Resolve dependency license handling (#229)

Docker releases will contain all necessary license/notice information for golang dependencies.

The repo and helm chart contain the NOTICEs and LICENSEs that pertain to themselves.

Author: HoustonPutman

.github/workflows/docker.yaml

@@ -17,4 +17,4 @@ jobs:
 
       # Cleanup & Install dependencies
       - run: docker --version
-      - run: make docker-vendor-build
+      - run: make docker-build

LICENSE

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2017 Bloomberg Finance L.P.
+   Copyright [yyyy] [name of copyright owner]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -199,4 +199,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

Makefile

@@ -43,6 +43,9 @@ release: clean manifests lint
 # Building
 ###
 
+# Prepare the code for a PR or merge
+prepare: fmt generate manifests fetch-licenses-list
+
 # Build solr-operator binary
 build: generate vet
 	BIN=solr-operator VERSION=${VERSION} GIT_SHA=${GIT_SHA} ARCH=${ARCH} GOOS=${GOOS} ./build/build.sh
@@ -77,24 +80,39 @@ fmt:
 vet:
 	go vet ./...
 
+# Run go vet against code
+fetch-licenses-list:
+	go-licenses csv . | grep -v -E "solr-operator" | sort > dependency_licenses.csv
+
+# Run go vet against code
+fetch-licenses-full:
+	go-licenses save . --save_path licenses --force
+
 ###
 # Tests and Checks
 ###
 
 check: lint test
 
-lint: check-format check-license check-manifests check-helm
+lint: check-format check-licenses check-manifests check-generated check-helm
 
 check-format:
 	./hack/check_format.sh
 
-check-license:
+check-licenses:
+	@echo "Check license headers on necessary files"
 	./hack/check_license.sh
+	@echo "Check list of dependency licenses"
+	go-licenses csv . 2>/dev/null | grep -v -E "solr-operator" | sort | diff dependency_licenses.csv -
 
 check-manifests: manifests
 	@echo "Check to make sure the manifests are up to date"
 	git diff --exit-code -- config helm/solr-operator/crds
 
+check-generated: generate
+	@echo "Check to make sure the generated code is up to date"
+	git diff --exit-code -- api/*/zz_generated.deepcopy.go
+
 check-helm:
 	helm lint helm/solr-operator
 
@@ -119,29 +137,13 @@ CONTROLLER_GEN=$(shell which controller-gen)
 # Docker Building & Pushing
 ###
 
-# Build the base builder docker image
-# This can be a static go build or dynamic
-docker-base-build:
-	docker build --build-arg VERSION=$(VERSION) --build-arg GIT_SHA=$(GIT_SHA) . -t solr-operator-build -f ./build/Dockerfile.build
-
-# Build the docker image for the operator only
-docker-build: docker-base-build
-	docker build --build-arg BUILD_IMG=solr-operator-build . -t solr-operator -f ./build/Dockerfile.slim
+# Build the docker image for the operator
+docker-build:
+	docker build --build-arg VERSION=$(VERSION) --build-arg GIT_SHA=$(GIT_SHA) . -t solr-operator -f ./build/Dockerfile
 	docker tag solr-operator ${IMG}:${VERSION}
 	docker tag solr-operator ${IMG}:latest
 
-# Build the docker image for the operator, containing the vendor deps as well
-docker-vendor-build: docker-build
-	docker build --build-arg BUILD_IMG=solr-operator-build --build-arg SLIM_IMAGE=solr-operator . -t solr-operator-vendor -f ./build/Dockerfile.vendor
-	docker tag solr-operator-vendor ${IMG}:${VERSION}-vendor
-	docker tag solr-operator-vendor ${IMG}:latest-vendor
-
 # Push the docker image for the operator
 docker-push:
 	docker push ${IMG}:${VERSION}
 	docker push ${IMG}:latest
-
-# Push the docker image for the operator with vendor deps
-docker-vendor-push:
-	docker push ${IMG}:${VERSION}-vendor
-	docker push ${IMG}:latest-vendor

