From f97bdfd319773ddc79d5c5861b5d5cd91e6e6762 Mon Sep 17 00:00:00 2001 From: Trevor Nierman Date: Mon, 8 Jan 2024 16:17:43 -0600 Subject: [PATCH] Boilerplate: Update to a48d90919cb9a4fe3b4bbd51ac6ef71ea1b49ed6 Conventions: - openshift/golang-osd-operator: Update --- https://github.com/openshift/boilerplate/compare/0a69514b0c6b0cec124afb603ae2fd2e02ec7fcd...a48d90919cb9a4fe3b4bbd51ac6ef71ea1b49ed6 commit: c93835dd34f897e62b1ef5a88e1640fb9774850b author: Supreeth Basabattini fix: Invalid option reference commit: ece25ada17378a38dff53847d7ed21132c0caf6d author: Supreeth Basabattini TOC added commit: 75e862e6b6fc86ca7df41fcc9612929247cd8d6d author: Supreeth Basabattini Docs added + cleanup commit: ece978220f0ccdbb00b45f703a2cec01d32d1448 author: Supreeth Basabattini feat: introduce OLM Skiprange commit: cc80888d2bee2552168a9a285d27656e13c5fae5 author: Ritu Mundhe Added env var to osde2e pod template commit: 5d593fd53f826d2886e2086b9adba67caed868ac author: Supreeth Basabattini Make image digest generation modular Removed redundant lines commit: e124c758f491297ef6d9f273296875786bf12008 author: Supreeth Basabattini feat: Support multiple deployments commit: 1b054708852bc2404e830b7a16d66dfbd4ba258f author: Michael Shen Correctly select base image for AppSRE build process Signed-off-by: Michael Shen commit: 9183ddafe84cb0f4f571d836a116edb2bef6d558 author: Michael Shen We need to stay on RHEL 8 for compatible GCC versions Signed-off-by: Michael Shen commit: 38335348c70c453c83a3a4b37cef0bd1a4201b68 author: Michael Shen use image-v4.0.0 in .ci-operator Signed-off-by: Michael Shen commit: 26fbdba3ef571cf413520ef221458c0e2bed6d23 author: Michael Shen Create boilerplate v4.0.0 to support Go 1.20 OCP 4.14 is using Go 1.20 and we need to be able to support it when we pull in dependencies from OCP. 
Signed-off-by: Michael Shen commit: 741bd9fc3f5640865015f72966a214d1eaed6715 author: Trevor Nierman OSD-18002 - Prevent operator commit reverts commit: 333fc3eb933631294c2a1ad44df1b441b0c20825 author: Christoph Blecker Update boilerplate SREP TL list commit: e1409eabf6deecff9649d4c8e250417accb56d70 author: Ravi Trivedi Updating Hulk members and FL list commit: b79dfcb57358bd3a04b063e6b57fc189e30595e9 author: Michael Shen Accept the latest ubi-minimal version Specifically, version differences after the last period were previously excluded from consideration. Signed-off-by: Michael Shen commit: 889a9f5aef2b89750d7bafdea6e146213db7d944 author: Karthik Perumal Update OWNERS_ALIASES with recent team changes (#311) * Update OWNERS_ALIASES with recent team changes * Add Sam to FL list commit: 60617bc64af03d910d8554957a262c8c0a16f114 author: Ritu Mundhe sdcicd-1139 added osde2e tekton job openshift template generation (#309) * sdcicd-1139 added osde2e job template generation * added operator name to job name in e2e template to distinguish from other jobs * nit - fix "hyphen" to "underscore" commit: 8512a74b52ed9d3f1d0a1852713821c9000114ba author: Michael Shen Do not need to surround yq string with single quotes Signed-off-by: Michael Shen commit: 24fdf68d0161e7ee131f45e0e7ffb8e6da7ef8b7 author: Michael Shen Increment ci image to image-v3.0.6 Signed-off-by: Michael Shen commit: d6a0b5760288c815c9ce8a2eeda497146ea36eff author: Michael Shen quay.io/app-sre/yq:4 has entrypoint yq Signed-off-by: Michael Shen commit: bc1c1eb68a02b3f6b7e1c4f5767ff6d65f035fc2 author: Ritu Mundhe push latest harness tag commit: 655fe58dc9700dabff94752ff8ecbf765f41804a author: Michael Shen golang-osd-operator: optionally generate operator manifests using kustomize 
Signed-off-by: Michael Shen commit: 3406777ae7fc1bd0cc5bba1758b904f056a6e77a author: Michael Shen Update boilerplate image to us yq:v4.34.2 This commit removes yq:v3 dependencies for the subscriber script within boilerplate as well as the golang-osd-operator's csv-generate script by refactoring the yq commands to use the yq:v4 syntax. Signed-off-by: Michael Shen commit: 816e2ffebdd62ec7a65b45a70bcb1eb2aec63add author: Michael Shen Add govulncheck to the boilerplate image This will be included in v3.0.5 Signed-off-by: Michael Shen commit: 092b2f7156ddf8680441795c5bc126f74f6a4cd2 author: Michael Shen Fix bug with printing output in Makefiles