syncing release 1.4 with internal repo

.github/workflows/presubmit.yaml

@@ -43,7 +43,29 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Setup Go Version
+        run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: "**/go.sum"
       - name: Install `govulncheck`
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
       - name: Run `govulncheck`
         run: ~/go/bin/govulncheck ./...
+  static-security-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Go Version
+        run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: "**/go.sum"
+      - name: Install `gosec`
+        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+      - name: Run Gosec Security Scanner
+        run: ~/go/bin/gosec -exclude-dir test -exclude-generated -severity medium -exclude=G108,G114 ./...
+

.go-version

@@ -0,0 +1 @@
+1.22.5

Dockerfile

@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 ARG BUILD_IMAGE
-ARG ARCH=amd64
+ARG ARCH
 # Build the controller binary
 FROM $BUILD_IMAGE as builder
 
@@ -24,17 +24,18 @@ COPY webhooks/ webhooks/
 
 # Version package for passing the ldflags
 ENV VERSION_PKG=github.com/aws/amazon-vpc-resource-controller-k8s/pkg/version
+ENV GOARCH $ARCH
 # Build
 RUN GIT_VERSION=$(git describe --tags --always) && \
         GIT_COMMIT=$(git rev-parse HEAD) && \
         BUILD_DATE=$(date +%Y-%m-%dT%H:%M:%S%z) && \
-        CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} GO111MODULE=on go build \
+        CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build \
         -ldflags="-X ${VERSION_PKG}.GitVersion=${GIT_VERSION} -X ${VERSION_PKG}.GitCommit=${GIT_COMMIT} -X ${VERSION_PKG}.BuildDate=${BUILD_DATE}" -a -o controller main.go
 
 FROM $BASE_IMAGE
 
 WORKDIR /
-COPY --from=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.9.0-eks-1-21-4 /usr/local/bin/go-runner /usr/local/bin/go-runner
+COPY --from=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.15.0-eks-1-27-3 /go-runner /usr/local/bin/go-runner
 COPY --from=builder /workspace/controller .
 
 ENTRYPOINT ["/controller"]

Makefile

@@ -12,10 +12,14 @@ MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))
 VERSION ?= $(GIT_VERSION)
 IMAGE ?= $(REPO):$(VERSION)
 BASE_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:latest.2
-BUILD_IMAGE ?= public.ecr.aws/bitnami/golang:1.21.3
+GOLANG_VERSION ?= $(shell cat .go-version)
+BUILD_IMAGE ?= public.ecr.aws/bitnami/golang:$(GOLANG_VERSION)
 GOARCH ?= amd64
 PLATFORM ?= linux/amd64
 
+export GOSUMDB = sum.golang.org
+export GOTOOLCHAIN = go$(GOLANG_VERSION)
+
 help: ## Display help
 	@awk 'BEGIN {FS = ":.*##"; printf "Usage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
@@ -28,7 +32,7 @@ verify:
 	go generate ./...
 	go vet ./...
 	go fmt ./...
-	controller-gen crd:trivialVersions=true rbac:roleName=controller-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	controller-gen crd rbac:roleName=controller-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	controller-gen object:headerFile="scripts/templates/boilerplate.go.txt" paths="./..."
 	@git diff --quiet ||\
 	{ echo "New file modification detected in the Git working tree. Please check in before commit."; git --no-pager diff --name-only | uniq | awk '{print "  - " $$0}'; \
@@ -38,7 +42,7 @@ verify:
 
 ## Run unit tests
 test: verify
-	go test ./pkg/... ./controllers/... ./webhooks/... -coverprofile cover.out
+	go test -race ./pkg/... ./controllers/... ./webhooks/... -coverprofile cover.out
 
 test-e2e:
 	KUBE_CONFIG_PATH=${KUBE_CONFIG_PATH} REGION=${AWS_REGION} CLUSTER_NAME=${CLUSTER_NAME} ./scripts/test/run-integration-tests.sh
@@ -50,7 +54,7 @@ toolchain: ## Install developer toolchain
 	./hack/toolchain.sh
 
 apply: image check-deployment-env check-env ## Deploy controller to ~/.kube/config
-	eksctl create iamserviceaccount vpc-resource-controller --namespace kube-system --cluster ${CLUSTER_NAME} \
+	eksctl create iamserviceaccount vpc-resource-controller --namespace kube-system --cluster ${CLUSTER_NAME} --region ${AWS_REGION} \
 		--role-name VPCResourceControllerRole \
 		--attach-policy-arn=arn:aws:iam::aws:policy/AdministratorAccess \
 		--override-existing-serviceaccounts \
@@ -63,7 +67,7 @@ apply: image check-deployment-env check-env ## Deploy controller to ~/.kube/conf
 
 delete: ## Delete controller from ~/.kube/config
 	kustomize build config/default | kubectl delete --ignore-not-found -f -
-	eksctl delete iamserviceaccount vpc-resource-controller --namespace kube-system --cluster ${CLUSTER_NAME}
+	eksctl delete iamserviceaccount vpc-resource-controller --namespace kube-system --cluster ${CLUSTER_NAME} --region ${AWS_REGION}
 	kubectl patch rolebinding eks-vpc-resource-controller-rolebinding -n kube-system --patch '{"subjects":[{"kind":"ServiceAccount","name":"eks-vpc-resource-controller","namespace":"kube-system"},{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"eks:vpc-resource-controller"}]}'
 	kubectl create clusterrolebinding vpc-resource-controller-rolebinding --clusterrole vpc-resource-controller-role --serviceaccount kube-system:eks-vpc-resource-controller --user eks:vpc-resource-controller
 
@@ -73,7 +77,7 @@ docker-buildx: check-env test
 
 # Build the docker image
 docker-build: check-env test
-	docker build --build-arg BASE_IMAGE=$(BASE_IMAGE) --build-arg BUILD_IMAGE=$(BUILD_IMAGE) . -t ${IMAGE}
+	docker build --build-arg BASE_IMAGE=$(BASE_IMAGE) --build-arg ARCH=$(GOARCH) --build-arg BUILD_IMAGE=$(BUILD_IMAGE) . -t ${IMAGE}
 
 # Push the docker image
 docker-push: check-env

PROJECT

@@ -1,8 +1,27 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: k8s.aws
+layout:
+- go.kubebuilder.io/v3
 multigroup: true
+projectName: amazon-vpc-resource-controller-k8s
 repo: github.com/aws/amazon-vpc-resource-controller-k8s
 resources:
-- group: vpcresources
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: k8s.aws
+  group: vpcresources
   kind: SecurityGroupPolicy
+  path: github.com/aws/amazon-vpc-resource-controller-k8s/apis/v1beta1
   version: v1beta1
-version: "2"
+- api:
+    crdVersion: v1
+  domain: k8s.aws
+  group: vpcresources
+  kind: CNINode
+  path: github.com/aws/amazon-vpc-resource-controller-k8s/apis/v1alpha1
+  version: v1alpha1
+version: "3"

README.md

@@ -8,6 +8,8 @@
 
 Controller running on EKS Control Plane for managing Branch & Trunk Network Interface for [Kubernetes Pod](https://kubernetes.io/docs/concepts/workloads/pods/) using the [Security Group for Pod](https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html) feature and IPv4 Address Management(IPAM) of [Windows Nodes](https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html).
 
+The controller broadcasts its version to nodes. Describing any node will provide the version information in node `Events`. The mapping between the controller's version and the cluster's platform version is also available in release notes.
+
 ## Security Group for Pods
 
 The controller only manages the Trunk/Branch Network Interface for EKS Cluster using the Security Group for Pods feature. The Networking on the host is setup by [amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s) plugin.
@@ -40,6 +42,10 @@ The controller supports the following modes for IPv4 address management on Windo
 
 Please follow this [guide](https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html) for enabling Windows Support on your EKS cluster.
 
+## Configuring the controller via amazon-vpc-cni configmap
+
+The controller supports various configuration options for managing security groups for pods and Windows nodes which can be set via the EKS-managed configmap `amazon-vpc-cni`. For more details, refer to the security group for pods configuration options [here](docs/sgp/sgp_config_options.md) and Windows IPAM/PD related configuration options [here](docs/windows/prefix_delegation_config_options.md)
+
 ## Troubleshooting
 For troubleshooting issues related to Security group for pods or Windows IPv4 address management, please visit our troubleshooting guide [here](docs/troubleshooting.md).
 

apis/vpcresources/v1alpha1/cninode_types.go

@@ -39,8 +39,7 @@ type CNINodeSpec struct {
 
 // CNINodeStatus defines the managed VPC resources.
 type CNINodeStatus struct {
-	//TODO: add VPS resources which will be managed by this CRD and its finalizer
-
+	//TODO: add VPC resources which will be managed by this CRD and its finalizer
 }
 
 // +kubebuilder:object:root=true

config/controller/controller.yaml

@@ -31,8 +31,8 @@ spec:
       - args:
           - --cluster-name=CLUSTER_NAME
           - --role-arn=USER_ROLE_ARN
-          - --enable-leader-election
-          - --metrics-addr=:8443
+          - --leader-elect
+          - --metrics-bind-address=:8443
         image: controller:latest
         name: controller
         resources:

config/crd/bases/vpcresources.k8s.aws_cninodes.yaml

@@ -1,11 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: cninodes.vpcresources.k8s.aws
 spec:
   group: vpcresources.k8s.aws
@@ -28,20 +26,26 @@ spec:
       openAPIV3Schema:
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
-            description: 'Important: Run "make" to regenerate code after modifying
-              this file CNINodeSpec defines the desired state of CNINode'
+            description: |-
+              Important: Run "make" to regenerate code after modifying this file
+              CNINodeSpec defines the desired state of CNINode
             properties:
               features:
                 items:
@@ -65,9 +69,3 @@ spec:
     served: true
     storage: true
     subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []