Update GHA config & Fix linter issues

.github/workflows/build.yaml

@@ -0,0 +1,20 @@
+name: Build
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.22.x
+      - name: Build
+        run: ./scripts/build.sh

.github/workflows/lint.yaml

@@ -0,0 +1,22 @@
+name: Lint
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.22.x
+      - name: Analysis
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+        with:
+          args: -v

.github/workflows/release.yaml

@@ -0,0 +1,80 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+# GitHub settings / example values:
+#
+# org level vars:
+#   - PUBLIC_REGISTRY: docker.io
+# repo level vars:
+#   - PUBLIC_REGISTRY_REPO: rancher
+# repo level secrets:
+#   - PUBLIC_REGISTRY_USERNAME
+#   - PUBLIC_REGISTRY_PASSWORD
+
+jobs:
+  release:
+    permissions:
+      contents: write # required for creating GH release
+      id-token: write # required for reading vault secrets
+    runs-on: ubuntu-latest
+    steps:
+    - name: Read secrets
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | PUBLIC_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | PUBLIC_REGISTRY_PASSWORD ;
+    - name: Login to DockerHub
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ vars.PUBLIC_REGISTRY }}
+        username: ${{ env.PUBLIC_REGISTRY_USERNAME }}
+        password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}
+    - name: Setup QEMU
+      uses: docker/setup-qemu-action@v3
+    - name: Setup Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        ref: ${{ github.ref_name}}
+    - name: Build and push all image variations
+      run: |
+        ./scripts/build.sh
+        make image-push
+        TAG="${TAG}-amd64" TARGET_PLATFORMS=linux/amd64 make image-push
+        TAG="${TAG}-arm64" TARGET_PLATFORMS=linux/arm64 make image-push
+      env:
+        TAG: ${{ github.ref_name }}
+        REPO: ${{ vars.PUBLIC_REGISTRY }}/${{ vars.PUBLIC_REGISTRY_REPO }}
+    - name: Create release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for creating GH release
+      id: goreleaser
+      uses: goreleaser/goreleaser-action@v6
+      with:
+        distribution: goreleaser
+        version: "~> v2"
+        args: release --clean --verbose
+    - name: Upload charts to release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for updating GH release
+        REPO: cnrancher/rancher-flat-network-operator # Docker repository to reference in `values.yaml` of the Helm chart release
+        TAG: ${{ github.ref_name }} # image tag to be referenced in `values.yaml` of the Helm chart release
+      run: |
+        version=$(echo '${{ steps.goreleaser.outputs.metadata }}' | jq -r '.version')
+        echo "Publishing helm charts (version: $version)"
+
+        # Both version and appVersion are set to the same value in the Chart.yaml (excluding the 'v' prefix)
+        CHART_VERSION=$version GIT_TAG=$version make charts
+
+        for f in $(find bin/ -name '*.tgz'); do
+          echo "Uploading $f to GitHub release $TAG"
+          gh release upload $TAG $f
+        done
+        echo "Charts successfully uploaded to GitHub release $TAG"

.github/workflows/unit.yaml

@@ -0,0 +1,18 @@
+name: Unit tests
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.22.x
+    - name: Run tests
+      run: |
+        ./scripts/test.sh

.github/workflows/verify.yaml

@@ -0,0 +1,18 @@
+name: Verify
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.22.x
+    - name: Run validate script
+      run: |
+        ./scripts/validate.sh

