Merge branch 'main' into rotation

.github/workflows/chart.yaml

@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.0.0
         with:
           submodules: true
           fetch-depth: 0

.github/workflows/codecov.yaml

@@ -14,16 +14,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.0.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "^1.20"
       - name: Run tests
         run: make go-test
-      - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673
+      - uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e
         with:
           files: ./cover.out

.github/workflows/codeql.yaml

@@ -21,20 +21,20 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+        uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+        uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+        uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13

.github/workflows/create-release.yaml

@@ -12,12 +12,12 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.0.0
         with:
           fetch-depth: 0
       - name: Goreleaser

.github/workflows/dependency-review.yaml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.0.0
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/e2e.yaml

@@ -32,11 +32,11 @@ jobs:
         KUBERNETES_VERSION: ["v1.28.9", "v1.29.4", "v1.30.2"]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.0.0
         with:
           submodules: true
           fetch-depth: 0

.github/workflows/markdown-link-check.yaml

@@ -22,10 +22,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
       with:
         egress-policy: audit
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.0.0
     - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15
       with:
         # this will only show errors in the output

.github/workflows/scan-vulns.yaml

@@ -19,12 +19,12 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.21"
           check-latest: true
-      - uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # v1.0.3
+      - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4

.github/workflows/scorecards.yaml

@@ -31,12 +31,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.0.0
         with:
           persist-credentials: false
 
@@ -63,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
         with:
           sarif_file: results.sarif

Makefile

@@ -29,8 +29,8 @@ E2E_PROVIDER_IMAGE_NAME ?= e2e-provider
 
 # Release version is the current supported release for the driver
 # Update this version when the helm chart is being updated for release
-RELEASE_VERSION := v1.4.5
-IMAGE_VERSION ?= v1.4.5
+RELEASE_VERSION := v1.4.7
+IMAGE_VERSION ?= v1.4.7
 
 # Use a custom version for E2E tests if we are testing in CI
 ifdef CI
@@ -103,7 +103,7 @@ KIND_VERSION ?= 0.23.0
 KUBERNETES_VERSION ?= 1.30.2
 KUBECTL_VERSION ?= 1.30.2
 BATS_VERSION ?= 1.4.1
-TRIVY_VERSION ?= 0.39.1
+TRIVY_VERSION ?= 0.57.1
 PROTOC_VERSION ?= 3.20.1
 SHELLCHECK_VER ?= v0.8.0
 YQ_VERSION ?= v4.11.2
@@ -116,17 +116,22 @@ AWS_REGION := us-west-2
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:crdVersions=v1"
 
-## --------------------------------------
+
 ## Validate golang version
-## --------------------------------------
+
 GO_MAJOR_VERSION = $(shell go version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f1)
 GO_MINOR_VERSION = $(shell go version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f2)
 MINIMUM_SUPPORTED_GO_MAJOR_VERSION = 1
 MINIMUM_SUPPORTED_GO_MINOR_VERSION = 16
 GO_VERSION_VALIDATION_ERR_MSG = Golang version is not supported, please update to at least $(MINIMUM_SUPPORTED_GO_MAJOR_VERSION).$(MINIMUM_SUPPORTED_GO_MINOR_VERSION)
 
+
+.PHONY: help
+help: ## Display this help
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
 .PHONY: validate-go
-validate-go: ## Validates the installed version of go.
+validate-go: ## Validates the installed version of go
 	@if [ $(GO_MAJOR_VERSION) -gt $(MINIMUM_SUPPORTED_GO_MAJOR_VERSION) ]; then \
 		exit 0 ;\
 	elif [ $(GO_MAJOR_VERSION) -lt $(MINIMUM_SUPPORTED_GO_MAJOR_VERSION) ]; then \
@@ -137,35 +142,31 @@ validate-go: ## Validates the installed version of go.
 		exit 1; \
 	fi
 
-## --------------------------------------
-## Testing
-## --------------------------------------
+##@ Testing
 
 .PHONY: test
-test: go-test
+test: go-test ## Run unit tests
 
-.PHONY: go-test # Run unit tests
+.PHONY: go-test
 go-test:
 	go test -count=1 $(GO_FILES) -v -coverprofile cover.out
 	cd test/e2eprovider && go test ./... -tags e2e -count=1 -v
 
 # skipping Controller tests as this driver only implements Node and Identity service.
 .PHONY: sanity-test # Run CSI sanity tests for the driver
-sanity-test:
+sanity-test: ## Run sanity tests
 	go test -v ./test/sanity -ginkgo.skip=Controller\|should.work\|NodeStageVolume
 
 .PHONY: image-scan
-image-scan: $(TRIVY)
+image-scan: $(TRIVY) ## Run image-scan
 	# show all vulnerabilities
 	$(TRIVY) image --severity MEDIUM,HIGH,CRITICAL $(IMAGE_TAG)
 	$(TRIVY) image --severity MEDIUM,HIGH,CRITICAL $(CRD_IMAGE_TAG)
 	# show vulnerabilities that have been fixed
 	$(TRIVY) image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL $(IMAGE_TAG)
 	$(TRIVY) image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL $(CRD_IMAGE_TAG)
 
-## --------------------------------------
 ## Tooling Binaries
-## --------------------------------------
 
 $(CONTROLLER_GEN): $(TOOLS_MOD_DIR)/go.mod $(TOOLS_MOD_DIR)/go.sum $(TOOLS_MOD_DIR)/tools.go ## Build controller-gen from tools folder.
 	cd $(TOOLS_MOD_DIR) && \
@@ -177,7 +178,7 @@ $(GOLANGCI_LINT): ## Build golangci-lint from tools folder.
 
 $(KUSTOMIZE): ## Build kustomize from tools folder.
 	cd $(TOOLS_MOD_DIR) && \
-		GOPROXY=$(GOPROXY) go build -tags=tools -o $(TOOLS_BIN_DIR)/kustomize sigs.k8s.io/kustomize/kustomize/v4
+		GOPROXY=$(GOPROXY) go build -tags=tools -o $(TOOLS_BIN_DIR)/kustomize sigs.k8s.io/kustomize/kustomize/v5
 
 $(PROTOC_GEN_GO): ## Build protoc-gen-go from tools folder.
 	cd $(TOOLS_MOD_DIR) && \
@@ -187,9 +188,7 @@ $(PROTOC_GEN_GO_GRPC): ## Build protoc-gen-go-grpc from tools folder.
 	cd $(TOOLS_MOD_DIR) && \
 		GOPROXY=$(GOPROXY) go build -tags=tools -o $(TOOLS_BIN_DIR)/protoc-gen-go-grpc google.golang.org/grpc/cmd/protoc-gen-go-grpc
 
-## --------------------------------------
 ## Testing Binaries
-## --------------------------------------
 
 $(HELM): ## Install helm3 if not present
 	helm version --short | grep -q v3 || (curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash)
@@ -234,34 +233,32 @@ $(SHELLCHECK):
 	chmod +x "$(TOOLS_BIN_DIR)/shellcheck" "$(SHELLCHECK)"
 	rm -rf shellcheck*
 
-## --------------------------------------
-## Linting
-## --------------------------------------
+##@ Linting
+
 .PHONY: test-style
 test-style: lint lint-charts shellcheck
 
 .PHONY: lint
-lint: $(GOLANGCI_LINT)
+lint: $(GOLANGCI_LINT) ## Run lint
 	# Setting timeout to 5m as default is 1m
 	$(GOLANGCI_LINT) run --timeout=5m -v
 	cd test/e2eprovider && $(GOLANGCI_LINT) run --build-tags e2e --timeout=5m -v
 
 lint-full: $(GOLANGCI_LINT)
 	$(GOLANGCI_LINT) run -v --fast=false
 
-lint-charts: $(HELM) # Run helm lint tests
+lint-charts: $(HELM) ## Run lint on helm charts
 	helm lint charts/secrets-store-csi-driver
 	helm lint manifest_staging/charts/secrets-store-csi-driver
 
 .PHONY: shellcheck
 shellcheck: $(SHELLCHECK)
 	find . -name '*.sh' -not -path './third_party/*'  | xargs $(SHELLCHECK)
 
-## --------------------------------------
-## Builds
-## --------------------------------------
+##@ Builds
+
 .PHONY: build
-build:
+build: ## Build Secret Store CSI Driver binary
 	GOPROXY=$(GOPROXY) CGO_ENABLED=0 GOOS=linux go build -a -ldflags $(LDFLAGS) -o _output/secrets-store-csi ./cmd/secrets-store-csi-driver
 
 .PHONY: build-e2e-provider
@@ -281,7 +278,7 @@ clean-crds:
 	rm -rf _output/crds/*
 
 .PHONY: build-crds
-build-crds: clean-crds
+build-crds: clean-crds ## Build crds
 	mkdir -p _output/crds
 ifdef CI
 	cp -R manifest_staging/charts/secrets-store-csi-driver/crds/ _output/crds/
@@ -294,7 +291,7 @@ e2e-provider-container:
 	docker buildx build --no-cache -t $(E2E_PROVIDER_IMAGE_TAG) -f test/e2eprovider/Dockerfile --progress=plain .
 
 .PHONY: container
-container: crd-container
+container: crd-container ## Build container image
 	docker buildx build --no-cache --build-arg IMAGE_VERSION=$(IMAGE_VERSION) -t $(IMAGE_TAG) -f docker/Dockerfile --progress=plain .
 
 .PHONY: crd-container
@@ -356,9 +353,8 @@ push-manifest:
 	docker manifest push --purge $(CRD_IMAGE_TAG)
 	docker manifest inspect $(CRD_IMAGE_TAG)
 
-## --------------------------------------
-## E2E Testing
-## --------------------------------------
+##@ E2E Testing
+
 .PHONY: e2e-install-prerequisites
 e2e-install-prerequisites: $(HELM) $(BATS) $(KIND) $(KUBECTL) $(ENVSUBST) $(YQ)
 
@@ -388,7 +384,7 @@ e2e-mock-provider-container:
 	kind load docker-image --name kind $(E2E_PROVIDER_IMAGE_TAG)
 
 .PHONY: e2e-test
-e2e-test: e2e-bootstrap e2e-helm-deploy # run test for windows
+e2e-test: e2e-bootstrap e2e-helm-deploy  ## Run e2e tests for windows
 	$(MAKE) e2e-azure
 
 .PHONY: e2e-teardown
@@ -496,12 +492,10 @@ e2e-aws:
 e2e-conjur:
 	bats -t test/bats/conjur.bats
 
-## --------------------------------------
-## Generate
-## --------------------------------------
-# Generate manifests e.g. CRD, RBAC etc.
+##@ Generate
+
 .PHONY: manifests
-manifests: $(CONTROLLER_GEN) $(KUSTOMIZE)
+manifests: $(CONTROLLER_GEN) $(KUSTOMIZE)  ## Generate manifests e.g. CRD, RBAC etc.
 	# Generate the base CRD/RBAC
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=secretproviderclasses-role object:headerFile=./hack/boilerplate.go.txt paths="./apis/..." \
 		 paths="./apis/..." paths="./controllers" output:crd:artifacts:config=config/crd/bases
@@ -553,9 +547,8 @@ generate-protobuf: $(PROTOC) $(PROTOC_GEN_GO) $(PROTOC_GEN_GO_GRPC) # generates
 	# Update boilerplate for the generated file.
 	cat hack/boilerplate.go.txt provider/v1alpha1/service_grpc.pb.go > tmpfile && mv tmpfile provider/v1alpha1/service_grpc.pb.go
 
-## --------------------------------------
 ## Release
-## --------------------------------------
+
 .PHONY: release-manifest
 release-manifest:
 	$(MAKE) manifests
@@ -573,9 +566,8 @@ promote-staging-manifest: #promote staging manifests to release dir
 	@rm -rf charts/secrets-store-csi-driver
 	@cp -r manifest_staging/charts/secrets-store-csi-driver ./charts
 
-## --------------------------------------
-## Local
-## --------------------------------------
+##@ Local
+
 .PHONY: redeploy-driver
-redeploy-driver: e2e-container
+redeploy-driver: e2e-container ## Redeploy driver and e2e-container
 	kubectl delete pod $(shell kubectl get pod -n kube-system -l app=secrets-store-csi-driver -o jsonpath="{.items[0].metadata.name}") -n kube-system --force --grace-period 0