Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable vendoring. #558

Merged
merged 2 commits into from
Feb 2, 2024
Merged

Enable vendoring. #558

merged 2 commits into from
Feb 2, 2024

Conversation

jkh52
Copy link
Contributor

@jkh52 jkh52 commented Jan 24, 2024

Enable vendoring.

Motivation: isolation, reliability, and reproducibility.

Note to reviewer: the first commit is large, but all manual edits are in the second commit.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jan 24, 2024
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jan 24, 2024
@elmiko
Copy link
Contributor

elmiko commented Jan 24, 2024

talking about this at the office hours today, a question has arisen about why we might want to add vendoring. one reason, is to help be more explicit about the supply chain and dependencies. also to help reduce errors that might happen from our dependencies changing between when we build and when an upstream dependency might update.

to simplify the vendor flags, if we want, we could GOFLAGS=-mod=vendor environment variable.

also from the docs https://go.dev/ref/mod

At go 1.14 or higher, automatic [vendoring](https://go.dev/ref/mod#vendoring) may be enabled. If the file vendor/modules.txt is present and consistent with go.mod, there is no need to explicitly use the -mod=vendor flag.

@jkh52
Copy link
Contributor Author

jkh52 commented Jan 24, 2024

/assign @ipochi

@jkh52
Copy link
Contributor Author

jkh52 commented Jan 24, 2024

/retest

@jkh52 jkh52 force-pushed the vendor branch 2 times, most recently from 1771674 to 6b058c2 Compare January 24, 2024 23:42
@jkh52
Copy link
Contributor Author

jkh52 commented Jan 25, 2024

Based on discussion I changed things so that:

  • Makefile uses GOFLAGS = -mod=vendor environment
    • reduce clutter
  • Dockerfiles directly use -mod=vendor flag
    • ensure builds are hermetic

Happy to tweak further, otherwise I think this is ready.

Copy link

@jparrill jparrill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewing the PR, the default behaviour from go 1.11 and you're vendoring is that it has by default this -mod=vendor added. But if that so I would say to remove it in all the cases or add it in all the cases (I'm in the side of add it in all the cases.)

Not just for build but also for go test commands in the makefile.

I think this is not in the scope of this pr but I also would add something like:

GO=GO111MODULE=on GOFLAGS=-mod=vendor go
GO_BUILD_RECIPE=CGO_ENABLED=1 $(GO) build .....

And this $(GO_BUILD_RECIPE) add them in all the cases to be consistent. Maybe I can drop a following up PR fixing some things like this one.

I would like to have other community opinions like from @cheftako or @ipochi to have more points of view.

Makefile Outdated Show resolved Hide resolved
Makefile Outdated Show resolved Hide resolved
Makefile Outdated Show resolved Hide resolved
Makefile Outdated Show resolved Hide resolved
@jkh52
Copy link
Contributor Author

jkh52 commented Jan 26, 2024

Reviewing the PR, the default behaviour from go 1.11 and you're vendoring is that it has by default this -mod=vendor added. But if that so I would say to remove it in all the cases or add it in all the cases (I'm in the side of add it in all the cases.)

Not just for build but also for go test commands in the makefile.

This was a good suggestion, because it caught the absence of vendor/ in the konnectivity-client module. Latest upload vendors both modules, and runs tests with the flag.

I think this is not in the scope of this pr but I also would add something like:

GO=GO111MODULE=on GOFLAGS=-mod=vendor go
GO_BUILD_RECIPE=CGO_ENABLED=1 $(GO) build .....

And this $(GO_BUILD_RECIPE) add them in all the cases to be consistent. Maybe I can drop a following up PR fixing some things like this one.

+1 to keeping deeper cleanup separate from this PR. We should improve consistency between Makefile and Dockerfiles as well (example: GO111MODULE=on).

@cheftako
Copy link
Contributor

Reviewing the PR, the default behaviour from go 1.11 and you're vendoring is that it has by default this -mod=vendor added. But if that so I would say to remove it in all the cases or add it in all the cases (I'm in the side of add it in all the cases.)
Not just for build but also for go test commands in the makefile.

This was a good suggestion, because it caught the absence of vendor/ in the konnectivity-client module. Latest upload vendors both modules, and runs tests with the flag.

I think adding vendor consistently for the rest of the ANP seems like a good idea. It not only makes the build chain clear but it means when doing code inspection/debugging you have the correct version of the code present cutting down on confusion due to dependency version discrepancies. Konnectivity-client is a bit different. It is not an executable but a library. The version of its dependencies are determined by the build of the executables which pull it in. So I worry that at best pulling a vendor directory into konnectivity-client is misleading. At worst it might cause problems for things like merging it into the K/K KAS build.

@jkh52
Copy link
Contributor Author

jkh52 commented Jan 26, 2024

Reviewing the PR, the default behaviour from go 1.11 and you're vendoring is that it has by default this -mod=vendor added. But if that so I would say to remove it in all the cases or add it in all the cases (I'm in the side of add it in all the cases.)
Not just for build but also for go test commands in the makefile.

This was a good suggestion, because it caught the absence of vendor/ in the konnectivity-client module. Latest upload vendors both modules, and runs tests with the flag.

I think adding vendor consistently for the rest of the ANP seems like a good idea. It not only makes the build chain clear but it means when doing code inspection/debugging you have the correct version of the code present cutting down on confusion due to dependency version discrepancies. Konnectivity-client is a bit different. It is not an executable but a library. The version of its dependencies are determined by the build of the executables which pull it in. So I worry that at best pulling a vendor directory into konnectivity-client is misleading. At worst it might cause problems for things like merging it into the K/K KAS build.

Good thinking, I checked and it seems that there should not be k/k problems.

I tried updating k/k with:

./hack/pin-dependency.sh sigs.k8s.io/apiserver-network-proxy/konnectivity-client=github.com/jkh52/apiserver-network-proxy/konnectivity-client vendor
./hack/update-codegen.sh
./hack/update-vendor.sh

as hoped, the vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client contents did not change. I double checked, and there are no vendor directories anywhere in https://github.com/kubernetes/kubernetes/tree/master/vendor.

https://go.dev/ref/mod#vendoring says Unlike [vendoring in GOPATH mode](https://go.dev/s/go15vendor), the go command ignores vendor directories in locations other than the main module’s root directory. So it makes sense that k/k vendoring would avoid taking recursive vendor cruft.

That said, it does seem heavy handed to vendor the pure client lib, just in support of a single test konnectivity-client/pkg/client/client_test.go.

@jkh52
Copy link
Contributor Author

jkh52 commented Jan 29, 2024

Reviewing the PR, the default behaviour from go 1.11 and you're vendoring is that it has by default this -mod=vendor added. But if that so I would say to remove it in all the cases or add it in all the cases (I'm in the side of add it in all the cases.)
Not just for build but also for go test commands in the makefile.

This was a good suggestion, because it caught the absence of vendor/ in the konnectivity-client module. Latest upload vendors both modules, and runs tests with the flag.

I think adding vendor consistently for the rest of the ANP seems like a good idea. It not only makes the build chain clear but it means when doing code inspection/debugging you have the correct version of the code present cutting down on confusion due to dependency version discrepancies. Konnectivity-client is a bit different. It is not an executable but a library. The version of its dependencies are determined by the build of the executables which pull it in. So I worry that at best pulling a vendor directory into konnectivity-client is misleading. At worst it might cause problems for things like merging it into the K/K KAS build.

Good thinking, I checked and it seems that there should not be k/k problems.

I tried updating k/k with:

./hack/pin-dependency.sh sigs.k8s.io/apiserver-network-proxy/konnectivity-client=github.com/jkh52/apiserver-network-proxy/konnectivity-client vendor
./hack/update-codegen.sh
./hack/update-vendor.sh

as hoped, the vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client contents did not change. I double checked, and there are no vendor directories anywhere in https://github.com/kubernetes/kubernetes/tree/master/vendor.

https://go.dev/ref/mod#vendoring says Unlike [vendoring in GOPATH mode](https://go.dev/s/go15vendor), the go command ignores vendor directories in locations other than the main module’s root directory. So it makes sense that k/k vendoring would avoid taking recursive vendor cruft.

That said, it does seem heavy handed to vendor the pure client lib, just in support of a single test konnectivity-client/pkg/client/client_test.go.

Choices:

  1. Vendor both modules (it is more consistent, but could confuse some readers)
  2. Vendor only the top level module, do not vendor the client lib module

I still lean toward 1, because it makes the repo consistent (all builds and tests run against locally available dependencies) but I can switch to 2 if @cheftako feels strongly, or if others also prefer it.

@ipochi or @jparrill do either of you have an opinion?

@jparrill
Copy link

jparrill commented Feb 1, 2024

do either of you have an opinion?

Well, @cheftako knows better than me the project, so I think He will have the point here :).

@jkh52
Copy link
Contributor Author

jkh52 commented Feb 1, 2024

do either of you have an opinion?

Well, @cheftako knows better than me the project, so I think He will have the point here :).

Thanks. I'll switch to option 2 since there is better consensus there.

@jkh52 jkh52 marked this pull request as draft February 1, 2024 16:53
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 1, 2024
@jkh52 jkh52 marked this pull request as ready for review February 1, 2024 16:57
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 1, 2024
@k8s-ci-robot k8s-ci-robot requested a review from ipochi February 1, 2024 16:57
@jkh52
Copy link
Contributor Author

jkh52 commented Feb 1, 2024

/assign @cheftako

@cheftako
Copy link
Contributor

cheftako commented Feb 2, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 2, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheftako, jkh52

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 125962d into kubernetes-sigs:master Feb 2, 2024
10 checks passed
@jkh52 jkh52 mentioned this pull request Feb 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants