Merge branch 'main' into license

kyverno · Jan 23, 2024 · f5560ed · f5560ed
2 parents ccbadea + a13cbe6
commit f5560ed
Show file tree

Hide file tree

Showing 17 changed files with 210 additions and 107 deletions.
diff --git a/.github/workflows/codeql._yaml b/.github/workflows/codeql._yaml
@@ -0,0 +1,44 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+# name: CodeQL
+
+# permissions: {}
+
+# on:
+#   pull_request:
+#     branches:
+#       - main
+#   push:
+#     branches:
+#       - main
+
+# concurrency:
+#   group: ${{ github.workflow }}-${{ github.ref }}
+#   cancel-in-progress: true
+
+# jobs:
+#   required:
+#     runs-on: ubuntu-latest
+#     permissions:
+#       security-events: write
+#     steps:
+#       - name: Checkout
+#         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+#         with:
+#           fetch-depth: 0
+#       - name: Run Trivy vulnerability scanner in repo mode
+#         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+#         with:
+#           scan-type: fs
+#           ignore-unfixed: false
+#           format: sarif
+#           output: trivy-results.sarif
+#           severity: CRITICAL,HIGH,MEDIUM
+#           scanners: vuln,secret
+#           exit-code: '0'
+#           vuln-type: os,library
+#       - name: Upload Trivy scan results to GitHub Security tab
+#         uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+#         with:
+#           sarif_file: trivy-results.sarif
+#           category: code
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
diff --git a/.github/workflows/tests._yaml b/.github/workflows/tests._yaml
@@ -0,0 +1,49 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+# name: Tests
+
+# permissions: {}
+
+# on:
+#   pull_request:
+#     branches:
+#     - main
+#   push:
+#     branches:
+#     - main
+
+# concurrency:
+#   group: ${{ github.workflow }}-${{ github.ref }}
+#   cancel-in-progress: true
+
+# jobs:
+#   unit-tests:
+#     runs-on: ubuntu-latest
+#     steps:
+#     - name: Checkout
+#       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+#     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+#       with:
+#         go-version-file: go.mod
+#         cache-dependency-path: go.sum
+#     # - name: Create test cluster
+#     #   run: |
+#     #     set -e
+#     #     make kind-cluster
+#     - name: Run tests
+#       run: |
+#         set -e
+#         make tests
+#     - name: Upload Report to Codecov
+#       uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+#       with:
+#         file: ./coverage.out
+#         fail_ci_if_error: true
+#         verbose: true
+
+#   required:
+#     needs:
+#     - unit-tests
+#     runs-on: ubuntu-latest
+#     steps:
+#     - run: echo "Required jobs success!"
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,49 @@
+linters:
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - containedctx
+    - decorder
+    - dogsled
+    - durationcheck
+    - errcheck
+    - errname
+    - exportloopref
+    - gci
+    # - gochecknoinits
+    - gofmt
+    - gofumpt
+    - goimports
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - makezero
+    - misspell
+    - noctx
+    - nolintlint
+    - nosprintfhostport
+    # - paralleltest
+    - staticcheck
+    - tenv
+    - thelper
+    - tparallel
+    - typecheck
+    - unconvert
+    - unused
+    - wastedassign
+    - whitespace
+
+run:
+  timeout: 15m
+  skip-files:
+    - ".+\\.generated.go"
+
+output:
+  format: colored-line-number
+  sort-results: true
diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,7 @@ COPY . ./
 # ARG ARCH
 # ARG GIT_COMMIT
 # ARG GIT_TAG
-RUN GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-w -s" -o policy-reports ./cmd/main.go
+RUN GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-w -s" -o policy-reports ./main.go
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /

diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	k8s.io/apiserver v0.29.0
 	k8s.io/client-go v0.29.0
 	k8s.io/component-base v0.29.0
-	k8s.io/klog/v2 v2.110.1
+	k8s.io/klog/v2 v2.120.1
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00
 	sigs.k8s.io/wg-policy-prototypes v0.0.0-20231226153523-db3ef51d230f
 )
@@ -31,7 +31,7 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect

diff --git a/go.sum b/go.sum
@@ -115,8 +115,8 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
-github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
@@ -691,8 +691,8 @@ k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUc
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
-k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
+k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
+k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kms v0.29.0 h1:KJ1zaZt74CgvgV3NR7tnURJ/mJOKC5X3nwon/WdwgxI=
 k8s.io/kms v0.29.0/go.mod h1:mB0f9HLxRXeXUfHfn1A7rpwOlzXI1gIWu86z6buNoYA=
 k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=

diff --git a/cmd/main.go → main.go b/cmd/main.go → main.go
@@ -4,19 +4,17 @@ import (
 	"os"
 	"runtime"
 
