diff --git a/.github/workflows/dlc.yml b/.github/workflows/dlc.yml
new file mode 100644
index 000000000..a8c5f5047
--- /dev/null
+++ b/.github/workflows/dlc.yml
@@ -0,0 +1,64 @@
+name: Dependency License Checks
+
+on:
+ push:
+ branches:
+ - main
+ - release-*
+ paths:
+ - "go.mod"
+ pull_request:
+ paths:
+ - "go.mod"
+ workflow_dispatch: {}
+env:
+ # Common versions
+ GO_VERSION: '1.17'
+ GOLANGCI_VERSION: 'v1.42.1'
+ KUBERNETES_VERSION: '1.23.x'
+ DOCKER_BUILDX_VERSION: 'v0.4.2'
+
+ # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
+ # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
+ # credentials have been provided before trying to run steps that need them.
+ GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
+
+ # Sonar
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+jobs:
+ license-check:
+ runs-on: ubuntu-18.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Setup Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: ${{ env.GO_VERSION }}
+
+ - name: Find the Go Cache
+ id: go
+ run: |
+ echo "::set-output name=build-cache::$(go env GOCACHE)"
+ echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
+
+ - name: Cache the Go Build Cache
+ uses: actions/cache@v3
+ with:
+ path: ${{ steps.go.outputs.build-cache }}
+ key: ${{ runner.os }}-build-check-diff-${{ hashFiles('**/go.sum') }}
+ restore-keys: ${{ runner.os }}-build-check-diff-
+
+ - name: Cache Go Dependencies
+ uses: actions/cache@v3
+ with:
+ path: ${{ steps.go.outputs.mod-cache }}
+ key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
+ restore-keys: ${{ runner.os }}-pkg-
+
+ - name: License Checks
+ run: |
+ go install github.com/google/go-licenses@latest
+ make license.check
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 603480459..8bb466699 100644
--- a/Makefile
+++ b/Makefile
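Review bot: The job-wide `env` copies `GHCR_USERNAME` and `SONAR_TOKEN` out of `secrets`, but none of the six steps in `license-check` reads either of them, so the only effect is to expose two credentials to every step, including the third-party actions and the freshly downloaded `go-licenses` binary. Drop the two lines `GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}` and `SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}` (and their comments) from this workflow; the explanatory comment describes a pattern other workflows presumably rely on, but it does not apply here. The `License Checks` step also installs `github.com/google/go-licenses@latest`, an unpinned tool that runs on every `pull_request` touching `go.mod`; pin it to a tagged release (`go install github.com/google/go-licenses@<tag>`) so the check is reproducible and a compromised or broken upstream release cannot silently change what passes. Since the job only needs to read the repository, a top-level `permissions: { contents: read }` block would make the token scope explicit; the `ubuntu-18.04` runner and `::set-output` syntax are both deprecated and worth updating while the file is new.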
@@ -16,6 +16,8 @@ all: $(addprefix build-,$(ARCH))
# Image registry for build/push image targets
export IMAGE_REGISTRY ?= ghcr.io/external-secrets/external-secrets
+#Valid licenses for license.check
+LICENSES ?= Apache-2.0|MIT|BSD-3-Clause|ISC|MPL-2.0|BSD-2-Clause|Unknown
BUNDLE_DIR ?= deploy/crds
CRD_DIR ?= config/crds
@@ -68,6 +70,19 @@ FAIL = (echo ${TIME} ${RED}[FAIL]${CNone} && false)
reviewable: generate helm.generate lint ## Ensure a PR is ready for review.
@go mod tidy
+golicenses.check: ## Check install of go-licenses
+ @if ! go-licenses >> /dev/null 2>&1; then \
+ echo -e "\033[0;33mgo-licenses is not installed: run go install github.com/google/go-licenses@latest" ; \
+ exit 1; \
+ fi
+
+license.check: golicenses.check
+ @$(INFO) running dependency license checks
+ @ok=0; go-licenses csv github.com/external-secrets/external-secrets 2>/dev/null | \
+ grep -v -E '${LICENSES}' | \
+ tr "," " " | awk '{print "Invalid License " $$3 " for dependency " $$1 }'|| ok=1; \
+ if [[ $$ok -eq 1 ]]; then $(OK) dependencies are compliant; else $(FAIL); fi
+
check-diff: reviewable ## Ensure branch is clean.
@$(INFO) checking that branch is clean
@test -z "$$(git status --porcelain)" || (echo "$$(git status --porcelain)" && $(FAIL))
diff --git a/deploy/charts/external-secrets/README.md b/deploy/charts/external-secrets/README.md
index 729773e16..7e2fb475e 100644
--- a/deploy/charts/external-secrets/README.md
+++ b/deploy/charts/external-secrets/README.md
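Review bot: In `license.check` the pass/fail decision is driven by `|| ok=1` on a pipeline whose last command is `awk`, which exits 0 whether or not it printed any "Invalid License" line, so without `pipefail` in the recipe shell (not visible in this hunk) `ok` stays 0 and the target always hits `$(FAIL)`; if the project's shell does set `pipefail`, the inverted meaning makes a failing `go-licenses` invocation (whose stderr is discarded by `2>/dev/null`) exit non-zero and be reported as "dependencies are compliant". Two smaller gaps compound this: `Unknown` is in the `LICENSES` allow-list, so any dependency whose license go-licenses cannot classify passes silently, and the unanchored `grep -v -E '${LICENSES}'` matches the pattern anywhere in the CSV line, so a module path or URL containing `MIT` or `ISC` is accepted regardless of its actual license column. I would capture the report first, fail hard if go-licenses itself fails, and match the license column exactly with awk, as below; dropping `Unknown` from `LICENSES` (and deciding explicitly how unclassified dependencies are handled) belongs with the same change.

```make
license.check: golicenses.check
	@$(INFO) running dependency license checks
	@report=$$(go-licenses csv github.com/external-secrets/external-secrets) || { $(FAIL); exit 1; }; \
	bad=$$(printf '%s\n' "$$report" | awk -F, '$$3 !~ /^(${LICENSES})$$/ {print "Invalid License " $$3 " for dependency " $$1}'); \
	if [ -z "$$bad" ]; then $(OK) dependencies are compliant; else echo "$$bad"; $(FAIL); fi
```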
@@ -115,7 +115,7 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
| webhook.podLabels | object | `{}` | |
| webhook.podSecurityContext | object | `{}` | |
-| webhook.port | int | `443` | The port the webhook will listen to |
+| webhook.port | int | `10250` | The port the webhook will listen to |
| webhook.priorityClassName | string | `""` | Pod priority class name. |
| webhook.prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
| webhook.prometheus.service.port | int | `8080` | |