dodevops · dploeger · Jun 27, 2024 · Nov 15, 2023 · Dec 6, 2023 · Dec 7, 2023
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @dodevops/codeowners
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,24 @@
+# Set update schedule for GitHub Actions
+# open-pull-requests-limit is set to 0 because we only want security updates and those override this limit
+# see https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file
+version: 2
+updates:
+    - package-ecosystem: "gomod"
+      directory: "/"
+      schedule:
+          interval: "daily"
+      allow:
+          - dependency-type: "direct"
+      open-pull-requests-limit: 0
+    - package-ecosystem: "npm"
+      directory: "/ccc-client"
+      schedule:
+          interval: "daily"
+      allow:
+          - dependency-type: "direct"
+      open-pull-requests-limit: 0
+    - package-ecosystem: "github-actions"
+      directory: "/"
+      schedule:
+          interval: "weekly"
+      open-pull-requests-limit: 0
diff --git a/.github/workflows/check_commits.yml b/.github/workflows/check_commits.yml
@@ -24,10 +24,10 @@ jobs:
                 uses: tim-actions/[email protected]
                 with:
                     commits: ${{ steps.get-pr-commits.outputs.commits }}
-                    pattern: '^(Merge pull request #[0-9]+ from dodevops/develop)|(Merge branch ''main'' into develop)|(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test){1}(\([\w\-\.]+\))?(!)?: ([\w ])+([\s\S]*)'
+                    pattern: '^(Merge pull request #[0-9]+)|(Merge branch ''main'' into develop)|(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test){1}(\([\w\-\.]+\))?(!)?: ([\w ])+([\s\S]*)'
                     error: 'Commit messages do not follow https://www.conventionalcommits.org/en/v1.0.0/'
             -   name: Get Changed Files
-                uses: tj-actions/changed-files@v35.5.6
+                uses: tj-actions/changed-files@v41.0.0
             -   name: Check if CHANGELOG wasn't included
                 run: |
                     if echo ${{ steps.changed-files.outputs.all_changed_files }} | grep CHANGELOG.md; then

diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -2,9 +2,6 @@ name: "Build Images"
 
 on:
     push:
-        branches:
-            - main
-            - develop
     release:
         types:
             - published
@@ -22,7 +19,7 @@ jobs:
                     - name: aws
                       platforms: "linux/amd64,linux/arm64"
                     - name: azure
-                      platforms: "linux/amd64"
+                      platforms: "linux/amd64,linux/arm64"
                     - name: gcloud
                       platforms: "linux/amd64,linux/arm64"
                     - name: simple
@@ -39,7 +36,7 @@ jobs:
                 uses: actions/checkout@v2
 
             -   name: Install cosign
-                uses: sigstore/cosign-installer@v2.8.1
+                uses: sigstore/cosign-installer@v3.5.0
 
             # Set up QEMU to be able to build to multiple architectures
             -   name: Set up QEMU
@@ -67,18 +64,27 @@ jobs:
                         type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
 
             -   name: Prepare build
+                id: prepare
                 run: |
+                    export BUILD_DATE=$(date -Iseconds)
+                    export FLAVOUR=${{ matrix.flavour.name }}
+
                     cat build/Dockerfile.prefix > Dockerfile
                     cat "flavour/${{ matrix.flavour.name }}/Dockerfile.flavour" >> Dockerfile
 
                     # Download mo
                     curl -sSL https://raw.githubusercontent.com/tests-always-included/mo/master/mo -o mo
                     chmod +x mo
 
-                    cat build/Dockerfile.suffix.mo | BUILD_DATE=$(date -Iseconds) FLAVOUR=${{ matrix.flavour.name }} ./mo > build/Dockerfile.suffix
-
+                    cat build/Dockerfile.suffix.mo | ./mo > build/Dockerfile.suffix
                     cat build/Dockerfile.suffix >> Dockerfile
 
+                    {
+                        echo 'labels<<EOF'
+                        cat build/labels.txt.mo | ./mo | sed -re "s/^/                    /gm" # Add whitespace to insert it as annotations
+                        echo EOF
+                    } >> "$GITHUB_OUTPUT"
+
                     rm mo
                 env:
                     FLAVOUR: "${{ matrix.flavour.name }}"
@@ -89,17 +95,17 @@ jobs:
 
             - name: Build and push Docker image
               id: build-and-push
-              uses: docker/build-push-action@v4.0.0
+              uses: docker/build-push-action@v5.3.0
               with:
                   context: .
                   push: true
                   pull: true
                   tags: ${{ steps.meta.outputs.tags }}
                   labels: ${{ steps.meta.outputs.labels }}
+                  annotations: |
+                    ${{ steps.prepare.outputs.labels }}
                   no-cache: true
                   platforms:  ${{ matrix.flavour.platforms }}
 
