Kustomize controller v1 6 0

.github/workflows/release.yml

@@ -50,20 +50,20 @@ jobs:
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
-          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
-      - name: Login to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: fluxcdbot
-          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      #- name: Login to Docker Hub
+      #  uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      #  with:
+      #    username: fluxcdbot
+      #    password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
       - name: Generate images meta
         id: meta
         uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
+          #fluxcd/${{ env.CONTROLLER }}
           images: |
-            fluxcd/${{ env.CONTROLLER }}
-            ghcr.io/fluxcd/${{ env.CONTROLLER }}
+            ghcr.io/sparebank1utvikling/kustomize-controller
           tags: |
             type=raw,value=${{ steps.prep.outputs.VERSION }}
       - name: Publish images
@@ -79,82 +79,82 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
-      - name: Sign images
-        env:
-          COSIGN_EXPERIMENTAL: 1
-        run: |
-          cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
-          cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
-      - name: Generate release artifacts
-        if: startsWith(github.ref, 'refs/tags/v')
-        run: |
-          mkdir -p config/release
-          kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
-          kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
-      - uses: anchore/sbom-action/download-syft@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
-      - name: Create release and SBOM
-        id: run-goreleaser
-        if: startsWith(github.ref, 'refs/tags/v')
-        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
-        with:
-          version: latest
-          args: release --clean --skip=validate
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate SLSA metadata
-        id: slsa
-        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
-        run: |
-          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
-          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-
-          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
-          echo "image_url=$image_url" >> $GITHUB_OUTPUT
-
-          image_digest=${{ steps.build-push.outputs.digest }}
-          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
-
-  release-provenance:
-    needs: [release]
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      contents: write # for uploading attestations to GitHub releases.
-    if: startsWith(github.ref, 'refs/tags/v')
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      provenance-name: "provenance.intoto.jsonl"
-      base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: true
+#      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+#      - name: Sign images
+#        env:
+#          COSIGN_EXPERIMENTAL: 1
+#        run: |
+#          cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
+#          cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
+#      - name: Generate release artifacts
+#        if: startsWith(github.ref, 'refs/tags/v')
+#        run: |
+#          mkdir -p config/release
+#          kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
+#          kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
+#      - uses: anchore/sbom-action/download-syft@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
+#      - name: Create release and SBOM
+#        id: run-goreleaser
+#        if: startsWith(github.ref, 'refs/tags/v')
+#        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+#        with:
+#          version: latest
+#          args: release --clean --skip=validate
+#        env:
+#          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+#      - name: Generate SLSA metadata
+#        id: slsa
+#        env:
+#          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+#        run: |
+#          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+#          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+#          
+#          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
+#          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+#          
+#          image_digest=${{ steps.build-push.outputs.digest }}
+#          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
 
-  dockerhub-provenance:
-    needs: [release]
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      packages: write # for uploading attestations.
-    if: startsWith(github.ref, 'refs/tags/v')
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      image: ${{ needs.release.outputs.image_url }}
-      digest: ${{ needs.release.outputs.image_digest }}
-      registry-username: fluxcdbot
-    secrets:
-      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-
-  ghcr-provenance:
-    needs: [release]
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      packages: write # for uploading attestations.
-    if: startsWith(github.ref, 'refs/tags/v')
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      image: ghcr.io/${{ needs.release.outputs.image_url }}
-      digest: ${{ needs.release.outputs.image_digest }}
-      registry-username: fluxcdbot
-    secrets:
-      registry-password: ${{ secrets.GHCR_TOKEN }}
+#  release-provenance:
+#    needs: [release]
+#    permissions:
+#      actions: read # for detecting the Github Actions environment.
+#      id-token: write # for creating OIDC tokens for signing.
+#      contents: write # for uploading attestations to GitHub releases.
+#    if: startsWith(github.ref, 'refs/tags/v')
+#    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+#    with:
+#      provenance-name: "provenance.intoto.jsonl"
+#      base64-subjects: "${{ needs.release.outputs.hashes }}"
+#      upload-assets: true
+#
+#  dockerhub-provenance:
+#    needs: [release]
+#    permissions:
+#      actions: read # for detecting the Github Actions environment.
+#      id-token: write # for creating OIDC tokens for signing.
+#      packages: write # for uploading attestations.
+#    if: startsWith(github.ref, 'refs/tags/v')
+#    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+#    with:
+#      image: ${{ needs.release.outputs.image_url }}
+#      digest: ${{ needs.release.outputs.image_digest }}
+#      registry-username: fluxcdbot
+#    secrets:
+#      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+#
+#  ghcr-provenance:
+#    needs: [release]
+#    permissions:
+#      actions: read # for detecting the Github Actions environment.
+#      id-token: write # for creating OIDC tokens for signing.
+#      packages: write # for uploading attestations.
+#    if: startsWith(github.ref, 'refs/tags/v')
+#    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+#    with:
+#      image: ghcr.io/${{ needs.release.outputs.image_url }}
+#      digest: ${{ needs.release.outputs.image_digest }}
+#      registry-username: fluxcdbot
+#    secrets:
+#      registry-password: ${{ secrets.GHCR_TOKEN }}

go.mod

@@ -52,8 +52,8 @@ require (
 
 // Pin kustomize to v5.6.0
 replace (
-	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.19.0
-	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.19.0
+	sigs.k8s.io/kustomize/api => github.com/chlunde/kustomize/api v0.0.0-20241007194522-e5d19a7c5738
+	sigs.k8s.io/kustomize/kyaml => github.com/chlunde/kustomize/kyaml v0.0.0-20241007194522-e5d19a7c5738
 )
 
 // Fix CVE-2022-28948

go.sum

@@ -125,6 +125,10 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80=
 github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
+github.com/chlunde/kustomize/api v0.0.0-20241007194522-e5d19a7c5738 h1:AHgurqfxwShMc4a11AO8W1P58siO97uX41sAtTpiDTA=
+github.com/chlunde/kustomize/api v0.0.0-20241007194522-e5d19a7c5738/go.mod h1:sj3GaWvzpy53fJBCB56rtUkWJcjCwdNCWp7A0E7fCB8=
+github.com/chlunde/kustomize/kyaml v0.0.0-20241007194522-e5d19a7c5738 h1:l1PDRxwrBIQgg4/7E4dQzai22IYsXq4gbFKNPyM/TiM=
+github.com/chlunde/kustomize/kyaml v0.0.0-20241007194522-e5d19a7c5738/go.mod h1:C3L2BFVU1jgcddNBE1TxuVLgS46TjObMwW5FT9FcjYo=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
 github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f h1:C5bqEmzEPLsHm9Mv73lSE9e9bKV23aB1vxOsmZrkl3k=
@@ -595,10 +599,6 @@ sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytI
 sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
-sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ=
-sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o=
-sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA=
-sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY=
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=

internal/controller/kustomization_controller.go

@@ -444,12 +444,14 @@ func (r *KustomizationReconciler) reconcile(
 		return err
 	}
 
+	t := time.Now()
 	// Build the Kustomize overlay and decrypt secrets if needed.
 	resources, err := r.build(ctx, obj, unstructured.Unstructured{Object: k}, tmpDir, dirPath)
 	if err != nil {
 		conditions.MarkFalse(obj, meta.ReadyCondition, meta.BuildFailedReason, "%s", err)
 		return err
 	}
+	log.Info("build", "duration", time.Since(t).Seconds())
 
 	// Convert the build result into Kubernetes unstructured objects.
 	objects, err := ssautil.ReadObjects(bytes.NewReader(resources))
@@ -829,7 +831,9 @@ func (r *KustomizationReconciler) apply(ctx context.Context,
 
 	// validate, apply and wait for CRDs and Namespaces to register
 	if len(defStage) > 0 {
+		t := time.Now()
 		changeSet, err := manager.ApplyAll(ctx, defStage, applyOpts)
+		log.Info("ApplyAll defStage", "duration", time.Since(t).Seconds())
 		if err != nil {
 			return false, nil, err
 		}
@@ -859,7 +863,10 @@ func (r *KustomizationReconciler) apply(ctx context.Context,
 
 	// validate, apply and wait for Class type objects to register
 	if len(classStage) > 0 {
+		t := time.Now()
 		changeSet, err := manager.ApplyAll(ctx, classStage, applyOpts)
+		log.Info("ApplyAll classStage", "duration", time.Since(t).Seconds())
+
 		if err != nil {
 			return false, nil, err
 		}
@@ -890,7 +897,10 @@ func (r *KustomizationReconciler) apply(ctx context.Context,
 	// sort by kind, validate and apply all the others objects
 	sort.Sort(ssa.SortableUnstructureds(resStage))
 	if len(resStage) > 0 {
+		t := time.Now()
 		changeSet, err := manager.ApplyAll(ctx, resStage, applyOpts)
+		log.Info("ApplyAll resStage", "duration", time.Since(t).Seconds())
+
 		if err != nil {
 			return false, nil, fmt.Errorf("%w\n%s", err, changeSetLog.String())
 		}