fix: CI and downgrade sigs.k8s.io/controller-runtime to mitigate memory

leak

Author: alex-berger

.devcontainer/Dockerfile

@@ -1,5 +1,12 @@
-FROM nexxiot-registry-oci.jfrog.io/golang:1.24.2-alpine3.21
+FROM nexxiot-registry-oci.jfrog.io/golang:1.24.5-alpine3.22
 
-RUN apk --no-cache add git bash make zip
+RUN apk --no-cache add git bash make zip kubectl docker fuse-overlayfs helm curl # kind
+
+# Kind from package manager is too old, so download it from upstream.
+RUN ([ $(uname -m) = x86_64 ] && curl -Lo /usr/bin/kind https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-amd64) || true
+
+RUN ([ $(uname -m) = aarch64 ] && curl -Lo /usr/bin/kind https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-arm64) || true
+
+RUN chmod +x /usr/bin/kind
 
 RUN go install golang.org/x/tools/gopls@v0.19.1

.devcontainer/devcontainer.json

@@ -3,9 +3,11 @@
     "dockerfile": "./Dockerfile"
   },
   "mounts": [
+    "source=${localEnv:HOME}/.kube,target=/root/.kube,type=bind,consistency=cached",
     "source=${localEnv:HOME}/.aws,target=/root/.aws,type=bind,consistency=cached",
     "source=${localEnv:HOME}/.gitconfig,target=/root/.gitconfig,type=bind,consistency=cached"
   ],
+  "runArgs": ["--privileged", "--cgroupns=host"],
   "customizations": {
     "vscode": {
       "extensions": [
@@ -19,4 +21,4 @@
       ]
     }
   }
-}
+}

.github/install.sh

@@ -1,14 +1,14 @@
 #!/bin/bash
 
 set -e
+set -x
 
 make docker-build IMG=test/secrets-controller:latest
 
-kind load docker-image test/secrets-controller:latest --name "${KIND:-kind}"
-
-echo $@ - $1
-if [[ "$1" == "helm" ]]; then
-    helm upgrade k8s-gitops-secrets-controller charts/k8s-gitops-secrets-controller --install -n k8s-gitops-secrets-system --create-namespace --set fullnameOverride=k8s-gitops-secrets-controller-manager --set image.repository=test/secrets-controller --set image.tag=latest
-else
-    make deploy IMG=test/secrets-controller:latest
+if ! kind load docker-image test/secrets-controller:latest --name "${KIND:-kind}" -v 10; then
+    docker save -o /tmp/image-archive.tar test/secrets-controller:latest
+    kind load image-archive /tmp/image-archive.tar --name "${KIND:-kind}";
 fi
+
+
+helm upgrade k8s-gitops-secrets-controller charts/k8s-gitops-secrets-controller --install -n k8s-gitops-secrets-system --create-namespace --set fullnameOverride=k8s-gitops-secrets-controller-manager --set image.repository=test/secrets-controller --set image.tag=latest

.github/workflows/build.yaml

@@ -24,7 +24,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.24.2
+          go-version: 1.24.5
       - name: Setup Kubernetes
         uses: helm/kind-action@v1.5.0
         with:

.github/workflows/publish.yml

@@ -104,7 +104,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.24.2
+          go-version: 1.24.5
       - name: Build seals CLI
         run: make cli
       - name: Extract TAG_NAME from GITHUB_REF

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.24.2 as builder
+FROM golang:1.24.5 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 

Makefile

@@ -2,7 +2,7 @@
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.33.1
+ENVTEST_K8S_VERSION = 1.33.0
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))

charts/k8s-gitops-secrets-controller/values.yaml

@@ -52,11 +52,11 @@ securityContext:
 
 resources:
   limits:
-    cpu: 100m
-    memory: 32Mi
+    cpu: 1000m
+    memory: 128Mi
   requests:
     cpu: 10m
-    memory: 16Mi
+    memory: 64Mi
 
 nodeSelector: {}
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/rustrial/k8s-gitops-secrets
 
-go 1.24.2
+go 1.24.5
 
 require (
 	github.com/aws/aws-sdk-go-v2/config v1.29.17
@@ -15,7 +15,9 @@ require (
 	k8s.io/apimachinery v0.33.2
 	k8s.io/client-go v0.33.2
 	k8s.io/kubectl v0.33.2
-	sigs.k8s.io/controller-runtime v0.21.0
+	// sigs.k8s.io/controller-runtime v0.21.0 caused a memory leak, which resulted in
+	// container beeing OOMKilled, so we stick with v0.20.4 for now.
+	sigs.k8s.io/controller-runtime v0.20.4
 )
 
 require (
@@ -35,7 +37,6 @@ require (
 require (
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect

go.sum

@@ -28,8 +28,6 @@ github.com/aws/smithy-go v1.22.4 h1:uqXzVZNuNexwc/xrh6Tb56u89WDlJY6HS+KC0S4QSjw=
 github.com/aws/smithy-go v1.22.4/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
-github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
@@ -222,8 +220,8 @@ k8s.io/kubectl v0.33.2 h1:7XKZ6DYCklu5MZQzJe+CkCjoGZwD1wWl7t/FxzhMz7Y=
 k8s.io/kubectl v0.33.2/go.mod h1:8rC67FB8tVTYraovAGNi/idWIK90z2CHFNMmGJZJ3KI=
 k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8=
-sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
+sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU=
+sigs.k8s.io/controller-runtime v0.20.4/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=