Merge pull request cert-manager#134 from cert-manager/self-upgrade-main

[CI] Merge self-upgrade-main into main
inteon · May 9, 2024 · e1cd42e · e1cd42e
2 parents 5f3fc87 + 0a3df9c
commit e1cd42e
Show file tree

Hide file tree

Showing 16 changed files with 376 additions and 268 deletions.
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -25,8 +25,6 @@ linters:
     - gocritic
     - gofmt
     - goheader
-    - gomoddirectives
-    - gomodguard
     - goprintffuncname
     - gosec
     - gosimple

diff --git a/Makefile b/Makefile
@@ -60,8 +60,10 @@ MAKECMDGOALS ?=
 # binary may not be available in the PATH yet when the Makefiles are
 # evaluated. HOST_OS and HOST_ARCH only support Linux, *BSD and macOS (M1
 # and Intel).
-HOST_OS ?= $(shell uname -s | tr A-Z a-z)
-HOST_ARCH ?= $(shell uname -m)
+host_os := $(shell uname -s | tr A-Z a-z)
+host_arch := $(shell uname -m)
+HOST_OS ?= $(host_os)
+HOST_ARCH ?= $(host_arch)
 
 ifeq (x86_64, $(HOST_ARCH))
 	HOST_ARCH = amd64
@@ -74,7 +76,8 @@ endif
 # Git and versioning information #
 ##################################
 
-VERSION ?= $(shell git describe --tags --always --match='v*' --abbrev=14 --dirty)
+git_version := $(shell git describe --tags --always --match='v*' --abbrev=14 --dirty)
+VERSION ?= $(git_version)
 IS_PRERELEASE := $(shell git describe --tags --always --match='v*' --abbrev=0 | grep -q '-' && echo true || echo false)
 GITCOMMIT := $(shell git rev-parse HEAD)
 GITEPOCH := $(shell git show -s --format=%ct HEAD)

diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
@@ -11,3 +11,4 @@ aliases:
     - irbekrm
     - sgtcodfish
     - inteon
+    - thatsmrtalbot
diff --git a/klone.yaml b/klone.yaml
@@ -10,65 +10,65 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: b4ffe01c4471ab7ff0ba129bb455445b38ca1221
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/tools
diff --git a/make/_shared/cert-manager/00_mod.mk b/make/_shared/cert-manager/00_mod.mk
@@ -15,14 +15,14 @@
 images_amd64 ?=
 images_arm64 ?=
 
-cert_manager_version := v1.14.4
+cert_manager_version := v1.14.5
 
-images_amd64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:f84edf06327f84ed2ca056776659aa144cf3cc982c5403650c24553c5a44b03d
-images_amd64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:8267563833c31cc428b9ae460b890d079a1da09a4d8d00ec299a47dd613fbd24
-images_amd64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:ba5469d1a77b1cb04a703199b0e69bc25644a00498adc3694a0369c87375b4ca
-images_amd64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:2a1545099cf6386ab08e979a58a6280fe123d091c69f8222bfb22c597003a3f0
+images_amd64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:f37f460aaa7598ba251ff1cbe7438012fd56c4acc94be64245e8a836203c5542
+images_amd64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:6d9ebced61371cc903f7934690923034382456f3ce6e0fe2b692c40dbd67d523
+images_amd64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:ac34b1905a2ff20789fde27115d3e1aa7b3d09f57efba4e91ae2ba1744de4ad2
+images_amd64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:5c74e4e37586dc5c35442515f43ecf222e961b65e954798428ac9239408bc0f3
 
-images_arm64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:39a6e9e699b3dacb8b92538efbaff85c16d4b30343ebeaaf2f35772ff3cebf53
-images_arm64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:956aac21371499fdcc8811b4b5fc8e2e0d6e552b15723c783fe56270347fc9e0
-images_arm64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:8ea8462c1daa7604f4f2e71e0cdeef3dd5d7e0f04341982a05dc296299766126
-images_arm64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:f4cd54540f8813e63a2f53b5b210454ae2a5fe0949b9f55d8f1270162ebad9a8
+images_arm64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:96668890d162a743407c0ef14d7769e970aa16655959b5f5cab0c595167148fa
+images_arm64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:719aec5d99e86377829261451985592bc4129c5ca8dcb7f20b32170742f2b29b
+images_arm64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:874da5701a98e352fa28d88470671eb792a472737a3cf2b7ce9966817e962de8
+images_arm64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:35d35b325b980cc702324e52b443cc7eb1df7211ce4e8e91d96da4eff4b6c894
diff --git a/make/_shared/go/.golangci.override.yaml b/make/_shared/go/.golangci.override.yaml
@@ -25,8 +25,6 @@ linters:
     - gocritic
     - gofmt
     - goheader
-    - gomoddirectives
-    - gomodguard
     - goprintffuncname
     - gosec
     - gosimple

diff --git a/make/_shared/go/01_mod.mk b/make/_shared/go/01_mod.mk
@@ -46,10 +46,11 @@ shared_generate_targets += generate-govulncheck
 # not want new vulnerabilities in existing code to block the merging of PRs.
 # Instead `make verify-govulnecheck` is intended to be run periodically by a CI job.
 verify-govulncheck: | $(NEEDS_GOVULNCHECK)
-	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
-				echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${d}'"; \
-				pushd "$${d}" >/dev/null; \
+				target=$$(dirname $${d}); \
+				echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${target}'"; \
+				pushd "$${target}" >/dev/null; \
 				GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(GOVULNCHECK) ./... || exit; \
 				popd >/dev/null; \
 				echo ""; \
@@ -73,10 +74,11 @@ shared_generate_targets += generate-golangci-lint-config
 ## Verify all Go modules using golangci-lint
 ## @category [shared] Generate/ Verify
 verify-golangci-lint: | $(NEEDS_GO) $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
-	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
-				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config)' in directory '$${d}'"; \
-				pushd "$${d}" >/dev/null; \
+				target=$$(dirname $${d}); \
+				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config)' in directory '$${target}'"; \
+				pushd "$${target}" >/dev/null; \
 				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout 4m || exit; \
 				popd >/dev/null; \
 				echo ""; \
@@ -87,18 +89,19 @@ shared_verify_targets_dirty += verify-golangci-lint
 .PHONY: fix-golangci-lint
 ## Fix all Go modules using golangci-lint
 ## @category [shared] Generate/ Verify
-fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
-	gci write \
+fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(NEEDS_GCI) $(bin_dir)/scratch
+	$(GCI) write \
 		-s "standard" \
 		-s "default" \
 		-s "prefix($(repo_name))" \
 		-s "blank" \
 		-s "dot" .
 
-	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
-				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${d}'"; \
-				pushd "$${d}" >/dev/null; \
+				target=$$(dirname $${d}); \
+				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${target}'"; \
+				pushd "$${target}" >/dev/null; \
 				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix || exit; \
 				popd >/dev/null; \
 				echo ""; \

diff --git a/make/_shared/kind/00_mod.mk b/make/_shared/kind/00_mod.mk
@@ -15,14 +15,14 @@
 images_amd64 ?=
 images_arm64 ?=
 
-kind_k8s_version := v1.29.0
+kind_k8s_version := v1.29.2
 
 # Goto https://github.com/kubernetes-sigs/kind/releases/tag/<KIND-VERSION> and find the
 # multi-arch digest for the image you want to use. Then use crane to get the platform
 # specific digest. For example (digest is the multi-arch digest from the release page):
-# digest="sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570"
+# digest="sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245"
 # crane digest --platform=linux/amd64 docker.io/kindest/node@$digest
 # crane digest --platform=linux/arm64 docker.io/kindest/node@$digest
 
-images_amd64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:54a50c9354f11ce0aa56a85d2cacb1b950f85eab3fe1caf988826d1f89bf37eb
-images_arm64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:8ccbd8bc4d52c467f3c79eeeb434827c225600a1d7385a4b1c19d9e038c9e0c0
+images_amd64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:acc9e82a5a5bd3dfccfd03117e9ef5f96b46108b55cd647fb5e7d0d1a35c9c6f
+images_arm64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:068aaa834c09ab60d925a8569c6b5f5b9cf46eccf670499176f3267f2ac3189c
diff --git a/make/_shared/oci-build/00_mod.mk b/make/_shared/oci-build/00_mod.mk
@@ -15,11 +15,11 @@
 oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
 
 # Use distroless as minimal base image to package the manager binary
-# To get latest SHA run crane digest quay.io/jetstack/base-static:latest
+# To get latest SHA run "crane digest quay.io/jetstack/base-static:latest"
 base_image_static := quay.io/jetstack/base-static@sha256:ba3cff0a4cacc5ae564e04c1f645000e8c9234c0f4b09534be1dee7874a42141
 
 # Use custom apko-built image as minimal base image to package the manager binary
-# To get latest SHA run crane digest quay.io/jetstack/base-static-csi:latest
+# To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest"
 base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:54bacd13cccc385ef66730dbc7eb13bdb6a9ff8853e7f551d025ccb0e8c6bf83
 
 # Utility functions

diff --git a/make/_shared/oci-build/image_tool/append_layers.go b/make/_shared/oci-build/image_tool/append_layers.go
@@ -30,6 +30,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/match"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
+	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/spf13/cobra"
 )
 
@@ -45,16 +46,33 @@ var CommandAppendLayers = cobra.Command{
 			return
 		}
 
+		path, err := layout.FromPath(oci)
+		must("could not load oci directory", err)
+
+		index, err := path.ImageIndex()
+		must("could not load oci image index", err)
+
+		indexMediaType, err := index.MediaType()
+		must("could not get image index media type", err)
+
+		layerType := types.DockerLayer
+		if indexMediaType == types.OCIImageIndex {
+			layerType = types.OCILayer
+		}
+
 		layers := []v1.Layer{}
 		for _, path := range extra {
-			layers = append(layers, loadLayerFromDirOrTarball(path))
+			layers = append(layers, loadLayerFromDirOrTarball(path, layerType))
 		}
 
-		appendLayersToAllImages(oci, layers...)
+		index = appendLayersToImageIndex(index, layers)
+
+		_, err = layout.Write(oci, index)
+		must("could not write image", err)
 	},
 }
 
-func loadLayerFromDirOrTarball(path string) v1.Layer {
+func loadLayerFromDirOrTarball(path string, mediaType types.MediaType) v1.Layer {
 	stat, err := os.Stat(path)
 	must("could not open directory or tarball", err)
 
@@ -102,31 +120,24 @@ func loadLayerFromDirOrTarball(path string) v1.Layer {
 
 		byts := buf.Bytes()
 
-		layer, err = tarball.LayerFromOpener(func() (io.ReadCloser, error) {
-			return io.NopCloser(bytes.NewReader(byts)), nil
-		})
+		layer, err = tarball.LayerFromOpener(
+			func() (io.ReadCloser, error) {
+				return io.NopCloser(bytes.NewReader(byts)), nil
+			},
+			tarball.WithMediaType(mediaType),
+		)
 
 	} else {
-		layer, err = tarball.LayerFromFile(path)
+		layer, err = tarball.LayerFromFile(
+			path,
+			tarball.WithMediaType(mediaType),
+		)
 	}
 
 	must("could not open directory or tarball", err)
 	return layer
 }
 
-func appendLayersToAllImages(oci string, layers ...v1.Layer) {
-	path, err := layout.FromPath(oci)
-	must("could not load oci directory", err)
-
-	index, err := path.ImageIndex()
-	must("could not load oci image index", err)
-
-	index = appendLayersToImageIndex(index, layers)
-
-	_, err = layout.Write(oci, index)
-	must("could not write image", err)
-}
-
 func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIndex {
 	manifest, err := index.IndexManifest()
 	must("could not load oci image manifest", err)
@@ -145,11 +156,15 @@ func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIn
 			digest, err := img.Digest()
 			must("could not get image digest", err)
 
+			size, err := img.Size()
+			must("could not get image size", err)
+
 			slog.Info("appended layers to image", "old_digest", descriptor.Digest, "digest", digest, "platform", descriptor.Platform)
 
 			index = mutate.RemoveManifests(index, match.Digests(descriptor.Digest))
 
 			descriptor.Digest = digest
+			descriptor.Size = size
 			index = mutate.AppendManifests(index, mutate.IndexAddendum{
 				Add:        img,
 				Descriptor: descriptor,
@@ -159,16 +174,20 @@ func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIn
 			slog.Info("found image index", "digest", descriptor.Digest)
 
 			child, err := index.ImageIndex(descriptor.Digest)
-			must("could not load oci image manifest", err)
+			must("could not load oci index manifest", err)
 
 			child = appendLayersToImageIndex(child, layers)
 
 			digest, err := child.Digest()
-			must("could not get image digest", err)
+			must("could not get index digest", err)
+
+			size, err := child.Size()
+			must("could not get index size", err)
 
 			index = mutate.RemoveManifests(index, match.Digests(descriptor.Digest))
 
 			descriptor.Digest = digest
+			descriptor.Size = size
 			index = mutate.AppendManifests(index, mutate.IndexAddendum{
 				Add:        child,
 				Descriptor: descriptor,

diff --git a/make/_shared/oci-publish/01_mod.mk b/make/_shared/oci-publish/01_mod.mk
@@ -19,8 +19,8 @@ sanitize_target = $(subst :,-,$1)
 registry_for = $(firstword $(subst /, ,$1))
 
 # Utility variables
-current_makefile = $(lastword $(MAKEFILE_LIST))
-current_makefile_directory = $(dir $(current_makefile))
+current_makefile_directory := $(dir $(lastword $(MAKEFILE_LIST)))
+image_exists_script := $(current_makefile_directory)/image-exists.sh
 
 # Validate globals that are required
 $(call fatal_if_undefined,bin_dir)
@@ -78,10 +78,10 @@ $(call sanitize_target,oci-push-$2): oci-build-$1 | $(NEEDS_CRANE)
 
 .PHONY: $(call sanitize_target,oci-maybe-push-$2)
 $(call sanitize_target,oci-maybe-push-$2): oci-build-$1 | $(NEEDS_CRANE)
-	$$(CRANE) $(crane_flags_$1) manifest $2:$(call oci_image_tag_for,$1) > /dev/null 2>&1 || (\
-		$$(CRANE) $(crane_flags_$1) push "$(oci_layout_path_$1)" "$2:$(call oci_image_tag_for,$1)" && \
-		$(if $(filter true,$(oci_sign_on_push_$1)),$(MAKE) $(call sanitize_target,oci-sign-$2)) \
-	)
+	CRANE="$$(CRANE) $(crane_flags_$1)" \
+	source $(image_exists_script) $2:$(call oci_image_tag_for,$1); \
+		$$(CRANE) $(crane_flags_$1) push "$(oci_layout_path_$1)" "$2:$(call oci_image_tag_for,$1)"; \
+		$(if $(filter true,$(oci_sign_on_push_$1)),$(MAKE) $(call sanitize_target,oci-sign-$2))
 
 oci-push-$1: $(call sanitize_target,oci-push-$2)
 oci-maybe-push-$1: $(call sanitize_target,oci-maybe-push-$2)
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,3 +11,4 @@ aliases: @@
         - irbekrm
         - sgtcodfish
         - inteon
+        - thatsmrtalbot