Merge branch 'vmware-tanzu:main' into main

.github/workflows/ci.yml

@@ -1,7 +1,7 @@
 name: ci
 
 env:
-  GO_VERSION: 1.19.3
+  GO_VERSION: 1.21.3
 
 on:
   pull_request:
@@ -86,6 +86,28 @@ jobs:
     - name: Lint Go
       run: make lint-go-full
 
+  vulncheck-go:
+    needs:
+    - verify-go-modules
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Install Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: ${{ env.GO_VERSION }}
+        cache: true
+        cache-dependency-path: '**/go.sum'
+    - name: Setup the cache for govulncheck
+      uses: actions/cache@v3
+      with:
+        key: govulncheck-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('go.sum', 'hack/tools/go.sum') }}
+        path: |
+          hack/tools/bin/govulncheck
+    - name: Vulncheck Go
+      run: make vulncheck-go
+
   build-manager:
     needs:
     - verify-go-modules

.github/workflows/testing-needed.yml

@@ -18,8 +18,8 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
         with:
-          # The pull_request_target event runs in the context of the BASE of the pull request.
-          # We need to checkout the HEAD of the pull request to be able to check the diff.
+          # The pull_request_target event runs in the context of the PR's BASE.
+          # We need to checkout the PR's HEAD to be able to check the diff.
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       - name: Check diff
@@ -33,7 +33,8 @@ jobs:
         uses: actions/github-script@v6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          # TODO: Add testing-needed-e2e-full label once the pipeline supports running e2e-full tests.
+          # TODO: Add testing-needed-e2e-full label once the internal pipeline
+          # supports running e2e-full tests with the VM-Operator build from PR.
           script: |
             if (${{ steps.check-diff.outputs.lines_of_change > 99 }}) {
               await github.rest.issues.addLabels({
@@ -81,12 +82,14 @@ jobs:
       - name: do-not-merge
         env:
           LABEL_NAMES: ${{ needs.verify-change.outputs.label_names }}
-        # the step will run if one of the labels is present and the corresponding
+        # This step will run if one of the labels is present and the related
         # label indicating testing is done is not present, ex. the label
-        # testing-needed-e2e-fast is present without also testing-done-e2e-fast
+        # testing-needed-e2e-fast is present without also testing-done-e2e-fast.
+        # Additionally, it should never run if testing-done-e2e-full is present.
         if: |
           contains(env.LABEL_NAMES, format('testing-needed-{0}', matrix.test-type)) &&
-          !contains(env.LABEL_NAMES, format('testing-done-{0}', matrix.test-type))
+          !contains(env.LABEL_NAMES, format('testing-done-{0}', matrix.test-type)) &&
+          !contains(env.LABEL_NAMES, 'testing-done-e2e-full')
         run: |
           echo "Pull request is labeled as 'testing-needed-${{ matrix.test-type }}'"
           exit 1

Dockerfile

@@ -1,5 +1,5 @@
 # Go version used to build the binaries.
-ARG GO_VERSION=1.18.4
+ARG GO_VERSION=1.21.3
 
 ## Docker image used to build the binaries.
 FROM golang:${GO_VERSION} as builder

Makefile

@@ -19,10 +19,15 @@ else # (,$(strip $(shell command -v go 2>/dev/null || true)))
 # Active module mode, as we use go modules to manage dependencies.
 export GO111MODULE := on
 
+# Get the information about the platform on which the tools are built/run.
+GOHOSTOS := $(shell go env GOHOSTOS)
+GOHOSTARCH := $(shell go env GOHOSTARCH)
+GOHOSTOSARCH := $(GOHOSTOS)_$(GOHOSTARCH)
+
 # Default the GOOS and GOARCH values to be the same as the platform on which
 # this Makefile is being executed.
-export GOOS ?= $(shell go env GOHOSTOS)
-export GOARCH ?= $(shell go env GOHOSTARCH)
+export GOOS ?= $(GOHOSTOS)
+export GOARCH ?= $(GOHOSTARCH)
 
