feat: Use latest operator-sdk (#170)

* Baseline migration to newest operator-sdk version

* Migrate stuff to internal

* Fix broken tests + rename files

* Remove cyclic deps

* Update Kustomize patches

* Update Makefile + remove unneeded perm

* Fix build folder + use decoder

* Remove unneeded aliases + fix test folders

* Fix broken tests

* Update helm chart with latest operator-sdk output

* Remove all references to kubeRbacProxy

* Update tests to use SetupWithManager

* Update Makefile

* Update coverage profile to include all files in src

* Update coverage profile to include all files in src

* Remove duplicate gitignore entry

.gitignore

@@ -1,5 +1,31 @@
-bin/
-tmp/
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin/*
+tmp/*
+Dockerfile.cross
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Go workspace file
+go.work
+
+# Kubernetes Generated files - skip generated files, except for vendored files
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
+.idea
+.vscode
+*.swp
+*.swo
+*~
 
 # Downloaded chart dependencies
 **/charts/*.tgz

Dockerfile

@@ -3,11 +3,14 @@
 FROM --platform=$BUILDPLATFORM golang:1.23.3-bookworm@sha256:3f3b9daa3de608f3e869cd2ff8baf21555cf0fca9fd34251b8f340f9b7c30ec5 AS builder
 
 WORKDIR /app
-
+# Copy the Go Modules manifests
 COPY go.mod go.sum ./
 COPY ./interop/ ./interop/
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
+# Copy the go source
 COPY ./src/ ./src/
 COPY Makefile .
 
@@ -19,8 +22,8 @@ ARG K8S_AGENTS_OPERATOR_VERSION="development"
 
 RUN make build K8S_AGENTS_OPERATOR_VERSION="${K8S_AGENTS_OPERATOR_VERSION}"
 
-# Use minimal base image to package the operator
-# Source: https://github.com/GoogleContainerTools/distroless
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /bin
 COPY --from=builder /app/bin/operator .

Makefile

@@ -1,5 +1,4 @@
 # Directories
-GO_DIR = ./src
 BIN_DIR = ./bin
 TMP_DIR = $(shell pwd)/tmp
 
@@ -12,19 +11,19 @@ K8S_AGENTS_OPERATOR_VERSION = ""
 .DEFAULT_GOAL := help
 
 # Go packages to test
-TEST_PACKAGES = ./src/internal/config \
+TEST_PACKAGES = ./src/internal/apm \
+                ./src/internal/autodetect \
+				./src/internal/config \
+				./src/internal/instrumentation \
+				./src/internal/migrate/upgrade \
                 ./src/internal/version \
-                ./src/internal/webhookhandler \
-				./src/api/v1alpha2 \
-				./src/autodetect \
-				./src/instrumentation/ \
-				./src/instrumentation/upgrade \
-                ./src/apm
+                ./src/internal/webhook \
+                ./src/api/v1alpha2
 
 # Kubebuilder variables
 SETUP_ENVTEST             = $(LOCALBIN)/setup-envtest
 SETUP_ENVTEST_VERSION     ?= release-0.19
-SETUP_ENVTEST_K8S_VERSION ?= 1.29.0
+SETUP_ENVTEST_K8S_VERSION ?= 1.30.0
 ALL_SETUP_ENVTEST_K8S_VERSIONS ?= 1.30.0 1.29.3 1.28.3 1.27.1 1.26.1 #https://storage.googleapis.com/kubebuilder-tools
 
 ## Tool Versions
@@ -89,13 +88,13 @@ coverprofile: $(TMP_DIR)/cover.out ## Generate coverage report
 go-test: $(SETUP_ENVTEST) $(TMP_DIR) ## Run Go tests with k8s version specified by $SETUP_ENVTEST_K8S_VERSION
 	@chmod -R 755 $(LOCALBIN)/k8s
 	KUBEBUILDER_ASSETS="$(shell $(SETUP_ENVTEST) use $(SETUP_ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" \
-		go test -v -cover -covermode=count -coverprofile=$(TMP_DIR)/cover.out $(TEST_PACKAGES)
+		go test -v -cover -covermode=count -coverprofile=$(TMP_DIR)/cover.out -coverpkg=./src/... $(TEST_PACKAGES)
 
 .PHONY: go-test-race
 go-test-race: $(SETUP_ENVTEST) $(TMP_DIR) ## Run Go tests with k8s version specified by $SETUP_ENVTEST_K8S_VERSION with race detector
 	@chmod -R 755 $(LOCALBIN)/k8s
 	KUBEBUILDER_ASSETS="$(shell $(SETUP_ENVTEST) use $(SETUP_ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" \
-		go test -v -race -cover -covermode=atomic -coverprofile=$(TMP_DIR)/cover.out $(TEST_PACKAGES)
+		go test -v -race -cover -covermode=atomic -coverprofile=$(TMP_DIR)/cover.out -coverpkg=./src/... $(TEST_PACKAGES)
 
 .PHONY: all-go-tests
 all-go-tests: ## Run go tests with all k8s versions specified by $ALL_SETUP_ENVTEST_K8S_VERSIONS
@@ -160,10 +159,10 @@ go-format: ## Format all go files
 
 .PHONY: build
 build: ## Build the go binary
-	CGO_ENABLED=0 go build -ldflags="-X 'github.com/newrelic/k8s-agents-operator/src/internal/version.version=$(K8S_AGENTS_OPERATOR_VERSION)' -X 'github.com/newrelic/k8s-agents-operator/src/internal/version.buildDate=$(shell date)'" -o $(BIN_DIR)/operator $(GO_DIR)
+	CGO_ENABLED=0 go build -ldflags="-X 'github.com/newrelic/k8s-agents-operator/src/internal/version.version=$(K8S_AGENTS_OPERATOR_VERSION)' -X 'github.com/newrelic/k8s-agents-operator/src/internal/version.buildDate=$(shell date)'" -o $(BIN_DIR)/operator src/main.go
 
-.PHONY: dockerbuild
-dockerbuild: ## Build the docker image
+.PHONY: docker-build
+docker-build: ## Build the docker image
 	DOCKER_BUILDKIT=1 docker build -t k8s-agent-operator:latest \
 	  --platform=linux/amd64,linux/arm64,linux/arm \
       .
@@ -226,7 +225,7 @@ generate: controller-gen ## Generate stuff
 	$(CONTROLLER_GEN) object:headerFile="boilerplate.txt"  paths="./..."
 
 .PHONY: manifests
-manifests: generate controller-gen
+manifests: generate controller-gen ## Generate manifests
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) webhook paths="./..." \
 	  rbac:roleName=manager-role output:rbac:artifacts:config=config/rbac \
 	  output:webhook:artifacts:config=config/webhook \
@@ -237,5 +236,4 @@ manifests: generate controller-gen
 run-helmify: manifests helmify kustomize ## Generate the CRD with kustomize and helmify from the manifests
 	@# could we do more here?
 	$(KUSTOMIZE) build config/default | $(HELMIFY) tmp/k8s-agents-operator
-	cp ./tmp/k8s-agents-operator/templates/instrumentation-crd.yaml ./charts/k8s-agents-operator/templates/instrumentation-crd.yaml
 	printf "\nIMPORTANT: The generated chart needs to be transformed!\n- deployment.yaml is split into deployment.yaml and service-account.yaml\n- mutating-webhook-configuration.yaml and validating-webhook-configuration.yaml are merged into service-account.yaml\n- Documents generated are missing several config options (i.e. labels)\n"

