step 1: move to OSS, update imports

.buildkite/pipeline.yml

@@ -1,7 +1,7 @@
 env:
-  ARTIFACT_NAME: gov-okta-addon
+  APP_NAME: gov-okta-addon
   GOPRIVATE: github.com/equinixmetal/*,go.equinixmetal.net
-  QUAY_REPO: quay.io/equinixmetal/gov-okta-addon
+  IMAGE_REPO: quay.io/equinixmetal/gov-okta-addon
   IMAGE_TAG: ${BUILDKITE_BUILD_NUMBER}-${BUILDKITE_COMMIT:0:8}
   DEPLOYMENT_REPO: k8s-gov-okta-addon
 
@@ -31,7 +31,7 @@ steps:
 
   - label: ":golang: build"
     key: "gobuild"
-    artifact_paths: "${ARTIFACT_NAME}-bin"
+    artifact_paths: "bin/${APP_NAME}"
     plugins:
       - ssh://[email protected]/packethost/ssm-buildkite-plugin#v1.0.4:
           parameters:
@@ -44,28 +44,38 @@ steps:
             - CGO_ENABLED=0
             - GOOS=linux
           entrypoint: ./scripts/ci_entrypoint.sh
-          command: ["go", "build", "-buildvcs=false", "-mod=mod", "-a", "-o", "gov-okta-addon-bin"]
+          command: ["go", "build", "-buildvcs=false", "-mod=mod", "-a", "-o", "bin/$APP_NAME"]
 
   - label: ":docker: docker build and publish"
     key: "build"
     depends_on: ["lint", "test", "gobuild"]
+    env:
+      BUILDKITE_PLUGINS_ALWAYS_CLONE_FRESH: "true"
     commands: |
       #!/bin/bash
       echo --- Retrieve Artifacts
-      buildkite-agent artifact download "${ARTIFACT_NAME}-bin" .
-
-      # work around buildkite stripping the path if the artifact is the same name as the build
-      echo -- Rename artifact
-      mv ${ARTIFACT_NAME}-bin ${ARTIFACT_NAME}
+      buildkite-agent artifact download "bin/${APP_NAME}" .
 
       # make sure it is executable
-      chmod +x ${ARTIFACT_NAME}
-
-      echo --- Build Docker Image
-      docker build . -t "$QUAY_REPO:$IMAGE_TAG"
-
-      echo --- Push Docker Image
-      docker push "$QUAY_REPO:$IMAGE_TAG"
+      chmod +x bin/${APP_NAME}
+    plugins:
+      # - docker-login#v2.1.0:
+      #     username: metal-buildkite
+      #     password-env: SECRET_GHCR_PUBLISH_TOKEN
+      #     server: ghcr.io
+      - equinixmetal-buildkite/docker-metadata#v1.0.0:
+          images:
+          - "${IMAGE_REPO}"
+          extra_tags:
+          - "${IMAGE_TAG}"
+      - equinixmetal-buildkite/docker-build#v1.1.0:
+          push: true
+          build-args:
+            - NAME=${APP_NAME}
+      - equinixmetal-buildkite/trivy#v1.18.3:
+          severity: CRITICAL,HIGH
+          ignore-unfixed: true
+          security-checks: config,secret,vuln
 
   # For main commits, pull-requests will be created to bump the image in the deployment manifest
   - label: "Bump image tag for main branch builds"

Dockerfile

@@ -1,6 +1,9 @@
-FROM gcr.io/distroless/static
+FROM gcr.io/distroless/static:nonroot
 
-COPY ./gov-okta-addon /addon
+# `nonroot` coming from distroless
+USER 65532:65532
+
+COPY ./bin/gov-okta-addon /addon
 
 # Run the web service on container startup.
 ENTRYPOINT ["/addon"]

README.md

@@ -13,7 +13,7 @@ accordingly in Okta.
 
 `gov-okta-addon` subscribes to the Governor event stream where change events are published.  The events published
 by Governor contain the group and/or user id that changed and the type of action.  Events are published on NATS subjects
-dedicated to the resource type ie. `equinixmetal.governor.events.groups` for group events.  When `gov-okta-addon` receives
+dedicated to the resource type ie. `governor.events.groups` for group events.  When `gov-okta-addon` receives
 an event, it reacts by requesting information from Governor about the included resource IDs and making the required
 changes in Okta.
 
@@ -62,7 +62,7 @@ be removed from the group. The groups and users must already exist in governor o
 
 ### Prereq to running locally with governor-api devcontainer
 
-Follow the directions [here](https://github.com/equinixmetal/governor/blob/main/README.md#running-governor-locally) for starting the governor-api devcontainer.
+Follow the directions [here](https://github.com/metal-toolbox/governor-api#running-governor-api-locally) for starting the governor-api devcontainer.
 
 The **first time** you'll need to create a local hydra client for `gov-okta-addon-governor` and copy the nats creds file. After that you can just export the env variables.
 
@@ -102,7 +102,7 @@ Export the following in the terminal where you will run gov-okta-addon:
 ```sh
 export GOA_NATS_URL="nats://127.0.0.1:4222"
 export GOA_OKTA_NOCACHE=true
-export GOA_OKTA_URL="https://equinixmetal.oktapreview.com"
+export GOA_OKTA_URL="https://example.oktapreview.com"
 export GOA_GOVERNOR_URL="http://127.0.0.1:3001"
 export GOA_GOVERNOR_AUDIENCE="http://api:3001/"
 export GOA_GOVERNOR_TOKEN_URL="http://127.0.0.1:4444/oauth2/token"

cmd/serve.go

@@ -10,17 +10,17 @@ import (
 	"time"
 
 	"github.com/equinixmetal/addonx/natslock"
+	"github.com/equinixmetal/gov-okta-addon/internal/okta"
+	"github.com/equinixmetal/gov-okta-addon/internal/reconciler"
+	"github.com/equinixmetal/gov-okta-addon/internal/srv"
 	"github.com/metal-toolbox/auditevent"
 	audithelpers "github.com/metal-toolbox/auditevent/helpers"
 	"github.com/nats-io/nats.go"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
-	"go.equinixmetal.net/gov-okta-addon/internal/okta"
-	"go.equinixmetal.net/gov-okta-addon/internal/reconciler"
-	"go.equinixmetal.net/gov-okta-addon/internal/srv"
 	"golang.org/x/oauth2/clientcredentials"
 
-	governor "go.equinixmetal.net/governor-api/pkg/client"
+	governor "github.com/metal-toolbox/governor-api/pkg/client"
 )
 
 const (
@@ -52,9 +52,9 @@ func init() {
 	viperBindFlag("nats.url", serveCmd.Flags().Lookup("nats-url"))
 	serveCmd.PersistentFlags().String("nats-creds-file", "", "Path to the file containing the NATS credentials file")
 	viperBindFlag("nats.creds-file", serveCmd.PersistentFlags().Lookup("nats-creds-file"))
-	serveCmd.Flags().String("nats-subject-prefix", "equinixmetal.governor.events", "prefix for NATS subjects")
+	serveCmd.Flags().String("nats-subject-prefix", "governor.events", "prefix for NATS subjects")
 	viperBindFlag("nats.subject-prefix", serveCmd.Flags().Lookup("nats-subject-prefix"))
-	serveCmd.Flags().String("nats-queue-group", "equinixmetal.governor.addons.gov-okta-addon", "queue group for load balancing messages across NATS consumers")
+	serveCmd.Flags().String("nats-queue-group", "governor.addons.gov-okta-addon", "queue group for load balancing messages across NATS consumers")
 	viperBindFlag("nats.queue-group", serveCmd.Flags().Lookup("nats-queue-group"))
 	serveCmd.Flags().Int("nats-queue-size", defaultNATSQueueSize, "queue size for load balancing messages across NATS consumers")
 	viperBindFlag("nats.queue-size", serveCmd.Flags().Lookup("nats-queue-size"))
@@ -73,7 +73,7 @@ func init() {
 	viperBindFlag("audit.log-path", serveCmd.Flags().Lookup("audit-log-path"))
 
 	// Okta related flags
-	serveCmd.Flags().String("okta-url", "https://equinixmetal.okta.com", "url for Okta client calls")
+	serveCmd.Flags().String("okta-url", "https://example.okta.com", "url for Okta client calls")
 	viperBindFlag("okta.url", serveCmd.Flags().Lookup("okta-url"))
 	serveCmd.Flags().String("okta-token", "", "token for access to the Okta API")
 	viperBindFlag("okta.token", serveCmd.Flags().Lookup("okta-token"))

cmd/sync.go

@@ -17,7 +17,7 @@ func init() {
 	viperBindFlag("sync.dryrun", syncCmd.PersistentFlags().Lookup("dry-run"))
 
 	// Okta related flags
-	syncCmd.PersistentFlags().String("okta-url", "https://equinixmetal.okta.com", "url for Okta client calls")
+	syncCmd.PersistentFlags().String("okta-url", "https://example.okta.com", "url for Okta client calls")
 	viperBindFlag("okta.url", syncCmd.PersistentFlags().Lookup("okta-url"))
 	syncCmd.PersistentFlags().String("okta-token", "", "token for access to the Okta API")
 	viperBindFlag("okta.token", syncCmd.PersistentFlags().Lookup("okta-token"))

cmd/sync_groups.go

@@ -6,14 +6,14 @@ import (
 	"net/url"
 	"strings"
 
+	"github.com/equinixmetal/gov-okta-addon/internal/okta"
 	"github.com/gosimple/slug"
+	"github.com/metal-toolbox/governor-api/pkg/api/v1alpha1"
+	governor "github.com/metal-toolbox/governor-api/pkg/client"
 	okt "github.com/okta/okta-sdk-golang/v2/okta"
 	"github.com/okta/okta-sdk-golang/v2/okta/query"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
-	"go.equinixmetal.net/gov-okta-addon/internal/okta"
-	"go.equinixmetal.net/governor-api/pkg/api/v1alpha1"
-	governor "go.equinixmetal.net/governor-api/pkg/client"
 	"go.uber.org/zap"
 	"golang.org/x/oauth2/clientcredentials"
 )

cmd/sync_members.go

@@ -6,12 +6,12 @@ import (
 	"fmt"
 	"net/url"
 
+	"github.com/equinixmetal/gov-okta-addon/internal/okta"
+	"github.com/metal-toolbox/governor-api/pkg/api/v1alpha1"
+	governor "github.com/metal-toolbox/governor-api/pkg/client"
 	okt "github.com/okta/okta-sdk-golang/v2/okta"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
-	"go.equinixmetal.net/gov-okta-addon/internal/okta"
-	"go.equinixmetal.net/governor-api/pkg/api/v1alpha1"
-	governor "go.equinixmetal.net/governor-api/pkg/client"
 
 	"go.uber.org/zap"
 	"golang.org/x/oauth2/clientcredentials"

cmd/sync_users.go

@@ -5,13 +5,13 @@ import (
 	"fmt"
 	"net/url"
 
+	"github.com/equinixmetal/gov-okta-addon/internal/okta"
+	"github.com/metal-toolbox/governor-api/pkg/api/v1alpha1"
+	governor "github.com/metal-toolbox/governor-api/pkg/client"
 	okt "github.com/okta/okta-sdk-golang/v2/okta"
 	"github.com/okta/okta-sdk-golang/v2/okta/query"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
-	"go.equinixmetal.net/gov-okta-addon/internal/okta"
-	"go.equinixmetal.net/governor-api/pkg/api/v1alpha1"
-	governor "go.equinixmetal.net/governor-api/pkg/client"
 	"go.uber.org/zap"
 	"golang.org/x/oauth2/clientcredentials"
 )