diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..99860b9 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,34 @@ +--- +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + open-pull-requests-limit: 20 + schedule: + interval: "weekly" + commit-message: + prefix: ":github:" + + # Maintain dependencies for Docker + - package-ecosystem: "docker" + directory: / + open-pull-requests-limit: 20 + schedule: + interval: "daily" + commit-message: + prefix: ":whale:" + + # Maintain dependencies for go + - package-ecosystem: "gomod" + directory: "/" + open-pull-requests-limit: 20 + schedule: + interval: "daily" + commit-message: + prefix: ":seedling:" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..5f70639 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,61 @@ +--- +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} + cancel-in-progress: true + +on: # yamllint disable-line rule:truthy + push: + branches: + - main + - master + pull_request: + # The branches below must be a subset of the branches above + branches: + - main + - master + schedule: + - cron: '19 18 * * 5' + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + language: ['go'] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..42a4431 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,22 @@ +--- +name: 'Dependency Review' + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} + cancel-in-progress: true + +on: # yamllint disable-line rule:truthy + - pull_request + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v4 + + - name: 'Dependency Review' + uses: actions/dependency-review-action@v3 diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 0000000..155c5d3 --- /dev/null +++ b/.github/workflows/docker-build.yml @@ -0,0 +1,43 @@ +--- +name: ci + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} + cancel-in-progress: true + +on: # yamllint disable-line rule:truthy + push: + branches: + - 'master' + - 'main' + +permissions: + contents: read + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: . + push: true + tags: redradrat/aws-iam-operator:latest + cache-from: type=registry,ref=redradrat/aws-iam-operator:buildcache + cache-to: type=registry,ref=redradrat/aws-iam-operator:buildcache,mode=max diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml new file mode 100644 index 0000000..13dbb14 --- /dev/null +++ b/.github/workflows/goreleaser.yml @@ -0,0 +1,62 @@ +--- +name: GoReleaser + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} + cancel-in-progress: true + +on: # yamllint disable-line rule:truthy + push: + tags: + - '*' + +permissions: + contents: write + packages: write +# issues: write + +jobs: + goreleaser: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v3 + with: + install: true + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: 'go.mod' + check-latest: true + cache: true + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + distribution: goreleaser + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml new file mode 100644 index 0000000..c3fe836 --- /dev/null +++ b/.github/workflows/hadolint.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: + - main + - master + pull_request: + # The branches below must be a subset of the branches above + branches: + - main + - master + schedule: + - cron: '27 20 * * 1' + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} + cancel-in-progress: true + +permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000..c977a9f --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,72 @@ +--- +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: trivy + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} + cancel-in-progress: true + + +on: # yamllint disable-line rule:truthy + push: + branches: + - main + - master + pull_request: + # The branches below must be a subset of the branches above + branches: + - main + - master + schedule: + - cron: '19 0 * * 3' + +permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + +jobs: + scan: + name: Build + runs-on: ubuntu-latest + steps: + + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner with rootfs command + uses: aquasecurity/trivy-action@master + with: + scan-type: 'rootfs' + scan-ref: '/github/workspace/' + ignore-unfixed: false + format: 'sarif' + output: 'trivy-rootfs.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-rootfs.sarif' + category: 'trivy-rootfs' + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/redradrat/aws-iam-operator:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'docker.io/redradrat/aws-iam-operator:${{ github.sha }}' + format: 'sarif' + output: 'trivy-oci-image.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-oci-image.sarif' + category: 'trivy-oci-image' diff --git a/.goreleaser.yml b/.goreleaser.yml index b0a3417..fc6e4c2 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,8 +1,11 @@ +--- # This is an example goreleaser.yaml file with some sane defaults. # Make sure to check the documentation at http://goreleaser.com +project_name: aws-iam-operator before: hooks: # You may remove this if you don't use go modules. + - go mod tidy - go mod download # you may remove this if you don't need go generate - go generate ./... @@ -13,64 +16,121 @@ builds: - linux - windows - darwin + goarch: + - amd64 + - arm64 + - arm + goarm: + - "7" + - "6" ldflags: - -s -w # strip symbols, reduces binary size - -X main.operatorversion={{.Version}} - -X main.operatorbuilddate={{.Date}} + archives: - - name_template: >- - {{- .ProjectName }}_ - {{- .Version }}_ - {{- title .Os }}_ - {{- if eq .Arch "amd64" }}x86_64 - {{- else if eq .Arch "386" }}i386 - {{- else }}{{ .Arch }}{{ end }} + - id: default + format_overrides: + - goos: windows + format: zip + dockers: - - image_templates: - - "redradrat/aws-iam-operator:{{ .Tag }}-amd64" - - "redradrat/aws-iam-operator:latest-amd64" - - "ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:{{ .Tag }}-amd64" - - "ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:latest-amd64" + - use: buildx goos: linux goarch: amd64 - use: buildx + dockerfile: goreleaser.Dockerfile + image_templates: + - redradrat/{{ .ProjectName }}:{{ .Tag }}-amd64 + - redradrat/{{ .ProjectName }}:latest-amd64 + - ghcr.io/redradrat/{{ .ProjectName }}:{{ .Tag }}-amd64 + - ghcr.io/redradrat/{{ .ProjectName }}:latest-amd64 build_flag_templates: - - "--platform=linux/amd64" - - "--builder=desktop-linux" - dockerfile: goreleaser_Dockerfile - - image_templates: - - "redradrat/aws-iam-operator:{{ .Tag }}-arm64" - - "redradrat/aws-iam-operator:latest-arm64" - - "ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:{{ .Tag }}-arm64" - - "ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:latest-arm64" - use: buildx + - --pull + - --platform=linux/amd64 + - --label=org.opencontainers.image.description="An operator that enables AWS IAM management via Kubernetes custom resources" + - --label=org.opencontainers.image.created="{{ .Date }}" + - --label=org.opencontainers.image.source="https://github.com/redradrat/aws-iam-operator" + - --label=org.opencontainers.image.url="https://github.com/redradrat/aws-iam-operator" + - --label=org.opencontainers.image.authors="redradrat" + - --label=org.opencontainers.image.created="{{ .Date }}" + - --label=org.opencontainers.image.title="{{ .ProjectName }}" + - --label=org.opencontainers.image.revision="{{ .FullCommit }}" + - --label=org.opencontainers.image.version="{{ .Version }}" + - use: buildx goos: linux goarch: arm64 + dockerfile: goreleaser.Dockerfile + image_templates: + - redradrat/{{ .ProjectName }}:{{ .Tag }}-arm64 + - redradrat/{{ .ProjectName }}:latest-arm64 + - ghcr.io/redradrat/{{ .ProjectName }}:{{ .Tag }}-arm64 + - ghcr.io/redradrat/{{ .ProjectName }}:latest-arm64 + build_flag_templates: + - --pull + - --platform=linux/amd64 + - --label=org.opencontainers.image.description="An operator that enables AWS IAM management via Kubernetes custom resources" + - --label=org.opencontainers.image.created="{{ .Date }}" + - --label=org.opencontainers.image.source="https://github.com/redradrat/aws-iam-operator" + - --label=org.opencontainers.image.url="https://github.com/redradrat/aws-iam-operator" + - --label=org.opencontainers.image.authors="redradrat" + - --label=org.opencontainers.image.created="{{ .Date }}" + - --label=org.opencontainers.image.title="{{ .ProjectName }}" + - --label=org.opencontainers.image.revision="{{ .FullCommit }}" + - --label=org.opencontainers.image.version="{{ .Version }}" + - use: buildx + goos: linux + goarch: arm + goarm: "7" + dockerfile: "goreleaser.Dockerfile" + image_templates: + - redradrat/{{ .ProjectName }}:{{ .Tag }}-armv7 + - redradrat/{{ .ProjectName }}:latest-armv7 + - ghcr.io/redradrat/{{ .ProjectName }}:{{ .Tag }}-armv7 + - ghcr.io/redradrat/{{ .ProjectName }}:latest-armv7 build_flag_templates: - - "--platform=linux/arm64" - - "--builder=desktop-linux" - dockerfile: goreleaser_Dockerfile + - --pull + - --platform=linux/arm/v7 + - --label=org.opencontainers.image.description="An operator that enables AWS IAM management via Kubernetes custom resources" + - --label=org.opencontainers.image.created="{{ .Date }}" + - --label=org.opencontainers.image.source="https://github.com/redradrat/aws-iam-operator" + - --label=org.opencontainers.image.url="https://github.com/redradrat/aws-iam-operator" + - --label=org.opencontainers.image.authors="redradrat" + - --label=org.opencontainers.image.created="{{ .Date }}" + - --label=org.opencontainers.image.title="{{ .ProjectName }}" + - --label=org.opencontainers.image.revision="{{ .FullCommit }}" + - --label=org.opencontainers.image.version="{{ .Version }}" + docker_manifests: - - name_template: redradrat/aws-iam-operator:{{ .Tag }} + - name_template: redradrat/{{ .ProjectName }}:{{ .Tag }} image_templates: - - redradrat/aws-iam-operator:{{ .Tag }}-arm64 - - redradrat/aws-iam-operator:{{ .Tag }}-amd64 - - name_template: redradrat/aws-iam-operator:latest + - redradrat/{{ .ProjectName }}:{{ .Tag }}-arm64 + - redradrat/{{ .ProjectName }}:{{ .Tag }}-amd64 + - name_template: redradrat/{{ .ProjectName }}:latest image_templates: - - redradrat/aws-iam-operator:latest-arm64 - - redradrat/aws-iam-operator:latest-amd64 - - name_template: ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:{{ .Tag }} + - redradrat/{{ .ProjectName }}:latest-arm64 + - redradrat/{{ .ProjectName }}:latest-amd64 + - name_template: ghcr.io/redradrat/{{ .ProjectName }}:{{ .Tag }} image_templates: - - ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:{{ .Tag }}-arm64 - - ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:{{ .Tag }}-amd64 - - name_template: ghcr.io/redradrat/aws-iam-operator:latest + - ghcr.io/redradrat/{{ .ProjectName }}:{{ .Tag }}-arm64 + - ghcr.io/redradrat/{{ .ProjectName }}:{{ .Tag }}-amd64 + - name_template: ghcr.io/redradrat/{{ .ProjectName }}:latest image_templates: - - ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:latest-arm64 - - ghcr.io/redradrat/aws-iam-operator/aws-iam-operator:latest-amd64 + - ghcr.io/redradrat/{{ .ProjectName }}:latest-arm64 + - ghcr.io/redradrat/{{ .ProjectName }}:latest-amd64 + checksum: name_template: 'checksums.txt' snapshot: - name_template: "{{ .Tag }}-next" + name_template: "{{ incpatch .Tag}}-devel" + +gomod: + proxy: true + env: + - GOPROXY=https://proxy.golang.org,direct + - GOSUMDB=sum.golang.org + mod: mod + gobinary: go + changelog: sort: asc filters: diff --git a/Dockerfile b/Dockerfile index 1c0b947..bbe856a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.21 as builder +FROM docker.io/library/golang:1.21 as builder WORKDIR /workspace # Copy the Go Modules manifests @@ -15,7 +15,7 @@ COPY api/ api/ COPY controllers/ controllers/ # Build -RUN CGO_ENABLED=0 GOOS=linux go build -a -o manager main.go +RUN CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w" -o manager main.go # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details diff --git a/goreleaser_Dockerfile b/goreleaser.Dockerfile similarity index 100% rename from goreleaser_Dockerfile rename to goreleaser.Dockerfile