Merge branch 'main' into feat/service-catalog-registration-design

Author: JoseSzycho

.github/workflows/lint.yml

@@ -15,9 +15,9 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.24'
+          go-version: '~1.26'
 
       - name: Run linter
         uses: golangci/golangci-lint-action@v7
         with:
-          version: v2.1.6
+          version: v2.12.2

.github/workflows/publish.yaml

@@ -16,21 +16,26 @@ jobs:
       contents: read
       packages: write
       attestations: write
-    uses: datum-cloud/actions/.github/workflows/publish-docker.yaml@v1.14.0
+    uses: datum-cloud/actions/.github/workflows/publish-docker.yaml@v1.15.0
     with:
       image-name: network-services-operator
       platforms: linux/amd64,linux/arm64
     secrets: inherit
 
   publish-kustomize-bundles:
+    # The bundle pins image references to this build, so only publish it once
+    # the container image has been built and pushed.
+    needs: publish-container-image
     permissions:
       id-token: write
       contents: read
       packages: write
-    uses: datum-cloud/actions/.github/workflows/publish-kustomize-bundle.yaml@v1.14.0
+    uses: datum-cloud/actions/.github/workflows/publish-kustomize-bundle.yaml@v1.15.0
     with:
       bundle-name: ghcr.io/datum-cloud/network-services-operator-kustomize
       bundle-path: config
       image-name: ghcr.io/datum-cloud/network-services-operator
-      image-overlays: config/manager
+      # Both overlays run the same image (single binary, subcommand selects role),
+      # so pin both to the release tag in the published bundle.
+      image-overlays: config/manager,config/extension-server
     secrets: inherit

.github/workflows/test-e2e.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.24'
+          go-version: '~1.26'
 
       - name: Verify kind installation
         run: kind version

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.24'
+          go-version: '~1.26'
 
       - name: Running Tests
         run: |

.github/workflows/validate-kustomize.yaml

@@ -5,4 +5,4 @@ on:
 
 jobs:
   validate-kustomize:
-    uses: datum-cloud/actions/.github/workflows/validate-kustomize.yaml@v1.6.1
+    uses: datum-cloud/actions/.github/workflows/validate-kustomize.yaml@v1.16.0

.golangci.yml

@@ -37,6 +37,17 @@ linters:
           - dupl
           - lll
         path: internal/*
+      # Repeated string literals in tests are usually fixture/table data;
+      # extracting them to constants hurts readability more than it helps.
+      - linters:
+          - goconst
+        path: _test\.go
+      # The validation packages are built almost entirely from field.ErrorList
+      # accumulators that hold a handful of errors; preallocating them adds noise
+      # without meaningful benefit.
+      - linters:
+          - prealloc
+        path: internal/validation
     paths:
       - third_party$
       - builtin$

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.24 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG VERSION=dev
@@ -31,13 +31,18 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build \
       -X main.gitCommit=${GIT_COMMIT} \
       -X main.gitTreeState=${GIT_TREE_STATE} \
       -X main.buildDate=${BUILD_DATE}" \
-    -o manager cmd/main.go
+    -o network-services cmd/main.go
 
-# Use distroless as minimal base image to package the manager binary
+# Use distroless as minimal base image to package the manager binary.
+# static-debian12:nonroot is explicit about the Debian variant to avoid silent
+# drift if the :nonroot alias resolves to a different Debian release in future.
+# For reproducible builds, pin to a SHA digest via:
+#   FROM gcr.io/distroless/static-debian12:nonroot@sha256:<digest>
+# and update via Dependabot or `cosign verify`.
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --from=builder /workspace/network-services .
 USER 65532:65532
 
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/network-services"]

Makefile

@@ -109,11 +109,11 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 
 .PHONY: build
 build: manifests generate fmt vet ## Build manager binary.
-	go build -o bin/manager cmd/main.go
+	go build -o bin/network-services cmd/main.go
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
-	go run ./cmd/main.go -health-probe-bind-address 0 --server-config ./config/dev/config.yaml
+	go run ./cmd/main.go manager --health-probe-bind-address=0 --server-config=./config/dev/config.yaml
 
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.
@@ -153,7 +153,13 @@ set-image-controller: manifests kustomize
 	cd config/manager && $(KUSTOMIZE) edit set image ghcr.io/datum-cloud/network-services-operator=${IMG}
 
 .PHONY: prepare-infra-cluster
-prepare-infra-cluster: cert-manager envoy-gateway external-dns
+prepare-infra-cluster: cert-manager envoy-gateway external-dns downstream-crds
+
+.PHONY: downstream-crds
+downstream-crds: ## Install NSO CRDs on the downstream (infra) cluster that the replicator mirrors into it.
+	$(KUBECTL) apply -f config/crd/bases/networking.datumapis.com_connectors.yaml
+	$(KUBECTL) apply -f config/crd/bases/networking.datumapis.com_httpproxies.yaml
+	$(KUBECTL) apply -f config/crd/bases/networking.datumapis.com_trafficprotectionpolicies.yaml
 
 .PHONY: prepare-e2e
 prepare-e2e: chainsaw set-image-controller cert-manager load-image-all deploy-e2e
@@ -241,7 +247,7 @@ KUSTOMIZE_VERSION ?= v5.5.0
 CONTROLLER_TOOLS_VERSION ?= v0.16.4
 DEFAULTER_GEN_VERSION ?= v0.32.3
 ENVTEST_VERSION ?= release-0.19
-GOLANGCI_LINT_VERSION ?= v2.1.6
+GOLANGCI_LINT_VERSION ?= v2.12.2
 