.golangci.yml

@@ -0,0 +1,95 @@
+run:
+  timeout: 5m
+  go: "1.22"
+  skip-files:
+    - "zz_generated_*"
+  tests: false
+  allow-parallel-runners: true
+
+# output:
+#   format: github-actions
+
+linters:
+  disable-all: true
+  enable:
+    - dupl # check duplicated code
+    - goconst # check strings that can turn into constants
+    - gofmt # check fmt
+    - goimports # check imports
+    - gosec # check for security problems
+    - govet # check vet
+    - importas # check consistent import aliasing
+    - ineffassign # check ineffectual assignments
+    - misspell # check for misspelled English words
+    - nakedret # check naked returns in functions
+    - prealloc # check preallocated slice declarations
+    - revive # replacement for golint
+    - unconvert # check redundant type conversions
+    - whitespace # check for trailing whitespace and tabs
+
+linters-settings:
+  revive:
+    rules:
+      # The following rules are recommended https://github.com/mgechev/revive#recommended-configuration
+      - name: blank-imports
+      - name: context-as-argument
+      - name: context-keys-type
+      - name: dot-imports
+      - name: error-return
+      - name: error-strings
+      - name: error-naming
+      - name: exported
+      - name: increment-decrement
+      - name: var-naming
+      - name: var-declaration
+      - name: package-comments
+      - name: range
+      - name: receiver-naming
+      - name: time-naming
+      - name: indent-error-flow
+      - name: errorf
+      - name: empty-block
+      - name: superfluous-else
+      - name: unused-parameter
+      - name: unreachable-code
+      - name: redefines-builtin-id
+      - name: unexported-return
+  importas:
+    no-unaliased: true
+    alias:
+      # Kubernetes
+      - pkg: k8s.io/api/core/v1
+        alias: corev1
+      - pkg: k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+        alias: apiextensionsv1
+      - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+        alias: metav1
+      - pkg: k8s.io/apimachinery/pkg/util/runtime
+        alias: utilruntime
+      - pkg: sigs.k8s.io/controller-runtime/pkg/client
+        alias: runtimeclient
+      # Rancher EKS operator
+      - pkg: github.com/rancher/eks-operator/pkg/apis/eks.cattle.io/v1
+        alias: eksv1
+      - pkg: github.com/rancher/eks-operator/pkg/generated/controllers/eks.cattle.io/v1
+        alias: ekscontrollers
+      - pkg: github.com/rancher/eks-operator/pkg/eks
+        alias: awsservices
+      # Core Rancher
+      - pkg: github.com/rancher/rancher/pkg/apis/management.cattle.io/v3
+        alias: managementv3
+
+issues:
+  exclude-rules:
+  - linters:
+    - revive
+    text: "var-naming: don't use an underscore in package name"
+    path: 'mock(\w+)/doc.go$'
+  - path: 'pkg/cni/types/types.go$'
+    text: "don't use ALL_CAPS in Go names"
+    linters:
+      - revive
+  - path: 'pkg/codegen/main.go'
+    text: "Expect WriteFile permissions to be 0600 or less"
+    linters:
+      - gosec

charts/README.md

@@ -0,0 +1 @@
+# Rancher FlatNetwork Chart Template

pkg/admission/ping.go

@@ -6,11 +6,11 @@ import (
 	"os"
 )
 
-func pingHandler(w http.ResponseWriter, req *http.Request) {
+func pingHandler(w http.ResponseWriter, _ *http.Request) {
 	w.Write([]byte("pong\n"))
 }
 
-func hostnameHandler(w http.ResponseWriter, req *http.Request) {
+func hostnameHandler(w http.ResponseWriter, _ *http.Request) {
 	n, err := os.Hostname()
 	if err != nil {
 		err := fmt.Errorf("failed to get hostname: %w", err)

pkg/admission/server.go

@@ -3,8 +3,11 @@ package admission
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
+	"net"
 	"net/http"
+	"time"
 
 	"github.com/sirupsen/logrus"
 
@@ -53,14 +56,22 @@ func (s *Server) Run(ctx context.Context) error {
 	http.HandleFunc("/hostname", hostnameHandler)
 	http.HandleFunc("/validate", handler.ValidateHandler)
 	httpServer = &http.Server{
+		BaseContext: func(net.Listener) context.Context {
+			return ctx
+		},
 		Addr: addr,
 		TLSConfig: &tls.Config{
 			Certificates: []tls.Certificate{
 				pair,
 			},
+			MinVersion: tls.VersionTLS12,
 		},
+		ReadHeaderTimeout: time.Second * 10,
 	}
 	if err = httpServer.ListenAndServeTLS("", ""); err != nil {
+		if errors.Is(err, http.ErrServerClosed) {
+			return nil
+		}
 		return fmt.Errorf("failed to start admission web server: %w", err)
 	}
 	logrus.Infof("start listen flat-network admission webhook server on %v", addr)