 # The directory in which this Makefile is located. Please note this will not
 # behave correctly if the path to any Makefile in the list contains any spaces.
@@ -48,7 +53,7 @@ endif # ifeq (,$(strip $(shell command -v go 2>/dev/null || true)))
 # Directories
 BIN_DIR       := bin
 TOOLS_DIR     := hack/tools
-TOOLS_BIN_DIR := $(TOOLS_DIR)/bin
+TOOLS_BIN_DIR := $(TOOLS_DIR)/bin/$(GOHOSTOSARCH)
 UPGRADE_DIR   := upgrade
 export PATH := $(abspath $(BIN_DIR)):$(abspath $(TOOLS_BIN_DIR)):$(PATH)
 export KUBEBUILDER_ASSETS := $(abspath $(TOOLS_BIN_DIR))
@@ -71,6 +76,7 @@ KUBE_APISERVER     := $(TOOLS_BIN_DIR)/kube-apiserver
 KUBEBUILDER        := $(TOOLS_BIN_DIR)/kubebuilder
 KUBECTL            := $(TOOLS_BIN_DIR)/kubectl
 ETCD               := $(TOOLS_BIN_DIR)/etcd
+GOVULNCHECK        := $(TOOLS_BIN_DIR)/govulncheck
 
 # Allow overriding manifest generation destination directory
 MANIFEST_ROOT     ?= config
@@ -140,18 +146,18 @@ test-nocover: ## Run Tests (without code coverage)
 	hack/test-unit.sh
 
 .PHONY: test
-test: | $(GOCOVMERGE)
+test: $(GOCOVMERGE)
 test: ## Run tests
 	@rm -f $(COVERAGE_FILE)
 	hack/test-unit.sh $(COVERAGE_FILE)
 
 .PHONY: test-integration
-test-integration: | $(ETCD) $(KUBE_APISERVER)
+test-integration: $(ETCD) $(KUBE_APISERVER)
 test-integration: ## Run integration tests
 	KUBECONFIG=$(KUBECONFIG) hack/test-integration.sh $(INT_COV_FILE)
 
 .PHONY: coverage
-coverage-merge: | $(GOCOVMERGE) $(GOCOV) $(GOCOV_XML)
+coverage-merge: $(GOCOVMERGE) $(GOCOV) $(GOCOV_XML)
 coverage-merge: ## Merge the coverage from unit and integration tests
 	$(GOCOVMERGE) $(COVERAGE_FILE) $(INT_COV_FILE) >$(FULL_COV_FILE)
 	gocov convert "$(FULL_COV_FILE)" | gocov-xml >"$(FULL_COV_FILE:.out=.xml)"
@@ -193,9 +199,8 @@ web-console-validator: prereqs generate lint-go web-console-validator-only ## Bu
 TOOLING_BINARIES := $(CRD_REF_DOCS) $(CONTROLLER_GEN) $(CONVERSION_GEN) \
                     $(GOLANGCI_LINT) $(KUSTOMIZE) \
                     $(KUBE_APISERVER) $(KUBEBUILDER) $(KUBECTL) $(ETCD) \
-                    $(GINKGO) $(GOCOVMERGE) $(GOCOV) $(GOCOV_XML)
+                    $(GINKGO) $(GOCOVMERGE) $(GOCOV) $(GOCOV_XML) $(GOVULNCHECK)
 tools: $(TOOLING_BINARIES) ## Build tooling binaries
-.PHONY: $(TOOLING_BINARIES)
 $(TOOLING_BINARIES):
 	make -C $(TOOLS_DIR) $(@F)
 
@@ -211,7 +216,7 @@ lint: ## Run all the lint targets
 
 GOLANGCI_LINT_FLAGS ?= --fast=true
 .PHONY: lint-go
-lint-go: | $(GOLANGCI_LINT)
+lint-go: $(GOLANGCI_LINT)
 lint-go: ## Lint codebase
 	$(GOLANGCI_LINT) run -v $(GOLANGCI_LINT_FLAGS)
 
@@ -261,14 +266,14 @@ generate: ## Generate code
 #	$(MAKE) generate-api-docs
 
 .PHONY: generate-go
-generate-go: | $(CONTROLLER_GEN)
+generate-go: $(CONTROLLER_GEN)
 generate-go: ## Generate deepcopy
 	$(CONTROLLER_GEN) \
 		paths=github.com/vmware-tanzu/vm-operator/api/... \
 		object:headerFile=./hack/boilerplate/boilerplate.generatego.txt
 
 .PHONY: generate-manifests
-generate-manifests: | $(CONTROLLER_GEN)
+generate-manifests: $(CONTROLLER_GEN)
 generate-manifests: ## Generate manifests e.g. CRD, RBAC etc.
 	$(CONTROLLER_GEN) \
 		paths=github.com/vmware-tanzu/vm-operator/api/... \
@@ -287,7 +292,7 @@ generate-manifests: ## Generate manifests e.g. CRD, RBAC etc.
 		rbac:roleName=manager-role
 