 # renovate: datasource=go depName=github.com/cert-manager/cert-manager
 CERTMANAGER_VERSION ?= 1.17.1
@@ -253,7 +259,7 @@ CRDOC_VERSION ?= v0.6.4
 KIND_VERSION ?= v0.27.0
 
 # renovate: datasource=go depName=github.com/kyverno/chainsaw
-CHAINSAW_VERSION ?= v0.2.13
+CHAINSAW_VERSION ?= v0.2.15
 
 # renovate: datasource=go depName=github.com/cert-manager/cmctl/v2
 CMCTL_VERSION ?= v2.1.1

Taskfile.dev.yaml

@@ -0,0 +1,103 @@
+version: '3'
+
+vars:
+  TMP_DIR:
+    sh: echo "${TMPDIR:-/tmp}"
+
+tasks:
+  bootstrap:
+    desc: "Bootstrap the multi-cluster dev environment (nso-standard and nso-infra) for local testing"
+    cmds:
+      - echo "🚀 Bootstrapping dev environment..."
+      - task: create-clusters
+      - task: prep-upstream
+      - task: prep-downstream
+      - task: link-clusters
+      - echo "🎉 Dev environment bootstrapped successfully! Context is now kind-nso-standard."
+
+  create-clusters:
+    desc: "Create Kind upstream (standard) and downstream (infra) clusters"
+    cmds:
+      - echo "🧹 Cleaning up any existing clusters..."
+      - kind delete cluster --name nso-standard || true
+      - kind delete cluster --name nso-infra || true
+      - echo "🏗️ Creating upstream (nso-standard) cluster..."
+      - make kind-standard-cluster
+      - echo "🏗️ Creating downstream (nso-infra) cluster..."
+      - make kind-infra-cluster
+
+  prep-upstream:
+    desc: "Prepare the upstream cluster with Operator and cert-manager"
+    cmds:
+      - echo "🔧 Preparing upstream (nso-standard)..."
+      - kubectl config use-context kind-nso-standard
+      - make prepare-e2e
+
+  prep-downstream:
+    desc: "Prepare the downstream cluster with cert-manager, envoy-gateway, and external-dns"
+    cmds:
+      - echo "🔧 Preparing downstream (nso-infra)..."
+      - kubectl config use-context kind-nso-infra
+      - make prepare-infra-cluster
+
+  link-clusters:
+    desc: "Link upstream and downstream clusters using kubeconfig secret"
+    cmds:
+      - echo "🔗 Linking clusters..."
+      - kind get kubeconfig --name nso-infra --internal > {{.TMP_DIR}}/.kind-nso-infra-internal.yaml
+      - kubectl config use-context kind-nso-standard
+      - |
+        kubectl create namespace network-services-operator-system --dry-run=client -o yaml | kubectl apply -f -
+        kubectl create secret -n network-services-operator-system \
+          generic downstream-cluster-kubeconfig \
+          --save-config \
+          --dry-run=client -o yaml \
+          --from-file=kubeconfig={{.TMP_DIR}}/.kind-nso-infra-internal.yaml | kubectl apply -f -
+      - echo "⏳ Waiting for operator controller manager deployment to be ready..."
+      - |
+        kubectl -n network-services-operator-system \
+          wait deploy network-services-operator-controller-manager \
+          --for=condition=Available \
+          --timeout=180s
+
+  redeploy-operator:
+    desc: "Rebuild the operator image, load it into nso-standard, and roll out the deployed controller"
+    cmds:
+      - echo "🔨 Building operator image and loading it into nso-standard..."
+      # docker-build + kind load docker-image $(IMG) -n nso-standard
+      - make load-image-operator
+      - echo "♻️  Restarting the controller-manager to pick up the new image..."
+      - kubectl config use-context kind-nso-standard
+      - |
+        kubectl -n network-services-operator-system \
+          rollout restart deploy network-services-operator-controller-manager
+      - echo "⏳ Waiting for the new controller-manager rollout to complete..."
+      - |
+        kubectl -n network-services-operator-system \
+          rollout status deploy network-services-operator-controller-manager \
+          --timeout=180s
+      - echo "✅ Operator redeployed with the freshly built image."
+
+  destroy:
+    desc: "Tear down the multi-cluster dev environment"
+    cmds:
+      - echo "💥 Destroying clusters..."
+      - kind delete cluster --name nso-standard || true
+      - kind delete cluster --name nso-infra || true
+      - rm -f {{.TMP_DIR}}/.kind-nso-infra-internal.yaml
+      - echo "✨ Cleanup finished."
+
+  test:
+    desc: "Run E2E tests using chainsaw on the local multi-cluster setup"
+    cmds:
+      - echo "🧪 Running E2E tests..."
+      - |
+        if [ -n "{{.CLI_ARGS}}" ]; then
+          if [[ "{{.CLI_ARGS}}" == test/e2e/* || "{{.CLI_ARGS}}" == ./test/e2e/* ]]; then
+            make test-e2e TEST_DIR="{{.CLI_ARGS}}"
+          else
+            make test-e2e TEST_DIR="./test/e2e/{{.CLI_ARGS}}"
+          fi
+        else
+          make test-e2e
+        fi

Taskfile.yaml

@@ -1,5 +1,9 @@
 version: '3'
 
+includes:
+  dev:
+    taskfile: ./Taskfile.dev.yaml
+
 tasks:
   validate-kustomizations:
       desc: Validate all kustomization.yaml files using kustomize build