Linting, Refactoring and Badges (we all love badges!)

.github/workflows/coverage-badge.yaml

@@ -0,0 +1,54 @@
+name: Generate code coverage badge
+
+on:
+  workflow_dispatch: # Here for Testing
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Update coverage badge
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal access token.
+          fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
+
+      - name: Setup go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Run Test
+        run: |
+          go test -v ./... -covermode=count -coverprofile=coverage.out
+          go tool cover -func=coverage.out -o=coverage.out
+
+      - name: Go Coverage Badge  # Pass the `coverage.out` output to this action
+        uses: tj-actions/coverage-badge-go@v2
+        with:
+          filename: coverage.out
+
+      - name: Verify Changed files
+        uses: tj-actions/verify-changed-files@v16
+        id: verify-changed-files
+        with:
+          files: README.md
+
+      - name: Commit changes
+        if: steps.verify-changed-files.outputs.files_changed == 'true'
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "GitHub Action"
+          git add README.md
+          git commit -m "docs: Updated coverage badge."
+
+      - name: Push changes
+        if: steps.verify-changed-files.outputs.files_changed == 'true'
+        uses: ad-m/github-push-action@master
+        with:
+          github_token: ${{ github.token }}
+          branch: ${{ github.head_ref }}

.github/workflows/helm-docs.yaml

@@ -64,4 +64,4 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           branch: ${{ github.head_ref }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}

.github/workflows/release.yaml

@@ -34,6 +34,13 @@ jobs:
           replace: "${{steps.release_number.outputs.substring}}"
           include: "deploy/charts/version-checker/Chart.yaml"
           regex: true
+      - name: Find and Replace Helm Chart README
+        uses: jacobtomlinson/gha-find-replace@v3
+        with:
+          find: 'v(\d+)\.(\d+)\.(\d+)(-rc(\d)+)?'
+          replace: "${{steps.release_number.outputs.substring}}"
+          include: "deploy/charts/version-checker/README.md"
+          regex: true
       - name: Find and Replace Kubernetes Manifests
         uses: jacobtomlinson/gha-find-replace@v3
         with:

README.md

@@ -1,5 +1,10 @@
 # version-checker
 
+![GitHub Release](https://img.shields.io/github/v/release/jetstack/version-checker)
+[![Go Report Card](https://goreportcard.com/badge/github.com/jetstack/version-checker)](https://goreportcard.com/report/github.com/jetstack/version-checker)
+[![Tests](https://github.com/jetstack/version-checker/actions/workflows/build-test.yaml/badge.svg)](https://github.com/jetstack/version-checker/actions/workflows/build-test.yaml?query=branch%3Amain)
+![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/jetstack/version-checker)
+
 version-checker is a Kubernetes utility for observing the current versions of
 images running in the cluster, as well as the latest available upstream. These
 checks get exposed as Prometheus metrics to be viewed on a dashboard, or _soft_

cmd/app/app.go

@@ -27,7 +27,7 @@ func NewCommand(ctx context.Context) *cobra.Command {
 		Use:   "version-checker",
 		Short: helpOutput,
 		Long:  helpOutput,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			opts.complete()
 
 			logLevel, err := logrus.ParseLevel(opts.LogLevel)

cmd/app/options.go

@@ -60,7 +60,7 @@ var (
 	selfhostedInsecureReg = regexp.MustCompile("^VERSION_CHECKER_SELFHOSTED_INSECURE_(.*)")
 )
 
-// Options is a struct to hold options for the version-checker
+// Options is a struct to hold options for the version-checker.
 type Options struct {
 	MetricsServingAddress string
 	DefaultTestAll        bool
@@ -88,7 +88,7 @@ func (o *Options) addFlags(cmd *cobra.Command) {
 		return nil
 	})
 
-	cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
+	cmd.SetHelpFunc(func(cmd *cobra.Command, _ []string) {
 		fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
 		cliflag.PrintSections(cmd.OutOrStdout(), nfs, 0)
 	})
@@ -329,55 +329,53 @@ func (o *Options) assignSelfhosted(envs []string) {
 		}
 	}
 
