Merge branch 'main' into gabedos/add-startup-probe

Author: gabedos

.github/workflows/build.yml

@@ -3,9 +3,16 @@ env:
   GO_VERSION: 1.22.7
 on:
   push:
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
 jobs:
   build-linux-binary:
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -23,10 +30,13 @@ jobs:
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
-          version: latest
+          version: 2.4.1
           args: build --skip=validate --config .goreleaser-for-linux.yaml
   build-darwin-binary:
     runs-on: macos-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -44,6 +54,9 @@ jobs:
           args: build --skip=validate --config .goreleaser-for-darwin.yaml
   build-windows-binary:
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
     steps:
       - uses: actions/checkout@v3
         with:

.github/workflows/codeql-analysis.yml

@@ -7,6 +7,8 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ main ]
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/main.yml

@@ -1,5 +1,9 @@
 name: validation
 on: [push, pull_request]
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
 env:
   PROJECTNAME: "datadog-operator"
   GO_VERSION: 1.22.7

.github/workflows/pr-linter.yml

@@ -2,21 +2,30 @@ name: pull request linter
 on:
   pull_request_target:
    types: [opened, labeled, unlabeled, synchronize]
+
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v1
     - name: Verify Pull Request Labels
-      uses: jesusvasquez333/verify-pr-label-action@v1.3.1
+      uses: jesusvasquez333/verify-pr-label-action@v1.4.0
       with:
         github-token: '${{ secrets.GITHUB_TOKEN }}'
         valid-labels: 'bug, enhancement, refactoring, documentation, tooling, dependencies'
         pull-request-number: '${{ github.event.pull_request.number }}'
+        disable-reviews: true
   check-milestone:
     name: Check Milestone
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - if: github.event.pull_request.milestone == null && !contains(toJson(github.event.pull_request.labels.*.name), 'qa/skip-qa')
         run: echo "::error::Missing milestone or \`qa/skip-qa\` label" && exit 1

.github/workflows/release.yaml

@@ -6,12 +6,21 @@ on:
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+"
       - "v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
 env:
   GO_VERSION: 1.22.7
 jobs:
   build-linux-binary:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
+      # actions/upload-artifact@v3
+      actions: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -36,7 +45,7 @@ jobs:
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
-          version: latest
+          version: 2.4.1
           args: release --skip=publish --config .goreleaser-for-linux.yaml
         env:
           GORELEASER_PREVIOUS_TAG: ${{steps.latest_version.outputs.release}}
@@ -51,6 +60,11 @@ jobs:
   build-darwin-binary:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: macos-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
+      # actions/upload-artifact@v3
+      actions: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -85,6 +99,11 @@ jobs:
   build-windows-binary:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
+      # actions/upload-artifact@v3
+      actions: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -120,6 +139,14 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     needs: [build-linux-binary, build-darwin-binary, build-windows-binary]
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      # https://github.com/softprops/action-gh-release?tab=readme-ov-file#permissions 
+      contents: write
+      # actions/download-artifact@v3
+      actions: read
+      # rajatjindal/[email protected]
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.gitlab-ci.yml

@@ -2,10 +2,9 @@ image: registry.ddbuild.io/images/mirror/golang:1.22.7
 variables:
   PROJECTNAME: "datadog-operator"
   PROJECTNAME_CHECK: "datadog-operator-check"
-  GOPATH: "$CI_PROJECT_DIR/.cache"
   BUILD_DOCKER_REGISTRY: "486234852809.dkr.ecr.us-east-1.amazonaws.com/ci"
   E2E_DOCKER_REGISTRY: "669783387624.dkr.ecr.us-east-1.amazonaws.com/operator"
-  JOB_DOCKER_IMAGE: "486234852809.dkr.ecr.us-east-1.amazonaws.com/ci-containers-project:v46356103-16ecadd-v3.0.0"
+  JOB_DOCKER_IMAGE: "registry.ddbuild.io/ci-containers-project:v46367840-16ecadd-v3.0.0"
   DOCKER_REGISTRY_LOGIN_SSM_KEY: docker_hub_login
   DOCKER_REGISTRY_PWD_SSM_KEY: docker_hub_pwd
   DOCKER_REGISTRY_URL: docker.io
@@ -21,8 +20,7 @@ variables:
 cache: &global_cache
   key: ${CI_COMMIT_REF_SLUG}
   paths:
-    - .cache
-  policy: pull-push
+    - /go/pkg/mod
 
 stages:
   - build
@@ -79,8 +77,14 @@ stages:
 build:
   stage: build
   tags: ["arch:amd64"]
+  variables:
+    KUBERNETES_MEMORY_REQUEST: 16Gi
+    KUBERNETES_MEMORY_LIMIT: 16Gi
+    KUBERNETES_CPU_REQUEST: 4
+    KUBERNETES_CPU_LIMIT: 4
+    GOMEMLIMIT: 15GiB
+    GOMAXPROCS: 4
   before_script:
-    - mkdir -p .cache
     - make install-tools
   script:
     - make build
@@ -92,8 +96,14 @@ unit_tests:
     - if: '$DDR == "true"'
       when: never
     - when: on_success
+  variables:
+    KUBERNETES_MEMORY_REQUEST: 16Gi
+    KUBERNETES_MEMORY_LIMIT: 16Gi
+    KUBERNETES_CPU_REQUEST: 4
+    KUBERNETES_CPU_LIMIT: 4
+    GOMEMLIMIT: 15GiB
+    GOMAXPROCS: 4
   before_script:
-    - mkdir -p .cache
     - make install-tools
   script:
     - make test
@@ -102,7 +112,6 @@ check-golang-version:
   stage: test
   tags: ["arch:amd64"]
   before_script:
-    - mkdir -p .cache
     - make install-tools
   script:
     - make update-golang
@@ -116,7 +125,6 @@ generate_code:
       when: never
     - when: on_success
   before_script:
-    - mkdir -p .cache
     - make install-tools
   script:
     - make generate manifests
@@ -457,7 +465,6 @@ publish_community_operators:
   tags: [ "runner:docker", "size:large" ]
   image: $JOB_DOCKER_IMAGE
   before_script:
-    - mkdir -p .cache
     - make install-tools
   script:
     # Set version
@@ -522,12 +529,11 @@ publish_nightly_workflow:
     CONDUCTOR_TARGET: $CONDUCTOR_TARGET
     DDR_WORKFLOW_ID: $DDR_WORKFLOW_ID
 
-# On success, this will cause CNAB to trigger a Deployment to Release Candidate clusters
+# On success, this will cause CNAB to trigger a Deployment to Release Candidate clusters and open a corresponding pull request
 publish_release_candidate_workflow:
   stage: deploy
   rules:
     - if: $CI_COMMIT_TAG
-      when: manual # TODO: change this to on_success when feeling confident
     - when: never
   needs:
     - trigger_internal_operator_image

.golangci.toml

@@ -1,6 +1,6 @@
 [run]
-  deadline = "5m"
   tests = false
+  timeout = "10m"
 
 [linters-settings]
 

.goreleaser-for-darwin.yaml

@@ -1,3 +1,4 @@
+version: 2
 before:
   hooks:
     - go mod download

.goreleaser-for-linux.yaml

@@ -1,3 +1,4 @@
+version: 2
 before:
   hooks:
     - go mod download

.goreleaser-for-windows.yaml

@@ -1,3 +1,4 @@
+version: 2
 before:
   hooks:
     - go mod download

.goreleaser.yml

@@ -1,3 +1,4 @@
+version: 2
 before:
   hooks:
     - go mod download

LICENSE-3rdparty.csv

@@ -1,6 +1,8 @@
 Component,Origin,License
+core,github.com/DataDog/appsec-internal-go,Apache-2.0
 core,github.com/DataDog/datadog-agent/pkg/config/model,Apache-2.0
 core,github.com/DataDog/datadog-agent/pkg/config/remote,Apache-2.0
+core,github.com/DataDog/datadog-agent/pkg/obfuscate,Apache-2.0
 core,github.com/DataDog/datadog-agent/pkg/proto,Apache-2.0
 core,github.com/DataDog/datadog-agent/pkg/remoteconfig/state,Apache-2.0
 core,github.com/DataDog/datadog-agent/pkg/util/backoff,Apache-2.0
@@ -14,8 +16,11 @@ core,github.com/DataDog/datadog-api-client-go/v2,Apache-2.0
 core,github.com/DataDog/datadog-go/v5/statsd,MIT
 core,github.com/DataDog/datadog-operator,Apache-2.0
 core,github.com/DataDog/extendeddaemonset/api/v1alpha1,Apache-2.0
+core,github.com/DataDog/go-libddwaf/v3,Apache-2.0
+core,github.com/DataDog/go-sqllexer,MIT
 core,github.com/DataDog/go-tuf,BSD-3-Clause
 core,github.com/DataDog/gostackparse,Apache-2.0
+core,github.com/DataDog/sketches-go/ddsketch,Apache-2.0
 core,github.com/DataDog/viper,MIT
 core,github.com/DataDog/zstd,BSD-3-Clause
 core,github.com/Masterminds/semver,MIT
@@ -26,9 +31,12 @@ core,github.com/cenkalti/backoff,MIT
 core,github.com/cespare/xxhash/v2,MIT
 core,github.com/cihub/seelog,BSD-3-Clause
 core,github.com/davecgh/go-spew/spew,ISC
+core,github.com/dustin/go-humanize,MIT
+core,github.com/ebitengine/purego,Apache-2.0
 core,github.com/emicklei/go-restful/v3,MIT
 core,github.com/evanphx/json-patch/v5,BSD-3-Clause
 core,github.com/fsnotify/fsnotify,BSD-3-Clause
+core,github.com/fxamacker/cbor/v2,MIT
 core,github.com/go-logr/logr,Apache-2.0
 core,github.com/go-logr/zapr,Apache-2.0
 core,github.com/go-openapi/jsonpointer,Apache-2.0
@@ -51,12 +59,13 @@ core,github.com/josharian/intern,MIT
 core,github.com/json-iterator/go,MIT
 core,github.com/magiconair/properties,BSD-2-Clause
 core,github.com/mailru/easyjson,MIT
-core,github.com/matttproud/golang_protobuf_extensions/pbutil,Apache-2.0
 core,github.com/mitchellh/mapstructure,MIT
 core,github.com/modern-go/concurrent,Apache-2.0
 core,github.com/modern-go/reflect2,Apache-2.0
 core,github.com/mohae/deepcopy,MIT
 core,github.com/munnerz/goautoneg,BSD-3-Clause
+core,github.com/outcaste-io/ristretto,Apache-2.0
+core,github.com/outcaste-io/ristretto/z,MIT
 core,github.com/patrickmn/go-cache,MIT
 core,github.com/pelletier/go-toml,Apache-2.0
 core,github.com/philhofer/fwd,MIT
@@ -65,7 +74,6 @@ core,github.com/pmezard/go-difflib/difflib,BSD-3-Clause
 core,github.com/prometheus/client_golang/prometheus,Apache-2.0
 core,github.com/prometheus/client_model/go,Apache-2.0
 core,github.com/prometheus/common,Apache-2.0
-core,github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg,BSD-3-Clause
 core,github.com/prometheus/procfs,Apache-2.0
 core,github.com/richardartoul/molecule,MIT
 core,github.com/richardartoul/molecule/src/codec,Apache-2.0
@@ -80,18 +88,21 @@ core,github.com/spf13/pflag,BSD-3-Clause
 core,github.com/stretchr/objx,MIT
 core,github.com/stretchr/testify,MIT
 core,github.com/tinylib/msgp/msgp,MIT
+core,github.com/x448/float16,MIT
 core,github.com/zorkian/go-datadog-api,BSD-3-Clause
 core,go.etcd.io/bbolt,MIT
 core,go.uber.org/atomic,MIT
 core,go.uber.org/multierr,MIT
 core,go.uber.org/zap,MIT
 core,golang.org/x/exp,BSD-3-Clause
+core,golang.org/x/mod/semver,BSD-3-Clause
 core,golang.org/x/net,BSD-3-Clause
 core,golang.org/x/oauth2,BSD-3-Clause
 core,golang.org/x/sys/unix,BSD-3-Clause
 core,golang.org/x/term,BSD-3-Clause
 core,golang.org/x/text,BSD-3-Clause
 core,golang.org/x/time/rate,BSD-3-Clause
+core,golang.org/x/xerrors,BSD-3-Clause
 core,gomodules.xyz/jsonpatch/v2,Apache-2.0
 core,google.golang.org/genproto/googleapis/api,Apache-2.0
 core,google.golang.org/genproto/googleapis/rpc/status,Apache-2.0
@@ -107,7 +118,6 @@ core,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions,Apache-2.0
 core,k8s.io/apimachinery/pkg,Apache-2.0
 core,k8s.io/apimachinery/third_party/forked/golang,BSD-3-Clause
 core,k8s.io/client-go,Apache-2.0
-core,k8s.io/component-base/config,Apache-2.0
 core,k8s.io/klog/v2,Apache-2.0
 core,k8s.io/kube-aggregator/pkg/apis/apiregistration,Apache-2.0
 core,k8s.io/kube-openapi/pkg,Apache-2.0
@@ -118,4 +128,5 @@ core,k8s.io/utils/internal/third_party/forked/golang/net,BSD-3-Clause
 core,sigs.k8s.io/controller-runtime,Apache-2.0
 core,sigs.k8s.io/json,Apache-2.0
 core,sigs.k8s.io/structured-merge-diff/v4,Apache-2.0
-core,sigs.k8s.io/yaml,MIT
+core,sigs.k8s.io/yaml,Apache-2.0
+core,sigs.k8s.io/yaml/goyaml.v2,Apache-2.0