charts/k8s-agents-operator/README.md

@@ -245,18 +245,13 @@ If you want to see a list of all available charts and releases, check [index.yam
 | admissionWebhooks.keyFile | string | `""` | Path to your own PEM-encoded private key. |
 | affinity | object | `{}` | Sets all pods' affinities. Can be configured also with `global.affinity` |
 | containerSecurityContext | object | `{}` | Sets all security context (at container level). Can be configured also with `global.securityContext.container` |
-| controllerManager.kubeRbacProxy.containerSecurityContext | object | `{}` | Sets security context (at container level) for kubeRbacProxy. Overrides `containerSecurityContext` and `global.containerSecurityContext` |
-| controllerManager.kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Sets the repository and image to use for kube-rbac-proxy. Please ensure you're using a trusted image. |
-| controllerManager.kubeRbacProxy.image.version | string | `"sha256:771a9a173e033a3ad8b46f5c00a7036eaa88c8d8d1fbd89217325168998113ea"` | Sets the kube-rbac-proxy image version to retrieve. Could be a tag i.e. "v0.16.0" or a SHA digest i.e. "sha256:771a9a173e033a3ad8b46f5c00a7036eaa88c8d8d1fbd89217325168998113ea" |
-| controllerManager.kubeRbacProxy.resources.limits.cpu | string | `"500m"` |  |
-| controllerManager.kubeRbacProxy.resources.limits.memory | string | `"128Mi"` |  |
-| controllerManager.kubeRbacProxy.resources.requests.cpu | string | `"5m"` |  |
-| controllerManager.kubeRbacProxy.resources.requests.memory | string | `"64Mi"` |  |
-| controllerManager.manager.containerSecurityContext | object | `{}` | Sets security context (at container level) for the manager. Overrides `containerSecurityContext` and `global.containerSecurityContext` |
+| controllerManager.manager.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | Sets security context (at container level) for the manager. Overrides `containerSecurityContext` and `global.containerSecurityContext` |
 | controllerManager.manager.image.pullPolicy | string | `nil` |  |
 | controllerManager.manager.image.repository | string | `"newrelic/k8s-agents-operator"` | Sets the repository and image to use for the manager. Please ensure you're using trusted New Relic images. |
 | controllerManager.manager.image.version | string | `nil` | Sets the manager image version to retrieve. Could be a tag i.e. "v0.17.0" or a SHA digest i.e. "sha256:e2399e70e99ac370ca6a3c7e5affa9655da3b246d0ada77c40ed155b3726ee2e" |
 | controllerManager.manager.leaderElection | object | `{"enabled":true}` | Enable leader election mechanism for protecting against split brain if multiple operator pods/replicas are started |
+| controllerManager.manager.resources.limits.cpu | string | `"500m"` |  |
+| controllerManager.manager.resources.limits.memory | string | `"192Mi"` |  |
 | controllerManager.manager.resources.requests.cpu | string | `"100m"` |  |
 | controllerManager.manager.resources.requests.memory | string | `"64Mi"` |  |
 | controllerManager.replicas | int | `1` |  |
@@ -267,12 +262,12 @@ If you want to see a list of all available charts and releases, check [index.yam
 | metricsService.ports[0].name | string | `"https"` |  |
 | metricsService.ports[0].port | int | `8443` |  |
 | metricsService.ports[0].protocol | string | `"TCP"` |  |
-| metricsService.ports[0].targetPort | string | `"https"` |  |
+| metricsService.ports[0].targetPort | int | `8443` |  |
 | metricsService.type | string | `"ClusterIP"` |  |
 | nodeSelector | object | `{}` | Sets all pods' node selector. Can be configured also with `global.nodeSelector` |
 | podAnnotations | object | `{}` | Annotations to be added to the deployment. |
 | podLabels | object | `{}` | Additional labels for chart pods |
-| podSecurityContext | object | `{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | SecurityContext holds pod-level security attributes and common container settings |
+| podSecurityContext | object | `{"runAsNonRoot":true}` | SecurityContext holds pod-level security attributes and common container settings |
 | priorityClassName | string | `""` | Sets pod's priorityClassName. Can be configured also with `global.priorityClassName` |
 | serviceAccount | object | See `values.yaml` | Settings controlling ServiceAccount creation |
 | serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created |

charts/k8s-agents-operator/templates/_helpers.tpl

@@ -14,12 +14,3 @@ Returns if the template should render, it checks if the required values are set.
 {{- printf "%s:%s" .Values.controllerManager.manager.image.repository $managerVersion -}}
 {{- end -}}
 {{- end -}}
-
-{{- define "k8s-agents-operator.kubeRbacProxy.image" -}}
-{{- $kubeRbacProxyVersion := .Values.controllerManager.kubeRbacProxy.image.version | default .Chart.AppVersion -}}
-{{- if eq (substr 0 7 $kubeRbacProxyVersion) "sha256:" -}}
-{{- printf "%s@%s" .Values.controllerManager.kubeRbacProxy.image.repository $kubeRbacProxyVersion -}}
-{{- else -}}
-{{- printf "%s:%s" .Values.controllerManager.kubeRbacProxy.image.repository $kubeRbacProxyVersion -}}
-{{- end -}}
-{{- end -}}

charts/k8s-agents-operator/templates/_naming.tpl

@@ -7,6 +7,10 @@
 {{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "webhook-service") -}}
 {{- end -}}
 
+{{- define "k8s-agents-operator.metricsService.name" -}}
+{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "controller-manager-metrics-service") -}}
+{{- end -}}
+
 {{- define "k8s-agents-operator.webhook.mutating.name" -}}
 {{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "mutation") -}}
 {{- end -}}
@@ -23,12 +27,12 @@
 {{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "serving-cert") -}}
 {{- end -}}
 
-{{- define "k8s-agents-operator.rbac.proxy.role.name" -}}
-{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "proxy-role") -}}
+{{- define "k8s-agents-operator.rbac.metricsAuth.role.name" -}}
+{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "metrics-auth-role") -}}
 {{- end -}}
 
-{{- define "k8s-agents-operator.rbac.proxy.roleBinding.name" -}}
-{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "proxy-rolebinding") -}}
+{{- define "k8s-agents-operator.rbac.metricsAuth.roleBinding.name" -}}
+{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "metrics-auth-rolebinding") -}}
 {{- end -}}
 
 {{- define "k8s-agents-operator.rbac.manager.role.name" -}}
@@ -50,3 +54,11 @@
 {{- define "k8s-agents-operator.rbac.metricsReader.role.name" -}}
 {{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "metrics-reader") -}}
 {{- end -}}
+
+{{- define "k8s-agents-operator.rbac.instrumentationEditor.role.name" -}}
+{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "instrumentation-editor-role") -}}
+{{- end -}}
+
+{{- define "k8s-agents-operator.rbac.instrumentationViewer.role.name" -}}
+{{- include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "instrumentation-viewer-role") -}}
+{{- end -}}

charts/k8s-agents-operator/templates/_security_context.tpl

@@ -1,14 +1,3 @@
-{{- /*
-A helper to return the container security context to apply to kubeRbacProxy.
-*/ -}}
-{{- define "k8s-agents-operator.kubeRbacProxy.securityContext.container" -}}
-{{- if .Values.controllerManager.kubeRbacProxy.containerSecurityContext -}}
-    {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext -}}
-{{- else if include "newrelic.common.securityContext.container" . -}}
-    {{- include "newrelic.common.securityContext.container" . -}}
-{{- end -}}
-{{- end -}}
-
 {{- /*
 A helper to return the container security context to apply to the manager.
 */ -}}

charts/k8s-agents-operator/templates/deployment.yaml

@@ -42,12 +42,13 @@ spec:
           {{- . | nindent 10 }}
         {{- end }}
         args:
-        - --metrics-addr=127.0.0.1:8080
+        - --metrics-bind-address=:8443
         {{- if .Values.controllerManager.manager.leaderElection.enabled }}
-        - --enable-leader-election
+        - --leader-elect
         {{- end }}
-        - --zap-log-level=info
-        - --zap-time-encoding=rfc3339nano
+        - --health-probe-bind-address=:8081
+        command:
+        - /bin/operator
         env:
         - name: OPERATOR_NAMESPACE
           valueFrom:
@@ -81,26 +82,6 @@ spec:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
-      - name: kube-rbac-proxy
-        {{- with include "k8s-agents-operator.kubeRbacProxy.securityContext.container" . }}
-        securityContext:
-          {{- . | nindent 10 }}
-        {{- end }}
-        args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=0
-        env:
-        - name: KUBERNETES_CLUSTER_DOMAIN
-          value: {{ quote .Values.kubernetesClusterDomain }}
-        image: {{ include "k8s-agents-operator.kubeRbacProxy.image" . }}
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }}
       {{- if or .Values.admissionWebhooks.create (include "k8s-agents-operator.certificateSecret.name" . ) }}
       volumes:
       - name: cert