Merge branch 'main' into dependabot/go_modules/github.com/onsi/ginkgo…

…/v2-2.20.2
kyma-project · Sep 10, 2024 · b4e8419 · b4e8419
2 parents a44e379 + c9900b4
commit b4e8419
Show file tree

Hide file tree

Showing 15 changed files with 581 additions and 258 deletions.
diff --git a/.github/workflows/build_kim.yaml b/.github/workflows/build_kim.yaml
@@ -0,0 +1,133 @@
+name: KIM
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+-*"
+    paths-ignore:
+      - .reuse
+      - hack/
+      - LICENSES/
+      - LICENSE
+      - .gitignore
+      - "**.md"
+
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - .reuse
+      - hack/
+      - LICENSES/
+      - LICENSE
+      - .gitignore
+      - "**.md"
+
+env:
+  trivy-table: trivy-table.txt
+
+permissions:
+  id-token: write # This is required for requesting the JWT token
+  contents: read # This is required for actions/checkout
+
+jobs:
+  setup:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - id: tag
+        if: github.event_name == 'push' && github.ref_type == 'tag'
+        run: echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+
+  trivy:
+    permissions:
+      contents: read
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Install trivy
+        run: |
+          mkdir ./trivy
+          curl -L https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar xvz --directory=./trivy
+          ./trivy/trivy --version
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+
+          exit-code: 1
+          severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+          ignore-unfixed: false
+          timeout: "5m0s"
+          vuln-type: "os,library"
+
+          format: table
+          output: ${{ env.trivy-table }}
+
+      - name: Upload trivy table
+        if: success() || failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.trivy-table }}
+          path: ${{ env.trivy-table }}
+
+      - name: Print trivy table
+        if: success() || failure()
+        run: cat ${{ env.trivy-table }}
+
+  build-image:
+    needs: setup
+    uses: kyma-project/test-infra/.github/workflows/image-builder.yml@main # Usage: kyma-project/test-infra/.github/workflows/image-builder.yml@main
+    with:
+      name: infrastructure-manager
+      dockerfile: Dockerfile
+      context: .
+      tags: ${{ needs.setup.outputs.tag }}
+
+  summary:
+    runs-on: ubuntu-latest
+    needs: [build-image, trivy]
+    if: success() || failure()
+    steps:
+      - name: "Download trivy log"
+        uses: actions/download-artifact@v4
+        continue-on-error: true
+        with:
+          name: ${{ env.trivy-table }}
+      - name: "Generate summary"
+        run: |
+          {
+            echo '# Kyma Infrastructure Manager'
+            # if trivy results table exists
+            if [ -f ${{ env.trivy-table }} ]; then
+              echo '## Trivy'
+              printf '\n```txt\n'
+              cat ${{ env.trivy-table }}
+              printf '\n```\n'
+            fi
+
+            # if build-image was successful
+            if [ "${{ needs.build-image.result }}" == "success" ]; then
+              printf '\n\n## Image\n'
+              printf '\n```json\n'
+              echo '${{ needs.build-image.outputs.images }}' | jq
+              printf '\n```\n'
+            fi
+          } >> $GITHUB_STEP_SUMMARY
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.22.5 as builder
+FROM golang:1.23.0-alpine3.20 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -79,6 +79,7 @@ spec:
           capabilities:
             drop:
               - "ALL"
+          readOnlyRootFilesystem: true
         ports:
           - containerPort: 8080
             name: metrics

diff --git a/internal/auditlogging/auditlogging.go b/internal/auditlogging/auditlogging.go
@@ -125,7 +125,7 @@ func (al *AuditLog) Enable(ctx context.Context, shoot *gardener.Shoot) (bool, er
 		}
 	}
 
-	return true, nil
+	return annotated, nil
 }
 
 func ApplyAuditLogConfig(shoot *gardener.Shoot, auditConfigFromFile map[string]map[string]AuditLogData, providerType string) (bool, error) {
-Original file line number
+Diff line change
@@ Expand Up @@
     		}
     	}
-    	return true, nil
+    	return annotated, nil
     }
     func ApplyAuditLogConfig(shoot *gardener.Shoot, auditConfigFromFile map[string]map[string]AuditLogData, providerType string) (bool, error) {
@@ Expand Down @@