Devolutions · dion-gionet · Oct 20, 2025 · Oct 17, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -2,3 +2,4 @@
 # Ignore build and test binaries.
 bin/
 testbin/
+.DS_Store
@@ -1,16 +1,13 @@
 name: release
 
 on:
-  push:
-    branches:
-      - master
-    paths:
-      - Makefile
   workflow_dispatch:
 
 jobs:
   create-release:
     runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get-version.outputs.version }}
 
     steps:
       - name: Check out ${{ github.repository }}
@@ -33,3 +30,40 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           tag: v${{ steps.get-version.outputs.version }}
+
+  build-image:
+    runs-on: ubuntu-latest
+    needs: create-release
+    environment: container-build
+
+    steps:
+      - name: Check out devolutions/dvls-kubernetes-operator
+        uses: actions/checkout@v4
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: devolutionsbot
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            devolutions/dvls-kubernetes-operator:latest
+            devolutions/dvls-kubernetes-operator:${{ needs.create-release.outputs.version }}
+
+      - name: Docker Scout
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: devolutions/dvls-kubernetes-operator:latest
+          ignore-base: true
+          only-severities: critical,high
+          summary: true
+
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}
diff --git a/.gitignore b/.gitignore
@@ -24,3 +24,6 @@ Dockerfile.cross
 *.swp
 *.swo
 *~
+
+# OS generated files
+.DS_Store
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.21 AS builder
+FROM golang:1.24 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 

diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.2.0
+VERSION ?= 0.2.1
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -47,7 +47,7 @@ ifeq ($(USE_IMAGE_DIGESTS), true)
 endif
 
 # Image URL to use all building/pushing image targets
-IMG ?= devolutions/dvls-kubernetes-operator:latest
+IMG ?= devolutions/dvls-kubernetes-operator:$(VERSION)
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.25.0
 
@@ -102,6 +102,7 @@ $(HELMIFY): $(LOCALBIN)
 	test -s $(LOCALBIN)/helmify || GOBIN=$(LOCALBIN) go install github.com/arttor/helmify/cmd/helmify@latest
 
 helm: manifests kustomize helmify ## Generate helm chart using helmify.
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default | $(HELMIFY)
 
 
@@ -192,7 +193,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
-CONTROLLER_TOOLS_VERSION ?= v0.10.0
+CONTROLLER_TOOLS_VERSION ?= v0.16.5
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

diff --git a/PROJECT b/PROJECT
@@ -1,6 +1,6 @@
 domain: devolutions.com
 layout:
-- go.kubebuilder.io/v3
+- go.kubebuilder.io/v4
 plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.2.1"
diff --git a/chart/templates/ctrl-mgr-metrics-service.yaml b/chart/templates/ctrl-mgr-metrics-service.yaml
@@ -12,6 +12,6 @@ spec:
   type: {{ .Values.ctrlMgrMetricsService.type }}
   selector:
     control-plane: controller-manager
-  {{- include "chart.selectorLabels" . | nindent 4 }}
+    {{- include "chart.selectorLabels" . | nindent 4 }}
   ports:
-	{{- .Values.ctrlMgrMetricsService.ports | toYaml | nindent 2 -}}
+  {{- .Values.ctrlMgrMetricsService.ports | toYaml | nindent 2 }}
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -1,13 +1,3 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "chart.fullname" . }}-controller-manager
-  labels:
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: dvls-kubernetes-operator
-    app.kubernetes.io/part-of: dvls-kubernetes-operator
-  {{- include "chart.labels" . | nindent 4 }}
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -49,47 +39,42 @@ spec:
                 values:
                 - linux
       containers:
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=0
+      - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
-          value: {{ .Values.kubernetesClusterDomain }}
-        image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default .Chart.AppVersion }}
+          value: {{ quote .Values.kubernetesClusterDomain }}
+        image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag
+          | default .Chart.AppVersion }}
         name: kube-rbac-proxy
         ports:
         - containerPort: 8443
           name: https
           protocol: TCP
-        resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-      - args:
-        - --health-probe-bind-address=:8081
-        - --metrics-bind-address=127.0.0.1:8080
-        - --leader-elect
+        resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
+          10 }}
+        securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
+          | nindent 10 }}
+      - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
         command:
         - /manager
         env:
         - name: DEVO_OPERATOR_DVLS_APPID
-          value: {{ required "controllerManager.manager.env.devoOperatorDvlsAppid is required" .Values.controllerManager.manager.env.devoOperatorDvlsAppid }}
+          value: {{ quote .Values.controllerManager.manager.env.devoOperatorDvlsAppid }}
         - name: DEVO_OPERATOR_DVLS_BASEURI
-          value: {{ required "controllerManager.manager.env.devoOperatorDvlsBaseuri is required" .Values.controllerManager.manager.env.devoOperatorDvlsBaseuri  | quote }}
+          value: {{ quote .Values.controllerManager.manager.env.devoOperatorDvlsBaseuri
+            }}
         - name: DEVO_OPERATOR_REQUEUE_DURATION
-          value: {{ .Values.controllerManager.manager.env.devoOperatorRequeueDuration }}
+          value: {{ quote .Values.controllerManager.manager.env.devoOperatorRequeueDuration
+            }}
         - name: DEVO_OPERATOR_DVLS_APPSECRET
           valueFrom:
             secretKeyRef:
               key: secret
               name: {{ include "chart.fullname" . }}-instance-secret
         - name: KUBERNETES_CLUSTER_DOMAIN
-          value: {{ .Values.kubernetesClusterDomain }}
-        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}
+          value: {{ quote .Values.kubernetesClusterDomain }}
+        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
+          | default .Chart.AppVersion }}
         livenessProbe:
           httpGet:
             path: /healthz
@@ -103,15 +88,11 @@ spec:
             port: 8081
           initialDelaySeconds: 5
           periodSeconds: 10
-        resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
+        resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10
+          }}
+        securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
+          | nindent 10 }}
+      securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent
+        8 }}
       serviceAccountName: {{ include "chart.fullname" . }}-controller-manager
       terminationGracePeriodSeconds: 10
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,3 +24,6 @@ Dockerfile.cross @@
     *.swp
     *.swo
     *~
+    # OS generated files
+    .DS_Store