Merge branch 'master' into config

.github/workflows/ci-image-scanning.yaml

@@ -32,6 +32,10 @@ jobs:
     steps:
       - name: checkout code
         uses: actions/checkout@v4
+      - name: install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
       - name: Build an image from Dockerfile
         run: |
           export VERSION="latest"

.github/workflows/ci-schedule-compatibility.yaml

@@ -4,6 +4,9 @@ on:
     # Run this workflow "At 20:00 UTC on Sunday and Saturday"
     - cron: '0 20 * * 0,6'
 
+permissions:
+  contents: read # Required by actions/checkout to fetch the repository contents.
+
 jobs:
   e2e:
     name: e2e test

.github/workflows/ci.yml

@@ -12,6 +12,8 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.actor }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+permissions:
+  contents: read  # for actions/checkout to fetch code  
 jobs:
   golangci:
     name: lint

.github/workflows/cli.yaml

@@ -12,6 +12,8 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.actor }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+permissions:
+  contents: read  # Required to check out the code
 jobs:
   init:
     name: init
@@ -34,9 +36,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-      - uses: helm/kind-action@v1.10.0
-        with:
-          version: "v0.22.0"
+
       - name: run karmadactl init test
         run: |
           export CLUSTER_VERSION=kindest/node:${{ matrix.k8s }}
@@ -48,11 +48,18 @@ jobs:
           export KUBECONFIG=${HOME}/karmada/karmada-apiserver.config
           GO111MODULE=on go install github.com/onsi/ginkgo/v2/ginkgo
           ginkgo -v --race --trace -p  --focus="[BasicPropagation] propagation testing deployment propagation testing"  ./test/e2e/
-      - uses: chainguard-dev/actions/kind-diag@main
-        # Only upload logs on failure.
-        if: ${{ failure() }}
+      - name: export logs 
+        if: always()
+        run: |
+          export ARTIFACTS_PATH=${{ github.workspace }}/karmadactl-test-logs/${{ matrix.k8s }}/
+          mkdir -p $ARTIFACTS_PATH
+
+          mkdir -p $ARTIFACTS_PATH/karmada-host
+          kind export logs --name=karmada-host $ARTIFACTS_PATH/karmada-host
+      - name: upload logs
+        if: always()
+        uses: actions/upload-artifact@v4
         with:
-          cluster-resources: nodes,namespaces,
-          namespace-resources: configmaps,pods,svc
-          artifact-name: logs-${{ matrix.k8s}}
+          name: karmadactl_test_logs_${{ matrix.k8s }}
+          path: ${{ github.workspace }}/karmadactl-test-logs/${{ matrix.k8s }}/
 

.github/workflows/dockerhub-latest-chart.yml

@@ -22,6 +22,10 @@ jobs:
           # 0 indicates all history for all branches and tags.
           # for `git describe --tags` in Makefile.
           fetch-depth: 0
+      - name: install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
       - name: login to DockerHub
         uses: docker/login-action@v3
         with:

.github/workflows/dockerhub-latest-image.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           go-version-file: go.mod
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.5.0
+        uses: sigstore/cosign-installer@v3.6.0
         with:
           cosign-release: 'v2.2.3'
       - name: install QEMU

.github/workflows/dockerhub-released-chart.yml

@@ -17,6 +17,10 @@ jobs:
           # 0 indicates all history for all branches and tags.
           # for `git describe --tags` in Makefile.
           fetch-depth: 0
+      - name: install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
       - name: login to DockerHub
         uses: docker/login-action@v3
         with:

.github/workflows/dockerhub-released-image.yml

@@ -38,7 +38,7 @@ jobs:
         with:
           go-version-file: go.mod
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.5.0
+        uses: sigstore/cosign-installer@v3.6.0
         with:
           cosign-release: 'v2.2.3'
       - name: install QEMU

.github/workflows/lint-chart.yaml

@@ -3,6 +3,7 @@ name: Chart Lint
 
 env:
   HELM_VERSION: v3.11.2
+  KUSTOMIZE_VERSION: 5.4.3
   KIND_VERSION: v0.22.0
   KIND_NODE_IMAGE: kindest/node:v1.29.0
   K8S_VERSION: v1.29.0
@@ -29,18 +30,47 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
       - name: Set up Helm
         uses: azure/setup-helm@v4
         with:
           version: ${{ env.HELM_VERSION }}
 
+      - name: Set up Kustomize
+        uses: syntaqx/setup-kustomize@v1
+        with:
+          kustomize-version: ${{ env.KUSTOMIZE_VERSION }}
+
       - name: Run chart-testing (template)
         run: |
-          helm template --set components={"search,descheduler,schedulerEstimator"} --dependency-update ./charts/karmada --debug > /dev/null
-          helm template --set components={"search,descheduler,schedulerEstimator"},certs.mode=custom --dependency-update ./charts/karmada --debug > /dev/null
-          helm template --set components={"search,descheduler,schedulerEstimator"},installMode=component --dependency-update ./charts/karmada --debug > /dev/null
-          helm template --set installMode=agent --dependency-update ./charts/karmada --debug > /dev/null
-          helm template --dependency-update ./charts/karmada-operator --debug > /dev/null   
+          cat <<EOF > post-render.sh
+          #!/bin/sh
+          # save helm stdout to file, kustomize will read this
+          cat > all.yaml
+          kustomize build
+          EOF
+
+          chmod +x post-render.sh
+
+          cat <<EOF > kustomization.yaml
+          resources:
+            - all.yaml
+          EOF
+
+          helm template --set components={"search,descheduler,schedulerEstimator"} --dependency-update ./charts/karmada \
+            --post-renderer ./post-render.sh --debug > /dev/null
+          helm template --set components={"search,descheduler,schedulerEstimator"},certs.mode=custom --dependency-update \
+            ./charts/karmada --post-renderer ./post-render.sh --debug > /dev/null
+          helm template --set components={"search,descheduler,schedulerEstimator"},installMode=component --dependency-update \
+            ./charts/karmada --post-renderer ./post-render.sh --debug > /dev/null
+          helm template --set installMode=agent --dependency-update ./charts/karmada --post-renderer ./post-render.sh --debug > /dev/null
+          helm template --dependency-update ./charts/karmada-operator --post-renderer ./post-render.sh --debug > /dev/null
+
+          rm post-render.sh all.yaml kustomization.yaml
 
       # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
       # yamllint (https://github.com/adrienverge/yamllint) which require Python

.github/workflows/release.yml

@@ -33,21 +33,55 @@ jobs:
         GOOS: ${{ matrix.os }}
         GOARCH: ${{ matrix.arch }}
       run: make release-${{ matrix.target }}
-    - name: Making helm charts
-      env:
-        VERSION: ${{ github.ref_name }}
-      run: make package-chart
+    - name: upload cli
+      uses: actions/upload-artifact@v4
+      with:
+        name: cli-${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
+        path: _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
     - name: Uploading assets...
       if: ${{ !env.ACT }}
       uses: softprops/action-gh-release@v2
       with:
         files: |
           _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
           _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256
+  generate-subject-for-cli-provenance:
+    needs: [release-assests]
+    runs-on: ubuntu-22.04
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - name: download cli
+        uses: actions/download-artifact@v4
+        with:
+          path: _output/release
+          pattern: cli-*
+          merge-multiple: true
+      - name: generate cli hash
+        id: hash
+        run: |
+          cd _output/release
+          # sha256sum generates sha256 hash for cli.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          echo "hashes=$(sha256sum *.tgz|base64 -w0)" >> "$GITHUB_OUTPUT"
+  cli-provenance:
+    needs: [generate-subject-for-cli-provenance]
+    permissions:
+      actions: read # for detecting the Github Actions environment
+      id-token: write # Needed for provenance signing and ID
+      contents: write #  Needed for release uploads
+    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.generate-subject-for-cli-provenance.outputs.hashes }}"
+      provenance-name: "karmada-cli.intoto.jsonl"
+      upload-assets: true
   release-crds-assests:
     permissions:
       contents: write  # for softprops/action-gh-release to create GitHub release
     name: release crds
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
@@ -61,15 +95,35 @@ jobs:
         cwd: ./charts/karmada/
         files: crds
         outPath: crds.tar.gz
+    - name: generate crds hash
+      id: hash
+      run: |
+        # sha256sum generates sha256 hash for crds.
+        # base64 -w0 encodes to base64 and outputs on a single line.
+        echo "hashes=$(sha256sum crds.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
     - name: Uploading crd assets...
       uses: softprops/action-gh-release@v2
       with:
         files: |
           crds.tar.gz
+  crds-provenance:
+    needs: [release-crds-assests]
+    permissions:
+      actions: read # for detecting the Github Actions environment
+      id-token: write # Needed for provenance signing and ID
+      contents: write #  Needed for release uploads
+    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.release-crds-assests.outputs.hashes }}"
+      provenance-name: "karmada-crds.intoto.jsonl"
+      upload-assets: true
   release-charts:
     permissions:
       contents: write  # for softprops/action-gh-release to create GitHub release
     name: Release charts
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
@@ -86,10 +140,29 @@ jobs:
           _output/charts/karmada-chart-${{ github.ref_name }}.tgz.sha256
           _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz
           _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256
+    - name: generate charts hash
+      id: hash
+      run: |
+        cd _output/charts
+        echo "hashes=$(sha256sum *.tgz|base64 -w0)" >> "$GITHUB_OUTPUT"
+  charts-provenance:
+    needs: [release-charts]
+    permissions:
+      actions: read # for detecting the Github Actions environment
+      id-token: write # Needed for provenance signing and ID
+      contents: write #  Needed for release uploads
+    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.release-charts.outputs.hashes }}"
+      provenance-name: "karmada-charts.intoto.jsonl"
+      upload-assets: true
   sbom-assests:
     permissions:
       contents: write  # for softprops/action-gh-release to create GitHub release
     name: Release sbom
+    outputs:
+      hashes: ${{ steps.sbom-hash.outputs.hashes}}
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
@@ -103,11 +176,30 @@ jobs:
     - name: Tar the sbom files
       run: |
         tar -zcf sbom.tar.gz *.spdx
+    - name: Generate SBOM hash
+      shell: bash
+      id: sbom-hash
+      run: |
+        # sha256sum generates sha256 hash for sbom.
+        # base64 -w0 encodes to base64 and outputs on a single line.
+        echo "hashes=$(sha256sum sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
     - name: Uploading sbom assets...
       uses: softprops/action-gh-release@v2
       with:
         files: |
           sbom.tar.gz
+  sbom-provenance:
+    needs: [sbom-assests]
+    permissions:
+      actions: read # for detecting the Github Actions environment
+      id-token: write # Needed for provenance signing and ID
+      contents: write #  Needed for release uploads
+    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.sbom-assests.outputs.hashes }}"
+      provenance-name: "karmada-sbom.intoto.jsonl"
+      upload-assets: true
   update-krew-index:
     needs: release-assests
     name: Update krew-index

.go-version

@@ -1 +1 @@
-1.22.4
+1.22.6

README.md

@@ -102,7 +102,7 @@ This guide will cover:
 - Propagate an application by using `karmada`.
 
 ### Prerequisites
-- [Go](https://golang.org/) version v1.22.4+
+- [Go](https://golang.org/) version follows [go.mod](https://github.com/karmada-io/karmada/blob/master/go.mod#L3)
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) version v1.19+
 - [kind](https://kind.sigs.k8s.io/) version v0.14.0+
 

artifacts/deploy/karmada-controller-manager.yaml

@@ -26,12 +26,11 @@ spec:
           command:
             - /bin/karmada-controller-manager
             - --kubeconfig=/etc/kubeconfig
-            - --bind-address=0.0.0.0
             - --cluster-status-update-frequency=10s
-            - --secure-port=10357
             - --failover-eviction-timeout=30s
             - --controllers=*,hpaScaleTargetMarker,deploymentReplicasSyncer
             - --feature-gates=PropagationPolicyPreemption=true,MultiClusterService=true
+            - --health-probe-bind-address=0.0.0.0:10357
             - --v=4
           livenessProbe:
             httpGet:

artifacts/deploy/karmada-descheduler.yaml

@@ -26,7 +26,8 @@ spec:
           command:
             - /bin/karmada-descheduler
             - --kubeconfig=/etc/kubeconfig
-            - --bind-address=0.0.0.0
+            - --metrics-bind-address=0.0.0.0:10358
+            - --health-probe-bind-address=0.0.0.0:10358
             - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt
             - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt
             - --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key

artifacts/deploy/karmada-scheduler-estimator.yaml

@@ -30,6 +30,8 @@ spec:
             - --grpc-auth-cert-file=/etc/karmada/pki/karmada.crt
             - --grpc-auth-key-file=/etc/karmada/pki/karmada.key
             - --grpc-client-ca-file=/etc/karmada/pki/ca.crt
+            - --metrics-bind-address=0.0.0.0:10351
+            - --health-probe-bind-address=0.0.0.0:10351
           livenessProbe:
             httpGet:
               path: /healthz

artifacts/deploy/karmada-scheduler.yaml

@@ -36,7 +36,8 @@ spec:
             - /bin/karmada-scheduler
             - --kubeconfig=/etc/kubeconfig
             - --bind-address=0.0.0.0
-            - --secure-port=10351
+            - --metrics-bind-address=0.0.0.0:10351
+            - --health-probe-bind-address=0.0.0.0:10351
             - --enable-scheduler-estimator=true
             - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt
             - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt