DRAFT : DoNotMerge: v0.4.4 <-- V0.5.6

.github/workflows/anchore.yml

@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.  For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Grype vulnerability scan
+
+on:
+  push:
+    branches: [ "master", "platform9-v*" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '44 8 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  Anchore-Build-Scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out the code
+      uses: actions/checkout@v4
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag platform9/luigi_dev:latest
+    - name: Run the Anchore Grype scan action
+      uses: anchore/scan-action@v3
+      id: scan
+      with:
+        image: "platform9/luigi_dev:latest"
+        fail-build: false
+        severity-cutoff: critical
+    - name: Upload vulnerability report
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/ci.yml

@@ -13,12 +13,12 @@ jobs:
     environment: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          go-version: 1.17
+          go-version: 1.21
           check-latest: true
           cache: true
       - name: Print the version of golang
@@ -32,12 +32,12 @@ jobs:
     environment: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          go-version: 1.17
+          go-version: 1.21
           check-latest: true
           cache: true
       - name: Print the version of golang
@@ -47,6 +47,6 @@ jobs:
       - name: Build
         run: make build
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           files: ./cover.out

.github/workflows/govulncheck.yml

@@ -0,0 +1,19 @@
+name: Vuln check
+on:
+  pull_request:
+    branches:
+      - "main"
+      - "v**"
+  schedule: 
+    - cron: '* * * * *'
+permissions: 
+  security-events: write
+
+jobs:
+  vuln-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Golang Vulncheck
+        uses: Templum/govulncheck-action@v1.0.0

.github/workflows/trivy.yml

@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy_scan
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '42 17 * * 0'
+
+permissions:
+  contents: read
+
+jobs:
+  build_image:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Build
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/platform9/luigi:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: 'docker.io/platform9/luigi:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.17 as builder
+FROM golang:1.21 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 #FROM gcr.io/distroless/static:nonroot
 
-FROM alpine:3.15
+FROM alpine:3.18
 RUN apk add --no-cache bash
 WORKDIR /
 COPY --from=builder /workspace/manager .

Makefile

@@ -1,10 +1,16 @@
 SHELL=/bin/bash
 # Image URL to use all building/pushing image targets
 #IMG ?= controller:latest
-VER_LABEL=$(shell ./get-label.bash)
-IMG ?= platform9/luigi-plugins:$(VER_LABEL)
+
+ifndef OVERRIDE_LUIGI_VERSION
+IMG_TAG = $(shell ./get-label.bash)
+else
+IMG_TAG ?= $(OVERRIDE_LUIGI_VERSION)
+endif
+
+IMG = platform9/luigi-plugins:$(IMG_TAG)
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.23
+ENVTEST_K8S_VERSION = 1.27
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -14,10 +20,14 @@ GOBIN=$(shell go env GOBIN)
 endif
 
 SRCROOT = $(abspath $(dir $(lastword $(MAKEFILE_LIST)))/)
+BUILD_DIR :=$(SRCROOT)/bin
 BUILD_ROOT = $(SRCROOT)/build
 OS=$(shell go env GOOS)
 ARCH=$(shell go env GOARCH)
 
+$(BUILD_DIR):
+	mkdir -p $@
+
 $(BUILD_ROOT):
 	mkdir -p $@
 	mkdir -p $@/luigi
@@ -140,20 +150,20 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
-	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20230216140739-c98506dc3b8e
 
 img-test:
-	docker run --rm  -v $(SRCROOT):/luigi -w /luigi golang:1.17.7-bullseye  bash -c "make test"
+	docker run --rm  -v $(SRCROOT):/luigi -w /luigi golang:1.21  bash -c "GOFLAGS=-buildvcs=false make test"
 
-img-build: img-test $(BUILD_ROOT)
+img-build: $(BUILD_DIR) img-test
 	docker build --network host . -t ${IMG}
-	echo ${IMG} > $(BUILD_ROOT)/container-tag
+	echo ${IMG} > $(BUILD_DIR)/container-tag
 
 img-build-push: img-build
 	docker login
 	docker push ${IMG}
-	echo ${IMG} > $(BUILD_ROOT)/container-tag
+	echo ${IMG} > $(BUILD_DIR)/container-tag
 
