From ae9405aa6d11e10921a4e6dc3df768fcc0405ad7 Mon Sep 17 00:00:00 2001
From: RealAnna
Date: Mon, 23 Feb 2026 10:09:54 +0100
Subject: [PATCH 01/40] chore: CONTAINER SEC CONTEXT

# Conflicts:
# internal/testbed/integration/hostmetrics/testdata/collector/daemonset.yaml
---
config_examples/collector-helm-values.yaml | 12 ++++++++++++
.../combinedload/testdata/collector/deployment.yaml | 12 ++++++++++++
.../filestorage/testdata/collector/deployment.yaml | 11 ++++++++---
.../k8scluster/testdata/collector/deployment.yaml | 12 ++++++++++++
.../k8scombined/testdata/collector/daemonset.yaml | 12 ++++++++++++
.../k8senrichment/testdata/collector/deployment.yaml | 12 ++++++++++++
.../k8sobjects/testdata/collector/deployment.yaml | 12 ++++++++++++
.../k8spodlogs/testdata/collector/deployment.yaml | 12 ++++++++++++
.../testdata/collector-exporter/deployment.yaml | 12 ++++++++++++
.../kafka/testdata/collector-kafka/deployment.yaml | 12 ++++++++++++
.../testdata/collector-receiver/deployment.yaml | 12 ++++++++++++
.../kubeletstats/testdata/collector/daemonset.yaml | 12 ++++++++++++
.../loadbalancing/testdata/collector/deployment.yaml | 12 ++++++++++++
.../testdata/otlp-receiver/deployment.yaml | 12 ++++++++++++
.../netflow/testdata/collector/deployment.yaml | 12 ++++++++++++
.../prometheus/testdata/collector/deployment.yaml | 12 ++++++++++++
.../redaction/testdata/collector/deployment.yaml | 12 ++++++++++++
.../testdata/collector/deployment.yaml | 12 ++++++++++++
.../testdata/collector/deployment.yaml | 12 ++++++++++++
.../statsd/testdata/collector/deployment.yaml | 12 ++++++++++++
.../zipkin/testdata/collector/deployment.yaml | 12 ++++++++++++
21 files changed, 248 insertions(+), 3 deletions(-)

diff --git a/config_examples/collector-helm-values.yaml b/config_examples/collector-helm-values.yaml
index 9567dade0..f71a229ad 100644
--- a/config_examples/collector-helm-values.yaml
+++ b/config_examples/collector-helm-values.yaml
@@ -4,6 +4,18 @@ image: tag: $TAG command: name: dynatrace-otel-collector +containerSecurityContext: + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + privileged: false extraEnvs: - name: DT_API_TOKEN valueFrom: diff --git a/internal/testbed/integration/combinedload/testdata/collector/deployment.yaml b/internal/testbed/integration/combinedload/testdata/collector/deployment.yaml index f756caef9..f9578c918 100644 --- a/internal/testbed/integration/combinedload/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/combinedload/testdata/collector/deployment.yaml @@ -49,6 +49,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/filestorage/testdata/collector/deployment.yaml b/internal/testbed/integration/filestorage/testdata/collector/deployment.yaml index 156da44fd..7e7104710 100644 --- a/internal/testbed/integration/filestorage/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/filestorage/testdata/collector/deployment.yaml @@ -56,12 +56,17 @@ spec: cpu: 200m memory: 512Mi securityContext: - runAsUser: 10001 - runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault capabilities: drop: - - ALL + - all volumes: - name: config configMap: 
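Review bot: `capabilities.drop` in the new `containerSecurityContext` block lists `all` in lowercase, and patch 02/40, which switches the testdata manifests to `ALL`, does not list `config_examples/collector-helm-values.yaml` in its diffstat, so the example values may keep the lowercase form unless a later patch in the series fixes it. Pod Security Admission's restricted profile checks for the literal `ALL`, and the Kyverno pattern added in patch 03/40 is written with `ALL` as well, so the lowercase entry can be rejected even where the container runtime accepts it. I would change the entry to `- ALL` and add a comment above the block such as `# Hardened to the Pod Security "restricted" profile; UID/GID 10001 must be a non-root user in the image`. The other manifests in this patch carry the same lowercase value, which 02/40 corrects.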
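Review bot: `readOnlyRootFilesystem: true` is new for the filestorage collector, and this test presumably needs a writable directory for the storage extension. The volume mounts are outside the hunk (only the `config` configMap volume is visible), so confirm the storage path is backed by a writable volume such as an `emptyDir` rather than the image filesystem. A comment next to the setting, e.g. `# root filesystem is read-only; the storage directory must be a mounted writable volume`, would record the dependency. The hunk also adds `runAsGroup: 10001`, so the mounted directory has to be writable by that UID/GID.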
diff --git a/internal/testbed/integration/k8scluster/testdata/collector/deployment.yaml b/internal/testbed/integration/k8scluster/testdata/collector/deployment.yaml index aea4374e9..a18d9051a 100644 --- a/internal/testbed/integration/k8scluster/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8scluster/testdata/collector/deployment.yaml @@ -49,6 +49,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/k8scombined/testdata/collector/daemonset.yaml b/internal/testbed/integration/k8scombined/testdata/collector/daemonset.yaml index 1852b80d9..ef1e3bba5 100644 --- a/internal/testbed/integration/k8scombined/testdata/collector/daemonset.yaml +++ b/internal/testbed/integration/k8scombined/testdata/collector/daemonset.yaml @@ -56,6 +56,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/k8senrichment/testdata/collector/deployment.yaml b/internal/testbed/integration/k8senrichment/testdata/collector/deployment.yaml index 17005f7f7..a71e7af8f 100644 --- a/internal/testbed/integration/k8senrichment/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8senrichment/testdata/collector/deployment.yaml 
@@ -51,6 +51,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/k8sobjects/testdata/collector/deployment.yaml b/internal/testbed/integration/k8sobjects/testdata/collector/deployment.yaml index 15b1bd693..f763ddfc5 100644 --- a/internal/testbed/integration/k8sobjects/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8sobjects/testdata/collector/deployment.yaml @@ -49,6 +49,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml b/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml index bfaec19ab..9fe5befb7 100644 --- a/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml @@ -49,6 +49,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all - name: logs mountPath: /var/log readOnly: true 
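Review bot: In the k8spodlogs deployment the new `securityContext` block lands between two `volumeMounts` entries: the context above it is the `/conf` mount and the context directly below is `- name: logs` with `mountPath: /var/log`, so the logs mount appears to be cut off from the `volumeMounts` list and the manifest is likely to fail parsing or lose the mount. Indentation is not recoverable in this view, so confirm against the file, but the case-fix hunk for the same file in patch 02/40 still shows `- ALL` followed directly by `- name: logs`. Move the block below the last mount, after `readOnly: true`, so it is a sibling of `volumeMounts`. Separately, check that UID 10001 can read the host `/var/log` files this test depends on, since no earlier `securityContext` is visible in the hunk.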
diff --git a/internal/testbed/integration/kafka/testdata/collector-exporter/deployment.yaml b/internal/testbed/integration/kafka/testdata/collector-exporter/deployment.yaml index b9572fe40..73be3279e 100644 --- a/internal/testbed/integration/kafka/testdata/collector-exporter/deployment.yaml +++ b/internal/testbed/integration/kafka/testdata/collector-exporter/deployment.yaml @@ -44,6 +44,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/kafka/testdata/collector-kafka/deployment.yaml b/internal/testbed/integration/kafka/testdata/collector-kafka/deployment.yaml index 678e79ccc..02e6d16b7 100644 --- a/internal/testbed/integration/kafka/testdata/collector-kafka/deployment.yaml +++ b/internal/testbed/integration/kafka/testdata/collector-kafka/deployment.yaml @@ -44,6 +44,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/kafka/testdata/collector-receiver/deployment.yaml b/internal/testbed/integration/kafka/testdata/collector-receiver/deployment.yaml index 0d621f39f..e844ea3df 100644 --- a/internal/testbed/integration/kafka/testdata/collector-receiver/deployment.yaml +++ b/internal/testbed/integration/kafka/testdata/collector-receiver/deployment.yaml 
@@ -44,6 +44,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/kubeletstats/testdata/collector/daemonset.yaml b/internal/testbed/integration/kubeletstats/testdata/collector/daemonset.yaml index 3efb00f2a..a90ee290a 100644 --- a/internal/testbed/integration/kubeletstats/testdata/collector/daemonset.yaml +++ b/internal/testbed/integration/kubeletstats/testdata/collector/daemonset.yaml @@ -52,6 +52,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/loadbalancing/testdata/collector/deployment.yaml b/internal/testbed/integration/loadbalancing/testdata/collector/deployment.yaml index d141f3dc6..c47eaeab8 100644 --- a/internal/testbed/integration/loadbalancing/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/loadbalancing/testdata/collector/deployment.yaml @@ -49,6 +49,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: 
diff --git a/internal/testbed/integration/loadbalancing/testdata/otlp-receiver/deployment.yaml b/internal/testbed/integration/loadbalancing/testdata/otlp-receiver/deployment.yaml index 4c53dd5b9..22703b451 100644 --- a/internal/testbed/integration/loadbalancing/testdata/otlp-receiver/deployment.yaml +++ b/internal/testbed/integration/loadbalancing/testdata/otlp-receiver/deployment.yaml @@ -48,6 +48,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/netflow/testdata/collector/deployment.yaml b/internal/testbed/integration/netflow/testdata/collector/deployment.yaml index 0ff9fcd1e..ef713d6f8 100644 --- a/internal/testbed/integration/netflow/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/netflow/testdata/collector/deployment.yaml @@ -52,6 +52,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/prometheus/testdata/collector/deployment.yaml b/internal/testbed/integration/prometheus/testdata/collector/deployment.yaml index 636de4b6e..e2b32f4d2 100644 --- a/internal/testbed/integration/prometheus/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/prometheus/testdata/collector/deployment.yaml 
@@ -49,6 +49,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/redaction/testdata/collector/deployment.yaml b/internal/testbed/integration/redaction/testdata/collector/deployment.yaml index 07095b47a..8eef71772 100644 --- a/internal/testbed/integration/redaction/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/redaction/testdata/collector/deployment.yaml @@ -49,6 +49,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/resource-detection/testdata/collector/deployment.yaml b/internal/testbed/integration/resource-detection/testdata/collector/deployment.yaml index 0f61c7eba..ad4b579bd 100644 --- a/internal/testbed/integration/resource-detection/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/resource-detection/testdata/collector/deployment.yaml @@ -51,6 +51,18 @@ spec: name: opentelemetry-collector-configmap - mountPath: /var/lib/dynatrace/enrichment name: dynatrace-enrichment-file + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: 
diff --git a/internal/testbed/integration/self-monitoring/testdata/collector/deployment.yaml b/internal/testbed/integration/self-monitoring/testdata/collector/deployment.yaml index 1a611fc7f..b4620ba5e 100644 --- a/internal/testbed/integration/self-monitoring/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/self-monitoring/testdata/collector/deployment.yaml @@ -66,6 +66,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/statsd/testdata/collector/deployment.yaml b/internal/testbed/integration/statsd/testdata/collector/deployment.yaml index 0a21a4460..7d731dd2b 100644 --- a/internal/testbed/integration/statsd/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/statsd/testdata/collector/deployment.yaml @@ -52,6 +52,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/zipkin/testdata/collector/deployment.yaml b/internal/testbed/integration/zipkin/testdata/collector/deployment.yaml index aefd03262..70c38b942 100644 --- a/internal/testbed/integration/zipkin/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/zipkin/testdata/collector/deployment.yaml 
@@ -52,6 +52,18 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - all volumes: - name: opentelemetry-collector-configmap configMap: From 97b72ec5551886e87e6d39b9bd16cc436a3b1455 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Tue, 24 Feb 2026 08:49:58 +0100 Subject: [PATCH 02/40] ALL --- .../integration/combinedload/testdata/collector/deployment.yaml | 2 +- .../integration/filestorage/testdata/collector/deployment.yaml | 2 +- .../integration/k8scluster/testdata/collector/deployment.yaml | 2 +- .../integration/k8scombined/testdata/collector/daemonset.yaml | 2 +- .../k8senrichment/testdata/collector/deployment.yaml | 2 +- .../integration/k8sobjects/testdata/collector/deployment.yaml | 2 +- .../integration/k8spodlogs/testdata/collector/deployment.yaml | 2 +- .../kafka/testdata/collector-exporter/deployment.yaml | 2 +- .../integration/kafka/testdata/collector-kafka/deployment.yaml | 2 +- .../kafka/testdata/collector-receiver/deployment.yaml | 2 +- .../integration/kubeletstats/testdata/collector/daemonset.yaml | 2 +- .../loadbalancing/testdata/collector/deployment.yaml | 2 +- .../loadbalancing/testdata/otlp-receiver/deployment.yaml | 2 +- .../integration/netflow/testdata/collector/deployment.yaml | 2 +- .../integration/prometheus/testdata/collector/deployment.yaml | 2 +- .../integration/redaction/testdata/collector/deployment.yaml | 2 +- .../resource-detection/testdata/collector/deployment.yaml | 2 +- .../self-monitoring/testdata/collector/deployment.yaml | 2 +- .../integration/statsd/testdata/collector/deployment.yaml | 2 +- .../integration/zipkin/testdata/collector/deployment.yaml | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) 
diff --git a/internal/testbed/integration/combinedload/testdata/collector/deployment.yaml b/internal/testbed/integration/combinedload/testdata/collector/deployment.yaml index f9578c918..3ddd8132a 100644 --- a/internal/testbed/integration/combinedload/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/combinedload/testdata/collector/deployment.yaml @@ -60,7 +60,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/filestorage/testdata/collector/deployment.yaml b/internal/testbed/integration/filestorage/testdata/collector/deployment.yaml index 7e7104710..e5403b4b6 100644 --- a/internal/testbed/integration/filestorage/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/filestorage/testdata/collector/deployment.yaml @@ -66,7 +66,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: config configMap: diff --git a/internal/testbed/integration/k8scluster/testdata/collector/deployment.yaml b/internal/testbed/integration/k8scluster/testdata/collector/deployment.yaml index a18d9051a..80c1936c3 100644 --- a/internal/testbed/integration/k8scluster/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8scluster/testdata/collector/deployment.yaml @@ -60,7 +60,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/k8scombined/testdata/collector/daemonset.yaml b/internal/testbed/integration/k8scombined/testdata/collector/daemonset.yaml index ef1e3bba5..09b3fbf30 100644 --- a/internal/testbed/integration/k8scombined/testdata/collector/daemonset.yaml +++ b/internal/testbed/integration/k8scombined/testdata/collector/daemonset.yaml 
@@ -67,7 +67,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/k8senrichment/testdata/collector/deployment.yaml b/internal/testbed/integration/k8senrichment/testdata/collector/deployment.yaml index a71e7af8f..2366379cf 100644 --- a/internal/testbed/integration/k8senrichment/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8senrichment/testdata/collector/deployment.yaml @@ -62,7 +62,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/k8sobjects/testdata/collector/deployment.yaml b/internal/testbed/integration/k8sobjects/testdata/collector/deployment.yaml index f763ddfc5..0c0aa7b9e 100644 --- a/internal/testbed/integration/k8sobjects/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8sobjects/testdata/collector/deployment.yaml @@ -60,7 +60,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml b/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml index 9fe5befb7..d92d74042 100644 --- a/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml @@ -60,7 +60,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL - name: logs mountPath: /var/log readOnly: true diff --git a/internal/testbed/integration/kafka/testdata/collector-exporter/deployment.yaml b/internal/testbed/integration/kafka/testdata/collector-exporter/deployment.yaml index 73be3279e..c4cd6a738 100644 --- a/internal/testbed/integration/kafka/testdata/collector-exporter/deployment.yaml 
+++ b/internal/testbed/integration/kafka/testdata/collector-exporter/deployment.yaml @@ -55,7 +55,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/kafka/testdata/collector-kafka/deployment.yaml b/internal/testbed/integration/kafka/testdata/collector-kafka/deployment.yaml index 02e6d16b7..0d6b2118f 100644 --- a/internal/testbed/integration/kafka/testdata/collector-kafka/deployment.yaml +++ b/internal/testbed/integration/kafka/testdata/collector-kafka/deployment.yaml @@ -55,7 +55,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/kafka/testdata/collector-receiver/deployment.yaml b/internal/testbed/integration/kafka/testdata/collector-receiver/deployment.yaml index e844ea3df..ead5e737a 100644 --- a/internal/testbed/integration/kafka/testdata/collector-receiver/deployment.yaml +++ b/internal/testbed/integration/kafka/testdata/collector-receiver/deployment.yaml @@ -55,7 +55,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/kubeletstats/testdata/collector/daemonset.yaml b/internal/testbed/integration/kubeletstats/testdata/collector/daemonset.yaml index a90ee290a..ce967bb6f 100644 --- a/internal/testbed/integration/kubeletstats/testdata/collector/daemonset.yaml +++ b/internal/testbed/integration/kubeletstats/testdata/collector/daemonset.yaml @@ -63,7 +63,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/loadbalancing/testdata/collector/deployment.yaml b/internal/testbed/integration/loadbalancing/testdata/collector/deployment.yaml index c47eaeab8..387adde6d 100644 
--- a/internal/testbed/integration/loadbalancing/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/loadbalancing/testdata/collector/deployment.yaml @@ -60,7 +60,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/loadbalancing/testdata/otlp-receiver/deployment.yaml b/internal/testbed/integration/loadbalancing/testdata/otlp-receiver/deployment.yaml index 22703b451..412c32a08 100644 --- a/internal/testbed/integration/loadbalancing/testdata/otlp-receiver/deployment.yaml +++ b/internal/testbed/integration/loadbalancing/testdata/otlp-receiver/deployment.yaml @@ -59,7 +59,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/netflow/testdata/collector/deployment.yaml b/internal/testbed/integration/netflow/testdata/collector/deployment.yaml index ef713d6f8..36f93b97e 100644 --- a/internal/testbed/integration/netflow/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/netflow/testdata/collector/deployment.yaml @@ -63,7 +63,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/prometheus/testdata/collector/deployment.yaml b/internal/testbed/integration/prometheus/testdata/collector/deployment.yaml index e2b32f4d2..b3f38aaa4 100644 --- a/internal/testbed/integration/prometheus/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/prometheus/testdata/collector/deployment.yaml @@ -60,7 +60,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: 
diff --git a/internal/testbed/integration/redaction/testdata/collector/deployment.yaml b/internal/testbed/integration/redaction/testdata/collector/deployment.yaml index 8eef71772..deaee9ece 100644 --- a/internal/testbed/integration/redaction/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/redaction/testdata/collector/deployment.yaml @@ -60,7 +60,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/resource-detection/testdata/collector/deployment.yaml b/internal/testbed/integration/resource-detection/testdata/collector/deployment.yaml index ad4b579bd..dc0f06665 100644 --- a/internal/testbed/integration/resource-detection/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/resource-detection/testdata/collector/deployment.yaml @@ -62,7 +62,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/self-monitoring/testdata/collector/deployment.yaml b/internal/testbed/integration/self-monitoring/testdata/collector/deployment.yaml index b4620ba5e..f4f0059aa 100644 --- a/internal/testbed/integration/self-monitoring/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/self-monitoring/testdata/collector/deployment.yaml @@ -77,7 +77,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/statsd/testdata/collector/deployment.yaml b/internal/testbed/integration/statsd/testdata/collector/deployment.yaml index 7d731dd2b..64a8ebd21 100644 --- a/internal/testbed/integration/statsd/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/statsd/testdata/collector/deployment.yaml 
@@ -63,7 +63,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: diff --git a/internal/testbed/integration/zipkin/testdata/collector/deployment.yaml b/internal/testbed/integration/zipkin/testdata/collector/deployment.yaml index 70c38b942..e2eb2e502 100644 --- a/internal/testbed/integration/zipkin/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/zipkin/testdata/collector/deployment.yaml @@ -63,7 +63,7 @@ spec: type: RuntimeDefault capabilities: drop: - - all + - ALL volumes: - name: opentelemetry-collector-configmap configMap: From 4e494c4757666ebbf70771b92d0699e4221f7fcd Mon Sep 17 00:00:00 2001 From: RealAnna Date: Tue, 24 Feb 2026 10:35:07 +0100 Subject: [PATCH 03/40] test github action instead --- .github/tools/render/main.go | 72 +++++++++++++++ .github/workflows/e2e.yaml | 24 ++++- .../policies/collector-securitycontext.yaml | 43 +++++++++ .../scripts/kyverno_check_all_collectors.sh | 90 +++++++++++++++++++ .../testdata/collector/deployment.yaml | 24 ++--- 5 files changed, 239 insertions(+), 14 deletions(-) create mode 100644 .github/tools/render/main.go create mode 100644 .github/workflows/kyverno/policies/collector-securitycontext.yaml create mode 100755 .github/workflows/scripts/kyverno_check_all_collectors.sh diff --git a/.github/tools/render/main.go b/.github/tools/render/main.go new file mode 100644 index 000000000..b6ccf224f --- /dev/null +++ b/.github/tools/render/main.go 
@@ -0,0 +1,72 @@ +package main + +import ( + "bytes" + "encoding/json" + "flag" + "fmt" + "io/fs" + "os" + "path/filepath" + "strings" + "text/template" +) + +func main() { + inDir := flag.String("in", "", "input dir containing Go-template YAMLs") + outDir := flag.String("out", "", "output dir for rendered YAMLs (mirrors structure)") + dataJSON := flag.String("data", "{}", "JSON object used as template data") + flag.Parse() + + if *inDir == "" || *outDir == "" { + fmt.Fprintln(os.Stderr, "usage: render -in -out -data ") + os.Exit(2) + } + + var data map[string]any + if err := json.Unmarshal([]byte(*dataJSON), &data); err != nil { + fmt.Fprintf(os.Stderr, "invalid -data JSON: %v\n", err) + os.Exit(2) + } + + if err := os.MkdirAll(*outDir, 0o755); err != nil { + fmt.Fprintf(os.Stderr, "mkdir out: %v\n", err) + os.Exit(1) + } + + err := filepath.WalkDir(*inDir, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + if d.IsDir() { + return nil + } + + low := strings.ToLower(d.Name()) + if !(strings.HasSuffix(low, ".yaml") || strings.HasSuffix(low, ".yml")) { + return nil + } + + rel, err := filepath.Rel(*inDir, path) + if err != nil { + return err + } + + outPath := filepath.Join(*outDir, rel) + if err := os.MkdirAll(filepath.Dir(outPath), 0o755); err != nil { + return err + } + + tmpl := template.Must(template.New(filepath.Base(path)).ParseFiles(path)) + var buf bytes.Buffer + if err := tmpl.Execute(&buf, data); err != nil { + return fmt.Errorf("template execute %s: %w", path, err) + } + + return os.WriteFile(outPath, buf.Bytes(), 0o644) + }) + if err != nil { + fmt.Fprintln(os.Stderr, err) + os.Exit(1) + } +} diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index a847e55a6..77d17059e 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml 
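Review bot: `tmpl.Execute` runs with the default missing-key behaviour, so a template field that is absent from the `-data` map renders as `<no value>` and the manifest is still written and handed to the policy check. Because this tool's output gates a security policy, set `.Option("missingkey=error")` on the template before executing it so an unknown field aborts rendering. In the same callback `template.Must` panics on a parse error instead of returning it through `WalkDir`; `tmpl, err := template.New(filepath.Base(path)).Option("missingkey=error").ParseFiles(path)` followed by `if err != nil { return fmt.Errorf("template parse %s: %w", path, err) }` keeps the error path consistent with the `Execute` branch. A doc comment on `main` describing the three flags and the mirrored output layout would also help.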
@@ -15,6 +15,26 @@ env: GO_VERSION: "1.25.7" jobs: + kyverno-yaml-check: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + + - name: Setup Go + uses: actions/setup-go@v6 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Install Kyverno CLI + uses: kyverno/action-install-cli@v0.2.0 + + - name: Render collector YAMLs and validate with Kyverno + run: | + bash "${{ github.workspace }}/.github/workflows/scripts/kyverno_check_all_collectors.sh" \ + "${{ github.workspace }}/internal/testbed/integration" \ + "${{ github.workspace }}/.github/workflows/kyverno/policies" \ + "${{ runner.temp }}/rendered-collectors" + docker-build: runs-on: ubuntu-24.04 steps: @@ -147,8 +167,8 @@ jobs: - name: Run e2e tests run: | - cd internal/testbed/integration/${{ matrix.usecase }} - go test -v --tags=e2e + cd internal/testbed/integration/${{ matrix.usecase }} + go test -v --tags=e2e combined-load-test: if: github.event_name == 'push' && github.ref == 'refs/heads/main' diff --git a/.github/workflows/kyverno/policies/collector-securitycontext.yaml b/.github/workflows/kyverno/policies/collector-securitycontext.yaml new file mode 100644 index 000000000..65f5bd656 --- /dev/null +++ b/.github/workflows/kyverno/policies/collector-securitycontext.yaml 
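Review bot: The new `kyverno-yaml-check` job references `kyverno/action-install-cli@v0.2.0`, `actions/checkout@v4` and `actions/setup-go@v6` by mutable tag, so a moved tag would change what runs in this job without any change to the workflow. Pinning to a commit, e.g. `uses: kyverno/action-install-cli@<full-commit-sha> # v0.2.0`, fixes the code that executes. The job also declares no `permissions:` block in the lines shown; if the workflow has no top-level one (not visible in this hunk), adding `permissions:` with `contents: read` keeps the token read-only, which is all a render-and-validate job needs.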
@@ -0,0 +1,43 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: collector-workloads-securitycontext +spec: + validationFailureAction: Enforce + background: false + rules: + - name: require-hardened-securitycontext-on-collector-workloads + match: + any: + - resources: + kinds: + - Deployment + - DaemonSet + - StatefulSet + + preconditions: + all: + - key: "{{ request.object.spec.template.metadata.labels.\"app.kubernetes.io/name\" }}" + operator: Equals + value: opentelemetry-collector + + validate: + message: "Collector workloads must run with hardened container securityContext." + pattern: + spec: + template: + spec: + containers: + - name: "?*" + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL diff --git a/.github/workflows/scripts/kyverno_check_all_collectors.sh b/.github/workflows/scripts/kyverno_check_all_collectors.sh new file mode 100755 index 000000000..c5b927d4f --- /dev/null +++ b/.github/workflows/scripts/kyverno_check_all_collectors.sh 
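Review bot: The `pattern` under `validate` lists only `containers`, so an `initContainers` entry in a collector workload is never checked and could run privileged or as root while the policy still passes. Adding a conditional `=(initContainers):` anchor with the same `securityContext` pattern closes that gap without requiring init containers to exist. Separately, as far as I can tell the `preconditions` block means a Deployment, DaemonSet or StatefulSet whose pod template lacks the `app.kubernetes.io/name: opentelemetry-collector` label is skipped rather than failed, so the CI job should treat skipped workloads as a finding.

```yaml
# … unchanged: metadata, match, preconditions, message, containers pattern …
=(initContainers):
  - name: "?*"
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 10001
      runAsGroup: 10001
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
          - ALL
```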
@@ -0,0 +1,90 @@ +#!/usr/bin/env bash +set -euo pipefail + +INTEGRATION_ROOT="${1:-internal/testbed/integration}" +POLICIES_DIR="${2:-.github/workflows/kyverno/policies}" +OUT_BASE="${3:-${RUNNER_TEMP:-/tmp}/rendered-collectors}" + +echo "INTEGRATION_ROOT=$INTEGRATION_ROOT" +echo "POLICIES_DIR=$POLICIES_DIR" +echo "OUT_BASE=$OUT_BASE" + +command -v go >/dev/null 2>&1 || { echo "go not found"; exit 2; } +command -v kyverno >/dev/null 2>&1 || { echo "kyverno not found"; exit 2; } + +rm -rf "$OUT_BASE" +mkdir -p "$OUT_BASE" + +# Minimal template data. Keep CollectorConfig simple; we won't pass configmaps to Kyverno anyway. +DATA_JSON='{ + "Name":"otelcol-ci", + "TestID":"ci", + "HostEndpoint":"http://example.invalid", + "ContainerRegistry":"dynatrace", + "CollectorConfig":"receivers: {}\\nexporters: {}\\nservice: { pipelines: {} }\\n", + "K8sCluster":"ci" +}' + +# Find all collector* directories under integration root testdata +COLLECTOR_DIRS=() +while IFS= read -r d; do + COLLECTOR_DIRS+=("$d") +done < <(find "$INTEGRATION_ROOT" -type d -path "*/testdata/*" -name 'collector*' | sort) + +if [ "${#COLLECTOR_DIRS[@]}" -eq 0 ]; then + echo "No collector* directories found under: $INTEGRATION_ROOT" + exit 1 +fi + +echo "Found collector template dirs: ${#COLLECTOR_DIRS[@]}" +printf ' - %s\n' "${COLLECTOR_DIRS[@]}" + +# Render each collector dir into a unique output folder +for d in "${COLLECTOR_DIRS[@]}"; do + safe="${d#"$INTEGRATION_ROOT"/}" + safe="${safe//\//_}" + out="$OUT_BASE/$safe" + mkdir -p "$out" + + go run .github/tools/render/main.go -in "$d" -out "$out" -data "$DATA_JSON" +done + +# Build Kyverno resource args from workload YAMLs only +RES_ARGS=() +while IFS= read -r f; do + # Determine kind cheaply (no full YAML parse needed) + kind="$(grep -m1 '^[[:space:]]*kind:' "$f" | awk '{print $2}' || true)" + case "$kind" in + Deployment|DaemonSet|StatefulSet) + RES_ARGS+=("-r" "$f") + ;; + esac +done < <(find "$OUT_BASE" -type f \( -name '*.yaml' -o -name '*.yml' \) 
| sort) + +if [ "${#RES_ARGS[@]}" -eq 0 ]; then + echo "No rendered workload YAMLs (Deployment/DaemonSet/StatefulSet) found under: $OUT_BASE" + exit 1 +fi + +echo "Kyverno will validate workload YAMLs:" +for ((i=1; i<${#RES_ARGS[@]}; i+=2)); do + echo " - ${RES_ARGS[i]}" +done + +# Apply policies (pass policies as files + resources as repeated -r) +set +e +kyverno apply "$POLICIES_DIR"/*.yaml "${RES_ARGS[@]}" +rc=$? +set -e + +if [ "$rc" -ne 0 ]; then + echo "Kyverno failed. Dumping first 120 lines of workload YAMLs for debugging:" + for ((i=1; i<${#RES_ARGS[@]}; i+=2)); do + f="${RES_ARGS[i]}" + echo "===== $f =====" + nl -ba "$f" | sed -n '1,120p' + done + exit "$rc" +fi + +echo "Kyverno validation passed." diff --git a/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml b/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml index d92d74042..81a793cf6 100644 --- a/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml +++ b/internal/testbed/integration/k8spodlogs/testdata/collector/deployment.yaml @@ -49,21 +49,21 @@ spec: volumeMounts: - mountPath: /conf name: opentelemetry-collector-configmap - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - name: logs mountPath: /var/log readOnly: true + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL volumes: - name: opentelemetry-collector-configmap configMap: From e43e7bc034edef57dea0e5779a22e218fa875c7b Mon Sep 17 00:00:00 2001 
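Review bot: In the loop that builds `RES_ARGS`, `grep -m1 '^[[:space:]]*kind:'` looks only at the first `kind:` line of each rendered file, so a multi-document YAML whose first document is, say, a ConfigMap is dropped from the list and its Deployment is never passed to `kyverno apply`. A workload can then escape the securityContext check purely through file layout. Matching any top-level kind keeps it covered: `if grep -Eq '^kind:[[:space:]]*(Deployment|DaemonSet|StatefulSet)[[:space:]]*$' "$f"; then RES_ARGS+=("-r" "$f"); fi`. `rm -rf "$OUT_BASE"` also acts on an unchecked positional argument and would benefit from a guard that refuses `/` or the repository root.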
From: RealAnna Date: Wed, 25 Feb 2026 07:57:29 +0100 Subject: [PATCH 04/40] test with bash --- .github/tools/render/main.go | 72 ----------------- .github/workflows/e2e.yaml | 13 +-- .../scripts/kyverno_check_all_collectors.sh | 80 ++++++++++--------- 3 files changed, 47 insertions(+), 118 deletions(-) delete mode 100644 .github/tools/render/main.go diff --git a/.github/tools/render/main.go b/.github/tools/render/main.go deleted file mode 100644 index b6ccf224f..000000000 --- a/.github/tools/render/main.go +++ /dev/null 
@@ -1,72 +0,0 @@
-package main
-
-import (
- "bytes"
- "encoding/json"
- "flag"
- "fmt"
- "io/fs"
- "os"
- "path/filepath"
- "strings"
- "text/template"
-)
-
-func main() {
- inDir := flag.String("in", "", "input dir containing Go-template YAMLs")
- outDir := flag.String("out", "", "output dir for rendered YAMLs (mirrors structure)")
- dataJSON := flag.String("data", "{}", "JSON object used as template data")
- flag.Parse()
-
- if *inDir == "" || *outDir == "" {
- fmt.Fprintln(os.Stderr, "usage: render -in -out -data ")
- os.Exit(2)
- }
-
- var data map[string]any
- if err := json.Unmarshal([]byte(*dataJSON), &data); err != nil {
- fmt.Fprintf(os.Stderr, "invalid -data JSON: %v\n", err)
- os.Exit(2)
- }
-
- if err := os.MkdirAll(*outDir, 0o755); err != nil {
- fmt.Fprintf(os.Stderr, "mkdir out: %v\n", err)
- os.Exit(1)
- }
-
- err := filepath.WalkDir(*inDir, func(path string, d fs.DirEntry, err error) error {
- if err != nil {
- return err
- }
- if d.IsDir() {
- return nil
- }
-
- low := strings.ToLower(d.Name())
- if !(strings.HasSuffix(low, ".yaml") || strings.HasSuffix(low, ".yml")) {
- return nil
- }
-
- rel, err := filepath.Rel(*inDir, path)
- if err != nil {
- return err
- }
-
- outPath := filepath.Join(*outDir, rel)
- if err := os.MkdirAll(filepath.Dir(outPath), 0o755); err != nil {
- return err
- }
-
- tmpl := template.Must(template.New(filepath.Base(path)).ParseFiles(path))
- var buf bytes.Buffer
- if err := tmpl.Execute(&buf, data); err != nil {
- return fmt.Errorf("template execute %s: %w", path, err)
- }
-
- return os.WriteFile(outPath, buf.Bytes(), 0o644)
- })
- if err != nil {
- fmt.Fprintln(os.Stderr, err)
- os.Exit(1)
- }
-}
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 77d17059e..3495842c6 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -20,20 +20,15 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Setup Go - uses: actions/setup-go@v6 - with: - go-version: ${{ env.GO_VERSION }} - - name: Install Kyverno CLI uses: kyverno/action-install-cli@v0.2.0 - name: Render collector YAMLs and validate with Kyverno run: | - bash "${{ github.workspace }}/.github/workflows/scripts/kyverno_check_all_collectors.sh" \ - "${{ github.workspace }}/internal/testbed/integration" \ - "${{ github.workspace }}/.github/workflows/kyverno/policies" \ - "${{ runner.temp }}/rendered-collectors" + bash .github/workflows/scripts/kyverno_check_all_collectors.sh \ + internal/testbed/integration \ + .github/workflows/kyverno/policies \ + "${{ runner.temp }}/rendered-collectors-simple" docker-build: runs-on: ubuntu-24.04 diff --git a/.github/workflows/scripts/kyverno_check_all_collectors.sh b/.github/workflows/scripts/kyverno_check_all_collectors.sh index c5b927d4f..6d2906f71 100755 --- a/.github/workflows/scripts/kyverno_check_all_collectors.sh +++ b/.github/workflows/scripts/kyverno_check_all_collectors.sh 
@@ -1,31 +1,28 @@ #!/usr/bin/env bash set -euo pipefail +# Usage: +# kyverno_check_all_collectors_simple.sh [INTEGRATION_ROOT] [POLICIES_DIR] [OUT_BASE] +# +# Defaults assume this repo layout: +# - integrations: internal/testbed/integration +# - policies: .github/workflows/kyverno/policies +# - output: $RUNNER_TEMP/rendered-collectors-simple (or /tmp/..) + INTEGRATION_ROOT="${1:-internal/testbed/integration}" POLICIES_DIR="${2:-.github/workflows/kyverno/policies}" -OUT_BASE="${3:-${RUNNER_TEMP:-/tmp}/rendered-collectors}" +OUT_BASE="${3:-${RUNNER_TEMP:-/tmp}/rendered-collectors-simple}" echo "INTEGRATION_ROOT=$INTEGRATION_ROOT" echo "POLICIES_DIR=$POLICIES_DIR" echo "OUT_BASE=$OUT_BASE" -command -v go >/dev/null 2>&1 || { echo "go not found"; exit 2; } -command -v kyverno >/dev/null 2>&1 || { echo "kyverno not found"; exit 2; } +command -v kyverno >/dev/null 2>&1 || { echo "kyverno not found in PATH"; exit 2; } rm -rf "$OUT_BASE" mkdir -p "$OUT_BASE" -# Minimal template data. Keep CollectorConfig simple; we won't pass configmaps to Kyverno anyway. -DATA_JSON='{ - "Name":"otelcol-ci", - "TestID":"ci", - "HostEndpoint":"http://example.invalid", - "ContainerRegistry":"dynatrace", - "CollectorConfig":"receivers: {}\\nexporters: {}\\nservice: { pipelines: {} }\\n", - "K8sCluster":"ci" -}' - -# Find all collector* directories under integration root testdata +# --- find collector template dirs --- COLLECTOR_DIRS=() while IFS= read -r d; do COLLECTOR_DIRS+=("$d") 
@@ -39,20 +36,44 @@ fi echo "Found collector template dirs: ${#COLLECTOR_DIRS[@]}" printf ' - %s\n' "${COLLECTOR_DIRS[@]}" -# Render each collector dir into a unique output folder +# --- preprocess (simple placeholder substitution) --- +preprocess_dir() { + local in_dir="$1" + local out_dir="$2" + + mkdir -p "$out_dir" + cp -R "$in_dir"/. "$out_dir"/ + + find "$out_dir" -type f \( -name '*.yaml' -o -name '*.yml' \) -print0 | + xargs -0 perl -0777 -pi -e ' + s/\{\{\s*\.Name\s*\}\}/otelcol-ci/g; + s/\{\{\s*\.Namespace\s*\}\}/e2e/g; + s/\{\{\s*\.TestID\s*\}\}/ci/g; + s/\{\{\s*\.HostEndpoint\s*\}\}/http:\/\/example.invalid/g; + s/\{\{\s*\.ContainerRegistry\s*\}\}/dynatrace/g; + s/\{\{\s*\.K8sCluster\s*\}\}/ci/g; + s/\{\{\s*\.CollectorConfig\s*\}\}/receivers: {}\\nexporters: {}\\nservice: { pipelines: {} }\\n/g; + ' + + # Fail if anything template-like remains + if grep -R --line-number "{{" "$out_dir" >/dev/null 2>&1; then + echo "ERROR: Unhandled template expressions remain in $in_dir (preprocessed at $out_dir)." + echo "First occurrences:" + grep -R --line-number "{{" "$out_dir" | head -n 50 + exit 1 + fi +} + for d in "${COLLECTOR_DIRS[@]}"; do safe="${d#"$INTEGRATION_ROOT"/}" safe="${safe//\//_}" out="$OUT_BASE/$safe" - mkdir -p "$out" - - go run .github/tools/render/main.go -in "$d" -out "$out" -data "$DATA_JSON" + preprocess_dir "$d" "$out" done -# Build Kyverno resource args from workload YAMLs only +# --- collect only workload YAMLs (Deployment/DaemonSet/StatefulSet) --- RES_ARGS=() while IFS= read -r f; do - # Determine kind cheaply (no full YAML parse needed) kind="$(grep -m1 '^[[:space:]]*kind:' "$f" | awk '{print $2}' || true)" case "$kind" in Deployment|DaemonSet|StatefulSet) 
@@ -62,7 +83,7 @@ while IFS= read -r f; do done < <(find "$OUT_BASE" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort) if [ "${#RES_ARGS[@]}" -eq 0 ]; then - echo "No rendered workload YAMLs (Deployment/DaemonSet/StatefulSet) found under: $OUT_BASE" + echo "No workload YAMLs found after preprocessing." exit 1 fi @@ -71,20 +92,5 @@ for ((i=1; i<${#RES_ARGS[@]}; i+=2)); do echo " - ${RES_ARGS[i]}" done -# Apply policies (pass policies as files + resources as repeated -r) -set +e +# --- run kyverno --- kyverno apply "$POLICIES_DIR"/*.yaml "${RES_ARGS[@]}" -rc=$? -set -e - -if [ "$rc" -ne 0 ]; then - echo "Kyverno failed. Dumping first 120 lines of workload YAMLs for debugging:" - for ((i=1; i<${#RES_ARGS[@]}; i+=2)); do - f="${RES_ARGS[i]}" - echo "===== $f =====" - nl -ba "$f" | sed -n '1,120p' - done - exit "$rc" -fi - -echo "Kyverno validation passed." From 39229beb69b89da6f7242adcee52b568e979e72b Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 2 Mar 2026 08:12:47 +0100 Subject: [PATCH 05/40] Try go code --- .github/workflows/e2e.yaml | 29 +- .../scripts/kyverno_check_all_collectors.sh | 96 ----- cmd/rendercollectors/go.mod | 5 + cmd/rendercollectors/main.go | 382 ++++++++++++++++++ 4 files changed, 409 insertions(+), 103 deletions(-) delete mode 100755 .github/workflows/scripts/kyverno_check_all_collectors.sh create mode 100644 cmd/rendercollectors/go.mod create mode 100644 cmd/rendercollectors/main.go diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 3495842c6..9d89016c9 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml 
@@ -13,22 +13,37 @@ env: KUBECONFIG: /tmp/kube-config-collector-e2e-testing # renovate: datasource=golang-version depName=go GO_VERSION: "1.25.7" + OUT_BASE: "${{ runner.temp }}/rendered-collectors-simple" jobs: kyverno-yaml-check: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Setup Go + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 + with: + go-version: ${{ env.GO_VERSION }} + cache-dependency-path: "**/*.sum" - name: Install Kyverno CLI - uses: kyverno/action-install-cli@v0.2.0 + uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 - - name: Render collector YAMLs and validate with Kyverno + - name: Render collector YAMLs + shell: bash + run: | + (cd cmd/rendercollectors && go run . \ + -repo-root ../.. \ + -integration-root internal/testbed/integration \ + -out-base "${{ env.OUT_BASE }}") + + - name: Validate with Kyverno + shell: bash run: | - bash .github/workflows/scripts/kyverno_check_all_collectors.sh \ - internal/testbed/integration \ - .github/workflows/kyverno/policies \ - "${{ runner.temp }}/rendered-collectors-simple" + sed 's|^|-r |' "${{ env.OUT_BASE }}/workloads.txt" \ + | xargs kyverno apply .github/workflows/kyverno/policies/*.yaml docker-build: runs-on: ubuntu-24.04 diff --git a/.github/workflows/scripts/kyverno_check_all_collectors.sh b/.github/workflows/scripts/kyverno_check_all_collectors.sh deleted file mode 100755 index 6d2906f71..000000000 --- a/.github/workflows/scripts/kyverno_check_all_collectors.sh +++ /dev/null 
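Review bot: The `Render collector YAMLs` step passes `-repo-root ../..`, but the `main.go` added in this same commit defines only `-integration-root`, `-out-base` and `-workloads-file`, so `flag.Parse()` would reject the argument and the step cannot succeed. The program also takes the repository root from `os.Getwd()`, which is `cmd/rendercollectors` after the `cd`, so `-integration-root internal/testbed/integration` would resolve under the tool's own directory. Either add a `repo-root` flag to the program and use it instead of the working directory, or build the binary in `cmd/rendercollectors` and run it from the workspace root without that argument. I also believe the `runner` context is not available in workflow-level `env:`, so `OUT_BASE` should be set where `runner.temp` can be resolved.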
@@ -1,96 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -# Usage: -# kyverno_check_all_collectors_simple.sh [INTEGRATION_ROOT] [POLICIES_DIR] [OUT_BASE] -# -# Defaults assume this repo layout: -# - integrations: internal/testbed/integration -# - policies: .github/workflows/kyverno/policies -# - output: $RUNNER_TEMP/rendered-collectors-simple (or /tmp/..) - -INTEGRATION_ROOT="${1:-internal/testbed/integration}" -POLICIES_DIR="${2:-.github/workflows/kyverno/policies}" -OUT_BASE="${3:-${RUNNER_TEMP:-/tmp}/rendered-collectors-simple}" - -echo "INTEGRATION_ROOT=$INTEGRATION_ROOT" -echo "POLICIES_DIR=$POLICIES_DIR" -echo "OUT_BASE=$OUT_BASE" - -command -v kyverno >/dev/null 2>&1 || { echo "kyverno not found in PATH"; exit 2; } - -rm -rf "$OUT_BASE" -mkdir -p "$OUT_BASE" - -# --- find collector template dirs --- -COLLECTOR_DIRS=() -while IFS= read -r d; do - COLLECTOR_DIRS+=("$d") -done < <(find "$INTEGRATION_ROOT" -type d -path "*/testdata/*" -name 'collector*' | sort) - -if [ "${#COLLECTOR_DIRS[@]}" -eq 0 ]; then - echo "No collector* directories found under: $INTEGRATION_ROOT" - exit 1 -fi - -echo "Found collector template dirs: ${#COLLECTOR_DIRS[@]}" -printf ' - %s\n' "${COLLECTOR_DIRS[@]}" - -# --- preprocess (simple placeholder substitution) --- -preprocess_dir() { - local in_dir="$1" - local out_dir="$2" - - mkdir -p "$out_dir" - cp -R "$in_dir"/. 
"$out_dir"/ - - find "$out_dir" -type f \( -name '*.yaml' -o -name '*.yml' \) -print0 | - xargs -0 perl -0777 -pi -e ' - s/\{\{\s*\.Name\s*\}\}/otelcol-ci/g; - s/\{\{\s*\.Namespace\s*\}\}/e2e/g; - s/\{\{\s*\.TestID\s*\}\}/ci/g; - s/\{\{\s*\.HostEndpoint\s*\}\}/http:\/\/example.invalid/g; - s/\{\{\s*\.ContainerRegistry\s*\}\}/dynatrace/g; - s/\{\{\s*\.K8sCluster\s*\}\}/ci/g; - s/\{\{\s*\.CollectorConfig\s*\}\}/receivers: {}\\nexporters: {}\\nservice: { pipelines: {} }\\n/g; - ' - - # Fail if anything template-like remains - if grep -R --line-number "{{" "$out_dir" >/dev/null 2>&1; then - echo "ERROR: Unhandled template expressions remain in $in_dir (preprocessed at $out_dir)." - echo "First occurrences:" - grep -R --line-number "{{" "$out_dir" | head -n 50 - exit 1 - fi -} - -for d in "${COLLECTOR_DIRS[@]}"; do - safe="${d#"$INTEGRATION_ROOT"/}" - safe="${safe//\//_}" - out="$OUT_BASE/$safe" - preprocess_dir "$d" "$out" -done - -# --- collect only workload YAMLs (Deployment/DaemonSet/StatefulSet) --- -RES_ARGS=() -while IFS= read -r f; do - kind="$(grep -m1 '^[[:space:]]*kind:' "$f" | awk '{print $2}' || true)" - case "$kind" in - Deployment|DaemonSet|StatefulSet) - RES_ARGS+=("-r" "$f") - ;; - esac -done < <(find "$OUT_BASE" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort) - -if [ "${#RES_ARGS[@]}" -eq 0 ]; then - echo "No workload YAMLs found after preprocessing." - exit 1 -fi - -echo "Kyverno will validate workload YAMLs:" -for ((i=1; i<${#RES_ARGS[@]}; i+=2)); do - echo " - ${RES_ARGS[i]}" -done - -# --- run kyverno --- -kyverno apply "$POLICIES_DIR"/*.yaml "${RES_ARGS[@]}" diff --git a/cmd/rendercollectors/go.mod b/cmd/rendercollectors/go.mod new file mode 100644 index 000000000..849fd31ed --- /dev/null +++ b/cmd/rendercollectors/go.mod @@ -0,0 +1,5 @@ +module github.com/Dynatrace/dynatrace-otel-collector/cmd/rendercollectors + +go 1.25.7 + +require gopkg.in/yaml.v3 v3.0.1 
diff --git a/cmd/rendercollectors/main.go b/cmd/rendercollectors/main.go new file mode 100644 index 000000000..a9d0ad050 --- /dev/null +++ b/cmd/rendercollectors/main.go 
@@ -0,0 +1,382 @@ +package main + +import ( + "bufio" + "bytes" + "errors" + "flag" + "fmt" + "io" + "io/fs" + "os" + "path/filepath" + "regexp" + "sort" + "strings" + + "gopkg.in/yaml.v3" +) + +var ( + reName = regexp.MustCompile(`\{\{\s*\.Name\s*\}\}`) + reNamespace = regexp.MustCompile(`\{\{\s*\.Namespace\s*\}\}`) + reTestID = regexp.MustCompile(`\{\{\s*\.TestID\s*\}\}`) + reHostEndpoint = regexp.MustCompile(`\{\{\s*\.HostEndpoint\s*\}\}`) + reContainerReg = regexp.MustCompile(`\{\{\s*\.ContainerRegistry\s*\}\}`) + reK8sCluster = regexp.MustCompile(`\{\{\s*\.K8sCluster\s*\}\}`) + reCollectorConfig = regexp.MustCompile(`\{\{\s*\.CollectorConfig\s*\}\}`) +) + +func main() { + var ( + integrationRoot = flag.String("integration-root", "", "Path under repo root, e.g. internal/testbed/integration") + outBase = flag.String("out-base", "", "Output directory, e.g. /tmp/rendered-collectors") + workloadsFile = flag.String("workloads-file", "", "Optional override for workloads list output (default: /workloads.txt)") + ) + flag.Parse() + + if *integrationRoot == "" || *outBase == "" { + fatalf("missing required flags: -integration-root and -out-base") + } + + repoRoot, err := os.Getwd() + if err != nil { + fatalf("getwd: %v", err) + } + + // Ensure integrationRoot is absolute for walking/copying + integrationAbs := filepath.Clean(filepath.Join(repoRoot, *integrationRoot)) + outBaseAbs := filepath.Clean(*outBase) + + if err := os.RemoveAll(outBaseAbs); err != nil { + fatalf("remove out-base: %v", err) + } + if err := os.MkdirAll(outBaseAbs, 0o755); err != nil { + fatalf("mkdir out-base: %v", err) + } + + collectorDirs, err := findCollectorDirs(integrationAbs) + if err != nil { + fatalf("find collector dirs: %v", err) + } + if len(collectorDirs) == 0 { + fatalf("no collector* directories found under: %s", integrationAbs) + } + + fmt.Printf("Found collector template dirs: %d\n", len(collectorDirs)) + for _, d := range collectorDirs { + rel, _ := filepath.Rel(integrationAbs, d) 
+ fmt.Printf(" - %s\n", filepath.ToSlash(rel)) + } + + // Render all + for _, inDir := range collectorDirs { + rel, _ := filepath.Rel(integrationAbs, inDir) + safe := strings.ReplaceAll(filepath.ToSlash(rel), "/", "_") + outDir := filepath.Join(outBaseAbs, safe) + + if err := copyDir(inDir, outDir); err != nil { + fatalf("copy %s -> %s: %v", inDir, outDir, err) + } + if err := preprocessYAMLs(outDir); err != nil { + fatalf("preprocess %s: %v", outDir, err) + } + if err := ensureNoTemplatesRemain(outDir); err != nil { + fatalf("template leftovers in %s: %v", inDir, err) + } + } + + // Collect workload YAMLs and write relative paths (relative to repo root) + workloadAbs, err := collectWorkloadYAMLs(outBaseAbs) + if err != nil { + fatalf("collect workload yamls: %v", err) + } + if len(workloadAbs) == 0 { + fatalf("no workload YAMLs found after preprocessing") + } + + outList := *workloadsFile + if outList == "" { + outList = filepath.Join(outBaseAbs, "workloads.txt") + } + + relList := make([]string, 0, len(workloadAbs)) + for _, p := range workloadAbs { + r, err := filepath.Rel(repoRoot, p) + if err != nil { + fatalf("make relative path for %s: %v", p, err) + } + relList = append(relList, filepath.ToSlash(r)) + } + sort.Strings(relList) + + if err := writeLines(outList, relList); err != nil { + fatalf("write workloads file: %v", err) + } + + fmt.Printf("Wrote %d workload YAMLs to %s\n", len(relList), outList) + // Optional: print a small preview to help CI logs + preview := 20 + if len(relList) < preview { + preview = len(relList) + } + for i := 0; i < preview; i++ { + fmt.Printf(" - %s\n", relList[i]) + } + if len(relList) > preview { + fmt.Printf(" ... 
(%d more)\n", len(relList)-preview) + } +} + +func findCollectorDirs(integrationAbs string) ([]string, error) { + var dirs []string + + err := filepath.WalkDir(integrationAbs, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + if !d.IsDir() { + return nil + } + + base := filepath.Base(path) + if !strings.HasPrefix(base, "collector") { + return nil + } + + // ".../testdata/collector*" + parent := filepath.Base(filepath.Dir(path)) + if parent != "testdata" { + return nil + } + + dirs = append(dirs, path) + return nil + }) + if err != nil { + return nil, err + } + + sort.Strings(dirs) + return dirs, nil +} + +func copyDir(src, dst string) error { + return filepath.WalkDir(src, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + + rel, _ := filepath.Rel(src, path) + outPath := filepath.Join(dst, rel) + + info, err := d.Info() + if err != nil { + return err + } + + if d.IsDir() { + return os.MkdirAll(outPath, info.Mode().Perm()) + } + + if err := os.MkdirAll(filepath.Dir(outPath), 0o755); err != nil { + return err + } + return copyFile(path, outPath, info.Mode().Perm()) + }) +} + +func copyFile(src, dst string, perm fs.FileMode) error { + in, err := os.Open(src) + if err != nil { + return err + } + + defer in.Close() + + out, err := os.OpenFile(dst, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, perm) + if err != nil { + return err + } + defer func() { _ = out.Close() }() + + if _, err := io.Copy(out, in); err != nil { + return err + } + return out.Close() +} + +func preprocessYAMLs(root string) error { + return filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + if d.IsDir() { + return nil + } + ext := strings.ToLower(filepath.Ext(path)) + if ext != ".yaml" && ext != ".yml" { + return nil + } + + orig, err := os.ReadFile(path) + if err != nil { + return err + } + s := string(orig) + + s = reName.ReplaceAllString(s, "otelcol-ci") + s = 
reNamespace.ReplaceAllString(s, "e2e") + s = reTestID.ReplaceAllString(s, "ci") + s = reHostEndpoint.ReplaceAllString(s, "http://example.invalid") + s = reContainerReg.ReplaceAllString(s, "dynatrace") + s = reK8sCluster.ReplaceAllString(s, "ci") + s = reCollectorConfig.ReplaceAllString(s, "receivers: {}\nexporters: {}\nservice: { pipelines: {} }\n") + + if s == string(orig) { + return nil + } + + // Preserve existing permissions if possible; fallback to 0644 + mode := fs.FileMode(0o644) + if st, err := os.Stat(path); err == nil { + mode = st.Mode().Perm() + } + return os.WriteFile(path, []byte(s), mode) + }) +} + +func ensureNoTemplatesRemain(root string) error { + var first []string + + err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + if d.IsDir() { + return nil + } + ext := strings.ToLower(filepath.Ext(path)) + if ext != ".yaml" && ext != ".yml" { + return nil + } + + b, err := os.ReadFile(path) + if err != nil { + return err + } + if !bytes.Contains(b, []byte("{{")) { + return nil + } + + sc := bufio.NewScanner(bytes.NewReader(b)) + line := 0 + for sc.Scan() { + line++ + txt := sc.Text() + if strings.Contains(txt, "{{") { + first = append(first, fmt.Sprintf("%s:%d:%s", filepath.ToSlash(path), line, txt)) + if len(first) >= 50 { + break + } + } + } + return nil + }) + if err != nil { + return err + } + if len(first) > 0 { + return fmt.Errorf("unhandled template expressions remain; first occurrences:\n%s", strings.Join(first, "\n")) + } + return nil +} + +func collectWorkloadYAMLs(root string) ([]string, error) { + var out []string + err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + if d.IsDir() { + return nil + } + ext := strings.ToLower(filepath.Ext(path)) + if ext != ".yaml" && ext != ".yml" { + return nil + } + + kinds, err := kindsInFile(path) + if err != nil { + return fmt.Errorf("parse yaml %s: %w", path, err) + } + for 
_, k := range kinds { + switch k { + case "Deployment", "DaemonSet", "StatefulSet": + out = append(out, path) + return nil + } + } + return nil + }) + if err != nil { + return nil, err + } + sort.Strings(out) + return out, nil +} + +func kindsInFile(path string) ([]string, error) { + b, err := os.ReadFile(path) + if err != nil { + return nil, err + } + + dec := yaml.NewDecoder(bytes.NewReader(b)) + var kinds []string + + for { + var doc map[string]any + if err := dec.Decode(&doc); err != nil { + if errors.Is(err, io.EOF) { + break + } + return nil, err + } + if doc == nil { + continue + } + if k, ok := doc["kind"].(string); ok && k != "" { + kinds = append(kinds, k) + } + } + + return kinds, nil +} + +func writeLines(path string, lines []string) error { + if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil { + return err + } + f, err := os.Create(path) + if err != nil { + return err + } + defer func() { _ = f.Close() }() + + w := bufio.NewWriter(f) + for _, s := range lines { + if _, err := w.WriteString(s + "\n"); err != nil { + return err + } + } + if err := w.Flush(); err != nil { + return err + } + return f.Close() +} + +func fatalf(format string, a ...any) { + fmt.Fprintf(os.Stderr, "ERROR: "+format+"\n", a...) + os.Exit(1) +} From a7179a0e1107dce0fece78bb4095a8b61f740753 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 2 Mar 2026 08:12:54 +0100 Subject: [PATCH 06/40] Try go code --- cmd/rendercollectors/go.sum | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cmd/rendercollectors/go.sum diff --git a/cmd/rendercollectors/go.sum b/cmd/rendercollectors/go.sum new file mode 100644 index 000000000..a62c313c5 --- /dev/null +++ b/cmd/rendercollectors/go.sum 
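Review bot: `main` calls `os.RemoveAll(outBaseAbs)` on whatever `-out-base` holds after only `filepath.Clean`, so a value such as `.`, `/` or a parent of the repository deletes the checkout or more before anything is rendered. Resolving the path with `filepath.Abs` and refusing to continue when the repository root or the integration root lies inside it makes the tool safe to run by hand as well as in CI. Smaller things in the same file: `main` and `copyDir` discard the error from `filepath.Rel`, and `ensureNoTemplatesRemain` never checks `sc.Err()`, so a line longer than the scanner buffer ends the scan quietly.

```go
// … unchanged: flag parsing, repoRoot, integrationAbs …
outBaseAbs, err := filepath.Abs(*outBase)
if err != nil {
	fatalf("resolve out-base: %v", err)
}
// Refuse to wipe a directory that contains the repository or the templates.
for _, keep := range []string{repoRoot, integrationAbs} {
	rel, err := filepath.Rel(outBaseAbs, keep)
	if err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		fatalf("refusing to remove out-base %s: it contains %s", outBaseAbs, keep)
	}
}
// … unchanged: os.RemoveAll(outBaseAbs), os.MkdirAll and the rest of main …
```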
@@ -0,0 +1,4 @@ +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From e20cf5772dc19deb37ac5be86294945c613f9d7b Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 2 Mar 2026 08:39:27 +0100 Subject: [PATCH 07/40] Try go code --- .github/workflows/e2e.yaml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 9d89016c9..fd15a46e9 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -26,24 +26,25 @@ jobs: uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version: ${{ env.GO_VERSION }} - cache-dependency-path: "**/*.sum" + cache-dependency-path: | + cmd/rendercollectors/go.sum - name: Install Kyverno CLI uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 - - name: Render collector YAMLs + - name: Build renderer shell: bash run: | - (cd cmd/rendercollectors && go run . \ - -repo-root ../.. \ - -integration-root internal/testbed/integration \ - -out-base "${{ env.OUT_BASE }}") + cd cmd/rendercollectors + go build -o "${{ runner.temp }}/rendercollectors" . - - name: Validate with Kyverno + - name: Render collector YAMLs shell: bash run: | - sed 's|^|-r |' "${{ env.OUT_BASE }}/workloads.txt" \ - | xargs kyverno apply .github/workflows/kyverno/policies/*.yaml + "${{ runner.temp }}/rendercollectors" \ + -repo-root "${GITHUB_WORKSPACE}" \ + -integration-root internal/testbed/integration \ + -out-base "${{ env.OUT_BASE }}" docker-build: runs-on: ubuntu-24.04 From 3a21468f692fdb4e2c12fe29b3e20cf1b4709f8e Mon Sep 17 00:00:00 2001 
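Review bot: After the `e2e.yaml` hunk the `kyverno-yaml-check` job builds and runs the renderer but no longer contains a `Validate with Kyverno` step: the `sed … | xargs kyverno apply` lines are removed and nothing replaces them, so the job goes green without any policy being evaluated. If that is not intended, keep the step after `Render collector YAMLs`, i.e. `sed 's|^|-r |' "${{ env.OUT_BASE }}/workloads.txt" | xargs kyverno apply .github/workflows/kyverno/policies/*.yaml`. A check that silently stops checking is worse than a failing one, because reviewers will keep trusting the green status.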
From: RealAnna Date: Mon, 2 Mar 2026 08:45:09 +0100 Subject: [PATCH 08/40] Separate run --- .github/workflows/e2e.yaml | 30 --------------- .github/workflows/yaml-policy-check.yml | 49 +++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 30 deletions(-) create mode 100644 .github/workflows/yaml-policy-check.yml diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index fd15a46e9..b806054fe 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -13,38 +13,8 @@ env: KUBECONFIG: /tmp/kube-config-collector-e2e-testing # renovate: datasource=golang-version depName=go GO_VERSION: "1.25.7" - OUT_BASE: "${{ runner.temp }}/rendered-collectors-simple" jobs: - kyverno-yaml-check: - runs-on: ubuntu-24.04 - steps: - - name: Check out code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Setup Go - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 - with: - go-version: ${{ env.GO_VERSION }} - cache-dependency-path: | - cmd/rendercollectors/go.sum - - - name: Install Kyverno CLI - uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 - - - name: Build renderer - shell: bash - run: | - cd cmd/rendercollectors - go build -o "${{ runner.temp }}/rendercollectors" . - - - name: Render collector YAMLs - shell: bash - run: | - "${{ runner.temp }}/rendercollectors" \ - -repo-root "${GITHUB_WORKSPACE}" \ - -integration-root internal/testbed/integration \ - -out-base "${{ env.OUT_BASE }}" docker-build: runs-on: ubuntu-24.04 diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml new file mode 100644 index 000000000..4d427c606 --- /dev/null +++ b/.github/workflows/yaml-policy-check.yml 
@@ -0,0 +1,49 @@ +name: YAML Policy Check + +on: + pull_request: + branches: [main] + push: + branches: [main] + +defaults: + run: + shell: bash + +env: + GO_VERSION: "1.25.7" + OUT_BASE: "${{ runner.temp }}/rendered-collectors-simple" + +jobs: + kyverno-yaml-check: + runs-on: ubuntu-24.04 + steps: + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Setup Go + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 + with: + go-version: ${{ env.GO_VERSION }} + cache-dependency-path: | + cmd/rendercollectors/go.sum + + - name: Install Kyverno CLI + uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 + + - name: Build renderer + run: | + cd cmd/rendercollectors + go build -o "${{ runner.temp }}/rendercollectors" . + + - name: Render collector YAMLs + run: | + "${{ runner.temp }}/rendercollectors" \ + -repo-root "${GITHUB_WORKSPACE}" \ + -integration-root internal/testbed/integration \ + -out-base "${{ env.OUT_BASE }}" + + - name: Validate with Kyverno + run: | + sed 's|^|-r |' "${{ env.OUT_BASE }}/workloads.txt" \ + | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml From 09f8fb062e978a76dbdead2df16e86192f7c408d Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 2 Mar 2026 08:47:21 +0100 Subject: [PATCH 09/40] Separate run --- .github/workflows/e2e.yaml | 1 - .github/workflows/yaml-policy-check.yml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index b806054fe..e3d3c9ca5 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -15,7 +15,6 @@ env: GO_VERSION: "1.25.7" jobs: - docker-build: runs-on: ubuntu-24.04 steps: diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index 4d427c606..618a65d78 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml 
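Review bot: The `Check out code` step keeps the default credential handling, and the following steps compile and execute Go code from the ref under test on every `pull_request`; the job needs no git access after checkout. Adding `with:` and `persist-credentials: false` to the checkout step avoids leaving the job token where that code can read it. The `Validate with Kyverno` step also depends on `-n 1000` being even so that each `-r` stays next to its path, which deserves a comment such as `# -n must be even: arguments come in "-r <file>" pairs`.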
@@ -1,5 +1,8 @@ name: YAML Policy Check +permissions: + contents: read + on: pull_request: branches: [main] From 693cb8ac4a467466d3b3e6f411e7f9b924fac43f Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 2 Mar 2026 08:51:22 +0100 Subject: [PATCH 10/40] chore: retrigger CI From 0a4f66ffe5dc13de91f5a121b520efc41fe8c951 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 2 Mar 2026 08:56:22 +0100 Subject: [PATCH 11/40] Separate run --- .github/workflows/yaml-policy-check.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index 618a65d78..35a9b2c09 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml @@ -15,11 +15,13 @@ defaults: env: GO_VERSION: "1.25.7" - OUT_BASE: "${{ runner.temp }}/rendered-collectors-simple" jobs: kyverno-yaml-check: runs-on: ubuntu-24.04 + env: + OUT_BASE: "${{ runner.temp }}/rendered-collectors-simple" + steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 From 9732c7af4a5516366c881d264efb17451c09b026 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 2 Mar 2026 09:01:08 +0100 Subject: [PATCH 12/40] Separate run --- .github/workflows/yaml-policy-check.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index 35a9b2c09..36d4c4513 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml @@ -15,13 +15,11 @@ defaults: env: GO_VERSION: "1.25.7" + OUT_BASE: "/tmp/rendered-collectors-simple" jobs: kyverno-yaml-check: runs-on: ubuntu-24.04 - env: - OUT_BASE: "${{ runner.temp }}/rendered-collectors-simple" - steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -39,16 +37,16 @@ jobs: - name: Build renderer run: | cd cmd/rendercollectors - go build -o "${{ runner.temp }}/rendercollectors" . + go build -o /tmp/rendercollectors . - name: Render collector YAMLs run: | - "${{ runner.temp }}/rendercollectors" \ - -repo-root "${GITHUB_WORKSPACE}" \ + /tmp/rendercollectors \ + -repo-root "$GITHUB_WORKSPACE" \ -integration-root internal/testbed/integration \ - -out-base "${{ env.OUT_BASE }}" + -out-base "$OUT_BASE" - name: Validate with Kyverno run: | - sed 's|^|-r |' "${{ env.OUT_BASE }}/workloads.txt" \ + sed 's|^|-r |' "$OUT_BASE/workloads.txt" \ | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml From 318a06c752b913eca0238067ceb39ceed8503ba2 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 2 Mar 2026 09:05:19 +0100 Subject: [PATCH 13/40] repoRoot --- cmd/rendercollectors/main.go | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/cmd/rendercollectors/main.go b/cmd/rendercollectors/main.go index a9d0ad050..fc8d7999b 100644 --- a/cmd/rendercollectors/main.go +++ b/cmd/rendercollectors/main.go @@ -32,6 +32,7 @@ func main() { integrationRoot = flag.String("integration-root", "", "Path under repo root, e.g. internal/testbed/integration") outBase = flag.String("out-base", "", "Output directory, e.g. /tmp/rendered-collectors") workloadsFile = flag.String("workloads-file", "", "Optional override for workloads list output (default: /workloads.txt)") + repoRootFlag = flag.String("repo-root", "", "Repo root directory (used to write relative paths in workloads.txt)") ) flag.Parse() 
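Review bot: The `Build renderer` and `Render collector YAMLs` steps now use the fixed path `/tmp/rendercollectors`, and `OUT_BASE` becomes a fixed `/tmp` directory in the preceding hunk, in place of the per-job temp directory. Run steps receive that directory as the default environment variable `RUNNER_TEMP`, so `go build -o "$RUNNER_TEMP/rendercollectors" .` and `"$RUNNER_TEMP/rendercollectors" \` keep the per-job location without needing the `runner` context. On the hosted `ubuntu-24.04` runner the difference is mostly hygiene. It would matter if the job ever moves to a shared or self-hosted runner, where a predictable name under `/tmp` can already exist before the job writes to it.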
@@ -39,9 +40,17 @@ func main() { fatalf("missing required flags: -integration-root and -out-base") } - repoRoot, err := os.Getwd() + repoRoot := *repoRootFlag + if repoRoot == "" { + var err error + repoRoot, err = os.Getwd() + if err != nil { + fatalf("getwd: %v", err) + } + } + repoRoot, err := filepath.Abs(repoRoot) if err != nil { - fatalf("getwd: %v", err) + fatalf("abs repo-root: %v", err) } // Ensure integrationRoot is absolute for walking/copying From 5846ddfd563a5959a12927b7ea040b5210cc3543 Mon Sep 17 00:00:00 2001 From: RealAnna <89971034+RealAnna@users.noreply.github.com> Date: Mon, 2 Mar 2026 09:10:03 +0100 Subject: [PATCH 14/40] Apply suggestion from @mowies Co-authored-by: Moritz Wiesinger <6901203+mowies@users.noreply.github.com> --- .github/workflows/e2e.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index e3d3c9ca5..a847e55a6 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -147,8 +147,8 @@ jobs: - name: Run e2e tests run: | - cd internal/testbed/integration/${{ matrix.usecase }} - go test -v --tags=e2e + cd internal/testbed/integration/${{ matrix.usecase }} + go test -v --tags=e2e combined-load-test: if: github.event_name == 'push' && github.ref == 'refs/heads/main' From 61b42c84a1a340dcd0beed7a49cf55d4cf23fcfd Mon Sep 17 00:00:00 2001 From: RealAnna Date: Wed, 4 Mar 2026 10:15:56 +0100 Subject: [PATCH 15/40] move to internal --- cmd/rendercollectors/go.mod | 5 ----- internal/renderworkloads/go.mod | 5 +++++ {cmd/rendercollectors => internal/renderworkloads}/go.sum | 0 {cmd/rendercollectors => internal/renderworkloads}/main.go | 0 4 files changed, 5 insertions(+), 5 deletions(-) delete mode 100644 cmd/rendercollectors/go.mod create mode 100644 internal/renderworkloads/go.mod rename {cmd/rendercollectors => internal/renderworkloads}/go.sum (100%) rename {cmd/rendercollectors => internal/renderworkloads}/main.go (100%) 
diff --git a/cmd/rendercollectors/go.mod b/cmd/rendercollectors/go.mod deleted file mode 100644 index 849fd31ed..000000000 --- a/cmd/rendercollectors/go.mod +++ /dev/null @@ -1,5 +0,0 @@ -module github.com/Dynatrace/dynatrace-otel-collector/cmd/rendercollectors - -go 1.25.7 - -require gopkg.in/yaml.v3 v3.0.1 diff --git a/internal/renderworkloads/go.mod b/internal/renderworkloads/go.mod new file mode 100644 index 000000000..a13129142 --- /dev/null +++ b/internal/renderworkloads/go.mod @@ -0,0 +1,5 @@ +module github.com/Dynatrace/dynatrace-otel-collector/internal/renderworkloads + +go 1.25.7 + +require gopkg.in/yaml.v3 v3.0.1 diff --git a/cmd/rendercollectors/go.sum b/internal/renderworkloads/go.sum similarity index 100% rename from cmd/rendercollectors/go.sum rename to internal/renderworkloads/go.sum diff --git a/cmd/rendercollectors/main.go b/internal/renderworkloads/main.go similarity index 100% rename from cmd/rendercollectors/main.go rename to internal/renderworkloads/main.go From 0b55f760a46037450d710bc42c9d3f96ad02ebb2 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Wed, 4 Mar 2026 10:16:42 +0100 Subject: [PATCH 16/40] move to internal --- .github/workflows/yaml-policy-check.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index 36d4c4513..e98e4e586 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml @@ -29,14 +29,14 @@ jobs: with: go-version: ${{ env.GO_VERSION }} cache-dependency-path: | - cmd/rendercollectors/go.sum + internal/renderworkloads/go.sum - name: Install Kyverno CLI uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 - name: Build renderer run: | - cd cmd/rendercollectors + cd internal/renderworkloads go build -o /tmp/rendercollectors . - name: Render collector YAMLs From 7c89764c5343e005131e185da56ea64de59b0aee Mon Sep 17 00:00:00 2001 
From: RealAnna Date: Wed, 4 Mar 2026 10:41:54 +0100 Subject: [PATCH 17/40] Add README --- internal/renderworkloads/README.md | 76 ++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 internal/renderworkloads/README.md diff --git a/internal/renderworkloads/README.md b/internal/renderworkloads/README.md new file mode 100644 index 000000000..c9669fb30 --- /dev/null +++ b/internal/renderworkloads/README.md 
@@ -0,0 +1,76 @@ +# renderworkloads + +`renderworkloads` is an internal helper used by CI to **render the Kubernetes workload definitions in this repository** +into fully-materialized Kubernetes YAML. + +The rendered output can then be checked with **Kyverno** to enforce a baseline container `securityContext`. This gives us a +regression test that the **components we include in the Dynatrace OTel Collector distribution** remain compatible with +these hardened settings in the deployment scenarios we test, and it provides a guardrail when adding new components. + +## How to use + +### 1) Render workloads (local) + +Build and run the renderer to materialize all Kubernetes workloads used by the integration tests: + +```bash +cd internal/renderworkloads +go build -o /tmp/rendercollectors . + +OUT_BASE="/tmp/rendered-collectors-simple" + +/tmp/rendercollectors \ + -repo-root "$(git rev-parse --show-toplevel)" \ + -integration-root internal/testbed/integration \ + -out-base "$OUT_BASE" +``` + +This produces: +- Rendered YAML workloads under `"$OUT_BASE"` +- A file list at `"$OUT_BASE/workloads.txt"` (one YAML path per line) + +### 2) Validate rendered workloads with Kyverno (local) + +Install the Kyverno CLI: https://kyverno.io/docs/kyverno-cli/ + +Then apply the repo’s policies to the rendered workloads: + +```bash +OUT_BASE="/tmp/rendered-collectors-simple" + +sed 's|^|-r |' "$OUT_BASE/workloads.txt" \ + | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml +``` + +### CI / automation + +The same render + validate steps run in the **YAML Policy Check** workflow: +- Workflow: [.github/workflows/yaml-policy-check.yml]( https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/yaml-policy-check.yml) + +## Kyverno policies + +Policies live in: +- [`.github/workflows/kyverno/policies/`](https://github.com/Dynatrace/dynatrace-otel-collector/tree/main/.github/workflows/kyverno/policies) + +Policy for the hardened Collector 
`securityContext`are [here](https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/kyverno/policies/collector-securitycontext.yaml) +These policy enforces the following container security settings: + +- `securityContext.capabilities.drop: ["ALL"]` +- `securityContext.readOnlyRootFilesystem: true` +- `securityContext.allowPrivilegeEscalation: false` +- `securityContext.runAsNonRoot: true` +- `securityContext.runAsUser: 10001` +- `securityContext.runAsGroup: 10001` +- `securityContext.privileged: false` +- `securityContext.seccompProfile.type: RuntimeDefault` + +These are widely recommended Kubernetes hardening defaults. For background, see: +- Kubernetes Security Context docs: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +- Kubernetes Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + +## Notes / scope + +- This is an **internal CI tool** (not part of the shipped Collector artifacts). +- The Kyverno validation applies to the **workloads/scenarios rendered and exercised by this repository’s CI**. It is + intended as a compatibility/regression check and a guardrail for new additions — not a blanket guarantee that every + possible configuration of every component will work under all hardened Kubernetes policies. From a192d0abab39aadffa95aed2da0523fe45d87c70 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Wed, 4 Mar 2026 10:45:21 +0100 Subject: [PATCH 18/40] Add README --- internal/renderworkloads/README.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/internal/renderworkloads/README.md b/internal/renderworkloads/README.md index c9669fb30..65b57239c 100644 --- a/internal/renderworkloads/README.md +++ b/internal/renderworkloads/README.md 
@@ -44,16 +44,13 @@ sed 's|^|-r |' "$OUT_BASE/workloads.txt" \ ### CI / automation -The same render + validate steps run in the **YAML Policy Check** workflow: -- Workflow: [.github/workflows/yaml-policy-check.yml]( https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/yaml-policy-check.yml) +The same render + validate steps run in the **YAML Policy Check** workflow [.github/workflows/yaml-policy-check.yml]( https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/yaml-policy-check.yml) ## Kyverno policies -Policies live in: -- [`.github/workflows/kyverno/policies/`](https://github.com/Dynatrace/dynatrace-otel-collector/tree/main/.github/workflows/kyverno/policies) - -Policy for the hardened Collector `securityContext`are [here](https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/kyverno/policies/collector-securitycontext.yaml) -These policy enforces the following container security settings: +Policies live in: [`.github/workflows/kyverno/policies/`](https://github.com/Dynatrace/dynatrace-otel-collector/tree/main/.github/workflows/kyverno/policies) +The policy for the hardened Collector `securityContext`is [here](https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/kyverno/policies/collector-securitycontext.yaml) +It enforces the following container security settings: - `securityContext.capabilities.drop: ["ALL"]` - `securityContext.readOnlyRootFilesystem: true` From 7d2361a20671e7d52eacfbb2ffa28ce22e05eca9 Mon Sep 17 00:00:00 2001 
From: RealAnna Date: Thu, 5 Mar 2026 11:25:41 +0100 Subject: [PATCH 19/40] Add version with goreleaser and Makefile # Conflicts: # internal/tools/go.mod # internal/tools/go.sum # Conflicts: # internal/tools/go.mod # internal/tools/go.sum --- .github/workflows/kyverno/README.md | 42 ++ .github/workflows/yaml-policy-check.yml | 20 +- Makefile | 25 +- Makefile.Common | 3 +- internal/renderworkloads/README.md | 80 ++-- internal/renderworkloads/go.mod | 22 +- internal/renderworkloads/go.sum | 54 +++ internal/renderworkloads/main.go | 457 ++++++++-------------- internal/renderworkloads/render-vars.json | 11 + internal/tools/tools.go | 7 +- 10 files changed, 352 insertions(+), 369 deletions(-) create mode 100644 .github/workflows/kyverno/README.md create mode 100644 internal/renderworkloads/render-vars.json diff --git a/.github/workflows/kyverno/README.md b/.github/workflows/kyverno/README.md new file mode 100644 index 000000000..302f3530c --- /dev/null +++ b/.github/workflows/kyverno/README.md 
@@ -0,0 +1,42 @@ +### Validate rendered workloads with Kyverno (local) + +Install the Kyverno CLI: https://kyverno.io/docs/kyverno-cli/ + +Then apply the repo’s policies to the rendered workloads. ( see [renderworkloads README](../../../internal/renderworkloads/README.md) for how to render the workloads in the first place) + +```bash +OUT_BASE="/tmp/rendered-collectors-simple" + +sed 's|^|-r |' "$OUT_BASE/workloads.txt" \ + | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml +``` + +### CI / automation + +The same render + validate steps run in the **YAML Policy Check** workflow [.github/workflows/yaml-policy-check.yml]( https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/yaml-policy-check.yml) + +## Kyverno policies + +Policies live in: [`.github/workflows/kyverno/policies/`](./policies) +The policy for the hardened Collector `securityContext`is [here](./policies/collector-securitycontext.yaml) +It enforces the following container security settings: + +- `securityContext.capabilities.drop: ["ALL"]` +- `securityContext.readOnlyRootFilesystem: true` +- `securityContext.allowPrivilegeEscalation: false` +- `securityContext.runAsNonRoot: true` +- `securityContext.runAsUser: 10001` +- `securityContext.runAsGroup: 10001` +- `securityContext.privileged: false` +- `securityContext.seccompProfile.type: RuntimeDefault` + +These are widely recommended Kubernetes hardening defaults. For background, see: +- Kubernetes Security Context docs: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +- Kubernetes Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + +## Notes / scope + +- This is an **internal CI tool** (not part of the shipped Collector artifacts). +- The Kyverno validation applies to the **workloads/scenarios rendered and exercised by this repository’s CI**. 
It is + intended as a compatibility/regression check and a guardrail for new additions — not a blanket guarantee that every + possible configuration of every component will work under all hardened Kubernetes policies. diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index e98e4e586..5d6151b78 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml @@ -15,7 +15,7 @@ defaults: env: GO_VERSION: "1.25.7" - OUT_BASE: "/tmp/rendered-collectors-simple" + OUT_BASE: "/tmp/rendered-collectors-workloads" jobs: kyverno-yaml-check: @@ -30,23 +30,15 @@ jobs: go-version: ${{ env.GO_VERSION }} cache-dependency-path: | internal/renderworkloads/go.sum + internal/tools/go.sum - name: Install Kyverno CLI uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 - - name: Build renderer + - name: Install build tools run: | - cd internal/renderworkloads - go build -o /tmp/rendercollectors . + make install-tools - - name: Render collector YAMLs + - name: Render workloads and validate with Kyverno run: | - /tmp/rendercollectors \ - -repo-root "$GITHUB_WORKSPACE" \ - -integration-root internal/testbed/integration \ - -out-base "$OUT_BASE" - - - name: Validate with Kyverno - run: | - sed 's|^|-r |' "$OUT_BASE/workloads.txt" \ - | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml + make kyverno-workloads OUT_BASE="${OUT_BASE}" diff --git a/Makefile b/Makefile index 19d0e0ef8..b2076152e 100644 --- a/Makefile +++ b/Makefile 
@@ -51,7 +51,8 @@ snapshot: .goreleaser.yaml $(GORELEASER) $(GORELEASER) release --snapshot --clean --skip archive,sbom --fail-fast $(TOOLS_BIN_NAMES): $(TOOLS_MOD_DIR)/go.mod | $(TOOLS_BIN_DIR) - cd $(TOOLS_MOD_DIR) && go build -o $@ -trimpath $(filter %/$(notdir $@),$(TOOLS_PKG_NAMES)) + cd $(TOOLS_MOD_DIR) && $(GOCMD) build -trimpath -o $(abspath $@) \ + $(filter %/$(notdir $@),$(TOOLS_PKG_NAMES)) $(BIN): .goreleaser.yaml $(GORELEASER) $(MAIN) $(SOURCES) $(GORELEASER) build --single-target --snapshot --clean -o $(BIN) @@ -102,3 +103,25 @@ for-all-target: $(INTERNAL_MODS) .PHONY: gomoddownload gomoddownload: $(MAKE) --no-print-directory for-all-target TARGET="moddownload" + +OUT_BASE ?= /tmp/rendered-collectors-workloads +REPO_ROOT := $(shell git rev-parse --show-toplevel) + +RENDERWORKLOADS_MOD_DIR := internal/renderworkloads + +.PHONY: render-workloads kyverno-workloads + +render-workloads: $(GOMPLATE) + @echo "Rendering workloads to $(OUT_BASE)" + @cd "$(REPO_ROOT)/$(RENDERWORKLOADS_MOD_DIR)" && go run . \ + -repo-root "$(REPO_ROOT)" \ + -in-root internal/testbed/integration \ + -out-base "$(OUT_BASE)" \ + -vars-file internal/renderworkloads/render-vars.json \ + -gomplate "$(abspath $(GOMPLATE))" + + +kyverno-workloads: render-workloads + @echo "Running Kyverno against rendered workloads from $(OUT_BASE)/workloads.txt" + @cd "$(REPO_ROOT)" && sed 's|^|-r |' "$(OUT_BASE)/workloads.txt" \ + | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml diff --git a/Makefile.Common b/Makefile.Common index 0646f703d..6bc772b24 100644 --- a/Makefile.Common +++ b/Makefile.Common 
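Review bot: In the `kyverno-workloads` recipe the exit status of `sed … | xargs …` is that of `xargs` alone unless a pipefail shell is configured outside this hunk, so a `sed` failure on a missing `workloads.txt` would not stop the target. The README changed in this commit states that an empty `workloads.txt` makes the target fail, but nothing in the recipe checks for it; a first recipe line `@test -s "$(OUT_BASE)/workloads.txt"` would cover both the missing and the empty case. `render-workloads` also calls bare `go run .` while the tools rule in the first hunk was switched to `$(GOCMD)`; `$(GOCMD) run .` would keep the two consistent.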
@@ -18,7 +18,8 @@ GORELEASER := $(TOOLS_BIN_DIR)/goreleaser BUILDER := $(TOOLS_BIN_DIR)/builder CHLOGGEN := $(TOOLS_BIN_DIR)/chloggen COSIGN := $(TOOLS_BIN_DIR)/cosign -GOJUNIT := $(TOOLS_BIN_DIR)/v2 +GOJUNIT := $(TOOLS_BIN_DIR)/go-junit-report +GOMPLATE := $(TOOLS_BIN_DIR)/gomplate # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro GORELEASER_PRO_VERSION ?= v2.14.3 diff --git a/internal/renderworkloads/README.md b/internal/renderworkloads/README.md index 65b57239c..c05a2db74 100644 --- a/internal/renderworkloads/README.md +++ b/internal/renderworkloads/README.md 
@@ -1,73 +1,47 @@ -# renderworkloads +```md +# renderworkloads -`renderworkloads` is an internal helper used by CI to **render the Kubernetes workload definitions in this repository** +`renderworkloads` is an internal helper used by CI to **render the Kubernetes collector workload definitions in this repository** into fully-materialized Kubernetes YAML. -The rendered output can then be checked with **Kyverno** to enforce a baseline container `securityContext`. This gives us a -regression test that the **components we include in the Dynatrace OTel Collector distribution** remain compatible with -these hardened settings in the deployment scenarios we test, and it provides a guardrail when adding new components. +The rendered output is then checked with **Kyverno** to enforce a baseline container `securityContext`. This provides: +- a regression test that the **components included in the Dynatrace OTel Collector distribution** remain compatible with hardened settings +- a guardrail when adding/changing components or manifests -## How to use +## How to use (local) -### 1) Render workloads (local) +### Render workloads -Build and run the renderer to materialize all Kubernetes workloads used by the integration tests: +This renders the collector workloads (Deployments/DaemonSets/StatefulSets) into an output directory and writes an index file. ```bash -cd internal/renderworkloads -go build -o /tmp/rendercollectors . 
- -OUT_BASE="/tmp/rendered-collectors-simple" - -/tmp/rendercollectors \ - -repo-root "$(git rev-parse --show-toplevel)" \ - -integration-root internal/testbed/integration \ - -out-base "$OUT_BASE" +OUT_BASE="/tmp/rendered-collectors-workloads" +make render-workloads OUT_BASE="$OUT_BASE" ``` This produces: -- Rendered YAML workloads under `"$OUT_BASE"` -- A file list at `"$OUT_BASE/workloads.txt"` (one YAML path per line) - -### 2) Validate rendered workloads with Kyverno (local) +- Rendered workload YAMLs under `"$OUT_BASE"` (paths preserved relative to repo root) +- A file list at `"$OUT_BASE/workloads.txt"` (one rendered YAML path per line) -Install the Kyverno CLI: https://kyverno.io/docs/kyverno-cli/ +### Run Kyverno checks -Then apply the repo’s policies to the rendered workloads: +This runs the Kyverno policies against the rendered workloads listed in `workloads.txt`. ```bash -OUT_BASE="/tmp/rendered-collectors-simple" - -sed 's|^|-r |' "$OUT_BASE/workloads.txt" \ - | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml +OUT_BASE="/tmp/rendered-collectors-workloads" +make kyverno-workloads OUT_BASE="$OUT_BASE" ``` -### CI / automation - -The same render + validate steps run in the **YAML Policy Check** workflow [.github/workflows/yaml-policy-check.yml]( https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/yaml-policy-check.yml) +Expected output looks like: -## Kyverno policies - -Policies live in: [`.github/workflows/kyverno/policies/`](https://github.com/Dynatrace/dynatrace-otel-collector/tree/main/.github/workflows/kyverno/policies) -The policy for the hardened Collector `securityContext`is [here](https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/kyverno/policies/collector-securitycontext.yaml) -It enforces the following container security settings: - -- `securityContext.capabilities.drop: ["ALL"]` -- `securityContext.readOnlyRootFilesystem: true` -- 
`securityContext.allowPrivilegeEscalation: false` -- `securityContext.runAsNonRoot: true` -- `securityContext.runAsUser: 10001` -- `securityContext.runAsGroup: 10001` -- `securityContext.privileged: false` -- `securityContext.seccompProfile.type: RuntimeDefault` - -These are widely recommended Kubernetes hardening defaults. For background, see: -- Kubernetes Security Context docs: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -- Kubernetes Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/ +```text +Applying 1 policy rule(s) to N resource(s)... +pass: N, fail: 0, warn: 0, error: 0, skip: 0 +``` -## Notes / scope +## Notes -- This is an **internal CI tool** (not part of the shipped Collector artifacts). -- The Kyverno validation applies to the **workloads/scenarios rendered and exercised by this repository’s CI**. It is - intended as a compatibility/regression check and a guardrail for new additions — not a blanket guarantee that every - possible configuration of every component will work under all hardened Kubernetes policies. +- `kyverno-workloads` depends on `render-workloads` and will re-render before running Kyverno. +- If `workloads.txt` is empty, the Kyverno target will fail (to avoid silently doing nothing). +- You need `gomplate` and `kyverno` available in your `PATH`. +``` \ No newline at end of file diff --git a/internal/renderworkloads/go.mod b/internal/renderworkloads/go.mod index a13129142..d8609bc46 100644 --- a/internal/renderworkloads/go.mod +++ b/internal/renderworkloads/go.mod 
@@ -2,4 +2,24 @@ module github.com/Dynatrace/dynatrace-otel-collector/internal/renderworkloads go 1.25.7 -require gopkg.in/yaml.v3 v3.0.1 +require k8s.io/apimachinery v0.35.2 + +require ( + github.com/fxamacker/cbor/v2 v2.9.0 // indirect + github.com/go-logr/logr v1.4.3 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect + github.com/x448/float16 v0.8.4 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect + golang.org/x/net v0.47.0 // indirect + golang.org/x/text v0.31.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect + sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect + sigs.k8s.io/randfill v1.0.0 // indirect + sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect + sigs.k8s.io/yaml v1.6.0 // indirect +) diff --git a/internal/renderworkloads/go.sum b/internal/renderworkloads/go.sum index a62c313c5..032d33e8b 100644 --- a/internal/renderworkloads/go.sum +++ b/internal/renderworkloads/go.sum 
@@ -1,4 +1,58 @@ +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/spf13/pflag v1.0.9 
h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= +golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= +golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= +golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= +golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8= +k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= +k8s.io/klog/v2 v2.130.1 
h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= +sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= +sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/internal/renderworkloads/main.go b/internal/renderworkloads/main.go index fc8d7999b..af4c0f2bb 100644 --- a/internal/renderworkloads/main.go +++ b/internal/renderworkloads/main.go @@ -1,7 +1,14 @@ +// internal/renderworkloads/main.go +// +// Renders YAML templates (using gomplate) under a given input root, writing ONLY rendered +// collector workload YAMLs (Deployment/DaemonSet/StatefulSet) to an output directory while +// preserving relative paths. +// Also writes workloads.txt containing paths to rendered workload YAMLs. +// +// Values are provided via a JSON file (default: render-vars.json) located in -repo-root. package main import ( - "bufio" "bytes" "errors" "flag" 
@@ -9,383 +16,239 @@ import ( "io" "io/fs" "os" + "os/exec" "path/filepath" - "regexp" - "sort" "strings" - "gopkg.in/yaml.v3" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + k8syaml "k8s.io/apimachinery/pkg/util/yaml" ) -var ( - reName = regexp.MustCompile(`\{\{\s*\.Name\s*\}\}`) - reNamespace = regexp.MustCompile(`\{\{\s*\.Namespace\s*\}\}`) - reTestID = regexp.MustCompile(`\{\{\s*\.TestID\s*\}\}`) - reHostEndpoint = regexp.MustCompile(`\{\{\s*\.HostEndpoint\s*\}\}`) - reContainerReg = regexp.MustCompile(`\{\{\s*\.ContainerRegistry\s*\}\}`) - reK8sCluster = regexp.MustCompile(`\{\{\s*\.K8sCluster\s*\}\}`) - reCollectorConfig = regexp.MustCompile(`\{\{\s*\.CollectorConfig\s*\}\}`) -) +const ( + defaultOutBase = "/tmp/rendered" + defaultGomplate = "gomplate" + defaultVarsFile = "render-vars.json" -func main() { - var ( - integrationRoot = flag.String("integration-root", "", "Path under repo root, e.g. internal/testbed/integration") - outBase = flag.String("out-base", "", "Output directory, e.g. 
/tmp/rendered-collectors") - workloadsFile = flag.String("workloads-file", "", "Optional override for workloads list output (default: /workloads.txt)") - repoRootFlag = flag.String("repo-root", "", "Repo root directory (used to write relative paths in workloads.txt)") - ) - flag.Parse() + collectorLabelKey = "app.kubernetes.io/name" + collectorLabelValue = "opentelemetry-collector" - if *integrationRoot == "" || *outBase == "" { - fatalf("missing required flags: -integration-root and -out-base") - } + workloadsIndexName = "workloads.txt" +) - repoRoot := *repoRootFlag - if repoRoot == "" { - var err error - repoRoot, err = os.Getwd() - if err != nil { - fatalf("getwd: %v", err) - } - } - repoRoot, err := filepath.Abs(repoRoot) - if err != nil { - fatalf("abs repo-root: %v", err) - } +var workloadKinds = map[string]struct{}{ + "Deployment": {}, + "DaemonSet": {}, + "StatefulSet": {}, +} - // Ensure integrationRoot is absolute for walking/copying - integrationAbs := filepath.Clean(filepath.Join(repoRoot, *integrationRoot)) - outBaseAbs := filepath.Clean(*outBase) +type Options struct { + RepoRoot string + InRoot string + OutBase string + Gomplate string + VarsFile string + WriteIndex bool + Verbose bool +} - if err := os.RemoveAll(outBaseAbs); err != nil { - fatalf("remove out-base: %v", err) - } - if err := os.MkdirAll(outBaseAbs, 0o755); err != nil { - fatalf("mkdir out-base: %v", err) - } +func main() { + opt := parseFlags() - collectorDirs, err := findCollectorDirs(integrationAbs) - if err != nil { - fatalf("find collector dirs: %v", err) - } - if len(collectorDirs) == 0 { - fatalf("no collector* directories found under: %s", integrationAbs) + if opt.RepoRoot == "" || opt.InRoot == "" { + fatalf("error: -repo-root and -in-root are required\n") } - fmt.Printf("Found collector template dirs: %d\n", len(collectorDirs)) - for _, d := range collectorDirs { - rel, _ := filepath.Rel(integrationAbs, d) - fmt.Printf(" - %s\n", filepath.ToSlash(rel)) + repoRoot := 
mustAbs(opt.RepoRoot) + + inRoot := mustAbs(filepath.Join(repoRoot, opt.InRoot)) + if _, err := os.Stat(inRoot); err != nil { + fatalf("error: input root does not exist: %s: %v\n", inRoot, err) } - // Render all - for _, inDir := range collectorDirs { - rel, _ := filepath.Rel(integrationAbs, inDir) - safe := strings.ReplaceAll(filepath.ToSlash(rel), "/", "_") - outDir := filepath.Join(outBaseAbs, safe) + outBase := mustAbs(opt.OutBase) + if err := os.MkdirAll(outBase, 0o755); err != nil { + fatalf("error: cannot create out-base %s: %v\n", outBase, err) + } - if err := copyDir(inDir, outDir); err != nil { - fatalf("copy %s -> %s: %v", inDir, outDir, err) - } - if err := preprocessYAMLs(outDir); err != nil { - fatalf("preprocess %s: %v", outDir, err) - } - if err := ensureNoTemplatesRemain(outDir); err != nil { - fatalf("template leftovers in %s: %v", inDir, err) - } + varsPath := mustAbs(filepath.Join(repoRoot, opt.VarsFile)) + if _, err := os.Stat(varsPath); err != nil { + fatalf("error: vars file not found: %s: %v\n", varsPath, err) } - // Collect workload YAMLs and write relative paths (relative to repo root) - workloadAbs, err := collectWorkloadYAMLs(outBaseAbs) + workloads, err := renderCollectorWorkloads(repoRoot, inRoot, outBase, varsPath, opt) if err != nil { - fatalf("collect workload yamls: %v", err) - } - if len(workloadAbs) == 0 { - fatalf("no workload YAMLs found after preprocessing") + // mirror the behavior you saw (panic-ish), but with a clearer message + fatalf("panic: %v\n", err) } - outList := *workloadsFile - if outList == "" { - outList = filepath.Join(outBaseAbs, "workloads.txt") - } + if opt.WriteIndex { + indexPath := filepath.Join(outBase, workloadsIndexName) - relList := make([]string, 0, len(workloadAbs)) - for _, p := range workloadAbs { - r, err := filepath.Rel(repoRoot, p) - if err != nil { - fatalf("make relative path for %s: %v", p, err) + content := strings.Join(workloads, "\n") + if len(content) > 0 { + content += "\n" } - relList = 
append(relList, filepath.ToSlash(r)) - } - sort.Strings(relList) - if err := writeLines(outList, relList); err != nil { - fatalf("write workloads file: %v", err) + if err := os.WriteFile(indexPath, []byte(content), 0o644); err != nil { + fatalf("error: writing workloads index: %v\n", err) + } + fmt.Printf("Wrote workload index: %s\n", indexPath) } - fmt.Printf("Wrote %d workload YAMLs to %s\n", len(relList), outList) - // Optional: print a small preview to help CI logs - preview := 20 - if len(relList) < preview { - preview = len(relList) - } - for i := 0; i < preview; i++ { - fmt.Printf(" - %s\n", relList[i]) - } - if len(relList) > preview { - fmt.Printf(" ... (%d more)\n", len(relList)-preview) - } + fmt.Printf("Rendered collector workloads from %s to %s\n", inRoot, outBase) } -func findCollectorDirs(integrationAbs string) ([]string, error) { - var dirs []string +func parseFlags() Options { + var opt Options + flag.StringVar(&opt.RepoRoot, "repo-root", "", "Repository root (used to compute relative paths and locate vars file)") + flag.StringVar(&opt.InRoot, "in-root", "", "Input root directory (relative to -repo-root) to scan for YAML templates") + flag.StringVar(&opt.OutBase, "out-base", defaultOutBase, "Output base directory") + flag.StringVar(&opt.Gomplate, "gomplate", defaultGomplate, "Path to gomplate binary") + flag.StringVar(&opt.VarsFile, "vars-file", defaultVarsFile, "Vars JSON file name (resolved relative to -repo-root)") + flag.BoolVar(&opt.WriteIndex, "write-index", true, "Write workloads.txt with rendered workload YAML paths") + flag.BoolVar(&opt.Verbose, "verbose", false, "Verbose output (print gomplate commands)") + flag.Parse() + return opt +} - err := filepath.WalkDir(integrationAbs, func(path string, d fs.DirEntry, err error) error { - if err != nil { - return err - } - if !d.IsDir() { - return nil +func renderCollectorWorkloads(repoRoot, inRoot, outBase, varsPath string, opt Options) ([]string, error) { + workloads := make([]string, 0, 128) + 
+ err := filepath.WalkDir(inRoot, func(path string, d fs.DirEntry, walkErr error) error { + if walkErr != nil { + return walkErr } - base := filepath.Base(path) - if !strings.HasPrefix(base, "collector") { - return nil + if d.IsDir() { + switch filepath.Base(path) { + case ".git", "vendor": + return filepath.SkipDir + default: + return nil + } } - // ".../testdata/collector*" - parent := filepath.Base(filepath.Dir(path)) - if parent != "testdata" { + if !isYAMLFile(path) { return nil } - dirs = append(dirs, path) - return nil - }) - if err != nil { - return nil, err - } - - sort.Strings(dirs) - return dirs, nil -} - -func copyDir(src, dst string) error { - return filepath.WalkDir(src, func(path string, d fs.DirEntry, err error) error { + relToRepo, err := filepath.Rel(repoRoot, path) if err != nil { return err } + outPath := filepath.Join(outBase, relToRepo) - rel, _ := filepath.Rel(src, path) - outPath := filepath.Join(dst, rel) - - info, err := d.Info() + rendered, err := gomplateRenderFile(opt.Gomplate, varsPath, path, opt.Verbose) if err != nil { return err } - if d.IsDir() { - return os.MkdirAll(outPath, info.Mode().Perm()) + // Render/write ONLY collector workloads; skip everything else. 
+ if !isCollectorWorkloadYAML(rendered) { + return nil } if err := os.MkdirAll(filepath.Dir(outPath), 0o755); err != nil { return err } - return copyFile(path, outPath, info.Mode().Perm()) - }) -} - -func copyFile(src, dst string, perm fs.FileMode) error { - in, err := os.Open(src) - if err != nil { - return err - } - - defer in.Close() - - out, err := os.OpenFile(dst, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, perm) - if err != nil { - return err - } - defer func() { _ = out.Close() }() - - if _, err := io.Copy(out, in); err != nil { - return err - } - return out.Close() -} - -func preprocessYAMLs(root string) error { - return filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error { - if err != nil { + if err := os.WriteFile(outPath, rendered, 0o644); err != nil { return err } - if d.IsDir() { - return nil - } - ext := strings.ToLower(filepath.Ext(path)) - if ext != ".yaml" && ext != ".yml" { - return nil - } - orig, err := os.ReadFile(path) - if err != nil { - return err + if opt.WriteIndex { + workloads = append(workloads, outPath) } - s := string(orig) - s = reName.ReplaceAllString(s, "otelcol-ci") - s = reNamespace.ReplaceAllString(s, "e2e") - s = reTestID.ReplaceAllString(s, "ci") - s = reHostEndpoint.ReplaceAllString(s, "http://example.invalid") - s = reContainerReg.ReplaceAllString(s, "dynatrace") - s = reK8sCluster.ReplaceAllString(s, "ci") - s = reCollectorConfig.ReplaceAllString(s, "receivers: {}\nexporters: {}\nservice: { pipelines: {} }\n") + return nil + }) - if s == string(orig) { - return nil - } + return workloads, err +} - // Preserve existing permissions if possible; fallback to 0644 - mode := fs.FileMode(0o644) - if st, err := os.Stat(path); err == nil { - mode = st.Mode().Perm() - } - return os.WriteFile(path, []byte(s), mode) - }) +func isYAMLFile(path string) bool { + ext := strings.ToLower(filepath.Ext(path)) + return ext == ".yaml" || ext == ".yml" } -func ensureNoTemplatesRemain(root string) error { - var first []string +func 
gomplateRenderFile(gomplateBin, varsAbsPath, inFile string, verbose bool) ([]byte, error) { + // gomplate v5: --context expects alias=URL form; '.' sets root context. + // For an absolute Unix path, "file://" + "/Users/..." => "file:///Users/..." + ctxURL := "file://" + filepath.ToSlash(varsAbsPath) - err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error { - if err != nil { - return err - } - if d.IsDir() { - return nil - } - ext := strings.ToLower(filepath.Ext(path)) - if ext != ".yaml" && ext != ".yml" { - return nil - } + cmd := exec.Command( + gomplateBin, + "-c", ".="+ctxURL, + "-f", inFile, + ) - b, err := os.ReadFile(path) - if err != nil { - return err - } - if !bytes.Contains(b, []byte("{{")) { - return nil - } + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr - sc := bufio.NewScanner(bytes.NewReader(b)) - line := 0 - for sc.Scan() { - line++ - txt := sc.Text() - if strings.Contains(txt, "{{") { - first = append(first, fmt.Sprintf("%s:%d:%s", filepath.ToSlash(path), line, txt)) - if len(first) >= 50 { - break - } - } - } - return nil - }) - if err != nil { - return err - } - if len(first) > 0 { - return fmt.Errorf("unhandled template expressions remain; first occurrences:\n%s", strings.Join(first, "\n")) + if verbose { + fmt.Fprintf(os.Stderr, "gomplate cmd: %q\n", cmd.Args) } - return nil -} -func collectWorkloadYAMLs(root string) ([]string, error) { - var out []string - err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error { - if err != nil { - return err - } - if d.IsDir() { - return nil - } - ext := strings.ToLower(filepath.Ext(path)) - if ext != ".yaml" && ext != ".yml" { - return nil - } - - kinds, err := kindsInFile(path) - if err != nil { - return fmt.Errorf("parse yaml %s: %w", path, err) - } - for _, k := range kinds { - switch k { - case "Deployment", "DaemonSet", "StatefulSet": - out = append(out, path) - return nil - } - } - return nil - }) - if err != nil { - 
return nil, err + if err := cmd.Run(); err != nil { + return nil, fmt.Errorf( + "gomplate render failed for %s: %w: %s", + inFile, + err, + strings.TrimSpace(stderr.String()), + ) } - sort.Strings(out) - return out, nil + return stdout.Bytes(), nil } -func kindsInFile(path string) ([]string, error) { - b, err := os.ReadFile(path) - if err != nil { - return nil, err - } - - dec := yaml.NewDecoder(bytes.NewReader(b)) - var kinds []string +func isCollectorWorkloadYAML(b []byte) bool { + dec := k8syaml.NewYAMLOrJSONDecoder(bytes.NewReader(b), 4096) for { - var doc map[string]any - if err := dec.Decode(&doc); err != nil { + var u unstructured.Unstructured + if err := dec.Decode(&u); err != nil { if errors.Is(err, io.EOF) { - break + return false } - return nil, err + // Invalid YAML: treat as non-workload (safer than accidentally including it). + return false + } + + // Skip empty YAML docs + if len(u.Object) == 0 { + continue } - if doc == nil { + + if !isWorkloadKind(u.GetKind()) { continue } - if k, ok := doc["kind"].(string); ok && k != "" { - kinds = append(kinds, k) + + // Check object labels + if u.GetLabels()[collectorLabelKey] == collectorLabelValue { + return true + } + + // Check pod template labels (common case for workloads) + lbls, found, _ := unstructured.NestedStringMap(u.Object, "spec", "template", "metadata", "labels") + if found && lbls[collectorLabelKey] == collectorLabelValue { + return true } } +} - return kinds, nil +func isWorkloadKind(kind string) bool { + _, ok := workloadKinds[kind] + return ok } -func writeLines(path string, lines []string) error { - if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil { - return err - } - f, err := os.Create(path) +func mustAbs(p string) string { + a, err := filepath.Abs(p) if err != nil { - return err - } - defer func() { _ = f.Close() }() - - w := bufio.NewWriter(f) - for _, s := range lines { - if _, err := w.WriteString(s + "\n"); err != nil { - return err - } - } - if err := w.Flush(); err != 
nil { - return err + fatalf("error: cannot resolve path %q: %v\n", p, err) } - return f.Close() + return a } -func fatalf(format string, a ...any) { - fmt.Fprintf(os.Stderr, "ERROR: "+format+"\n", a...) +func fatalf(format string, args ...any) { + fmt.Fprintf(os.Stderr, format, args...) os.Exit(1) } diff --git a/internal/renderworkloads/render-vars.json b/internal/renderworkloads/render-vars.json new file mode 100644 index 000000000..f60244eee --- /dev/null +++ b/internal/renderworkloads/render-vars.json @@ -0,0 +1,11 @@ +{ + "Name": "otelcol-e2e", + "Namespace": "e2e", + "TestID": "123", + "HostEndpoint": "host.docker.internal", + "ContainerRegistry": "ghcr.io/dynatrace/", + "K8sCluster": "kind", + "CollectorConfig": "relay", + "OTLPEndpoint": "4317", + "DataType" : "testtype" +} diff --git a/internal/tools/tools.go b/internal/tools/tools.go index 1f84c9e3f..b71d10a9d 100644 --- a/internal/tools/tools.go +++ b/internal/tools/tools.go @@ -1,8 +1,11 @@ +//go:build tools + package tools import ( + _ "github.com/hairyhenderson/gomplate/v5/cmd/gomplate" + _ "github.com/jstemmer/go-junit-report/v2" + _ "github.com/sigstore/cosign/v3/cmd/cosign" _ "go.opentelemetry.io/build-tools/chloggen" _ "go.opentelemetry.io/collector/cmd/builder" - _ "github.com/sigstore/cosign/v3/cmd/cosign" - _ "github.com/jstemmer/go-junit-report/v2" ) From aa7c04ed8d8fa59adf1b4b6ff3973393e4be32fa Mon Sep 17 00:00:00 2001 From: RealAnna Date: Thu, 5 Mar 2026 11:30:17 +0100 Subject: [PATCH 20/40] Add version with goreleaser and Makefile --- Makefile.Common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.Common b/Makefile.Common index 6bc772b24..b353cef45 100644 --- a/Makefile.Common +++ b/Makefile.Common 
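Review bot: With this rewrite a run that matches no collector workload exits 0 and writes an empty workloads.txt, whereas the removed `main` aborted with `no workload YAMLs found after preprocessing`; for a policy gate that is fail-open, since the Kyverno step presumably has nothing left to reject. In `renderCollectorWorkloads` I would drop the `if opt.WriteIndex` guard around `workloads = append(workloads, outPath)` and add in `main`, after the error check, `if len(workloads) == 0 { fatalf("error: no collector workloads rendered under %s\n", inRoot) }`. The same shape exists per file: `isCollectorWorkloadYAML` returns false on any decode error and when the `app.kubernetes.io/name` label is absent, so such a manifest is skipped without a trace; printing the skipped path under `-verbose` would make that visible in CI logs. Separately, `outPath` is built from a path relative to `repoRoot` while the walk starts at `inRoot`, so an `-in-root` containing `..` lands output outside `-out-base`; rejecting a `relToRepo` that starts with `..` is cheap.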
@@ -18,7 +18,7 @@ GORELEASER := $(TOOLS_BIN_DIR)/goreleaser BUILDER := $(TOOLS_BIN_DIR)/builder CHLOGGEN := $(TOOLS_BIN_DIR)/chloggen COSIGN := $(TOOLS_BIN_DIR)/cosign -GOJUNIT := $(TOOLS_BIN_DIR)/go-junit-report +GOJUNIT := $(TOOLS_BIN_DIR)/v2 GOMPLATE := $(TOOLS_BIN_DIR)/gomplate # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro From 0200989dfd67e03995bee52f8a94eb6dfeeb4330 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Thu, 5 Mar 2026 11:39:52 +0100 Subject: [PATCH 21/40] Add version with goreleaser and Makefile --- .github/workflows/e2e.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index a847e55a6..5fde5b50e 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -30,7 +30,7 @@ jobs: - name: Install tools run: | mkdir -p .tools - make install-tools + make install-tools TOOLS_BIN_NAMES_EFFECTIVE=$PWD/.tools/gomplate - name: Generate source files run: make generate From a2cdc085c74e1c6ad51d178815198ad6f8912493 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Thu, 5 Mar 2026 11:40:42 +0100 Subject: [PATCH 22/40] Add version with goreleaser and Makefile --- .github/workflows/e2e.yaml | 2 +- .github/workflows/yaml-policy-check.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 5fde5b50e..a847e55a6 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -30,7 +30,7 @@ jobs: - name: Install tools run: | mkdir -p .tools - make install-tools TOOLS_BIN_NAMES_EFFECTIVE=$PWD/.tools/gomplate + make install-tools - name: Generate source files run: make generate diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index 5d6151b78..b3422b1f6 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml 
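Review bot: `GOJUNIT := $(TOOLS_BIN_DIR)/v2` names the binary after the major-version suffix of the import path rather than after the tool, so nothing in the tools directory says what `v2` is, and a second tool whose import path ends in `/v2` would map to the same file name. The install rule is outside this hunk; presumably it takes the last element of each import path as the output name, and that rule is the better place to fix this (strip a trailing `/vN` before taking the name) so that `GOJUNIT := $(TOOLS_BIN_DIR)/go-junit-report` can stay. If the rename has to stay for now, a comment above the line such as `# named after the last import-path element of github.com/jstemmer/go-junit-report/v2` would save the next reader a search.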
@@ -37,7 +37,7 @@ jobs: - name: Install build tools run: | - make install-tools + make install-tools TOOLS_BIN_NAMES_EFFECTIVE=$PWD/.tools/gomplate - name: Render workloads and validate with Kyverno run: | From 8288b3efd15e4a3ff8da48b4d0d583314ff3eeed Mon Sep 17 00:00:00 2001 From: RealAnna Date: Thu, 5 Mar 2026 11:51:29 +0100 Subject: [PATCH 23/40] Add version with goreleaser and Makefile --- .github/workflows/yaml-policy-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index b3422b1f6..5d6151b78 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml @@ -37,7 +37,7 @@ jobs: - name: Install build tools run: | - make install-tools TOOLS_BIN_NAMES_EFFECTIVE=$PWD/.tools/gomplate + make install-tools - name: Render workloads and validate with Kyverno run: | From a439190d124720a9aba656b956955bda2d57a03c Mon Sep 17 00:00:00 2001 From: RealAnna Date: Thu, 5 Mar 2026 11:57:10 +0100 Subject: [PATCH 24/40] READMES --- .github/workflows/kyverno/README.md | 17 ++++++++++------- internal/renderworkloads/README.md | 8 +++++--- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/.github/workflows/kyverno/README.md b/.github/workflows/kyverno/README.md index 302f3530c..8185b6b57 100644 --- a/.github/workflows/kyverno/README.md +++ b/.github/workflows/kyverno/README.md 
@@ -1,19 +1,22 @@ -### Validate rendered workloads with Kyverno (local) +### Validate rendered workloads with Kyverno Install the Kyverno CLI: https://kyverno.io/docs/kyverno-cli/ -Then apply the repo’s policies to the rendered workloads. ( see [renderworkloads README](../../../internal/renderworkloads/README.md) for how to render the workloads in the first place) - +Install gomplate: https://gomplate.ca/install/ or run ```bash -OUT_BASE="/tmp/rendered-collectors-simple" +make instal-tools +``` -sed 's|^|-r |' "$OUT_BASE/workloads.txt" \ - | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml +Then run the Kyverno checks against the rendered workloads: + +```bash +make kyverno-workloads ``` ### CI / automation -The same render + validate steps run in the **YAML Policy Check** workflow [.github/workflows/yaml-policy-check.yml]( https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/yaml-policy-check.yml) +The same render + validate steps run in the **YAML Policy Check** workflow: +https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/yaml-policy-check.yml ## Kyverno policies diff --git a/internal/renderworkloads/README.md b/internal/renderworkloads/README.md index c05a2db74..d87250924 100644 --- a/internal/renderworkloads/README.md +++ b/internal/renderworkloads/README.md @@ -10,13 +10,15 @@ The rendered output is then checked with **Kyverno** to enforce a baseline conta ## How to use (local) -### Render workloads +Install gomplate: https://gomplate.ca/install/ or from root repo run +```bash +make install-tools +``` This renders the collector workloads (Deployments/DaemonSets/StatefulSets) into an output directory and writes an index file. ```bash -OUT_BASE="/tmp/rendered-collectors-workloads" -make render-workloads OUT_BASE="$OUT_BASE" +make render-workloads ``` This produces: From a8270d0b23f1cd01e7fdd8b87411a8f0e43093a0 Mon Sep 17 00:00:00 2001 
From: RealAnna Date: Thu, 5 Mar 2026 12:16:07 +0100 Subject: [PATCH 25/40] ratelimited excluded --- .github/workflows/kyverno/README.md | 2 +- internal/renderworkloads/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/kyverno/README.md b/.github/workflows/kyverno/README.md index 8185b6b57..2aa67da30 100644 --- a/.github/workflows/kyverno/README.md +++ b/.github/workflows/kyverno/README.md @@ -2,7 +2,7 @@ Install the Kyverno CLI: https://kyverno.io/docs/kyverno-cli/ -Install gomplate: https://gomplate.ca/install/ or run +Install gomplate: https://docs.gomplate.ca/installing/ or run ```bash make instal-tools ``` diff --git a/internal/renderworkloads/README.md b/internal/renderworkloads/README.md index d87250924..4662e43d5 100644 --- a/internal/renderworkloads/README.md +++ b/internal/renderworkloads/README.md @@ -10,7 +10,7 @@ The rendered output is then checked with **Kyverno** to enforce a baseline conta ## How to use (local) -Install gomplate: https://gomplate.ca/install/ or from root repo run +Install gomplate: https://docs.gomplate.ca/installing/ or from root repo run ```bash make install-tools ``` From fa3fee523b529973672341ca54079b13709f8ec5 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Thu, 5 Mar 2026 12:26:31 +0100 Subject: [PATCH 26/40] ratelimited excluded --- .github/workflows/kyverno/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/kyverno/README.md b/.github/workflows/kyverno/README.md index 2aa67da30..150130d15 100644 --- a/.github/workflows/kyverno/README.md +++ b/.github/workflows/kyverno/README.md 
@@ -15,8 +15,7 @@ make kyverno-workloads ### CI / automation -The same render + validate steps run in the **YAML Policy Check** workflow: -https://github.com/Dynatrace/dynatrace-otel-collector/blob/main/.github/workflows/yaml-policy-check.yml +The same render + validate steps run in the **YAML Policy Check** workflow "[yaml-policy-check.yml](../yaml-policy-check.yml)" ## Kyverno policies From 8d8b27f08458517077f27f01f416aeb1fd795ce7 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Wed, 11 Mar 2026 07:48:03 +0100 Subject: [PATCH 27/40] rebase --- internal/tools/go.mod | 80 ++++++++++- internal/tools/go.sum | 319 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 398 insertions(+), 1 deletion(-) diff --git a/internal/tools/go.mod b/internal/tools/go.mod index 379b539cb..484191949 100644 --- a/internal/tools/go.mod +++ b/internal/tools/go.mod @@ -3,6 +3,7 @@ module github.com/Dynatrace/dynatrace-otel-collector/internal/tools go 1.25.7 require ( + github.com/hairyhenderson/gomplate/v5 v5.0.0 github.com/jstemmer/go-junit-report/v2 v2.1.0 github.com/sigstore/cosign/v3 v3.0.5 go.opentelemetry.io/build-tools/chloggen v0.29.0 @@ -10,6 +11,7 @@ require ( ) require ( + cel.dev/expr v0.25.1 // indirect cloud.google.com/go v0.123.0 // indirect cloud.google.com/go/auth v0.18.1 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect 
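Review bot: Requiring `github.com/hairyhenderson/gomplate/v5` in the shared tools module pulls its data-source stack (AWS, Vault, Consul, go-git and others in the go.mod hunks that follow) into the same module graph that `github.com/sigstore/cosign/v3` is built from. Go's minimal version selection picks one version per module for the whole graph, so the cosign binary built here may end up with different dependency versions than the cosign release was tested with, and every added module is one more entry for vulnerability scanning and update automation to track, for a tool that, going by the new `main.go`, only renders local templates from a local JSON file. Consider giving gomplate its own tools module, or at least recording the reason next to the require, e.g. `// gomplate: renders testdata templates for the Kyverno policy check (internal/renderworkloads)`.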
@@ -17,8 +19,11 @@ require ( cloud.google.com/go/iam v1.5.3 // indirect cloud.google.com/go/kms v1.25.0 // indirect cloud.google.com/go/longrunning v0.8.0 // indirect + cloud.google.com/go/monitoring v1.24.3 // indirect + cloud.google.com/go/storage v1.59.1 // indirect cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 // indirect cuelang.org/go v0.15.4 // indirect + dario.cat/mergo v1.0.1 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 // indirect @@ -26,6 +31,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4 // indirect github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.29 // indirect 
@@ -33,10 +39,18 @@ require ( github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect + github.com/Azure/go-autorest/autorest/to v0.4.1 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0 // indirect + github.com/Masterminds/goutils v1.1.1 // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect + github.com/ProtonMail/go-crypto v1.1.6 // indirect + github.com/Shopify/ejson v1.5.4 // indirect github.com/ThalesIgnite/crypto11 v1.2.5 // indirect github.com/agnivade/levenshtein v1.2.1 // indirect github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect 
@@ -50,20 +64,31 @@ require ( github.com/alibabacloud-go/tea-utils v1.4.5 // indirect github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.3.2 // indirect + github.com/armon/go-metrics v0.4.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect + github.com/aws/aws-sdk-go v1.55.8 // indirect github.com/aws/aws-sdk-go-v2 v1.41.1 // indirect + github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect github.com/aws/aws-sdk-go-v2/config v1.32.7 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.19.7 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.17 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17 // indirect + github.com/aws/aws-sdk-go-v2/service/ec2 v1.279.2 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.51.2 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17 // indirect github.com/aws/aws-sdk-go-v2/service/kms v1.49.5 // indirect + github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1 // indirect + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.1 // indirect github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssm v1.67.8 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect 
github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect @@ -81,11 +106,14 @@ require ( github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect github.com/chzyer/readline v1.5.1 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect + github.com/cloudflare/circl v1.6.1 // indirect + github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect github.com/cockroachdb/apd/v3 v3.2.1 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect github.com/coreos/go-oidc/v3 v3.17.0 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect + github.com/cyphar/filepath-securejoin v0.4.1 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect 
@@ -95,12 +123,20 @@ require ( github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.9.4 // indirect github.com/dustin/go-humanize v1.0.1 // indirect + github.com/dustin/gojson v0.0.0-20160307161227-2e71ec9dd5ad // indirect github.com/emicklei/go-restful/v3 v3.13.0 // indirect github.com/emicklei/proto v1.14.2 // indirect + github.com/emirpasic/gods v1.18.1 // indirect + github.com/envoyproxy/go-control-plane/envoy v1.35.0 // indirect + github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect + github.com/fatih/color v1.18.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/go-chi/chi/v5 v5.2.4 // indirect + github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect + github.com/go-git/go-billy/v5 v5.7.0 // indirect + github.com/go-git/go-git/v5 v5.16.4 // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-jose/go-jose/v4 v4.1.3 // indirect github.com/go-logr/logr v1.4.3 // indirect @@ -132,6 +168,7 @@ require ( github.com/goccy/go-json v0.10.5 // indirect github.com/golang-jwt/jwt/v4 v4.5.2 // indirect github.com/golang-jwt/jwt/v5 v5.3.0 // indirect + github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/certificate-transparency-go v1.3.2 // indirect github.com/google/gnostic-models v0.7.0 // indirect 
@@ -141,25 +178,50 @@ require ( github.com/google/go-querystring v1.2.0 // indirect github.com/google/s2a-go v0.1.9 // indirect github.com/google/uuid v1.6.0 // indirect + github.com/google/wire v0.7.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect github.com/googleapis/gax-go/v2 v2.17.0 // indirect + github.com/gosimple/slug v1.15.0 // indirect + github.com/gosimple/unidecode v1.0.1 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.5 // indirect + github.com/hack-pad/hackpadfs v0.2.4 // indirect + github.com/hairyhenderson/go-fsimpl v0.3.3 // indirect + github.com/hairyhenderson/toml v0.4.2-0.20210923231440-40456b8e66cf // indirect + github.com/hairyhenderson/xignore v0.3.3-0.20230403012150-95fe86932830 // indirect + github.com/hairyhenderson/yaml v0.0.0-20220618171115-2d35fca545ce // indirect + github.com/hashicorp/consul/api v1.33.2 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/hashicorp/go-hclog v1.6.3 // indirect + github.com/hashicorp/go-immutable-radix v1.3.1 // indirect + github.com/hashicorp/go-metrics v0.5.4 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-retryablehttp v0.7.8 // indirect github.com/hashicorp/go-rootcerts v1.0.2 // indirect + github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 // indirect github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.7 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect + github.com/hashicorp/golang-lru v1.0.2 // indirect github.com/hashicorp/hcl v1.0.1-vault-7 // indirect + github.com/hashicorp/serf v0.10.2 // indirect github.com/hashicorp/vault/api v1.22.0 // indirect + github.com/hashicorp/vault/api/auth/approle v0.11.0 // indirect + github.com/hashicorp/vault/api/auth/aws v0.11.0 // indirect + 
github.com/hashicorp/vault/api/auth/userpass v0.11.0 // indirect github.com/in-toto/attestation v1.1.2 // indirect github.com/in-toto/in-toto-golang v0.9.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/itchyny/gojq v0.12.18 // indirect + github.com/itchyny/timefmt-go v0.1.7 // indirect + github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect github.com/jellydator/ttlcache/v3 v3.4.0 // indirect + github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect + github.com/joho/godotenv v1.5.1 // indirect github.com/json-iterator/go v1.1.12 // indirect + github.com/kevinburke/ssh_config v1.2.0 // indirect github.com/klauspost/compress v1.18.2 // indirect github.com/knadh/koanf/maps v0.1.2 // indirect github.com/knadh/koanf/parsers/yaml v1.1.0 // indirect @@ -177,7 +239,10 @@ require ( github.com/lestrrat-go/option v1.0.1 // indirect github.com/lestrrat-go/option/v2 v2.0.0 // indirect github.com/letsencrypt/boulder v0.20251110.0 // indirect + github.com/lmittmann/tint v1.1.2 // indirect github.com/manifoldco/promptui v0.9.0 // indirect + github.com/mattn/go-colorable v0.1.14 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect github.com/miekg/pkcs11 v1.1.2 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect 
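Review bot: The hunk starting `@@ -141,25 +178,50 @@` adds secret-store and service-discovery clients to the tools module as indirect requirements (`github.com/hashicorp/vault/api/auth/approle`, `.../auth/aws`, `.../auth/userpass`, `github.com/hashicorp/consul/api`) together with the `github.com/hairyhenderson/*` packages, several of them pinned to untagged pseudo-versions such as `github.com/hairyhenderson/toml v0.4.2-0.20210923231440-40456b8e66cf`, and nothing in the hunk records which direct requirement brings them in. The `require (` block opens and closes outside this hunk, so the direct entry is not visible here; the set looks like the dependency tree of a single newly added tool, but that is an inference. I would put a comment on that direct entry, for example `// <tool name>: build-time only, used by <make target>`, and include the output of `go mod why -m github.com/hashicorp/vault/api/auth/aws` in the commit description so the origin can be reviewed. The same applies to the go-git and SSH-related additions in the `@@ -95,12 +123,20 @@` hunk, and the tools module should be covered by the same `govulncheck` run as the main module if it is not already.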
@@ -198,8 +263,10 @@ require ( github.com/opencontainers/image-spec v1.1.1 // indirect github.com/pborman/uuid v1.2.1 // indirect github.com/pelletier/go-toml/v2 v2.2.4 // indirect + github.com/pjbgf/sha1cd v0.3.2 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pkg/errors v0.9.1 // indirect + github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/prometheus/client_golang v1.23.2 // indirect github.com/prometheus/client_model v0.6.2 // indirect github.com/prometheus/common v0.67.5 // indirect @@ -212,6 +279,7 @@ require ( github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/secure-systems-lab/go-securesystemslib v0.10.0 // indirect github.com/segmentio/asm v1.2.1 // indirect + github.com/sergi/go-diff v1.4.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/sigstore/fulcio v1.8.5 // indirect github.com/sigstore/protobuf-specs v0.5.0 // indirect @@ -225,6 +293,7 @@ require ( github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4 // indirect github.com/sigstore/timestamp-authority/v2 v2.0.4 // indirect github.com/sirupsen/logrus v1.9.4 // indirect + github.com/skeema/knownhosts v1.3.1 // indirect github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect github.com/spf13/afero v1.15.0 // indirect github.com/spf13/cast v1.10.0 // indirect 
@@ -242,28 +311,35 @@ require ( github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect github.com/transparency-dev/merkle v0.0.2 // indirect + github.com/ugorji/go/codec v1.3.1 // indirect github.com/valyala/fastjson v1.6.4 // indirect github.com/vbatts/tar-split v0.12.2 // indirect github.com/vektah/gqlparser/v2 v2.5.31 // indirect github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 // indirect github.com/x448/float16 v0.8.4 // indirect + github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect gitlab.com/gitlab-org/api/client-go v1.25.0 // indirect go.mongodb.org/mongo-driver v1.17.6 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect + go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect go.opentelemetry.io/otel v1.42.0 // indirect go.opentelemetry.io/otel/metric v1.42.0 // indirect - go.opentelemetry.io/otel/sdk v1.39.0 // indirect + go.opentelemetry.io/otel/sdk v1.42.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect go.opentelemetry.io/otel/trace v1.42.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.1 // indirect go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect + go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect + gocloud.dev v0.44.0 // indirect golang.org/x/crypto v0.47.0 // indirect + golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect golang.org/x/mod v0.33.0 // indirect golang.org/x/net v0.49.0 // indirect golang.org/x/oauth2 v0.35.0 // indirect 
@@ -272,6 +348,7 @@ require ( golang.org/x/term v0.39.0 // indirect golang.org/x/text v0.33.0 // indirect golang.org/x/time v0.14.0 // indirect + golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect google.golang.org/api v0.267.0 // indirect google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect @@ -281,6 +358,7 @@ require ( gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.1 // indirect + gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/api v0.35.1 // indirect k8s.io/apimachinery v0.35.1 // indirect diff --git a/internal/tools/go.sum b/internal/tools/go.sum index 88fb97868..c9f2b7ccd 100644 --- a/internal/tools/go.sum +++ b/internal/tools/go.sum @@ -1,6 +1,9 @@ al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeXHA= al.essio.dev/pkg/shellescape v1.6.0/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890= +cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4= +cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE= cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU= cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs= 
@@ -13,12 +16,25 @@ cloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc= cloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU= cloud.google.com/go/kms v1.25.0 h1:gVqvGGUmz0nYCmtoxWmdc1wli2L1apgP8U4fghPGSbQ= cloud.google.com/go/kms v1.25.0/go.mod h1:XIdHkzfj0bUO3E+LvwPg+oc7s58/Ns8Nd8Sdtljihbk= +cloud.google.com/go/logging v1.13.1 h1:O7LvmO0kGLaHY/gq8cV7T0dyp6zJhYAOtZPX4TF3QtY= +cloud.google.com/go/logging v1.13.1/go.mod h1:XAQkfkMBxQRjQek96WLPNze7vsOmay9H5PqfsNYDqvw= cloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8= cloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk= +cloud.google.com/go/monitoring v1.24.3 h1:dde+gMNc0UhPZD1Azu6at2e79bfdztVDS5lvhOdsgaE= +cloud.google.com/go/monitoring v1.24.3/go.mod h1:nYP6W0tm3N9H/bOw8am7t62YTzZY+zUeQ+Bi6+2eonI= +cloud.google.com/go/pubsub v1.50.1 h1:fzbXpPyJnSGvWXF1jabhQeXyxdbCIkXTpjXHy7xviBM= +cloud.google.com/go/pubsub/v2 v2.3.0 h1:DgAN907x+sP0nScYfBzneRiIhWoXcpCD8ZAut8WX9vs= +cloud.google.com/go/pubsub/v2 v2.3.0/go.mod h1:O5f0KHG9zDheZAd3z5rlCRhxt2JQtB+t/IYLKK3Bpvw= +cloud.google.com/go/storage v1.59.1 h1:DXAZLcTimtiXdGqDSnebROVPd9QvRsFVVlptz02Wk58= +cloud.google.com/go/storage v1.59.1/go.mod h1:cMWbtM+anpC74gn6qjLh+exqYcfmB9Hqe5z6adx+CLI= +cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U= +cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s= cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 h1:4k1yAtPvZJZQTu8DRY8muBo0LHv6TqtrE0AO5n6IPYs= cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084/go.mod h1:4WWeZNxUO1vRoZWAHIG0KZOd6dA25ypyWuwD3ti0Tdc= cuelang.org/go v0.15.4 h1:lrkTDhqy8dveHgX1ZLQ6WmgbhD8+rXa0fD25hxEKYhw= cuelang.org/go v0.15.4/go.mod h1:NYw6n4akZcTjA7QQwJ1/gqWrrhsN4aZwhcAL0jv9rZE= +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod 
h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw= filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg= 
@@ -35,10 +51,14 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+ github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1/go.mod h1:Ng3urmn6dYe8gnbCMoHHVl5APYz2txho3koEkV2o2HA= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 h1:E4MgwLBGeVB5f2MdcIVD3ELVAWpr+WD6MUe1i+tM/PA= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0/go.mod h1:Y2b/1clN4zsAoUd/pgNAQHjLDnTis/6ROkUfyob6psM= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA= +github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4 h1:jWQK1GI+LeGGUKBADtcH2rRqPxYB1Ljwms5gFA2LqrM= +github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4/go.mod h1:8mwH4klAm9DUgR2EEHyEEAQlRDvLPyg5fQry3y+cDew= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= 
@@ -60,6 +80,8 @@ github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSY github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= +github.com/Azure/go-autorest/autorest/to v0.4.1 h1:CxNHBqdzTr7rLtdrtb5CMjJcDut+WNGCVv7OmS5+lTc= +github.com/Azure/go-autorest/autorest/to v0.4.1/go.mod h1:EtaofgU4zmtvn1zT2ARsjRFdq9vXx0YWtmElwL+GZ9M= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= 
@@ -69,14 +91,35 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mo github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs= github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 h1:sBEjpZlNHzK1voKq9695PJSX2o5NEXl7/OL3coiIY0c= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0 h1:lhhYARPUu3LmHysQ/igznQphfzynnqI3D75oUyw1HXk= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0/go.mod h1:l9rva3ApbBpEJxSNYnwT9N4CDLrWgtq3u8736C5hyJw= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.54.0 h1:xfK3bbi6F2RDtaZFtUdKO3osOBIhNb+xTs8lFW6yx9o= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.54.0/go.mod h1:vB2GH9GAYYJTO3mEn8oYwzEdhlayZIdQz6zdzgUIRvA= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0 h1:s0WlVbf9qpvkh1c/uDAPElam0WrL7fHRIidgZJ7UqZI= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= 
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= +github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw= +github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= +github.com/Shopify/ejson v1.5.4 h1:rE3THgxBjdSUcJTNTn1SYaAzaGyxvjkEssAZEJ+zD+s= +github.com/Shopify/ejson v1.5.4/go.mod h1:GZg88n4LpYqp92+tzWjvj+1aaiDJn7F1uWebQb4HbeQ= github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM= github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.2/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= 
@@ -121,38 +164,63 @@ github.com/aliyun/credentials-go v1.3.2 h1:L4WppI9rctC8PdlMgyTkF8bBsy9pyKQEzBD1b github.com/aliyun/credentials-go v1.3.2/go.mod h1:tlpz4uys4Rn7Ik4/piGRrTbXy2uLKvePgQJJduE+Y5c= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= +github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= +github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ= github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk= github.com/aws/aws-sdk-go-v2 v1.41.1 h1:ABlyEARCDLN034NhxlRUSZr4l71mh+T5KAeGh6cerhU= github.com/aws/aws-sdk-go-v2 v1.41.1/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0= 
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 h1:489krEF9xIGkOaaX3CE/Be2uWjiXrkCH6gUX+bZA/BU= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4/go.mod h1:IOAPF6oT9KCsceNTvvYMNHy0+kMF8akOjeDvPENWxp4= github.com/aws/aws-sdk-go-v2/config v1.32.7 h1:vxUyWGUwmkQ2g19n7JY/9YL8MfAIl7bTesIUykECXmY= github.com/aws/aws-sdk-go-v2/config v1.32.7/go.mod h1:2/Qm5vKUU/r7Y+zUk/Ptt2MDAEKAfUtKc1+3U1Mo3oY= github.com/aws/aws-sdk-go-v2/credentials v1.19.7 h1:tHK47VqqtJxOymRrNtUXN5SP/zUTvZKeLx4tH6PGQc8= github.com/aws/aws-sdk-go-v2/credentials v1.19.7/go.mod h1:qOZk8sPDrxhf+4Wf4oT2urYJrYt3RejHSzgAquYeppw= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 h1:I0GyV8wiYrP8XpA70g1HBcQO1JlQxCMTW9npl5UbDHY= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17/go.mod h1:tyw7BOl5bBe/oqvoIeECFJjMdzXoa/dfVz3QQ5lgHGA= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.17 h1:fODjlj9c1zIfZYFxdC6Z4GX/plrZUYI/5EklgA/24Hw= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.17/go.mod h1:CEyBu8kavY5Tc8i/8A810DuKydd19Lrx2/TmcNdjOAk= github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 h1:xOLELNKGp2vsiteLsvLPwxC+mYmO6OZ8PYgiuPJzF8U= github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17/go.mod h1:5M5CI3D12dNOtH3/mk6minaRwI2/37ifCURZISxA/IQ= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 h1:WWLqlh79iO48yLkj1v3ISRNiv+3KdQoZ6JWyfcsyQik= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17/go.mod h1:EhG22vHRrvF8oXSTYStZhJc1aUgKtnJe+aOiFEV90cM= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17 h1:JqcdRG//czea7Ppjb+g/n4o8i/R50aTBHkA7vu0lK+k= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17/go.mod h1:CO+WeGmIdj/MlPel2KwID9Gt7CNq4M65HUfBW97liM0= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.279.2 h1:MG12Z/W1zzJLkw2gCU2gKZ872rqLM0pi9LdkZ/z3FHc= 
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.279.2/go.mod h1:Uy+C+Sc58jozdoL1McQr8bDsEvNFx+/nBY+vpO1HVUY= github.com/aws/aws-sdk-go-v2/service/ecr v1.51.2 h1:aq2N/9UkbEyljIQ7OFcudEgUsJzO8MYucmfsM/k/dmc= github.com/aws/aws-sdk-go-v2/service/ecr v1.51.2/go.mod h1:1NVD1KuMjH2GqnPwMotPndQaT/MreKkWpjkF12d6oKU= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.2 h1:9fe6w8bydUwNAhFVmjo+SRqAJjbBMOyILL/6hTTVkyA= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.2/go.mod h1:x7gU4CAyAz4BsM9hlRkhHiYw2GIr1QCmN45uwQw9l/E= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8 h1:Z5EiPIzXKewUQK0QTMkutjiaPVeVYXX7KIqhXu/0fXs= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8/go.mod h1:FsTpJtvC4U1fyDXk7c71XoDv3HlRm8V3NiYLeYLh5YE= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 h1:RuNSMoozM8oXlgLG/n6WLaFGoea7/CddrCfIiSA+xdY= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17/go.mod h1:F2xxQ9TZz5gDWsclCtPQscGpP0VUOc8RqgFM3vDENmU= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17 h1:bGeHBsGZx0Dvu/eJC0Lh9adJa3M1xREcndxLNZlve2U= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17/go.mod h1:dcW24lbU0CzHusTE8LLHhRLI42ejmINN8Lcr22bwh/g= github.com/aws/aws-sdk-go-v2/service/kms v1.49.5 h1:DKibav4XF66XSeaXcrn9GlWGHos6D/vJ4r7jsK7z5CE= github.com/aws/aws-sdk-go-v2/service/kms v1.49.5/go.mod h1:1SdcmEGUEQE1mrU2sIgeHtcMSxHuybhPvuEPANzIDfI= +github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1 h1:C2dUPSnEpy4voWFIq3JNd8gN0Y5vYGDo44eUE58a/p8= +github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1/go.mod h1:5jggDlZ2CLQhwJBiZJb4vfk4f0GxWdEDruWKEJ1xOdo= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.1 h1:72DBkm/CCuWx2LMHAXvLDkZfzopT3psfAeyZDIt1/yE= 
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.1/go.mod h1:A+oSJxFvzgjZWkpM0mXs3RxB5O1SD6473w3qafOC9eU= github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4fpmpyD9wYG1vfSu+Y= github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M= +github.com/aws/aws-sdk-go-v2/service/ssm v1.67.8 h1:31Llf5VfrZ78YvYs7sWcS7L2m3waikzRc6q1nYenVS4= +github.com/aws/aws-sdk-go-v2/service/ssm v1.67.8/go.mod h1:/jgaDlU1UImoxTxhRNxXHvBAPqPZQ8oCjcPbbkR6kac= github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 h1:v6EiMvhEYBoHABfbGB4alOYmCIrcgyPPiBE1wZAEbqk= github.com/aws/aws-sdk-go-v2/service/sso v1.30.9/go.mod h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 h1:gd84Omyu9JLriJVCbGApcLzVR3XtmC4ZDPcAI6Ftvds= @@ -163,6 +231,8 @@ github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk= github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.11.0 h1:GOPttfOAf5qAgx7r6b+zCWZrvCsfKffkL4H6mSYx1kA= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.11.0/go.mod h1:a2HN6+p7k0JLDO8514sMr0l4cnrR52z4sWoZ/Uc82ho= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= 
@@ -182,6 +252,7 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4= 
@@ -195,10 +266,14 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04= github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= +github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= +github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/clbanning/mxj/v2 v2.5.5/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s= github.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyME= github.com/clbanning/mxj/v2 v2.7.0/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= +github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f h1:Y8xYupdHxryycyPlc9Y+bSQAYZnetRJ70VMVKm5CKI0= github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f/go.mod h1:HlzOvOjVBOfTGSRXRyY0OiCS/3J1akRGQQpRO/7zyF4= 
@@ -213,10 +288,13 @@ github.com/containerd/stargz-snapshotter/estargz v0.18.1/go.mod h1:ALIEqa7B6oVDs github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc= github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.19 h1:tUN6H7LWqNx4hQVxomd0CVsDwaDr9gaRQaI4GpSmrsA= github.com/creack/pty v1.1.19/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 h1:uX1JmpONuD549D73r6cgnxyUu18Zb7yHAy5AYU0Pm4Q= github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= +github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= +github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ= github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -248,18 +326,28 @@ github.com/docker/docker-credential-helpers v0.9.4 h1:76ItO69/AP/V4yT9V4uuuItG0B github.com/docker/docker-credential-helpers v0.9.4/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/dustin/gojson v0.0.0-20160307161227-2e71ec9dd5ad h1:Qk76DOWdOp+GlyDKBAG3Klr9cn7N+LcYc82AZ2S7+cA= +github.com/dustin/gojson v0.0.0-20160307161227-2e71ec9dd5ad/go.mod h1:mPKfmRa823oBIgl2r20LeMSpTAteW5j7FLkc0vjmzyQ= +github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o= +github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE= github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/proto v1.14.2 h1:wJPxPy2Xifja9cEMrcA/g08art5+7CGJNFNk35iXC1I= github.com/emicklei/proto v1.14.2/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= +github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= +github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329 h1:K+fnvUM0VZ7ZFJf0n4L/BRlnsb9pL/GuDG6FqaH+PwM= +github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329/go.mod h1:Alz8LEClvR7xKsrq3qzoc4N0guvVNSS8KmSChGYr9hs= github.com/envoyproxy/go-control-plane/envoy v1.35.0 h1:ixjkELDE+ru6idPxcHLj8LBVc2bFP7iBytj353BoHUo= github.com/envoyproxy/go-control-plane/envoy v1.35.0/go.mod h1:09qwbGVuSWWAyN5t/b3iyVfz5+z8QWGrzkoqm/8SbEs= 
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI= +github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8= github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= +github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= 
@@ -275,14 +363,32 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= +github.com/fsouza/fake-gcs-server v1.52.3 h1:hXddOPMGDKq5ENmttw6xkodVJy0uVhf7HhWvQgAOH6g= +github.com/fsouza/fake-gcs-server v1.52.3/go.mod h1:A0XtSRX+zz5pLRAt88j9+Of0omQQW+RMqipFbvdNclQ= github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= +github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU= github.com/go-chi/chi/v5 v5.2.4 h1:WtFKPHwlywe8Srng8j2BhOD9312j9cGUxG1SP4V2cR4= github.com/go-chi/chi/v5 v5.2.4/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= +github.com/go-git/go-billy/v5 v5.7.0 h1:83lBUJhGWhYp0ngzCMSgllhUSuoHP1iEWYjsPl9nwqM= +github.com/go-git/go-billy/v5 v5.7.0/go.mod h1:/1IUejTKH8xipsAcdfcSAlUlo2J7lkYV8GTKxAT/L3E= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= +github.com/go-git/go-git/v5 v5.16.4 h1:7ajIEZHZJULcyJebDLo99bGgS0jRrOxzZG4uCk2Yb2Y= +github.com/go-git/go-git/v5 v5.16.4/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= 
github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 
@@ -342,8 +448,10 @@ github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA= github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg= +github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo= github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= @@ -358,6 +466,7 @@ github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4= github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ= github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= 
@@ -366,8 +475,11 @@ github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= +github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 
@@ -376,12 +488,15 @@ github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrU github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/certificate-transparency-go v1.3.2 h1:9ahSNZF2o7SYMaKaXhAumVEzXB2QaayzII9C8rv7v+A= github.com/google/certificate-transparency-go v1.3.2/go.mod h1:H5FpMUaGa5Ab2+KCYsxg6sELw3Flkl7pGZzWdBoYLXs= github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q= 
@@ -392,6 +507,7 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -403,12 +519,20 @@ github.com/google/go-github/v73 v73.0.0 h1:aR+Utnh+Y4mMkS+2qLQwcQ/cF9mOTpdwnzlaw github.com/google/go-github/v73 v73.0.0/go.mod h1:fa6w8+/V+edSU0muqdhCVY7Beh1M8F1IlQPZIANKIYw= github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0= github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU= +github.com/google/go-replayers/grpcreplay v1.3.0 h1:1Keyy0m1sIpqstQmgz307zhiJ1pV4uIlFds5weTmxbo= +github.com/google/go-replayers/grpcreplay v1.3.0/go.mod h1:v6NgKtkijC0d3e3RW8il6Sy5sqRVUwoQa4mHOGEy8DI= +github.com/google/go-replayers/httpreplay v1.2.0 h1:VM1wEyyjaoU53BwrOnaf9VhAyQQEEioJvFYxYcLRKzk= +github.com/google/go-replayers/httpreplay v1.2.0/go.mod h1:WahEFFZZ7a1P4VM1qEeHy+tME4bwyqPcwWbNlUI1Mcg= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc= +github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20250602020802-c6617b811d0e h1:FJta/0WsADCe1r9vQjdHbd3KuiLPu7Y9WlyLGwMUNyE= github.com/google/pprof v0.0.0-20250602020802-c6617b811d0e/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= +github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg= +github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4= github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= github.com/google/trillian v1.7.2 h1:EPBxc4YWY4Ak8tcuhyFleY+zYlbCDCa4Sn24e1Ka8Js= 
@@ -416,41 +540,100 @@ github.com/google/trillian v1.7.2/go.mod h1:mfQJW4qRH6/ilABtPYNBerVJAJ/upxHLX81z github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/wire v0.7.0 h1:JxUKI6+CVBgCO2WToKy/nQk0sS+amI9z9EjVmdaocj4= +github.com/google/wire v0.7.0/go.mod h1:n6YbUQD9cPKTnHXEBN2DXlOp/mVADhVErcMFb0v3J18= github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao= github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8= github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc= github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gopherjs/gopherjs v1.17.2 h1:fQnZVsXk8uxXIStYb0N4bGk7jeyTalG/wsZjQ25dO0g= +github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k= +github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= +github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/gosimple/slug v1.15.0 h1:wRZHsRrRcs6b0XnxMUBM6WK1U1Vg5B0R7VkIf1Xzobo= +github.com/gosimple/slug v1.15.0/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ= +github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o= +github.com/gosimple/unidecode v1.0.1/go.mod 
h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.5 h1:jP1RStw811EvUDzsUQ9oESqw2e4RqCjSAD9qIL8eMns= github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.5/go.mod h1:WXNBZ64q3+ZUemCMXD9kYnr56H7CgZxDBHCVwstfl3s= +github.com/hack-pad/hackpadfs v0.2.4 h1:7pmzQGR6JsGq/uB0JWxd3wTBi7I85f46CHGvcfrJsiE= +github.com/hack-pad/hackpadfs v0.2.4/go.mod h1:2XDioLb2NwaQzRYo+cpgNx1iMALzBQ4bQoLhHpArQZM= +github.com/hairyhenderson/go-fsimpl v0.3.3 h1:OATuo2eMxBlSVsluV1SKPPmDEWyojk3cgTwnyVUtntY= +github.com/hairyhenderson/go-fsimpl v0.3.3/go.mod h1:jjD9rydecqkg+fuUev7snOddDRlvqlwFUHbwwfz73/0= +github.com/hairyhenderson/gomplate/v5 v5.0.0 h1:Y4tub12t4oo7dx/WbbWTlAH76xaRfP7uSzD69tQQ6VY= +github.com/hairyhenderson/gomplate/v5 v5.0.0/go.mod h1:cJbGaYsZyfK1JAeTQQpqv58pJ0hqJY5n1u5Evvm8SgU= +github.com/hairyhenderson/toml v0.4.2-0.20210923231440-40456b8e66cf h1:I1sbT4ZbIt9i+hB1zfKw2mE8C12TuGxPiW7YmtLbPa4= +github.com/hairyhenderson/toml v0.4.2-0.20210923231440-40456b8e66cf/go.mod h1:jDHmWDKZY6MIIYltYYfW4Rs7hQ50oS4qf/6spSiZAxY= +github.com/hairyhenderson/xignore v0.3.3-0.20230403012150-95fe86932830 h1:f+VnmDFJqYgkq1PRraUsYEzJ7bFr36CmzOb/xfV5Q9s= +github.com/hairyhenderson/xignore v0.3.3-0.20230403012150-95fe86932830/go.mod h1:UqUZ8CHnVcV2/rb26Ydn+PQO7bAI8kFONU/vaK1Q/WU= +github.com/hairyhenderson/yaml v0.0.0-20220618171115-2d35fca545ce h1:cVkYhlWAxwuS2/Yp6qPtcl0fGpcWxuZNonywHZ6/I+s= +github.com/hairyhenderson/yaml v0.0.0-20220618171115-2d35fca545ce/go.mod h1:7TyiGlHI+IO+iJbqRZ82QbFtvgj/AIcFm5qc9DLn7Kc= +github.com/hashicorp/consul/api v1.33.2 h1:Q6mE0WZsUTJerlnl9TuXzqrtZ0cKdOCsxcZhj5mKbMs= +github.com/hashicorp/consul/api v1.33.2/go.mod h1:K3yoL/vnIBcQV/25NeMZVokRvPPERiqp2Udtr4xAfhs= +github.com/hashicorp/consul/sdk v0.17.1 
h1:LumAh8larSXmXw2wvw/lK5ZALkJ2wK8VRwWMLVV5M5c= +github.com/hashicorp/consul/sdk v0.17.1/go.mod h1:EngiixMhmw9T7wApycq6rDRFXXVUwjjf7HuLiGMH/Sw= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= +github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-metrics v0.5.4 h1:8mmPiIJkTPPEbAiV97IxdAGNdRdaWwVap1BU6elejKY= +github.com/hashicorp/go-metrics v0.5.4/go.mod h1:CG5yz4NZ/AI/aQt9Ucm/vdBnbh7fvmv4lxZ350i+QQI= +github.com/hashicorp/go-msgpack v0.5.5 h1:i9R9JSrqIz0QVLz3sz+i3YJdT7TTSLcfLLzJi9aZTuI= +github.com/hashicorp/go-msgpack/v2 v2.1.2 h1:4Ee8FTp834e+ewB71RDrQ0VKpyFdrKOjvYtnQ/ltVj0= +github.com/hashicorp/go-msgpack/v2 v2.1.2/go.mod h1:upybraOAblm4S7rx0+jeNy+CWWhzywQsSRV5033mMu4= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.5.3/go.mod 
h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48= github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 h1:I8bynUKMh9I7JdwtW9voJ0xmHvBpxQtLjrMFDYmhOxY= +github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg= github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 h1:U+kC2dOhMFQctRfhK0gRctKAPTloZdMU5ZJxaesJ/VM= github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9dbT+Fw= github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= +github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= 
github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I= github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= +github.com/hashicorp/memberlist v0.5.2 h1:rJoNPWZ0juJBgqn48gjy59K5H4rNgvUoM1kUD7bXiuI= +github.com/hashicorp/memberlist v0.5.2/go.mod h1:Ri9p/tRShbjYnpNf4FFPXG7wxEGY4Nrcn6E7jrVa//4= +github.com/hashicorp/serf v0.10.2 h1:m5IORhuNSjaxeljg5DeQVDlQyVkhRIjJDimbkCa8aAc= +github.com/hashicorp/serf v0.10.2/go.mod h1:T1CmSGfSeGfnfNy/w0odXQUR1rfECGd2Qdsp84DjOiY= github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0= github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM= +github.com/hashicorp/vault/api/auth/approle v0.11.0 h1:ViUvgqoSTqHkMi1L1Rr/LnQ+PWiRaGUBGvx4UPfmKOw= +github.com/hashicorp/vault/api/auth/approle v0.11.0/go.mod h1:v8ZqBRw+GP264ikIw2sEBKF0VT72MEhLWnZqWt3xEG8= +github.com/hashicorp/vault/api/auth/aws v0.11.0 h1:lWdUxrzvPotg6idNr62al4w97BgI9xTDdzMCTViNH2s= +github.com/hashicorp/vault/api/auth/aws v0.11.0/go.mod h1:PWqdH/xqaudapmnnGP9ip2xbxT/kRW2qEgpqiQff6Gc= +github.com/hashicorp/vault/api/auth/userpass v0.11.0 h1:iPw1PL6vzQTn2w14quKd0ZnJV+cfPe+p5CA22M45jsA= +github.com/hashicorp/vault/api/auth/userpass v0.11.0/go.mod h1:FZ/baZ5rhruevb6kED9eh9KhorGtwM+xxVBvtXSxZsY= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 
@@ -461,6 +644,10 @@ github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/itchyny/gojq v0.12.18 h1:gFGHyt/MLbG9n6dqnvlliiya2TaMMh6FFaR2b1H6Drc= +github.com/itchyny/gojq v0.12.18/go.mod h1:4hPoZ/3lN9fDL1D+aK7DY1f39XZpY9+1Xpjz8atrEkg= +github.com/itchyny/timefmt-go v0.1.7 h1:xyftit9Tbw+Dc/huSSPJaEmX1TVL8lw5vxjJLK4GMMA= +github.com/itchyny/timefmt-go v0.1.7/go.mod h1:5E46Q+zj7vbTgWY8o5YkMeYb4I6GeWLFnetPy5oBrAI= github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= 
@@ -469,20 +656,39 @@ github.com/jackc/pgx/v5 v5.7.5 h1:JHGfMnQY+IEtGM63d+NGMjoRpysB2JBwDr5fsngwmJs= github.com/jackc/pgx/v5 v5.7.5/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M= github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E= github.com/jellydator/ttlcache/v3 v3.4.0 h1:YS4P125qQS0tNhtL6aeYkheEaB/m8HCqdMMP4mnWdTY= github.com/jellydator/ttlcache/v3 v3.4.0/go.mod h1:Hw9EgjymziQD3yGsQdf1FqFdpp7YjFMd4Srg5EJlgD4= +github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY= github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs= github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI= +github.com/johannesboyne/gofakes3 v0.0.0-20250106100439-5c39aecd6999 h1:CMbkEl1h9JvRURFFprSbyy2f4Gf71SFz9h74iSAETGo= +github.com/johannesboyne/gofakes3 
v0.0.0-20250106100439-5c39aecd6999/go.mod h1:t6osVdP++3g4v2awHz4+HFccij23BbdT1rX3W7IijqQ= +github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0= +github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4= +github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report/v2 v2.1.0 h1:X3+hPYlSczH9IMIpSC9CQSZA0L+BipYafciZUWHEmsc= github.com/jstemmer/go-junit-report/v2 v2.1.0/go.mod h1:mgHVr7VUo5Tn8OLVr1cKnLuEy0M92wdRntM99h7RkgQ= +github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= +github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU= github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k= github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk= 
@@ -499,6 +705,11 @@ github.com/knadh/koanf/providers/fs v1.0.0 h1:tvn4MrduLgdOSUqqEHULUuIcELXf6xDOpH github.com/knadh/koanf/providers/fs v1.0.0/go.mod h1:FksHET+xXFNDozvj8ZCdom54OnZ6eGKJtC5FhZJKx/8= github.com/knadh/koanf/v2 v2.3.2 h1:Ee6tuzQYFwcZXQpc2MiVeC6qHMandf5SMUJJNoFp/c4= github.com/knadh/koanf/v2 v2.3.2/go.mod h1:gRb40VRAbd4iJMYYD5IxZ6hfuopFcXBpc9bbQpZwo28= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -527,12 +738,19 @@ github.com/letsencrypt/boulder v0.20251110.0 h1:J8MnKICeilO91dyQ2n5eBbab24neHzUp github.com/letsencrypt/boulder v0.20251110.0/go.mod h1:ogKCJQwll82m7OVHWyTuf8eeFCjuzdRQlgnZcCl0V+8= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lmittmann/tint v1.1.2 h1:2CQzrL6rslrsyjqLDwD11bZ5OpLBPU+g3G/r5LSfS8w= +github.com/lmittmann/tint v1.1.2/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE= github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA= github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg= +github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= +github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs= github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ= github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= 
@@ -562,6 +780,8 @@ github.com/mozillazg/docker-credential-acr-helper v0.4.0 h1:Uoh3Z9CcpEDnLiozDx+D github.com/mozillazg/docker-credential-acr-helper v0.4.0/go.mod h1:2kiicb3OlPytmlNC9XGkLvVC+f0qTiJw3f/mhmeeQBg= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A= github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= 
@@ -595,44 +815,73 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= +github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4= github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY= +github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4= +github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/xattr v0.4.10 h1:Qe0mtiNFHQZ296vRgUjRCoPHPqH7VdTOrZx3g0T+pGA= +github.com/pkg/xattr v0.4.10/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod 
h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= +github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= +github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= +github.com/prometheus/common v0.10.0/go.mod 
h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= +github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4= github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= +github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws= github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw= github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 h1:s1LvMaU6mVwoFtbxv/rCZKE7/fwDmDY684FfUe4c1Io= github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91/go.mod h1:JSbkp0BviKovYYt9XunS95M3mLPibE9bGg+Y95DsEEY= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod 
h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/ryszard/goskiplist v0.0.0-20150312221310-2dfbae5fcf46 h1:GHRpF1pTW19a8tTFrMLUcfWwyC0pnifVo2ClaLq+hP8= +github.com/ryszard/goskiplist v0.0.0-20150312221310-2dfbae5fcf46/go.mod h1:uAQ5PCi+MFsC7HjREoAz1BU+Mq60+05gifQSsHSDG/8= github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc= github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik= github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A= github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/secure-systems-lab/go-securesystemslib v0.10.0 h1:l+H5ErcW0PAehBNrBxoGv1jjNpGYdZ9RcheFkB2WI14= github.com/secure-systems-lab/go-securesystemslib v0.10.0/go.mod h1:MRKONWmRoFzPNQ9USRF9i1mc7MvAVvF1LlW8X5VWDvk= github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0= 
@@ -665,11 +914,21 @@ github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4 h1:KVavYMPfSf5 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4/go.mod h1:J7CA1AaBkyK8dYq6EdQANhj+8oEcsA7PrIp088qgPiY= github.com/sigstore/timestamp-authority/v2 v2.0.4 h1:65IBa4LUeFWDQu9hiTt5lBpi/F5jonJWZtH6VLn4InU= github.com/sigstore/timestamp-authority/v2 v2.0.4/go.mod h1:EXJLiMDBqRPlzC02hPiFSiYTCqSuUpU68a4vr0DFePM= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w= github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g= +github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8= +github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= +github.com/smarty/assertions v1.15.0 h1:cR//PqUBUiQRakZWqBiFFQ9wb8emQGDb0HeGdqGByCY= +github.com/smarty/assertions v1.15.0/go.mod h1:yABtdzeQs6l1brC900WlRNwj6ZR55d7B+E8C6HtKdec= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/smartystreets/goconvey v1.8.1 h1:qGjIddxOk4grTu9JPOU31tVfq3cNdBlNa5sSznIX1xY= +github.com/smartystreets/goconvey v1.8.1/go.mod h1:+/u4qLyY6x1jReYOp7GOM2FSt8aP9CzCZL03bI28W60= github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw= github.com/sourcegraph/conc 
v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U= github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I= @@ -686,12 +945,15 @@ github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjb github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
@@ -730,6 +992,9 @@ github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c h1:5a2XDQ github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c/go.mod h1:g85IafeFJZLxlzZCDRu4JLpfS7HKzR+Hw9qRh3bVzDI= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= +github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY= +github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4= github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ= github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY= github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4= @@ -740,6 +1005,8 @@ github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 h1:+dBg5k7nuTE38 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1/go.mod h1:nmuySobZb4kFgFy6BptpXp/BBw+xFSyvVPP6auoJB4k= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= +github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= 
@@ -766,12 +1033,16 @@ gitlab.com/gitlab-org/api/client-go v1.25.0 h1:9YVk2o1CjZWKh2/KGOsNbOReBSxFIdBv6 gitlab.com/gitlab-org/api/client-go v1.25.0/go.mod h1:r060AandE8Md/L5oKdUVjljL8YQprOAxKzUnpqWqP3A= go.mongodb.org/mongo-driver v1.17.6 h1:87JUG1wZfWsr6rIz3ZmpH90rL5tea7O3IHuSwHUpsss= go.mongodb.org/mongo-driver v1.17.6/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= go.opentelemetry.io/build-tools/chloggen v0.29.0 h1:0HnDE47uJNlst1XtCukHB7sQYtUlJjmvdhWVdJn+GBU= go.opentelemetry.io/build-tools/chloggen v0.29.0/go.mod h1:eby4AVJQF5uanGCnErZdhDYBSW/EJ0iqejBFNJMN4DQ= go.opentelemetry.io/collector/cmd/builder v0.147.0 h1:5oX+85nxDeSjBRv6JdV4v6v2XMgdB1P026wVZteFPV0= go.opentelemetry.io/collector/cmd/builder v0.147.0/go.mod h1:oP+JvKxz7BWGPQUPa/AmoIamZvk6kQtz8XHBJVuy3h4= +go.opentelemetry.io/contrib/detectors/gcp v1.38.0 h1:ZoYbqX7OaA/TAikspPl3ozPI6iY6LiIY9I8cUfm+pJs= +go.opentelemetry.io/contrib/detectors/gcp v1.38.0/go.mod h1:SU+iU7nu5ud4oCb3LQOhIZ3nRLj6FNVrKgtflbaf2ts= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18= 
@@ -784,6 +1055,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 h1:in9O8 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0/go.mod h1:Rp0EXBm5tfnv0WL+ARyO/PHBEaEAT8UUHQ6AGJcSq6c= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 h1:Ckwye2FpXkYgiHX7fyVrN1uA/UYd9ounqqTuSNAv0k4= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0/go.mod h1:teIFJh5pW2y+AN7riv6IBPX2DuesS3HgP39mwOspKwU= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 h1:wm/Q0GAAykXv83wzcKzGGqAnnfLFyFe7RslekZuv+VI= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0/go.mod h1:ra3Pa40+oKjvYh+ZD3EdxFZZB0xdMfuileHAm4nNN7w= go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4= go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI= go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo= @@ -794,6 +1067,8 @@ go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4Len go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc= go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= +go.shabbyrobe.org/gocovmerge v0.0.0-20230507111327-fa4f82cfbf4d h1:Ns9kd1Rwzw7t0BR8XMphenji4SmIoNZPn8zhYmaVKP8= +go.shabbyrobe.org/gocovmerge v0.0.0-20230507111327-fa4f82cfbf4d/go.mod h1:92Uoe3l++MlthCm+koNi0tcUCX3anayogF0Pa/sp24k= go.step.sm/crypto v0.76.0 h1:K23BSaeoiY7Y5dvvijTeYC9EduDBetNwQYMBwMhi1aA= go.step.sm/crypto v0.76.0/go.mod h1:PXYJdKkK8s+GHLwLguFaLxHNAFsFL3tL1vSBrYfey5k= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -806,6 +1081,11 @@ go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= +go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M= +go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y= +gocloud.dev v0.44.0 h1:iVyMAqFl2r6xUy7M4mfqwlN+21UpJoEtgHEcfiLMUXs= +gocloud.dev v0.44.0/go.mod h1:ZmjROXGdC/eKZLF1N+RujDlFRx3D+4Av2thREKDMVxY= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= @@ -814,6 +1094,7 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= 
@@ -821,6 +1102,8 @@ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY= +golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -833,13 +1116,18 @@ golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod 
h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 
@@ -855,43 +1143,63 @@ golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ= golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200509044756-6aff5f38e54f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -936,6 +1244,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY= +golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE= 
@@ -966,10 +1276,14 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= 
@@ -980,10 +1294,15 @@ gopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k= gopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= From 014b9e4ecfc19dd2bf1d09107007008211c589ff Mon Sep 17 00:00:00 2001 From: RealAnna Date: Wed, 11 Mar 2026 07:50:40 +0100 Subject: [PATCH 28/40] rebase --- internal/tools/go.mod | 2 +- internal/tools/go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/internal/tools/go.mod b/internal/tools/go.mod index 484191949..904cc242e 100644 --- a/internal/tools/go.mod +++ b/internal/tools/go.mod 
@@ -136,7 +136,7 @@ require ( github.com/go-chi/chi/v5 v5.2.4 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.7.0 // indirect - github.com/go-git/go-git/v5 v5.16.4 // indirect + github.com/go-git/go-git/v5 v5.16.5 // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-jose/go-jose/v4 v4.1.3 // indirect github.com/go-logr/logr v1.4.3 // indirect diff --git a/internal/tools/go.sum b/internal/tools/go.sum index c9f2b7ccd..716aa6053 100644 --- a/internal/tools/go.sum +++ b/internal/tools/go.sum @@ -379,6 +379,8 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMj github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= github.com/go-git/go-git/v5 v5.16.4 h1:7ajIEZHZJULcyJebDLo99bGgS0jRrOxzZG4uCk2Yb2Y= github.com/go-git/go-git/v5 v5.16.4/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= +github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s= +github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= From 0cbef35bf71f922337c37f06b3641a72adc55938 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Thu, 12 Mar 2026 10:22:21 +0100 Subject: [PATCH 29/40] review --- .github/workflows/yaml-policy-check.yml | 7 ++++--- Makefile | 7 +++---- internal/renderworkloads/README.md | 3 +-- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index 5d6151b78..ded17d295 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml 
@@ -14,6 +14,7 @@ defaults: shell: bash env: + # renovate: datasource=golang-version depName=go GO_VERSION: "1.25.7" OUT_BASE: "/tmp/rendered-collectors-workloads" @@ -35,9 +36,9 @@ jobs: - name: Install Kyverno CLI uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 - - name: Install build tools - run: | - make install-tools +# - name: Install build tools +# run: | +# make install-tools - name: Render workloads and validate with Kyverno run: | diff --git a/Makefile b/Makefile index b2076152e..983d9f716 100644 --- a/Makefile +++ b/Makefile @@ -105,7 +105,6 @@ gomoddownload: $(MAKE) --no-print-directory for-all-target TARGET="moddownload" OUT_BASE ?= /tmp/rendered-collectors-workloads -REPO_ROOT := $(shell git rev-parse --show-toplevel) RENDERWORKLOADS_MOD_DIR := internal/renderworkloads @@ -113,8 +112,8 @@ RENDERWORKLOADS_MOD_DIR := internal/renderworkloads render-workloads: $(GOMPLATE) @echo "Rendering workloads to $(OUT_BASE)" - @cd "$(REPO_ROOT)/$(RENDERWORKLOADS_MOD_DIR)" && go run . \ - -repo-root "$(REPO_ROOT)" \ + @cd "$(SRC_ROOT)/$(RENDERWORKLOADS_MOD_DIR)" && go run . \ + -repo-root "$(SRC_ROOT)" \ -in-root internal/testbed/integration \ -out-base "$(OUT_BASE)" \ -vars-file internal/renderworkloads/render-vars.json \ @@ -123,5 +122,5 @@ render-workloads: $(GOMPLATE) kyverno-workloads: render-workloads @echo "Running Kyverno against rendered workloads from $(OUT_BASE)/workloads.txt" - @cd "$(REPO_ROOT)" && sed 's|^|-r |' "$(OUT_BASE)/workloads.txt" \ + @cd "$(SRC_ROOT)" && sed 's|^|-r |' "$(OUT_BASE)/workloads.txt" \ | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml diff --git a/internal/renderworkloads/README.md b/internal/renderworkloads/README.md index 4662e43d5..2a3d426e0 100644 --- a/internal/renderworkloads/README.md +++ b/internal/renderworkloads/README.md 
@@ -1,4 +1,4 @@ -```md + # renderworkloads `renderworkloads` is an internal helper used by CI to **render the Kubernetes collector workload definitions in this repository** @@ -46,4 +46,3 @@ pass: N, fail: 0, warn: 0, error: 0, skip: 0 - `kyverno-workloads` depends on `render-workloads` and will re-render before running Kyverno. - If `workloads.txt` is empty, the Kyverno target will fail (to avoid silently doing nothing). - You need `gomplate` and `kyverno` available in your `PATH`. -``` \ No newline at end of file From 11a7cf29283bb1360ab8dcb70c530dcef65684a2 Mon Sep 17 00:00:00 2001 From: RealAnna <89971034+RealAnna@users.noreply.github.com> Date: Thu, 12 Mar 2026 10:23:18 +0100 Subject: [PATCH 30/40] Update .github/workflows/kyverno/README.md Co-authored-by: Moritz Wiesinger <6901203+mowies@users.noreply.github.com> --- .github/workflows/kyverno/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kyverno/README.md b/.github/workflows/kyverno/README.md index 150130d15..bf25120df 100644 --- a/.github/workflows/kyverno/README.md +++ b/.github/workflows/kyverno/README.md @@ -4,7 +4,7 @@ Install the Kyverno CLI: https://kyverno.io/docs/kyverno-cli/ Install gomplate: https://docs.gomplate.ca/installing/ or run ```bash -make instal-tools +make install-tools ``` Then run the Kyverno checks against the rendered workloads: From 6fde7dbb54c6129895a9284702786b2dc4e7be4d Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 16 Mar 2026 08:05:43 +0100 Subject: [PATCH 31/40] get rid of gomplate --- .github/workflows/kyverno/README.md | 5 - Makefile | 3 +- Makefile.Common | 1 - internal/renderworkloads/README.md | 7 -- internal/renderworkloads/main.go | 144 +++++++++++++++++++++------- internal/tools/go.mod | 1 - internal/tools/tools.go | 1 - 7 files changed, 111 insertions(+), 51 deletions(-) diff --git a/.github/workflows/kyverno/README.md b/.github/workflows/kyverno/README.md index bf25120df..962a6e4e8 100644 
--- a/.github/workflows/kyverno/README.md +++ b/.github/workflows/kyverno/README.md @@ -2,11 +2,6 @@ Install the Kyverno CLI: https://kyverno.io/docs/kyverno-cli/ -Install gomplate: https://docs.gomplate.ca/installing/ or run -```bash -make install-tools -``` - Then run the Kyverno checks against the rendered workloads: ```bash diff --git a/Makefile b/Makefile index 983d9f716..0f7fae4df 100644 --- a/Makefile +++ b/Makefile @@ -110,14 +110,13 @@ RENDERWORKLOADS_MOD_DIR := internal/renderworkloads .PHONY: render-workloads kyverno-workloads -render-workloads: $(GOMPLATE) +render-workloads: @echo "Rendering workloads to $(OUT_BASE)" @cd "$(SRC_ROOT)/$(RENDERWORKLOADS_MOD_DIR)" && go run . \ -repo-root "$(SRC_ROOT)" \ -in-root internal/testbed/integration \ -out-base "$(OUT_BASE)" \ -vars-file internal/renderworkloads/render-vars.json \ - -gomplate "$(abspath $(GOMPLATE))" kyverno-workloads: render-workloads diff --git a/Makefile.Common b/Makefile.Common index b353cef45..0646f703d 100644 --- a/Makefile.Common +++ b/Makefile.Common @@ -19,7 +19,6 @@ BUILDER := $(TOOLS_BIN_DIR)/builder CHLOGGEN := $(TOOLS_BIN_DIR)/chloggen COSIGN := $(TOOLS_BIN_DIR)/cosign GOJUNIT := $(TOOLS_BIN_DIR)/v2 -GOMPLATE := $(TOOLS_BIN_DIR)/gomplate # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro GORELEASER_PRO_VERSION ?= v2.14.3 diff --git a/internal/renderworkloads/README.md b/internal/renderworkloads/README.md index 2a3d426e0..c2b0c9943 100644 --- a/internal/renderworkloads/README.md +++ b/internal/renderworkloads/README.md @@ -10,13 +10,6 @@ The rendered output is then checked with **Kyverno** to enforce a baseline conta ## How to use (local) -Install gomplate: https://docs.gomplate.ca/installing/ or from root repo run -```bash -make install-tools -``` - -This renders the collector workloads (Deployments/DaemonSets/StatefulSets) into an output directory and writes an index file. - ```bash make render-workloads ``` 
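Review bot: In the Makefile hunk (`@@ -110,14 +110,13 @@`), deleting the `-gomplate "$(abspath $(GOMPLATE))"` argument leaves `-vars-file internal/renderworkloads/render-vars.json \` as the last line of the `render-workloads` recipe, with its trailing backslash still in place. The recipe now ends correctly only while an empty line follows it, which the collapsed hunk does not show. If that line is ever removed, the `kyverno-workloads: render-workloads` rule header would be folded into the `go run` command and the policy-check target would no longer be defined. Drop the continuation so the recipe ends on its own: `-vars-file internal/renderworkloads/render-vars.json`.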
diff --git a/internal/renderworkloads/main.go b/internal/renderworkloads/main.go index af4c0f2bb..b4c79ff58 100644 --- a/internal/renderworkloads/main.go +++ b/internal/renderworkloads/main.go @@ -1,8 +1,8 @@ // internal/renderworkloads/main.go // -// Renders YAML templates (using gomplate) under a given input root, writing ONLY rendered -// collector workload YAMLs (Deployment/DaemonSet/StatefulSet) to an output directory while -// preserving relative paths. +// Renders YAML templates (using Go's built-in text/template) under a given input root, +// writing ONLY rendered collector workload YAMLs (Deployment/DaemonSet/StatefulSet) to an +// output directory while preserving relative paths. // Also writes workloads.txt containing paths to rendered workload YAMLs. // // Values are provided via a JSON file (default: render-vars.json) located in -repo-root. @@ -10,23 +10,24 @@ package main import ( "bytes" + "encoding/json" "errors" "flag" "fmt" "io" "io/fs" "os" - "os/exec" "path/filepath" "strings" + "text/template" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" k8syaml "k8s.io/apimachinery/pkg/util/yaml" + "sigs.k8s.io/yaml" ) const ( defaultOutBase = "/tmp/rendered" - defaultGomplate = "gomplate" defaultVarsFile = "render-vars.json" collectorLabelKey = "app.kubernetes.io/name" @@ -45,7 +46,6 @@ type Options struct { RepoRoot string InRoot string OutBase string - Gomplate string VarsFile string WriteIndex bool Verbose bool @@ -75,9 +75,13 @@ func main() { fatalf("error: vars file not found: %s: %v\n", varsPath, err) } - workloads, err := renderCollectorWorkloads(repoRoot, inRoot, outBase, varsPath, opt) + vars, err := loadVarsJSON(varsPath) + if err != nil { + fatalf("error: reading vars file %s: %v\n", varsPath, err) + } + + workloads, err := renderCollectorWorkloads(repoRoot, inRoot, outBase, vars, opt) if err != nil { - // mirror the behavior you saw (panic-ish), but with a clearer message fatalf("panic: %v\n", err) } 
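Review bot: The import hunk (`@@ -10,23 +10,24 @@`) adds `sigs.k8s.io/yaml` as a direct import, but this patch's diffstat lists no change to `internal/renderworkloads/go.mod` or its `go.sum`. If the module previously pulled that package in only transitively, it stays marked `// indirect`, and a `go mod tidy` check would report a diff. Running `go mod tidy` in `internal/renderworkloads` and committing the result keeps the new direct dependency visible to dependency-update and audit tooling.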
@@ -103,15 +107,14 @@ func parseFlags() Options { flag.StringVar(&opt.RepoRoot, "repo-root", "", "Repository root (used to compute relative paths and locate vars file)") flag.StringVar(&opt.InRoot, "in-root", "", "Input root directory (relative to -repo-root) to scan for YAML templates") flag.StringVar(&opt.OutBase, "out-base", defaultOutBase, "Output base directory") - flag.StringVar(&opt.Gomplate, "gomplate", defaultGomplate, "Path to gomplate binary") flag.StringVar(&opt.VarsFile, "vars-file", defaultVarsFile, "Vars JSON file name (resolved relative to -repo-root)") flag.BoolVar(&opt.WriteIndex, "write-index", true, "Write workloads.txt with rendered workload YAML paths") - flag.BoolVar(&opt.Verbose, "verbose", false, "Verbose output (print gomplate commands)") + flag.BoolVar(&opt.Verbose, "verbose", false, "Verbose output (print files being rendered)") flag.Parse() return opt } -func renderCollectorWorkloads(repoRoot, inRoot, outBase, varsPath string, opt Options) ([]string, error) { +func renderCollectorWorkloads(repoRoot, inRoot, outBase string, vars map[string]any, opt Options) ([]string, error) { workloads := make([]string, 0, 128) err := filepath.WalkDir(inRoot, func(path string, d fs.DirEntry, walkErr error) error { @@ -138,7 +141,11 @@ func renderCollectorWorkloads(repoRoot, inRoot, outBase, varsPath string, opt Op } outPath := filepath.Join(outBase, relToRepo) - rendered, err := gomplateRenderFile(opt.Gomplate, varsPath, path, opt.Verbose) + if opt.Verbose { + fmt.Fprintf(os.Stderr, "render: %s\n", path) + } + + rendered, err := goTemplateRenderFile(path, vars) if err != nil { return err } 
@@ -170,34 +177,103 @@ func isYAMLFile(path string) bool { return ext == ".yaml" || ext == ".yml" } -func gomplateRenderFile(gomplateBin, varsAbsPath, inFile string, verbose bool) ([]byte, error) { - // gomplate v5: --context expects alias=URL form; '.' sets root context. - // For an absolute Unix path, "file://" + "/Users/..." => "file:///Users/..." - ctxURL := "file://" + filepath.ToSlash(varsAbsPath) +func loadVarsJSON(varsAbsPath string) (map[string]any, error) { + b, err := os.ReadFile(varsAbsPath) + if err != nil { + return nil, err + } + var v map[string]any + if err := json.Unmarshal(b, &v); err != nil { + return nil, err + } + return v, nil +} - cmd := exec.Command( - gomplateBin, - "-c", ".="+ctxURL, - "-f", inFile, - ) +func goTemplateRenderFile(inFile string, vars map[string]any) ([]byte, error) { + src, err := os.ReadFile(inFile) + if err != nil { + return nil, err + } - var stdout, stderr bytes.Buffer - cmd.Stdout = &stdout - cmd.Stderr = &stderr + tpl, err := template.New(filepath.Base(inFile)). + Option("missingkey=error"). + Funcs(templateFuncs()). 
+ Parse(string(src)) + if err != nil { + return nil, fmt.Errorf("template parse failed for %s: %w", inFile, err) + } - if verbose { - fmt.Fprintf(os.Stderr, "gomplate cmd: %q\n", cmd.Args) + var out bytes.Buffer + if err := tpl.Execute(&out, vars); err != nil { + return nil, fmt.Errorf("template execute failed for %s: %w", inFile, err) } + return out.Bytes(), nil +} + +func templateFuncs() template.FuncMap { + return template.FuncMap{ + // Strings/formatting + "indent": indent, + "nindent": nindent, + + // Defaults (minimal) + "default": defaultValue, + + // Serialization helpers + "toYaml": toYAML, + "toJson": toJSON, + } +} - if err := cmd.Run(); err != nil { - return nil, fmt.Errorf( - "gomplate render failed for %s: %w: %s", - inFile, - err, - strings.TrimSpace(stderr.String()), - ) +func indent(spaces int, s string) string { + if spaces <= 0 || s == "" { + return s + } + pad := strings.Repeat(" ", spaces) + lines := strings.Split(s, "\n") + for i := range lines { + // keep trailing empty line empty (common after yaml.Marshal) + if lines[i] == "" && i == len(lines)-1 { + continue + } + lines[i] = pad + lines[i] + } + return strings.Join(lines, "\n") +} + +func nindent(spaces int, s string) string { + if s == "" { + return "" + } + return "\n" + indent(spaces, s) +} + +// defaultValue is intentionally minimal (not "deep empty") to avoid overdoing semantics. +// It only treats nil and "" as empty. +func defaultValue(def, v any) any { + if v == nil { + return def + } + if s, ok := v.(string); ok && s == "" { + return def + } + return v +} + +func toYAML(v any) (string, error) { + b, err := yaml.Marshal(v) + if err != nil { + return "", err + } + return string(b), nil +} + +func toJSON(v any) (string, error) { + b, err := json.Marshal(v) + if err != nil { + return "", err } - return stdout.Bytes(), nil + return string(b), nil } func isCollectorWorkloadYAML(b []byte) bool { diff --git a/internal/tools/go.mod b/internal/tools/go.mod index 904cc242e..c76a011f2 100644 
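Review bot: In the hunk that begins at `@@ -170,34 +177,103 @@`, `loadVarsJSON` decodes into `map[string]any` with `json.Unmarshal`, so every JSON number becomes a `float64`, and `text/template` prints a `float64` of 1e6 or more in exponent form (`1e+06`). If `render-vars.json` ever carries such a number, the manifest that Kyverno validates would silently differ from what the template author wrote. Decoding with `dec := json.NewDecoder(bytes.NewReader(b))`, `dec.UseNumber()` and `dec.Decode(&v)` keeps numbers as written; `bytes` is already imported. Separately, because the template is built with `Option("missingkey=error")`, `default` can only fill in keys that are present with a nil or empty-string value, which is worth stating in the comment on `defaultValue`.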
--- a/internal/tools/go.mod +++ b/internal/tools/go.mod @@ -3,7 +3,6 @@ module github.com/Dynatrace/dynatrace-otel-collector/internal/tools go 1.25.7 require ( - github.com/hairyhenderson/gomplate/v5 v5.0.0 github.com/jstemmer/go-junit-report/v2 v2.1.0 github.com/sigstore/cosign/v3 v3.0.5 go.opentelemetry.io/build-tools/chloggen v0.29.0 diff --git a/internal/tools/tools.go b/internal/tools/tools.go index b71d10a9d..c4c323575 100644 --- a/internal/tools/tools.go +++ b/internal/tools/tools.go @@ -3,7 +3,6 @@ package tools import ( - _ "github.com/hairyhenderson/gomplate/v5/cmd/gomplate" _ "github.com/jstemmer/go-junit-report/v2" _ "github.com/sigstore/cosign/v3/cmd/cosign" _ "go.opentelemetry.io/build-tools/chloggen" From d45bd33c311d8b4270f888a8289677fc98a8da8c Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 16 Mar 2026 08:06:25 +0100 Subject: [PATCH 32/40] get rid of gomplate --- .github/workflows/yaml-policy-check.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/yaml-policy-check.yml b/.github/workflows/yaml-policy-check.yml index ded17d295..f96efb7ae 100644 --- a/.github/workflows/yaml-policy-check.yml +++ b/.github/workflows/yaml-policy-check.yml @@ -31,15 +31,10 @@ jobs: go-version: ${{ env.GO_VERSION }} cache-dependency-path: | internal/renderworkloads/go.sum - internal/tools/go.sum - name: Install Kyverno CLI uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 -# - name: Install build tools -# run: | -# make install-tools - - name: Render workloads and validate with Kyverno run: | make kyverno-workloads OUT_BASE="${OUT_BASE}" From 6f0a487769c1ef815d27c7a86e773d6194b5e209 Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 16 Mar 2026 08:22:57 +0100 Subject: [PATCH 33/40] get rid of gomplate --- internal/tools/go.mod | 8 ++++---- internal/tools/go.sum | 8 ++++++++ 2 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/internal/tools/go.mod b/internal/tools/go.mod index c76a011f2..4a3d82273 100644 --- a/internal/tools/go.mod +++ b/internal/tools/go.mod @@ -162,7 +162,7 @@ require ( github.com/go-openapi/swag/yamlutils v0.25.4 // indirect github.com/go-openapi/validate v0.25.1 // indirect github.com/go-piv/piv-go/v2 v2.4.0 // indirect - github.com/go-viper/mapstructure/v2 v2.4.0 // indirect + github.com/go-viper/mapstructure/v2 v2.5.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/goccy/go-json v0.10.5 // indirect github.com/golang-jwt/jwt/v4 v4.5.2 // indirect @@ -227,7 +227,7 @@ require ( github.com/knadh/koanf/providers/env/v2 v2.0.0 // indirect github.com/knadh/koanf/providers/file v1.2.1 // indirect github.com/knadh/koanf/providers/fs v1.0.0 // indirect - github.com/knadh/koanf/v2 v2.3.2 // indirect + github.com/knadh/koanf/v2 v2.3.3 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lestrrat-go/blackmagic v1.0.4 // indirect github.com/lestrrat-go/dsig v1.0.0 // indirect @@ -339,11 +339,11 @@ require ( gocloud.dev v0.44.0 // indirect golang.org/x/crypto v0.47.0 // indirect golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect - golang.org/x/mod v0.33.0 // indirect + golang.org/x/mod v0.34.0 // indirect golang.org/x/net v0.49.0 // indirect golang.org/x/oauth2 v0.35.0 // indirect golang.org/x/sync v0.19.0 // indirect - golang.org/x/sys v0.41.0 // indirect + golang.org/x/sys v0.42.0 // indirect golang.org/x/term v0.39.0 // indirect golang.org/x/text v0.33.0 // indirect golang.org/x/time v0.14.0 // indirect diff --git a/internal/tools/go.sum b/internal/tools/go.sum index 716aa6053..2109b02e1 100644 --- a/internal/tools/go.sum +++ b/internal/tools/go.sum 
@@ -462,6 +462,8 @@ github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro= +github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4= @@ -707,6 +709,8 @@ github.com/knadh/koanf/providers/fs v1.0.0 h1:tvn4MrduLgdOSUqqEHULUuIcELXf6xDOpH github.com/knadh/koanf/providers/fs v1.0.0/go.mod h1:FksHET+xXFNDozvj8ZCdom54OnZ6eGKJtC5FhZJKx/8= github.com/knadh/koanf/v2 v2.3.2 h1:Ee6tuzQYFwcZXQpc2MiVeC6qHMandf5SMUJJNoFp/c4= github.com/knadh/koanf/v2 v2.3.2/go.mod h1:gRb40VRAbd4iJMYYD5IxZ6hfuopFcXBpc9bbQpZwo28= +github.com/knadh/koanf/v2 v2.3.3 h1:jLJC8XCRfLC7n4F+ZKKdBsbq1bfXTpuFhf4L7t94D94= +github.com/knadh/koanf/v2 v2.3.3/go.mod h1:gRb40VRAbd4iJMYYD5IxZ6hfuopFcXBpc9bbQpZwo28= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= 
@@ -1115,6 +1119,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8= golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w= +golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= +golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1207,6 +1213,8 @@ golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= From ebed800b127e84cbe499aee42b2325c029b1bdff Mon Sep 17 00:00:00 2001 
From: RealAnna <89971034+RealAnna@users.noreply.github.com> Date: Mon, 16 Mar 2026 08:47:56 +0100 Subject: [PATCH 34/40] Update config_examples/collector-helm-values.yaml Co-authored-by: odubajDT <93584209+odubajDT@users.noreply.github.com> --- config_examples/collector-helm-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config_examples/collector-helm-values.yaml b/config_examples/collector-helm-values.yaml index f71a229ad..5f602cdd0 100644 --- a/config_examples/collector-helm-values.yaml +++ b/config_examples/collector-helm-values.yaml @@ -9,7 +9,7 @@ containerSecurityContext: type: RuntimeDefault capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true allowPrivilegeEscalation: false runAsNonRoot: true From bfc3b4fd461fecd19cf260628e6dec954636494e Mon Sep 17 00:00:00 2001 From: RealAnna <89971034+RealAnna@users.noreply.github.com> Date: Mon, 16 Mar 2026 08:55:15 +0100 Subject: [PATCH 35/40] Update Makefile Co-authored-by: odubajDT <93584209+odubajDT@users.noreply.github.com> --- Makefile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 0f7fae4df..3e7823221 100644 --- a/Makefile +++ b/Makefile @@ -120,6 +120,8 @@ render-workloads: kyverno-workloads: render-workloads - @echo "Running Kyverno against rendered workloads from $(OUT_BASE)/workloads.txt" - @cd "$(SRC_ROOT)" && sed 's|^|-r |' "$(OUT_BASE)/workloads.txt" \ - | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml + @echo "Running Kyverno against rendered workloads from $(OUT_BASE)/workloads.txt" + @cd "$(SRC_ROOT)" && \ + { test -s "$(OUT_BASE)/workloads.txt" || { echo "ERROR: workloads.txt is empty"; exit 1; }; } && \ + sed 's|^|-r |' "$(OUT_BASE)/workloads.txt" \ + | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml From 362c40c874d4ac52832bfcb3cd0db750eb4e1c18 Mon Sep 17 00:00:00 2001 
From: RealAnna <89971034+RealAnna@users.noreply.github.com> Date: Mon, 16 Mar 2026 08:56:43 +0100 Subject: [PATCH 36/40] Update README.md --- internal/renderworkloads/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/renderworkloads/README.md b/internal/renderworkloads/README.md index c2b0c9943..826657ba4 100644 --- a/internal/renderworkloads/README.md +++ b/internal/renderworkloads/README.md @@ -38,4 +38,4 @@ pass: N, fail: 0, warn: 0, error: 0, skip: 0 - `kyverno-workloads` depends on `render-workloads` and will re-render before running Kyverno. - If `workloads.txt` is empty, the Kyverno target will fail (to avoid silently doing nothing). -- You need `gomplate` and `kyverno` available in your `PATH`. +- You need `kyverno` available in your `PATH`. From fdbca1c331d4fd00bce837cd473bf66d7403b95f Mon Sep 17 00:00:00 2001 From: RealAnna Date: Mon, 16 Mar 2026 09:09:06 +0100 Subject: [PATCH 37/40] remove journald example --- Makefile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 3e7823221..a7284d560 100644 --- a/Makefile +++ b/Makefile @@ -120,8 +120,8 @@ render-workloads: kyverno-workloads: render-workloads - @echo "Running Kyverno against rendered workloads from $(OUT_BASE)/workloads.txt" - @cd "$(SRC_ROOT)" && \ - { test -s "$(OUT_BASE)/workloads.txt" || { echo "ERROR: workloads.txt is empty"; exit 1; }; } && \ - sed 's|^|-r |' "$(OUT_BASE)/workloads.txt" \ - | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml + @echo "Running Kyverno against rendered workloads from $(OUT_BASE)/workloads.txt" + @cd "$(SRC_ROOT)" && \ + { test -s "$(OUT_BASE)/workloads.txt" || { echo "ERROR: workloads.txt is empty"; exit 1; }; } && \ + sed 's|^|-r |' "$(OUT_BASE)/workloads.txt" \ + | xargs -n 1000 kyverno apply .github/workflows/kyverno/policies/*.yaml From 0c24381e4440784d5c0dc9cbfe7cfd86d53a99d2 Mon Sep 17 00:00:00 2001 
From: RealAnna Date: Tue, 17 Mar 2026 10:21:25 +0100 Subject: [PATCH 38/40] added new policy for hostmetrics --- .../policies/collector-securitycontext.yaml | 6 ++- .../policies/hostmetrics-securitycontext.yaml | 39 +++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/kyverno/policies/hostmetrics-securitycontext.yaml diff --git a/.github/workflows/kyverno/policies/collector-securitycontext.yaml b/.github/workflows/kyverno/policies/collector-securitycontext.yaml index 65f5bd656..1f8865da5 100644 --- a/.github/workflows/kyverno/policies/collector-securitycontext.yaml +++ b/.github/workflows/kyverno/policies/collector-securitycontext.yaml @@ -14,7 +14,11 @@ spec: - Deployment - DaemonSet - StatefulSet - + # Exempt all matching resources in this namespace + exclude: + resources: + namespaces: + - e2ehostmetrics preconditions: all: - key: "{{ request.object.spec.template.metadata.labels.\"app.kubernetes.io/name\" }}" diff --git a/.github/workflows/kyverno/policies/hostmetrics-securitycontext.yaml b/.github/workflows/kyverno/policies/hostmetrics-securitycontext.yaml new file mode 100644 index 000000000..38e14cafb --- /dev/null +++ b/.github/workflows/kyverno/policies/hostmetrics-securitycontext.yaml 
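Review bot: The new `exclude` block in `collector-securitycontext.yaml` exempts every Deployment, DaemonSet and StatefulSet in `e2ehostmetrics`, while the replacement policy added in the same patch matches only `DaemonSet` in that namespace. A collector Deployment or StatefulSet placed in `e2ehostmetrics` would then be checked by neither policy. Narrow the exemption to what the host-metrics policy covers by adding `kinds:` with `- DaemonSet` under `exclude.resources`, next to `namespaces`. The rule continues outside the hunk, so the rest of its match and validate blocks is not visible here.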
@@ -0,0 +1,39 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: collector-hostmetrics-securitycontext +spec: + validationFailureAction: Enforce + background: false + rules: + - name: enforce-hostmetrics-daemonset-securitycontext + match: + resources: + kinds: + - DaemonSet + namespaces: + - e2ehostmetrics + + preconditions: + all: + - key: "{{ request.object.spec.template.metadata.labels.\"app.kubernetes.io/name\" }}" + operator: Equals + value: opentelemetry-collector + + validate: + message: "Host-metrics DaemonSet must use the approved securityContext for journal/host access." + pattern: + spec: + template: + spec: + containers: + - name: "?*" + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL From 4d91e9b2e44d7378cd61f326cb21272242b137d9 Mon Sep 17 00:00:00 2001 From: RealAnna <89971034+RealAnna@users.noreply.github.com> Date: Wed, 18 Mar 2026 07:27:26 +0100 Subject: [PATCH 39/40] Update .github/workflows/kyverno/README.md Co-authored-by: Moritz Wiesinger <6901203+mowies@users.noreply.github.com> --- .github/workflows/kyverno/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kyverno/README.md b/.github/workflows/kyverno/README.md index 962a6e4e8..783155586 100644 --- a/.github/workflows/kyverno/README.md +++ b/.github/workflows/kyverno/README.md @@ -10,7 +10,7 @@ make kyverno-workloads ### CI / automation -The same render + validate steps run in the **YAML Policy Check** workflow "[yaml-policy-check.yml](../yaml-policy-check.yml)" +The same render + validate steps run in the **YAML Policy Check** workflow "[yaml-policy-check.yml](../yaml-policy-check.yml)" ## Kyverno policies From eeb62d9ac94e30ac7a5263fe81a48b19be5f43c8 Mon Sep 17 00:00:00 2001 
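Review bot: The `validate.pattern` permits a root container (`runAsUser: 0`) but constrains only the fields it lists, so a DaemonSet that also sets `privileged: true` or re-adds capabilities under `capabilities.add` still passes. The Kyverno CLI run does not apply the API server's own admission checks. As far as this patch shows, this is the only policy left for the exempted namespace, so it should pin those fields too: add `=(privileged): false` to the container `securityContext` and `X(add): "null"` under `capabilities`. The pattern also lists `containers` only, so `initContainers` in the same pod template are not evaluated.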
From: RealAnna <89971034+RealAnna@users.noreply.github.com> Date: Wed, 18 Mar 2026 07:27:36 +0100 Subject: [PATCH 40/40] Update Makefile Co-authored-by: Moritz Wiesinger <6901203+mowies@users.noreply.github.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a7284d560..71dc26886 100644 --- a/Makefile +++ b/Makefile @@ -104,7 +104,7 @@ for-all-target: $(INTERNAL_MODS) gomoddownload: $(MAKE) --no-print-directory for-all-target TARGET="moddownload" -OUT_BASE ?= /tmp/rendered-collectors-workloads +OUT_BASE ?= /tmp/rendered-collectors-workloads RENDERWORKLOADS_MOD_DIR := internal/renderworkloads