Tidy up the build, standardize domains used for labels etc, fix tests and linting, add kustomize overlays for different environments

Signed-off-by: Kevin Conner <[email protected]>

Author: knrc

.github/workflows/lint.yml

@@ -18,6 +18,6 @@ jobs:
           go-version-file: go.mod
 
       - name: Run linter
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v8
         with:
-          version: v1.63.4
+          version: v2.3.0

.github/workflows/test-e2e.yml

@@ -26,9 +26,25 @@ jobs:
       - name: Verify kind installation
         run: kind version
 
+      - name: Install kubectl
+        run: |
+          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+          chmod +x kubectl
+          sudo mv kubectl /usr/local/bin/kubectl
+
+      - name: Verify kubectl installation
+        run: kubectl version --client
+
       - name: Create kind cluster
         run: kind create cluster
 
+      - name: Wait for cluster to be ready
+        run: |
+          echo "Waiting for cluster to be ready..."
+          kubectl wait --for=condition=Ready nodes --all --timeout=300s
+          kubectl wait --for=condition=Ready --namespace=kube-system pod --all --timeout=300s
+          echo "Cluster is ready"
+
       - name: Running Test e2e
         run: |
           go mod tidy

.gitignore

@@ -11,3 +11,7 @@ cover.out
 *~
 .DS_Store
 *.iml
+# Don't include generated manifests
+manifests/*.yaml
+# Don't include generated bundles (will be built in CI/CD at some point)
+bundle/

.golangci.yml

@@ -1,33 +1,17 @@
+version: "2"
+
 run:
   timeout: 5m
   allow-parallel-runners: true
 
-issues:
-  # don't skip warning about doc comments
-  # don't exclude the default set of lint
-  exclude-use-default: false
-  # restore some of the defaults
-  # (fill in the rest as needed)
-  exclude-rules:
-    - path: "api/*"
-      linters:
-        - lll
-    - path: "internal/*"
-      linters:
-        - dupl
-        - lll
 linters:
-  disable-all: true
   enable:
     - dupl
     - errcheck
     - copyloopvar
     - ginkgolinter
     - goconst
     - gocyclo
-    - gofmt
-    - goimports
-    - gosimple
     - govet
     - ineffassign
     - lll
@@ -36,12 +20,11 @@ linters:
     - prealloc
     - revive
     - staticcheck
-    - typecheck
     - unconvert
     - unparam
     - unused
 
-linters-settings:
-  revive:
-    rules:
-      - name: comment-spacings
+formatters:
+  enable:
+    - gofmt
+    - goimports

Containerfile renamed to Dockerfile

@@ -28,8 +28,8 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 # This variable is used to construct full image tags for bundle and catalog images.
 #
 # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
-# sigstore.dev/model-validation-operator-bundle:$VERSION and sigstore.dev/model-validation-operator-catalog:$VERSION.
-IMAGE_TAG_BASE ?= sigstore.dev/model-validation-operator
+# ghcr.io/sigstore/model-validation-operator-bundle:$VERSION and ghcr.io/sigstore/model-validation-operator-catalog:$VERSION.
+IMAGE_TAG_BASE ?= ghcr.io/sigstore/model-validation-operator
 
 # BUNDLE_IMG defines the image:tag used for the bundle.
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
@@ -38,6 +38,9 @@ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 # BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
 BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 
+# BUNDLE_OVERLAY defines which overlay to use for bundle generation (e.g. make bundle BUNDLE_OVERLAY=production)
+BUNDLE_OVERLAY ?= olm
+
 # USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
 # You can enable this value if you would like to use SHA Based Digests
 # To enable set flag to true
@@ -48,7 +51,7 @@ endif
 
 # Set the Operator SDK version to use. By default, what is installed on the system is used.
 # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit.
-OPERATOR_SDK_VERSION ?= v1.40.0
+OPERATOR_SDK_VERSION ?= v1.41.1
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
 
@@ -64,6 +67,9 @@ endif
 # scaffolded by default. However, you might want to replace it to use other
 # tools. (i.e. podman)
 CONTAINER_TOOL ?= docker
+# Dockerfile was renamed to Containerfile, presumably for podman support, however
+# this makefile explicitly mentions Dockerfile, so we parameterize it
+CONTAINER_FILE ?= Dockerfile
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
@@ -139,15 +145,44 @@ build: manifests generate fmt vet ## Build manager binary.
 	go build -o bin/manager cmd/main.go
 
 .PHONY: run
-run: manifests generate fmt vet ## Run a controller from your host.
+run: manifests generate fmt vet generate-local-certs ## Run a controller from your host.
 	go run ./cmd/main.go
 
