Merge branch 'karmada-io:master' into prevent-removal-managed-resourc…

…es-docs
karmada-io · Jul 8, 2024 · b9171d6 · b9171d6
2 parents 1a1150b + 26aae55
commit b9171d6
Show file tree

Hide file tree

Showing 152 changed files with 1,987 additions and 692 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -19,18 +19,18 @@ updates:
 
 - package-ecosystem: docker
   directory: /cluster/images/
-  target-branch: "release-1.9"
+  target-branch: "release-1.10"
   schedule:
     interval: weekly
 
 - package-ecosystem: docker
   directory: /cluster/images/
-  target-branch: "release-1.8"
+  target-branch: "release-1.9"
   schedule:
     interval: weekly
 
 - package-ecosystem: docker
   directory: /cluster/images/
-  target-branch: "release-1.7"
+  target-branch: "release-1.8"
   schedule:
     interval: weekly
diff --git a/.github/workflows/ci-image-scanning.yaml b/.github/workflows/ci-image-scanning.yaml
@@ -5,8 +5,12 @@ on:
     # for PRs initiated by Dependabot.
     branches-ignore:
       - 'dependabot/**'
+permissions:
+  contents: read
 jobs:
   use-trivy-to-scan-image:
+    permissions:
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     name: image-scanning
     if: ${{ github.repository == 'karmada-io/karmada' }}
     runs-on: ubuntu-22.04
@@ -34,15 +38,15 @@ jobs:
           export REGISTRY="docker.io/karmada"
           make image-${{ matrix.target }}
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.21.0
+        uses: aquasecurity/trivy-action@0.23.0
         with:
           image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
           format: 'sarif'
           ignore-unfixed: true
           vuln-type: 'os,library'
           output: 'trivy-results.sarif'
       - name: display scan results
-        uses: aquasecurity/trivy-action@0.21.0
+        uses: aquasecurity/trivy-action@0.23.0
         with:
           image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
           format: 'table'

diff --git a/.github/workflows/ci-schedule-compatibility.yaml b/.github/workflows/ci-schedule-compatibility.yaml
@@ -17,7 +17,9 @@ jobs:
       fail-fast: false
       matrix:
         kubeapiserver-version: [ v1.23.4, v1.24.2, v1.25.0, v1.26.0, v1.27.3, v1.28.0, v1.29.0, v1.30.0 ]
-        karmada-version: [ release-1.7, release-1.8, release-1.9 ]
+        karmada-version: [ master, release-1.10, release-1.9, release-1.8 ]
+    env:
+      KARMADA_APISERVER_VERSION: ${{ matrix.kubeapiserver-version }}
     steps:
       # Free up disk space on Ubuntu
       - name: Free Disk Space (Ubuntu)
@@ -50,21 +52,6 @@ jobs:
           timeout_minutes: 20
           command: |
             hack/local-up-karmada.sh
-      - name: change kube-apiserver and kube-controller-manager version
-        run: |
-          # Update images
-          kubectl --kubeconfig=${HOME}/.kube/karmada.config --context=karmada-host \
-            set image deployment/karmada-apiserver -nkarmada-system \
-            karmada-apiserver=registry.k8s.io/kube-apiserver:${{ matrix.kubeapiserver-version }}
-          kubectl --kubeconfig=${HOME}/.kube/karmada.config --context=karmada-host \
-            set image deployment/karmada-kube-controller-manager -nkarmada-system \
-            kube-controller-manager=registry.k8s.io/kube-controller-manager:${{ matrix.kubeapiserver-version }}
-
-          # Wait ready
-          kubectl --kubeconfig=${HOME}/.kube/karmada.config --context=karmada-host \
-            rollout status deployment/karmada-kube-controller-manager -nkarmada-system --timeout=5m
-          kubectl --kubeconfig=${HOME}/.kube/karmada.config --context=karmada-host \
-            rollout status deployment/karmada-apiserver -nkarmada-system --timeout=5m
       - name: run e2e
         run: |
           export ARTIFACTS_PATH=${{ github.workspace }}/karmada-e2e-logs/${{ matrix.kubeapiserver-version }}-${{ matrix.karmada-version }}/

diff --git a/.github/workflows/dockerhub-latest-chart.yml b/.github/workflows/dockerhub-latest-chart.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - master
+
+permissions: read-all      
+
 jobs:
   publish-chart-to-dockerhub:
     name: publish to DockerHub

diff --git a/.github/workflows/dockerhub-latest-image.yml b/.github/workflows/dockerhub-latest-image.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - master
+permissions:
+  contents: read
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub

diff --git a/.github/workflows/dockerhub-released-chart.yml b/.github/workflows/dockerhub-released-chart.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   publish-chart-to-dockerhub:
     name: publish to DockerHub

diff --git a/.github/workflows/dockerhub-released-image.yml b/.github/workflows/dockerhub-released-image.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub

diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -5,6 +5,10 @@ on:
     # for PRs initiated by Dependabot.
     branches-ignore:
       - 'dependabot/**'
+
+permissions:
+  contents: read # Required by actions/checkout@v4 to fetch the repository contents.
+
 jobs:
   fossa:
     name: FOSSA

diff --git a/.github/workflows/lint-chart.yaml b/.github/workflows/lint-chart.yaml
@@ -17,6 +17,9 @@ on:
     paths:
       - "charts/**"
 
