Merge branch 'main' into issue_100

.dockerignore

@@ -1,3 +1,2 @@
-# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
-# Ignore build and test binaries.
 bin/
+go.work*

.github/workflows/pr-checks.yaml

@@ -172,6 +172,7 @@ jobs:
           working-directory: ./deployments/nimbus
           run: |
             helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
+            --set image.tag=latest \
             --set image.pullPolicy=Never \
             --set autoDeploy.kubearmor=false \
             --set autoDeploy.kyverno=false \
@@ -232,6 +233,7 @@ jobs:
           working-directory: ./deployments/nimbus
           run: |
             helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
+            --set image.tag=latest \
             --set image.pullPolicy=Never \
             --set autoDeploy.kubearmor=false \
             --set autoDeploy.kyverno=false \
@@ -245,7 +247,7 @@ jobs:
         - name: Install nimbus-netpol
           working-directory: deployments/nimbus-netpol/
           run: |
-            helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-netpol to start
           run: |
@@ -255,7 +257,7 @@ jobs:
         - name: Install nimbus-kubearmor
           working-directory: deployments/nimbus-kubearmor/
           run: |
-            helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-kubearmor to start
           run: |
@@ -265,7 +267,7 @@ jobs:
         - name: Install nimbus-kyverno
           working-directory: deployments/nimbus-kyverno/
           run: |
-            helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-kyverno to start
           run: |

.github/workflows/release-helm-charts.yaml

@@ -0,0 +1,45 @@
+name: Release Helm charts
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag which has to be updated"
+        type: "string"
+        required: true
+
+jobs:
+  release_helm_charts:
+    if: github.repository == '5GSEC/nimbus'
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+          repositories: charts
+
+      - name: Publish Helm chart
+        uses: stefanprodan/helm-gh-pages@master
+        with:
+          # Access token which can push to a different repo in the same org
+          token: ${{ steps.generate-token.outputs.token }}
+          charts_dir: deployments/
+          # repo where charts would be published
+          owner: 5GSEC
+          repository: charts
+          branch: gh-pages
+          charts_url: https://5gsec.github.io/charts/
+          commit_username: "github-actions[bot]"
+          commit_email: "github-actions[bot]@users.noreply.github.com"
+          dependencies: nimbus-kubearmor,https://5gsec.github.io/charts/;nimbus-netpol,https://5gsec.github.io/charts/;nimbus-kyverno,https://5gsec.github.io/charts/;nimbus-k8tls,https://5gsec.github.io/charts/

.github/workflows/stable-release.yaml

@@ -3,7 +3,10 @@
 
 name: Stable release
 
-on: workflow_dispatch
+on:
+  create:
+    tags:
+      - "v*"
 
 permissions: read-all
 
@@ -25,44 +28,46 @@ jobs:
     if: github.repository == '5GSEC/nimbus'
     strategy:
       matrix:
-        adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ]
+        adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno", "nimbus-k8tls" ]
     name: Build and push ${{ matrix.adapters }} adapter's image
     uses: ./.github/workflows/release-image.yaml
     with:
       WORKING_DIRECTORY: ./pkg/adapter/${{ matrix.adapters }}
       NAME: ${{ matrix.adapters }}
     secrets: inherit
 
-  release_helm_charts:
+  update-image-tags-in-helm-charts:
     if: github.repository == '5GSEC/nimbus'
+    needs: [ release-nimbus-image, release-adapters-image ]
     permissions:
+      pull-requests: write
       contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
 
-      - name: Install Helm
-        uses: azure/setup-helm@v4
+      - name: Get tag
+        id: tag
+        run: |
+          if [ ${{ github.ref }} == "refs/heads/main" ]; then
+            echo "tag=latest" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+          fi
 
-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ vars.ACTIONS_APP_ID }}
-          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
-          repositories: charts
+      - name: Update images tag
+        run: |
+          ./scripts/update-image-tag.sh ${{ steps.tag.outputs.tag }}
 
-      - name: Publish Helm chart
-        uses: stefanprodan/helm-gh-pages@master
+      - name: Create PR to update images tag in Helm charts
+        uses: peter-evans/create-pull-request@v7
         with:
-          # Access token which can push to a different repo in the same org
-          token: ${{ steps.generate-token.outputs.token }}
-          charts_dir: deployments/
-          # repo where charts would be published
-          owner: 5GSEC
-          repository: charts
-          branch: gh-pages
-          charts_url: https://5gsec.github.io/charts/
-          commit_username: "github-actions[bot]"
-          commit_email: "github-actions[bot]@users.noreply.github.com"
+          branch: update-helm-${{ steps.tag.outputs.tag }}
+          commit-message: "[skip ci] Update Helm Chart To ${{ steps.update.outputs.STABLE_VERSION }}"
+          committer: "github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
+          author: "github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
+          title: "[skip ci] Update Helm Chart To ${{ steps.update.outputs.STABLE_VERSION }}"
+          base: main
+          signoff: true
+          delete-branch: true

Dockerfile

@@ -1,37 +1,29 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-# Build the manager binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
+# Required to embed build info into binary.
+COPY .git /.git
+
 WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
 
-# Copy the go source
-COPY cmd/main.go cmd/main.go
-COPY api/ api/
-COPY internal/ internal/
-COPY pkg/processor/ pkg/processor/
+COPY . .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --from=builder /workspace/bin/nimbus .
 USER 65532:65532
 
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/nimbus"]

Makefile

@@ -8,6 +8,8 @@ TAG ?= latest
 
 TEST_DIR ?= tests/controllers
 
+BINARY_NAME ?= nimbus
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -46,6 +48,8 @@ all: build
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.DEFAULT_GOAL := help
+
 ##@ Development
 
 .PHONY: manifests
@@ -96,12 +100,12 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 ##@ Build
 
 .PHONY: build
-build: manifests generate fmt vet ## Build manager binary.
-	go build -o bin/manager cmd/main.go
+build: fmt vet ## Build manager binary.
+	@go build -ldflags="-s" -o bin/"${BINARY_NAME}" ./cmd
 
 .PHONY: run
-run: manifests generate fmt vet ## Run a controller from your host.
-	go run cmd/main.go
+run: manifests generate fmt vet build ## Run a controller from your host.
+	@./bin/"${BINARY_NAME}"
 
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.

PROJECT

@@ -10,36 +10,42 @@ repo: github.com/5GSEC/nimbus
 resources:
 - api:
     crdVersion: v1
-    namespaced: true
   controller: true
   domain: security.nimbus.com
   group: intent
   kind: SecurityIntent
-  path: github.com/5GSEC/nimbus/api/v1
-  version: v1
+  path: github.com/5GSEC/nimbus/api/v1alpha1
+  version: v1alpha1
 - api:
     crdVersion: v1
     namespaced: true
   controller: true
   domain: security.nimbus.com
   group: intent
+  kind: SecurityIntentBinding
+  path: github.com/5GSEC/nimbus/api/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: security.nimbus.com
+  group: intent
   kind: NimbusPolicy
-  path: github.com/5GSEC/nimbus/api/v1
-  version: v1
+  path: github.com/5GSEC/nimbus/api/v1alpha1
+  version: v1alpha1
 - api:
     crdVersion: v1
-  controller: true
   domain: security.nimbus.com
   group: intent
   kind: ClusterNimbusPolicy
-  path: github.com/5GSEC/nimbus/api/v1
-  version: v1
+  path: github.com/5GSEC/nimbus/api/v1alpha1
+  version: v1alpha1
 - api:
     crdVersion: v1
   controller: true
   domain: security.nimbus.com
   group: intent
   kind: ClusterSecurityIntentBinding
-  path: github.com/5GSEC/nimbus/api/v1
-  version: v1
+  path: github.com/5GSEC/nimbus/api/v1alpha1
+  version: v1alpha1
 version: "3"

cmd/main.go

@@ -5,11 +5,11 @@ package main
 
 import (
 	"flag"
-	"os"
-
-	"k8s.io/apimachinery/pkg/runtime"
+	"github.com/5GSEC/nimbus/pkg/util"
+	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"os"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/config"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
@@ -24,7 +24,7 @@ import (
 
 // Global variables for scheme registration and setup logging.
 var (
-	scheme   = runtime.NewScheme()        // Scheme for registering API types for client and server.
+	scheme   = k8sruntime.NewScheme()     // Scheme for registering API types for client and server.
 	setupLog = ctrl.Log.WithName("setup") // Logger for setup process.
 )
 
@@ -51,6 +51,7 @@ func main() {
 
 	// Setting the logger with the provided options.
 	ctrl.SetLogger(zap.New())
+	util.LogBuildInfo(ctrl.Log)
 
 	// Creating a new manager which will manage all the controllers.
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{