             - name: Sign the published Docker image
-              env:
-                  COSIGN_EXPERIMENTAL: "true"
-              run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+              run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -4,14 +4,38 @@ on:
     - pull_request
 
 env:
-    GOSSVERSION: v0.3.21
+    GOSSVERSION: v0.4.4
 
 jobs:
+    notify:
+        runs-on: ubuntu-latest
+        if: ${{ github.event.pull_request.head.repo.fork }}
+        steps:
+            - name: Notifiy about skips on forks
+              run: |
+                  echo "::notice title=Skipping cloud tests::Because we're running from a fork, we'll skip cloud tests."
+    build-exclude:
+        runs-on: ubuntu-latest
+        outputs:
+            jobs: ${{ steps.build-exclude.outputs.jobs }}
+        steps:
+            - id: build-exclude
+              run: |
+                  cat <<EOT > tmp.js
+                  exclude=[{"flavour": "tanzu", "arch": "linux/arm64"}]
+                  if (${{ github.event.pull_request.head.repo.fork }}) {
+                    exclude = exclude.concat([{"flavour": "aws"}, {"flavour": "azure"}, {"flavour": "gcloud"}])
+                  }
+                  console.log(JSON.stringify(exclude))
+                  EOT
+                  echo "jobs=$(node tmp.js)" >> "$GITHUB_OUTPUT"
     test:
+        needs: build-exclude
         strategy:
             matrix:
                 flavour:
-                    - aws
+                    # Commented for pricing reasons
+                    #- aws
                     - azure
                     # Commented until gcloud playground exists
                     #- gcloud
@@ -21,12 +45,7 @@ jobs:
                     - linux/amd64
                     # Commented until Github supports arm64 runners
                     #- linux/arm64
-                exclude:
-                    - flavour: "azure"
-                      arch: "linux/arm64"
-                    - flavour: "tanzu"
-                      arch: "linux/arm64"
-
+                exclude: ${{ fromJSON(needs.build-exclude.outputs.jobs) }}
 
         runs-on: ubuntu-latest
 
@@ -107,7 +126,7 @@ jobs:
                     curl -sL "https://github.com/goss-org/goss/releases/download/${{ env.GOSSVERSION }}/goss-${GOSS_ARCH}" -o goss
                     chmod +x goss
                     go build cmd/tests/test-features.go
-                    ./test-features -f ${{ matrix.flavour }} -i test-image-${{ matrix.flavour }}-${{ matrix.arch}}:local -p ${{ matrix.arch }} -t ${PWD}/.testbed -g ${PWD}/goss -l debug
+                    ./test-features -c -f ${{ matrix.flavour }} -i test-image-${{ matrix.flavour }}-${{ matrix.arch }}:local -p ${{ matrix.arch }} -t ${PWD}/.testbed -g ${PWD}/goss -l debug
             -   name: Cleanup
                 run: |
                     rm -rf .testbed

@@ -10,25 +10,27 @@ required and configured to manage modern cloud infrastructures.
 The toolbox comes in different "flavours" depending on what cloud you are working in.
 Currently supported cloud flavours are:
 * [AWS](https://github.com/dodevops/cloudcontrol/pkgs/container/cloudcontrol-aws) (based on [amazon/aws-cli](https://hub.docker.com/r/amazon/aws-cli)) [linux/amd64, linux/arm64]
-* [Azure](https://github.com/dodevops/cloudcontrol/pkgs/container/cloudcontrol-azure) (based on [mcr.microsoft.com/azure-cli](https://hub.docker.com/_/microsoft-azure-cli)) [linux/amd64]
+* [Azure](https://github.com/dodevops/cloudcontrol/pkgs/container/cloudcontrol-azure) (based on [mcr.microsoft.com/azure-cli](https://hub.docker.com/_/microsoft-azure-cli)) [linux/amd64, linux/arm64]
 * [Google Cloud](https://github.com/dodevops/cloudcontrol/pkgs/container/cloudcontrol-gcloud) (based on [google-cloud-cli](https://console.cloud.google.com/gcr/images/google.com:cloudsdktool/GLOBAL/google-cloud-cli)) [linux/amd64, linux/arm64]
 * [Simple](https://github.com/dodevops/cloudcontrol/pkgs/container/cloudcontrol-simple) (based on [alpine](https://hub.docker.com/_/alpine)) [linux/amd64, linux/arm64]
 * [Tanzu](https://github.com/dodevops/cloudcontrol/pkgs/container/cloudcontrol-tanzu) (based on [alpine](https://hub.docker.com/_/alpine)) [linux/amd64]
 
