Merge remote-tracking branch 'origin/master' into ci/repatriate/from-…

…v2.4-to-v2.5
emissary-ingress · Sep 21, 2022 · 80eb9c2 · 80eb9c2
2 parents 01867ab + 5dc2077
commit 80eb9c2
Show file tree

Hide file tree

Showing 3,143 changed files with 269,943 additions and 321,371 deletions.
diff --git a/.github/actions/collect-logs/action.yml b/.github/actions/collect-logs/action.yml
@@ -25,12 +25,6 @@ runs:
             /tmp/cov_html \
             /tmp/test-logs/cov_html
         fi
-        if test -d /tmp/test-data; then
-          rsync \
-            --archive \
-            /tmp/test-data_html \
-            /tmp/test-logs/test-data
-        fi
         if test -d ~/.cache/telepresence/logs; then
           rsync \
             --archive \

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,43 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: "/"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: gomod
+    directory: "/tools/src/yq/"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: gomod
+    directory: "/tools/src/chart-doc-gen"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: gomod
+    directory: "/tools/src/crane"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: gomod
+    directory: "/tools/src/ct"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: gomod
+    directory: "/tools/src/golangci-lint"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: gomod
+    directory: "/tools/src/ocibuild"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/execute-tests-and-promote.yml b/.github/workflows/execute-tests-and-promote.yml
@@ -8,7 +8,6 @@ name: job-promote-to-passed
   pull_request: {}
 
 jobs:
-
   lint: ########################################################################
     runs-on: ubuntu-latest
     env:
@@ -20,6 +19,9 @@ jobs:
           fetch-depth: 0
       - name: Install Deps
         uses: ./.github/actions/setup-deps
+      - shell: bash
+        run: |
+          make lint-deps
       - shell: bash
         run: |
           make lint
@@ -115,8 +117,6 @@ jobs:
         run: |
           export DEV_KUBE_NO_PVC=yes
           export KAT_REQ_LIMIT=900
-          export TEST_XML_DIR=/tmp/test-logs/xml/
-          mkdir -p ${TEST_XML_DIR}
           make gotest
       - uses: ./.github/actions/after-job
         if: always()
@@ -134,11 +134,6 @@ jobs:
       matrix:
         test:
           - integration
-          - kat-envoy2-1-of-5
-          - kat-envoy2-2-of-5
-          - kat-envoy2-3-of-5
-          - kat-envoy2-4-of-5
-          - kat-envoy2-5-of-5
           - kat-envoy3-1-of-5
           - kat-envoy3-2-of-5
           - kat-envoy3-3-of-5
@@ -172,10 +167,8 @@ jobs:
 
           export DEV_KUBE_NO_PVC=yes
           export KAT_REQ_LIMIT=900
-          export TEST_XML_DIR=/tmp/test-logs/xml/
           export DEV_KUBECONFIG=~/.kube/config
           export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }}
-          mkdir -p ${TEST_XML_DIR}
           make pytest-${{ matrix.test }}
       - uses: ./.github/actions/after-job
         if: always()
@@ -212,10 +205,9 @@ jobs:
 
           export DEV_KUBE_NO_PVC=yes
           export KAT_REQ_LIMIT=900
-          export TEST_XML_DIR=/tmp/test-logs/xml/
           export DEV_KUBECONFIG=~/.kube/config
           export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }}
-          mkdir -p ${TEST_XML_DIR}
+          export PYTEST_ARGS=' --cov-branch --cov=ambassador --cov-report html:/tmp/cov_html '
           make pytest-${{ matrix.test }}
       - uses: ./.github/actions/after-job
         if: always()
@@ -258,6 +250,8 @@ jobs:
       DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }}
       # See docker/base-python.docker.gen
       BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
+    outputs:
+      image-tag: ${{ steps.build-image.outputs.image-tag }}
     steps:
       - uses: actions/checkout@v2
         with:
@@ -275,13 +269,47 @@ jobs:
         shell: bash
         run: |
           make push
+      - name: "capture image tag"
+        id: build-image
+        shell: bash
+        run: |
+          echo "::set-output name=image-tag::$(tools/build/version.sh)"
       - name: "make push-dev"
         shell: bash
         run: |
           make push-dev
       - uses: ./.github/actions/after-job
         if: always()
 
+  ######################################################################
+  ######################### CVE Scanning ###############################
+  trivy-container-scan:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      # upload of results to github uses git so checkout of code is needed
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: "Log image-tag"
+        shell: bash
+        run: echo ${{needs.build.outputs.image-tag}}
+      - name: Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{secrets.DEV_REGISTRY}}/emissary:${{needs.build.outputs.image-tag}}"
+          format: "sarif"
+          exit-code: 0 # only warn for now until we have backed it into our processes
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+      - name: Upload Scan to GitHub Security Tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
+
   ##############################################################################
   pass:
     name: "job-promote-to-passed" # This is the job name that the branch protection looks for
@@ -294,6 +322,7 @@ jobs:
       - check-pytest
       - check-pytest-unit
       - check-chart
+      - trivy-container-scan
     runs-on: ubuntu-latest
     steps:
       - name: No-Op

diff --git a/.github/workflows/generate-base-python.yml b/.github/workflows/generate-base-python.yml
@@ -0,0 +1,44 @@
+name: generate-base-python
+on:
+  schedule:
+    # run 15 minutes after midnight (UTC) weekly on sundays
+    # used https://crontab.guru/ to generate
+    - cron: '15 0 * * SUN'
+jobs:
+  generate: ####################################################################
+      runs-on: ubuntu-latest
+      env:
+        # See docker/base-python.docker.gen
+        BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
+      steps:
+        - uses: actions/checkout@v2
+          with:
+            fetch-depth: 0
+        - name: Install Deps
+          uses: ./.github/actions/setup-deps
+        - name: "Git Login"
+          run: |
+            if [[ -n '${{ secrets.GHA_SSH_KEY }}' ]]; then
+              install -m700 -d ~/.ssh
+              install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}'
+            fi
+        - name: "Docker Login"
+          uses: docker/login-action@v1
+          with:
+            registry: ${{ (!startsWith(secrets.RELEASE_REGISTRY, 'docker.io/')) && secrets.RELEASE_REGISTRY || null }}
+            username: ${{ secrets.GH_DOCKER_RELEASE_USERNAME }}
+            password: ${{ secrets.GH_DOCKER_RELEASE_TOKEN }}
+        - name: "'make generate'"
+          shell: bash
+          run: |
+            make generate
+        - uses: ./.github/actions/git-dirty-check
+          name: "Check Git not dirty from 'make generate'"
+        - name: "'make generate' (again!)"
+          shell: bash
+          run: |
+            make generate
+        - uses: ./.github/actions/git-dirty-check
+          name: "Check Git not dirty from 'make generate' (again!)"
+        - uses: ./.github/actions/after-job
+          if: always()
diff --git a/.gitignore b/.gitignore
@@ -116,3 +116,6 @@ ambassador-secrets-deployment.yaml
 # 2022-01-31
 /docker/container.txt
 /docker/container.txt.stamp
+
+# telepresence
+emissary-agent.env