Update to latest version of tinygo and KW's Go SDK

Latest version of TinyGo has all the fixes we need. We can now move away from our "hack". As part of the transition, we also have to update to latest stable release of KW's Go SDK. This version provides a different way to mock the waPC client, hence some changes had to be done to our codebase. Signed-off-by: Flavio Castelli <[email protected]>
kubewarden · Jun 24, 2024 · 03ef928 · 03ef928
1 parent 480fa9a
commit 03ef928
Show file tree

Hide file tree

Showing 80 changed files with 25,118 additions and 474 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,12 +5,12 @@ on:
     tags:
       - "v*"
 
-name: Release policy - test
+name: Release policy
 
 jobs:
   test:
     name: run tests and linters
-    uses: ./.github/workflows/reusable-test-policy-go.yml
+    uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-go.yml@v3.2.0
 
   release:
     needs: test
@@ -22,72 +22,6 @@ jobs:
       # Required by cosign keyless signing
       id-token: write
 
-    # TODO: go back to using the reusable workflow once we don't need the special tinygo build
-    #uses: kubewarden/github-actions/.github/workflows/[email protected]
-    #with:
-    #  oci-target: ghcr.io/${{ github.repository_owner }}/policies/rancher-project-quotas-namespace-validator
-
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install dependencies
-        uses: kubewarden/github-actions/[email protected]
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          # until https://github.com/actions/checkout/pull/579 is released
-          fetch-depth: 0
-      - name: Install patched tinygo
-        shell: bash
-        run: |
-          wget https://github.com/tinygo-org/tinygo/releases/download/v0.28.1/tinygo_0.28.1_amd64.deb
-          sudo dpkg -i tinygo_0.28.1_amd64.deb
-          wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-16/libclang_rt.builtins-wasm32-wasi-16.0.tar.gz
-          tar xvf libclang_rt.builtins-wasm32-wasi-16.0.tar.gz
-          sudo cp lib/wasi/libclang_rt.builtins-wasm32.a /usr/local/lib/tinygo/lib/wasi-libc/sysroot/lib/wasm32-wasi/
-          sudo cp wasi-gh-action.json /usr/local/lib/tinygo/targets/wasi.json
-      - id: calculate-version
-        if: ${{ inputs.artifacthub }}
-        # obtain latest tag. Here it must be the current release tag
-        run: echo "version=$(git describe --tags --abbrev=0 | cut -c2-)" >> $GITHUB_OUTPUT
-        shell: bash
-      - name: Check that artifacthub-pkg.yml is up-to-date
-        if: ${{ inputs.artifacthub }}
-        uses: kubewarden/github-actions/[email protected]
-        with:
-          version: ${{ steps.calculate-version.outputs.version }}
-      - name: Build policy
-        run: |
-          tinygo build -o policy.wasm -target=wasi -no-debug .
-      - name: Generate the SBOM files
-        shell: bash
-        run: |
-          spdx-sbom-generator -f json
-
-          # SBOM files should have "sbom" in the name due the CLO monitor
-          # https://clomonitor.io/docs/topics/checks/#software-bill-of-materials-sbom
-          mv bom-go-mod.json policy-sbom.spdx.json
-      - name: Annotate Wasm module
-        shell: bash
-        run: |
-          make annotated-policy.wasm
-      - name: Sign BOM file
-        shell: bash
-        run: |
-          cosign sign-blob --yes --output-certificate policy-sbom.spdx.cert \
-            --output-signature policy-sbom.spdx.sig \
-            policy-sbom.spdx.json
-      - name: Upload policy SBOM files
-        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
-        with:
-          name: policy-sbom
-          path: |
-            policy-sbom.spdx.json
-            policy-sbom.spdx.cert
-            policy-sbom.spdx.sig
-      - name: Run e2e tests
-        run: |
-          make e2e-tests
-      - name: Release
-        uses: kubewarden/github-actions/[email protected]
-        with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          oci-target: ghcr.io/${{ github.repository_owner }}/policies/rancher-project-quotas-namespace-validator
+    uses: kubewarden/github-actions/.github/workflows/[email protected]
+    with:
+      oci-target: ghcr.io/${{ github.repository_owner }}/policies/rancher-project-quotas-namespace-validator
diff --git a/.github/workflows/reusable-test-policy-go.yml b/.github/workflows/reusable-test-policy-go.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -3,4 +3,4 @@ name: Continuous integration
 jobs:
   test:
     name: run tests and linters
-    uses: ./.github/workflows/reusable-test-policy-go.yml
+    uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-go.yml@v3.2.0
diff --git a/Makefile b/Makefile
@@ -1,27 +1,16 @@
 SOURCE_FILES := $(shell find . -type f -name '*.go')
 VERSION := $(shell git describe | cut -c2-)
 
-# We cannot use the official tinygo container image until
-# this issue is closed: https://github.com/tinygo-org/tinygo/issues/3501
-CONTAINER_IMAGE = tinygo/tinygo:0.30.0
-
-# TODO: drop this once we can use the official tinygo container image
-# see comment from above
-build-container:
-	DOCKER_BUILDKIT=1 docker build . -t $(CONTAINER_IMAGE)
+CONTAINER_IMAGE = "tinygo/tinygo:0.32.0"
 
 policy.wasm: $(SOURCE_FILES) go.mod go.sum
-	# TODO: remove the -opt=0 once tinygo ships with a more recent version of
-	# wasm-opt
 	docker run \
 		--rm \
 		-e GOFLAGS="-buildvcs=false" \
 		-v ${PWD}:/src \
 		-w /src \
 		$(CONTAINER_IMAGE) \
-		tinygo build -o policy-no-opt.wasm -opt=0 -target=wasi -no-debug .
-	# Note: requires binaryen >= 116 to be installed
-	wasm-opt -Os policy-no-opt.wasm -o policy.wasm
+		tinygo build -o policy.wasm -target=wasip1 -no-debug .
 
 artifacthub-pkg.yml: metadata.yml go.mod
 	$(warning If you are updating the artifacthub-pkg.yml file for a release, \

diff --git a/go.mod b/go.mod
@@ -1,16 +1,23 @@
 module github.com/kubewarden/rancher-project-quotas-namespace-validator
 
-go 1.21
+go 1.22
 
-toolchain go1.21.6
+toolchain go1.22.4
 
 replace github.com/go-openapi/strfmt => github.com/kubewarden/strfmt v0.1.3
 
 require (
 	github.com/kubewarden/k8s-objects v1.29.0-kw1
-	github.com/kubewarden/policy-sdk-go v0.7.0
+	github.com/kubewarden/policy-sdk-go v0.11.0
 	github.com/wapc/wapc-guest-tinygo v0.3.3
 	gopkg.in/inf.v0 v0.9.1
 )
 
-require github.com/go-openapi/strfmt v0.21.5 // indirect
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-openapi/strfmt v0.21.5 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -1,29 +1,22 @@
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
-github.com/kubewarden/k8s-objects v1.27.0-kw2 h1:6ZA72SFtDSbCupwxlIyJimUzN0nSweMCUx5jUEnoxkw=
-github.com/kubewarden/k8s-objects v1.27.0-kw2/go.mod h1:wVx4Rg1HKml8yewPwAHUWp1wYSAtBlKV/tsmteDuK1g=
-github.com/kubewarden/k8s-objects v1.27.0-kw3 h1:3a5icCAl4gRDFcDhHk/rkHeocrjSzg/gAlfhrLReqWU=
-github.com/kubewarden/k8s-objects v1.27.0-kw3/go.mod h1:EMF+Hr26oDR4yQkWJAQpl0M0Ek5ioNXlCswjGZO0G2U=
-github.com/kubewarden/k8s-objects v1.27.0-kw4 h1:az1qJLD5f5Pcx9ur1oRMhWqZi1AL5MLJoXXgRjCeuQY=
-github.com/kubewarden/k8s-objects v1.27.0-kw4/go.mod h1:EMF+Hr26oDR4yQkWJAQpl0M0Ek5ioNXlCswjGZO0G2U=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/kubewarden/k8s-objects v1.29.0-kw1 h1:bVQ2WL1ROqApYmHQJ/yxrs3tssfzzalblE2txChcHxY=
 github.com/kubewarden/k8s-objects v1.29.0-kw1/go.mod h1:EMF+Hr26oDR4yQkWJAQpl0M0Ek5ioNXlCswjGZO0G2U=
-github.com/kubewarden/policy-sdk-go v0.5.0 h1:JnSRf5pHjFzTNNp6jJbSP5a4cwzFzkUBjLujqJd+Z+w=
-github.com/kubewarden/policy-sdk-go v0.5.0/go.mod h1:1IZXauwI5iCuOZj7tU58nE/SZFb/HsCmj3ZpDVStVQs=
-github.com/kubewarden/policy-sdk-go v0.5.1 h1:O2C1NuGtGo5/d7c5iiijV3zheGDfwvBOkphfgl19crE=
-github.com/kubewarden/policy-sdk-go v0.5.1/go.mod h1:C8sUX4FYhbP69cvQfPLmIvAJhVHQyg1qaq9EynOn8a0=
-github.com/kubewarden/policy-sdk-go v0.5.2 h1:GCIXmqNBVG3ADvoH9L9KkBYHM+Npa2G2HZu2Khsyvt8=
-github.com/kubewarden/policy-sdk-go v0.5.2/go.mod h1:C8sUX4FYhbP69cvQfPLmIvAJhVHQyg1qaq9EynOn8a0=
-github.com/kubewarden/policy-sdk-go v0.6.0 h1:f7RL+hkcjt1g5/4JmUU+itzsdMNs5rFJT7ISJtSAB9g=
-github.com/kubewarden/policy-sdk-go v0.6.0/go.mod h1:C8sUX4FYhbP69cvQfPLmIvAJhVHQyg1qaq9EynOn8a0=
-github.com/kubewarden/policy-sdk-go v0.7.0 h1:quNOrqtZRgLHpknoIWl0yDWDK8xJ/hDtP8M40HVDPmc=
-github.com/kubewarden/policy-sdk-go v0.7.0/go.mod h1:wq/jwnVOpSaETu/n9DW0ePbeoUdoqYTEzlNKmZGaPIM=
+github.com/kubewarden/policy-sdk-go v0.11.0 h1:qW2UqARixH2r8KyitSistiAg0Ex0LA+HJr/xaBwiDcg=
+github.com/kubewarden/policy-sdk-go v0.11.0/go.mod h1:4Yg/Wpxnt7p4Ps68hBfnK8qoGURM5MJaq67Kjao2smY=
 github.com/kubewarden/strfmt v0.1.3 h1:bb+2rbotioROjCkziSt+hqnHXzOlumN94NxDKdV2kPI=
 github.com/kubewarden/strfmt v0.1.3/go.mod h1:DXoaaIYwqW1LyyRoMeyxfHUU+VUSTNFdj38juCXfRzs=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/wapc/wapc-guest-tinygo v0.3.3 h1:jLebiwjVSHLGnS+BRabQ6+XOV7oihVWAc05Hf1SbeR0=
 github.com/wapc/wapc-guest-tinygo v0.3.3/go.mod h1:mzM3CnsdSYktfPkaBdZ8v88ZlfUDEy5Jh5XBOV3fYcw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/host_context_native.go b/host_context_native.go
diff --git a/host_context_wasi.go b/host_context_wasi.go
diff --git a/validate.go b/validate.go
@@ -8,6 +8,7 @@ import (
 	corev1 "github.com/kubewarden/k8s-objects/api/core/v1"
 	meta_v1 "github.com/kubewarden/k8s-objects/apimachinery/pkg/apis/meta/v1"
 	kubewarden "github.com/kubewarden/policy-sdk-go"
+	"github.com/kubewarden/policy-sdk-go/pkg/capabilities"
 	"github.com/kubewarden/policy-sdk-go/pkg/capabilities/kubernetes"
 	kubewarden_protocol "github.com/kubewarden/policy-sdk-go/protocol"
 )
@@ -30,6 +31,8 @@ const (
 	RancherProjectKind = "Project"
 )
 
+var host = capabilities.NewHost()
+
 func validate(payload []byte) ([]byte, error) {
 	// Create a ValidationRequest instance from the incoming payload
 	validationRequest := kubewarden_protocol.ValidationRequest{}
@@ -119,7 +122,6 @@ func findProject(projectID, projectNamespace string) (Project, *LookupError) {
 		DisableCache: true,
 	}
 
-	host := getWapcHost()
 	projectRaw, err := kubernetes.GetResource(&host, findPrjReq)
 
 	if err != nil {