NOTICE.txt renamed to NOTICE

@@ -26,3 +26,12 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
+
+The Solr Operator project is built using Kubebuilder, which is Apache 2.0 licensed.
+    https://github.com/kubernetes-sigs/kubebuilder
+
+The reconcileStorageFinalizer login in
+    controllers/solrcloud_controller.go
+was influenced by the same logic in the Zookeeper Operator, which is Apache 2.0 licensed.
+    https://github.com/pravega/zookeeper-operator/blob/v0.2.9/pkg/controller/zookeepercluster/zookeepercluster_controller.go#L629)
+Copyright (c) 2020 Dell Inc., or its subsidiaries. All Rights Reserved.

README.md

@@ -132,10 +132,18 @@ Have you had a good experience with the **Solr Operator**? Why not share some lo
 
 We welcome issue reports [here](../../issues); be sure to choose the proper issue template for your issue, so that we can be sure you're providing the necessary information.
 
+Before submitting a PR, please be sure to run `make prepare` before committing.
+Otherwise the github checks are likely to fail.
+
 ## License
 
 Please read the [LICENSE](LICENSE) file here.
 
+### Docker Image Licenses
+
+The Solr Operator docker image contains NOTICE and LICENSE information in the `/etc/licenses` directory.
+This is different from the source release LICENSE and NOTICE files, so make sure to familiarize yourself when using the image.
+
 ## Code of Conduct
 
 This space applies the ASF [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
@@ -150,3 +158,8 @@ can be found [here](https://www.apache.org/security/)
 
 Please do NOT open an issue in the GitHub repository, as we'd prefer to keep vulnerability reports private until
 we've had an opportunity to review and address them.
+
+## Acknowledgements
+
+The Solr Operator was donated to Apache Solr by Bloomberg, after the v0.2.8 release.
+Many thanks to their contributions over the years!

build/Dockerfile

@@ -0,0 +1,56 @@
+# Build the manager binary
+FROM golang:1.14 as builder
+
+WORKDIR /workspace
+ARG GO111MODULE=on
+
+# Download necessary libraries
+RUN go get sigs.k8s.io/controller-tools/cmd/[email protected]; \
+    go get github.com/google/go-licenses
+
+# Copy the Go Modules manifests
+COPY go.mod go.sum ./
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy development resources
+COPY .git/ .git/
+COPY hack/ hack/
+COPY build/build.sh build/build.sh
+COPY Makefile LICENSE NOTICE build/LICENSE-ADDITION build/NOTICE-ADDITION ./
+
+# Add additional binary-release-only information to the LICENSE and NOTICES files
+RUN echo "\n\n" >> LICENSE; \
+    cat LICENSE-ADDITION >> LICENSE; \
+    echo "\n\n" >> NOTICE; \
+    cat NOTICE-ADDITION >> NOTICE
+
+# Copy the go source
+COPY main.go ./
+COPY api/ api/
+COPY controllers/ controllers/
+
+ARG VERSION
+ARG GIT_SHA
+
+# Build
+RUN CGO_ENABLED=0 make fetch-licenses-full build
+
+# =============================================================================
+# Copy the controller-manager into a thin image
+# =============================================================================
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+# Debug is needed, so that the license files are viewable.
+# If there is another way to view these files, we can remove "debug-".
+FROM gcr.io/distroless/base:debug-nonroot
+
+WORKDIR /
+COPY --from=builder workspace/bin/solr-operator .
+COPY --from=builder workspace/LICENSE workspace/NOTICE etc/licenses/
+COPY --from=builder workspace/licenses etc/licenses/dependencies
+USER nonroot:nonroot
+
+ENTRYPOINT ["/solr-operator"]

build/Dockerfile.build

@@ -0,0 +1 @@
+All golang dependency LICENSE and NOTICE information can be found under /etc/licenses/dependencies.

build/Dockerfile.slim

@@ -0,0 +1,2 @@
+This project uses the hashicorp/golang-lru project, which is MPL 2.0 licensed. The source code can be found at
+    https://github.com/hashicorp/golang-lru

build/Dockerfile.vendor

@@ -0,0 +1,53 @@
+cloud.google.com/go/compute/metadata,Unknown,Apache-2.0
+github.com/beorn7/perks/quantile,https://github.com/beorn7/perks/blob/master/quantile/LICENSE,MIT
+github.com/cespare/xxhash/v2,https://github.com/cespare/xxhash/blob/master/v2/LICENSE.txt,MIT
+github.com/davecgh/go-spew/spew,https://github.com/davecgh/go-spew/blob/master/spew/LICENSE,ISC
+github.com/docker/spdystream,https://github.com/docker/spdystream/blob/master/LICENSE,Apache-2.0
+github.com/evanphx/json-patch,https://github.com/evanphx/json-patch/blob/master/LICENSE,BSD-3-Clause
+github.com/fsnotify/fsnotify,https://github.com/fsnotify/fsnotify/blob/master/LICENSE,BSD-3-Clause
+github.com/go-logr/logr,https://github.com/go-logr/logr/blob/master/LICENSE,Apache-2.0
+github.com/go-logr/zapr,https://github.com/go-logr/zapr/blob/master/LICENSE,Apache-2.0
+github.com/gogo/protobuf,https://github.com/gogo/protobuf/blob/master/LICENSE,BSD-3-Clause
+github.com/golang/groupcache/lru,https://github.com/golang/groupcache/blob/master/lru/LICENSE,Apache-2.0
+github.com/golang/protobuf,https://github.com/golang/protobuf/blob/master/LICENSE,BSD-3-Clause
+github.com/google/go-cmp/cmp,https://github.com/google/go-cmp/blob/master/cmp/LICENSE,BSD-3-Clause
+github.com/google/gofuzz,https://github.com/google/gofuzz/blob/master/LICENSE,Apache-2.0
+github.com/google/uuid,https://github.com/google/uuid/blob/master/LICENSE,BSD-3-Clause
+github.com/googleapis/gnostic,https://github.com/googleapis/gnostic/blob/master/LICENSE,Apache-2.0
+github.com/hashicorp/golang-lru,https://github.com/hashicorp/golang-lru/blob/master/LICENSE,MPL-2.0
+github.com/imdario/mergo,https://github.com/imdario/mergo/blob/master/LICENSE,BSD-3-Clause
+github.com/json-iterator/go,https://github.com/json-iterator/go/blob/master/LICENSE,MIT
+github.com/matttproud/golang_protobuf_extensions/pbutil,https://github.com/matttproud/golang_protobuf_extensions/blob/master/pbutil/LICENSE,Apache-2.0
+github.com/modern-go/concurrent,https://github.com/modern-go/concurrent/blob/master/LICENSE,Apache-2.0
+github.com/modern-go/reflect2,https://github.com/modern-go/reflect2/blob/master/LICENSE,Apache-2.0
+github.com/pkg/errors,https://github.com/pkg/errors/blob/master/LICENSE,BSD-2-Clause
+github.com/pravega/zookeeper-operator/pkg/apis,https://github.com/pravega/zookeeper-operator/blob/master/pkg/apis/LICENSE,Apache-2.0
+github.com/prometheus/client_golang/prometheus,https://github.com/prometheus/client_golang/blob/master/prometheus/LICENSE,Apache-2.0
+github.com/prometheus/client_model/go,https://github.com/prometheus/client_model/blob/master/go/LICENSE,Apache-2.0
+github.com/prometheus/common,https://github.com/prometheus/common/blob/master/LICENSE,Apache-2.0
+github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg,https://github.com/prometheus/common/blob/master/internal/bitbucket.org/ww/goautoneg/README.txt,BSD-3-Clause
+github.com/prometheus/procfs,https://github.com/prometheus/procfs/blob/master/LICENSE,Apache-2.0
+github.com/spf13/pflag,https://github.com/spf13/pflag/blob/master/LICENSE,BSD-3-Clause
+go.uber.org/atomic,Unknown,MIT
+go.uber.org/multierr,Unknown,MIT
+go.uber.org/zap,Unknown,MIT
+golang.org/x/crypto/ssh/terminal,Unknown,BSD-3-Clause
+golang.org/x/net,Unknown,BSD-3-Clause
+golang.org/x/oauth2,Unknown,BSD-3-Clause
+golang.org/x/sys,Unknown,BSD-3-Clause
+golang.org/x/text,Unknown,BSD-3-Clause
+golang.org/x/time/rate,Unknown,BSD-3-Clause
+gomodules.xyz/jsonpatch/v2,Unknown,Apache-2.0
+google.golang.org/protobuf,Unknown,BSD-3-Clause
+gopkg.in/inf.v0,Unknown,BSD-3-Clause
+gopkg.in/yaml.v2,Unknown,Apache-2.0
+k8s.io/api,Unknown,Apache-2.0
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions,Unknown,Apache-2.0
+k8s.io/apimachinery,Unknown,Apache-2.0
+k8s.io/client-go,Unknown,Apache-2.0
+k8s.io/klog/v2,Unknown,Apache-2.0
+k8s.io/kube-openapi/pkg/util/proto,Unknown,Apache-2.0
+k8s.io/utils,Unknown,Apache-2.0
+sigs.k8s.io/controller-runtime,Unknown,Apache-2.0
+sigs.k8s.io/structured-merge-diff/v4/value,Unknown,Apache-2.0
+sigs.k8s.io/yaml,Unknown,MIT

build/LICENSE-ADDITION

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 docker login -u "$DOCKER_USER" -p "$DOCKER_PASSWORD" \
-    && make docker-push \
-    && make docker-vendor-push
+    && make docker-push

build/NOTICE-ADDITION

@@ -76,12 +76,6 @@ Building and releasing a test operator image with a custom Docker namespace.
 $ NAMESPACE=your-namespace/ make docker-build docker-push
 ```
 
-You can test the vendor docker container by running
-
-```bash
-$ NAMESPACE=your-namespace/ make docker-vendor-build docker-vendor-push
-```
-
 You can control the namespace and version for your solr-operator docker image via the ENV variables:
 - `NAMESPACE`, defaults to `apache/`. **This must end with a forward slash.** This can also include the docker repository information for private repos.
 - `NAME`, defaults to `solr-operator`.
@@ -122,10 +116,11 @@ $ make test
 
 ## Before you create a PR
 
-The CRD should be updated anytime you update the API.
+The github actions will auto-check that linting is successful on your PR.
+To make sure that the linting will succeed, run the following command before committing.
 
 ```bash
-$ make manifests
+$ make prepare
 ```
 
 

dependency_licenses.csv

@@ -54,13 +54,9 @@ After inspecting the status of you Kube cluster, you should see a deployment for
 
 ## Solr Operator Docker Images
 
-Two Docker images are published to [DockerHub](https://hub.docker.com/r/apache/solr-operator), both based off of the same base image.
-
-- [Builder Image](build/Dockerfile.build) - Downloads gomod dependencies, builds operator executable (This is not published, only used to build the following images)
-- [Slim Image](build/Dockerfile.slim) - Contains only the operator executable, with the operator as the entry point
-- [Vendor Image](build/Dockerfile.slim) - Contains the operator executable as well as all dependencies (at `/solr-operator-vendor-sources`)
-
-In order to run the Solr Operator, you will only need the Slim Image.
+The Solr Operator Docker image is published to Dockerhub at [apache/solr-operator](https://hub.docker.com/r/apache/solr-operator).
+The [Dockerfile](/build/Dockerfile) builds from scratch source, and copies all necessary information to a very limited image.
+The final image will only contain the solr-operator binary and necessary License information.
 
 ## Solr Operator Input Args