+permissions:
+  contents: read
+
 jobs:
   chart-lint-test:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,8 +3,12 @@ on:
     types:
     - published
 name: Build Release
+permissions:
+  contents: read
 jobs:
   release-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: release kubectl-karmada
     runs-on: ubuntu-22.04
     strategy:
@@ -41,6 +45,8 @@ jobs:
           _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
           _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256
   release-crds-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: release crds
     runs-on: ubuntu-22.04
     steps:
@@ -61,6 +67,8 @@ jobs:
         files: |
           crds.tar.gz
   release-charts:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: Release charts
     runs-on: ubuntu-22.04
     steps:
@@ -78,6 +86,28 @@ jobs:
           _output/charts/karmada-chart-${{ github.ref_name }}.tgz.sha256
           _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz
           _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256
+  sbom-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
+    name: Release sbom
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: Generate sbom for karmada file system
+      uses: aquasecurity/trivy-action@0.23.0
+      with:
+        scan-type: 'fs'
+        format: 'spdx'
+        output: 'sbom-karmada.spdx'
+        scan-ref: "/github/workspace/"
+    - name: Tar the sbom files
+      run: |
+        tar -zcf sbom.tar.gz *.spdx
+    - name: Uploading sbom assets...
+      uses: softprops/action-gh-release@v2
+      with:
+        files: |
+          sbom.tar.gz
   update-krew-index:
     needs: release-assests
     name: Update krew-index

diff --git a/.github/workflows/swr-latest-image.yml b/.github/workflows/swr-latest-image.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - master
+permissions:
+  contents: read
 jobs:
   publish-image:
     name: publish images

diff --git a/.github/workflows/swr-released-image.yml b/.github/workflows/swr-released-image.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   release-image:
     name: release images

diff --git a/ADOPTERS.md b/ADOPTERS.md
@@ -2,6 +2,6 @@
 
 Karmada has been adopted by many [organizations](https://karmada.io/adopters/).
 
-If you are using Karmada in your organization, please feel free to add your name to the [list](https://karmada.io/docs/casestudies/adopters)! We are happy and proud to have you all as part of our community!💖
+If you are using Karmada in your organization, please feel free to add your name to the list! We are happy and proud to have you all as part of our community!💖
 
-To join this list, please follow [these instructions](https://karmada.io/adopters).
+To join this list, please leave a comment on the [issue](https://github.com/karmada-io/karmada/issues/4540), and then the community member will help you on board.
diff --git a/OWNERS b/OWNERS
@@ -4,6 +4,7 @@ reviewers:
 - jwcesign
 - Poor12
 - RainbowMango
+- whitewindmills
 - XiShanYongYe-Chang
 approvers:
 - chaunceyjiang

diff --git a/README.md b/README.md
@@ -7,9 +7,13 @@
 [![Releases](https://img.shields.io/github/v/release/karmada-io/karmada)](https://github.com/karmada-io/karmada/releases/latest)
 [![Slack](https://img.shields.io/badge/slack-join-brightgreen)](https://slack.cncf.io)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5301/badge)](https://bestpractices.coreinfrastructure.org/projects/5301)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/karmada-io/karmada/badge)](https://securityscorecards.dev/viewer/?uri=github.com/karmada-io/karmada)
 ![build](https://github.com/karmada-io/karmada/actions/workflows/ci.yml/badge.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/karmada-io/karmada)](https://goreportcard.com/report/github.com/karmada-io/karmada)
 [![codecov](https://codecov.io/gh/karmada-io/karmada/branch/master/graph/badge.svg?token=ROM8CMPXZ6)](https://codecov.io/gh/karmada-io/karmada)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B28176%2Fgit.luolix.top%2Fkarmada-io%2Fkarmada.svg?type=shield)](https://app.fossa.com/projects/custom%2B28176%2Fgit.luolix.top%2Fkarmada-io%2Fkarmada?ref=badge_shield)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/karmada)](https://artifacthub.io/packages/krew/krew-index/karmada)
+[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/karmada/badge)](https://clomonitor.io/projects/cncf/karmada)
 
