🐛 Fix GKE cloud test (#929)
`GitHubSecurityLab/actions-permissions/monitor` added a MITM proxy to intercept calls.
This proxy signed the GKE API cert, which led to errors:
```
Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority
```

Signed-off-by: Christian Zunker <[email protected]>
czunker authored Nov 9, 2023
1 parent 459a5ee commit 78042ca
Showing 4 changed files with 13 additions and 17 deletions.
2 changes: 2 additions & 0 deletions .github/terraform/gke/main.tf
Expand Up @@ -12,11 +12,13 @@ resource "google_container_cluster" "cluster" {

remove_default_node_pool = true
initial_node_count = 1
deletion_protection = false
}

resource "google_container_node_pool" "node_pool" {
name = "mondoo-operator-pool-${random_string.suffix.result}"
location = "us-central1-a"
project = var.project_id
cluster = google_container_cluster.cluster.id
node_count = 1

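Review bot: `deletion_protection = false` on the `google_container_cluster` resource has no comment explaining why the safeguard is switched off. The `.github/terraform/gke` path and the random suffix on the node pool name suggest a short-lived CI cluster that `terraform destroy` must be able to remove, but that is inferred from this hunk rather than stated. A line such as `# CI-only: short-lived test cluster, must be removable by terraform destroy` above the attribute would keep the setting from being copied into a long-lived cluster definition. The cluster resource block starts outside this hunk.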
2 changes: 1 addition & 1 deletion .github/terraform/gke/outputs.tf
Expand Up @@ -2,4 +2,4 @@ resource "local_file" "kubeconfig" {
depends_on = [google_container_cluster.cluster]
content = module.gke_auth.kubeconfig_raw
filename = "kubeconfig"
}
}
17 changes: 1 addition & 16 deletions .github/workflows/cloud-tests.yaml
Expand Up @@ -55,9 +55,6 @@ jobs:
k8s-version: ["1.25", "1.26", "1.27"]

steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
Expand Down Expand Up @@ -143,9 +140,6 @@ jobs:
AWS_REGION: us-east-2

steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
Expand Down Expand Up @@ -225,9 +219,6 @@ jobs:
KUBECONFIG: ${{ format('{0}/{1}', github.workspace, '.github/terraform/gke/kubeconfig') }}

steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
Expand Down Expand Up @@ -265,7 +256,7 @@ jobs:
run: echo "OPERATOR_VERSION=$(docker run ghcr.io/mondoohq/mondoo-operator:${{ env.MONDOO_OPERATOR_IMAGE_TAG }} version --simple)" >> $GITHUB_ENV

- name: Wait a bit for the cluster to become more stable
run: kubectl -n kube-system wait --for=condition=Ready pods --all --timeout=60s
run: kubectl -n kube-system wait --for=condition=Ready pods --all --timeout=300s

- name: Run integration tests
env:
Expand Down Expand Up @@ -306,9 +297,6 @@ jobs:
needs: [eks-integration-test,aks-integration-test,gke-integration-test]
if: always()
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
Expand All @@ -332,9 +320,6 @@ jobs:
# Run only if the previous job has failed and only if it's running against the main branch
if: ${{ always() && contains(join(needs.*.result, ','), 'fail') && github.ref_name == 'main' }}
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: sarisia/actions-status-discord@v1
with:
webhook: ${{ secrets.DISCORD_WEBHOOK }}
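Review bot: The `GitHubSecurityLab/actions-permissions/monitor@v1` step is dropped from every job in this file, including the job that sets `AWS_REGION` (`@@ -143,9 +140,6`) and the final two jobs (`@@ -306,9 +297,6` and `@@ -332,9 +320,6`), while the commit description ties the certificate failure to the GKE API only. If the proxy breaks only the GKE job, keeping the step in the other jobs would preserve the permission-usage data it collects. With the monitor gone, each job should declare an explicit least-privilege `permissions:` block; none is visible in these hunks, but the job headers lie outside them. Separately, `sarisia/actions-status-discord@v1` receives `secrets.DISCORD_WEBHOOK` through a mutable tag, and pinning it to a full commit SHA would limit what a retagged release could do with that secret.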
9 changes: 9 additions & 0 deletions Makefile
Expand Up @@ -110,7 +110,11 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust
$(CONTROLLER_GEN) rbac:roleName=manager-role webhook paths="./pkg/webhooks/..."

generate: controller-gen gomockgen prep/tools ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
echo "Running generate"
go mod tidy
echo "Running controller-gen"
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
echo "Running go generate"
go generate ./controllers/... ./pkg/...

fmt: ## Run go fmt against code.
Expand Down Expand Up @@ -222,6 +226,7 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in

.PHONY: generate-manifests
generate-manifests: manifests kustomize ## Generates manifests and pipes into a yaml file
echo "Running generate-manifests"
cp config/manager/kustomization.yaml config/manager/kustomization.yaml.before_kustomize
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
$(KUSTOMIZE) build config/default > mondoo-operator-manifests.yaml
Expand Down Expand Up @@ -268,6 +273,7 @@ endif
.PHONY: controller-gen
controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.
$(CONTROLLER_GEN): $(LOCALBIN)
echo "Installing controller-gen"
test -s $(LOCALBIN)/controller-gen || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)

.PHONY: envtest
Expand All @@ -278,6 +284,7 @@ $(ENVTEST): $(LOCALBIN)
GOTESTSUM = $(LOCALBIN)/gotestsum
gotestsum: $(GOTESTSUM) ## Download gotestsum locally if necessary.
$(GOTESTSUM): $(LOCALBIN)
echo "Installing gotestsum"
test -s $(LOCALBIN)/gotestsum || GOBIN=$(LOCALBIN) go install gotest.tools/gotestsum@latest

GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
Expand Down Expand Up @@ -402,10 +409,12 @@ test/spell-check:
# An alternative (especially for local development) is to soft-link a local copy of the repo
# yourself. We don't pin submodules at this time, but we may want to check if they are up to date here.
prep/tools: prep/tools/ranger
echo "Running prep/tools"
command -v protoc-gen-go || go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
command -v protoc-gen-rangerrpc-swagger || go install go.mondoo.com/ranger-rpc/protoc-gen-rangerrpc-swagger@latest

prep/tools/ranger:
echo "prep/tools/ranger"
go install go.mondoo.com/ranger-rpc/protoc-gen-rangerrpc@latest

prep/ci/protoc:
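Review bot: The `$(GOTESTSUM)`, `prep/tools` and `prep/tools/ranger` recipes touched here still install their tools with `@latest`, so each run can pull a different, unreviewed release, whereas `controller-gen` is pinned through `$(CONTROLLER_TOOLS_VERSION)`. Pinning them the same way makes the toolchain reproducible and limits exposure to a compromised upstream release. For example, `go install gotest.tools/gotestsum@$(GOTESTSUM_VERSION)`, where `GOTESTSUM_VERSION` is a proposed new variable set wherever `CONTROLLER_TOOLS_VERSION` is defined (outside these hunks). As a smaller style point, the added `echo` lines lack the `@` prefix, so make prints each message twice; `@echo "Installing gotestsum"` avoids that.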
