chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <[email protected]>

.github/workflows/coverage.yml

@@ -0,0 +1,102 @@
+name: Coverage
+on:
+  push:
+    branches:
+      - "main"
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches:
+      - "main"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  compliance:
+    name: "License Compliance"
+    runs-on: ubuntu-24.04
+    steps:
+      - name: "Checkout Code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.FOSSA_API_KEY }}
+      - name: "Run FOSSA Scan"
+        if: steps.checksecret.outputs.result == 'true'
+        uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+      - name: "Run FOSSA Test"
+        if: steps.checksecret.outputs.result == 'true'
+        uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          run-tests: true
+  sast:
+    name: "SAST"
+    runs-on: ubuntu-24.04
+    env:
+      GO111MODULE: on
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0
+        with:
+          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40
+        with:
+          sarif_file: gosec.sarif
+  unit_tests:
+    name: "Unit tests"
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Unit Test
+        run: make test
+      - name: Upload Coverage Results
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
+        with:
+          name: code-coverage
+          path: coverage.out
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload Report to Codecov
+        if: steps.checksecret.outputs.result == 'true'
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+        with:
+          file: ./coverage.out
+          fail_ci_if_error: true
+          verbose: true
+  coverage_upload:
+    name: "Code coverage report"
+    if: github.event_name == 'pull_request' # Do not run when workflow is triggered by push to main branch
+    runs-on: ubuntu-24.04
+    needs: unit_tests # Depends on the artifact uploaded by the "unit_tests" job
+    permissions:
+      contents: read
+      actions: read  # to download code coverage results from "test" job
+      pull-requests: write # write permission needed to comment on PR
+    steps:
+      - uses: fgrosse/go-coverage-report@8c1d1a09864211d258937b1b1a5b849f7e4f2682 # Consider using a Git revision for maximum security
+        with:
+          coverage-artifact-name: "code-coverage" # can be omitted if you used this default value
+          coverage-file-name: "coverage.txt" #

.golangci.yml

@@ -57,11 +57,10 @@ linters:
     - deadcode
     - ifshort
     - nonamedreturns
-service:
-  golangci-lint-version: 1.56.x
 run:
   timeout: 3m
-  go: '1.21'
+  allow-parallel-runners: true
+  tests: false
   skip-files:
     - "zz_.*\\.go$"
     - ".+\\.generated.go"

.pre-commit-config.yaml

@@ -35,23 +35,24 @@ repos:
     entry: make helm-lint
     language: system
     files: ^charts/
-  - id: golangci-lint
-    name: Execute golangci-lint
-    entry: make golint
-    language: system
-    files: \.go$
-- repo: https://github.com/tekwizely/pre-commit-golang
-  rev: v1.0.0-rc.1
-  hooks:
-  - id: go-vet
-  - id: go-vet-mod
-  - id: go-vet-pkg
-  - id: go-vet-repo-mod
-  - id: go-vet-repo-pkg
-  - id: go-revive
-  - id: go-revive-mod
-  - id: go-revive-repo-mod
-  - id: go-sec-mod
-  - id: go-sec-pkg
-  - id: go-sec-repo-mod
-  - id: go-sec-repo-pkg
+  # Currently too slow smw
+  # - id: golangci-lint
+  #   name: Execute golangci-lint
+  #   entry: make golint
+  #   language: system
+  #   files: \.go$
+# - repo: https://github.com/tekwizely/pre-commit-golang
+#  rev: v1.0.0-rc.1
+#  hooks:
+#  - id: go-vet
+#  - id: go-vet-mod
+#  - id: go-vet-pkg
+#  - id: go-vet-repo-mod
+#  - id: go-vet-repo-pkg
+#  - id: go-revive
+#  - id: go-revive-mod
+#  - id: go-revive-repo-mod
+#  - id: go-sec-mod
+#  - id: go-sec-pkg
+#  - id: go-sec-repo-mod
+#  - id: go-sec-repo-pkg

Makefile

@@ -58,8 +58,8 @@ run: generate manifests
 	go run .
 
 # Generate manifests e.g. CRD, RBAC etc.
-manifests: controller-gen
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule/crds
+manifests: generate
+	$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=charts/capsule/crds
 
 # Generate code
 generate: controller-gen
@@ -216,7 +216,7 @@ goimports:
 # Linting code as PR is expecting
 .PHONY: golint
 golint: golangci-lint
-	$(GOLANGCI_LINT) run -c .golangci.yml
+	$(GOLANGCI_LINT) run -c .golangci.yml --verbose --fix
 
 # Running e2e tests in a KinD instance
 .PHONY: e2e

pkg/webhook/route/cordoning.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/cordoning,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=create;update;delete,versions="*",name=cordoning.tenant.projectcapsule.dev
-
 type cordoning struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/defaults.go

@@ -7,10 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=pod.defaults.projectcapsule.dev
-// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=storage.defaults.projectcapsule.dev
-// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.defaults.projectcapsule.dev
-
 type defaults struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/ingresses.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/ingresses,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io;extensions,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.projectcapsule.dev
-
 type ingress struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/namespaces.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/namespaces,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update;delete,versions=v1,name=namespaces.projectcapsule.dev
-
 type namespace struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/networkpolicies.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/networkpolicies,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="networking.k8s.io",resources=networkpolicies,verbs=update;delete,versions=v1,name=networkpolicies.projectcapsule.dev
-
 type networkPolicy struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/node.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/nodes,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=nodes,verbs=update,versions=v1,name=nodes.projectcapsule.dev
-
 type node struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/ownerreference.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/namespace-owner-reference,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update,versions=v1,name=owner.namespace.projectcapsule.dev
-
 type webhook struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/pods.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/pods,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create;update,versions=v1,name=pods.projectcapsule.dev
-
 type pod struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/pvc.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/persistentvolumeclaims,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=pvc.projectcapsule.dev
-
 type pvc struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/services.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/services,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=services,verbs=create;update,versions=v1,name=services.projectcapsule.dev
-
 type service struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/tenantresource_objs.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/tenantresource-objects,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=update;delete,versions="*",name=resource-objects.tenant.projectcapsule.dev
-
 type tntResourceObjs struct {
 	handlers []capsulewebhook.Handler
 }

pkg/webhook/route/tenants.go

@@ -7,8 +7,6 @@ import (
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 )
 
-// +kubebuilder:webhook:path=/tenants,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="capsule.clastix.io",resources=tenants,verbs=create;update;delete,versions=v1beta2,name=tenants.projectcapsule.dev
-
 type tenant struct {
 	handlers []capsulewebhook.Handler
 }