Merge branch 'master' into report-constraint-error

.github/workflows/helm-lint.yaml

@@ -0,0 +1,33 @@
+name: check-helm-lint
+on:
+  push:
+    paths:
+      - "cmd/build/helmify/static/**"
+      - "manifest_staging/**"
+  pull_request:
+    paths:
+      - "cmd/build/helmify/static/**"
+      - "manifest_staging/**"
+
+permissions: read-all
+
+jobs:
+  helm_lint_test:
+    name: "Helm lint"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+    - name: Set up Helm
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+      with:
+        version: "3.14.1"
+      id: install
+
+    - name: Lint Helm charts
+      run: |
+        helm lint manifest_staging/charts/gatekeeper/
+        helm lint cmd/build/helmify/static/

Dockerfile

@@ -1,10 +1,4 @@
-ARG BUILDPLATFORM="linux/amd64"
-ARG BUILDERIMAGE="golang:1.22-bookworm"
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot"
-
-FROM --platform=$BUILDPLATFORM $BUILDERIMAGE AS builder
+FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 AS builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS
@@ -24,7 +18,7 @@ COPY . .
 
 RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager
 
-FROM $BASEIMAGE
+FROM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
 
 WORKDIR /
 COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .

build/tooling/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23-bookworm@sha256:31dc846dd1bcca84d2fa231bcd16c09ff271bcc1a5ae2c48ff10f13b039688f3
+FROM golang:1.23-bookworm@sha256:1a5326b07cbab12f4fd7800425f2cf25ff2bd62c404ef41b56cb99669a710a83
 
 RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/[email protected]
 RUN GO111MODULE=on go install k8s.io/code-generator/cmd/[email protected]

cmd/build/helmify/static/values.yaml

@@ -224,7 +224,7 @@ controllerManager:
   extraRules: []
   networkPolicy:
     enabled: false
-    ingress: { }
+    ingress: []
       # - from:
       #   - ipBlock:
       #       cidr: 0.0.0.0/0

crd.Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.30.3 AS builder
+FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.31.1 AS builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS

gator.Dockerfile

@@ -1,10 +1,4 @@
-ARG BUILDPLATFORM="linux/amd64"
-ARG BUILDERIMAGE="golang:1.22-bookworm"
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot"
-
-FROM --platform=$BUILDPLATFORM $BUILDERIMAGE AS builder
+FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 AS builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS
@@ -23,7 +17,7 @@ WORKDIR /go/src/github.com/open-policy-agent/gatekeeper/cmd/gator
 
 RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o /gator
 
-FROM --platform=$BUILDPLATFORM $BASEIMAGE AS build
+FROM --platform=$BUILDPLATFORM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65 AS build
 USER 65532:65532
 COPY --from=builder --chown=65532:65532 /gator /gator
 ENTRYPOINT ["/gator"]

manifest_staging/charts/gatekeeper/values.yaml

@@ -224,7 +224,7 @@ controllerManager:
   extraRules: []
   networkPolicy:
     enabled: false
-    ingress: { }
+    ingress: []
       # - from:
       #   - ipBlock:
       #       cidr: 0.0.0.0/0

test/externaldata/dummy-provider/Dockerfile

@@ -1,8 +1,4 @@
-ARG BUILDPLATFORM="linux/amd64"
-ARG BUILDERIMAGE="golang:1.22-bookworm"
-ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot"
-
-FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder
+FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 as builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS
@@ -24,7 +20,7 @@ RUN go mod init && go mod tidy
 
 RUN go build -o provider provider.go
 
-FROM $BASEIMAGE
+FROM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
 
 WORKDIR /
 

test/image/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23-bullseye@sha256:ecef8303ced05b7cd1addf3c8ea98974f9231d4c5a0c230d23b37bb623714a23 as builder
+FROM golang:1.23-bullseye@sha256:45b43371f21ec51276118e6806a22cbb0bca087ddd54c491fdc7149be01035d5 as builder
 
 ARG BATS_VERSION
 ARG ORAS_VERSION

test/pubsub/fake-subscriber/Dockerfile

@@ -1,8 +1,4 @@
-ARG BUILDPLATFORM="linux/amd64"
-ARG BUILDERIMAGE="golang:1.22-bookworm"
-ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot"
-
-FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder
+FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 as builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS
@@ -24,7 +20,7 @@ RUN go mod init && go mod tidy && go mod vendor
 
 RUN go build -o main
 
-FROM $BASEIMAGE
+FROM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
 
 WORKDIR /
 

website/versioned_docs/version-v3.17.x/install.md

@@ -28,7 +28,7 @@ For either installation method, make sure you have cluster admin permissions:
 If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command:
 
 ```sh
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.17.0/deploy/gatekeeper.yaml
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.17.1/deploy/gatekeeper.yaml
 ```
 
 ### Deploying a Release using development image
@@ -92,7 +92,7 @@ You can alter the variables in `charts/gatekeeper/values.yaml` to customize your
 If you used a prebuilt image to deploy Gatekeeper, then you can delete all the Gatekeeper components with the following command:
 
   ```sh
-  kubectl delete -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.17.0/deploy/gatekeeper.yaml
+  kubectl delete -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.17.1/deploy/gatekeeper.yaml
   ```
 
 ### Using make