-	"github.com/kyverno/policy-reports/cmd/app"
+	"github.com/kyverno/policy-reports/pkg/app"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/component-base/logs"
 )
 
 func main() {
 	logs.InitLogs()
 	defer logs.FlushLogs()
-
 	if len(os.Getenv("GOMAXPROCS")) == 0 {
 		runtime.GOMAXPROCS(runtime.NumCPU())
 	}
-
 	cmd := app.NewPolicyServer(genericapiserver.SetupSignalHandler())
 	if err := cmd.Execute(); err != nil {
 		panic(err)

diff --git a/pkg/api/cpolr.go b/pkg/api/cpolr.go
@@ -116,11 +116,12 @@ func (c *cpolrStore) Create(ctx context.Context, obj runtime.Object, createValid
 	}
 
 	if !isDryRun {
-		err := c.createCpolr(cpolr)
-		if err != nil {
+		if err := c.createCpolr(cpolr); err != nil {
 			return &v1alpha2.ClusterPolicyReport{}, errors.NewBadRequest(fmt.Sprintf("cannot create cluster policy report: %s", err.Error()))
 		}
-		c.broadcaster.Action(watch.Added, obj)
+		if err := c.broadcaster.Action(watch.Added, obj); err != nil {
+			klog.ErrorS(err, "failed to broadcast event")
+		}
 	}
 
 	return obj, nil
@@ -133,8 +134,12 @@ func (c *cpolrStore) Update(ctx context.Context, name string, objInfo rest.Updat
 		oldObj, _ := c.getCpolr(name)
 		updatedObject, _ := objInfo.UpdatedObject(ctx, oldObj)
 		cpolr := updatedObject.(*v1alpha2.ClusterPolicyReport)
-		c.updatePolr(cpolr, true)
-		c.broadcaster.Action(watch.Added, updatedObject)
+		if err := c.updatePolr(cpolr, true); err != nil {
+			klog.ErrorS(err, "failed to update resource")
+		}
+		if err := c.broadcaster.Action(watch.Added, updatedObject); err != nil {
+			klog.ErrorS(err, "failed to broadcast event")
+		}
 		return updatedObject, true, nil
 	}
 
@@ -167,11 +172,12 @@ func (c *cpolrStore) Update(ctx context.Context, name string, objInfo rest.Updat
 	}
 
 	if !isDryRun {
-		err := c.createCpolr(cpolr)
-		if err != nil {
+		if err := c.createCpolr(cpolr); err != nil {
 			return &v1alpha2.ClusterPolicyReport{}, false, errors.NewBadRequest(fmt.Sprintf("cannot create cluster policy report: %s", err.Error()))
 		}
-		c.broadcaster.Action(watch.Modified, updatedObject)
+		if err := c.broadcaster.Action(watch.Modified, updatedObject); err != nil {
+			klog.ErrorS(err, "failed to broadcast event")
+		}
 	}
 
 	return updatedObject, true, nil
@@ -193,12 +199,13 @@ func (c *cpolrStore) Delete(ctx context.Context, name string, deleteValidation r
 	}
 
 	if !isDryRun {
-		err = c.deletePolr(cpolr)
-		if err != nil {
+		if err = c.deletePolr(cpolr); err != nil {
 			klog.ErrorS(err, "failed to delete cpolr", "name", name)
 			return &v1alpha2.ClusterPolicyReport{}, false, errors.NewBadRequest(fmt.Sprintf("failed to delete clusterpolicyreport: %s", err.Error()))
 		}
-		c.broadcaster.Action(watch.Deleted, cpolr)
+		if err := c.broadcaster.Action(watch.Deleted, cpolr); err != nil {
+			klog.ErrorS(err, "failed to broadcast event")
+		}
 	}
 
 	return cpolr, true, nil // TODO: Add protobuf in wgpolicygroup
@@ -226,7 +233,9 @@ func (c *cpolrStore) DeleteCollection(ctx context.Context, deleteValidation rest
 				klog.ErrorS(err, "Failed to delete cpolr", "name", cpolr.GetName())
 				return &v1alpha2.ClusterPolicyReportList{}, errors.NewBadRequest(fmt.Sprintf("Failed to delete cluster policy report: %s", cpolr.GetName()))
 			}
-			c.broadcaster.Action(watch.Deleted, obj)
+			if err := c.broadcaster.Action(watch.Deleted, obj); err != nil {
+				klog.ErrorS(err, "failed to broadcast event")
+			}
 		}
 	}
 	return cpolrList, nil

diff --git a/pkg/api/install.go b/pkg/api/install.go
@@ -23,7 +23,6 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
-
 	"sigs.k8s.io/wg-policy-prototypes/policy-report/pkg/api/wgpolicyk8s.io/v1alpha2"
 )
 

diff --git a/pkg/api/monitoring.go b/pkg/api/monitoring.go
@@ -4,17 +4,15 @@ import (
 	"k8s.io/component-base/metrics"
 )
 
-var (
-	metricFreshness = metrics.NewHistogramVec(
-		&metrics.HistogramOpts{
-			Namespace: "reports_server",
-			Subsystem: "api",
-			Name:      "reports_server_export_time",
-			Help:      "serve of reports exported",
-			Buckets:   metrics.ExponentialBuckets(1, 1.364, 20),
-		},
-		[]string{},
-	)
+var metricFreshness = metrics.NewHistogramVec(
+	&metrics.HistogramOpts{
+		Namespace: "reports_server",
+		Subsystem: "api",
+		Name:      "reports_server_export_time",
+		Help:      "serve of reports exported",
+		Buckets:   metrics.ExponentialBuckets(1, 1.364, 20),
+	},
+	[]string{},
 )
 
 func RegisterAPIMetrics(registrationFunc func(metrics.Registerable) error) error {