 ## Karmada: Open, Multi-Cloud, Multi-Cluster Kubernetes Orchestration
 

diff --git a/artifacts/deploy/karmada-apiserver.yaml b/artifacts/deploy/karmada-apiserver.yaml
@@ -64,7 +64,7 @@ spec:
             - --tls-private-key-file=/etc/karmada/pki/apiserver.key
             - --tls-min-version=VersionTLS13
           name: karmada-apiserver
-          image: registry.k8s.io/kube-apiserver:v1.27.11
+          image: registry.k8s.io/kube-apiserver:{{karmada_apiserver_version}}
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 8

diff --git a/artifacts/deploy/karmada-descheduler.yaml b/artifacts/deploy/karmada-descheduler.yaml
@@ -27,6 +27,9 @@ spec:
             - /bin/karmada-descheduler
             - --kubeconfig=/etc/kubeconfig
             - --bind-address=0.0.0.0
+            - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt
+            - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt
+            - --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key
             - --v=4
           livenessProbe:
             httpGet:
@@ -38,10 +41,16 @@ spec:
             periodSeconds: 15
             timeoutSeconds: 5
           volumeMounts:
+            - name: karmada-certs
+              mountPath: /etc/karmada/pki
+              readOnly: true
             - name: kubeconfig
               subPath: kubeconfig
               mountPath: /etc/kubeconfig
       volumes:
+        - name: karmada-certs
+          secret:
+            secretName: karmada-cert-secret
         - name: kubeconfig
           secret:
             secretName: kubeconfig
diff --git a/artifacts/deploy/karmada-scheduler-estimator.yaml b/artifacts/deploy/karmada-scheduler-estimator.yaml
@@ -27,6 +27,9 @@ spec:
             - /bin/karmada-scheduler-estimator
             - --kubeconfig=/etc/{{member_cluster_name}}-kubeconfig
             - --cluster-name={{member_cluster_name}}
+            - --grpc-auth-cert-file=/etc/karmada/pki/karmada.crt
+            - --grpc-auth-key-file=/etc/karmada/pki/karmada.key
+            - --grpc-client-ca-file=/etc/karmada/pki/ca.crt
           livenessProbe:
             httpGet:
               path: /healthz
@@ -37,10 +40,16 @@ spec:
             periodSeconds: 15
             timeoutSeconds: 5
           volumeMounts:
+            - name: karmada-certs
+              mountPath: /etc/karmada/pki
+              readOnly: true
             - name: member-kubeconfig
               subPath: {{member_cluster_name}}-kubeconfig
               mountPath: /etc/{{member_cluster_name}}-kubeconfig
       volumes:
+        - name: karmada-certs
+          secret:
+            secretName: karmada-cert-secret
         - name: member-kubeconfig
           secret:
             secretName: {{member_cluster_name}}-kubeconfig

diff --git a/artifacts/deploy/karmada-scheduler.yaml b/artifacts/deploy/karmada-scheduler.yaml
@@ -38,12 +38,21 @@ spec:
             - --bind-address=0.0.0.0
             - --secure-port=10351
             - --enable-scheduler-estimator=true
+            - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt
+            - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt
+            - --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key
             - --v=4
           volumeMounts:
+            - name: karmada-certs
+              mountPath: /etc/karmada/pki
+              readOnly: true
             - name: kubeconfig
               subPath: kubeconfig
               mountPath: /etc/kubeconfig
       volumes:
+        - name: karmada-certs
+          secret:
+            secretName: karmada-cert-secret
         - name: kubeconfig
           secret:
             secretName: kubeconfig
diff --git a/artifacts/deploy/kube-controller-manager.yaml b/artifacts/deploy/kube-controller-manager.yaml
@@ -52,7 +52,7 @@ spec:
             - --service-cluster-ip-range=10.96.0.0/12
             - --use-service-account-credentials=true
             - --v=4
-          image: registry.k8s.io/kube-controller-manager:v1.27.11
+          image: registry.k8s.io/kube-controller-manager:{{karmada_apiserver_version}}
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 8

diff --git a/artifacts/kindClusterConfig/member3.yaml b/artifacts/kindClusterConfig/member3.yaml
@@ -0,0 +1,7 @@
+kind: Cluster
+apiVersion: "kind.x-k8s.io/v1alpha4"
+networking:
+  podSubnet: "10.14.0.0/16"
+  serviceSubnet: "10.15.0.0/16"
+nodes:
+  - role: control-plane
diff --git a/charts/karmada-operator/crds/operator.karmada.io_karmadas.yaml b/charts/karmada-operator/crds/operator.karmada.io_karmadas.yaml
@@ -18,10 +18,10 @@ spec:
   versions:
   - additionalPrinterColumns:
     - jsonPath: .status.conditions[?(@.type=="Ready")].status
-      name: Ready
+      name: READY
       type: string
     - jsonPath: .metadata.creationTimestamp
-      name: Age
+      name: AGE
       type: date
     name: v1alpha1
     schema: