kubeslice · gourishkb · Jan 22, 2026 · Jan 29, 2026 · Jan 29, 2026 · Feb 17, 2026
@@ -1,4 +1,19 @@
-# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
-# Ignore build and test binaries.
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
 bin/
 testbin/
+# Git and CI
+.git
+.gitignore
+.github
+# Docs and non-runtime
+*.md
+LICENSE
+coverage.out
+*.test
+# Avoid sending unnecessary context
+.dockerignore
+Dockerfile*
+Makefile
+config/
+bundle.Dockerfile
+test.Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.4
 ##########################################################
 #Dockerfile
 #Copyright (c) 2022 Avesha, Inc. All rights reserved.
@@ -18,45 +19,46 @@
 ##########################################################
 
 # Build the manager binary
-FROM golang:1.24 AS builder
+FROM golang:1.25-alpine AS builder
 
 WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-ADD vendor vendor
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-#RUN echo "[url \"git@bitbucket.org:\"]\n\tinsteadOf = https://bitbucket.org/" >> /root/.gitconfig
-
-ARG TARGETOS
-ARG TARGETPLATFORM
-ARG TARGETARCH
-
-# Copy the go source
-COPY main.go main.go
+
+# Multi-arch build args (injected by buildx when using --platform)
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+ARG TARGETVARIANT
+# TARGETVARIANT is set for arm/v7 (e.g. arm32); empty for amd64/arm64
+
+# Copy module manifests and vendor first (better layer cache)
+COPY go.mod go.sum ./
+COPY vendor/ vendor/
+
+# Copy source
+COPY main.go ./
 COPY api/ api/
 COPY controllers/ controllers/
 COPY pkg/ pkg/
 COPY events/ events/
-# Build
-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GO111MODULE=on go build -mod=vendor -a -o manager main.go
 
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
+# Build with cache mount for faster rebuilds; -ldflags -s -w reduces binary size
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GO111MODULE=on \
+    go build -mod=vendor -trimpath -ldflags="-s -w" -o manager main.go
+
+# Final image: distroless static (multi-arch manifest)
 FROM gcr.io/distroless/static-debian12:nonroot
 LABEL maintainer="Avesha Systems"
+
 WORKDIR /
 COPY --from=builder /workspace/manager .
 
 # Copy manifest files for istio gateways deployment
 COPY files files
+COPY scripts scripts
+
 ENV MANIFEST_PATH="/files/manifests"
-# Copy script files
 ENV SCRIPT_PATH="/scripts"
-COPY scripts scripts
 
 USER 65532:65532
-
 ENTRYPOINT ["/manager"]
 
@@ -37,6 +37,10 @@ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
 # Image URL to use all building/pushing image targets
 IMG ?= docker.io/aveshasystems/worker-operator:$(VERSION)
+# PLATFORMS for multi-arch builds (used by docker-build-multi and docker-push)
+PLATFORMS ?= linux/amd64,linux/arm64
+# Buildx builder name (reused to avoid creating multiple builders)
+BUILDX_BUILDER ?= worker-operator-builder
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.23
 
@@ -114,14 +118,18 @@ run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 
 .PHONY: docker-build
-docker-build: ## Build docker image with the manager.
-	docker buildx create --name container --driver=docker-container || true
-	docker build --builder container --platform linux/amd64,linux/arm64 -t ${IMG} .
+docker-build: ## Build docker image for current platform and load into docker (for local use).
+	docker build -t ${IMG} .
+
+.PHONY: docker-build-multi
+docker-build-multi: ## Build multi-arch image (result in buildx cache; follow with docker-push to push).
+	docker buildx create --name $(BUILDX_BUILDER) --driver docker-container --use 2>/dev/null || docker buildx use $(BUILDX_BUILDER)
+	docker buildx build --platform $(PLATFORMS) -t ${IMG} .
 
 .PHONY: docker-push
-docker-push: ## Push docker image with the manager.
-	docker buildx create --name container --driver=docker-container || true
-	docker build --push --builder container --platform linux/amd64,linux/arm64 -t ${IMG} .
+docker-push: ## Build multi-arch image and push to registry.
+	docker buildx create --name $(BUILDX_BUILDER) --driver docker-container --use 2>/dev/null || docker buildx use $(BUILDX_BUILDER)
+	docker buildx build --platform $(PLATFORMS) -t ${IMG} --push .
 
