diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..0318ab1
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,36 @@
+---
+name: goreleaser
+
+on:
+ push:
+ # run only against tags
+ tags:
+ - "*"
+
+permissions:
+ contents: write
+ packages: write
+
+jobs:
+ goreleaser:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: stable
+
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v6
+ with:
+ distribution: goreleaser
+ version: "~> v2"
+ args: release --clean
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ KO_DOCKER_REPO: ghcr.io/${{ github.repository }}
diff --git a/.gitignore b/.gitignore
index ada68ff..73d94d7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,5 @@ go.work
 *.swp
 *.swo
 *~
+
+dist/
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..8c3975c
--- /dev/null
+++ b/.goreleaser.yaml
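Review bot: The three `uses:` steps in release.yaml reference mutable tags (`actions/checkout@v4`, `actions/setup-go@v5`, `goreleaser/goreleaser-action@v6`) in a job that holds `contents: write` and `packages: write`, so a moved or compromised tag would run with a token able to publish releases and push images to ghcr.io. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. Consider also fixing `version: "~> v2"` and `go-version: stable` to exact versions so the toolchain that produces release artifacts is reproducible. The `tags: - "*"` trigger fires on every pushed tag; a pattern such as `- "v*"` would limit publishing to version tags.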
@@ -0,0 +1,75 @@
+---
+version: 2
+
+before:
+ hooks:
+ - go mod tidy
+ - go generate ./...
+ # - go fmt ./...
+ # - go vet ./...
+ # - go test ./...
+
+builds:
+ - env:
+ - CGO_ENABLED=0
+ main: ./cmd
+ binary: istio-fortsa
+ flags:
+ - -trimpath
+ ldflags:
+ - -s -w -X main.Version={{ .Version }} -X main.Commit={{ .Commit }} -X main.CommitDate={{ .CommitDate }}
+ goos:
+ - linux
+ goarch:
+ - amd64
+
+kos:
+ - base_image: gcr.io/distroless/static:nonroot
+ repository: ghcr.io/{{ .Env.GITHUB_REPOSITORY }}
+ tags:
+ - "{{ .Tag }}"
+ - latest
+ platforms:
+ - linux/amd64
+ - linux/arm64
+ env:
+ - CGO_ENABLED=0
+ flags:
+ - -trimpath
+ ldflags:
+ - -s
+ - -w
+ - -extldflags "-static"
+ - -X main.Version={{ .Version }}
+ - -X main.Commit={{ .Commit }}
+ - -X main.CommitDate={{ .CommitDate }}
+ bare: true
+ preserve_import_paths: false
+ base_import_paths: false
+ labels:
+ org.opencontainers.image.title: "{{ .ProjectName }}"
+ org.opencontainers.image.description: "{{ .ProjectName }}"
+ org.opencontainers.image.revision: "{{ .FullCommit }}"
+ org.opencontainers.image.version: "{{ .Version }}"
+ org.opencontainers.image.url: "{{ .Env.GITHUB_SERVER_URL }}/{{ .Env.GITHUB_REPOSITORY }}"
+ org.opencontainers.image.source: "{{ .Env.GITHUB_SERVER_URL }}/{{ .Env.GITHUB_REPOSITORY }}"
+
+
+release:
+ skip_upload: true
+ footer: |
+ # Container images
+
+ ```
+ ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Tag }}
+ ```
+
+changelog:
+ sort: asc
+ filters:
+ exclude:
+ - "^docs"
+ - "^test"
+ - "^chore"
+ - "Merge pull request"
+ - "Merge branch"
diff --git a/.ko.yaml b/.ko.yaml
new file mode 100644
index 0000000..175c5cc
--- /dev/null
+++ b/.ko.yaml
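Review bot: The `kos` entry in .goreleaser.yaml takes its base from `gcr.io/distroless/static:nonroot` by tag only and also publishes a `latest` tag, so neither the base layer nor the image consumers pull is tied to an immutable reference. Pin the base with a digest, `base_image: gcr.io/distroless/static:nonroot@sha256:<digest>`, and have deployment manifests reference the `{{ .Tag }}` image (or its digest) rather than `latest`. The `before` hooks run `go mod tidy` and `go generate ./...` inside the release job while the `go vet` and `go test` hooks are commented out; unless another workflow enforces those checks, a tag push publishes an untested image, and `go mod tidy` may change the module graph relative to the tagged commit. A short comment above the hooks saying where tests are enforced would help.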
@@ -0,0 +1,20 @@ +--- +defaultBaseImage: gcr.io/distroless/static:nonroot + +defaultPlatforms: + - linux/amd64 + - linux/arm64 + +defaultEnv: + - CGO_ENABLED=0 + +defaultLdflags: + - -s + - -w + - -extldflags "-static" + - -X main.Version={{ .Git.Tag }} + - -X main.Commit={{ .Git.FullCommit }} + - -X main.CommitDate={{ .Git.CommitDate }} + +builds: + main: ./cmd diff --git a/cmd/main.go b/cmd/main.go index 4a03044..dce91f7 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -20,6 +20,7 @@ import ( "context" "crypto/tls" "flag" + "fmt" "os" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) @@ -42,6 +43,10 @@ import ( ) var ( + Version = "" // set at compile time with -ldflags "-X main.Version=x.y.yz" + Commit = "" // set at compile time with -ldflags "-X main.Commit=..." + CommitDate = "" // set at compile time with -ldflags "-X main.CommitDate=..." + scheme = runtime.NewScheme() setupLog = ctrl.Log.WithName("setup") istioData = istiodata.IstioData{} @@ -59,6 +64,7 @@ func main() { var probeAddr string var secureMetrics bool var enableHTTP2 bool + var version bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, @@ -68,12 +74,18 @@ func main() { "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") + flag.BoolVar(&version, "version", false, "Print the version of the tool") opts := zap.Options{ Development: true, } opts.BindFlags(flag.CommandLine) flag.Parse() + if version { + fmt.Printf("%s (%s %s)\n", Version, Commit, CommitDate) + os.Exit(1) + } + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) // if the enable-http2 flag is false (the default), http/2 should be disabled 
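Review bot: In .ko.yaml, `builds:` appears to be written as a mapping (`builds:` followed directly by `main: ./cmd`), whereas ko expects a list of build entries, so this stanza may be rejected or silently ignored; indentation is not recoverable from this view, so please confirm against the file. The list form would be `builds:` followed by `- main: ./cmd`. The base image, platforms and ldflags here repeat the `kos` block of `.goreleaser.yaml`; a one-line comment stating which file is authoritative for release builds would keep the two from drifting apart.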
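Review bot: The new `Version`, `Commit` and `CommitDate` variables in cmd/main.go default to the empty string, so a binary built without the `-X` flags (plain `go build` or `go run`) prints ` ( )` for `--version`, and the comment on `Version` has a typo (`x.y.yz`). Suggest `Version = "dev" // overridden at build time with -ldflags "-X main.Version=x.y.z"` and a placeholder such as `"unknown"` for the other two. A reliable version string also matters operationally, since it is what an operator checks to tell which build is running in a cluster. The `var (` block continues outside the hunk.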
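Review bot: `os.Exit(1)` in the new `if version { ... }` branch reports failure for a successful `--version` call, which breaks scripts, image smoke tests and CI steps that check the exit status. It should be `os.Exit(0)`, or the branch can simply `return` from `main` after printing. The body of `main` starts and ends outside the hunk.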
diff --git a/dist/install.yaml b/dist/install.yaml deleted file mode 100644 index c670ab9..0000000 --- a/dist/install.yaml +++ /dev/null 
@@ -1,332 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - control-plane: controller-manager - name: istio-fortsa-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-leader-election-role - namespace: istio-fortsa-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-fortsa-manager-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - mutatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - mutatingwebhookconfigurations/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - mutatingwebhookconfigurations/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - namespaces - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - namespaces/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - namespaces/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - update - - watch 
-- apiGroups: - - "" - resources: - - pods/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-leader-election-rolebinding - namespace: istio-fortsa-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-fortsa-leader-election-role -subjects: -- kind: ServiceAccount - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-fortsa-manager-role -subjects: -- kind: ServiceAccount - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 
istio-fortsa-proxy-role -subjects: -- kind: ServiceAccount - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - control-plane: controller-manager - name: istio-fortsa-cm-metrics-svc - namespace: istio-fortsa-system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - control-plane: controller-manager - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - command: - - /manager - image: sscaffidi/istio-fortsa:0.0.3 - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - 
ALL - securityContext: - runAsNonRoot: true - serviceAccountName: istio-fortsa-controller-manager - terminationGracePeriodSeconds: 10