From 2b7ae827ebd405f2c12d21254fbd97a2d4de1de1 Mon Sep 17 00:00:00 2001 From: Gerald Pape Date: Thu, 7 Apr 2022 09:37:40 +0200 Subject: [PATCH] Upgrade to legacy 0.51.0 (#294) --- .github/dependabot.yml | 7 +- .github/workflows/check_values_schema.yaml | 40 --------- .../zz_generated.check_values_schema.yaml | 49 +++++++++++ .../zz_generated.create_release.yaml | 47 +++++++---- .../zz_generated.create_release_pr.yaml | 82 ++++++++++++++++--- .github/workflows/zz_generated.gitleaks.yaml | 4 +- CHANGELOG.md | 5 ++ helm/nginx-ingress-controller-app/Chart.yaml | 2 +- .../templates/_helpers.tpl | 4 +- helm/nginx-ingress-controller-app/values.yaml | 2 +- 10 files changed, 162 insertions(+), 80 deletions(-) delete mode 100644 .github/workflows/check_values_schema.yaml create mode 100644 .github/workflows/zz_generated.check_values_schema.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 233e2aa1..46b4a70d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@4.10.0 +# devctl@5.0.0 # version: 2 updates: @@ -10,15 +10,12 @@ updates: interval: weekly time: "04:00" open-pull-requests-limit: 10 - reviewers: - - giantswarm/team-cabbage ignore: - dependency-name: zricethezav/gitleaks-action + - dependency-name: actions/setup-go - package-ecosystem: pip directory: "/" schedule: interval: weekly time: "04:00" open-pull-requests-limit: 10 - reviewers: - - giantswarm/team-cabbage diff --git a/.github/workflows/check_values_schema.yaml b/.github/workflows/check_values_schema.yaml deleted file mode 100644 index 8dccbc0e..00000000 --- a/.github/workflows/check_values_schema.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: 'check if values schema file has been updated' -on: pull_request - -jobs: - check: - name: 'check files in PR' - runs-on: ubuntu-latest - steps: - - name: 'checkout' - uses: actions/checkout@v2 - - id: files - uses: jitterbit/get-changed-files@v1 - - name: 'show changed files in PR' - run: echo "${{ steps.files.outputs.all }}" - - name: 'check if values.schema.json was updated' - run: | - VALUES_FILE_CHANGED="false" - SCHEMA_FILE_CHANGED="false" - - if git ls-tree -r ${{ github.ref }} | grep -q "values.schema.json" ; then - - if grep -q "values.yaml" <<< "${{ steps.files.outputs.all }}" ; then - VALUES_FILE_CHANGED="true" - fi - - if grep -q "values.schema.json" <<< "${{ steps.files.outputs.all }}" ; then - SCHEMA_FILE_CHANGED="true" - fi - - if [ $VALUES_FILE_CHANGED != $SCHEMA_FILE_CHANGED ]; then - echo "FAILED: values.yaml was updated but values.schema.json hasn't been regenerated" - echo "Please refer to this doc: https://intranet.giantswarm.io/docs/organizational-structure/teams/halo/app-updates/helm-values-schema/" - exit 1 - fi - - echo "PASSED: values.yaml and values.schema.json both appear to have been updated" - exit 0 - fi - - echo "INFO: values.schema.json not present in this repo - nothing to do" diff --git a/.github/workflows/zz_generated.check_values_schema.yaml b/.github/workflows/zz_generated.check_values_schema.yaml new file mode 100644 index 00000000..80889364 --- /dev/null +++ b/.github/workflows/zz_generated.check_values_schema.yaml 
@@ -0,0 +1,49 @@ +# DO NOT EDIT. Generated with: +# +# devctl@5.0.0 +# +name: 'Check if values schema file has been updated' +on: pull_request + +jobs: + check: + name: 'Check values.yaml and its schema in PR' + runs-on: ubuntu-latest + steps: + - name: 'Checkout' + uses: actions/checkout@v3 + - name: 'Check if values.schema.json was updated' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + VALUES_FILE_CHANGED="false" + SCHEMA_FILE_CHANGED="false" + + base_ref=${GITHUB_BASE_REF##*/} + head_ref=${GITHUB_HEAD_REF##*/} + + echo "Comparing ${base_ref}...${head_ref}" + + changed_files=$(gh api repos/{owner}/{repo}/compare/${base_ref}...${head_ref} --jq ".files[] | .filename") + + if grep -q "values.schema.json" <<< $(git ls-tree -r --name-only ${GITHUB_SHA}); then + + if grep -q "values.yaml" <<< "${changed_files}" ; then + VALUES_FILE_CHANGED="true" + fi + + if grep -q "values.schema.json" <<< "${changed_files}" ; then + SCHEMA_FILE_CHANGED="true" + fi + + if [ $VALUES_FILE_CHANGED != $SCHEMA_FILE_CHANGED ]; then + echo "FAILED: values.yaml was updated but values.schema.json hasn't been regenerated" + echo "Please refer to this document: https://intranet.giantswarm.io/docs/organizational-structure/teams/cabbage/app-updates/helm-values-schema/" + exit 1 + fi + + echo "PASSED: values.yaml and values.schema.json both appear to have been updated" + exit 0 + fi + + echo "INFO: values.schema.json not present in this repo - nothing to do" diff --git a/.github/workflows/zz_generated.create_release.yaml b/.github/workflows/zz_generated.create_release.yaml index 4dc2a2b7..7ba58f8c 100644 --- a/.github/workflows/zz_generated.create_release.yaml +++ b/.github/workflows/zz_generated.create_release.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@4.10.0 +# devctl@5.0.0 # name: Create Release on: 
@@ -33,7 +33,10 @@ jobs: - name: Get version id: get_version run: | - title="$(echo "${{ github.event.head_commit.message }}" | head -n 1 -)" + title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - + ${{ github.event.head_commit.message }} + COMMIT_MESSAGE_END + )" # Matches strings like: # # - "Release v1.2.3" @@ -42,15 +45,15 @@ jobs: # - "Release v1.2.3-r4 (#56)" # # And outputs version part (1.2.3). - if echo $title | grep -iqE '^Release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then - version=$(echo $title | cut -d ' ' -f 2) + if echo "${title}" | grep -iqE '^Release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then + version=$(echo "${title}" | cut -d ' ' -f 2) fi version="${version#v}" # Strip "v" prefix. - echo "version=\"$version\"" + echo "version=\"${version}\"" echo "::set-output name=version::${version}" - name: Checkout code if: ${{ steps.get_version.outputs.version != '' }} - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Get project.go path id: get_project_go_path if: ${{ steps.get_version.outputs.version != '' }} 
@@ -64,18 +67,21 @@ jobs: - name: Check if reference version id: ref_version run: | - title="$(echo "${{ github.event.head_commit.message }}" | head -n 1 -)" - if echo $title | grep -qE '^release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then - version=$(echo $title | cut -d ' ' -f 2) + title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - + ${{ github.event.head_commit.message }} + COMMIT_MESSAGE_END + )" + if echo "${title}" | grep -qE '^release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then + version=$(echo "${title}" | cut -d ' ' -f 2) fi - version=$(echo $title | cut -d ' ' -f 2) + version=$(echo "${title}" | cut -d ' ' -f 2) version="${version#v}" # Strip "v" prefix. refversion=false if [[ "${version}" =~ ^[0-9]+.[0-9]+.[0-9]+-[0-9]+$ ]]; then refversion=true fi - echo "refversion =\"$refversion\"" - echo "::set-output name=refversion::$refversion" + echo "refversion =\"${refversion}\"" + echo "::set-output name=refversion::${refversion}" update_project_go: name: Update project.go runs-on: ubuntu-20.04 @@ -87,17 +93,17 @@ jobs: uses: giantswarm/install-binary-action@v1.0.0 with: binary: "architect" - version: "5.2.0" + version: "6.1.0" - name: Install semver uses: giantswarm/install-binary-action@v1.0.0 with: binary: "semver" - version: "3.0.0" + version: "3.2.0" download_url: "https://github.com/fsaintjacques/${binary}-tool/archive/${version}.tar.gz" tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Update project.go id: update_project_go env: @@ -146,7 +152,7 @@ jobs: upload_url: ${{ steps.create_gh_release.outputs.upload_url }} steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: ref: ${{ github.sha }} - name: Ensure correct version in project.go 
@@ -155,6 +161,12 @@ jobs: file="${{ needs.gather_facts.outputs.project_go_path }}" version="${{ needs.gather_facts.outputs.version }}" grep -qE "version[[:space:]]*=[[:space:]]*\"$version\"" $file + - name: Get Changelog Entry + id: changelog_reader + uses: mindsers/changelog-reader-action@v2 + with: + version: ${{ needs.gather_facts.outputs.version }} + path: ./CHANGELOG.md - name: Create tag run: | version="${{ needs.gather_facts.outputs.version }}" @@ -171,6 +183,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: + body: ${{ steps.changelog_reader.outputs.changes }} tag_name: "v${{ needs.gather_facts.outputs.version }}" release_name: "v${{ needs.gather_facts.outputs.version }}" @@ -190,7 +203,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Check out the repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 # Clone the whole history, not just the most recent commit. - name: Fetch all tags and branches diff --git a/.github/workflows/zz_generated.create_release_pr.yaml b/.github/workflows/zz_generated.create_release_pr.yaml index 5242199c..35c11e2a 100644 --- a/.github/workflows/zz_generated.create_release_pr.yaml +++ b/.github/workflows/zz_generated.create_release_pr.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@4.10.0 +# devctl@5.0.0 # name: Create Release PR on: @@ -8,10 +8,25 @@ on: branches: - 'legacy#release#v*.*.*' - 'main#release#v*.*.*' + - 'main#release#major' + - 'main#release#minor' + - 'main#release#patch' - 'master#release#v*.*.*' + - 'master#release#major' + - 'master#release#minor' + - 'master#release#patch' + - 'release#v*.*.*' + - 'release#major' + - 'release#minor' + - 'release#patch' - 'release-v*.*.x#release#v*.*.*' # "!" negates previous positive patterns so it has to be at the end. - '!release-v*.x.x#release#v*.*.*' + workflow_call: + inputs: + branch: + required: true + type: string jobs: debug_info: name: Debug info 
@@ -26,6 +41,8 @@ jobs: name: Gather facts runs-on: ubuntu-20.04 outputs: + repo_name: ${{ steps.gather_facts.outputs.repo_name }} + branch: ${{ steps.gather_facts.outputs.branch }} base: ${{ steps.gather_facts.outputs.base }} skip: ${{ steps.pr_exists.outputs.skip }} version: ${{ steps.gather_facts.outputs.version }} 
@@ -33,13 +50,50 @@ jobs: - name: Gather facts id: gather_facts run: | - head="${{ github.event.ref }}" + head="${{ inputs.branch || github.event.ref }}" + echo "::set-output name=branch::${head}" + head="${head#refs/heads/}" # Strip "refs/heads/" prefix. - base="$(echo $head | cut -d '#' -f 1)" + if [[ $(echo "$head" | grep -o '#' | wc -l) -gt 1 ]]; then + base="$(echo $head | cut -d '#' -f 1)" + else + base="${{ github.event.base_ref }}" + fi + base="${base#refs/heads/}" # Strip "refs/heads/" prefix. - version="$(echo $head | cut -d '#' -f 3)" - version="${version#v}" # Strip "v" prefix. - echo "base=\"$base\" head=\"$head\" version=\"$version\"" + + version="$(echo $head | awk -F# '{print $NF}')" + if [[ $version =~ ^major|minor|patch$ ]]; then + gh auth login --with-token <<<$(echo -n ${{ secrets.GITHUB_TOKEN }}) + version_parts=($(gh api "repos/${{ github.repository }}/releases/latest" --jq '.tag_name[1:] | split(".") | .[0], .[1], .[2]')) + version_major=${version_parts[0]} + version_minor=${version_parts[1]} + version_patch=${version_parts[2]} + case ${version} in + patch) + version_patch=$((version_patch+1)) + ;; + minor) + version_minor=$((version_minor+1)) + version_patch=0 + ;; + major) + version_major=$((version_major+1)) + version_minor=0 + version_patch=0 + ;; + *) + echo "Unknown Semver level provided" + exit 1 + ;; + esac + version="${version_major}.${version_minor}.${version_patch}" + else + version="${version#v}" # Strip "v" prefix. + fi + repo_name="$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" + echo "repo_name=\"$repo_name\" base=\"$base\" head=\"$head\" version=\"$version\"" + echo "::set-output name=repo_name::${repo_name}" echo "::set-output name=base::${base}" echo "::set-output name=head::${head}" echo "::set-output name=version::${version}" 
@@ -48,8 +102,8 @@ jobs: env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | - if gh pr view --repo ${{ github.repository }} ${{ github.event.ref }} | grep -i 'state:[[:space:]]*open' >/dev/null; then - gh pr view --repo ${{ github.repository }} ${{ github.event.ref }} + if gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} | grep -i 'state:[[:space:]]*open' >/dev/null; then + gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} echo "::set-output name=skip::true" else echo "::set-output name=skip::false" @@ -61,15 +115,17 @@ jobs: - gather_facts if: ${{ needs.gather_facts.outputs.skip != 'true' }} env: - architect_flags: "--organisation ${{ github.repository_owner }} --project ${{ github.event.repository.name }}" + architect_flags: "--organisation ${{ github.repository_owner }} --project ${{ needs.gather_facts.outputs.repo_name }}" steps: - name: Install architect uses: giantswarm/install-binary-action@v1.0.0 with: binary: "architect" - version: "3.4.0" + version: "6.1.0" - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 + with: + ref: ${{ needs.gather_facts.outputs.branch }} - name: Prepare release changes run: | architect prepare-release ${{ env.architect_flags }} --version "${{ needs.gather_facts.outputs.version }}" 
@@ -85,11 +141,11 @@ jobs: env: remote_repo: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" run: | - git push "${remote_repo}" HEAD:${{ github.ref }} + git push "${remote_repo}" HEAD:${{ needs.gather_facts.outputs.branch }} - name: Create PR env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" base: "${{ needs.gather_facts.outputs.base }}" version: "${{ needs.gather_facts.outputs.version }}" run: | - hub pull-request -f -m "Release v${{ env.version }}" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ github.event.ref }} + hub pull-request -f -m "Release v${{ env.version }}" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }} diff --git a/.github/workflows/zz_generated.gitleaks.yaml b/.github/workflows/zz_generated.gitleaks.yaml index b01152cb..5ba4f390 100644 --- a/.github/workflows/zz_generated.gitleaks.yaml +++ b/.github/workflows/zz_generated.gitleaks.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@4.10.0 +# devctl@5.0.0 # name: gitleaks @@ -10,7 +10,7 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: '0' - name: gitleaks-action diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a43c04a..a52d8341 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,11 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s ## [Unreleased] +### Changed + +- Update controller container image to [`v0.51.0`](https://github.com/kubernetes/ingress-nginx/blob/legacy/Changelog.md#0510) to fix [CVE-2022-0778](https://github.com/kubernetes/ingress-nginx/issues/8339) in OpenSSL and [CVE-2022-23308](https://github.com/kubernetes/ingress-nginx/issues/8321) in libxml2. It also upgrades Alpine to 3.14.4 and nginx to 1.19.10. ([#294](https://github.com/giantswarm/nginx-ingress-controller-app/pull/294)) +- Added team ownership to default labels. ([#294](https://github.com/giantswarm/nginx-ingress-controller-app/pull/294)) + ## [2.1.3] - 2021-12-20 ### Changed diff --git a/helm/nginx-ingress-controller-app/Chart.yaml b/helm/nginx-ingress-controller-app/Chart.yaml index 4ae1fa75..f7c4e066 100644 --- a/helm/nginx-ingress-controller-app/Chart.yaml +++ b/helm/nginx-ingress-controller-app/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: v0.50.0 +appVersion: v0.51.0 description: The most popular ingress controller for Kubernetes, based on NGINX home: https://github.com/giantswarm/nginx-ingress-controller-app icon: https://s.giantswarm.io/app-icons/1/png/nginx-ingress-controller-app-light.png diff --git a/helm/nginx-ingress-controller-app/templates/_helpers.tpl b/helm/nginx-ingress-controller-app/templates/_helpers.tpl index d48f467f..102a7ed0 100644 --- a/helm/nginx-ingress-controller-app/templates/_helpers.tpl +++ b/helm/nginx-ingress-controller-app/templates/_helpers.tpl 
@@ -23,8 +23,10 @@ app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/name: {{ include "name" . | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +app.kubernetes.io/part-of: {{ template "name" . }} giantswarm.io/service-type: "managed" helm.sh/chart: {{ include "chart" . | quote }} +application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }} {{- end -}} {{/* @@ -50,4 +52,4 @@ Election ID. */}} {{- define "controller.leader.election.id" -}} {{ include "resource.default.name" . }}-leader -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/helm/nginx-ingress-controller-app/values.yaml b/helm/nginx-ingress-controller-app/values.yaml index 3de62b2f..bf768523 100644 --- a/helm/nginx-ingress-controller-app/values.yaml +++ b/helm/nginx-ingress-controller-app/values.yaml @@ -79,7 +79,7 @@ controller: # controller.image.tag # When updating tag make sure to also keep appVersion in Chart.yaml in sync - tag: v0.50.0 + tag: v0.51.0 # controller.containerPort containerPort:
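Review bot: The new `app.kubernetes.io/part-of` label on the first added line is emitted unquoted via `{{ template "name" . }}`, while every sibling label in this block goes through `include ... | quote`; since `template` cannot be piped, the consistent form is `app.kubernetes.io/part-of: {{ include "name" . | quote }}`. The second added line reads `.Chart.Annotations` with `index`, which yields an empty string when the annotation is absent, so a chart that lacks it renders `application.giantswarm.io/team: ""` instead of failing; the Chart.yaml hunk in this commit only bumps `appVersion`, so whether the annotation is present elsewhere in that file cannot be confirmed from the diff. If the team label is meant to be mandatory, `{{ required "application.giantswarm.io/team annotation missing in Chart.yaml" (index .Chart.Annotations "application.giantswarm.io/team") | quote }}` makes a misconfigured chart fail at render time rather than ship an unattributed workload. The enclosing `define` block starts outside the hunk.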