Merge branch 'devfile:main' into contribute

Author: kernelpanic77

.github/workflows/code-coverage.yml

@@ -0,0 +1,50 @@
+name: Code Coverage Report
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  coverage-report:
+    name: Check Code Coverage
+    runs-on: ubuntu-20.04
+    steps:
+    -
+      name: Set up Go 1.x
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.16.6
+    -
+      name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    -
+      name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+    -
+      name: Cache go modules
+      id: cache-mod
+      uses: actions/cache@v2
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+    -
+      name: Download dependencies
+      run: go mod download
+      if: steps.cache-mod.outputs.cache-hit != 'true'
+    -
+      name: Run Go Tests
+      run: |
+        python -m pip install --upgrade pip yq
+        make test
+    - 
+      name: Build Codecov report
+      uses: codecov/codecov-action@v1
+      with:
+        files: cover.out

Makefile

@@ -29,7 +29,7 @@ export PROJECT_CLONE_IMG ?= quay.io/devfile/project-clone:next
 export PULL_POLICY ?= Always
 export DEFAULT_ROUTING ?= basic
 export KUBECONFIG ?= ${HOME}/.kube/config
-export DEVWORKSPACE_API_VERSION ?= 32cae1f8e42c22035138ef6ee93080bc47d751c6
+export DEVWORKSPACE_API_VERSION ?= fe7c10eaa530b12b19cfb0e22e221e753391304c
 
 # Enable using Podman instead of Docker
 export DOCKER ?= docker

README.md

@@ -1,5 +1,7 @@
 # Dev Workspace Operator
 
+[![codecov](https://codecov.io/gh/devfile/devworkspace-operator/branch/main/graph/badge.svg)](https://codecov.io/gh/devfile/devworkspace-operator)
+
 Dev Workspace operator repository that contains the controller for the DevWorkspace Custom Resource. The Kubernetes API of the DevWorkspace is defined in the https://github.com/devfile/api repository.
 
 ## DevWorkspace CR
@@ -79,7 +81,7 @@ In order to build a custom bundle, the following env vars should be set:
 
 To build the index image and register its catalogsource to the cluster, run
 ```
-make generate_olm_bundle_yaml build_bundle_image build_index_image register_catalogsource
+make generate_olm_bundle_yaml build_bundle_and_index register_catalogsource
 ```
 
 Note that setting `DEFAULT_DWO_IMG` while generating sources will result in local changes to the repo which should be `git restored` before committing. This can also be done by unsetting the `DEFAULT_DWO_IMG` env var and re-running `make generate_olm_bundle_yaml`
@@ -180,3 +182,5 @@ This will delete all custom resource definitions created for the controller, as
 #### GitHub actions
 
 - [Next Dockerimage](https://github.com/devfile/devworkspace-operator/blob/main/.github/workflows/dockerimage-next.yml) action builds main branch and pushes it to [quay.io/devfile/devworkspace-controller:next](https://quay.io/repository/devfile/devworkspace-controller?tag=latest&tab=tags)
+
+- [Code Coverage Report](./.github/workflows/code-coverage.yml) action creates a code coverage report using [codecov.io](https://about.codecov.io/). 

apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go

@@ -79,6 +79,21 @@ type StorageSizes struct {
 	PerWorkspace *resource.Quantity `json:"perWorkspace,omitempty"`
 }
 
