gravitational · dboslee · Apr 13, 2023 · Apr 19, 2023 · Apr 24, 2023 · Apr 24, 2023
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -1,17 +1,6 @@
 name: Build and Test
-on:
-  push:
-    branches:
-    - "main"
-    - "release/v*"
-    paths-ignore:
-    - "**/*.png"
-  pull_request:
-    branches:
-    - "main"
-    - "release/v*"
-    paths-ignore:
-    - "**/*.png"
+on: workflow_call
+
 jobs:
   lint:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
@@ -0,0 +1,74 @@
+name: cd
+on:
+  push:
+    tags:
+    - 'v[0-9]+.[0-9]+.[0-9]+.*'
+    branches:
+    - teleport
+
+permissions:
+  contents: read
+
+jobs: 
+
+  push:
+    name: Build and Push
+    permissions:
+      contents: read
+      checks: read
+      id-token: write
+    env:
+      AWS_REGION: us-west-2
+      ECR_AWS_ROLE: arn:aws:iam::146628656107:role/gateway-api-github-action-ecr-role
+    runs-on: ubuntu-latest
+    needs: [verify, test]
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+    - name: Setup Docker Buildx
+      uses: docker/setup-buildx-action@v2
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        aws-region: ${{ env.AWS_REGION }}
+        role-to-assume: ${{ env.ECR_AWS_ROLE }}
+        mask-aws-account-id: 'no'
+    - name: Login to Amazon ECR
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v1
+    - name: Setup Docker Buildx
+      uses: docker/setup-buildx-action@v2
+    - name: Build and push gateway
+      run: PLATFORM="linux_amd64" make teleport-push
+    - name: Build and push helm
+      run: make teleport-helm-push
+
+  verify:
+    name: Verify
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v3
+    - name: Setup Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+        cache: true
+    - name: Run Verify
+      run: make teleport-verify
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v3
+    - name: Setup Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+        cache: true
+    - name: Unit Tests
+      run: make teleport-test
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,58 @@
+name: ci
+on:
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - labeled
+    - unlabeled
+
+permissions:
+  contents: read
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [verify, test]
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+    - name: Setup Docker Buildx
+      uses: docker/setup-buildx-action@v2
+    - name: Build gateway
+      run: PLATFORM="linux_amd64" make teleport-build
+    - name: Build gateway helm
+      run: CHART_VERSION=v0.0.0-latest TAG=latest make teleport-helm-package
+
+  verify:
+    name: Verify
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v3
+    - name: Setup Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+        cache: true
+    - name: Run Verify
+      run: make teleport-verify
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v3
+    - name: Setup Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+        cache: true
+    - name: Unit Tests
+      run: make teleport-test
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,41 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "teleport" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "teleport" ]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 240
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'python' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -1,15 +1,5 @@
 name: Docs
-on:
-  push:
-    branches:
-      - "main"
-    paths-ignore:
-      - "**/*.png"
-  pull_request:
-    branches:
-      - "main"
-    paths-ignore:
-      - "**/*.png"
+on: workflow_call
 
 jobs:
   docs-lint:

diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml
@@ -1,11 +1,6 @@
 name: Latest Release
 
-on:
-  push:
-    branches:
-    - "main"
-    paths-ignore:
-    - "**/*.png"
+on: workflow_call
 
 jobs:
   latest-release:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,10 +1,7 @@
 name: Release
 
-on:
-  push:
-    # Sequence of patterns matched against refs/tags
-    tags:        
-      - "v*.*.*"
+on: workflow_call
+
 jobs:
   release:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -1,7 +1,4 @@
-on:
-  workflow_dispatch:
-  schedule:
-  - cron: '0 */4 * * *'
+on: workflow_call
 
 jobs:
   prune_stale:

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v0.4.0-rc.1
+v0.4
diff --git a/api/config/v1alpha1/shared_types.go b/api/config/v1alpha1/shared_types.go
@@ -15,9 +15,9 @@ const (
 	// DefaultDeploymentMemoryResourceRequests for deployment memory resource
 	DefaultDeploymentMemoryResourceRequests = "512Mi"
 	// DefaultEnvoyProxyImage is the default image used by envoyproxy
-	DefaultEnvoyProxyImage = "envoyproxy/envoy-dev:latest"
+	DefaultEnvoyProxyImage = "envoyproxy/envoy:v1.26-latest"
 	// DefaultRateLimitImage is the default image used by ratelimit.
-	DefaultRateLimitImage = "envoyproxy/ratelimit:master"
+	DefaultRateLimitImage = "envoyproxy/ratelimit:542a6047"
 )
 
 // GroupVersionKind unambiguously identifies a Kind.
@@ -75,6 +75,14 @@ type KubernetesPodSpec struct {
 	//
 	// +optional
 	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
+
+	// If specified, the pod's scheduling constraints.
+	// +optional
+	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+
+	// If specified, the pod's tolerations.
+	// +optional
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
 
 // KubernetesContainerSpec defines the desired state of the Kubernetes container resource.

diff --git a/api/config/v1alpha1/zz_generated.deepcopy.go b/api/config/v1alpha1/zz_generated.deepcopy.go