chore: fix vulnerabilities and CI failures

.github/workflows/e2e-build.yaml

@@ -20,7 +20,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
       - name: Setup buildx instance
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -63,7 +63,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
       - name: Setup buildx instance
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -105,7 +105,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
       - name: Setup buildx instance
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -147,7 +147,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
       - name: Setup buildx instance
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

.github/workflows/e2e-test.yaml

@@ -61,7 +61,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
       - name: Set env
         run: |

.github/workflows/release-pr.yaml

@@ -25,7 +25,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
 
       - name: Set release version and target branch for vNext

.github/workflows/test.yaml

@@ -52,7 +52,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
       - name: lint manager
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
@@ -93,7 +93,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
       - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
@@ -128,7 +128,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.21"
+          go-version: "1.25"
           check-latest: true
       - name: Check go.mod and manifests
         run: |

.golangci.yaml

@@ -1,40 +1,42 @@
-run:
-  timeout: 5m
-
-linters-settings:
-  gocritic:
-    enabled-tags:
-    - performance
-  gosec:
-    excludes:
-    - G108
-  lll:
-    line-length: 200
+version: "2"
 
-  misspell:
-    locale: US
-  staticcheck:
-    go: "1.21"
+run:
+  go: "1.23"
 
 linters:
-  disable-all: true
+  default: none
   enable:
     - errcheck
-    - exportloopref
+    - copyloopvar # replacement for exportloopref
     - forcetypeassert
     - gocritic
     - goconst
     - godot
-    - gofmt
-    - gofumpt
-    - goimports
     - gosec
-    - gosimple
     - govet
     - ineffassign
     - misspell
-    - revive # replacement for golint
-    - staticcheck
-    - typecheck
+    # - revive # replacement for golint
+    - staticcheck # includes gosimple and staticcheck
     - unused
     - whitespace
+  settings:
+    gocritic:
+      enabled-tags:
+      - performance
+    gosec:
+      excludes:
+      - G108
+    lll:
+      line-length: 200
+    misspell:
+      locale: US
+  exclusions:
+    paths:
+      - "docs/build/assets/files/.*\\.go"
+
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+    - goimports

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1.6
 
 # Default Trivy binary image, overwritten by Makefile
-ARG TRIVY_BINARY_IMG="ghcr.io/aquasecurity/trivy:0.50.0"
+ARG TRIVY_BINARY_IMG="ghcr.io/aquasecurity/trivy:0.67.2"
 ARG BUILDKIT_SBOM_SCAN_STAGE=builder,manager-build,collector-build,remover-build,trivy-scanner-build
 
 FROM --platform=$TARGETPLATFORM $TRIVY_BINARY_IMG AS trivy-binary
@@ -70,5 +70,5 @@ COPY --from=trivy-binary /usr/local/bin/trivy /
 WORKDIR /var/lib/trivy
 ENTRYPOINT ["/trivy-scanner"]
 
-FROM gcr.io/distroless/static:nonroot as non-vulnerable
+FROM gcr.io/distroless/static-debian12:nonroot AS non-vulnerable
 COPY --from=builder /tmp /tmp

Makefile

@@ -9,7 +9,7 @@ REMOVER_TAG ?= ${VERSION}
 TRIVY_SCANNER_REPO ?= ghcr.io/eraser-dev/eraser-trivy-scanner
 TRIVY_SCANNER_IMG ?= ${TRIVY_SCANNER_REPO}:${TRIVY_SCANNER_TAG}
 TRIVY_BINARY_REPO ?= ghcr.io/aquasecurity/trivy
-TRIVY_BINARY_TAG ?= 0.48.3
+TRIVY_BINARY_TAG ?= 0.67.2
 TRIVY_BINARY_IMG ?= ${TRIVY_BINARY_REPO}:${TRIVY_BINARY_TAG}
 MANAGER_REPO ?= ghcr.io/eraser-dev/eraser-manager
 MANAGER_IMG ?= ${MANAGER_REPO}:${MANAGER_TAG}
@@ -293,7 +293,7 @@ ENVTEST = $(shell pwd)/bin/setup-envtest
 envtest: __tooling-image bin/setup-envtest
 
 bin/setup-envtest:
-	docker run --rm -v $(shell pwd)/bin:/go/bin -e GO111MODULE=on eraser-tooling go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+	docker run --rm -v $(shell pwd)/bin:/go/bin -e GO111MODULE=on eraser-tooling go install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20240320141353-395cfc7486e6
 