+type ServiceAccountConfig struct {
+	// ServiceAccountName defines a fixed name to be used for all DevWorkspaces. If set, the DevWorkspace
+	// Operator will not generate a separate ServiceAccount for each DevWorkspace, and will instead create
+	// a ServiceAccount with the specified name in each namespace where DevWorkspaces are created. If specified,
+	// the created ServiceAccount will not be removed when DevWorkspaces are deleted and must be cleaned up manually.
+	// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+	// +kubebuilder:validation:MaxLength=63
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+	// Disable creation of DevWorkspace ServiceAccounts by the DevWorkspace Operator. If set to true, the serviceAccountName
+	// field must also be set. If ServiceAccount creation is disabled, it is assumed that the specified ServiceAccount already
+	// exists in any namespace where a workspace is created. If a suitable ServiceAccount does not exist, starting DevWorkspaces
+	// will fail.
+	DisableCreation *bool `json:"disableCreation,omitempty"`
+}
+
 type WorkspaceConfig struct {
 	// ImagePullPolicy defines the imagePullPolicy used for containers in a DevWorkspace
 	// For additional information, see Kubernetes documentation for imagePullPolicy. If
@@ -95,6 +110,9 @@ type WorkspaceConfig struct {
 	// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
 	// +kubebuilder:validation:MaxLength=63
 	PVCName string `json:"pvcName,omitempty"`
+	// ServiceAccount defines configuration options for the ServiceAccount used for
+	// DevWorkspaces.
+	ServiceAccount *ServiceAccountConfig `json:"serviceAccount,omitempty"`
 	// StorageClassName defines an optional storageClass to use for persistent
 	// volume claims created to support DevWorkspaces
 	StorageClassName *string `json:"storageClassName,omitempty"`
@@ -124,10 +142,13 @@ type WorkspaceConfig struct {
 	// but the objects will be left on the cluster). The default value is false.
 	CleanupOnStop *bool `json:"cleanupOnStop,omitempty"`
 	// PodSecurityContext overrides the default PodSecurityContext used for all workspace-related
-	// pods created by the DevWorkspace Operator when running on Kubernetes. On OpenShift, this
-	// configuration option is ignored. If set, the entire pod security context is overridden;
-	// values are not merged.
+	// pods created by the DevWorkspace Operator. If set, defined values are merged into the default
+	// configuration
 	PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
+	// ContainerSecurityContext overrides the default ContainerSecurityContext used for all
+	// workspace-related containers created by the DevWorkspace Operator. If set, defined
+	// values are merged into the default configuration
+	ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
 	// DefaultTemplate defines an optional DevWorkspace Spec Template which gets applied to the workspace
 	// if the workspace's Template Spec Components are not defined. The DefaultTemplate will overwrite the existing
 	// Template Spec, with the exception of Projects (if any are defined).

apis/controller/v1alpha1/zz_generated.deepcopy.go

@@ -14,7 +14,7 @@
 #
 
 # https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/ubi8/go-toolset
-FROM registry.access.redhat.com/ubi8/go-toolset:1.17.7-13.1655148239 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.17.12-11 as builder
 ENV GOPATH=/go/
 USER root
 WORKDIR /devworkspace-operator
@@ -34,7 +34,7 @@ RUN make compile-devworkspace-controller
 RUN make compile-webhook-server
 
 # https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/ubi8-minimal
-FROM registry.access.redhat.com/ubi8-minimal:8.6-751.1655117800
+FROM registry.access.redhat.com/ubi8-minimal:8.6-994
 RUN microdnf -y update && microdnf clean all && rm -rf /var/cache/yum && echo "Installed Packages" && rpm -qa | sort -V && echo "End Of Installed Packages"
 WORKDIR /
 COPY --from=builder /devworkspace-operator/_output/bin/devworkspace-controller /usr/local/bin/devworkspace-controller

build/Dockerfile

@@ -67,6 +67,13 @@ _store_tls_cert:
 	  $(K8S_CLI) get secret devworkspace-webhookserver-tls -n $(NAMESPACE) -o json | jq -r '.data["tls.key"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.key
   endif
 
+_check_controller_running:
+	REPLICAS=$$($(K8S_CLI) get deploy devworkspace-controller-manager -n $(NAMESPACE) -o=json | jq -r '.spec.replicas')
+	if [ "$$REPLICAS" != "0" ]; then \
+	  echo "Controller is already running in cluster, cannot run locally. Scale controller to 0 first." ;\
+	  exit 1 ;\
+	fi
+
 ### install: Install controller in the configured Kubernetes cluster in ~/.kube/config
 install: _print_vars _check_cert_manager _init_devworkspace_crds _create_namespace generate_deployment
   ifeq ($(PLATFORM),kubernetes)
@@ -124,9 +131,15 @@ _check_cert_manager:
   endif
 