 Following features and tools are supported:
 * 🐟 Fish Shell
 * 📷 AzCopy
-* 🔐 Bitwarden
 * 🪪 Certificates
 * ⚙️ Direnv
 * ⛵️ Helm
 * 🛠 JQ
+* 🐾 k9s
 * ⌨️ kc Quick Kubernetes Context switch
+* 🟦 krew
 * 🐚 Kubectlnodeshell
 * 🐳 Kubernetes
 * 📦 Packages
 * 📦 Packer
 * 👟 Run
+* 🔑 sops
 * 📜 Stern
 * 🌏 Terraform
 * 🐗 Terragrunt
@@ -51,17 +53,19 @@ Following features and tools are supported:
 * [Features](#features)
     * [Fish Shell](#_fish)
     * [AzCopy](#azcopy)
-    * [Bitwarden](#bitwarden)
     * [Certificates](#certificates)
     * [Direnv](#direnv)
     * [Helm](#helm)
     * [JQ](#jq)
+    * [k9s](#k9s)
     * [kc Quick Kubernetes Context switch](#kc)
+    * [krew](#krew)
     * [Kubectlnodeshell](#kubectlnodeshell)
     * [Kubernetes](#kubernetes)
     * [Packages](#packages)
     * [Packer](#packer)
     * [Run](#run)
+    * [sops](#sops)
     * [Stern](#stern)
     * [Terraform](#terraform)
     * [Terragrunt](#terragrunt)
@@ -307,12 +311,17 @@ To start a new session in the CloudControl context, run `createSession <token>`
 
 Can be used to connect to infrastructure in the Azure cloud. Because we're using a container,
 a device login will happen, requiring the user to go to a website, enter a code and login.
-This only happens once during initialization phase.
+
+The azure login tokens usually expire after some time. You can run the `azure-relogin` script
+(located in ~/bin, thus available without path) to re-execute the same login commands as the 
+initialization process does.
 
 #### Configuration
 
-* Environment AZ_SUBSCRIPTION: The Azure subscription to use in this container
-* Environment AZ_TENANTID: The Azure tenant id to log into (optional)
+* Environment AZ_SUBSCRIPTION: The Azure subscription to use in this container (deprecated)
+* Environment ARM_SUBSCRIPTION_ID: The Azure subscription to use in this container
+* Environment AZ_TENANTID: The Azure tenant id to log into (optional, deprecated)
+* Environment ARM_TENANT_ID: The Azure tenant id to log into (optional)
 * Environment AZ_USE_ARM_SPI: Uses the environment variables ARM_CLIENT_ID and ARM_CLIENT_SECRET for service principal auth [false]
 
 ### <a id="gcloud"></a> gcloud
@@ -368,15 +377,6 @@ Installs [AzCopy](https://github.com/Azure/azure-storage-azcopy)
 * USE_azcopy: Enable this feature
 * DEBUG_azcopy: Debug this feature
 
-### <a id="bitwarden"></a> Bitwarden
-
-Installs the [Bitwarden CLI](https://bitwarden.com/help/cli/)
-
-#### Configuration
-
-* USE_bitwarden: Enable this feature
-* DEBUG_bitwarden: Debug this feature
-
 ### <a id="certificates"></a> Certificates
 
 Adds specified trusted certificate authorities into the container
@@ -423,6 +423,16 @@ Installs the [JSON parser and processor jq](https://stedolan.github.io/jq/)
 * USE_jq: Enable this feature
 * DEBUG_jq: Debug this feature
 
+### <a id="k9s"></a> k9s
+
+Installs [k9s](https://k9scli.io/)
+
+#### Configuration
+
+* USE_k9s: Enable this feature
+* DEBUG_k9s: Debug this feature
+* Environment K9S_VERSION (optional): Valid k9s version to install (defaults to latest)
+
 ### <a id="kc"></a> kc Quick Kubernetes Context switch
 
 Installs [kc](https://github.com/dodevops/cloudcontrol/blob/master/feature/kc/kc.sh), a quick context switcher for kubernetes.
@@ -433,6 +443,17 @@ Installs [kc](https://github.com/dodevops/cloudcontrol/blob/master/feature/kc/kc
 * USE_kc: Enable this feature
 * DEBUG_kc: Debug this feature
 
