These enable scanning of each of our container images on linux/amd64
to check for vulnerabilities. These targets can then be used in CI as
an indicator that we might need to take a look at upgrading dependencies
or base images.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
I also took the opportunity to document the three most important "build"
variables in "make help".
Manually rebased to adopt $(BINDIR) changes
Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This adds multiple retries on every attempt we make to use curl, which
should help to reduce flakes. Uses a $(CURL) variable where possible so
that we have the same invocation everywhere.
Also switches to using the more verbose curl arguments, in an attempt to
make it easier to reason about how curl is configured.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
previously we'd relied on rosetta because these tools hadn't been built
for darwin-arm64, but now they've started to be built and we can use
arm64 versions directly
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
we don't _need_ to remove these and we can keep them around for
longer, but we don't need them to be in files we actually use and edit.
putting the targets in a separate file feels cleaner!
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This uses cmctl instead of kubectl_cert-manager, uses make instead of
bazel and fixes an incorrect container name in
test/fixtures/upgrade/overlay/cainjector-ops.yaml
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
this allows us to maintain the bazel build files until they're removed,
but tries to avoid accidentally encouraging their use
`make update-all` implementes a non-bazel version of
`hack/update-all.sh`, with `hack/update-all.sh` now calling make but
also doing the bazel stuff it used to.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
We only use python in one place and probably won't start using it more
without some kind of policy change. We don't need to require that everyone
has it installed, and can instead only require it for people who're running
the boilerplate check
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Uses go-licenses to create a CSV file which replaces LICENSES.
The replacement is much smaller and easier to parse for both humans
and for machines.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
- includes a run of make update-crds which causes some trivial changes
- updates version of YQ to latest
- makes hack/update-crds.sh just call make
- makes hack/verify-crds.sh just call make
- moves functionality of hack/verify-crds.sh to hack/check-crds.sh,
using the makefile for generating alternative CRDs for comparison
- removes the bazel test associated with CRDs
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
- runs "make update-codegen"
- adds codegen verification to make tests
- changes hack/(update|verify)-codegen.sh to just call make
- removes bazel codegen test so it's not automatically run in CI
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This is needed because go and other tools will ignore directories
starting with "_" or "." but would treat a dir called "bin" as a regular
directory.
This in turn meant that when we vendored Go in bin, these tools would by
default scan the whole stdlib included with the bundled vendored go.
See https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns for details
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