 _login_with_devworkspace_sa:
-	$(eval SA_TOKEN := $(shell $(K8S_CLI) get secrets -o=json -n $(NAMESPACE) | jq -r '[.items[] | select (.type == "kubernetes.io/service-account-token" and .metadata.annotations."kubernetes.io/service-account.name" == "$(DEVWORKSPACE_CTRL_SA)")][0].data.token' | base64 --decode ))
-	echo "Logging as controller's SA in $(NAMESPACE)"
-	oc login --token=$(SA_TOKEN) --kubeconfig=$(BUMPED_KUBECONFIG)
+  # Kubernetes 1.23 and below: get SA token from service-account-token secret; Kubernetes 1.24 and above, use `kubectl create token`
+	SA_TOKEN=$$($(K8S_CLI) get secrets -o=json -n $(NAMESPACE) \
+	  | jq -r '[.items[] | select (.type == "kubernetes.io/service-account-token" and .metadata.annotations."kubernetes.io/service-account.name" == "$(DEVWORKSPACE_CTRL_SA)")][0].data.token' \
+	  | base64 --decode ); \
+	if [[ "$$SA_TOKEN" == $$(echo 'null' | base64 -d) ]]; then \
+	  SA_TOKEN=$$($(K8S_CLI) create token -n "$(NAMESPACE)" "$(DEVWORKSPACE_CTRL_SA)"); \
+	fi; \
+	echo "Logging as controller's SA in $(NAMESPACE)"; \
+	oc login --token="$$SA_TOKEN" --kubeconfig=$(BUMPED_KUBECONFIG)
 
 ### install_cert_manager: Installs Cert Mananger v1.5.4 on the cluster
 install_cert_manager:
@@ -143,15 +156,15 @@ _bump_kubeconfig:
 	cp $(CONFIG_FILE) $(BUMPED_KUBECONFIG)
 
 ### run: Runs against the configured Kubernetes cluster in ~/.kube/config
-run: _print_vars _gen_configuration_env _bump_kubeconfig _login_with_devworkspace_sa _store_tls_cert
+run: _print_vars _gen_configuration_env _bump_kubeconfig _login_with_devworkspace_sa _store_tls_cert _check_controller_running
 	source $(CONTROLLER_ENV_FILE)
 	export KUBECONFIG=$(BUMPED_KUBECONFIG)
 	CONTROLLER_SERVICE_ACCOUNT_NAME=$(DEVWORKSPACE_CTRL_SA) \
 	  WATCH_NAMESPACE=$(NAMESPACE) \
 	  go run ./main.go
 
 ### debug: Runs the controller locally with debugging enabled, watching cluster defined in ~/.kube/config
-debug: _print_vars _gen_configuration_env _bump_kubeconfig _login_with_devworkspace_sa _store_tls_cert
+debug: _print_vars _gen_configuration_env _bump_kubeconfig _login_with_devworkspace_sa _store_tls_cert _check_controller_running
 	source $(CONTROLLER_ENV_FILE)
 	export KUBECONFIG=$(BUMPED_KUBECONFIG)
 	CONTROLLER_SERVICE_ACCOUNT_NAME=$(DEVWORKSPACE_CTRL_SA) \

build/make/deploy.mk

@@ -10,4 +10,4 @@ spec:
   displayName: DevWorkspace Operator Catalog
   updateStrategy:
     registryPoll:
-      interval: 1d
+      interval: 5m

catalog-source.yaml

@@ -0,0 +1,2 @@
+github_checks:
+    annotations: false

codecov.yml

@@ -57,7 +57,8 @@ func (s *BasicSolver) Finalize(*controllerv1alpha1.DevWorkspaceRouting) error {
 func (s *BasicSolver) GetSpecObjects(routing *controllerv1alpha1.DevWorkspaceRouting, workspaceMeta DevWorkspaceMetadata) (RoutingObjects, error) {
 	routingObjects := RoutingObjects{}
 
-	routingSuffix := config.Routing.ClusterHostSuffix
+	// TODO: Use workspace-scoped ClusterHostSuffix to allow overriding
+	routingSuffix := config.GetGlobalConfig().Routing.ClusterHostSuffix
 	if routingSuffix == "" {
 		return routingObjects, &RoutingInvalid{"basic routing requires .config.routing.clusterHostSuffix to be set in operator config"}
 	}