+### <a id="krew"></a> krew
+
+Installs [Krew](https://krew.sigs.k8s.io/)
+
+#### Configuration
+
+* USE_krew: Enable this feature
+* DEBUG_krew: Debug this feature
+* Environment KREW_VERSION (optional): Valid Krew version to install (defaults to latest)
+* Environment KREW_PLUGINS (optional): A comma separated list of kubectl plugins to install via krew
+
 ### <a id="kubectlnodeshell"></a> Kubectlnodeshell
 
 Installs [kubectl node-shell](https://github.com/kvaps/kubectl-node-shell)
@@ -521,6 +542,17 @@ Runs commands inside the shell when entering the cloud control container
 * DEBUG_run: Debug this feature
 * Environment RUN_COMMANDS: Valid shell commands to run
 
+### <a id="sops"></a> sops
+
+Installs [sops](https://github.com/getsops/sops)
+
+#### Configuration
+
+* USE_sops: Enable this feature
+* DEBUG_sops: Debug this feature
+* Environment SOPS_VERSION (required): Valid sops version (e.g. 3.8.1)
+* Environment specific for the key you use, see [sops documentation](https://github.com/getsops/sops?tab=readme-ov-file#22encrypting-using-age)
+
 ### <a id="stern"></a> Stern
 
 Installs [stern](https://github.com/stern/stern), a multi pod and container log tailing for Kubernetes
@@ -712,20 +744,19 @@ To build all flavours with the same tag, use
 ## Testing
 
 To run the test suite for a specific flavour, you need to create a local directory that holds flavour-specific data
-(e.g. keys for authentication) and optionally an .env-file with flavour-specific environment variables.
+(e.g. keys for authentication) and optionally an .env-file with flavour-specific environment variables. This is called
+ a "testbed" directory.
 
 First, you need to compile the test runner:
 
-    cd tests
-    docker run --rm -e GOOS=[os, e.g. darwin, linux, windows] -e GOARCH=[architecture, e.g. arm64, amd64] -v "$PWD":/usr/src/myapp -w /usr/src/myapp golang:1.19-alpine go build -o test-features
+    docker run --rm -e GOOS=[os, e.g. darwin, linux, windows] -e GOARCH=[architecture, e.g. arm64, amd64] -v "$PWD":/usr/src/myapp -w /usr/src/myapp golang:1.19-alpine go build -o test-features cmd/tests/test-features
 
 After that, download the latest goss binary for the target architecture you will test (linux/amd64 or linux/arm64) from
 the [Goss site](https://github.com/goss-org/goss) and put it somewhere local.
 
 Once that is done, run the tests like following:
 
-    cd tests
-    ./test-features -f [flavour] -i [image:tag] -t [path to flavour-data] -p [test architecture, e.g. linux/amd64] -g [path to the goss binary]
+    ./test-features -f [flavour] -i [image:tag] -t [path to testbed directory] -p [test architecture, e.g. linux/amd64] -g [path to the goss binary]
 
 This will run the tests of all features that supply a test suite one by one and, if all succeed, will test all
 features together for integration testing. Check out `test-features --help` for other options.
@@ -739,12 +770,19 @@ When the testrunner encounters such file it will check if CloudControl fails to
 
 You can add a regular expression pattern into `.will-fail` to test if the container or command output matches it.
 
+### Unstable tests
+
+As we're dealing with a lot of moving targets in the features, sometimes a test might not be reliable. For these
+situations we support a .might-fail file. Just add it as a text file into the test suite subdirectory and put some text
+into it describing the problem. Failed test won't fail the test suite then but instead the description will be shown.
+
 ### Test debugging
 
-To check why a test failed, run the test-runner using the -x bash parameter to see the different commands it issues.
+To check why a test failed, use the -l parameter to enable debug logging. Additionally, you can use the -n parameter
+to specify the specific feature to test and use the -x parameter to stop testing if one test fails.
 
-Then, take the failing command and instead of `dgoss run` execute `docker run` with the same arguments to analyze the
-tests locally.
+When a test fails, the test container will not be removed automatically (unless you specified the -c parameter), so
+you can inspect the failing container as well.
 
 ## Building documentation ##
 
@@ -774,7 +812,3 @@ flowchart TD
     click F "https://github.com/dodevops/cloudcontrol/blob/develop/.github/workflows/test.yml" "Test workflow"
     click H "https://github.com/dodevops/cloudcontrol/blob/develop/.github/workflows/release.yml" "Release workflow"
 ```mermaid
-github.com/dodevops/cloudcontrol/blob/develop/.github/workflows/release.yml" "Release workflow"
-```mermaid
-maid
-