Merge branch 'open-policy-agent:master' into master

sozercan · Nov 12, 2021 · a8474ac · a8474ac
2 parents df00d44 + f43223e
commit a8474ac
Show file tree

Hide file tree

Showing 281 changed files with 16,614 additions and 11,244 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -8,4 +8,9 @@ Fixes #
 Helm chart is auto-generated in Gatekeeper. If you have any changes in `charts` directory, they will get clobbered when we do a new release. Please see [contributing changes doc](charts/../../charts/gatekeeper/README.md#contributing-changes) for modifying the Helm chart.
 -->
 
-**Special notes for your reviewer**:
+<!--
+**Are you making changes to Gatekeeper docs?**
+Gatekeeper auto-generates versioned docs. If you have any doc changes for a particular version, please update in `website/docs` as well as in `website/versioned_docs/version-[Gatekeeper version]` directory. If the change is for next release, please update in `website/docs`, then the change will be part of next versioned doc when we do a new release.
+-->
+
+**Special notes for your reviewer**:
diff --git a/.github/workflows/upgrade.yaml b/.github/workflows/upgrade.yaml
@@ -8,6 +8,9 @@ on:
     paths:
       - "manifest_staging/charts/**"
 
+permissions:
+  contents: read
+
 env:
   BASE_RELEASE: 3.4.0
   BASE_BRANCH: release-3.4

diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
@@ -8,6 +8,9 @@ on:
       - ".github/workflows/website.yaml"
       - "website/**"
 
+permissions:
+  contents: write
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -20,7 +23,7 @@ jobs:
       - name: Setup Node
         uses: actions/[email protected]
         with:
-          node-version: "12.x"
+          node-version: "16"
 
       - name: Get yarn cache
         id: yarn-cache

diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -33,6 +33,8 @@ jobs:
     name: "Lint"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v2
       # source: https://github.com/golangci/golangci-lint-action
@@ -46,6 +48,8 @@ jobs:
     name: "Unit test"
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - name: Set up Go 1.17
         uses: actions/setup-go@v2
@@ -75,6 +79,8 @@ jobs:
     name: "Build and Test"
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     strategy:
       matrix:
         KUBERNETES_VERSION: ["1.20.7", "1.21.1", "1.22.0"]
@@ -102,6 +108,7 @@ jobs:
           make test-e2e
 
       - name: Save logs
+        if: ${{ always() }}
         run: |
           kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
           kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
@@ -118,6 +125,8 @@ jobs:
     name: "[Helm] Build and Test"
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     strategy:
       matrix:
         HELM_VERSION: ["3.4.2"]
@@ -136,9 +145,10 @@ jobs:
         run: |
           make e2e-build-load-image IMG=gatekeeper-e2e-helm:latest CRD_IMG=gatekeeper-crds:latest
           make e2e-helm-deploy HELM_REPO=gatekeeper-e2e-helm HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest HELM_VERSION=${{ matrix.HELM_VERSION }} GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
-          make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} ENABLE_MUTATION_TESTS=1
+          make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
 
       - name: Save logs
+        if: ${{ always() }}
         run: |
           kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-controller.json
           kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-audit.json
@@ -147,7 +157,54 @@ jobs:
         uses: actions/upload-artifact@v2
         if: ${{ always() }}
         with:
-          name: logs
+          name: helm-logs
+          path: |
+            logs-*.json
+
+  build_test_externaldata:
+    name: "[External Data] Build and Test"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        KUBERNETES_VERSION: ["1.22.0"]
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Set up Go 1.17
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+
+      - name: Bootstrap e2e
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/bin
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+          make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}
+
+      - name: Run e2e
+        run: |
+          make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest
+          make e2e-build-load-externaldata-image
+          make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true ENABLE_EXTERNAL_DATA=true
+          # there should be no additional manifest changes
+          git diff --exit-code
+          make test-e2e ENABLE_EXTERNAL_DATA_TESTS=1
+
+      - name: Save logs
+        if: ${{ always() }}
+        run: |
+          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-externaldata-controller.json
+          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-externaldata-audit.json
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        if: ${{ always() }}
+        with:
+          name: externaldata-logs
           path: |
             logs-*.json
 
@@ -157,6 +214,8 @@ jobs:
     if: (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-')) && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
     needs: [lint, test, build_test, helm_build_test]
     timeout-minutes: 30
+    permissions:
+      contents: read
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
@@ -190,6 +249,8 @@ jobs:
   tagged-release:
     name: "Tagged Release"
     runs-on: "ubuntu-latest"
+    permissions:
+      contents: write
     if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
     needs: [lint, test, build_test, helm_build_test]
     timeout-minutes: 30
@@ -206,7 +267,6 @@ jobs:
         id: get_version
         run: |
           echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          echo $TAG
 
       - name: Publish release
         run: |
@@ -244,11 +304,41 @@ jobs:
         run: |
           make e2e-verify-release IMG=${{ env.IMAGE_REPO }}:${TAG} USE_LOCAL_IMG=false
 
+      - name: Build gator-cli
+        run: |
+          build() {
+            export GOOS="$(echo ${1} | cut -d '-' -f 1)"
+            export GOARCH="$(echo ${1} | cut -d '-' -f 2)"
+            FILENAME=${GITHUB_WORKSPACE}/_dist/gator-${TAG}-${GOOS}-${GOARCH}
+            # build the binary
+            make bin/gator-${GOOS}-${GOARCH}
+            # rename the binary to gator
+            tmp_dir=$(mktemp -d)
+            cp bin/gator-${GOOS}-${GOARCH} ${tmp_dir}/gator
+            pushd ${tmp_dir}
+            tar -czf ${FILENAME}.tar.gz gator*
+            popd
+          }
+          mkdir -p _dist
+          for os_arch_extension in $PLATFORMS; do
+            build ${os_arch_extension} &
+          done
+          wait
+          pushd _dist
+          # consolidate tar's sha256sum into a single file
+          find . -type f -name '*.tar.gz' | sort | xargs sha256sum >> sha256sums.txt
+          popd
+        env:
+          PLATFORMS: "linux-amd64 linux-arm64 darwin-amd64 darwin-arm64"
+
       - name: Create GitHub release
         uses: "marvinpinto/[email protected]"
         with:
           repo_token: "${{ secrets.GITHUB_TOKEN }}"
           prerelease: false
+          files: |
+            _dist/sha256sums.txt
+            _dist/*.tar.gz
 
       - name: Publish Helm chart
         uses: stefanprodan/[email protected]

diff --git a/.gitignore b/.gitignore
@@ -9,6 +9,7 @@
 *.so
 *.dylib
 bin
+_dist
 
 # Test binary, build with `go test -c`
 *.test

diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ ARG BUILDPLATFORM="linux/amd64"
 ARG BUILDERIMAGE="golang:1.17"
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-ARG BASEIMAGE="gcr.io/distroless/static:nonroot-amd64"
+ARG BASEIMAGE="gcr.io/distroless/static:nonroot"
 
 FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder
 
@@ -35,6 +35,6 @@ WORKDIR /
 
 COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .
 
-USER nonroot:nonroot
+USER 65532:65532
 
 ENTRYPOINT ["/manager"]
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,7 @@ @@
     *.so
     *.dylib
     bin
+    _dist
     # Test binary, build with `go test -c`
     *.test
@@ Expand Down @@