GitHub actions Build, Test and Release workflows (#94)

* Switching to Github Codeowners

* Generate Codecoverage reports

* Initial Build workflows

* Upgrade to go1.18

* Fix Code Owners

* Swith to ubuntu-latest

* General fixes

* Update to go 1.20

* Initial Dependabot setup

* Upgrade all the things

* Fix up testcoverage check

* Switching to Go-lang/jwt

* Only build the image if lint and tests pass

* Simple Helm lint Test

* Update Dockerfile to alpine:3.17.2

* helm chart fixes (#102)

* Adding Error Counter Metric

* Adding Semver Prefix and fix typo

* Revert "helm chart fixes (#102)" (#103)

This reverts commit 9185224.

* Resolve issue 63 (#101)

* Allow for overriding Token Path (#100)

* Increase the number of Tags fetched for Docker Registries (#99)

* Adding k8s.io support (#98)

* Better support for selfHosted and SSL connections (#95)

* Enable SSL Skip Verify if you're unable to provide a valid certificate bundle

* Allow for additional Certs to be added into the CA Chain

* Update README.md for helm installation

* Adding initial release workflow

* Build multi-arch images

* Fix Dockerfile build artifact

* Tag and Upload to quay.io/jetstack/version-checker instead of docker hub

* Swithcing to main as the default branch changed

* Set up for review

* Switch to using sha for PR builds

Author: davidcollom

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @davidcollom

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0

.github/workflows/build-test.yaml

@@ -0,0 +1,96 @@
+name: Test & Build
+on:
+  pull_request:
+    branches:
+      - 'main'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+    name: Lint Go code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Setup Golang
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
+        with:
+          version: v1.53
+          args: --timeout 10m --exclude SA5011 --verbose --issues-exit-code=0
+          only-new-issues: true
+
+  test:
+    name: Run unit tests for Go packages
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3 # v3.5.3
+    - name: Setup Go
+      uses: actions/setup-go@v4
+
+    - name: Download and required packages
+      run: |
+        make deps
+
+    - name: Run all unit tests
+      run: make test
+
+    - name: check test coverage
+      uses: vladopajic/go-test-coverage@v2
+      with:
+        config: ./.testcoverage.yml
+
+    - name: Generate code coverage artifacts
+      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      with:
+        name: code-coverage
+        path: coverage.out
+
+  build:
+    needs:
+      - test
+      - lint
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
+          - linux/arm/v7
+    name: Build Images
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+      with:
+        platforms: ${{ matrix.platform }}
+
+    - name: Login to Docker Hub
+      uses: docker/login-action@v2
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_USERNAME }}
+        password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+    - name: Build and push
+      uses: docker/build-push-action@v4
+      with:
+        context: .
+        platforms: ${{ matrix.platform }}
+        push: false
+        tags: quay.io/jetstack/version-checker:${{github.sha}}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max

.github/workflows/helm-test.yaml

@@ -0,0 +1,51 @@
+name: Test Helm Chart
+on:
+  pull_request:
+    paths:
+      - 'deploy/charts/version-checker/**'
+    branches:
+      - 'main'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+    name: Lint Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - uses: azure/setup-helm@v3
+
+      - run: helm lint deploy/charts/version-checker
+
+  test:
+    name: Run unit tests for Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - uses: azure/setup-helm@v3
+        with:
+          token: ${{ github.token }}
+
+      - name: Install helm Plugins
+        run: |
+          if [ ! -e "${HELM_PLUGINS}/helm-unittest" ]; then
+            helm plugin install https://github.com/helm-unittest/helm-unittest.git
+          fi
+
+      - name: Run Tests
+        run: |
+          if [ ! -e "deploy/charts/verson-checker/tests" ]; then
+            echo "Not running tests, directory doesn't exist: deploy/charts/verson-checker/tests"
+            exit 0
+          fi
+          helm unittest --helm3 --color deploy/charts/verson-checker

.github/workflows/release.yaml

@@ -0,0 +1,103 @@
+name: Version-Checker Release
+
+on:
+  push:
+    branches:
+      - 'release-.*'
+    tags:
+        - '*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  helm-release:
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout our Repo
+      - uses: actions/checkout@v3
+        with:
+          path: version-checker
+
+      - name: checkout jetstack-charts
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.JETSTACK_CHARTS_PAT }}
+          repository: jetstack/jetstack-charts
+          ref: main
+          path: jetstack-charts
+
+      - uses: azure/setup-helm@v3
+        with:
+          token: ${{ github.token }}
+
+      - name: package helm chart
+        run: |
+          helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/
+
+      - name: Creating PR
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ secrets.JETSTACK_CHARTS_PAT }}
+          title: "Release version-checker ${{github.ref_name }}"
+          commit-message: "Release version-checker ${{github.ref_name }}"
+          branch: version-checker/${{github.ref_name}}
+          path: jetstack-charts
+          add-paths: charts/*.tgz
+          delete-branch: true
+          signoff: true
+          base: main
+          draft: ${{ contains('-rc', github.ref_name) || !startsWith(github.ref, 'refs/tags/') }}
+
+  docker-release:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
+          - linux/arm/v7
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          platforms: ${{ matrix.platform }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+      - name: Build and push (if applicable)
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: ${{ matrix.platform }}
+          push: ${{ !startsWith(github.ref, 'refs/tags/') }}
+          tags: quay.io/jetstack/version-checker:${{github.ref_name}}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+
+  github-release:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Create Release / Change Logs
+        uses: softprops/action-gh-release@v1
+        with:
+          draft: ${{ !startsWith(github.ref, 'refs/tags/') }}
+          prerelease: ${{ contains('-rc', github.ref_name) || !startsWith(github.ref, 'refs/tags/') }}
+          generate_release_notes: true

.gitignore

@@ -1 +1,2 @@
 /bin
+coverage.out

.testcoverage.yml

@@ -0,0 +1,38 @@
+# (mandatory)
+# Path to coverprofile file (output of `go test -coverprofile` command)
+profile: coverage.out
+
+# (optional)
+# When specified reported file paths will not contain local prefix in the output
+# local-prefix: "github.com/org/project"
+
+# Holds coverage thresholds percentages, values should be in range [0-100]
+threshold:
+  # (optional; default 0)
+  # The minimum coverage that each file should have
+  file: 0
+
+  # (optional; default 0)
+  # The minimum coverage that each package should have
+  package: 0
+
+  # (optional; default 0)
+  # The minimum total coverage project should have
+  total: 0
+
+# Holds regexp rules which will override thresholds for matched files or packages
+# override:
+#   # Increase coverage threshold to 100% for `foo` package (default is 80, as configured above)
+#   - threshold: 100
+#     path: ^pkg/lib/foo$
+
+# Holds regexp rules which will exclude matched files or packages from coverage statistics
+# exclude:
+#   # Exclude files or packages matching their paths
+#   paths:
+#     - \.pb\.go$    # excludes all protobuf generated files
+#     - ^pkg/bar     # exclude package `pkg/bar`
+
+# NOTES:
+# - symbol `/` in all path regexps will be replaced by
+#   current OS file path separator to properly work on Windows

Dockerfile

@@ -1,8 +1,18 @@
-FROM alpine:3.12
+FROM golang:1.20-alpine as builder
+
+RUN apk --no-cache add make
+
+COPY . /app/
+WORKDIR /app/
+
+RUN make build
+
+
+FROM alpine:3.18.2
 LABEL description="Kubernetes utility for exposing used image versions compared to the latest version, as metrics."
 
 RUN apk --no-cache add ca-certificates
 
-COPY ./bin/version-checker-linux /usr/bin/version-checker
+COPY --from=builder /app/bin/version-checker /usr/bin/version-checker
 
 ENTRYPOINT ["/usr/bin/version-checker"]

Makefile

@@ -6,17 +6,21 @@ help:  ## display this help
 
 .PHONY: help build image all clean
 
-test: ## test version-checker
-	go test ./...
+deps: ## Download all Dependencies
+	go mod download
 
-build: ## build version-checker
+test: deps ## test version-checker
+	go test ./... -coverprofile=coverage.out
+
+$(BINDIR):
 	mkdir -p $(BINDIR)
+
+build: deps $(BINDIR) ## build version-checker
 	CGO_ENABLED=0 go build -o ./bin/version-checker ./cmd/.
 
 verify: test build ## tests and builds version-checker
 
 image: ## build docker image
-	GOARCH=$(ARCH) GOOS=linux CGO_ENABLED=0 go build -o ./bin/version-checker-linux ./cmd/.
 	docker build -t quay.io/jetstack/version-checker:v0.2.2 .
 
 clean: ## clean up created files

OWNERS

@@ -7,10 +7,6 @@ alert cluster operators.
 
 > This tool is currently experimental.
 