 .PHONY: generate-external-manifests
-generate-external-manifests: | $(CONTROLLER_GEN)
+generate-external-manifests: $(CONTROLLER_GEN)
 generate-external-manifests: ## Generate manifests for the external types for testing
 	API_MOD_DIR=$(shell go mod download -json $(IMG_REGISTRY_OP_API_SLUG) | grep '"Dir":' | awk '{print $$2}' | tr -d '",') && \
 	$(CONTROLLER_GEN) \
@@ -311,7 +316,7 @@ ifneq (,$(ROOT_DIR_IN_GOPATH))
 # statement ensures that there is not an order-only dependency on CONVERSION_GEN
 # if it already exists.
 ifeq (,$(strip $(wildcard $(CONVERSION_GEN))))
-generate-go-conversions: | $(CONVERSION_GEN)
+generate-go-conversions: $(CONVERSION_GEN)
 endif
 
 generate-go-conversions:
@@ -411,7 +416,7 @@ generate-go-conversions:
 endif
 
 .PHONY: generate-api-docs
-generate-api-docs: | $(CRD_REF_DOCS)
+generate-api-docs: $(CRD_REF_DOCS)
 generate-api-docs: ## Generate API documentation
 	$(CRD_REF_DOCS) \
 	  --renderer=markdown \
@@ -443,13 +448,13 @@ kustomize-x:
 .PHONY: kustomize-local
 kustomize-local: CONFIG_TYPE=local
 kustomize-local: YAML_OUT=$(LOCAL_YAML)
-kustomize-local: prereqs generate-manifests | $(KUSTOMIZE)
+kustomize-local: prereqs generate-manifests $(KUSTOMIZE)
 kustomize-local: kustomize-x ## Kustomize for local cluster
 
 .PHONY: kustomize-local-vcsim
 kustomize-local-vcsim: CONFIG_TYPE=local-vcsim
 kustomize-local-vcsim: YAML_OUT=$(LOCAL_YAML)
-kustomize-local-vcsim: prereqs generate-manifests | $(KUSTOMIZE)
+kustomize-local-vcsim: prereqs generate-manifests $(KUSTOMIZE)
 kustomize-local-vcsim: kustomize-x ## Kustomize for local-vcsim cluster
 
 
@@ -552,6 +557,15 @@ docker-remove: ## Remove the docker image
 	fi
 
 
+## --------------------------------------
+## Vulnerability Checks
+## --------------------------------------
+
+.PHONY: vulncheck-go
+vulncheck-go: $(GOVULNCHECK)
+	$(GOVULNCHECK) ./...
+
+
 ## --------------------------------------
 ## Clean and verify
 ## --------------------------------------

api/go.mod

@@ -56,11 +56,12 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	// per the following dependabot alerts:
 	// * https://github.com/vmware-tanzu/vm-operator/security/dependabot/20
 	// * https://github.com/vmware-tanzu/vm-operator/security/dependabot/21
+	// * https://github.com/vmware-tanzu/vm-operator/security/dependabot/32
+	// * https://github.com/vmware-tanzu/vm-operator/security/dependabot/34
+	// * https://github.com/vmware-tanzu/vm-operator/security/dependabot/36
 	golang.org/x/net v0.7.0 // indirect
-	// per the following dependabot alerts:
 	// * https://github.com/vmware-tanzu/vm-operator/security/dependabot/22
 	golang.org/x/text v0.7.0 // indirect; per
 	gopkg.in/inf.v0 v0.9.1 // indirect

api/v1alpha1/condition_conversion.go

@@ -17,6 +17,12 @@ func Convert_v1alpha1_Condition_To_v1_Condition(in *Condition, out *metav1.Condi
 	out.Reason = in.Reason
 	out.Message = in.Message
 
+	// The metav1.Condition requires the reason to be non-empty, when it was not in our prior v1a1 Condition.
+	// We don't have any great options as to what we can fill this in as.
+	if out.Reason == "" {
+		out.Reason = string(out.Status)
+	}
+
 	// TODO: out.ObservedGeneration =
 
 	return nil

api/v1alpha1/conversion_test.go

@@ -9,7 +9,6 @@ import (
 	fuzz "github.com/google/gofuzz"
 	. "github.com/onsi/gomega"
 	"k8s.io/apimachinery/pkg/api/apitesting/fuzzer"
-	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
@@ -125,7 +124,6 @@ func overrideVirtualMachineFieldsFuncs(codecs runtimeserializer.CodecFactory) []
 
 			vmSpec.ReadinessGates = nil
 			vmSpec.ReadinessProbe.GuestInfo = nil
-			vmSpec.Advanced.BootDiskCapacity = resource.Quantity{}
 		},
 		func(vmStatus *v1alpha1.VirtualMachineStatus, c fuzz.Continue) {
 			c.Fuzz(vmStatus)