10-06 - -### Added - -- Support for Ephemeral Container (#25) - -## [0.2.4] - 2022-07-25 - -### Changed - -- Update supported k8s version to 1.24 (#23) -- Build with Go 1.18 (#23) -- Update dependencies (#23) - -## [0.2.3] - 2021-12-10 - -### Changed - -- update supported k8s version to 1.22 (#19) - -## [0.2.2] - 2021-09-17 - -### Changed - -- Update supported k8s to 1.21 (#15) - -## [0.2.1] - 2021-09-02 - -### Changed - -- Deploy in "kube-system" namespace instead of "psa-system" (#12) - -## [0.2.0] - 2021-07-20 - -### Added - -- Add allowedHostPaths configuration (#10) - -## [0.1.0] - 2021-04-08 - -This is the first release. 
- -[Unreleased]: https://github.com/cybozu-go/pod-security-admission/compare/v0.6.1...HEAD -[0.6.1]: https://github.com/cybozu-go/pod-security-admission/compare/v0.6.0...v0.6.1 -[0.6.0]: https://github.com/cybozu-go/pod-security-admission/compare/v0.5.0...v0.6.0 -[0.5.0]: https://github.com/cybozu-go/pod-security-admission/compare/v0.4.0...v0.5.0 -[0.4.0]: https://github.com/cybozu-go/pod-security-admission/compare/v0.3.0...v0.4.0 -[0.3.0]: https://github.com/cybozu-go/pod-security-admission/compare/v0.2.4...v0.3.0 -[0.2.4]: https://github.com/cybozu-go/pod-security-admission/compare/v0.2.3...v0.2.4 -[0.2.3]: https://github.com/cybozu-go/pod-security-admission/compare/v0.2.2...v0.2.3 -[0.2.2]: https://github.com/cybozu-go/pod-security-admission/compare/v0.2.1...v0.2.2 -[0.2.1]: https://github.com/cybozu-go/pod-security-admission/compare/v0.2.0...v0.2.1 -[0.2.0]: https://github.com/cybozu-go/pod-security-admission/compare/v0.1.0...v0.2.0 -[0.1.0]: https://github.com/cybozu-go/pod-security-admission/compare/1468d8fc5862faccd4c0444b1d7721798ffe6080...v0.1.0 diff --git a/Dockerfile b/Dockerfile index b6ff2af..bf9654a 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,25 +1,9 @@ -# Build the manager binary -FROM quay.io/cybozu/golang:1.20-jammy as builder - -WORKDIR /workspace -# Copy the Go Modules manifests -COPY go.mod go.mod -COPY go.sum go.sum -# cache deps before building and copying source so that we don't need to re-download as much -# and so that source changes don't invalidate our downloaded layer -RUN go mod download - -# Copy the go source -COPY version.go version.go -COPY cmd/ cmd/ -COPY hooks/ hooks/ - -# Build -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o pod-security-admission cmd/main.go - FROM scratch +LABEL org.opencontainers.image.authors="Cybozu, Inc." \ + org.opencontainers.image.title="pod-security-admission" \ + org.opencontainers.image.source="https://github.com/cybozu-go/pod-security-admission" WORKDIR / -COPY --from=builder /workspace/pod-security-admission . +COPY pod-security-admission / USER 10000:10000 ENTRYPOINT ["/pod-security-admission"] diff --git a/Makefile b/Makefile index d44d488..d7035a5 100644 --- a/Makefile +++ b/Makefile @@ -1,15 +1,11 @@ -CONTROLLER_TOOLS_VERSION = 0.11.3 -KUSTOMIZE_VERSION = 4.5.7 ENVTEST_K8S_VERSION = 1.25.0 # Set the shell used to bash for better error handling. SHELL = /bin/bash .SHELLFLAGS = -e -o pipefail -c BIN_DIR := $(shell pwd)/bin -INSTALL_YAML = build/install.yaml +INSTALL_YAML = install.yaml -KUSTOMIZE = $(BIN_DIR)/kustomize -CONTROLLER_GEN = $(BIN_DIR)/controller-gen STATICCHECK = $(BIN_DIR)/staticcheck # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) 
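Review bot: `COPY pod-security-admission /` now expects a pre-built binary in the build context, so a plain `docker build .` of this Dockerfile no longer works once the builder stage is gone; add a header comment stating the contract, e.g. `# Built by goreleaser (see .goreleaser.yml): the linux/amd64 binary is placed in the build context before this Dockerfile is used.` Also, .goreleaser.yml adds `LICENSE` to the Docker build context via `extra_files`, but nothing here copies it into the image, so either `COPY LICENSE /` was intended or that `extra_files` entry is unused.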
@@ -41,12 +37,12 @@ help: ## Display this help. ##@ Development .PHONY: manifests -manifests: $(CONTROLLER_GEN) ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=pod-security-admission webhook paths="./..." +manifests: setup ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. + controller-gen rbac:roleName=pod-security-admission webhook paths="./..." .PHONY: generate -generate: $(CONTROLLER_GEN) ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. - $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." +generate: setup ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. + controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..." .PHONY: check-generate check-generate: @@ -71,16 +67,9 @@ test: setup-envtest manifests generate ## Run tests. build: ## Build binary. CGO_ENABLED=0 go build -o bin/pod-security-admission -ldflags="-w -s" ./cmd -$(INSTALL_YAML): $(KUSTOMIZE) +$(INSTALL_YAML): setup mkdir -p build - $(KUSTOMIZE) build ./config/default > $@ - -$(CONTROLLER_GEN): ## Download controller-gen locally if necessary. - $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v$(CONTROLLER_TOOLS_VERSION)) - -$(KUSTOMIZE): ## Download kustomize locally if necessary. - mkdir -p $(BIN_DIR) - curl -sSLf https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv$(KUSTOMIZE_VERSION)/kustomize_v$(KUSTOMIZE_VERSION)_linux_amd64.tar.gz | tar -xz -C $(BIN_DIR) + kustomize build ./config/default > $@ $(STATICCHECK): $(call go-install-tool,$(STATICCHECK),honnef.co/go/tools/cmd/staticcheck@latest) 
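Review bot: `manifests` and `generate` now invoke `controller-gen` by bare name (and the `$(INSTALL_YAML)` recipe in the next hunk invokes `kustomize` the same way), so they only work when aqua's bin directory is on `PATH`; nothing in the Makefile says so, and `setup` only runs `aqua i -l`. Add a comment near these targets such as `# Tools come from aqua (see aqua.yaml); aqua's bin directory ($AQUA_ROOT_DIR/bin) must be on PATH.` so local developers are not left with a "command not found" that CI, where aqua-installer adjusts PATH, never sees. The comment could also point out that the version pin formerly carried by `$(CONTROLLER_GEN)` now lives in aqua.yaml.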
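Review bot: `mkdir -p build` in the `$(INSTALL_YAML)` recipe is now dead code: `INSTALL_YAML` was changed to `install.yaml` at the repository root in the first hunk of this file, so the `build/` directory is created and never used; drop the line. Because the generated `install.yaml` now lands in the repository root, it should be git-ignored and removed by `clean` so that `make install.yaml` does not dirty the working tree (neither .gitignore nor the `clean` recipe is visible here, so I cannot confirm either).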
@@ -92,7 +81,8 @@ setup-envtest: ## Download setup-envtest locally if necessary GOBIN=$(BIN_DIR) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest .PHONY: setup -setup: $(STATICCHECK) $(KUSTOMIZE) $(CONTROLLER_GEN) setup-envtest +setup: + aqua i -l .PHONY: clean clean: diff --git a/aqua.yaml b/aqua.yaml new file mode 100644 index 0000000..9eda0da --- /dev/null +++ b/aqua.yaml @@ -0,0 +1,9 @@ +# aqua - Declarative CLI Version Manager +# https://aquaproj.github.io/ +registries: + - type: standard + ref: v4.23.0 # renovate: depName=aquaproj/aqua-registry +packages: + - name: kubernetes-sigs/kustomize@kustomize/v4.5.7 + - name: kubernetes-sigs/controller-tools/controller-gen@v0.11.3 + - name: goreleaser/goreleaser@v1.19.1 diff --git a/docs/getting-started.md b/docs/getting-started.md index 5ff6b84..fc40fde 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -32,7 +32,10 @@ $ kubectl label namespace/cert-manager pod-security.cybozu.com/policy=privileged Deploy pod-security-admission: ```console -$ kubectl apply -f https://github.com/cybozu-go/pod-security-admission/releases/download/v0.0.1-alpha.0/install.yaml +$ wget https://github.com/cybozu-go/pod-security-admission/releases/download/vx.y.z/pod-security-admission_x.y.z_linux_amd64.tar.gz +$ tar xvzf pod-security-admission_x.y.z_linux_amd64.tar.gz +$ cd pod-security-admission_x.y.z_linux_amd64 +$ kubectl apply -f install.yaml ``` Verification diff --git a/version.go b/version.go index 815bb9d..e94eb42 100644 --- a/version.go +++ b/version.go @@ -1,6 +1,6 @@ package psa -const version = "0.6.1" +var version = "unset" // Version returns the semantic versioning string of pod-security-admission. func Version() string {
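Review bot: `aqua i -l` installs only the symlinks (`--only-link`) and defers the actual download of each tool to its first invocation, so network or checksum failures surface inside `manifests`, `generate` or `make install.yaml` rather than in `setup`, and a `setup` that "succeeds" offline proves nothing. If the intent is that `setup` materialises the toolchain the way the old `$(STATICCHECK) $(KUSTOMIZE) $(CONTROLLER_GEN)` prerequisites did, use `aqua i` without `-l`, or document the lazy behaviour in the target's `##` help text.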
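Review bot: The registry is pinned (`ref: v4.23.0`) and every package carries an exact version, but there is no `checksum:` section, so aqua does not verify the downloaded kustomize, controller-gen and goreleaser archives against recorded checksums; a re-uploaded or tampered release asset at the same tag would be installed silently. Enable it with `checksum:` / `enabled: true` / `require_checksum: true` and commit the generated `aqua-checksums.json` next to this file; this matters because these three tools produce the published `install.yaml` and the release artifacts.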
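Review bot: `var version = "unset"` carries no comment explaining that it is a link-time placeholder, and the placeholder is what users actually see from any build that does not pass `-X`: the Makefile's `build` target in this commit uses `-ldflags="-w -s"` with no `-X`, so `make build` binaries report "unset". Add `// version is overwritten at link time via -ldflags "-X <module>.version=<tag>" (see .goreleaser.yml); builds without it report "unset".` and consider passing the same `-X` from the Makefile so local and release builds agree on what `Version()` returns.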