-	for _, env := range envs {
-		pair := strings.SplitN(env, "=", 2)
-		if len(pair) != 2 || len(pair[1]) == 0 {
-			continue
-		}
-
-		if matches := selfhostedHostReg.FindStringSubmatch(strings.ToUpper(pair[0])); len(matches) == 2 {
+	regexActions := map[*regexp.Regexp]func(matches []string, value string){
+		selfhostedHostReg: func(matches []string, value string) {
 			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].Host = pair[1]
-			continue
-		}
-
-		if matches := selfhostedUsernameReg.FindStringSubmatch(strings.ToUpper(pair[0])); len(matches) == 2 {
+			o.Client.Selfhosted[matches[1]].Host = value
+		},
+		selfhostedUsernameReg: func(matches []string, value string) {
 			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].Username = pair[1]
-			continue
-		}
-
-		if matches := selfhostedPasswordReg.FindStringSubmatch(strings.ToUpper(pair[0])); len(matches) == 2 {
+			o.Client.Selfhosted[matches[1]].Username = value
+		},
+		selfhostedPasswordReg: func(matches []string, value string) {
 			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].Password = pair[1]
-			continue
-		}
-
-		if matches := selfhostedTokenPath.FindStringSubmatch(strings.ToUpper(pair[0])); len(matches) == 2 {
+			o.Client.Selfhosted[matches[1]].Password = value
+		},
+		selfhostedTokenPath: func(matches []string, value string) {
 			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].TokenPath = pair[1]
-			continue
-		}
-
-		if matches := selfhostedTokenReg.FindStringSubmatch(strings.ToUpper(pair[0])); len(matches) == 2 {
+			o.Client.Selfhosted[matches[1]].TokenPath = value
+		},
+		selfhostedTokenReg: func(matches []string, value string) {
 			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].Bearer = pair[1]
-			continue
-		}
-
-		if matches := selfhostedInsecureReg.FindStringSubmatch(strings.ToUpper(pair[0])); len(matches) == 2 {
+			o.Client.Selfhosted[matches[1]].Bearer = value
+		},
+		selfhostedInsecureReg: func(matches []string, value string) {
 			initOptions(matches[1])
-			val, err := strconv.ParseBool(pair[1])
-			if err == nil {
+			if val, err := strconv.ParseBool(value); err == nil {
 				o.Client.Selfhosted[matches[1]].Insecure = val
 			}
+		},
+		selfhostedCAPath: func(matches []string, value string) {
+			initOptions(matches[1])
+			o.Client.Selfhosted[matches[1]].CAPath = value
+		},
+	}
+
+	for _, env := range envs {
+		pair := strings.SplitN(env, "=", 2)
+		if len(pair) != 2 || len(pair[1]) == 0 {
 			continue
 		}
 
-		if matches := selfhostedCAPath.FindStringSubmatch(strings.ToUpper(pair[0])); len(matches) == 2 {
-			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].CAPath = pair[1]
-			continue
+		key := strings.ToUpper(pair[0])
+		value := pair[1]
+
+		for regex, action := range regexActions {
+			if matches := regex.FindStringSubmatch(key); len(matches) == 2 {
+				action(matches, value)
+				break
+			}
 		}
 	}
 

cmd/app/options_test.go

@@ -73,7 +73,7 @@ func TestComplete(t *testing.T) {
 					Token: "quay-token",
 				},
 				Selfhosted: map[string]*selfhosted.Options{
-					"FOO": &selfhosted.Options{
+					"FOO": {
 						Host:     "docker.joshvanl.com",
 						Username: "joshvanl",
 						Password: "password",
@@ -141,21 +141,21 @@ func TestComplete(t *testing.T) {
 					Token: "quay-token",
 				},
 				Selfhosted: map[string]*selfhosted.Options{
-					"FOO": &selfhosted.Options{
+					"FOO": {
 						Host:     "docker.joshvanl.com",
 						Username: "joshvanl",
 						Password: "password",
 						Bearer:   "my-token",
 						Insecure: true,
 					},
-					"BAR": &selfhosted.Options{
+					"BAR": {
 						Host:     "bar.docker.joshvanl.com",
 						Username: "bar.joshvanl",
 						Password: "bar-password",
 						Bearer:   "my-bar-token",
 						Insecure: false,
 					},
-					"BUZZ": &selfhosted.Options{
+					"BUZZ": {
 						Host:     "buzz.docker.jetstack.io",
 						Username: "buzz.davidcollom",
 						Password: "buzz-password",
@@ -208,7 +208,7 @@ func TestAssignSelfhosted(t *testing.T) {
 			},
 			expOptions: client.Options{
 				Selfhosted: map[string]*selfhosted.Options{
-					"FOO": &selfhosted.Options{
+					"FOO": {
 						Host:     "docker.joshvanl.com",
 						Username: "joshvanl",
 						Password: "password",
@@ -228,13 +228,13 @@ func TestAssignSelfhosted(t *testing.T) {
 			},
 			expOptions: client.Options{
 				Selfhosted: map[string]*selfhosted.Options{
-					"FOO": &selfhosted.Options{
+					"FOO": {
 						Host:     "docker.joshvanl.com",
 						Username: "joshvanl",
 						Password: "password",
 						Bearer:   "my-token",
 					},
-					"BAR": &selfhosted.Options{
+					"BAR": {
 						Host:   "hello.world.com",
 						Bearer: "my-bar-token",
 					},
@@ -253,14 +253,14 @@ func TestAssignSelfhosted(t *testing.T) {
 			},
 			expOptions: client.Options{
 				Selfhosted: map[string]*selfhosted.Options{
-					"FOO": &selfhosted.Options{
+					"FOO": {
 						Host:      "docker.joshvanl.com",
 						Username:  "joshvanl",
 						Password:  "password",
 						Bearer:    "my-token",
 						TokenPath: "/artifactory/api/security/token",
 					},
-					"BAR": &selfhosted.Options{
+					"BAR": {
 						Host:   "hello.world.com",
 						Bearer: "my-bar-token",
 					},
@@ -281,17 +281,17 @@ func TestAssignSelfhosted(t *testing.T) {
 			},
 			expOptions: client.Options{
 				Selfhosted: map[string]*selfhosted.Options{
-					"FOO": &selfhosted.Options{
+					"FOO": {
 						Host:     "docker.joshvanl.com",
 						Username: "joshvanl",
 						Password: "password",
 						Bearer:   "my-token",
 					},
-					"BAR": &selfhosted.Options{
+					"BAR": {
 						Host:   "hello.world.com",
 						Bearer: "my-bar-token",
 					},
-					"JOSHVANL": &selfhosted.Options{
+					"JOSHVANL": {
 						Host: "joshvanl.com",
 					},
 				},
@@ -301,7 +301,6 @@ func TestAssignSelfhosted(t *testing.T) {
 
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-
 			o := new(Options)
 			o.assignSelfhosted(test.envs)
 

deploy/charts/version-checker/README.md

@@ -1,6 +1,6 @@
 # version-checker
 
-![Version: v0.7.0](https://img.shields.io/badge/Version-v0.7.0-informational?style=flat-square) ![AppVersion: v0.7.0](https://img.shields.io/badge/AppVersion-v0.7.0-informational?style=flat-square)
+![Version: v0.8.0](https://img.shields.io/badge/Version-v0.8.0-informational?style=flat-square) ![AppVersion: v0.8.0](https://img.shields.io/badge/AppVersion-v0.8.0-informational?style=flat-square)
 
 A Helm chart for version-checker
 
@@ -55,7 +55,13 @@ A Helm chart for version-checker
 | readinessProbe.periodSeconds | int | `3` | How often (in seconds) to perform the readinessProbe. |
 | replicaCount | int | `1` | Replica Count for version-checker |
 | resources | object | `{}` | Setup version-checkers resource requests/limits |
-| securityContext | object | `{}` | Set container-level security context |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Set container-level security context |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Prevent the container from PrivilegeEscalation |
+| securityContext.capabilities | object | `{"drop":["ALL"]}` | Ensure that we run with the capabilities we explicitly need to run |
+| securityContext.readOnlyRootFilesystem | bool | `true` | Readonly Filesystem |
+| securityContext.runAsNonRoot | bool | `true` | Ensure we don't run as root |
+| securityContext.runAsUser | int | `65534` | Specify UID to run under |
+| securityContext.seccompProfile | object | `{"type":"RuntimeDefault"}` | SeccomProfile to use |
 | selfhosted | []{name: "", host: "", username:"", password:"", token:""}] | `[]` | Setup a number of SelfHosted Repositories and their credentials |
 | service.annotations | object | `{}` | Additional annotations to add to the service |
 | service.labels | object | `{}` | Additional labels to add to the service |

deploy/charts/version-checker/templates/_helpers.tpl

@@ -32,4 +32,4 @@ Common selector
 {{- define "version-checker.selector" -}}
 app.kubernetes.io/name: {{ include "version-checker.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end -}}
+{{- end -}}

deploy/charts/version-checker/values.yaml

@@ -127,13 +127,19 @@ resources:
 
 # -- Set container-level security context
 securityContext:
+  # -- Prevent the container from PrivilegeEscalation
   allowPrivilegeEscalation: false
+  # -- Ensure that we run with the capabilities we explicitly need to run
   capabilities:
     drop:
       - ALL
+  # -- Readonly Filesystem
   readOnlyRootFilesystem: true
+  # -- Ensure we don't run as root
   runAsNonRoot: true
+  # -- Specify UID to run under
   runAsUser: 65534
+  # -- SeccomProfile to use
   seccompProfile:
     type: RuntimeDefault