 __controller-gen: __tooling-image
 CONTROLLER_GEN=docker run --rm -v $(shell pwd):/eraser eraser-tooling controller-gen

api/v1alpha1/doc.go

@@ -1,2 +1,3 @@
+// Package v1alpha1 contains API Schema definitions for the eraser v1alpha1 API version.
 // +k8s:conversion-gen=github.com/eraser-dev/eraser/api/unversioned
 package v1alpha1

api/v1alpha2/doc.go

@@ -1,2 +1,3 @@
+// Package v1alpha2 contains API Schema definitions for the eraser v1alpha2 API version.
 // +k8s:conversion-gen=github.com/eraser-dev/eraser/api/unversioned
 package v1alpha2

controllers/configmap/configmap.go

@@ -63,7 +63,7 @@ func Add(mgr manager.Manager, cfg *config.Manager) error {
 	}
 
 	err = c.Watch(
-		&source.Kind{Type: &corev1.ConfigMap{}},
+		source.Kind(mgr.GetCache(), &corev1.ConfigMap{}),
 		&handler.EnqueueRequestForObject{},
 		predicate.ResourceVersionChangedPredicate{},
 		predicate.Funcs{

controllers/controller.go

@@ -1,3 +1,4 @@
+// Package controllers implements Kubernetes controllers for eraser resources.
 package controllers
 
 import (

controllers/imagecollector/imagecollector_controller.go

@@ -143,15 +143,15 @@ func add(mgr manager.Manager, r *Reconciler) error {
 	}
 
 	err = c.Watch(
-		&source.Kind{Type: &eraserv1.ImageJob{}},
+		source.Kind(mgr.GetCache(), &eraserv1.ImageJob{}),
 		&handler.EnqueueRequestForObject{}, predicate.Funcs{
 			// Do nothing on Create, Delete, or Generic events
 			CreateFunc:  util.NeverOnCreate,
 			DeleteFunc:  util.NeverOnDelete,
 			GenericFunc: util.NeverOnGeneric,
 			UpdateFunc: func(e event.UpdateEvent) bool {
 				if job, ok := e.ObjectNew.(*eraserv1.ImageJob); ok && util.IsCompletedOrFailed(job.Status.Phase) {
-					return ownerLabel.Matches(labels.Set(job.ObjectMeta.Labels))
+					return ownerLabel.Matches(labels.Set(job.Labels))
 				}
 
 				return false

controllers/imagejob/imagejob_controller.go

@@ -24,13 +24,10 @@ import (
 	"golang.org/x/exp/slices"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/noderesources"
-
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
@@ -102,7 +99,7 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	}
 