 ##@ Deployment
 

@@ -45,6 +45,7 @@ type SliceGatewayConfig struct {
 	// Slice gateway subnet range.
 	SliceSiteName string `json:"sliceSiteName,omitempty"`
 	// Slice gateway vpn type
+	// +kubebuilder:default:=OpenVPN
 	SliceGatewayType controllerv1alpha1.SliceGatewayType `json:"sliceGatewayType,omitempty"`
 	// Slice gateway subnet range.
 	SliceGatewaySubnet string `json:"sliceGatewaySubnet,omitempty"`
@@ -151,7 +152,7 @@ type TunnelStatus struct {
 	TxRate     uint64 `json:"TxRate,omitempty"`
 	RxRate     uint64 `json:"RxRate,omitempty"`
 	PacketLoss uint64 `json:"PacketLoss,omitempty"`
-	// Status is the status of the tunnel. 0: DOWN, 1: UP
+	// Status is the status of the tunnel. 0: UP, 1: DOWN (protobuf TunnelStatusType)
 	Status int32 `json:"Status,omitempty"`
 	// TunnelState is the state of the tunnel in string format: UP, DOWN, UNKNOWN
 	TunnelState string `json:"TunnelState,omitempty"`

@@ -131,6 +131,7 @@ spec:
                     description: Slice gateway subnet range.
                     type: string
                   sliceGatewayType:
+                    default: OpenVPN
                     description: Slice gateway vpn type
                     enum:
                     - OpenVPN
@@ -204,8 +205,8 @@ spec:
                           format: int64
                           type: integer
                         Status:
-                          description: 'Status is the status of the tunnel. 0: DOWN,
-                            1: UP'
+                          description: 'Status is the status of the tunnel. 0: UP,
+                            1: DOWN (protobuf TunnelStatusType)'
                           format: int32
                           type: integer
                         TunnelState:

@@ -60,7 +60,7 @@ func (r *Reconciler) ReconcileServiceEntries(ctx context.Context, serviceexport
 		}
 
 		// Check if the endpoint IP address in the service entry matches the pod's nsm IP
-		if checkEndpoint(endpoint, *seFound) {
+		if checkEndpoint(endpoint, seFound) {
 			seFound.Spec.Endpoints[0].Address = endpoint.NsmIP
 			err := r.Update(ctx, seFound)
 			if err != nil {
@@ -81,7 +81,7 @@ func (r *Reconciler) ReconcileServiceEntries(ctx context.Context, serviceexport
 
 	for _, se := range toDelete {
 		log.Info("Deleting serviceentry", "se", se)
-		err = r.Delete(ctx, &se)
+		err = r.Delete(ctx, se)
 		if err != nil {
 			log.Error(err, "Unable to delete serviceentry")
 			return ctrl.Result{}, err, true
@@ -93,7 +93,7 @@ func (r *Reconciler) ReconcileServiceEntries(ctx context.Context, serviceexport
 }
 
 // getServiceEntries returns all the serviceentries belongs to a serviceexport
-func getServiceEntries(ctx context.Context, r client.Reader, serviceexport *kubeslicev1beta1.ServiceExport) ([]istiov1beta1.ServiceEntry, error) {
+func getServiceEntries(ctx context.Context, r client.Reader, serviceexport *kubeslicev1beta1.ServiceExport) ([]*istiov1beta1.ServiceEntry, error) {
 	seList := &istiov1beta1.ServiceEntryList{}
 	listOpts := []client.ListOption{
 		client.MatchingLabels(labelsForServiceEntry(serviceexport)),
@@ -103,19 +103,22 @@ func getServiceEntries(ctx context.Context, r client.Reader, serviceexport *kube
 		return nil, err
 	}
 
-	ses := []istiov1beta1.ServiceEntry{}
-
-	ses = append(ses, seList.Items...)
+	ses := make([]*istiov1beta1.ServiceEntry, 0, len(seList.Items))
+	for _, item := range seList.Items {
+		if item != nil {
+			ses = append(ses, item)
+		}
+	}
 
 	return ses, nil
 }
 
 // Create serviceEntry based on serviceExport endpoint spec
 func (r *Reconciler) createServiceEntryForEndpoint(serviceexport *kubeslicev1beta1.ServiceExport, endpoint *kubeslicev1beta1.ServicePod) *istiov1beta1.ServiceEntry {
-	ports := []*networkingv1beta1.Port{}
+	ports := []*networkingv1beta1.ServicePort{}
 
 	for _, p := range serviceexport.Spec.Ports {
-		po := &networkingv1beta1.Port{
+		po := &networkingv1beta1.ServicePort{
 			Name:       p.Name,
 			Protocol:   string(p.Protocol),
 			Number:     uint32(p.ContainerPort),
@@ -157,19 +160,20 @@ func serviceEntryName(endpoint *kubeslicev1beta1.ServicePod, ns string) string {
 	return endpoint.Name + "-" + ns + "-ingress"
 }
 
-func servicesEntriesToDelete(seList []istiov1beta1.ServiceEntry, se *kubeslicev1beta1.ServiceExport) []istiov1beta1.ServiceEntry {
-
+func servicesEntriesToDelete(seList []*istiov1beta1.ServiceEntry, se *kubeslicev1beta1.ServiceExport) []*istiov1beta1.ServiceEntry {
 	exists := struct{}{}
 	dnsSet := make(map[string]struct{})
-	toDelete := []istiov1beta1.ServiceEntry{}
+	toDelete := []*istiov1beta1.ServiceEntry{}
 
 	for _, e := range se.Status.Pods {
 		dnsSet[e.DNSName] = exists
 	}
 
 	for _, s := range seList {
-		if _, ok := dnsSet[s.Spec.Hosts[0]]; !ok {
-			toDelete = append(toDelete, s)
+		if s != nil && len(s.Spec.Hosts) > 0 {
+			if _, ok := dnsSet[s.Spec.Hosts[0]]; !ok {
+				toDelete = append(toDelete, s)
+			}
 		}
 	}
 
@@ -184,10 +188,10 @@ func labelsForServiceEntry(se *kubeslicev1beta1.ServiceExport) map[string]string
 	}
 }
 
-func serviceEntryExists(seList []istiov1beta1.ServiceEntry, e kubeslicev1beta1.ServicePod) *istiov1beta1.ServiceEntry {
+func serviceEntryExists(seList []*istiov1beta1.ServiceEntry, e kubeslicev1beta1.ServicePod) *istiov1beta1.ServiceEntry {
 	for _, se := range seList {
-		if len(se.Spec.Hosts) > 0 && se.Spec.Hosts[0] == e.DNSName {
-			return &se
+		if se != nil && len(se.Spec.Hosts) > 0 && se.Spec.Hosts[0] == e.DNSName {
+			return se
 		}
 	}
 
@@ -204,7 +208,7 @@ func (r *Reconciler) DeleteIstioServiceEntries(ctx context.Context, serviceexpor
 	}
 
 	for _, se := range entries {
-		err = r.Delete(ctx, &se)
+		err = r.Delete(ctx, se)
 		if err != nil {
 			return err
 		}
@@ -213,6 +217,6 @@ func (r *Reconciler) DeleteIstioServiceEntries(ctx context.Context, serviceexpor
 	return nil
 }
 
-func checkEndpoint(endpoint kubeslicev1beta1.ServicePod, seFound istiov1beta1.ServiceEntry) bool {
-	return endpoint.NsmIP != "" && seFound.Spec.Endpoints[0].Address != endpoint.NsmIP
+func checkEndpoint(endpoint kubeslicev1beta1.ServicePod, seFound *istiov1beta1.ServiceEntry) bool {
+	return endpoint.NsmIP != "" && seFound != nil && len(seFound.Spec.Endpoints) > 0 && seFound.Spec.Endpoints[0].Address != endpoint.NsmIP
 }
@@ -69,7 +69,7 @@ func (r *Reconciler) ReconcileServiceEntries(ctx context.Context, serviceimport
 
 	for _, se := range toDelete {
 		log.Info("Deleting serviceentry", "se", se)
-		err = r.Delete(ctx, &se)
+		err = r.Delete(ctx, se)
 		if err != nil {
 			log.Error(err, "Unable to delete serviceentry")
 			return ctrl.Result{}, err, true
@@ -85,7 +85,7 @@ func (r *Reconciler) ReconcileServiceEntries(ctx context.Context, serviceimport
 func (r *Reconciler) serviceEntryForEndpoint(serviceImport *kubeslicev1beta1.ServiceImport, endpoint *kubeslicev1beta1.ServiceEndpoint, ns string) *istiov1beta1.ServiceEntry {
 	p := serviceImport.Spec.Ports[0]
 
-	ports := []*networkingv1beta1.Port{{
+	ports := []*networkingv1beta1.ServicePort{{
 		Name:       p.Name,
 		Protocol:   string(p.Protocol),
 		Number:     uint32(p.ContainerPort),
@@ -133,7 +133,7 @@ func serviceEntryName(endpoint *kubeslicev1beta1.ServiceEndpoint) string {
 }
 
 // getServiceEntriesForSI returns all the serviceentries belongs to an import
-func getServiceEntriesForSI(ctx context.Context, c client.Client, serviceimport *kubeslicev1beta1.ServiceImport, ns string) ([]istiov1beta1.ServiceEntry, error) {
+func getServiceEntriesForSI(ctx context.Context, c client.Client, serviceimport *kubeslicev1beta1.ServiceImport, ns string) ([]*istiov1beta1.ServiceEntry, error) {
 	seList := &istiov1beta1.ServiceEntryList{}
 	listOpts := []client.ListOption{
 		client.MatchingLabels(labelsForServiceEntry(serviceimport)),
@@ -143,36 +143,40 @@ func getServiceEntriesForSI(ctx context.Context, c client.Client, serviceimport
 		return nil, err
 	}
 
-	ses := []istiov1beta1.ServiceEntry{}
-
-	ses = append(ses, seList.Items...)
+	ses := make([]*istiov1beta1.ServiceEntry, 0, len(seList.Items))
+	for _, item := range seList.Items {
+		if item != nil {
+			ses = append(ses, item)
+		}
+	}
 
 	return ses, nil
 }
 
-func serviceEntryExists(seList []istiov1beta1.ServiceEntry, e kubeslicev1beta1.ServiceEndpoint) bool {
+func serviceEntryExists(seList []*istiov1beta1.ServiceEntry, e kubeslicev1beta1.ServiceEndpoint) bool {
 	for _, se := range seList {
-		if len(se.Spec.Hosts) > 0 && se.Spec.Hosts[0] == e.DNSName {
+		if se != nil && len(se.Spec.Hosts) > 0 && se.Spec.Hosts[0] == e.DNSName {
 			return true
 		}
 	}
 
 	return false
 }
 
-func servicesEntriesToDelete(seList []istiov1beta1.ServiceEntry, si *kubeslicev1beta1.ServiceImport) []istiov1beta1.ServiceEntry {
-
+func servicesEntriesToDelete(seList []*istiov1beta1.ServiceEntry, si *kubeslicev1beta1.ServiceImport) []*istiov1beta1.ServiceEntry {
 	exists := struct{}{}
 	dnsSet := make(map[string]struct{})
-	toDelete := []istiov1beta1.ServiceEntry{}
+	toDelete := []*istiov1beta1.ServiceEntry{}
 
 	for _, e := range si.Status.Endpoints {
 		dnsSet[e.DNSName] = exists
 	}
 
-	for _, si := range seList {
-		if _, ok := dnsSet[si.Spec.Hosts[0]]; !ok {
-			toDelete = append(toDelete, si)
+	for _, se := range seList {
+		if se != nil && len(se.Spec.Hosts) > 0 {
+			if _, ok := dnsSet[se.Spec.Hosts[0]]; !ok {
+				toDelete = append(toDelete, se)
+			}
 		}
 	}
 
@@ -190,7 +194,7 @@ func (r *Reconciler) DeleteIstioServiceEntries(ctx context.Context, serviceimpor
 	}
 
 	for _, se := range entries {
-		err = r.Delete(ctx, &se)
+		err = r.Delete(ctx, se)
 		if err != nil {
 			return nil
 		}