From 3db3dcbe05ec203982263986ac58605cf14f8e50 Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Wed, 29 Mar 2023 10:25:50 -0600 Subject: [PATCH 01/39] doc: update readme sample code to use v0.4.0 (#286) Update readme and quick start documentation to use version v0.4.0 --- README.md | 2 +- docs/quick-start.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2ae702f6..6a0e595b 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ Run the following command to install the cloud sql proxy operator into your kubernetes cluster: ```shell -kubectl apply -f https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.3.0/cloud-sql-proxy-operator.yaml +kubectl apply -f https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.4.0/cloud-sql-proxy-operator.yaml ``` Confirm that the operator is installed and running by listing its pods: diff --git a/docs/quick-start.md b/docs/quick-start.md index dfe28539..e8f39e96 100644 --- a/docs/quick-start.md +++ b/docs/quick-start.md @@ -20,7 +20,7 @@ Run the following command to install the cloud sql proxy operator into your kubernetes cluster: ```shell -curl https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.3.0/install.sh | bash +curl https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.4.0/install.sh | bash ``` This will use `helm` to install the `cert-manager` operator, a prerequisite. Then From 5d55abb4f39e3fbbfae2fe5394ac021423438508 Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Wed, 29 Mar 2023 10:31:44 -0600 Subject: [PATCH 02/39] ci: fix the release build job so that it downloads licenses. (#285) The release job needs to download the license files before running the docker build. --- .build/release.yaml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/.build/release.yaml b/.build/release.yaml index e0980132..a800e960 100644 --- a/.build/release.yaml +++ b/.build/release.yaml @@ -16,6 +16,12 @@ # Run this from your dev environment: # gcloud builds submit --project=cloud-sql-connectors --config=.build/release.yaml --substitutions=_TEST_BUILD_ID=0000-dirty-$(date "+%s") steps: + - name: 'golang:1.20' + entrypoint: bash + args: + - '-c' + - 'go run github.com/google/go-licenses@v1.6.0 save --save_path ThirdPartyLicenses .' + id: 'download-licenses' - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk' entrypoint: bash args: From dc9bada57dfa79208a68e5532a9d2dba0fda0b63 Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Thu, 30 Mar 2023 20:35:30 -0600 Subject: [PATCH 03/39] chore: omit yaml files in .github/workflows from yaml fmt. (#291) Don't run yaml_fmt on .github/workflows. This is unnecessary and makes the code harder to read. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index d668d39e..56bcb039 100644 --- a/Makefile +++ b/Makefile @@ -125,7 +125,7 @@ go_fmt: # Automatically formats go files go run golang.org/x/tools/cmd/goimports@latest -w . yaml_fmt: # Automatically formats all yaml files - go run github.com/UltiRequiem/yamlfmt@latest -w $(shell find . -iname '*.yaml' -or -iname '*.yml' | grep -v -e '^./bin/') + go run github.com/UltiRequiem/yamlfmt@latest -w $(shell find . -iname '*.yaml' -or -iname '*.yml' | grep -v -e '^./bin/' | grep -v -e '^./.github/workflows/') .PHONY: add_copyright_header add_copyright_header: # Add the copyright header From 84394a26dd620ce1ab347d0975011712b7be6c23 Mon Sep 17 00:00:00 2001 From: Jack Wotherspoon Date: Fri, 31 Mar 2023 13:28:15 -0400 Subject: [PATCH 04/39] ci: add scorecard action (#289) --- .github/workflows/scorecard.yml | 70 +++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/scorecard.yml 
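Review bot: The new `download-licenses` step pulls `golang:1.20` by mutable tag while the tool it runs is pinned to `go-licenses@v1.6.0`; since the saved `ThirdPartyLicenses` directory ends up in the release image, the builder image is part of the release supply chain too and should be pinned by digest, e.g. `- name: 'golang:1.20@sha256:<digest>'`. go-licenses resolves module sources over the network at build time, so a fetch failure fails the release rather than shipping an incomplete license set, which looks like the intended behaviour and is worth stating in a comment above the step, e.g. `# Fetches third-party licenses into ThirdPartyLicenses/ before the docker build; a failure here must fail the release.`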
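Review bot: The edited `yaml_fmt` recipe still resolves `github.com/UltiRequiem/yamlfmt@latest` on every run, so the formatter that rewrites every YAML file in the tree (workflows now excluded) is whatever that module publishes on the day; pin it the way `.build/release.yaml` pins `go-licenses`, e.g. `go run github.com/UltiRequiem/yamlfmt@<version> -w $(shell find . ...)`. The new `grep -v -e '^./.github/workflows/'` uses unescaped dots, which is harmless here but `'^\./\.github/workflows/'` states the intent exactly.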
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..f07b2c4b
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,70 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: OSSF Scorecard
+on:
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  schedule:
+    # weekly on Sunday
+    - cron: '0 20 * * 0'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+      - name: Filter SARIF to skip false positives
+        # filter out DangerousWorkflow alerts as they do not account for safe use of labels to trigger actions
+        env:
+          SCORECARD_SKIPPED_RULE_IDS: "DangerousWorkflowID"
+        run: |
+          SCORECARD_SKIPPED_RULE_IDS_JSON=$(echo $SCORECARD_SKIPPED_RULE_IDS | jq -cR 'split(",")')
+          # Trim the SARIF file to remove false positive detections
+          cat results.sarif | jq '.runs[].results |= map(select(.ruleId as $id | '$SCORECARD_SKIPPED_RULE_IDS_JSON' | all($id != .)))' > resultsFiltered.sarif
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9
+        with:
+          sarif_file: resultsFiltered.sarif

From e2f4057de4588bd89249cad13f5e8ab422a7fa7e Mon Sep 17 00:00:00 2001
From: Jack Wotherspoon
Date: Fri, 31 Mar 2023 17:35:28 -0400
Subject: [PATCH 05/39] ci: add codeql action (#288)

Co-authored-by: Jonathan Hess (he/him) <103529393+hessjcg@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 76 ++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..391273e8
--- /dev/null
+++ b/.github/workflows/codeql.yml
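Review bot: The `Filter SARIF to skip false positives` step drops every `DangerousWorkflowID` finding repository-wide, not only the label-gated `pull_request_target` checkouts it is meant to excuse, so a future workflow that checks out or runs fork code without the label gate would be silently hidden from the code-scanning dashboard. The unfiltered `results.sarif` is still uploaded as an artifact (5-day retention), so the raw findings remain reviewable there, but nothing points a reader at that; extend the step comment to say so, e.g. `# NOTE: this hides ALL DangerousWorkflow results, not just the label-gated ones; check the unfiltered results.sarif artifact when adding a pull_request_target workflow.` The `cat results.sarif | jq ...` could read the file directly (`jq '...' results.sarif > resultsFiltered.sarif`), which is a style nit.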
@@ -0,0 +1,76 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+  pull_request_target:
+    types: [labeled]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analyze:
+    if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Setup Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: "1.20"
+        if: ${{ matrix.language == 'go' }}
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9
+        with:
+          languages: ${{ matrix.language }}
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
+ # If this step fails, then you should remove it and run the build manually + - name: Autobuild + uses: github/codeql-action/autobuild@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9 + with: + category: "/language:${{matrix.language}}" From 4ee0bc8dea526f0d4253d2ae12bf2e4f36a92bbe Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Sat, 1 Apr 2023 22:44:59 +0100 Subject: [PATCH 06/39] chore(deps): update module sigs.k8s.io/controller-runtime to v0.14.6 open --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 59c069f7..33c81c19 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( k8s.io/api v0.26.3 k8s.io/apimachinery v0.26.3 k8s.io/client-go v0.26.3 - sigs.k8s.io/controller-runtime v0.14.4 + sigs.k8s.io/controller-runtime v0.14.6 sigs.k8s.io/yaml v1.3.0 ) diff --git a/go.sum b/go.sum index 56262714..5f207d36 100644 --- a/go.sum +++ b/go.sum 
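Review bot: On the `pull_request_target` trigger the `Checkout repository` step checks out the fork's `head.sha` and `Autobuild` then builds that untrusted tree, but the checkout does not set `persist-credentials: false` (the scorecard workflow in this same series does), so the job token — which here carries `security-events: write` — is left in `.git/config` where the PR's build can read it; add `persist-credentials: false` under the checkout's `with:`. A plain `go build` does not normally run arbitrary code, but `go.mod` directives and cgo flags in the PR do influence the build, so the `tests: run` label gate on `if:` is the only control and is worth stating in a comment above the job. `paths-ignore` is set for `pull_request` and `pull_request_target` but not for `push`, which may be intentional (always scan main) — confirm.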
@@ -604,8 +604,8 @@ k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.14.4 h1:Kd/Qgx5pd2XUL08eOV2vwIq3L9GhIbJ5Nxengbd4/0M= -sigs.k8s.io/controller-runtime v0.14.4/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= +sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= +sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= From 0b4def90193842986bcf05ba387169f855f0e3c5 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Sat, 1 Apr 2023 23:10:03 +0100 Subject: [PATCH 07/39] chore(deps): update terraform google to v4.59.0 open --- infra/permissions/main.tf | 2 +- infra/resources/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/permissions/main.tf b/infra/permissions/main.tf index b250c5e5..c3405887 100644 --- a/infra/permissions/main.tf +++ b/infra/permissions/main.tf @@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.58.0" + version = "4.59.0" } } } diff --git a/infra/resources/main.tf b/infra/resources/main.tf index 1a642b04..17194aed 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.58.0" + version = "4.59.0" } google-beta = { source = "hashicorp/google-beta" 
From 46d1bc4493b024232e50b6aba55f378e59bfeb30 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Sat, 1 Apr 2023 23:25:43 +0100 Subject: [PATCH 08/39] chore(deps): update terraform google-beta to v4.59.0 open --- infra/resources/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/resources/main.tf b/infra/resources/main.tf index 17194aed..8b6cf449 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -22,7 +22,7 @@ terraform { } google-beta = { source = "hashicorp/google-beta" - version = "4.58.0" + version = "4.59.0" } } } From cbb593841988c5af4ae54be46b19e135722256b0 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Sat, 1 Apr 2023 23:41:31 +0100 Subject: [PATCH 09/39] chore(deps): update module github.com/go-logr/logr to v1.2.4 open --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 33c81c19..8c523b09 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/GoogleCloudPlatform/cloud-sql-proxy-operator go 1.20 require ( - github.com/go-logr/logr v1.2.3 + github.com/go-logr/logr v1.2.4 go.uber.org/zap v1.24.0 k8s.io/api v0.26.3 k8s.io/apimachinery v0.26.3 diff --git a/go.sum b/go.sum index 5f207d36..007b1a12 100644 --- a/go.sum +++ b/go.sum 
@@ -84,8 +84,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= -github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= From 118797811b489bf9bf58e8b67282a90a3882c9d3 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Sat, 1 Apr 2023 23:50:28 +0100 Subject: [PATCH 10/39] chore(deps): update dependency hashicorp/terraform to v1.4.4 open --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 56bcb039..05c060f3 100644 --- a/Makefile +++ b/Makefile @@ -437,7 +437,7 @@ CRD_REF_DOCS ?= $(LOCALBIN)/crd-ref-docs # additional whitespace will break the renovate regex rules. KUBECTL_VERSION=v1.26.3# renovate datasource=github-tags depName=kubernetes/kubernetes -TERRAFORM_VERSION=v1.4.2# renovate datasource=github-tags depName=hashicorp/terraform +TERRAFORM_VERSION=v1.4.4# renovate datasource=github-tags depName=hashicorp/terraform CONTROLLER_TOOLS_VERSION=v0.11.3# renovate datasource=go depName=sigs.k8s.io/controller-tools CRD_REF_DOCS_VERSION=v0.0.8# renovate datasource=go depName=github.com/elastic/crd-ref-docs From ab5961fa1a35fce15cb828bf57f7fd5272cfbee9 Mon Sep 17 00:00:00 2001 
From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Tue, 11 Apr 2023 09:55:37 -0600 Subject: [PATCH 11/39] ci: setup periodic and continuous test builds (#273) Co-authored-by: Jack Wotherspoon --- .github/workflows/tests-main.yaml | 76 +++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 .github/workflows/tests-main.yaml diff --git a/.github/workflows/tests-main.yaml b/.github/workflows/tests-main.yaml new file mode 100644 index 00000000..92b8a422 --- /dev/null +++ b/.github/workflows/tests-main.yaml 
@@ -0,0 +1,76 @@ +# Copyright 2023 Google LLC + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: tests-main +on: # at 5:10 UTC every day and on each push to main + schedule: + - cron: "10 5 * * *" + push: + branches: + - 'main' +permissions: read-all +jobs: + unit: + name: unit tests + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + - name: Setup Go + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + with: + go-version: '1.20' + - name: Set up build.env with phony secrets. + run: cp build.sample.env build.env + - name: Verify no changes from code generation. + run: "make generate \nif ! git diff --exit-code --quiet ; then \n echo\n echo\n git diff --stat \"HEAD\"\n echo\n echo\n echo 'ERROR: Lint tools caused changes to the working dir. 
'\n exit 1\nfi\n" + - name: make test + run: make test + e2e: + name: e2e tests + runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' + steps: + - name: Checkout code + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 #v3.5.0 + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0 + with: + workload_identity_provider: ${{ secrets.PROVIDER_NAME }} + service_account: ${{ secrets.SERVICE_ACCOUNT }} + access_token_lifetime: 600s + project_id: ${{ secrets.GOOGLE_CLOUD_PROJECT }} + create_credentials_file: true + - name: 'Set up Cloud SDK' + uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 + - name: 'Setup Go' + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + with: + go-version: '1.20' + - name: Set up QEMU + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 + - id: 'e2e' + name: 'Run E2E Tests' + run: "./tools/e2e_test_job.sh" + env: + ENVIRONMENT_NAME: "ci-main" + NODEPOOL_SERVICEACCOUNT_EMAIL: "${{secrets.NODEPOOL_SERVICEACCOUNT_EMAIL}}" + WORKLOAD_ID_SERVICEACCOUNT_EMAIL: "${{secrets.WORKLOAD_ID_SERVICEACCOUNT_EMAIL}}" + TFSTATE_STORAGE_BUCKET: "${{secrets.TFSTATE_STORAGE_BUCKET}}" + E2E_PROJECT_ID: "${{secrets.GOOGLE_CLOUD_PROJECT}}" From 221c3008e26b12e7c50af6acaf000df4575b9899 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 11 Apr 2023 21:13:53 +0100 Subject: [PATCH 12/39] chore(deps): update terraform google to v4.61.0 open --- infra/permissions/main.tf | 2 +- infra/resources/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/permissions/main.tf b/infra/permissions/main.tf index c3405887..dddb3be6 100644 --- a/infra/permissions/main.tf +++ b/infra/permissions/main.tf 
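Review bot: The `Verify no changes from code generation.` step packs a nine-line shell script into one double-quoted scalar with `\n` escapes and `\"` quoting, which is hard to read and easy to break; write it as a `run: |` block scalar. The error text says `Lint tools caused changes` while the step runs `make generate`, so the message should name code generation. The rest of the e2e job (WIF auth with a 600s token, `create_credentials_file: true`) runs only on `main` and on the schedule, which is appropriate for a job holding cloud credentials.
```yaml
      - name: Verify no changes from code generation.
        run: |
          make generate
          if ! git diff --exit-code --quiet ; then
            echo
            git diff --stat "HEAD"
            echo
            echo 'ERROR: make generate caused changes to the working dir.'
            exit 1
          fi
      # … unchanged: make test step …
```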
@@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.59.0" + version = "4.61.0" } } } diff --git a/infra/resources/main.tf b/infra/resources/main.tf index 8b6cf449..075a1f10 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.59.0" + version = "4.61.0" } google-beta = { source = "hashicorp/google-beta" From 27761e6b154e91e5f9b0fc9f3ac7dfbb1aa01b82 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Wed, 12 Apr 2023 03:00:14 +0100 Subject: [PATCH 13/39] chore(deps): update terraform google-beta to v4.61.0 open --- infra/resources/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/resources/main.tf b/infra/resources/main.tf index 075a1f10..37b07ac1 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -22,7 +22,7 @@ terraform { } google-beta = { source = "hashicorp/google-beta" - version = "4.59.0" + version = "4.61.0" } } } From 464daa299a05d3c4290665b07d723bd78e2bdf05 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Wed, 12 Apr 2023 03:10:46 +0100 Subject: [PATCH 14/39] chore(deps): update github/codeql-action action to v2.2.11 open --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 391273e8..90af8ffc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -61,16 +61,16 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9 + uses: github/codeql-action/init@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 with: languages: ${{ matrix.language }} # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually - name: Autobuild - uses: github/codeql-action/autobuild@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9 + uses: github/codeql-action/autobuild@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9 + uses: github/codeql-action/analyze@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f07b2c4b..c1644711 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -65,6 +65,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9 + uses: github/codeql-action/upload-sarif@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 with: sarif_file: resultsFiltered.sarif From c3c36a441130ee72835445dd3db1bc68bd09f29e Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Wed, 12 Apr 2023 16:57:15 +0100 Subject: [PATCH 15/39] chore(deps): update dependency cert-manager/cert-manager to v1.11.1 open --- Makefile | 2 +- installer/install.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 05c060f3..145779cf 100644 --- a/Makefile +++ b/Makefile 
@@ -54,7 +54,7 @@ SHELL = /usr/bin/env bash -o pipefail .SHELLFLAGS = -ec ## The version to use for the cert-manager operator -CERT_MANAGER_VERSION=v1.11.0# renovate datasource=github-tags depName=cert-manager/cert-manager +CERT_MANAGER_VERSION=v1.11.1# renovate datasource=github-tags depName=cert-manager/cert-manager ##@ General diff --git a/installer/install.sh b/installer/install.sh index 549376e1..116c93bd 100644 --- a/installer/install.sh +++ b/installer/install.sh @@ -19,8 +19,8 @@ set -euxo # exit 1 from the script when command fails # If CSQL_OPERATOR_VERSION is not set, use the release version: v0.4.0. CSQL_OPERATOR_VERSION="${CSQL_OPERATOR_VERSION:-v0.4.0}" -# If CSQL_CERT_MANAGER_VERSION is not set, use the default: v1.11.0. -CSQL_CERT_MANAGER_VERSION="${CSQL_CERT_MANAGER_VERSION:-v1.11.0}" +# If CSQL_CERT_MANAGER_VERSION is not set, use the default: v1.11.1. +CSQL_CERT_MANAGER_VERSION="${CSQL_CERT_MANAGER_VERSION:-v1.11.1}" # If CSQL_OPERATOR_URL is not set, use the default value from the CSQL_OPERATOR_VERSION CSQL_OPERATOR_URL="${CSQL_OPERATOR_URL:-https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/$CSQL_OPERATOR_VERSION/cloud-sql-proxy-operator.yaml}" From c25a8ee1c97c976bbc31f006f74d00887177fe63 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Wed, 12 Apr 2023 17:07:37 +0100 Subject: [PATCH 16/39] chore(deps): update dependency kubernetes/kubernetes to v1.27.0 open --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 145779cf..e6fda947 100644 --- a/Makefile +++ b/Makefile 
@@ -436,7 +436,7 @@ CRD_REF_DOCS ?= $(LOCALBIN)/crd-ref-docs # Important note: avoid adding spaces in the macro declarations as any # additional whitespace will break the renovate regex rules. -KUBECTL_VERSION=v1.26.3# renovate datasource=github-tags depName=kubernetes/kubernetes +KUBECTL_VERSION=v1.27.0# renovate datasource=github-tags depName=kubernetes/kubernetes TERRAFORM_VERSION=v1.4.4# renovate datasource=github-tags depName=hashicorp/terraform CONTROLLER_TOOLS_VERSION=v0.11.3# renovate datasource=go depName=sigs.k8s.io/controller-tools From be5e03acd8b7927f4fffee03fb44931d9de04e38 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Wed, 12 Apr 2023 18:16:51 +0100 Subject: [PATCH 17/39] chore(deps): update actions/checkout action to v3.5.1 open --- .github/workflows/codeql.yml | 2 +- .github/workflows/scorecard.yml | 2 +- .github/workflows/tests-main.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 90af8ffc..56ea3c05 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1 with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index c1644711..0cc0784d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -35,7 +35,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1 with: persist-credentials: false diff --git a/.github/workflows/tests-main.yaml b/.github/workflows/tests-main.yaml index 92b8a422..2f001abe 100644 
--- a/.github/workflows/tests-main.yaml +++ b/.github/workflows/tests-main.yaml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1 - name: Setup Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: @@ -45,7 +45,7 @@ jobs: id-token: 'write' steps: - name: Checkout code - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 #v3.5.0 + uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1 - id: 'auth' name: 'Authenticate to Google Cloud' uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0 From 83f6190f9d791a9e81bf6ec1df5a1a8510c61edb Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Wed, 12 Apr 2023 21:29:56 +0100 Subject: [PATCH 18/39] chore(deps): update dependency hashicorp/terraform to v1.4.5 open --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index e6fda947..527f46d4 100644 --- a/Makefile +++ b/Makefile @@ -437,7 +437,7 @@ CRD_REF_DOCS ?= $(LOCALBIN)/crd-ref-docs # additional whitespace will break the renovate regex rules. KUBECTL_VERSION=v1.27.0# renovate datasource=github-tags depName=kubernetes/kubernetes -TERRAFORM_VERSION=v1.4.4# renovate datasource=github-tags depName=hashicorp/terraform +TERRAFORM_VERSION=v1.4.5# renovate datasource=github-tags depName=hashicorp/terraform CONTROLLER_TOOLS_VERSION=v0.11.3# renovate datasource=go depName=sigs.k8s.io/controller-tools CRD_REF_DOCS_VERSION=v0.0.8# renovate datasource=go depName=github.com/elastic/crd-ref-docs From cf01c262444bfeb7a33ddfd6b6de3f49cf403f60 Mon Sep 17 00:00:00 2001 
From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Wed, 12 Apr 2023 15:32:50 -0600 Subject: [PATCH 19/39] ci: change name of ci environment to 'ci-branch-main' to avoid terraform issues (#301) Terraform has a hard time tearing down and recreating whole environments when they are too far out of date. Instead, this starts a brand new environment named 'ci-branch-main'. Changing name as short-term fix, long-term fix we will want to dynamically change the env name. This work will be tracked by #302 --- .github/workflows/tests-main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-main.yaml b/.github/workflows/tests-main.yaml index 2f001abe..7ad97834 100644 --- a/.github/workflows/tests-main.yaml +++ b/.github/workflows/tests-main.yaml @@ -69,7 +69,7 @@ jobs: name: 'Run E2E Tests' run: "./tools/e2e_test_job.sh" env: - ENVIRONMENT_NAME: "ci-main" + ENVIRONMENT_NAME: "ci-branch-main" NODEPOOL_SERVICEACCOUNT_EMAIL: "${{secrets.NODEPOOL_SERVICEACCOUNT_EMAIL}}" WORKLOAD_ID_SERVICEACCOUNT_EMAIL: "${{secrets.WORKLOAD_ID_SERVICEACCOUNT_EMAIL}}" TFSTATE_STORAGE_BUCKET: "${{secrets.TFSTATE_STORAGE_BUCKET}}" From 57d4ae910b53371462c32393d0055d0eb236a9e4 Mon Sep 17 00:00:00 2001 From: Jack Wotherspoon Date: Thu, 13 Apr 2023 12:21:28 -0400 Subject: [PATCH 20/39] chore: pin actions to SHA and make workflows read-all (#304) --- .github/workflows/release-please-updates.yaml | 9 ++++-- .github/workflows/tests.yaml | 29 ++++++++++++------- 2 files changed, 25 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release-please-updates.yaml b/.github/workflows/release-please-updates.yaml index ca78add3..bc0e2499 100644 --- a/.github/workflows/release-please-updates.yaml +++ b/.github/workflows/release-please-updates.yaml 
@@ -16,18 +16,23 @@ name: Release PR
 on:
   pull_request:
     types: [opened, synchronize, reopened, labeled]
+# Declare default permissions as read only.
+permissions: read-all
 jobs:
   build:
     name: "Code Generation"
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     if: "${{ github.actor == 'release-please[bot]' }}"
     steps:
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: '1.20'
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index b60e7df8..23d11cc5 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -17,15 +17,20 @@ on:
   pull_request:
   pull_request_target:
     types: [labeled]
+# Declare default permissions as read only.
+permissions: read-all
 jobs:
   unit:
     if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
     name: unit tests
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: Remove PR Label
         if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
-        uses: actions/github-script@v6
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # v6.4.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
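Review bot: The `issues: write` / `pull-requests: write` grant on the `unit` job exists to let `Remove PR Label` work on `pull_request_target`, but job permissions cannot be scoped per step, so the same token stays live while the later steps check out and test the fork's code (those steps are in the next hunk). Moving the label removal into its own small job that runs first, and leaving `unit` at the default read-only permissions, keeps the write scope away from untrusted code; for the release-please workflow the grant is less exposed because `if: github.actor == 'release-please[bot]'` limits the job to bot-authored PRs. Either way a one-line comment above each `permissions:` block saying which step needs the write scope would make the least-privilege intent reviewable.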
@@ -40,11 +45,11 @@ jobs: console.log('Failed to remove label. Another job may have already removed it!'); } - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.20' - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} @@ -62,31 +67,33 @@ jobs: permissions: contents: 'read' id-token: 'write' + issues: write + pull-requests: write steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} - id: 'auth' - name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v1.0.0' + name: Authenticate to Google Cloud + uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0 with: workload_identity_provider: ${{ secrets.PROVIDER_NAME }} service_account: ${{ secrets.SERVICE_ACCOUNT }} access_token_lifetime: 600s project_id: ${{ secrets.GOOGLE_CLOUD_PROJECT }} create_credentials_file: true - - name: 'Set up Cloud SDK' - uses: 'google-github-actions/setup-gcloud@v1' + - name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 - name: 'Setup Go' - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.20' - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 - id: 'e2e' name: 'Run E2E Tests' run: "./tools/e2e_test_job.sh" 
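Review bot: The `issues: write` and `pull-requests: write` scopes added to the e2e job's `permissions` block are not used by any step visible in the hunk — the only label-management step (`Remove PR Label`) lives in the `unit` job — so they look copied across rather than required. This job runs under `pull_request_target`, checks out `github.event.pull_request.head.sha` from the PR author's repository and holds `id-token: write` for Google Cloud auth, so every extra token scope widens what fork-supplied code could do if the `tests: run` label gate is ever applied to an unreviewed PR; keep the job at `contents: read` plus `id-token: write` unless `tools/e2e_test_job.sh` posts to the PR. If the script does need them, a comment such as `# pull-requests: write — e2e_test_job.sh posts results to the PR` documents why. The job definition continues outside the hunk, so a later step may legitimately need them.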
From dce7922911b35a1f1ea893229e82d900c1a7a808 Mon Sep 17 00:00:00 2001 From: Eno Compton Date: Thu, 13 Apr 2023 10:28:56 -0600 Subject: [PATCH 21/39] chore: add labels (#306) Co-authored-by: Jack Wotherspoon --- .github/labels.yml | 71 +++++++++++++++++++++++++++++++++++ .github/workflows/labels.yaml | 31 +++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 .github/labels.yml create mode 100644 .github/workflows/labels.yaml diff --git a/.github/labels.yml b/.github/labels.yml new file mode 100644 index 00000000..a690a92a --- /dev/null +++ b/.github/labels.yml 
@@ -0,0 +1,71 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: duplicate + color: ededed + description: "" +- name: 'type: bug' + color: db4437 + description: Error or flaw in code with unintended results or allowing sub-optimal usage patterns. +- name: 'type: cleanup' + color: c5def5 + description: An internal cleanup or hygiene concern. +- name: 'type: docs' + color: 0000A0 + description: Improvement to the documentation for an API. +- name: 'type: feature request' + color: c5def5 + description: ‘Nice-to-have’ improvement, new feature or different behavior or design. +- name: 'type: process' + color: c5def5 + description: A process-related concern. May include testing, release, or the like. +- name: 'type: question' + color: c5def5 + description: Request for information or clarification. +- name: 'priority: p0' + color: b60205 + description: Highest priority. Critical issue. P0 implies highest priority. +- name: 'priority: p1' + color: ffa03e + description: Important issue which blocks shipping the next release. Will be fixed prior to next release. +- name: 'priority: p2' + color: fef2c0 + description: Moderately-important priority. Fix may not be included in next release. +- name: 'priority: p3' + color: ffffc7 + description: Desirable enhancement or fix. May not be included in next release. +- name: do not merge + color: d93f0b + description: Indicates a pull request not ready for merge, due to either quality or timing. 
+- name: 'autorelease: pending' + color: ededed + description: Release please needs to do its work on this. +- name: 'autorelease: triggered' + color: ededed + description: Release please has triggered a release for this. +- name: 'autorelease: tagged' + color: ededed + description: Release please has completed a release for this. +- name: 'tests: run' + color: 3DED97 + description: Label to trigger Github Action tests. +- name: 'flakybot: flaky' + color: 86d9d7 + description: Tells the Flaky Bot not to close or comment on this issue. +- name: 'flakybot: quiet' + color: 86d9d7 + description: Tells the Flaky Bot to comment less. +- name: 'flakybot: issue' + color: a9f9f7 + description: An issue filed by the Flaky Bot. Should not be added manually. diff --git a/.github/workflows/labels.yaml b/.github/workflows/labels.yaml new file mode 100644 index 00000000..9f08d6ad --- /dev/null +++ b/.github/workflows/labels.yaml @@ -0,0 +1,31 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Sync labels +on: + push: + branches: + - main + +# Declare default permissions as read only. +permissions: read-all + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From c9556233a361f981e7da3124a3d41aac331c98fe Mon Sep 17 00:00:00 2001 
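Review bot: `permissions: read-all` is the only permissions declaration in the new `.github/workflows/labels.yaml` and the `build` job has no override, so the `GITHUB_TOKEN` passed to `micnncim/action-label-syncer` carries no write access; creating, updating or deleting repository labels goes through the issues API and needs `issues: write`, so the sync will most likely fail on its first run. Grant it at job level rather than widening the workflow default: under `build:` add `permissions:` with `issues: write`. The label list in `.github/labels.yml` is data and needs no change.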
From: Jack Wotherspoon Date: Fri, 14 Apr 2023 09:50:36 -0400 Subject: [PATCH 22/39] chore: pin Dockerfile images to SHA (#309) --- Dockerfile | 2 +- Dockerfile-operator | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 04c44926..cc66a890 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,7 +14,7 @@ # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot +FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec # For multi-arch builds, use automatic platform build arguments # see https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope diff --git a/Dockerfile-operator b/Dockerfile-operator index c98c6bed..6f17b87f 100644 --- a/Dockerfile-operator +++ b/Dockerfile-operator @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Use the latest stable golang 1.x to compile to a binary +# Use the latest stable golang 1.20 to compile to a binary FROM --platform=$BUILDPLATFORM golang:1.20 as build WORKDIR /work @@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \ # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot +FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec # For multi-arch builds, use automatic platform build arguments # see https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope From d32c79dcf502b74ac05b39ffbc5791f19aa11c9f Mon Sep 17 00:00:00 2001 
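Review bot: Both `distroless/static:nonroot` references are now pinned by digest, but the build stage in `Dockerfile-operator` stays on the mutable tag (`FROM --platform=$BUILDPLATFORM golang:1.20 as build`, the context line whose comment this hunk edits), so the omission looks unintentional. The builder image is the toolchain that produces `/manager`, so for the commit's stated goal it matters at least as much as the runtime base; pin it the same way, `FROM --platform=$BUILDPLATFORM golang:1.20@sha256:<digest> as build`, with `<digest>` a placeholder to be copied from the registry. Renovate can keep both digests current once they are present.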
From: Mend Renovate Date: Tue, 18 Apr 2023 20:01:37 +0200 Subject: [PATCH 23/39] chore(deps): update actions/checkout action to v3.5.2 open --- .github/workflows/codeql.yml | 2 +- .github/workflows/labels.yaml | 2 +- .github/workflows/scorecard.yml | 2 +- .github/workflows/tests-main.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 56ea3c05..1882e820 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} diff --git a/.github/workflows/labels.yaml b/.github/workflows/labels.yaml index 9f08d6ad..8b5c74bb 100644 --- a/.github/workflows/labels.yaml +++ b/.github/workflows/labels.yaml @@ -25,7 +25,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 0cc0784d..99b69d0c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -35,7 +35,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: persist-credentials: false diff --git a/.github/workflows/tests-main.yaml b/.github/workflows/tests-main.yaml index 7ad97834..c7bf0044 100644 --- a/.github/workflows/tests-main.yaml +++ b/.github/workflows/tests-main.yaml 
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: @@ -45,7 +45,7 @@ jobs: id-token: 'write' steps: - name: Checkout code - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - id: 'auth' name: 'Authenticate to Google Cloud' uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0 From 9ded961a44c0e1dde28b7195ea098b2e24adf091 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 18 Apr 2023 20:11:55 +0200 Subject: [PATCH 24/39] chore(deps): update github/codeql-action action to v2.2.12 open --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1882e820..9b4fc0ab 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -61,16 +61,16 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 + uses: github/codeql-action/init@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12 with: languages: ${{ matrix.language }} # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually - name: Autobuild - uses: github/codeql-action/autobuild@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 + uses: github/codeql-action/autobuild@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 + uses: github/codeql-action/analyze@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 99b69d0c..71f007a9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -65,6 +65,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 + uses: github/codeql-action/upload-sarif@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12 with: sarif_file: resultsFiltered.sarif From de07f7b360ce47a8604dd128b6e2b5c212812263 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 18 Apr 2023 20:22:12 +0200 Subject: [PATCH 25/39] chore(deps): update actions/github-script action to v6.4.1 open --- .github/workflows/tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 23d11cc5..000b3309 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -30,7 +30,7 @@ jobs: steps: - name: Remove PR Label if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # v6.4.0 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | From 22d05541f39edee37d99da6f3adef6ca5580d847 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 18 Apr 2023 20:43:03 +0200 Subject: [PATCH 26/39] chore(deps): update dependency kubernetes/kubernetes to v1.27.1 open --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 527f46d4..949043e8 100644 --- a/Makefile +++ b/Makefile @@ -436,7 +436,7 @@ CRD_REF_DOCS ?= $(LOCALBIN)/crd-ref-docs # Important note: avoid adding spaces in the macro declarations as any # additional whitespace will break the renovate regex rules. -KUBECTL_VERSION=v1.27.0# renovate datasource=github-tags depName=kubernetes/kubernetes +KUBECTL_VERSION=v1.27.1# renovate datasource=github-tags depName=kubernetes/kubernetes TERRAFORM_VERSION=v1.4.5# renovate datasource=github-tags depName=hashicorp/terraform CONTROLLER_TOOLS_VERSION=v0.11.3# renovate datasource=go depName=sigs.k8s.io/controller-tools From b37def5979bde509f0b7a78ffd2b50e2b9cdfb21 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 18 Apr 2023 21:13:19 +0200 Subject: [PATCH 27/39] chore(deps): update terraform google to v4.62.0 open --- infra/permissions/main.tf | 2 +- infra/resources/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/permissions/main.tf b/infra/permissions/main.tf index dddb3be6..892b6fbd 100644 --- a/infra/permissions/main.tf +++ b/infra/permissions/main.tf @@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.61.0" + version = "4.62.0" } } } 
diff --git a/infra/resources/main.tf b/infra/resources/main.tf index 37b07ac1..dc7fe62a 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.61.0" + version = "4.62.0" } google-beta = { source = "hashicorp/google-beta" From 14181a456efd7e7c5c61d3baeb1379838d30ff09 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 18 Apr 2023 21:25:44 +0200 Subject: [PATCH 28/39] chore(deps): update terraform google-beta to v4.62.0 open --- infra/resources/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/resources/main.tf b/infra/resources/main.tf index dc7fe62a..1823ac98 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -22,7 +22,7 @@ terraform { } google-beta = { source = "hashicorp/google-beta" - version = "4.61.0" + version = "4.62.0" } } } From 207f63b06a96510f2c4c900b5e820ffda50bf602 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 18 Apr 2023 21:36:00 +0200 Subject: [PATCH 29/39] chore(deps): update google-github-actions/auth action to v1.1.0 open --- .github/workflows/tests-main.yaml | 2 +- .github/workflows/tests.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests-main.yaml b/.github/workflows/tests-main.yaml index c7bf0044..d10a8625 100644 --- a/.github/workflows/tests-main.yaml +++ b/.github/workflows/tests-main.yaml @@ -48,7 +48,7 @@ jobs: uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - id: 'auth' name: 'Authenticate to Google Cloud' - uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0 + uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # v1.1.0 with: workload_identity_provider: ${{ secrets.PROVIDER_NAME }} service_account: ${{ secrets.SERVICE_ACCOUNT }} diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 000b3309..134d4881 100644 
--- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -77,7 +77,7 @@ jobs: repository: ${{ github.event.pull_request.head.repo.full_name }} - id: 'auth' name: Authenticate to Google Cloud - uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0 + uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # v1.1.0 with: workload_identity_provider: ${{ secrets.PROVIDER_NAME }} service_account: ${{ secrets.SERVICE_ACCOUNT }} From f11ffeebc86857bcb047044ba0cda4b93b5a0358 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 18 Apr 2023 21:53:11 +0200 Subject: [PATCH 30/39] chore(deps): update gcr.io/cloud-sql-connectors/cloud-sql-proxy docker tag to v2.2.0 open --- internal/workload/podspec_updates.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go index b49ec8ff..7e650f52 100644 --- a/internal/workload/podspec_updates.go +++ b/internal/workload/podspec_updates.go @@ -39,7 +39,7 @@ const ( // DefaultProxyImage is the latest version of the proxy as of the release // of this operator. This is managed as a dependency. We update this constant // when the Cloud SQL Auth Proxy releases a new version. - DefaultProxyImage = "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.1.2" + DefaultProxyImage = "gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.2.0" // DefaultFirstPort is the first port number chose for an instance listener by the // proxy. From 4387e0132d8e02da872870d119fd766ecabdd398 Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Wed, 19 Apr 2023 08:55:24 -0600 Subject: [PATCH 31/39] doc: improve code comment in FindMatchingAuthProxyWorkloads (#308) Fixes #294 --- internal/workload/podspec_updates.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go index 7e650f52..25e5f211 100644 --- a/internal/workload/podspec_updates.go +++ b/internal/workload/podspec_updates.go @@ -169,7 +169,9 @@ var defaultContainerResources = corev1.ResourceRequirements{ // updates the workload's containers. This does not save the updated workload. func (u *Updater) FindMatchingAuthProxyWorkloads(pl *cloudsqlapi.AuthProxyWorkloadList, wl *PodWorkload, owners []Workload) []*cloudsqlapi.AuthProxyWorkload { - // if a wl has an owner, then ignore it. + // starting with this pod, traverse the pod and its owners, and + // fill wls with a list of workload resources that match an AuthProxyWorkload + // in the pl. wls := u.filterMatchingInstances(pl, wl.Object()) for _, owner := range owners { wls = append(wls, u.filterMatchingInstances(pl, owner.Object())...) From fbfa00444da0f310f52c61ed4665a5153bebe2c4 Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Wed, 19 Apr 2023 11:34:45 -0600 Subject: [PATCH 32/39] fix: The e2e k8s node pool version should match the master version (#319) This fixes a bug in the e2e test landscape where the latest node version reported by the GKE API is 1.26.* while the latest master version reported by the GKE API is 1.25.*. This mismatch in minor version caused an error. --- infra/permissions/main.tf | 10 ++++++++-- infra/resources/gke_cluster.tf | 2 +- infra/resources/private_gke_cluster.tf | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/infra/permissions/main.tf b/infra/permissions/main.tf index 892b6fbd..7ea39bba 100644 --- a/infra/permissions/main.tf +++ b/infra/permissions/main.tf 
@@ -27,16 +27,21 @@ terraform { provider "google" { user_project_override = true billing_project = var.project_id + project = var.project_id + region = var.gcloud_region + zone = var.gcloud_zone } # Enable gcloud project APIs locals { project_services = toset([ + "artifactregistry.googleapis.com", + "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "container.googleapis.com", - "artifactregistry.googleapis.com", "deploymentmanager.googleapis.com", "dns.googleapis.com", + "iam.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com", "oslogin.googleapis.com", @@ -48,7 +53,8 @@ locals { "servicenetworking.googleapis.com", "sql-component.googleapis.com", "sqladmin.googleapis.com", - "storage-api.googleapis.com"]) + "storage-api.googleapis.com" + ]) } resource "google_project_service" "project" { diff --git a/infra/resources/gke_cluster.tf b/infra/resources/gke_cluster.tf index f20e218d..f70fb2e8 100644 --- a/infra/resources/gke_cluster.tf +++ b/infra/resources/gke_cluster.tf @@ -49,7 +49,7 @@ resource "google_container_node_pool" "primary_preemptible_nodes" { name = "operator-test-nodes-${var.environment_name}" cluster = google_container_cluster.primary.id initial_node_count = var.workers_count - version = data.google_container_engine_versions.supported.latest_node_version + version = data.google_container_engine_versions.supported.latest_master_version location = var.gcloud_zone autoscaling { diff --git a/infra/resources/private_gke_cluster.tf b/infra/resources/private_gke_cluster.tf index ff1c8617..b61e4f10 100644 --- a/infra/resources/private_gke_cluster.tf +++ b/infra/resources/private_gke_cluster.tf 
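Review bot: `version` on the `primary_preemptible_nodes` pool now reads `data.google_container_engine_versions.supported.latest_master_version`, which couples the pool to whatever the GKE API reports at plan time rather than to the version the cluster actually runs; `google_container_cluster.primary` is outside the hunk, so I cannot confirm the two agree. If the cluster is created from the same data source the fix works today, but each newly published version may make Terraform plan an upgrade of the pool, and GKE still rejects a node version newer than the master. `version = google_container_cluster.primary.master_version` ties the pool to the cluster it belongs to and removes the mismatch by construction. The same applies to `private_preemptible_nodes` in `infra/resources/private_gke_cluster.tf`.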
@@ -47,7 +47,7 @@ resource "google_container_node_pool" "private_preemptible_nodes" { name = "operator-private-nodes-${var.environment_name}" cluster = google_container_cluster.private.id initial_node_count = var.workers_count - version = data.google_container_engine_versions.supported.latest_node_version + version = data.google_container_engine_versions.supported.latest_master_version location = var.gcloud_zone autoscaling { From 548a9222d54b6c85dd45dc5983beebac5e7f08ef Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Thu, 20 Apr 2023 10:01:32 -0600 Subject: [PATCH 33/39] feat: Make proxy container healthchecks more resilient. (#321) This brings the healthchecks added to the proxy container in line with the recommendations in the cloud-sql-proxy healthcheck docs. --- internal/workload/podspec_updates.go | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go index 25e5f211..0f7652d6 100644 --- a/internal/workload/podspec_updates.go +++ b/internal/workload/podspec_updates.go @@ -741,21 +741,18 @@ func (s *updateState) addHealthCheck(p *cloudsqlapi.AuthProxyWorkload, c *corev1 Port: intstr.IntOrString{IntVal: port}, Path: "/startup", }}, - PeriodSeconds: 30, - } - c.ReadinessProbe = &corev1.Probe{ - ProbeHandler: corev1.ProbeHandler{HTTPGet: &corev1.HTTPGetAction{ - Port: intstr.IntOrString{IntVal: port}, - Path: "/readiness", - }}, - PeriodSeconds: 30, + PeriodSeconds: 1, + FailureThreshold: 60, + TimeoutSeconds: 10, } c.LivenessProbe = &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{HTTPGet: &corev1.HTTPGetAction{ Port: intstr.IntOrString{IntVal: port}, Path: "/liveness", }}, - PeriodSeconds: 30, + PeriodSeconds: 10, + FailureThreshold: 3, + TimeoutSeconds: 10, } // Add a port that is associated with the proxy, but not a specific db instance s.addProxyPort(port, p) 
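Review bot: The readiness probe on `/readiness` is dropped entirely rather than re-tuned, so after startup nothing reports the proxy's connectivity state to the pod's Ready condition; the liveness probe on `/liveness` restarts the container on failure but does not take the pod out of Service endpoints. If that is intentional (as I understand kubelet, the startup probe already holds readiness until `/startup` passes), a comment would keep the next reader from adding it back, e.g. `// No readiness probe: the startup probe gates initial readiness; liveness handles the rest.`; if not, a `ReadinessProbe` with the same period and threshold as liveness belongs here. The new constants also deserve a comment: `PeriodSeconds: 1` with `FailureThreshold: 60` is a 60-second startup budget, and `TimeoutSeconds: 10` exceeds the period, so a hanging `/startup` delays probing rather than failing fast. `addHealthCheck` starts before the hunk.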
From dc8911e3a0db5e32bc4c611ddbdcb875dbcc51e3 Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Thu, 20 Apr 2023 11:07:43 -0600 Subject: [PATCH 34/39] feat: Improve security posture of proxy containers. (#322) This adds additional controls on the security context for pod containers to address these common k8s security best practices: - Run as a non-root user - Mount container's root filesystem as read only - Restrict Container from acquiring additional privileges --- internal/workload/podspec_updates.go | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go index 0f7652d6..6532970b 100644 --- a/internal/workload/podspec_updates.go +++ b/internal/workload/podspec_updates.go @@ -482,7 +482,7 @@ func (s *updateState) update(wl *PodWorkload, matches []*cloudsqlapi.AuthProxyWo inst := matches[i] newContainer := corev1.Container{} - s.updateContainer(inst, wl, &newContainer) + s.updateContainer(inst, &newContainer) containers = append(containers, newContainer) // Add pod annotation for each instance @@ -515,9 +515,7 @@ func (s *updateState) update(wl *PodWorkload, matches []*cloudsqlapi.AuthProxyWo } // updateContainer Creates or updates the proxy container in the workload's PodSpec -func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, wl Workload, c *corev1.Container) { - l.Info("Updating wl {{wl}}, no update needed.", "name", client.ObjectKeyFromObject(wl.Object())) - +func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, c *corev1.Container) { // if the c was fully overridden, just use that c. if p.Spec.AuthProxyContainer != nil && p.Spec.AuthProxyContainer.Container != nil { p.Spec.AuthProxyContainer.Container.DeepCopyInto(c) 
@@ -629,8 +627,19 @@ func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, wl Workl // applyContainerSpec applies settings from cloudsqlapi.AuthProxyContainerSpec // to the container func (s *updateState) applyContainerSpec(p *cloudsqlapi.AuthProxyWorkload, c *corev1.Container) { + t := true + var f bool c.Image = s.defaultProxyImage() c.Resources = defaultContainerResources + c.SecurityContext = &corev1.SecurityContext{ + // The default Cloud SQL Auth Proxy image runs as the + // "nonroot" user and group (uid: 65532) by default. + RunAsNonRoot: &t, + // Use a read-only filesystem + ReadOnlyRootFilesystem: &t, + // Do not allow privilege escalation + AllowPrivilegeEscalation: &f, + } if p.Spec.AuthProxyContainer == nil { return From 4252f3181b623d17e5cd1b49764cb29aa7ca7539 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Mon, 24 Apr 2023 21:56:39 +0200 Subject: [PATCH 35/39] chore(deps): update terraform google to v4.63.0 open --- infra/permissions/main.tf | 2 +- infra/resources/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/permissions/main.tf b/infra/permissions/main.tf index 7ea39bba..158caba2 100644 --- a/infra/permissions/main.tf +++ b/infra/permissions/main.tf @@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.62.0" + version = "4.63.0" } } } diff --git a/infra/resources/main.tf b/infra/resources/main.tf index 1823ac98..ed5a86a4 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "4.62.0" + version = "4.63.0" } google-beta = { source = "hashicorp/google-beta" From 10b5a1cf6f4dafc5008282ec4559baa4b268efb9 Mon Sep 17 00:00:00 2001 
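Review bot: The new `SecurityContext` sets `RunAsNonRoot`, `ReadOnlyRootFilesystem` and `AllowPrivilegeEscalation` but leaves capabilities and seccomp unset, so a pod using the default proxy container still does not satisfy the `restricted` Pod Security Standard, which additionally requires all capabilities dropped and a `RuntimeDefault` (or `Localhost`) seccomp profile. Both fit in the existing literal: `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},` and `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},`. The comment on `RunAsNonRoot` could add that kubelet can only verify the claim when the image's USER is numeric, which the distroless `:nonroot` tag satisfies but a user-supplied image might not; and `f := false` states the intent more plainly than `var f bool`. `applyContainerSpec` continues past the hunk, so check that the override path below does not replace the whole `SecurityContext` silently.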
From: Mend Renovate Date: Mon, 24 Apr 2023 22:07:01 +0200 Subject: [PATCH 36/39] chore(deps): update terraform google-beta to v4.63.0 open --- infra/resources/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/resources/main.tf b/infra/resources/main.tf index ed5a86a4..85411f84 100644 --- a/infra/resources/main.tf +++ b/infra/resources/main.tf @@ -22,7 +22,7 @@ terraform { } google-beta = { source = "hashicorp/google-beta" - version = "4.62.0" + version = "4.63.0" } } } From 78872207146bbd98d1e4e8eec26d6f6fec64b0f4 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 25 Apr 2023 19:56:41 +0200 Subject: [PATCH 37/39] chore(deps): update github/codeql-action action to v2.3.0 open --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9b4fc0ab..c7fedfb1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -61,16 +61,16 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12 + uses: github/codeql-action/init@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 with: languages: ${{ matrix.language }} # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually - name: Autobuild - uses: github/codeql-action/autobuild@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12 + uses: github/codeql-action/autobuild@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12 + uses: github/codeql-action/analyze@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 with: category: "/language:${{matrix.language}}" 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 71f007a9..d8e7e426 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -65,6 +65,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12 + uses: github/codeql-action/upload-sarif@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 with: sarif_file: resultsFiltered.sarif From 5aeb27b100ca186bf74c4952a9252718cd43b60b Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Wed, 26 Apr 2023 10:51:58 -0600 Subject: [PATCH 38/39] chore: Prepare release 0.5.0 (#327) Release-As: 0.5.0 From b0730337b68b5793bd7b40b152e9c4dd681bdd53 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Wed, 26 Apr 2023 15:36:32 -0600 Subject: [PATCH 39/39] chore(main): release 0.5.0 (#320) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Jonathan Hess --- CHANGELOG.md | 18 ++++++++++++++++++ README.md | 2 +- docs/quick-start.md | 2 +- installer/cloud-sql-proxy-operator.yaml | 2 +- installer/install.sh | 4 ++-- version.txt | 2 +- 6 files changed, 24 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1c2cd13..c17a7df6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,23 @@ # Changelog +## [0.5.0](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/compare/v0.4.0...v0.5.0) (2023-04-26) + + +### Features + +* Improve security posture of proxy containers. ([#322](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/322)) ([dc8911e](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/dc8911e3a0db5e32bc4c611ddbdcb875dbcc51e3)) +* Make proxy container healthchecks more resilient. ([#321](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/321)) ([548a922](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/548a9222d54b6c85dd45dc5983beebac5e7f08ef)) + + +### Bug Fixes + +* The e2e k8s node pool version should match the master version ([#319](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/319)) ([fbfa004](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/fbfa00444da0f310f52c61ed4665a5153bebe2c4)) + + +### Miscellaneous Chores + +* Prepare release 0.5.0 ([#327](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/issues/327)) ([5aeb27b](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/commit/5aeb27b100ca186bf74c4952a9252718cd43b60b)) + ## [0.4.0](https://github.com/GoogleCloudPlatform/cloud-sql-proxy-operator/compare/v0.3.0...v0.4.0) (2023-03-28) diff --git a/README.md b/README.md index 6a0e595b..53118638 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ Run the following command to install the cloud sql proxy operator into your kubernetes cluster: ```shell -kubectl apply -f https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.4.0/cloud-sql-proxy-operator.yaml +kubectl apply -f https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.5.0/cloud-sql-proxy-operator.yaml ``` Confirm that the operator is installed and running by listing its pods: 
diff --git a/docs/quick-start.md b/docs/quick-start.md index e8f39e96..fdc629ca 100644 --- a/docs/quick-start.md +++ b/docs/quick-start.md @@ -20,7 +20,7 @@ Run the following command to install the cloud sql proxy operator into your kubernetes cluster: ```shell -curl https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.4.0/install.sh | bash +curl https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy-operator/v0.5.0/install.sh | bash ``` This will use `helm` to install the `cert-manager` operator, a prerequisite. Then diff --git a/installer/cloud-sql-proxy-operator.yaml b/installer/cloud-sql-proxy-operator.yaml index 0124c7a0..b527e8d9 100644 --- a/installer/cloud-sql-proxy-operator.yaml +++ b/installer/cloud-sql-proxy-operator.yaml @@ -1465,7 +1465,7 @@ spec: - --leader-elect command: - /manager - image: gcr.io/cloud-sql-connectors/cloud-sql-operator/cloud-sql-proxy-operator:0.4.0 + image: gcr.io/cloud-sql-connectors/cloud-sql-operator/cloud-sql-proxy-operator:0.5.0 livenessProbe: httpGet: path: /healthz diff --git a/installer/install.sh b/installer/install.sh index 116c93bd..ed1865c9 100644 --- a/installer/install.sh +++ b/installer/install.sh @@ -16,8 +16,8 @@ set -euxo # exit 1 from the script when command fails -# If CSQL_OPERATOR_VERSION is not set, use the release version: v0.4.0. -CSQL_OPERATOR_VERSION="${CSQL_OPERATOR_VERSION:-v0.4.0}" +# If CSQL_OPERATOR_VERSION is not set, use the release version: v0.5.0. +CSQL_OPERATOR_VERSION="${CSQL_OPERATOR_VERSION:-v0.5.0}" # If CSQL_CERT_MANAGER_VERSION is not set, use the default: v1.11.1. CSQL_CERT_MANAGER_VERSION="${CSQL_CERT_MANAGER_VERSION:-v1.11.1}" diff --git a/version.txt b/version.txt index 1d0ba9ea..8f0916f7 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.4.0 +0.5.0