 	// Watch for changes to ImageJob
-	err = c.Watch(&source.Kind{Type: &eraserv1.ImageJob{}}, &handler.EnqueueRequestForObject{}, predicate.Funcs{
+	err = c.Watch(source.Kind(mgr.GetCache(), &eraserv1.ImageJob{}), &handler.EnqueueRequestForObject{}, predicate.Funcs{
 		UpdateFunc: func(e event.UpdateEvent) bool {
 			if job, ok := e.ObjectNew.(*eraserv1.ImageJob); ok && controllerUtils.IsCompletedOrFailed(job.Status.Phase) {
 				return false // handled by Owning controller
@@ -120,13 +117,8 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 
 	// Watch for changes to pods created by ImageJob (eraser pods)
 	err = c.Watch(
-		&source.Kind{
-			Type: &corev1.Pod{},
-		},
-		&handler.EnqueueRequestForOwner{
-			OwnerType:    &corev1.PodTemplate{},
-			IsController: true,
-		},
+		source.Kind(mgr.GetCache(), &corev1.Pod{}),
+		handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &corev1.PodTemplate{}),
 		predicate.Funcs{
 			CreateFunc: func(e event.CreateEvent) bool {
 				return e.Object.GetNamespace() == eraserUtils.GetNamespace()
@@ -145,13 +137,8 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 
 	// watch for changes to imagejob podTemplate (owned by controller manager pod)
 	err = c.Watch(
-		&source.Kind{
-			Type: &corev1.PodTemplate{},
-		},
-		&handler.EnqueueRequestForOwner{
-			OwnerType:    &corev1.Pod{},
-			IsController: true,
-		},
+		source.Kind(mgr.GetCache(), &corev1.PodTemplate{}),
+		handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &corev1.Pod{}),
 		predicate.Funcs{
 			CreateFunc: func(e event.CreateEvent) bool {
 				ownerLabels, ok := e.Object.GetLabels()[managerLabelKey]
@@ -174,20 +161,6 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
-func checkNodeFitness(pod *corev1.Pod, node *corev1.Node) bool {
-	nodeInfo := framework.NewNodeInfo()
-	nodeInfo.SetNode(node)
-
-	insufficientResource := noderesources.Fits(pod, nodeInfo)
-
-	if len(insufficientResource) != 0 {
-		log.Error(fmt.Errorf("pod %v in namespace %v does not fit in node %v", pod.Name, pod.Namespace, node.Name), "insufficient resource")
-		return false
-	}
-
-	return true
-}
-
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs,verbs=get;list;watch;create;delete
 //+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs/status,verbs=get;update;patch
@@ -421,12 +394,6 @@ func (r *Reconciler) handleNewJob(ctx context.Context, imageJob *eraserv1.ImageJ
 			pod.Labels[imageJobTypeLabelKey] = collectorJobType
 		}
 
-		fitness := checkNodeFitness(pod, &nodeList[i])
-		if !fitness {
-			log.Info(containerName + " pod does not fit on node, skipping")
-			continue
-		}
-
 		err = r.Create(ctx, pod)
 		if err != nil {
 			return err
@@ -437,6 +404,7 @@ func (r *Reconciler) handleNewJob(ctx context.Context, imageJob *eraserv1.ImageJ
 	}
 
 	for _, namespacedName := range namespacedNames {
+		//nolint:staticcheck // SA1019: TODO: Replace with PollUntilContextTimeout in future refactor
 		if err := wait.PollImmediate(time.Nanosecond, time.Minute*5, r.isPodReady(ctx, namespacedName)); err != nil {
 			log.Error(err, "timed out waiting for pod to leave pending state", "pod NamespacedName", namespacedName)
 		}
@@ -509,11 +477,11 @@ nodes:
 			}
 
 			log.V(1).Info("includedLabels", "includedLabels", includedLabels)
-			log.V(1).Info("nodeLabels", "nodeLabels", nodes.Items[i].ObjectMeta.Labels)
-			if includedLabels.Matches(labels.Set(nodes.Items[i].ObjectMeta.Labels)) {
+			log.V(1).Info("nodeLabels", "nodeLabels", nodes.Items[i].Labels)
+			if includedLabels.Matches(labels.Set(nodes.Items[i].Labels)) {
 				log.Info("node is included because it matched the specified labels",
 					"nodeName", nodeName,
-					"labels", nodes.Items[i].ObjectMeta.Labels,
+					"labels", nodes.Items[i].Labels,
 					"specifiedSelectors", includeNodesSelectors,
 				)
 
@@ -543,11 +511,11 @@ nodes:
 			}
 
 			log.V(1).Info("skipLabels", "skipLabels", skipLabels)
-			log.V(1).Info("nodeLabels", "nodeLabels", nodes.Items[i].ObjectMeta.Labels)
-			if skipLabels.Matches(labels.Set(nodes.Items[i].ObjectMeta.Labels)) {
+			log.V(1).Info("nodeLabels", "nodeLabels", nodes.Items[i].Labels)
+			if skipLabels.Matches(labels.Set(nodes.Items[i].Labels)) {
 				log.Info("node will be skipped because it matched the specified labels",
 					"nodeName", nodeName,
-					"labels", nodes.Items[i].ObjectMeta.Labels,
+					"labels", nodes.Items[i].Labels,
 					"specifiedSelectors", skipNodesSelectors,
 				)