PPD-1452

.dockerignore

@@ -1,4 +1,3 @@
 # More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
-# Ignore build and test binaries.
-bin/
+# Ignore test binaries.
 testbin/

.github/workflows/bulwark-gitleaks-pr-validation.yaml

@@ -0,0 +1,40 @@
+name: BulwarkGitLeaks
+on: [pull_request]
+
+concurrency:
+  group: gitleaks-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gitleaks-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITLEAKS_CONFIG: config.toml
+    steps:
+
+      - name: run-bulwark-gitleaks-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: /workspace/bulwark -name CodeSASTGitLeaks -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=./$REPO/gitleaks.json
+          if ! [ -f $resultPath ]; then
+            echo "GitLeaks validation check skipped"
+            exit 0
+          fi
+          cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\:
+          total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l`
+          if [ "$total_failed_tests" -gt 0 ]; then
+            echo "GitLeaks validation check failed with above findings..."
+            exit 1
+          else 
+            echo "GitLeaks validation check passed"
+          fi

.gitignore

@@ -20,14 +20,17 @@ testbin/*
 
 # editor and IDE paraphernalia
 .idea
+.vscode
 *.swp
 *.swo
 *~
 
 # release dir where infrastructure-components.yaml and other release artifacts will be created
 /release/
 
-# devlopment tmp files
+# development tmp files
 /.devspace/
 devvalues.yaml
-kubeconfig.yaml
+kubeconfig.yaml
+
+config/manager/secret.yaml

Dockerfile

@@ -1,21 +1,23 @@
+ARG BUILDER_GOLANG_VERSION
+ARG BUILDER_3RDPARTY_VERSION
 # Build the manager binary
-FROM golang:1.18 as builder
+FROM --platform=$TARGETPLATFORM gcr.io/spectro-images-public/builders/spectro-third-party:${BUILDER_3RDPARTY_VERSION} as thirdparty
+FROM --platform=linux/amd64 gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as builder
+
+ENV BIN_TYPE=${CRYPTO_LIB:+vertex}
+ENV BIN_TYPE=${BIN_TYPE:-palette}
 
 ARG TARGETOS
 ARG TARGETARCH
 
 WORKDIR /workspace
 
+# Copy binaries
+COPY --from=thirdparty /binaries/helm/latest/$BIN_TYPE/$TARGETARCH/helm helm
+
 # Install Delve for debugging
 RUN if [ "${TARGETARCH}" = "amd64" ]; then go install github.com/go-delve/delve/cmd/dlv@latest; fi
 
-# Install Helm 3
-RUN curl -s https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz > helm3.tar.gz \
- && tar -zxvf helm3.tar.gz linux-amd64/helm \
- && chmod +x linux-amd64/helm \
- && mv linux-amd64/helm $PWD/helm \
- && rm helm3.tar.gz \
- && rm -R linux-amd64
 
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -30,15 +32,19 @@ COPY api/ api/
 COPY controllers/ controllers/
 COPY pkg/ pkg/
 
+# Copy vCluster charts
+COPY charts/ /charts/
+
 # Build
-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -a -o manager main.go
+RUN CGO_ENABLED=0 go build -a -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
 COPY --from=builder /workspace/helm .
+COPY --from=builder /charts/ /charts/
 USER 65532:65532
 
 ENTRYPOINT ["/manager"]

Dockerfile.dev

@@ -0,0 +1,21 @@
+# Build the manager binary
+FROM golang:alpine3.16 as builder
+
+RUN apk add --no-cache gcc g++ bash curl tar
+
+# Install Delve for debugging
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
+
+ARG HELM=./bin/helm-linux-amd64
+
+WORKDIR /
+
+# Copy binaries
+COPY ${HELM} helm
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download

