Merge branch 'master' into default-subnet-custom-vpc

kubeovn · Jul 24, 2024 · f6d38a5 · f6d38a5
2 parents 58a4b80 + af95247
commit f6d38a5
Show file tree

Hide file tree

Showing 158 changed files with 6,327 additions and 2,378 deletions.
diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml
@@ -23,9 +23,9 @@ concurrency:
 env:
   GO_VERSION: ''
   KIND_VERSION: v0.23.0
-  GOSEC_VERSION: '2.20.0'
-  HELM_VERSION: v3.14.4
-  SUBMARINER_VERSION: '0.17.1'
+  GOLANGCI_LINT_VERSION: 'v1.59.1'
+  HELM_VERSION: v3.15.3
+  SUBMARINER_VERSION: '0.18.0'
 
 jobs:
   build-kube-ovn-base:
@@ -167,14 +167,9 @@ jobs:
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
           make ut
 
-      - name: Install gosec
+      - name: Install golangci-lint
         run: |
-          tmp=$(mktemp -d)
-          archive="gosec_${{ env.GOSEC_VERSION }}_$(go env GOHOSTOS)_$(go env GOHOSTARCH).tar.gz"
-          wget -q -O "$tmp/$archive" https://github.com/securego/gosec/releases/download/v${{ env.GOSEC_VERSION }}/$archive
-          tar --no-same-owner -C "$tmp" -xzf "$tmp/$archive"
-          install "$tmp/gosec" /usr/local/bin
-          rm -rf $tmp
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GOLANGCI_LINT_VERSION
 
       - name: Download base images
         if: needs.build-kube-ovn-base.outputs.build-base == 1
@@ -1165,7 +1160,7 @@ jobs:
           done
 
       - name: Cleanup
-        run: sh -x dist/images/cleanup.sh
+        run: timeout -k 10 180 sh -x dist/images/cleanup.sh
 
   kube-ovn-ic-conformance-e2e:
     name: Kube-OVN IC Conformance E2E
@@ -1573,7 +1568,7 @@ jobs:
         run: make check-kube-ovn-pod-restarts
 
       - name: Cleanup
-        run: sh -x dist/images/cleanup.sh
+        run: timeout -k 10 180 sh -x dist/images/cleanup.sh
 
   no-ovn-lb-test:
     name: Disable OVN LB Test
@@ -1623,7 +1618,7 @@ jobs:
         run: make check-kube-ovn-pod-restarts
 
       - name: Cleanup
-        run: sh -x dist/images/cleanup.sh
+        run: timeout -k 10 180 sh -x dist/images/cleanup.sh
 
   no-np-test:
     name: Disable Network Policy Test
@@ -1673,7 +1668,7 @@ jobs:
         run: make check-kube-ovn-pod-restarts
 
       - name: Cleanup
-        run: sh -x dist/images/cleanup.sh
+        run: timeout -k 10 180 sh -x dist/images/cleanup.sh
 
   lb-svc-e2e:
     name: LB Service E2E
@@ -1991,7 +1986,7 @@ jobs:
           path: installation-compatibility-test-ko-log.tar.gz
 
       - name: Cleanup
-        run: sh -x dist/images/cleanup.sh
+        run: timeout -k 10 180 sh -x dist/images/cleanup.sh
 
   cilium-chaining-e2e:
     name: Cilium Chaining E2E
@@ -2151,7 +2146,7 @@ jobs:
         run: make check-kube-ovn-pod-restarts
 
       - name: Cleanup
-        run: sh -x dist/images/cleanup.sh
+        run: timeout -k 10 180 sh -x dist/images/cleanup.sh
 
   kube-ovn-ha-e2e:
     name: Kube-OVN HA E2E
@@ -2284,7 +2279,7 @@ jobs:
         run: make check-kube-ovn-pod-restarts
 
       - name: Cleanup
-        run: sh -x dist/images/cleanup.sh
+        run: timeout -k 10 180 sh -x dist/images/cleanup.sh
 
   kube-ovn-submariner-conformance-e2e:
     name: Kube-OVN Submariner Conformance E2E
@@ -2377,7 +2372,7 @@ jobs:
         run: make check-kube-ovn-pod-restarts
 