+.PHONY: generate-certs
+generate-certs: ## Generate TLS certificates to specified directory (use CERT_DIR=path)
+	@if [ -z "$(CERT_DIR)" ]; then \
+		echo "Error: CERT_DIR must be specified. Usage: make generate-certs CERT_DIR=/path/to/certs"; \
+		exit 1; \
+	fi
+	@echo "Generating TLS certificates in $(CERT_DIR)..."
+	@if command -v cfssl &> /dev/null && [[ -f "generate-tls.sh" ]]; then \
+		echo "Using cfssl-based certificate generation"; \
+		./generate-tls.sh $(CERT_DIR); \
+	elif [[ -f "generate-tls-openssl.sh" ]]; then \
+		echo "Using OpenSSL-based certificate generation"; \
+		./generate-tls-openssl.sh $(CERT_DIR); \
+	else \
+		echo "Error: No TLS generation script found. Either install cfssl or ensure generate-tls-openssl.sh exists."; \
+		exit 1; \
+	fi
+
+.PHONY: generate-local-certs
+generate-local-certs: ## Generate TLS certificates for local development
+	@echo "Generating local webhook certificates..."
+	@CERT_DIR=$$(mktemp -d) && \
+	$(MAKE) generate-certs CERT_DIR=$$CERT_DIR && \
+	mkdir -p "$$TMPDIR/k8s-webhook-server/serving-certs" && \
+	cp $$CERT_DIR/tls.crt "$$TMPDIR/k8s-webhook-server/serving-certs/" && \
+	cp $$CERT_DIR/tls.key "$$TMPDIR/k8s-webhook-server/serving-certs/" && \
+	echo "Certificates generated and placed in $$TMPDIR/k8s-webhook-server/serving-certs/" && \
+	echo "You can now run 'make run' to start the controller with webhook support"
+
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
-docker-build: ## Build docker image with the manager.
-	$(CONTAINER_TOOL) build -f Containerfile -t ${IMG} .
+docker-build: test ## Build docker image with the manager.
+	$(CONTAINER_TOOL) build -t ${IMG} -f ${CONTAINER_FILE} .
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
@@ -163,18 +198,17 @@ PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
 .PHONY: docker-buildx
 docker-buildx: ## Build and push docker image for the manager for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
-	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' ${CONTAINER_FILE} > ${CONTAINER_FILE}.cross
 	- $(CONTAINER_TOOL) buildx create --name model-validation-operator-builder
 	$(CONTAINER_TOOL) buildx use model-validation-operator-builder
-	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
+	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f ${CONTAINER_FILE}.cross .
 	- $(CONTAINER_TOOL) buildx rm model-validation-operator-builder
-	rm Dockerfile.cross
+	rm ${CONTAINER_FILE}.cross
 
 .PHONY: build-installer
-build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment.
-	mkdir -p dist
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default > dist/install.yaml
+build-installer: manifests ## Generate a consolidated YAML with CRDs and deployment.
+	./scripts/generate-manifests.sh production dist
+	mv dist/production.yaml dist/install.yaml
 
 ##@ Deployment
 
@@ -192,12 +226,13 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
+	cd config/overlays/production && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/overlays/production && $(KUSTOMIZE) edit set replicas controller-manager=1
+	$(KUSTOMIZE) build config/overlays/production | $(KUBECTL) apply -f -
 
 .PHONY: undeploy
 undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/overlays/production | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 
 ##@ Dependencies
 
@@ -215,13 +250,12 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v5.6.0
-CONTROLLER_TOOLS_VERSION ?= v0.17.2
-#ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.20)
+KUSTOMIZE_VERSION ?= v5.7.0
+CONTROLLER_TOOLS_VERSION ?= v0.18.0
 ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
 #ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31)
 ENVTEST_K8S_VERSION ?= $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}')
-GOLANGCI_LINT_VERSION ?= v1.63.4
+GOLANGCI_LINT_VERSION ?= v2.3.0
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -239,7 +273,7 @@ setup-envtest: envtest ## Download the binaries required for ENVTEST in the loca
 	@$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path || { \
 		echo "Error: Failed to set up envtest binaries for version $(ENVTEST_K8S_VERSION)."; \
 		exit 1; \
-	}
+	} ; echo
 
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download setup-envtest locally if necessary.
@@ -249,7 +283,7 @@ $(ENVTEST): $(LOCALBIN)
 .PHONY: golangci-lint
 golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION))
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION))
 
