PR review

Author: afritzler

.golangci.yml

@@ -5,23 +5,39 @@ run:
 linters:
   default: none
   enable:
+    - bodyclose
+    - containedctx
     - copyloopvar
-    - dupl
+    - dupword
+    - durationcheck
     - errcheck
+    - errname
+    - errorlint
+    - exptostd
+    - forbidigo
     - ginkgolinter
+    - gocheckcompilerdirectives
     - goconst
-    - gocyclo
+    - gocritic
+    - gosec
     - govet
     - ineffassign
-    - lll
+    - intrange
     - misspell
-    - nakedret
-    - prealloc
-    - revive
+    - nilerr
+    - nolintlint
+    - nosprintfhostport
+    - perfsprint
+    - predeclared
+    - rowserrcheck
+    - sqlclosecheck
     - staticcheck
     - unconvert
     - unparam
     - unused
+    - usestdlibvars
+    - usetesting
+    - whitespace
   settings:
     revive:
       rules:
@@ -30,6 +46,12 @@ linters:
   exclusions:
     generated: lax
     rules:
+      - linters:
+          - perfsprint
+          - nolintlint
+          - gosec
+          - forbidigo
+        path: test/
       - linters:
           - lll
         path: api/*
@@ -45,6 +67,8 @@ linters:
         path: test
       - linters:
           - lll
+          - gosec
+          - forbidigo
         path: hack/provider
       - linters:
           - gocyclo
@@ -55,6 +79,12 @@ linters:
         path: internal/provider/cisco/nxos
       - linters:
           - lll
+          - perfsprint
+          - gosec
+          - gocritic
+          - whitespace
+          - errorlint
+          - dupword
         path: internal/provider/openconfig
       - linters:
           - staticcheck
@@ -64,6 +94,10 @@ linters:
           - gofmt
           - gocyclo
           - dupl
+          - gocritic
+          - whitespace
+          - perfsprint
+          - errorlint
         path: internal/provider/cisco/nxos/genyang
       - linters:
           - staticcheck
@@ -81,6 +115,11 @@ formatters:
   enable:
     - gofmt
     - goimports
+  settings:
+    goimports:
+      # Put local imports after 3rd-party packages
+      local-prefixes:
+        - github.com/ironcore-dev/network-operator
   exclusions:
     generated: lax
     paths:

Makefile

@@ -1,5 +1,6 @@
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
+TEST_SERVER_IMG ?= gnmi-test-server:latest
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -135,6 +136,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
 .PHONY: helm
 helm: manifests kubebuilder
 	$(KUBEBUILDER) edit --plugins=helm/v1-alpha
+	@rm -rf charts/network-operator && mv dist/chart charts/network-operator && rm -rf dist
 
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.
@@ -170,6 +172,13 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default > dist/install.yaml
 
+.PHONY: build-test-gnmi-server
+build-test-gnmi-server: ## Build docker image with the gnmi test server.
+	$(CONTAINER_TOOL) build -t ${TEST_SERVER_IMG} ./test/gnmi/
+
+run-test-gnmi-server: build-test-gnmi-server
+	@$(CONTAINER_TOOL) run --rm -p 8000:8000 -p 9339:9339 $(TEST_SERVER_IMG)
+
 ##@ Deployment
 
 ifndef ignore-not-found

charts/network-operator/Chart.lock

@@ -5,8 +5,3 @@ type: application
 version: 0.1.0
 appVersion: "0.1.0"
 icon: "https://example.com/icon.png"
-dependencies:
-  # See: https://github.com/sapcc/helm-charts/pkgs/container/helm-charts%2Fowner-info
-  - name: owner-info
-    repository: oci://ghcr.io/sapcc/helm-charts
-    version: 1.0.0

charts/network-operator/Chart.yaml

@@ -21,15 +21,18 @@ spec:
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
-    - jsonPath: .spec.endpoint
+    - jsonPath: .spec.endpoint.address
       name: Endpoint
       type: string
-    - jsonPath: .metadata.creationTimestamp
-      name: Age
-      type: date
     - jsonPath: .status.phase
       name: Phase
       type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
     name: v1alpha1
     schema:
       openAPIV3Schema:
@@ -278,10 +281,86 @@ spec:
                 - domain
                 type: object
               endpoint:
-                description: Endpoint is the management address of the device provided
-                  as <ip:port>.
-                pattern: ^(\d{1,3}\.){3}\d{1,3}:\d{1,5}$
-                type: string
+                description: Endpoint contains the connection information for the
+                  device.
+                properties:
+                  address:
+                    description: Address is the management address of the device provided
+                      as <ip:port>.
+                    pattern: ^(\d{1,3}\.){3}\d{1,3}:\d{1,5}$
+                    type: string
+                  secretRef:
+                    description: |-
+                      SecretRef is name of the authentication secret for the device containing the username and password.
+                      The secret must be of type kubernetes.io/basic-auth and as such contain the following keys: 'username' and 'password'.
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  tls:
+                    description: Transport credentials for grpc connection to the
+                      switch.
+                    properties:
+                      ca:
+                        description: The CA certificate to verify the server's identity.
+                        properties:
+                          key:
+                            description: The key of the secret to select from.  Must
+                              be a valid secret key.
+                            type: string
+                          name:
+                            default: ""
+                            description: |-
+                              Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                          optional:
+                            description: Specify whether the Secret or its key must
+                              be defined
+                            type: boolean
+                        required:
+                        - key
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      certificate:
+                        description: |-
+                          The client certificate and private key to use for mutual TLS authentication.
+                          Leave empty if mTLS is not desired.
+                        properties:
+                          secretRef:
+                            description: |-
+                              Secret containing the certificate.
+                              The secret must be of type kubernetes.io/tls and as such contain the following keys: 'tls.crt' and 'tls.key'.
+                            properties:
+                              name:
+                                description: name is unique within a namespace to
+                                  reference a secret resource.
+                                type: string
+                              namespace:
+                                description: namespace defines the space within which
+                                  the secret name must be unique.
+                                type: string
+                            type: object
+                            x-kubernetes-map-type: atomic
+                        required:
+                        - secretRef
+                        type: object
+                    required:
+                    - ca
+                    type: object
+                required:
+                - address
+                type: object
               grpc:
                 description: |-
                   Configuration for the gRPC server on the device.
@@ -484,21 +563,6 @@ spec:
                 required:
                 - certificates
                 type: object
-              secretRef:
-                description: |-
-                  SecretRef is name of the authentication secret for the device containing the username and password.
-                  The secret must be of type kubernetes.io/basic-auth and as such contain the following keys: 'username' and 'password'.
-                properties:
-                  name:
-                    description: name is unique within a namespace to reference a
-                      secret resource.
-                    type: string
-                  namespace:
-                    description: namespace defines the space within which the secret
-                      name must be unique.
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               snmp:
                 description: SNMP global configuration.
                 properties:
@@ -577,59 +641,6 @@ spec:
                 - location
                 - srcIf
                 type: object
-              tls:
-                description: Transport credentials for grpc connection to the switch.
-                properties:
-                  ca:
-                    description: The CA certificate to verify the server's identity.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
-                        type: string
-                      name:
-                        default: ""
-                        description: |-
-                          Name of the referent.
-                          This field is effectively required, but due to backwards compatibility is
-                          allowed to be empty. Instances of this type with an empty value here are
-                          almost certainly wrong.
-                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        type: string
-                      optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
-                        type: boolean
-                    required:
-                    - key
-                    type: object
-                    x-kubernetes-map-type: atomic
-                  certificate:
-                    description: |-
-                      The client certificate and private key to use for mutual TLS authentication.
-                      Leave empty if mTLS is not desired.
-                    properties:
-                      secretRef:
-                        description: |-
-                          Secret containing the certificate.
-                          The secret must be of type kubernetes.io/tls and as such contain the following keys: 'tls.crt' and 'tls.key'.
-                        properties:
-                          name:
-                            description: name is unique within a namespace to reference
-                              a secret resource.
-                            type: string
-                          namespace:
-                            description: namespace defines the space within which
-                              the secret name must be unique.
-                            type: string
-                        type: object
-                        x-kubernetes-map-type: atomic
-                    required:
-                    - secretRef
-                    type: object
-                required:
-                - ca
-                type: object
               users:
                 description: List of local users on the switch.
                 items:
@@ -677,7 +688,6 @@ spec:
                   type: object
                 type: array
             required:
-            - bootstrap
             - endpoint
             type: object
           status:

charts/network-operator/templates/crd/networking.cloud.sap_devices.yaml

@@ -35,6 +35,9 @@ spec:
     - jsonPath: .spec.mtu
       name: MTU
       type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date

charts/network-operator/templates/crd/networking.cloud.sap_interfaces.yaml

@@ -19,9 +19,9 @@ spec:
   ingress:
     # This allows ingress traffic from any namespace with the label metrics: enabled
     - from:
-      - namespaceSelector:
-          matchLabels:
-            metrics: enabled  # Only from namespaces with this label
+        - namespaceSelector:
+            matchLabels:
+              metrics: enabled  # Only from namespaces with this label
       ports:
         - port: 8443
           protocol: TCP

charts/network-operator/templates/network-policy/allow-metrics-traffic.yaml

@@ -11,7 +11,6 @@ rules:
   - ""
   resources:
   - configmaps
-  - secrets
   verbs:
   - get
   - list
@@ -23,6 +22,15 @@ rules:
   verbs:
   - create
   - patch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - networking.cloud.sap
   resources: