Sign bundle manifest excluding certain fields and add the signature as an annotation #9150

Merged
merged 4 commits into from
Jan 23, 2025
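--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,12 +1,6 @@
 run:
 timeout: 5m
-skip-files:
-- "zz_generated.*\\.go$"
-skip-dirs:
-- ".*/mocks"
-- "manager/tilt_modules"
-- "internal/aws-sdk-go-v2"
-- "pkg/providers/snow/api/v1beta1"
+
 linters:
 enable:
 - gofumpt
@@ -15,6 +9,7 @@ linters:
 - nakedret
 - gocyclo
 - revive
+
 linters-settings:
 gci:
 sections:
@@ -34,9 +29,20 @@ linters-settings:
 gocyclo:
 # Minimal code complexity to report.
 min-complexity: 10
+
 issues:
 max-same-issues: 0
 max-issues-per-linter: 0
+
+exclude-files:
+- "zz_generated.*\\.go$"
+
+exclude-dirs:
+- ".*/mocks"
+- "manager/tilt_modules"
+- "internal/aws-sdk-go-v2"
+- "pkg/providers/snow/api/v1beta1"
+
 include:
 - EXC0012 # EXC0012 revive: exported (.+) should have comment( \(or a comment on this block\))? or be unexported
 - EXC0014 # EXC0014 revive: comment on exported (.+) should be of the form "(.+)..."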
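--- a/release/api/v1alpha1/artifact_types.go
+++ b/release/api/v1alpha1/artifact_types.go
@@ -16,6 +16,8 @@ package v1alpha1
 
 import "strings"
 
+// Image represents a container image asset along with metadata such as OS,
+// architecture, and registry information.
 type Image struct {
 // +kubebuilder:validation:Required
 // The asset name
@@ -42,10 +44,14 @@ type Image struct {
 ImageDigest string `json:"imageDigest,omitempty"`
 }
 
+// VersionedImage returns the full URI of the Image, including registry,
+// repository, and tag or digest.
 func (i Image) VersionedImage() string {
 return i.URI
 }
 
+// Image returns the repository URI of the Image, excluding the tag or digest
+// if one is present.
 func (i Image) Image() string {
 lastInd := strings.LastIndex(i.URI, ":")
 if lastInd == -1 {
@@ -54,6 +60,7 @@ func (i Image) Image() string {
 return i.URI[:lastInd]
 }
 
+// Tag returns the tag portion of the Image's URI if present, otherwise an empty string.
 func (i Image) Tag() string {
 lastInd := strings.LastIndex(i.URI, ":")
 if lastInd == -1 || lastInd == len(i.URI)-1 {
@@ -62,6 +69,8 @@ func (i Image) Tag() string {
 return i.URI[lastInd+1:]
 }
 
+// ChartName constructs a typical Helm chart artifact name (with ".tgz")
+// from the Image's name by replacing the last colon with a hyphen.
 func (i Image) ChartName() string {
 lastInd := strings.LastIndex(i.Image(), "/")
 if lastInd == -1 {
@@ -73,6 +82,7 @@ func (i Image) ChartName() string {
 return chart
 }
 
+// Registry returns the registry portion of the Image URI (the substring before the first slash).
 func (i *Image) Registry() string {
 result := strings.Split(i.URI, "/")
 if len(result) < 1 {
@@ -81,6 +91,7 @@ func (i *Image) Registry() string {
 return result[0]
 }
 
+// Repository returns the repository name (between the registry and the tag/digest).
 func (i *Image) Repository() string {
 rol := strings.TrimPrefix(i.URI, i.Registry()+"/")
 result := strings.Split(rol, "@")
@@ -94,6 +105,7 @@ func (i *Image) Repository() string {
 return result[0]
 }
 
+// Digest returns the SHA digest portion (after '@') of the Image URI, if present.
 func (i *Image) Digest() string {
 rol := strings.TrimPrefix(i.URI, i.Registry()+"/")
 result := strings.Split(rol, "@")
@@ -103,6 +115,7 @@ func (i *Image) Digest() string {
 return result[1]
 }
 
+// Version returns the tag portion (after ':') of the Image URI, if present, or empty if the URI uses digests.
 func (i *Image) Version() string {
 rol := strings.TrimPrefix(i.URI, i.Registry()+"/")
 result := strings.Split(rol, "@")
@@ -116,6 +129,8 @@ func (i *Image) Version() string {
 return ""
 }
 
+// Archive represents an archive asset (e.g. tarball) along with its OS/architecture metadata,
+// and checksums for file integrity.
 type Archive struct {
 // +kubebuilder:validation:Required
 // The asset name
@@ -138,14 +153,18 @@ type Archive struct {
 // +kubebuilder:validation:Required
 // The URI where the asset is located
 URI string `json:"uri,omitempty"`
+
 // +kubebuilder:validation:Required
 // The sha512 of the asset, only applies for 'file' store
 SHA512 string `json:"sha512,omitempty"`
+
 // +kubebuilder:validation:Required
 // The sha256 of the asset, only applies for 'file' store
 SHA256 string `json:"sha256,omitempty"`
 }
 
+// Manifest represents a reference to a manifest, typically containing
+// further resource definitions or configurations.
 type Manifest struct {
 // +kubebuilder:validation:Required
 // URI points to the manifest yaml file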
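Review bot: The new doc comment on `Image()` promises more than the visible code delivers: the method cuts the URI at its last `:` (`strings.LastIndex(i.URI, ":")`), so a digest-form reference such as `repo@sha256:<hex>` would come back as `repo@sha256`, and a `host:port/repo` URI with no tag would be cut at the port. `Tag()` has the same shape and would return the hex after `sha256:` for a digest-form URI rather than an empty string. Because these helpers name the artifacts a release bundle points at, the comments should state the real contract, e.g. `// Image returns the URI up to its last ':'; it assumes a tag-form reference and does not handle '@sha256:' digests.`, and point callers at `Repository()`/`Digest()`, which split on `@`. The `ChartName` comment also speaks of replacing a colon while the visible lines search for the last `/`; its body continues outside the hunk, so that wording needs checking against the full function.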
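--- a/release/api/v1alpha1/artifacts.go
+++ b/release/api/v1alpha1/artifacts.go
@@ -14,6 +14,7 @@
 
 package v1alpha1
 
+// Manifests returns a map of manifests for different components in a VersionsBundle.
 func (vb *VersionsBundle) Manifests() map[string][]*string {
 return map[string][]*string{
 "core-cluster-api": {
@@ -83,12 +84,14 @@ func (vb *VersionsBundle) Manifests() map[string][]*string {
 }
 }
 
+// Ovas returns a list of OVA archives in a VersionsBundle.
 func (vb *VersionsBundle) Ovas() []Archive {
 return []Archive{
 vb.EksD.Ova.Bottlerocket,
 }
 }
 
+// CloudStackImages returns images needed for the CloudStack provider in a VersionsBundle.
 func (vb *VersionsBundle) CloudStackImages() []Image {
 return []Image{
 vb.CloudStack.ClusterAPIController,
@@ -97,6 +100,7 @@ func (vb *VersionsBundle) CloudStackImages() []Image {
 }
 }
 
+// VsphereImages returns images needed for the vSphere provider in a VersionsBundle.
 func (vb *VersionsBundle) VsphereImages() []Image {
 return []Image{
 vb.VSphere.ClusterAPIController,
@@ -106,13 +110,15 @@ func (vb *VersionsBundle) VsphereImages() []Image {
 }
 }
 
+// DockerImages returns images needed for the Docker provider in a VersionsBundle.
 func (vb *VersionsBundle) DockerImages() []Image {
 return []Image{
 vb.Docker.KubeProxy,
 vb.Docker.Manager,
 }
 }
 
+// SnowImages returns images needed for the Snow provider in a VersionsBundle.
 func (vb *VersionsBundle) SnowImages() []Image {
 i := make([]Image, 0, 2)
 if vb.Snow.KubeVip.URI != "" {
@@ -128,6 +134,7 @@ func (vb *VersionsBundle) SnowImages() []Image {
 return i
 }
 
+// TinkerbellImages returns images needed for the Tinkerbell provider in a VersionsBundle.
 func (vb *VersionsBundle) TinkerbellImages() []Image {
 return []Image{
 vb.Tinkerbell.ClusterAPIController,
@@ -154,6 +161,7 @@ func (vb *VersionsBundle) TinkerbellImages() []Image {
 }
 }
 
+// NutanixImages returns images needed for the Nutanix provider in a VersionsBundle.
 func (vb *VersionsBundle) NutanixImages() []Image {
 i := make([]Image, 0, 2)
 if vb.Nutanix.ClusterAPIController.URI != "" {
@@ -167,6 +175,7 @@ func (vb *VersionsBundle) NutanixImages() []Image {
 return i
 }
 
+// SharedImages returns images that are shared across different providers in a VersionsBundle.
 func (vb *VersionsBundle) SharedImages() []Image {
 return []Image{
 vb.Bootstrap.Controller,
@@ -204,6 +213,7 @@ func (vb *VersionsBundle) SharedImages() []Image {
 }
 }
 
+// Images returns all images from the VersionsBundle by aggregating those from different providers.
 func (vb *VersionsBundle) Images() []Image {
 groupedImages := [][]Image{
 vb.SharedImages(),
@@ -228,6 +238,7 @@ func (vb *VersionsBundle) Images() []Image {
 return images
 }
 
+// Charts returns a map of Helm chart images used by different components in a VersionsBundle.
 func (vb *VersionsBundle) Charts() map[string]*Image {
 return map[string]*Image{
 "cilium": &vb.Cilium.HelmChart,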
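Review bot: The comments added to `SnowImages` and `NutanixImages` leave out the one thing that sets them apart from the other provider helpers: both append an image only when its `URI` is non-empty (`if vb.Snow.KubeVip.URI != ""`, `if vb.Nutanix.ClusterAPIController.URI != ""`), while the other helpers return a fixed literal list. A consumer that mirrors or verifies every image a bundle lists needs to know that entries can be absent, so I would add a line such as `// Images with an empty URI are omitted from the result.` to both comments. Both function bodies continue outside their hunks, so only the first condition of each is visible here.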
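--- a/release/api/v1alpha1/artifacts_test.go
+++ b/release/api/v1alpha1/artifacts_test.go
@@ -14,6 +14,7 @@
 
 package v1alpha1_test
 
+//nolint:revive
 import (
 "testing"
 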