Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decouple dependencies of tools/ and the rest of the codebase #1840

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Decouple dependencies of tools/ and the rest of the codebase #1840

wants to merge 4 commits into from

Conversation

phoracek
Copy link
Member

@phoracek phoracek commented Aug 2, 2024
edited
Loading

What this PR does / why we need it:

This PR introduces a dedicated subpackage for tools used in the project. This allows us to shed much of the vendored dependencies that are tied to the production code.

This is important, because it allows us to quickly evaluate whether any reported CVE/CWE affects the production code. Decoupling the dependencies also makes is easier to keep them up to date. Finally, making it clear which dependencies are used by the production code enables us to audit the list and decide whether we want to remove any of the dependencies.

Number of go lines vendored by the production code was cut by 96 %, from 384015 to 14460. Checked with cd vendor && find . -name '*.go' | xargs wc -l.

Number of dependencies (including indirect) of the production code was cut by 30 %, from 806 to 566. Checked with cat go.sum | awk '{print $1}' | sort | uniq | wc -l.

The list of dependencies we were able to shed off is here: https://gist.github.com/phoracek/aafc6cae0275291117b0c13e94c48e66

Special notes for your reviewer:

Review the PR commit by commit. The last commit contains all the vendoring and go.sum updates.

Release note:

NONE

@kubevirt-bot kubevirt-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/L labels Aug 2, 2024
@kubevirt-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from phoracek. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

RamLavi
RamLavi reviewed Aug 4, 2024
View reviewed changes
Copy link
Collaborator

@RamLavi RamLavi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a preparation step before making tooks/ its own module.

typo in commit msg: tooks/ --> tools

@phoracek
Copy link
Member Author

phoracek commented Aug 4, 2024

@oshoval don't bother reviewing it, it's WIP

@kubevirt-bot kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 4, 2024
@phoracek
chore: Use the new prometheus-operator org
ca630c8 
The module was moved from coreos org under prometheus-operator.
Reflect that in imports, to allow `go mod tidy` to pass.

Signed-off-by: Petr Horacek <[email protected]>
@phoracek
chore: Set a replace for kubevirt import
b32daa0 
Otherwise `go mod tidy` fails due to broken libvmi import.

Signed-off-by: Petr Horacek <[email protected]>
@kubevirt-bot kubevirt-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 22, 2024
@phoracek phoracek force-pushed the rework_dependencies branch 3 times, most recently from 47a0611 to 1f0d12c Compare August 22, 2024 11:51
@phoracek
Move tools.go under the tools/ subdirectory
6c237ac 
This is a preparation step before making tooks/ its own module.

This greatly reduces the amound of dependencies it the root go.mod,
allowing for easier scanning and resolution of vulnerabilities.

Signed-off-by: Petr Horacek <[email protected]>
@phoracek
Update vendored dependencies
f5cec32 
Signed-off-by: Petr Horacek <[email protected]>
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Sep 6, 2024

Quality Gate Failed Quality Gate failed

Failed conditions
7 Security Hotspots

See analysis details on SonarCloud

@kubevirt-bot kubevirt-bot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Sep 6, 2024
@phoracek phoracek changed the title WIP Rework dependencies Decouple dependencies of tools/ and the rest of the codebase Sep 6, 2024
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 6, 2024
@oshoval
Copy link
Collaborator

oshoval commented Sep 8, 2024
edited
Loading

IPAM lane started to fail on random tests, not related to this PR i believe,
always at "Waiting for readiness at virtual machine alpine..." stage,
git actions is low on resources, so it might give best effort resources,
for some reason it doesnt collect the artifacts that should also be solved and would able to hint about the problem

The teardown from glance looks fine after each test.

oshoval
oshoval reviewed Sep 8, 2024
View reviewed changes
hack/whitespace.sh
@@ -3,11 +3,11 @@
set -e

function fix() {
git ls-files -- ':!vendor/' | xargs sed --follow-symlinks -i 's/[[:space:]]*$//'
git ls-files -- ':!vendor/' ':!tools/vendor' | xargs sed --follow-symlinks -i 's/[[:space:]]*$//'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: in order to exclude /vendor/ folders that might exists in the future
git ls-files | grep -vE '^vendor/|/vendor/'
or maybe also
git ls-files -- ':!vendor' ':!**/vendor/**'
but just nice to have please, it can wait for once we have new vendor folders

@oshoval
Copy link
Collaborator

oshoval commented Sep 8, 2024
edited
Loading

Very nice, thank you
/lgtm

We can just ignore failures on the IPAM for this PR imo, and fix it soon
checking here main branch state #1880
(fails there as well)

also sonar can be ignored please

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 8, 2024
RamLavi
RamLavi approved these changes Sep 8, 2024
View reviewed changes
Copy link
Collaborator

@RamLavi RamLavi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@oshoval
Copy link
Collaborator

oshoval commented Sep 8, 2024
edited
Loading

Can you please rebase this PR ?
(maybe once 1882 is merged so ipam flakes will be solved as well)

Git actions doesn't auto rebase, it is always good please to rebase manually just before merge
(we added a github config that should block merging when it is not the case, but it seems it doesn't work perfectly, need to revisit it on relevant repos)
We can also make git actions rebase once running (but it is not a bullet proof, because it is only when running, not also when ref HEAD was changed)
Btw this is one of the things prow is better than git actions imho,
moreover all those flakes, i wish we would move to prow on CNAO IPAM,
the drawback is that we can't use kind 0.20+ / k8s 1.29+ yet on prow, so it can be considered blocker

@oshoval
Copy link
Collaborator

oshoval commented Sep 8, 2024
edited
Loading

#1882
EDIT - merged

should fix the ipam flakiness, at least some of them are due to that (will run few times)
ipam artifacts collecting stopped working because of this i believe
https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/
(the folder we are on is .output which is hidden)
Will fix it soon

@kubevirt-bot
Copy link
Collaborator

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubevirt-bot kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 9, 2024
@RamLavi
Copy link
Collaborator

RamLavi commented Sep 11, 2024

@phoracek sorry for conflicting with your PR, can you re-copy the conflicted files to the new location?

@kubevirt-bot
Copy link
Collaborator

Pull requests that are marked with lgtm should receive a review
from an approver within 1 week.

After that period the bot marks them with the label needs-approver-review.

/label needs-approver-review

@kubevirt-bot kubevirt-bot added the needs-approver-review Indicates that a PR requires a review from an approver. label Sep 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oshoval oshoval oshoval left review comments

@RamLavi RamLavi RamLavi approved these changes

Assignees

@RamLavi RamLavi

@oshoval oshoval

Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. needs-approver-review Indicates that a PR requires a review from an approver. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note-none Denotes a PR that doesn't merit a release note. size/XXL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@phoracek @kubevirt-bot @oshoval @RamLavi