Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Decouple dependencies of tools/ and the rest of the codebase #1840

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

phoracek
Copy link
Member

@phoracek phoracek commented Aug 2, 2024

What this PR does / why we need it:

This PR introduces a dedicated subpackage for tools used in the project. This allows us to shed much of the vendored dependencies that are tied to the production code.

This is important, because it allows us to quickly evaluate whether any reported CVE/CWE affects the production code. Decoupling the dependencies also makes is easier to keep them up to date. Finally, making it clear which dependencies are used by the production code enables us to audit the list and decide whether we want to remove any of the dependencies.

Number of go lines vendored by the production code was cut by 96 %, from 384015 to 14460. Checked with cd vendor && find . -name '*.go' | xargs wc -l.

Number of dependencies (including indirect) of the production code was cut by 30 %, from 806 to 566. Checked with cat go.sum | awk '{print $1}' | sort | uniq | wc -l.

The list of dependencies we were able to shed off is here: https://gist.github.com/phoracek/aafc6cae0275291117b0c13e94c48e66

Special notes for your reviewer:

Review the PR commit by commit. The last commit contains all the vendoring and go.sum updates.

Release note:

NONE

@kubevirt-bot kubevirt-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/L labels Aug 2, 2024
@kubevirt-bot kubevirt-bot requested review from oshoval and RamLavi August 2, 2024 14:49
@kubevirt-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from phoracek. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copy link
Collaborator

@RamLavi RamLavi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a preparation step before making tooks/ its own module.

typo in commit msg: tooks/ --> tools

@phoracek
Copy link
Member Author

phoracek commented Aug 4, 2024

@oshoval don't bother reviewing it, it's WIP

@kubevirt-bot kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 4, 2024
@phoracek phoracek force-pushed the rework_dependencies branch from ddf1137 to ee00f93 Compare August 22, 2024 11:13
The module was moved from coreos org under prometheus-operator.
Reflect that in imports, to allow `go mod tidy` to pass.

Signed-off-by: Petr Horacek <phoracek@redhat.com>
Otherwise `go mod tidy` fails due to broken libvmi import.

Signed-off-by: Petr Horacek <phoracek@redhat.com>
@phoracek phoracek force-pushed the rework_dependencies branch from ee00f93 to df8e705 Compare August 22, 2024 11:18
@kubevirt-bot kubevirt-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 22, 2024
@phoracek phoracek force-pushed the rework_dependencies branch 3 times, most recently from 47a0611 to 1f0d12c Compare August 22, 2024 11:51
@phoracek phoracek force-pushed the rework_dependencies branch from aa0731d to cf357cd Compare August 26, 2024 15:47
@phoracek phoracek force-pushed the rework_dependencies branch from cf357cd to ae6987f Compare September 6, 2024 12:03
This is a preparation step before making tooks/ its own module.

This greatly reduces the amound of dependencies it the root go.mod,
allowing for easier scanning and resolution of vulnerabilities.

Signed-off-by: Petr Horacek <phoracek@redhat.com>
Signed-off-by: Petr Horacek <phoracek@redhat.com>
@phoracek phoracek force-pushed the rework_dependencies branch from ae6987f to f5cec32 Compare September 6, 2024 12:45
Copy link

sonarqubecloud bot commented Sep 6, 2024

Quality Gate Failed Quality Gate failed

Failed conditions
7 Security Hotspots

See analysis details on SonarCloud

@kubevirt-bot kubevirt-bot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Sep 6, 2024
@phoracek phoracek changed the title WIP Rework dependencies Decouple dependencies of tools/ and the rest of the codebase Sep 6, 2024
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 6, 2024
@oshoval
Copy link
Collaborator

oshoval commented Sep 8, 2024

IPAM lane started to fail on random tests, not related to this PR i believe,
always at "Waiting for readiness at virtual machine alpine..." stage,
git actions is low on resources, so it might give best effort resources,
for some reason it doesnt collect the artifacts that should also be solved and would able to hint about the problem

The teardown from glance looks fine after each test.

@@ -3,11 +3,11 @@
set -e

function fix() {
git ls-files -- ':!vendor/' | xargs sed --follow-symlinks -i 's/[[:space:]]*$//'
git ls-files -- ':!vendor/' ':!tools/vendor' | xargs sed --follow-symlinks -i 's/[[:space:]]*$//'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: in order to exclude /vendor/ folders that might exists in the future
git ls-files | grep -vE '^vendor/|/vendor/'
or maybe also
git ls-files -- ':!vendor' ':!**/vendor/**'
but just nice to have please, it can wait for once we have new vendor folders

@oshoval
Copy link
Collaborator

oshoval commented Sep 8, 2024

Very nice, thank you
/lgtm

We can just ignore failures on the IPAM for this PR imo, and fix it soon
checking here main branch state #1880
(fails there as well)

also sonar can be ignored please

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 8, 2024
Copy link
Collaborator

@RamLavi RamLavi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@oshoval
Copy link
Collaborator

oshoval commented Sep 8, 2024

Can you please rebase this PR ?
(maybe once 1882 is merged so ipam flakes will be solved as well)

Git actions doesn't auto rebase, it is always good please to rebase manually just before merge
(we added a github config that should block merging when it is not the case, but it seems it doesn't work perfectly, need to revisit it on relevant repos)
We can also make git actions rebase once running (but it is not a bullet proof, because it is only when running, not also when ref HEAD was changed)
Btw this is one of the things prow is better than git actions imho,
moreover all those flakes, i wish we would move to prow on CNAO IPAM,
the drawback is that we can't use kind 0.20+ / k8s 1.29+ yet on prow, so it can be considered blocker

@oshoval
Copy link
Collaborator

oshoval commented Sep 8, 2024

#1882
EDIT - merged

should fix the ipam flakiness, at least some of them are due to that (will run few times)
ipam artifacts collecting stopped working because of this i believe
https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/
(the folder we are on is .output which is hidden)
Will fix it soon

@kubevirt-bot
Copy link
Collaborator

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubevirt-bot kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 9, 2024
@RamLavi
Copy link
Collaborator

RamLavi commented Sep 11, 2024

@phoracek sorry for conflicting with your PR, can you re-copy the conflicted files to the new location?

@kubevirt-bot
Copy link
Collaborator

Pull requests that are marked with lgtm should receive a review
from an approver within 1 week.

After that period the bot marks them with the label needs-approver-review.

/label needs-approver-review

@kubevirt-bot kubevirt-bot added the needs-approver-review Indicates that a PR requires a review from an approver. label Sep 23, 2024
@kubevirt-bot
Copy link
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@kubevirt-bot kubevirt-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needs-approver-review Indicates that a PR requires a review from an approver. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note-none Denotes a PR that doesn't merit a release note. size/XXL
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants