From 1e0a7d4d05ec1837b4ae76c51e14f36cede7d9c7 Mon Sep 17 00:00:00 2001
From: Zhongcheng Lao
Date: Fri, 8 Sep 2023 12:38:19 +0800
Subject: [PATCH 1/3] Add verify-import-restrictions to enforce import restrictions
---
 Makefile | 14 ++++++-
 apis/.import-restrictions | 5 +++
 apis/v1beta1/.import-restrictions | 5 +++
 apis/vmware/v1beta1/.import-restrictions | 5 +++
 hack/verify-import-restrictions.sh | 51 ++++++++++++++++++++++++
 5 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 apis/.import-restrictions
 create mode 100644 apis/v1beta1/.import-restrictions
 create mode 100644 apis/vmware/v1beta1/.import-restrictions
 create mode 100755 hack/verify-import-restrictions.sh
diff --git a/Makefile b/Makefile
index ce99462618..2a9b1373ad 100644
--- a/Makefile
+++ b/Makefile
@@ -173,6 +173,11 @@ KIND_BIN := kind
 KIND := $(abspath $(TOOLS_BIN_DIR)/$(KIND_BIN)-$(KIND_VER))
 KIND_PKG := sigs.k8s.io/kind
+IMPORT_BOSS_BIN := import-boss
+IMPORT_BOSS_VER := v0.28.1
+IMPORT_BOSS := $(abspath $(TOOLS_BIN_DIR)/$(IMPORT_BOSS_BIN))
+IMPORT_BOSS_PKG := k8s.io/code-generator/cmd/import-boss
+
 CAPI_HACK_TOOLS_VER := 4abf44cd85c4590602e4c10543d53cd4ec914845 # Note: this is the commit ID of the dependend CAPI release tag, currently v1.5.0
 CONVERSION_VERIFIER_VER := $(CAPI_HACK_TOOLS_VER)
@@ -337,7 +342,7 @@ APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/main)
 apidiff: $(GO_APIDIFF) ## Check for API differences
 $(GO_APIDIFF) $(APIDIFF_OLD_COMMIT) --print-compatible
-ALL_VERIFY_CHECKS = licenses boilerplate shellcheck modules gen conversions doctoc flavors
+ALL_VERIFY_CHECKS = licenses boilerplate shellcheck modules gen conversions doctoc flavors import-restrictions
 .PHONY: verify
 verify: $(addprefix verify-,$(ALL_VERIFY_CHECKS)) ## Run all verify-* targets
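Review bot: `IMPORT_BOSS` in the `@@ -173` hunk is defined without the version suffix that `KIND` carries (`$(KIND_BIN)-$(KIND_VER)`), so the target path does not change when `IMPORT_BOSS_VER` is bumped and an already-installed binary of the old version still satisfies the `$(IMPORT_BOSS)` prerequisite. For a tool that gates a verify check, the pin should be reflected in the path: `IMPORT_BOSS := $(abspath $(TOOLS_BIN_DIR)/$(IMPORT_BOSS_BIN)-$(IMPORT_BOSS_VER))`. The same applies to the `$(IMPORT_BOSS):` build rule in the `@@ -821` hunk, and because the script added in this patch calls `import-boss` by bare name it would then need the versioned path handed to it. What `$(GO_INSTALL)` actually writes into `$(TOOLS_BIN_DIR)` is not visible in this diff, so confirm the resulting file name against it.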
@@ -407,6 +412,9 @@ verify-flavors: $(FLAVOR_DIR) generate-flavors ## Verify generated flavors
 echo "flavor files in templates directory are out of date"; exit 1; \
 fi
+.PHONY: verify-import-restrictions
+verify-import-restrictions: $(IMPORT_BOSS) ## Verify import restrictions with import-boss
+ ./hack/verify-import-restrictions.sh
 ## --------------------------------------
 ## Build
@@ -769,6 +777,8 @@ $(GOVC_BIN): $(GOVC) ## Build a local copy of govc.
 .PHONY: $(KIND_BIN)
 $(KIND_BIN): $(KIND) ## Build a local copy of kind.
+.PHONY: $(IMPORT_BOSS_BIN)
+$(IMPORT_BOSS_BIN): $(IMPORT_BOSS)
 .PHONY: $(RELEASE_NOTES_BIN)
 $(RELEASE_NOTES_BIN): $(RELEASE_NOTES) ## Build a local copy of release-notes.
@@ -821,6 +831,8 @@ $(GOVC): # Build GOVC.
 $(KIND): # Build kind.
 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(KIND_PKG) $(KIND_BIN) $(KIND_VER)
+$(IMPORT_BOSS): # Build import-boss
+ GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(IMPORT_BOSS_PKG) $(IMPORT_BOSS_BIN) $(IMPORT_BOSS_VER)
 $(RELEASE_NOTES): # Build release-notes.
 GOBIN=$(TOOLS_BIN_DIR) $(GO_TOOLS_BUILD) $(RELEASE_NOTES_PKG) $(RELEASE_NOTES_BIN) $(RELEASE_NOTES_VER)
diff --git a/apis/.import-restrictions b/apis/.import-restrictions
new file mode 100644
index 0000000000..f6f10b3ff5
--- /dev/null
+++ b/apis/.import-restrictions
@@ -0,0 +1,5 @@
+rules:
+ - selectorRegexp: sigs[.]k8s[.]io/controller-runtime
+ allowedPrefixes:
+ - "sigs.k8s.io/controller-runtime/pkg/conversion"
+ forbiddenPrefixes: []
diff --git a/apis/v1beta1/.import-restrictions b/apis/v1beta1/.import-restrictions
new file mode 100644
index 0000000000..a2e1dfd081
--- /dev/null
+++ b/apis/v1beta1/.import-restrictions
@@ -0,0 +1,5 @@
+rules:
+ - selectorRegexp: sigs[.]k8s[.]io/controller-runtime
+ allowedPrefixes: []
+ forbiddenPrefixes:
+ - "sigs.k8s.io/controller-runtime"
diff --git a/apis/vmware/v1beta1/.import-restrictions b/apis/vmware/v1beta1/.import-restrictions
new file mode 100644
index 0000000000..a2e1dfd081
--- /dev/null
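Review bot: The `verify-import-restrictions` recipe builds `$(IMPORT_BOSS)` but never hands it to the script, and `hack/verify-import-restrictions.sh` (added in this patch) runs `import-boss` by bare name, so whichever `import-boss` is first on `PATH` performs the check. Unless the Makefile puts `$(TOOLS_BIN_DIR)` on `PATH` somewhere outside this hunk, a different or unpinned build can run instead of the v0.28.1 one. Pass the binary explicitly with `IMPORT_BOSS=$(IMPORT_BOSS) ./hack/verify-import-restrictions.sh` and have the script invoke `"${IMPORT_BOSS:-import-boss}"`.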
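Review bot: The new `$(IMPORT_BOSS_BIN): $(IMPORT_BOSS)` line in the `@@ -769` hunk has no `##` description, unlike the neighbouring `$(KIND_BIN)` and `$(RELEASE_NOTES_BIN)` targets. Add one in the same form, `$(IMPORT_BOSS_BIN): $(IMPORT_BOSS) ## Build a local copy of import-boss.`, so the target is documented like its siblings.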
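Review bot: `apis/.import-restrictions` records no reason for restricting controller-runtime, so a contributor who trips the check cannot tell whether to drop the import or extend `allowedPrefixes`. Put a short comment at the top of the file, for example `# API packages may import only controller-runtime/pkg/conversion; keep other controller-runtime imports out of apis/.` if that is the intent. The same applies to the `apis/v1beta1` and `apis/vmware/v1beta1` files, where it would also help to say how their `forbiddenPrefixes` entry relates to the parent rule.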
+++ b/apis/vmware/v1beta1/.import-restrictions
@@ -0,0 +1,5 @@
+rules:
+ - selectorRegexp: sigs[.]k8s[.]io/controller-runtime
+ allowedPrefixes: []
+ forbiddenPrefixes:
+ - "sigs.k8s.io/controller-runtime"
diff --git a/hack/verify-import-restrictions.sh b/hack/verify-import-restrictions.sh
new file mode 100755
index 0000000000..72c461738c
--- /dev/null
+++ b/hack/verify-import-restrictions.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script checks import restrictions. The script looks for a file called
+# `.import-restrictions` in each directory, then all imports of the package are
+# checked against each "rule" in the file.
+# Usage: `hack/verify-import-restrictions.sh`.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+sub_packages=(
+ "apis"
+)
+
+packages=()
+visit() {
+ local count=0
+ for file in "$1"/* ; do
+ if [ -d "$file" ]; then
+ visit "$file"
+ elif [ -f "$file" ]; then
+ ((count += 1))
+ fi
+ done
+ if [ "$count" -gt 0 ]; then
+ # import-boss may not accept directories without any sources
+ packages+=("./$1")
+ fi
+}
+for d in "${sub_packages[@]}"; do
+ visit "$d"
+done
+
+INPUT_DIRS="$(IFS=, ; echo "${packages[*]}")"
+echo "Enforcing imports in source codes under the following directories: ${INPUT_DIRS}"
+import-boss --include-test-files=true --verify-only --input-dirs "${INPUT_DIRS}"
From dafbcde1a4da84769ef6c3b690f98af5cd4c4927 Mon Sep 17 00:00:00 2001
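Review bot: The script never changes to the repository root, and `visit "apis"` is relative to the caller's working directory, so when it is run from elsewhere `packages` stays empty and `import-boss` receives an empty `--input-dirs`. Depending on the bash version and on how import-boss treats that, the check may then pass without inspecting anything. Anchor the path and fail closed: add `cd "$(dirname "${BASH_SOURCE[0]}")/.."` after the `set -o` lines, and `[ "${#packages[@]}" -gt 0 ] || { echo "no packages found under ${sub_packages[*]}" >&2; exit 1; }` before `INPUT_DIRS` is built. `count` also counts any regular file rather than only Go sources, so a directory holding just a non-Go file is still passed to import-boss.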
From: Stefan Bueringer
Date: Mon, 11 Sep 2023 10:35:28 +0200
Subject: [PATCH 2/3] test
---
 apis/v1beta1/groupversion_info.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/apis/v1beta1/groupversion_info.go b/apis/v1beta1/groupversion_info.go
index a4ff809a7e..a2f8e8d329 100644
--- a/apis/v1beta1/groupversion_info.go
+++ b/apis/v1beta1/groupversion_info.go
@@ -20,6 +20,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
+ "sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 const (
@@ -34,6 +35,9 @@ var (
 // GroupVersion is group version used to register these objects.
 GroupVersion = schema.GroupVersion{Group: GroupName, Version: Version}
+ // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+ SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
 // schemeBuilder is used to add go types to the GroupVersionKind scheme.
 schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
From 353538a670ae99e9d2b6d8673d3a8cfc940b11a9 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer
Date: Tue, 12 Sep 2023 10:27:21 +0200
Subject: [PATCH 3/3] unset gopath
---
 hack/verify-import-restrictions.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hack/verify-import-restrictions.sh b/hack/verify-import-restrictions.sh
index 72c461738c..9b56353533 100755
--- a/hack/verify-import-restrictions.sh
+++ b/hack/verify-import-restrictions.sh
@@ -48,4 +48,5 @@ done
 INPUT_DIRS="$(IFS=, ; echo "${packages[*]}")"
 echo "Enforcing imports in source codes under the following directories: ${INPUT_DIRS}"
+unset GOPATH
 import-boss --include-test-files=true --verify-only --input-dirs "${INPUT_DIRS}"
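Review bot: The added import `sigs.k8s.io/controller-runtime/pkg/scheme` in `apis/v1beta1` falls under the prefix that `apis/v1beta1/.import-restrictions` from patch 1 lists in `forbiddenPrefixes`, so `verify-import-restrictions` should fail on this commit. Given the subject `test`, this looks like a probe that the check fires; if so it has to be dropped before merge, because the second hunk (`@@ -34,6 +35,9 @@`) also adds an exported `SchemeBuilder` that becomes public API and sits next to the existing unexported `schemeBuilder` under an identical comment. If the export is intended, it needs a rationale and a matching `allowedPrefixes` entry instead.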
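Review bot: `unset GOPATH` is added without a comment, and neither the script nor the commit message says why import-boss needs it. State the reason on the line above it, for example `# import-boss mis-resolves the ./-relative input dirs when GOPATH is set (see <issue link>)`, with the wording confirmed by the author, so the line is not later removed as dead code. The hunk starts at line 48, so the rest of the script is outside it.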