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
@@ -285,42 +319,49 @@ endif
 endif
 
 .PHONY: bundle
-bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
+bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata from $(BUNDLE_OVERLAY) overlay, then validate generated files.
 	$(OPERATOR_SDK) generate kustomize manifests -q
-	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
-	$(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)
+	cd config/overlays/$(BUNDLE_OVERLAY) && $(KUSTOMIZE) edit set image controller=$(IMG)
+	$(KUSTOMIZE) build config/overlays/$(BUNDLE_OVERLAY) | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)
+	# Fix webhook configuration in CSV
+	@if [ -f bundle/manifests/model-validation-operator.clusterserviceversion.yaml ]; then \
+		sed -i.bak 's/deploymentName: webhook/deploymentName: model-validation-controller-manager/' bundle/manifests/model-validation-operator.clusterserviceversion.yaml && \
+		sed -i.bak2 's/deploymentName: model-validation-controller-manager/deploymentName: model-validation-controller-manager\n    serviceName: model-validation-webhook/' bundle/manifests/model-validation-operator.clusterserviceversion.yaml && \
+		rm -f bundle/manifests/model-validation-operator.clusterserviceversion.yaml.bak bundle/manifests/model-validation-operator.clusterserviceversion.yaml.bak2; \
+	fi
 	$(OPERATOR_SDK) bundle validate ./bundle
 
 .PHONY: bundle-build
 bundle-build: ## Build the bundle image.
-	$(CONTAINER_TOOL) build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
+	$(CONTAINER_TOOL) build -f bundle.${CONTAINER_FILE} -t $(BUNDLE_IMG) .
 
 .PHONY: bundle-push
 bundle-push: ## Push the bundle image.
 	$(MAKE) docker-push IMG=$(BUNDLE_IMG)
 
 .PHONY: opm
 OPM = $(LOCALBIN)/opm
+OPM_VERSION=v1.56.0
 opm: ## Download opm locally if necessary.
 ifeq (,$(wildcard $(OPM)))
 ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
 	OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$${OS}-$${ARCH}-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/${OPM_VERSION}/$${OS}-$${ARCH}-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else
 OPM = $(shell which opm)
 endif
 endif
 
-# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0).
+# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=ghcr.io/sigstore/model-validation-operator-bundle:v0.1.0,ghcr.io/sigstore/model-validation-operator-bundle:v0.2.0).
 # These images MUST exist in a registry and be pull-able.
 BUNDLE_IMGS ?= $(BUNDLE_IMG)
 
-# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0).
+# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=ghcr.io/sigstore/model-validation-operator-catalog:v0.2.0).
 CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION)
 
 # Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image.
@@ -333,9 +374,48 @@ endif
 # https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator
 .PHONY: catalog-build
 catalog-build: opm ## Build a catalog image.
-	$(OPM) index add --container-tool $(CONTAINER_TOOL) --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)
+	$(OPM) index add --container-tool ${CONTAINER_TOOL} --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)
 
 # Push the catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+##@ Overlay Deployment
+
+# Define available environments
+ENVIRONMENTS := testing production development olm
+
+# Generic deployment target using generate-manifests script
+define deploy-environment
+.PHONY: deploy-$(1)
+deploy-$(1): manifests ## Deploy to $(1) environment
+	./scripts/generate-manifests.sh $(1) manifests
+	kubectl apply -f manifests/$(1).yaml
+endef
+
+# Generic undeployment target
+define undeploy-environment
+.PHONY: undeploy-$(1)
+undeploy-$(1): ## Undeploy from $(1) environment
+	kubectl delete -f manifests/$(1).yaml --ignore-not-found=true
+endef
+
+# Generate targets for all environments
+$(foreach env,$(ENVIRONMENTS),$(eval $(call deploy-environment,$(env))))
+$(foreach env,$(ENVIRONMENTS),$(eval $(call undeploy-environment,$(env))))
+
+# Convenience targets for all environments
+.PHONY: deploy-all
+deploy-all: $(addprefix deploy-,$(ENVIRONMENTS)) ## Deploy to all environments (use with caution)
+
+.PHONY: undeploy-all
+undeploy-all: $(addprefix undeploy-,$(ENVIRONMENTS)) ## Undeploy from all environments
+
+# Generate manifests using script (replaces removed render targets)
+.PHONY: generate-manifests
+generate-manifests: manifests ## Generate manifests for all environments using generate-manifests script
+	@for env in $(ENVIRONMENTS); do \
+		echo "Generating manifests for $$env environment..."; \
+		./scripts/generate-manifests.sh $$env manifests; \
+	done