Makefile

@@ -1,16 +1,35 @@
+# If you update this file, please follow:
+# https://suva.sh/posts/well-documented-makefiles/
+
+.DEFAULT_GOAL:=help
+
+VERSION_SUFFIX ?= -dev
+PROD_VERSION ?= 4.4.0${VERSION_SUFFIX}
+BUILDER_GOLANG_VERSION ?= 1.22
+TARGETARCH ?= amd64
+BUILDER_3RDPARTY_VERSION ?= $(shell echo $(PROD_VERSION) | cut -d. -f1,2)
+BUILD_DATE:=$(shell date +%Y%m%d)
+IMG_NAME ?= cluster-api-virtual-controller
+# IMG_URL ?= gcr.io/spectro-images-public/release/cluster-api-virtual/
+IMG_URL ?= gcr.io/spectro-dev-public/${USER}/cluster-api-virtual
+IMG_TAG ?= v0.1.3-spectro-${BUILD_DATE}
+IMG ?= $(IMG_URL)/$(IMG_NAME):$(IMG_TAG)
+BUILD_ARGS = --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg BUILDER_GOLANG_VERSION=${BUILDER_GOLANG_VERSION} --build-arg BUILDER_3RDPARTY_VERSION=${BUILDER_3RDPARTY_VERSION}
 
-TAG ?= main
-# Image URL to use all building/pushing image targets
-IMG ?= docker.io/loftsh/cluster-api-provider-vcluster:$(TAG)
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.23
+# HELM_VERSION = 3.12.0
+HELM_VERSION = 3.11.2-20230627
+VCLUSTER_CHART_VERSION = 0.18.1
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
 else
 GOBIN=$(shell go env GOBIN)
 endif
+GOARCH ?= $(shell go env GOARCH)
+GOOS ?= $(shell go env GOOS)
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # This is a requirement for 'setup-envtest.sh' in the test target.
@@ -21,6 +40,12 @@ SHELL = /usr/bin/env bash -o pipefail
 .PHONY: all
 all: build
 
+BIN_DIR ?= ./bin
+CHARTS_DIR ?= ./charts
+bin-dir:
+	test -d $(BIN_DIR) || mkdir $(BIN_DIR)
+	test -d $(CHARTS_DIR) || mkdir $(CHARTS_DIR)
+
 ##@ General
 
 # The help target prints out all targets with their descriptions organized
@@ -71,13 +96,21 @@ run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 
 .PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
-	docker build -t ${IMG} .
+docker-build: binaries ## Build docker image with the manager.
+	docker build --platform linux/${TARGETARCH} ${BUILD_ARGS} -t ${IMG} .
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	docker push ${IMG}
 
+.PHONY: docker
+docker: binaries docker-build docker-push ## Build & push docker image with the manager.
+
+.PHONY: docker-build-dev
+docker-build-dev: binaries ## Build & push docker dev image with the manager.
+	docker build -f ./Dockerfile.dev -t ${IMG} .
+	docker push ${IMG}
+
 ##@ Deployment
 
 ifndef ignore-not-found
@@ -142,4 +175,17 @@ release: manifests kustomize ## Builds the manifests to publish with a release.
 # revert the values back to development ones 
 	sed -i'' -e 's@image: .*@image: docker.io/loftsh/cluster-api-provider-vcluster:main@' ./config/default/manager_image_patch.yaml
 	sed -i'' -e 's@imagePullPolicy: '"$(PULL_POLICY)"'@imagePullPolicy: IfNotPresent@' ./config/default/manager_pull_policy_patch.yaml
-	sed -i'' -e 's@name: $${CLUSTER_ROLE:=cluster-admin}@name: cluster-admin@' ./config/rbac/provider_role_binding.yaml
+	sed -i'' -e 's@name: $${CLUSTER_ROLE:=cluster-admin}@name: cluster-admin@' ./config/rbac/provider_role_binding.yaml
+
+##@ Binaries
+
+.PHONY: binaries
+binaries: download-chart ## Download binaries
+
+HELM=$(BIN_DIR)/helm-$(GOOS)-$(GOARCH)
+
+.PHONY: download-chart
+download-chart: bin-dir ## Download vcluster chart
+	helm repo add loft https://charts.loft.sh
+	helm pull loft/vcluster --version $(VCLUSTER_CHART_VERSION) -d $(CHARTS_DIR)
+	helm pull loft/vcluster-k8s --version $(VCLUSTER_CHART_VERSION) -d $(CHARTS_DIR)

PROJECT

@@ -13,4 +13,8 @@ resources:
   kind: VCluster
   path: github.com/loft-sh/cluster-api-provider-vcluster/api/v1alpha1
   version: v1alpha1
+  webhooks:
+    defaulting: true
+    validation: true
+    webhookVersion: v1
 version: "3"