-If you're interested in this tool, version checking is a built-in feature
-in our [Preflight](https://preflight.jetstack.io/) product. You may want to 
-check it out if you would like multi-cluster component version checking.
-
 ## Registries
 
 version-checker supports the following registries:
@@ -40,8 +36,15 @@ $ kubectl apply -k ./deploy/yaml
 Or through helm;
 
 ```sh
-$ cd ./deploy/charts/version-checker && kubectl create namespace version-checker
-$ helm install version-checker . -n version-checker
+$ helm repo add jetstack https://charts.jetstack.io
+"jetstack" has been added to your repositories
+$ helm install version-checker jetstack/version-checker
+NAME: version-checker
+LAST DEPLOYED: Wed Jul 12 17:47:41 2023
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
 ```
 
 The helm chart supports creating a Prometheus/ServiceMonitor to expose the

README.md

@@ -1,6 +1,6 @@
 apiVersion: v1
 appVersion: "v0.2.2"
-version: 0.2.3
+version: v0.2.3
 description: A Helm chart for version-checker
 home: https://github.com/jetstack/verison-checker
 name: version-checker

deploy/charts/version-checker/Chart.yaml

@@ -1,31 +1,96 @@
 module github.com/jetstack/version-checker
 
-go 1.15
+go 1.20
+
+// Do not remove this comment:
+// please place any replace statements here at the top for visibility and add a
+// comment to it as to when it can be removed
 
 require (
-	cloud.google.com/go v0.57.0 // indirect
-	github.com/Azure/go-autorest/autorest v0.10.2
-	github.com/Azure/go-autorest/autorest/adal v0.8.3
-	github.com/aws/aws-sdk-go v1.34.10
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/google/go-github/v44 v44.0.0
-	github.com/hashicorp/go-retryablehttp v0.6.8
-	github.com/hashicorp/golang-lru v0.5.3 // indirect
-	github.com/imdario/mergo v0.3.9 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
-	github.com/prometheus/client_golang v1.7.1
-	github.com/sirupsen/logrus v1.6.0
-	github.com/spf13/cobra v1.0.0
+	github.com/Azure/go-autorest/autorest v0.11.29
+	github.com/Azure/go-autorest/autorest/adal v0.9.23
+	github.com/aws/aws-sdk-go v1.44.298
+	github.com/golang-jwt/jwt/v5 v5.0.0
+	github.com/google/gnostic v0.6.9 // indirect
+	github.com/google/go-github/v53 v53.2.0
+	github.com/hashicorp/go-retryablehttp v0.7.4
+	github.com/prometheus/client_golang v1.16.0
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/cobra v1.6.0
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	gopkg.in/yaml.v2 v2.3.0 // indirect
-	k8s.io/api v0.19.0
-	k8s.io/apimachinery v0.19.0
-	k8s.io/cli-runtime v0.19.0
-	k8s.io/client-go v0.19.0
-	k8s.io/component-base v0.19.0
-	k8s.io/utils v0.0.0-20200729134348-d5654de09c73
+	golang.org/x/oauth2 v0.10.0
+	k8s.io/api v0.27.3
+	k8s.io/apimachinery v0.27.3
+	k8s.io/cli-runtime v0.27.3
+	k8s.io/client-go v0.27.3
+	k8s.io/component-base v0.27.3
+	k8s.io/utils v0.0.0-20230505201702-9f6742963106
+)
+
+require (
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/btree v1.0.1 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/imdario/mergo v0.3.9 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/xlab/treeprint v1.1.0 // indirect
+	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.90.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/kustomize/api v0.13.2 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )

go.mod

@@ -12,7 +12,7 @@ import (
 
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/adal"
-	"github.com/dgrijalva/jwt-go"
+	jwt "github.com/golang-jwt/jwt/v5"
 
 	"github.com/jetstack/version-checker/pkg/api"
 	"github.com/jetstack/version-checker/pkg/client/util"
@@ -241,15 +241,18 @@ func (c *Client) getAccessTokenClient(ctx context.Context, host string) (*acrCli
 	}, nil
 }
 
-func getTokenExpiration(token string) (time.Time, error) {
-	parser := jwt.Parser{SkipClaimsValidation: true}
+func getTokenExpiration(tokenString string) (time.Time, error) {
 
-	claims := make(jwt.MapClaims)
-	_, _, err := parser.ParseUnverified(token, claims)
+	token, err := jwt.Parse(tokenString, nil, jwt.WithoutClaimsValidation())
 	if err != nil {
 		return time.Time{}, err
 	}
 
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return time.Time{}, fmt.Errorf("failed to process claims in access token")
+	}
+
 	if exp, ok := claims["exp"].(float64); ok {
 		timestamp := time.Unix(int64(exp), 0)
 		return timestamp, nil

go.sum

@@ -6,7 +6,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/google/go-github/v44/github"
+	"github.com/google/go-github/v53/github"
 	"github.com/jetstack/version-checker/pkg/api"
 	"golang.org/x/oauth2"
 )