-scan: 
-	docker run -v $(BUILD_ROOT)/luigi:/out -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.trivy:/root/.cache  aquasec/trivy image -s CRITICAL,HIGH -f json  --vuln-type library -o /out/library_vulnerabilities.json --exit-code 22 ${IMG}
-	docker run -v $(BUILD_ROOT)/luigi:/out -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.trivy:/root/.cache  aquasec/trivy image -s CRITICAL,HIGH -f json  --vuln-type os -o /out/os_vulnerabilities.json --exit-code 22 ${IMG}
+scan: $(BUILD_ROOT)
+	docker run -v $(BUILD_ROOT)/luigi:/out -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.trivy:/root/.cache  aquasec/trivy image -s CRITICAL,HIGH -f json --scanners vuln --vuln-type library -o /out/library_vulnerabilities.json --exit-code 22 ${IMG}
+	docker run -v $(BUILD_ROOT)/luigi:/out -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.trivy:/root/.cache  aquasec/trivy image -s CRITICAL,HIGH -f json --scanners vuln --vuln-type os -o /out/os_vulnerabilities.json --exit-code 22 ${IMG}

PROJECT

@@ -1,7 +1,6 @@
 domain: k8s.pf9.io
 layout:
 - go.kubebuilder.io/v3
-multigroup: true
 projectName: luigi
 repo: github.com/platform9/luigi
 resources:
@@ -14,4 +13,7 @@ resources:
   kind: NetworkPlugins
   path: github.com/platform9/luigi/api/v1
   version: v1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

README.md

@@ -1,37 +1,61 @@
 # Luigi
+
 Luigi is a Kubernetes Operator to deploy, manage, and upgrade advanced networking plugins. The default Kubernetes networking model with one CNI and cluster-wide network can be too restrictive for many advanced networking use cases like NFV or virtualization
 
 There are many discrete plugins and solutions, but knowing which ones to use, deploying and managing them can be tedious. Secondary CNIs? Multus? SRIOV? Device plugins? OVS? Which IPAM? What's the current Linux networking state of my nodes? How do I configure my nodes in order to support all of these?
 
-# How to deploy
-This will require an already working K8s cluster with DNS and a primary CNI up and running. 
+## How to deploy
+
+This will require an already working K8s cluster with DNS and a primary CNI up and running.
 Deploy the manifest found in samples in this repo:
-```
+
+```shell
 kubectl apply -f https://raw.githubusercontent.com/platform9/luigi/master/samples/luigi-plugins-operator.yaml
 ```
+
 A deployment of 1 replica will be created in the luigi-system namespace.
 
 Or, To get started sign up for Platform9 Managed Kubernetes(PMK) for free at platform9.com/signup, see more about our Telco 5G offerings at platform9.com/solutions/telco-5g or contact us at platform9.com/contact. With PMK, Luigi will already be deployed and managed itself
 
-# Plugins supported
+## How to build
+
+Platform9 publishes the images to Docker Hub under platform9 organisation.
+
+- Luigi image is published as
+  `platform9/luigi-plugins:<version tag>`
+- Hostplumber image is published as
+  `platform9/hostplumber:<version tag>`
+
+The version tag is set to the git tag in git repository.
+In the absence of a tag, it is set to [git branch]-pmk-[git revision id]
+
+Override the version tag using env variable
+
+- For Luigi:
+  `OVERRIDE_LUIGI_VERSION`
+- For Hostplumber:
+  `OVERRIDE_HOSTPLUMBER_VERSION`
+
+## Plugins supported
+
 The scope of each plugin is beyond this documentation. But if you know you need it, luigi will deploy the following:
 
- - HostPlumber: A subset of Luigi, an operator to configure/prep networking on the node and retrieve node details
-	 - See: https://github.com/platform9/luigi/blob/master/hostplumber/README.md
-	 - Use to create SRIOV VFs, configure OVS, create VLAN interfaces, etc...
-	 - Recommended unless you have your own tooling to configure nodes
- - Multus
-	 - Almost always required - the only way K8S can support multiple CNIs and networks
- - SRIOV CNI
- - SRIOV Device Plugin
- - OpenVSwitch daemon & CLI tools
- - OVS CNI plugin
- - Macvlan, IPvlan
- - Whereabouts IPAM driver
-	 - Required for dynamic IP assignment without an external DHCP service.
- - Node Feature Discovery
-
-# Configuration:
+- HostPlumber: A subset of Luigi, an operator to configure/prep networking on the node and retrieve node details
+  - See: [README.md](https://github.com/platform9/luigi/blob/master/hostplumber/README.md)
+  - Use to create SRIOV VFs, configure OVS, create VLAN interfaces, etc...
+  - Recommended unless you have your own tooling to configure nodes
+- Multus
+  - Almost always required - the only way K8S can support multiple CNIs and networks
+- SRIOV CNI
+  - SRIOV Device Plugin
+- OpenVSwitch daemon & CLI tools
+  - OVS CNI plugin
+  - Macvlan, IPvlan
+- Whereabouts IPAM driver
+  - Required for dynamic IP assignment without an external DHCP service.
+- Node Feature Discovery
+
+## Configuration
 
 **namespace**: Each plugin will take in a namespace override to deploy, default namespace otherwise
 
@@ -42,21 +66,23 @@ The scope of each plugin is beyond this documentation. But if you know you need
 **privateRegistryBase**: Some airgapped env's may have a custom container registry. If this is specified, it will replace the public container registry URL (docker.io, gcr.io, quay, etc..) with this path
 
 Each plugin may or may not have some further specific configuration. Here are the current options as of release v0.3:
- - HostPlumber - none
- - Multus - none
- - SRIOV - none
- - Node-feature-discovery - none
- - OVS - none
- - Whereabouts
-	 - ipReconcilerSchedule - specify the CronJob schedule of the whereabouts IP cleanup Job
-	 - ipReconcilerNodeSelector - specify the nodeSelector Labels on which to schedule the ip-reconciler
-
-# NetworkPlugins CRD:
+
+- HostPlumber - none
+- Multus - none
+- SRIOV - none
+- Node-feature-discovery - none
+- OVS - none
+- Whereabouts
+  - ipReconcilerSchedule - specify the CronJob schedule of the whereabouts IP cleanup Job
+  - ipReconcilerNodeSelector - specify the nodeSelector Labels on which to schedule the ip-reconciler
+
+## NetworkPlugins CRD
+
 In it's current phase, only one instance of the CRD is supported. It will reflect the final, desired state of all plugins to be deployed.
 
 If it is present, Luigi will ensure that the plugin is deployed and upgraded. If missing and re-applied, Luigi will remove the plugin if it was previously managing it.
 
-```
+```YAML
 apiVersion: plumber.k8s.pf9.io/v1
 kind: NetworkPlugins
 metadata:
@@ -70,8 +96,6 @@ spec:
     multus: {}
     whereabouts:
       ipReconcilerSchedule: "*/1 * * * *"
-      ipReconcilerNodeSelector:
-         foo: bar
     # SRIOV actually consists of two plugins - the CNI, and the device-plugin
     # Use HostPlumber to create the actual VFs
     sriov: {}
@@ -80,7 +104,7 @@ spec:
 
 The above will deploy all the plugins specified in the default namespace. To override the namespace, and deploy in kube-system:
 
-```
+```YAML
 apiVersion: plumber.k8s.pf9.io/v1
 kind: NetworkPlugins
 metadata:
@@ -100,4 +124,9 @@ spec:
       namespace: "kube-system"
 ```
 
-That is it! Now that you have the secondary CNIs and other related plugins deployed, you may need to prep the nodes before you can actually create Multus Networks and assign them to Pods. In order to do so, use Luigi's own HostPlumber plugin: https://github.com/platform9/luigi/blob/master/hostplumber/README.md
+That is it! Now that you have the secondary CNIs and other related plugins deployed, you may need to prep the nodes before you can actually create Multus Networks and assign them to Pods. In order to do so, use Luigi's own HostPlumber plugin. See [README for HostPlumber](https://github.com/platform9/luigi/blob/master/hostplumber/README.md)
+
+## Dev note
+
+This project needs to migrate to Kubebuilder/v4.
+webhooks where added manually `make generate && make manifestes` will not add required field for webhook in crds and luigi deployment. refer `samples/luigi-plugins-operator-v2.yaml`