From 8e0f2fe1e4d8c33b3f0542592291d70e6d13229c Mon Sep 17 00:00:00 2001
From: Mykola Morhun
Date: Wed, 13 Sep 2023 12:35:54 +0300
Subject: [PATCH] Add kube-linter check (#63)

* Add kube-linter check

* Fix kube-linter errors
---
 .github/.kube-linter-config.yaml | 7 ++++
 .github/workflows/kube-linter.yaml | 54 ++++++++++++++++++++++++++++++
 config/manager/kustomization.yaml | 1 +
 config/manager/manager.yaml | 13 ++-----
 4 files changed, 65 insertions(+), 10 deletions(-)
 create mode 100644 .github/.kube-linter-config.yaml
 create mode 100644 .github/workflows/kube-linter.yaml

diff --git a/.github/.kube-linter-config.yaml b/.github/.kube-linter-config.yaml
new file mode 100644
index 0000000..a9f5240
--- /dev/null
+++ b/.github/.kube-linter-config.yaml
@@ -0,0 +1,7 @@
+checks:
+  # include explicitly adds checks, by name. You can reference any of the built-in checks.
+  # Note that customChecks defined above are included automatically.
+  include: [ ]
+  # exclude explicitly excludes checks, by name. exclude has the highest priority: if a check is
+  # in exclude, then it is not considered, even if it is in include as well.
+  exclude: [ ]
diff --git a/.github/workflows/kube-linter.yaml b/.github/workflows/kube-linter.yaml
new file mode 100644
index 0000000..3b2e661
--- /dev/null
+++ b/.github/workflows/kube-linter.yaml
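Review bot: The comment above `include` says "customChecks defined above are included automatically", but this file defines no `customChecks` block, so the sentence points a reader at something that is not there. Either drop that sentence or add an explicit `customChecks: []` entry above `checks` so the comment matches the file. It would also help to state the effect of the two empty lists in one line, e.g. `# Both lists empty: kube-linter runs its default check set.`, since that is the actual policy being adopted. The `[ ]` flow literals read more conventionally as `[]`.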
@@ -0,0 +1,54 @@
+name: Check Kubernetes YAMLs with kube-linter
+
+on:
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'config/default/**.ya?ml'
+      - 'config/crd/**.ya?ml'
+      - 'config/rbac/**.ya?ml'
+      - 'config/manager/**.ya?ml'
+      - 'config/registry_image_pruner/**.ya?ml'
+
+jobs:
+  kube-linter:
+    name: Kube linter
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create ../kube-linter/ for deployment yaml files
+        shell: bash
+        run: mkdir -p ../kube-linter/
+
+      - name: Generate Image Controller operator deployment configuration
+        shell: bash
+        run: kustomize build config/default/ > ../kube-linter/image-controller.yaml
+
+      - name: Scan yaml files with kube-linter
+        uses: stackrox/kube-linter-action@v1
+        id: kube-linter-action-scan
+        with:
+          # Where to do scanning
+          directory: ../kube-linter/
+          # Where to search for kube-linter config. Removing the setting make using the default config.
+          config: ./.github/.kube-linter-config.yaml
+          # The following two settings make kube-linter produce scan analysis in SARIF format
+          # which would then be made available in GitHub UI via upload-sarif action below.
+          format: sarif
+          output-file: ../kube-linter/kube-linter.sarif
+        # The following line prevents aborting the workflow immediately in case your files fail kube-linter checks.
+        # This allows the following upload-sarif action to still upload the results to your GitHub repo.
+        continue-on-error: true
+
+      - name: Upload SARIF report files to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ../kube-linter/kube-linter.sarif
+
+      # Ensure the workflow eventually fails if files did not pass kube-linter checks.
+      - name: Verify kube-linter-action succeeded
+        shell: bash
+        run: |
+          echo "If this step fails, kube-linter found issues. Check the output of the scan step above."
+          [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]]
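Review bot: The workflow declares no `permissions:` block, so the job inherits the repository's default GITHUB_TOKEN scope, while the `github/codeql-action/upload-sarif@v2` step needs `security-events: write` and nothing else here needs more than `contents: read`; adding `permissions:` / `  contents: read` / `  security-events: write` at the top level pins the job to least privilege and keeps the upload step working regardless of the repository's default-token setting. The three actions are referenced by mutable major tags (`@v4`, `@v1`, `@v2`) rather than full commit SHAs, which is the usual hardening for third-party actions such as `stackrox/kube-linter-action`. The `paths:` filter lists only `config/**`, so a PR that changes this workflow or `.github/.kube-linter-config.yaml` will not run the lint; adding those two paths to the filter closes that gap. The `kustomize build` step also assumes `kustomize` is on the runner's PATH, which appears to hold for GitHub-hosted `ubuntu-latest` today but is not pinned to a version; an explicit install or version would make the result reproducible.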
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index b5873c5..3d7a973 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -13,3 +13,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/redhat-appstudio/image-controller
+  newTag: next
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 8caab6f..ad8335e 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -26,13 +26,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        # TODO(user): For common cases that do not require escalating privileges
-        # it is recommended to ensure that all your Pods/Containers are restrictive.
-        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
-        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
-        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
-        # seccompProfile:
-        #   type: RuntimeDefault
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
       - name: quaytoken
         secret:
@@ -46,7 +41,7 @@ spec:
         - /manager
         args:
         - --leader-elect
-        image: quay.io/redhat-appstudio/image-controller
+        image: controller:latest
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
@@ -66,8 +61,6 @@ spec:
             port: 8081
           initialDelaySeconds: 5
           periodSeconds: 10
-        # TODO(user): Configure the resources accordingly based on the project requirements.
-        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
         resources:
           limits:
             cpu: 500m
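Review bot: `newTag: next` is a mutable tag, so the manifest that `kustomize build` emits still resolves to whatever `quay.io/redhat-appstudio/image-controller:next` points at on the day it is applied; together with the `image: controller:latest` placeholder in the `@@ -46,7 +41,7 @@` hunk of `config/manager/manager.yaml`, this presumably quiets kube-linter's `latest-tag` check in form but not in substance. Pinning an immutable release tag, or adding a `digest:` entry next to `newName` (kustomize `images` entries support `digest`), would make the deployed image reproducible and auditable. If `next` is deliberately a floating channel for this base and overlays are expected to pin it, a one-line comment such as `# "next" is a floating tag; overlays pin a release tag or digest` would record that decision where the value lives.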