       - name: Cleanup
-        run: sh -x dist/images/cleanup.sh
+        run: timeout -k 10 180 sh -x dist/images/cleanup.sh
 
   iptables-vpc-nat-gw-conformance-e2e:
     name: Iptables VPC NAT Gateway E2E

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
diff --git a/.golangci.yml b/.golangci.yml
@@ -15,6 +15,13 @@ linters:
     - unconvert
     - unused
     - errcheck
+    - gosec
+    - govet
+    - perfsprint
+    - usestdlibvars
+    - loggercheck
+    - whitespace
+    - errorlint
 
 issues:
   max-same-issues: 0
@@ -31,10 +38,20 @@ issues:
     - linters:
         - revive
       text: "VpcDnsList should be VpcDNSList" # api param not change
+    - linters:
+        - gosec
+      path: _test\.go
+    - linters:
+        - gosec
+      path: test/
 
 linters-settings:
   goimports:
     local-prefixes: github.com/kubeovn/kube-ovn
   gofumpt:
     extra-rules: true
+  perfsprint:
+    strconcat: false
+  errorlint:
+    asserts: false
 
diff --git a/Makefile b/Makefile
@@ -27,21 +27,21 @@ endif
 
 CONTROL_PLANE_TAINTS = node-role.kubernetes.io/master node-role.kubernetes.io/control-plane
 
-FRR_VERSION = 9.0.2
+FRR_VERSION = 9.1.1
 FRR_IMAGE = quay.io/frrouting/frr:$(FRR_VERSION)
 
-CLAB_IMAGE = ghcr.io/srl-labs/clab:0.54.2
+CLAB_IMAGE = ghcr.io/srl-labs/clab:0.56.0
 
 MULTUS_VERSION = v4.0.2
 MULTUS_IMAGE = ghcr.io/k8snetworkplumbingwg/multus-cni:$(MULTUS_VERSION)-thick
 MULTUS_YAML = https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni/$(MULTUS_VERSION)/deployments/multus-daemonset-thick.yml
 
-METALLB_VERSION = 0.14.5
+METALLB_VERSION = 0.14.7
 METALLB_CHART_REPO = https://metallb.github.io/metallb
 METALLB_CONTROLLER_IMAGE = quay.io/metallb/controller:v$(METALLB_VERSION)
 METALLB_SPEAKER_IMAGE = quay.io/metallb/speaker:v$(METALLB_VERSION)
 
-KUBEVIRT_VERSION = v1.2.1
+KUBEVIRT_VERSION = v1.3.0
 KUBEVIRT_OPERATOR_IMAGE = quay.io/kubevirt/virt-operator:$(KUBEVIRT_VERSION)
 KUBEVIRT_API_IMAGE = quay.io/kubevirt/virt-api:$(KUBEVIRT_VERSION)
 KUBEVIRT_CONTROLLER_IMAGE = quay.io/kubevirt/virt-controller:$(KUBEVIRT_VERSION)
@@ -50,16 +50,16 @@ KUBEVIRT_LAUNCHER_IMAGE = quay.io/kubevirt/virt-launcher:$(KUBEVIRT_VERSION)
 KUBEVIRT_OPERATOR_YAML = https://github.com/kubevirt/kubevirt/releases/download/$(KUBEVIRT_VERSION)/kubevirt-operator.yaml
 KUBEVIRT_CR_YAML = https://github.com/kubevirt/kubevirt/releases/download/$(KUBEVIRT_VERSION)/kubevirt-cr.yaml
 
-CILIUM_VERSION = 1.15.5
+CILIUM_VERSION = 1.15.7
 CILIUM_IMAGE_REPO = quay.io/cilium
 
-CERT_MANAGER_VERSION = v1.14.5
+CERT_MANAGER_VERSION = v1.15.1
 CERT_MANAGER_CONTROLLER = quay.io/jetstack/cert-manager-controller:$(CERT_MANAGER_VERSION)
 CERT_MANAGER_CAINJECTOR = quay.io/jetstack/cert-manager-cainjector:$(CERT_MANAGER_VERSION)
 CERT_MANAGER_WEBHOOK = quay.io/jetstack/cert-manager-webhook:$(CERT_MANAGER_VERSION)
 CERT_MANAGER_YAML = https://github.com/cert-manager/cert-manager/releases/download/$(CERT_MANAGER_VERSION)/cert-manager.yaml
 
-SUBMARINER_VERSION = $(shell echo $${SUBMARINER_VERSION:-0.17.1})
+SUBMARINER_VERSION = $(shell echo $${SUBMARINER_VERSION:-0.18.0})
 SUBMARINER_OPERATOR = quay.io/submariner/submariner-operator:$(SUBMARINER_VERSION)
 SUBMARINER_GATEWAY = quay.io/submariner/submariner-gateway:$(SUBMARINER_VERSION)
 SUBMARINER_LIGHTHOUSE_AGENT = quay.io/submariner/lighthouse-agent:$(SUBMARINER_VERSION)
@@ -78,7 +78,7 @@ DEEPFLOW_GRAFANA_NODE_PORT = 30080
 DEEPFLOW_MAPPED_PORTS = $(DEEPFLOW_SERVER_NODE_PORT),$(DEEPFLOW_SERVER_GRPC_PORT),$(DEEPFLOW_SERVER_HTTP_PORT),$(DEEPFLOW_GRAFANA_NODE_PORT)
 DEEPFLOW_CTL_URL = https://deepflow-ce.oss-cn-beijing.aliyuncs.com/bin/ctl/$(DEEPFLOW_VERSION)/linux/$(shell arch | sed 's|x86_64|amd64|' | sed 's|aarch64|arm64|')/deepflow-ctl
 
-KWOK_VERSION = v0.5.2
+KWOK_VERSION = v0.6.0
 KWOK_IMAGE = registry.k8s.io/kwok/kwok:$(KWOK_VERSION)
 
 VPC_NAT_GW_IMG = $(REGISTRY)/vpc-nat-gateway:$(VERSION)
@@ -972,16 +972,7 @@ uninstall:
 
 .PHONY: lint
 lint:
-	@gofmt -d .
-	@if [ $$(gofmt -l . | wc -l) -ne 0 ]; then \
-		echo "Code differs from gofmt's style" 1>&2 && exit 1; \
-	fi
-	@GOOS=linux go vet ./...
-	@GOOS=linux gosec -exclude-dir=test -exclude-dir=pkg/client ./...
-
-.PHONY: gofumpt
-gofumpt:
-	gofumpt -w -extra .
+	golangci-lint run -v
 
 .PHONY: lint-windows
 lint-windows:
@@ -1026,3 +1017,9 @@ clean:
 .PHONY: changelog
 changelog:
 	./hack/changelog.sh > CHANGELOG.md
+
+.PHONY: local-dev
+local-dev: build-go
+	docker buildx build --platform linux/amd64 -t $(REGISTRY)/kube-ovn:$(RELEASE_TAG) --build-arg VERSION=$(RELEASE_TAG) -o type=docker -f dist/images/Dockerfile dist/images/
+	docker buildx build --platform linux/amd64 -t $(REGISTRY)/vpc-nat-gateway:$(RELEASE_TAG) -o type=docker -f dist/images/vpcnatgateway/Dockerfile dist/images/vpcnatgateway
+	@$(MAKE) kind-init kind-install
diff --git a/charts/kube-ovn/templates/central-deploy.yaml b/charts/kube-ovn/templates/central-deploy.yaml
@@ -45,10 +45,15 @@ spec:
           image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: 
+          - bash
           - /kube-ovn/start-db.sh
           securityContext:
+            runAsUser: 0
+            privileged: false
             capabilities:
-              add: ["SYS_NICE"]
+              add:
+                - NET_BIND_SERVICE
+                - SYS_NICE
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"

diff --git a/charts/kube-ovn/templates/controller-deploy.yaml b/charts/kube-ovn/templates/controller-deploy.yaml
@@ -116,13 +116,24 @@ spec:
           - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }}
           - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
           - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
+          - --secure-serving={{- .Values.func.SECURE_SERVING }}
+          securityContext:
+            runAsUser: 0
+            privileged: false
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"
             - name: POD_NAME
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
             - name: KUBE_NAMESPACE
               valueFrom:
                 fieldRef:
@@ -133,6 +144,10 @@ spec:
                   fieldPath: spec.nodeName
             - name: OVN_DB_IPS
               value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: POD_IPS
               valueFrom:
                 fieldRef:
@@ -154,12 +169,14 @@ spec:
             exec:
               command:
                 - /kube-ovn/kube-ovn-controller-healthcheck
+                - --tls={{- .Values.func.SECURE_SERVING }}
             periodSeconds: 3
             timeoutSeconds: 45
           livenessProbe:
             exec:
               command:
                 - /kube-ovn/kube-ovn-controller-healthcheck
+                - --tls={{- .Values.func.SECURE_SERVING }}
             initialDelaySeconds: 300
             periodSeconds: 7
             failureThreshold: 5

diff --git a/charts/kube-ovn/templates/monitor-deploy.yaml b/charts/kube-ovn/templates/monitor-deploy.yaml
@@ -44,6 +44,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/kube-ovn/start-ovn-monitor.sh"]
           args:
+          - --secure-serving={{- .Values.func.SECURE_SERVING }}
           - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log
           - --logtostderr=false
           - --alsologtostderr=true
@@ -58,6 +59,18 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: POD_IPS
               valueFrom:
                 fieldRef: