mesosphere · mhrabovcin · Dec 27, 2023 · Dec 21, 2023 · Dec 27, 2023 · Dec 27, 2023
diff --git a/.github/workflows/check-licenses.yaml b/.github/workflows/check-licenses.yaml
@@ -0,0 +1,36 @@
+name: Check licenses.d2iq.yaml
+on:
+  pull_request:
+    types: [opened, reopened]
+  workflow_dispatch: {}
+
+env:
+  # see release.mk
+  IMAGES_TXT_PATH: _build/dkp_catalog_images_whitelisted.txt
+
+jobs:
+  check-license-yaml:
+    runs-on:
+    - self-hosted
+    - small
+    name: Check licenses.d2iq.yaml
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.head_ref }}
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 'stable'
+      - name: Generate image list
+        run: |
+          make release.whitelisted-images
+          cat ${{ env.IMAGES_TXT_PATH }}
+      - name: Run validation
+        uses: docker://mesosphere/dkp-licenses-cli:licenses-v0.0.11
+        with:
+          args: validate container-images-mapping --input=${{ env.IMAGES_TXT_PATH }} --mapping-file=licenses.d2iq.yaml --check-sources --output-format=github
+        env:
+          GITHUB_TOKEN: "${{ secrets.MESOSPHERECI_USER_TOKEN }}"
diff --git a/licenses.d2iq.yaml b/licenses.d2iq.yaml
@@ -0,0 +1,83 @@
+resources:
+  - container_image: docker.io/lachlanevenson/k8s-kubectl:v1.23.2
+    sources:
+      - url: https://github.com/lachie83/k8s-kubectl
+        ref: ${image_tag}
+        license_path: LICENSE
+  - container_image: docker.io/lachlanevenson/k8s-kubectl:v1.25.4
+    sources:
+      - url: https://github.com/lachie83/k8s-kubectl
+        ref: ${image_tag}
+        license_path: LICENSE
+  - container_image: docker.io/mesosphere/zookeeper-operator:0.2.14-d2iq
+    sources:
+      - url: https://github.com/mesosphere/zookeeper-operator
+        ref: v${image_tag}
+        license_path: LICENSE
+  - container_image: docker.io/pravega/zookeeper-operator:0.2.15
+    sources:
+      - url: https://github.com/pravega/zookeeper-operator
+        ref: v${image_tag}
+        license_path: LICENSE
+  - container_image: docker.io/pravega/zookeeper:0.2.13
+    sources:
+      - url: https://github.com/pravega/zookeeper-operator
+        ref: v${image_tag}
+        license_path: LICENSE
+  - container_image: docker.io/pravega/zookeeper:0.2.14
+    sources:
+      - url: https://github.com/pravega/zookeeper-operator
+        ref: v${image_tag}
+        license_path: LICENSE
+  - container_image: docker.io/pravega/zookeeper:0.2.15
+    sources:
+      - url: https://github.com/pravega/zookeeper-operator
+        ref: v${image_tag}
+        license_path: LICENSE
+  - container_image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+    sources:
+      - url: https://github.com/brancz/kube-rbac-proxy
+        ref: ${image_tag}
+        license_path: LICENSE
+  - container_image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
+    sources:
+      - url: https://github.com/brancz/kube-rbac-proxy
+        ref: ${image_tag}
+        license_path: LICENSE
+  - container_image: ghcr.io/banzaicloud/cruise-control:2.5.101
+    sources:
+      - url: https://github.com/banzaicloud/docker-cruise-control
+        ref: ${image_tag}
+        license_path: LICENSE
+  - container_image: ghcr.io/banzaicloud/cruise-control:2.5.123
+    sources:
+      - url: https://github.com/banzaicloud/docker-cruise-control
+        ref: ${image_tag}
+        license_path: LICENSE
+  - container_image: ghcr.io/banzaicloud/jmx-javaagent:0.16.1
+    sources:
+      - url: https://github.com/banzaicloud/docker-jmx-exporter
+        ref: ${image_tag}
+        license_path: LICENSE
+  - container_image: ghcr.io/banzaicloud/kafka-operator:v0.23.0-dev.0
+    sources:
+      - url: https://github.com/banzaicloud/koperator
+        ref: ${image_tag}
+        license_path: LICENSE
+        notice_path: NOTICE
+  - container_image: ghcr.io/banzaicloud/kafka-operator:v0.25.1
+    sources:
+      - url: https://github.com/banzaicloud/koperator
+        ref: ${image_tag}
+        license_path: LICENSE
+        notice_path: NOTICE
+  - container_image: ghcr.io/banzaicloud/kafka:2.13-3.1.0
+    sources:
+      - url: https://github.com/banzaicloud/docker-kafka
+        ref: ${image_tag}
+        license_path: LICENSE
+  - container_image: ghcr.io/banzaicloud/kafka:2.13-3.1.2
+    sources:
+      - url: https://github.com/banzaicloud/docker-kafka
+        ref: ${image_tag}
+        license_path: LICENSE
diff --git a/make/release.mk b/make/release.mk
@@ -3,6 +3,7 @@ IMAGE_TAR_FILE := $(BUILD_DIR)/dkp-catalog-applications-image-bundle.tar
 REPO_ARCHIVE_FILE := $(BUILD_DIR)/dkp-catalog-applications.tar.gz
 CHART_BUNDLE := $(BUILD_DIR)/dkp-catalog-applications-chart-bundle.tar.gz
 CATALOG_IMAGES_TXT := $(BUILD_DIR)/dkp_catalog_images.txt
+CATALOG_IMAGES_TXT_WHITELISTED := $(BUILD_DIR)/dkp_catalog_images_whitelisted.txt
 RELEASE_S3_BUCKET ?= downloads.mesosphere.io
 
 CATALOG_APPLICATIONS_VERSION ?= ""
@@ -20,17 +21,24 @@ release.save-images.tar:
 	@$(MINDTHEGAP_BIN) create image-bundle --platform linux/amd64 --images-file $(CATALOG_IMAGES_TXT) --output-file $(IMAGE_TAR_FILE)
 	@ls -latrh $(IMAGE_TAR_FILE)
 
+
+.PHONY: release.whitelisted-images
+release.whitelisted-images: $(GOJQ_BIN) $(BUILD_DIR)
+release.whitelisted-images:
+	$(call print-target)
+	$(GOJQ_BIN) -r --yaml-input \
+		--argjson whitelist '$(shell $(GOJQ_BIN) -rc --yaml-input '.' hack/cve/whitelist.yaml)' \
+		'with_entries( select( .key | IN($$whitelist[]) ) ) | flatten | sort | unique' hack/images.yaml > $(CATALOG_IMAGES_TXT_WHITELISTED)
+
 .PHONY: cve-reporter.push-images
-cve-reporter.push-images: $(GOJQ_BIN) $(BUILD_DIR)
+cve-reporter.push-images: $(GOJQ_BIN)
+cve-reporter.push-images: release.whitelisted-images 
 cve-reporter.push-images: CVE_REPORTER_PROJECT_VERSION ?= main
 cve-reporter.push-images:
 	$(call print-target)
-	$(GOJQ_BIN) -r --yaml-input \
-		--argjson whitelist '$(shell $(GOJQ_BIN) -rc --yaml-input '.' hack/cve/whitelist.yaml)' \
-		'with_entries( select( .key | IN($$whitelist[]) ) ) | flatten | sort | unique' hack/images.yaml > $(CATALOG_IMAGES_TXT)
 	TMP_IMAGES_JSON=$$(mktemp) && \
 	$(GOJQ_BIN) --arg DKP_CATALOG_VERSION $(CVE_REPORTER_PROJECT_VERSION) \
-		-r -f ./hack/cve/convert-images-json.jq $(CATALOG_IMAGES_TXT) > $$TMP_IMAGES_JSON && \
+		-r -f ./hack/cve/convert-images-json.jq $(CATALOG_IMAGES_TXT_WHITELISTED) > $$TMP_IMAGES_JSON && \
 	CVE_REPORTER_PROJECT_VERSION=$(CVE_REPORTER_PROJECT_VERSION) ./hack/cve/push-images.sh $$TMP_IMAGES_JSON && \
 	rm -f $$TMP_IMAGES_JSON