Merge branch 'master' into cloud

snapp-incubator · Nov 25, 2023 · 67c41c6 · 67c41c6
2 parents 0317f1b + 0efd306
commit 67c41c6
Show file tree

Hide file tree

Showing 256 changed files with 9,470 additions and 3,647 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -13,7 +13,7 @@ initWorkingDir: &initWorkingDir
     GOROOT=$(go env GOROOT)
     sudo rm -r $(go env GOROOT)
     sudo mkdir $GOROOT
-    LATEST=$(curl -s https://go.dev/VERSION?m=text)
+    LATEST=$(curl -s https://go.dev/VERSION?m=text | grep -v time)
     curl https://dl.google.com/go/${LATEST}.linux-amd64.tar.gz | sudo tar xz -C $GOROOT --strip-components=1
 
 integrationDefaults: &integrationDefaults
@@ -36,7 +36,7 @@ buildCoreDNSImage: &buildCoreDNSImage
       command: |
         cd ~/go/src/${CIRCLE_PROJECT_USERNAME}/coredns
         make coredns SYSTEM="GOOS=linux" && \
-        docker build -t coredns . && \
+        DOCKER_BUILDKIT=1 docker build -t coredns . && \
         kind load docker-image coredns
 
 jobs:

diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -40,7 +40,7 @@ issue first and "claim" it and get feedback before you invest a lot of time.
 
 **If someone already opened a pull request, but you think the pull request has stalled and you would
 like to open another pull request for the same or similar feature, get some of the maintainers (see
-[CODEOWNERS](CODEOWNERS)) involved to resolve the situation and move things forward.**
+[CODEOWNERS](../CODEOWNERS)) involved to resolve the situation and move things forward.**
 
 If possible make a pull request as small as possible, or submit multiple pull request to complete a
 feature. Smaller means: easier to understand and review. This in turn means things can be merged

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,8 +5,15 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-
+    groups:
+       dev-dependencies:
+          patterns:
+            - "*"  
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+       dev-dependencies:
+          patterns:
+            - "*"  
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -20,7 +20,7 @@ jobs:
           fuzz-seconds: 600
           dry-run: false
       - name: Upload Crash
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         if: failure() && steps.build.outcome == 'success'
         with:
           name: artifacts

diff --git a/.github/workflows/go.fmt.yml b/.github/workflows/go.fmt.yml
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -6,11 +6,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
         with:
-          go-version: '1.18'
-      - uses: actions/checkout@v3
+          go-version: '~1.21.0'
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v3.7.0
         with:
-          version: v1.46.2
+          version: v1.52.2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,55 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      commit:
+        description: "Commit (e.g., 52f0348)"
+        default: "master"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.commit }}
+      - name: Set up info
+        run: |
+          set -x -e
+          VERSION=$(make -f Makefile.release version)
+          COMMIT=$(git rev-parse --quiet --verify ${{ github.event.inputs.commit }})
+          if [[ "$(git tag -l v${VERSION})" == "v${VERSION}" ]]; then
+            echo "v${VERSION} already released"
+            exit 1
+          fi
+          echo "commit=${COMMIT}" >> $GITHUB_OUTPUT
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+        id: info
+      - name: Build release binary
+        run: make -f Makefile.release release
+      - name: Build release binary sha256
+        run: (cd release; for asset in `ls -A *tgz`; do sha256sum $asset > $asset.sha256; done)
+      - name: Remove hidden section
+        run: sed '/+++/,//d' notes/coredns-${{ steps.info.outputs.version}}.md > release.md
+      - name: Log release info
+        run: |
+          set -x -e
+          git log -1
+          echo ${{ steps.info.outputs.commit }}
+          echo ${{ steps.info.outputs.version }}
+          cat release.md
+          sha256sum release/*.tgz
+      - name: Draft release
+        uses: softprops/action-gh-release@v1
+        with:
+          body_path: release.md
+          name: v${{ steps.info.outputs.version }}
+          tag_name: v${{ steps.info.outputs.version }}
+          target_commitish: ${{ steps.info.outputs.commit }}
+          files: |
+            release/*.tgz
+            release/*.tgz.sha256
+          draft: true
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -19,15 +19,16 @@ jobs:
       security-events: write
       actions: read
       contents: read
+      id-token: write
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
         with:
           results_file: results.sarif
           results_format: sarif
@@ -42,14 +43,14 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
@@ -0,0 +1,33 @@
+name: Trivy Nightly Scan
+on:
+  schedule:
+    - cron: '0 2 * * 5'  # Run at 2AM UTC on every Friday
+
+permissions: read-all
+jobs:
+  nightly-scan:
+    name: Trivy Scan nightly
+    strategy:
+      fail-fast: false
+      matrix:
+        # It will test for only the latest version as older version is not maintained
+        versions: [latest]
+    permissions:
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0  # master
+        with:
+          image-ref: 'docker.io/coredns/coredns:${{ matrix.versions }}'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a  # v2.13.4
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml
@@ -8,9 +8,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        uses: actions/checkout@v4
       - name: 'Yamllint'
-        uses: karancode/yamllint-github-action@dd59165b84d90d37fc919c3c7dd84c7e37cd6bfb
+        uses: karancode/yamllint-github-action@fdef6bc189425ecc84cc4543b2674566c0827053
         with:
           yamllint_file_or_dir: '.'
           yamllint_strict: false

diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
 # only add build artifacts concerning coredns - no editor related files
 coredns
 coredns.exe
+Corefile
 build/
 release/
 vendor/
diff --git a/.golangci.yml b/.golangci.yml
@@ -3,11 +3,11 @@ run:
 linters:
   disable-all: true
   enable:
-    - deadcode
     - govet
     - ineffassign
     - staticcheck
-    - structcheck
     - typecheck
-    - varcheck
     - whitespace
+    - unused
+    - gofmt
+    - unconvert
diff --git a/ADOPTERS.md b/ADOPTERS.md
@@ -1,3 +1,4 @@
+* [Qwilt](https://www.qwilt.com) uses CoreDNS in production, implementing a global DNS service allowing access to our ISP edge and regional locations.
 * [Infoblox](https://www.infoblox.com) uses CoreDNS in its Active Trust Cloud SaaS service, as well as for Kubernetes cluster DNS.
 * [Sky Betting & Gaming](https://engineering.skybettingandgaming.com) uses CoreDNS for Kubernetes cluster DNS.
 * [Kismia](https://kismia.com) uses CoreDNS for Kubernetes cluster DNS.
@@ -30,4 +31,5 @@
 * [Render](https://render.com) uses CoreDNS in production across all its Kubernetes clusters.
 * [BackMarket](https://www.backmarket.com) uses CoreDNS within Kubernetes in production, with standard configuration.
 * [Absa Group](https://www.absa.africa) uses CoreDNS as an integral part of Kubernetes Global Balancer project - [k8gb](https://www.k8gb.io/).
-* [Northflank](https://northflank.com/) uses CoreDNS on all of our Kubernetes clusters across GCP, AWS, and bare-metal.
+* [Northflank](https://northflank.com/) uses CoreDNS on all of our Kubernetes clusters across GCP, AWS, and bare-metal.
+* [PITS Global Data Recovery Services](https://www.pitsdatarecovery.net) uses CoreDNS on K8s in its highly-loaded internal infrastructure. 
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,4 +1,9 @@
-# @miekg, [email protected], project lead: 11/11/2022
+# 5 steering committee members
+# @chrisohaver, term ends 2024-09-26
+# @johnbelamaric, term ends 2024-09-26
+# @stp-ip, term ends 2024-09-26
+# @superq, term ends 2024-09-26
+# @tantalor93, term ends 2024-09-26
 
 *                       @bradbeam @chrisohaver @dilyevsky @jameshartig @greenpau @isolus @johnbelamaric @miekg @pmoroney @rajansandeep @stp-ip @superq @yongtang @Tantalor93
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 #build stage
-FROM golang:1.17 AS builder
+FROM golang:1.20 AS builder
 RUN mkdir -p /go/src/app
 COPY go.sum go.mod /go/src/app/
 WORKDIR /go/src/app
@@ -18,5 +18,9 @@ COPY --from=slim /etc/ssl/certs /etc/ssl/certs
 WORKDIR /
 COPY --from=builder /go/src/app/coredns /coredns
 
+FROM --platform=$TARGETPLATFORM ${BASE}
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /coredns /coredns
+USER nonroot:nonroot
 EXPOSE 53 53/udp
 ENTRYPOINT ["/coredns"]