Signed-off-by: Michael Shen commit: cd0e87c2b4a8dcdae6da431074f23d12d38797de author: Michael Shen Bump base image to v3.0.4 in CI Signed-off-by: Michael Shen commit: 022aa906a5057339081b66ac103dd836858fcb1d author: Michael Shen Enable GOEXPERIMENT=strictfipsruntime This ensures that the binary will fail to run if running in a non-FIPS Compliant environment when built with FIPS_ENABLED=true. GOEXPERIMENT=strictfipsruntime is not supported by Go generally and is something that Red Hat is supporting in our own fork. Red Hat's fork of Go is currently in registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.19-openshift-4.12 which will allow this to work. When building locally, developers should set FIPS_ENABLED=false to get around this. Therefore, also rebuilding this image which has the patched Go containing remediations for CVE-2023-3089 Signed-off-by: Michael Shen commit: b50f89b062d2803e22cb695bc276dbe751126e44 author: Michael Shen CGO_ENABLED=1 for FIPS compliance Enforce that any ubi images are using ubi8/ubi-minimal This is our agreed upon way to ensure FIPS compliance for now https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant 
Signed-off-by: Michael Shen commit: b8471722f97446ecb928f969d4452a9166b55fad author: Michael Shen Fix bugs preventing registry from running in fips mode registry.redhat.io/openshift4/ose-operator-registry:v4.12 is the OCP released image that has more guarantees about its release process and ubi-micro needs OpenSSL to be available in order to run in fips mode. Signed-off-by: Michael Shen commit: ff00526298e00331b92697d83d11569d8a0519ed author: Ritu Mundhe sdcicd-926 harness image versioning commit: e6dd946dc128b4c0a2354bb0221e60c713d29d35 author: Michael Shen Update after shift between rocket and security Signed-off-by: Michael Shen commit: e54dfc24bf74099164f165a01c756f188224bc50 author: Ritu Mundhe dockerfile template fix commit: 6699b052ab9e59f909b8424b538d77be19ef100e author: Michael Shen Allow generation of embedded ObjectMeta in CRDs This will allow for using metav1.ObjectMeta's in nested fields. Without this option, the generated metadata field is non-functional as described in https://github.com/kubernetes-sigs/controller-tools/pull/557. 
Signed-off-by: Michael Shen Co-authored-by: Alice Hubenko commit: cac1395fbae95d2dc43aeeec649dc46c04d065c4 author: Bo Meng update owners commit: 4c6d460e088fc7520d58cfeb2e5f457228b6ec13 author: Ritu Mundhe fixed hardcoded operator namein osde2e convention template commit: 56ec373e5d204115567d6a399e8cbfcdb71669cb author: Ryan Williams Replace addon with operator name for osde2e boilerplate This commit modifies the following: * Rename the junit output filename to include operator name * Update readme to remove the word "addon" commit: a000622561d57cefe749978b6505be030f3114bb author: Ritu Mundhe renamed test tags from "integration" to "osde2e" for specificity commit: bbb667c6d0ad14399c2e572acab68dd01ffa3f18 author: Dustin Row Exclude build/Dockerfile* from initial git status check commit: 7a16980d213b68b1a982ae3a710a5cee4b983491 author: Ritu Mundhe fix: escaped quote in template commit: ba40cfc5f02b30b6f9c4d1f420c14da7edd8a6c3 author: Ritu Mundhe osde2e dockerfile contains building ginkgo binary (#284) * osde2e dockerfile contains building ginkgo binary * Update ubi version Co-authored-by: Michael Shen * Update go base image version Co-authored-by: Michael Shen --------- Co-authored-by: Michael Shen commit: 023d6fc8e9714428c149c7c1343e24b53449f4bd author: Ritu Mundhe reverting docker registry credentials for test-harness for app-interface commit: 50a4abf7890faa6bdbda0faa03cde25b5ba64be0 author: Ritu Mundhe updating docker registry credentials for test-harness for ci-operator commit: b2e3e1b90c2e5a60020cba909d2112b76021f201 author: Diego Santamaria Swap sed command delimiter I believe this will explode because $TEST_IMAGE contains /s. I would use some other delimiter for that sed command -- one that can't appear in a URI -- e.g.: Co-authored-by: Eric Fried <2uasimojo@users.noreply.github.com> Remove project.mk commit: 7adb0b88cea0e8527b4d32ddeb9c5425e83aa7a3 author: Diego Santamaria Swap sed command delimiter I believe this will explode because $TEST_IMAGE contains /s. 
I would use some other delimiter for that sed command -- one that can't appear in a URI -- e.g.: Co-authored-by: Eric Fried <2uasimojo@users.noreply.github.com> commit: 19ae2a423b085b1ae0b650374570da1784a8daa3 author: Diego Santamaria Add acceptance Test convention commit: f9e6c350556d9d5845babbb46686639a01945d03 author: Diego Santamaria Initial Commit for PD boiletPlate commit: 479ec3635d761fb91a59a884ef6bc29be8a15470 author: Christoph Blecker Revert yq/python version bump commit: 999bf51ca03b8add6de2f6cb83971c5c5a95bb93 author: Christoph Blecker Remove tag-check exemption for config/Dockerfile commit: f77a7379f0bef64b0eab6163f91e87bdd67f8b34 author: Christoph Blecker Bump base image to v3.0.3 commit: 56d013c17a42b259a88e987ed6798d0fdc2f2c2a author: Christoph Blecker Hard code default branch commit: fc2e7a8d1eb5dda50f086e0f16059957352defba author: Christoph Blecker Remove prescriptive URL from config/Dockerfile commit: 82d19adadc2857c2359a8890631c081ac2824bda author: Christoph Blecker Rev boilerplate image to v3.0.3 commit: 46c46423d7f2df00731fbdcf3573773becd7c9e7 author: Christoph Blecker Don't check tag-check or config/Dockerfile when checking for a tag commit: ecfd17b4fed6a4aea80d5bdc551de7350a4d6fd8 author: Christoph Blecker Add skopeo to boilerplate image commit: de1f8d8aa7af04115fa2da8751c2d6a1f4227ddb author: Christoph Blecker Don't fail validate on changes to build/Dockerfile* commit: 4b929d2cb15df8fd9100797f39d67cdfa5dea0ab author: Christoph Blecker Always pull fresh images in our build pipeline commit: 89eaae4e4f08b7c1c4d4c168a64a1f6e2d6424e2 author: Christoph Blecker Write olm-registry dockerfile so that it can be updated by dependabot commit: 31dea5e0c0d561897eec99b72041b31a95e92e19 author: Ritu Mundhe Adding necessary "Test" prefix to e2e test runner function commit: 33deebe8c9f86d86aa773c9546d1545d06d0397c author: Ritu Mundhe whitespace cleanup commit: 09b943656d3d41ed617178935e3807c1e2922e3e author: Ritu Mundhe moved test files to osde2e base dir. 
Other minor fixes. (#270) * moved test files to osde2e base dir. Other minor fixes. * removed ginkgo.Recover() per https://github.com/openshift/boilerplate/issues/269 commit: 08d5b433772ca42a7b541e6b31a0a0050d6b1d59 author: Dustin Row Scope GO vars per make target instead of global commit: 6f0542f471fbf37ced9e909a2e5bb29e7c1ac47e author: Ritu Mundhe renamed packagename without underscore commit: c1321df3f70091c8492dd4ce2cca4ba2ca49baaf author: Ritu Mundhe removing default target from osde2e convention commit: 7ceb63b0dcc24fdb829f652b943b414c5ffdc335 author: Dustin Row Rename osde2e convention commit: 566848f4eb17890aac7401536167e81e7642f037 author: Ritu Mundhe reverted dynamic var eval commit: 483a87cd016b84879adac3997d2af5806041bc26 author: Ritu Mundhe renamed variable conflicting with other convention dirs commit: b181cee588fa3373172fefbb5da1e7d5c2585f54 author: Ritu Mundhe added note about exclusive use by operators. commit: ff36e6cb4fb3f33cf26d34d38a4283de8cbd0b25 author: Ritu Mundhe convention renamed to focus on operators commit: f2283ca508e2f9af2e1f1d08e86051aefdad0386 author: Ritu Mundhe SDCICD-917 Added boilerplate for osde2e test harness (#262) * SDCICD-917 Added boilerplate for osde2e test harness * SDCICD-917 Moved into new osde2e dedicated convention * convention name commit: 56a55bd887dd24422f3b535cebda0ad3f9e8ac16 author: Michael Shen Update golangci-lint and removing deprecated checks: varcheck, structcheck, and deadcode 
Signed-off-by: Michael Shen commit: f107cf95439ba3b90f3ad374f57a76e376b32c18 author: Ritu Mundhe SDCICD-854 adding /osde2e framework to operators. Need to exclude this folder from unit tests. commit: e86e8f484d2329dec8a0cabf9226d042d06d6c64 author: Christoph Blecker Remove deprecated lint checks commit: 8e970fe54984a8a3a4c674d4c96408413222b81f author: Christoph Blecker Fix containerized commands with podman on darwin commit: 282cad375410596eec181561b7a8b83b34944e0a author: Dustin Row Fix typo in name of OWNERS_ALIASES file commit: d6092c90093e6c7d49b5a7c703032002bd131a65 author: Dustin Row Add OWNER_ALIASES to golang-osd-operators commit: 1dae753a7765e57f27c028b738724ec34e723612 author: Dustin Row Remove trailing floating point adhere to MAJOR.MINOR-PATCH semver format commit: e254c36cd75db800235fa95c442871197cd4df24 author: Dustin Row Add dependabot configuration for OSD Operators and update Dockerfile commit: 87aee11f1a1f71b10ace91ba24c59773a0cb1ccc author: Christoph Blecker shallow clone release repo commit: 03d949e8c702b881535147d8662b371910211a29 author: Eric Fried Add mjlshen to OWNERS commit: 96624bfad5a806635da9200c20b2debcd075b391 author: Michael Shen Increment boilerplate image-v3.0.2 to speedup CI Signed-off-by: Michael Shen commit: 0acfd19f21ba3e6b283a1812e0fcae4d9328785b author: Michael Shen Increment boilerplate image-v3.0.1 to get jq in the image Signed-off-by: Michael Shen commit: 6d0572cec2e00a4d853f80d4a179379c4bf7938c author: Michael Shen Add the new go:build syntax for go fmt Signed-off-by: Michael Shen commit: ba65c303d06b8f5d47b113da66bea82745aefdc6 author: Michael Shen Set GOEXPERIMENT=boringcrypto to enable fips moving forward https://go.googlesource.com/go/+/refs/heads/dev.boringcrypto/README.boringcrypto.md Signed-off-by: Michael Shen commit: b85907a270357cef0599f678cae7f71aa007f8ff author: Michael Shen Update documentation around updating image tags 
Signed-off-by: Michael Shen commit: 8637d3dae8ae644b87a922b31594305f3cc0c13c author: Michael Shen Remove old operator-sdk logic Signed-off-by: Michael Shen commit: 56c1793ab4be2b5d5d7ed88b1f63bbc580980422 author: Michael Shen Release boilerplate v3.0.0 for Operator-SDK v1.25.0, Go 1.19 Signed-off-by: Michael Shen commit: 94825f3cf075658be2cac702c0b64e6f037ef7c4 author: Andrew Pantuso fix: fix opm-build-push to use proper container engine name commit: 7c59357bf444030bc731acac184fed2aa8a2bf1a author: Andrew Pantuso fix: bump OPM version for opm-build-push commit: 7d3fe8364cdae48e94201f63d57ff20e0e470ed7 author: Andrew Pantuso fix: permit docker with config option for opm-build-push commit: 08bf780089af601a3554931e1342d81238286396 author: klin update ubi image tag commit: 93bb8c3b6f9636c582f4b1e642f259cf569283ab author: klin update ubi image commit: efe22eed1a95a5820f9011c979e8bc25933f2587 author: Supreeth Basabattini Add container-make targets commit: b8febb30962c92e9406143e24292249d38bc5064 author: Michael Shen Make env var optional for operator containers 
Signed-off-by: Michael Shen commit: 6f0a5c1385f7b48ff30f7ae49cfbddee775ab88a author: Ravi Trivedi Ignoring autogenerated zz files for codecov commit: b2b57ed9f0d2ebe75dfeea3bb13d360aba460d8a author: Ravi Trivedi Ignoring mock clients for codecov commit: 9520d29ded3d9dda08172165e6e15bc31a72ce4c author: Matt Bargenquast Set main package to base dir in new SDK commit: 350f8631ecf20a852b82a0f90b7bcfea8ff19845 author: Antony Natale OSD-12367: update to fix skopeo version dependency (#236) * update to fix skopeo version dependency * typo fix * typo fix commit: 4c70ca1b4f70da2a3a4606e37bf0d2caa23dc120 author: Antony Natale fix quoting commit: b6c8caca3763c7d3b85783b327f29afbaecaaffb author: Antony Natale added more error checking commit: f6c47f83a2fff43c027d22ff2c93e56496f8e27f author: Antony Natale added other commented fixes from last PR commit: b71e2da17b3d1eb344b57ce6dad8637ac71561ff author: Antony Natale fixes error check on opm command commit: 7db0538e630305a5ba047aa7ceef7bd78adb8f86 author: Antony Natale OSD-11742, OSD-12367 - bug and CVE fixes for catalog operators (#234) * base changes and logic set, needs polishing * adds printout of first run, undos changes made for local testing * update custom catalog makefile to match golang and better handle podman vs docker * fix typos and clean up * made suggested changes * remove unwanted testing values commit: 79cb8136e506524e740d78aff414e419415017ea author: Alex Vulaj Only remove for darwin/mac commit: 21b4ed75091749567ff9f53367e4303f850a0ef5 author: Alex Vulaj Remove :Z mount option for podman in container-make commit: fe734d5a42331418c0630cfe1e86221e8e995320 author: Eric Fried Fix golang-lint README It touted the wrong `make` target name. 
commit: 7c5112a0a8e3d187f56384efac222200b9b10244 author: Benjamin Dematteo Fixing the variable assignment commit: 1a05b3e6572eb37bd2098267287afc3dc35dead9 author: Supreeth Basabattini Automate migration to an extent commit: 31bf3b7e35fc1f900aa7e1d8ae61e7c209182181 author: Ron Green feat(golangci): add gosec per ticket OSD-10161, this change should be running via CI on all osd operators. this way we are always compliant to the gosec (as we have done one audit a forever ago and cleaned issues this change should get approval before merging as this might cause initial work to upgrade to this version of boilerplate --- .ci-operator.yaml | 2 +- .codecov.yml | 4 + .docker/config.json | 1 + .github/dependabot.yml | 14 ++ OWNERS_ALIASES | 82 +++++++++++ boilerplate/_data/backing-image-tag | 2 +- boilerplate/_data/last-boilerplate-commit | 2 +- boilerplate/_lib/container-make | 8 +- boilerplate/_lib/freeze-check | 6 +- boilerplate/_lib/release.sh | 2 +- boilerplate/_lib/subscriber-report | 1 - boilerplate/_lib/subscriber.sh | 6 +- .../golang-osd-operator/.codecov.yml | 4 + .../Dockerfile.olm-registry | 22 +++ .../golang-osd-operator/OWNERS_ALIASES | 82 +++++++++++ .../openshift/golang-osd-operator/README.md | 58 ++++++-- .../golang-osd-operator/build-opm-catalog.sh | 2 +- .../golang-osd-operator/configure-fips.sh | 2 +- .../csv-generate/catalog-build.sh | 28 +--- .../common-generate-operator-bundle.py | 76 +++++++--- .../csv-generate/common.sh | 21 +++ .../csv-generate/csv-generate.mk | 6 +- .../csv-generate/csv-generate.sh | 52 ++++--- .../golang-osd-operator/dependabot.yml | 14 ++ .../openshift/golang-osd-operator/ensure.sh | 2 +- .../golang-osd-operator/fips.go.tmplt | 1 + .../golang-osd-operator/golangci.yml | 4 +- .../openshift/golang-osd-operator/project.mk | 7 + .../openshift/golang-osd-operator/standard.mk | 132 ++++++++++++------ .../openshift/golang-osd-operator/update | 40 +++++- build/Dockerfile | 4 +- build/Dockerfile.olm-registry | 22 +++ 32 files changed, 563 
insertions(+), 146 deletions(-) create mode 100644 .docker/config.json create mode 100644 .github/dependabot.yml create mode 100644 OWNERS_ALIASES create mode 100644 boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry create mode 100644 boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES create mode 100644 boilerplate/openshift/golang-osd-operator/dependabot.yml create mode 100644 build/Dockerfile.olm-registry diff --git a/.ci-operator.yaml b/.ci-operator.yaml index 22d2bf05..4f56e301 100644 --- a/.ci-operator.yaml +++ b/.ci-operator.yaml @@ -1,4 +1,4 @@ build_root_image: name: boilerplate namespace: openshift - tag: image-v2.3.2 + tag: image-v4.0.2 diff --git a/.codecov.yml b/.codecov.yml index 844b447e..ba05647a 100644 --- a/.codecov.yml +++ b/.codecov.yml @@ -24,3 +24,7 @@ comment: layout: "reach,diff,flags,tree" behavior: default require_changes: no + +ignore: + - "**/mocks" + - "**/zz_generated*.go" diff --git a/.docker/config.json b/.docker/config.json new file mode 100644 index 00000000..0967ef42 --- /dev/null +++ b/.docker/config.json @@ -0,0 +1 @@ +{} diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..004cb068 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,14 @@ +version: 2 +updates: + - package-ecosystem: "docker" + directory: "/build" + labels: + - "area/dependency" + - "ok-to-test" + schedule: + interval: "weekly" + ignore: + - dependency-name: "app-sre/boilerplate" + # don't upgrade boilerplate via these means + - dependency-name: "openshift4/ose-operator-registry" + # don't upgrade ose-operator-registry via these means diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES new file mode 100644 index 00000000..ecc0d0ad --- /dev/null +++ b/OWNERS_ALIASES 
@@ -0,0 +1,82 @@
+# ================================ DO NOT EDIT ================================
+# This file is managed in https://github.com/openshift/boilerplate
+# See the OWNERS_ALIASES docs: https://git.k8s.io/community/contributors/guide/owners.md#OWNERS_ALIASES
+# =============================================================================
+aliases:
+ srep-functional-team-aurora:
+ - abyrne55
+ - bdematte
+ - boranx
+ - dakotalongRH
+ - lnguyen1401
+ - luis-falcon
+ - rafael-azevedo
+ srep-functional-team-fedramp:
+ - tonytheleg
+ - theautoroboto
+ - rhdedgar
+ - katherinelc321
+ - robotmaxtron
+ - rojasreinold
+ srep-functional-team-hulk:
+ - a7vicky
+ - rendhalver
+ - ravitri
+ - shitaljante
+ - weherdh
+ - devppratik
+ srep-functional-team-orange:
+ - bng0y
+ - typeid
+ - Makdaam
+ - Nikokolas3270
+ - ninabauer
+ - RaphaelBut
+ - Tessg22
+ srep-functional-team-rocket:
+ - aliceh
+ - anispate
+ - bdmiller3
+ - clcollins
+ - mjlshen
+ - tnierman
+ - yithian
+ srep-functional-team-security:
+ - gsleeman
+ - jaybeeunix
+ - sam-nguyen7
+ - wshearn
+ srep-functional-team-thor:
+ - bmeng
+ - MitaliBhalla
+ - hectorakemp
+ - feichashao
+ - Tafhim
+ - samanthajayasinghe
+ srep-functional-team-v1alpha1:
+ - iamkirkbater
+ - AlexVulaj
+ - T0MASD
+ - bergmannf
+ - dkeohane
+ - reedcort
+ - mrWinston
+ srep-functional-leads:
+ - rafael-azevedo
+ - iamkirkbater
+ - bng0y
+ - tonytheleg
+ - bmeng
+ - mjlshen
+ - sam-nguyen7
+ - ravitri
+ srep-team-leads:
+ - NautiluX
+ - rogbas
+ - fahlmant
+ - dustman9000
+ - wanghaoran1988
+ srep-architects:
+ - jewzaam
+ - jharrington22
+ - cblecker
diff --git a/boilerplate/_data/backing-image-tag b/boilerplate/_data/backing-image-tag
index bb65150a..041381eb 100644
--- a/boilerplate/_data/backing-image-tag
+++ b/boilerplate/_data/backing-image-tag
@@ -1 +1 @@
-image-v2.3.2
+image-v4.0.2
diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit
index 1f4cbe9f..64b6216d 100644
--- a/boilerplate/_data/last-boilerplate-commit +++ b/boilerplate/_data/last-boilerplate-commit @@ -1 +1 @@ -0a69514b0c6b0cec124afb603ae2fd2e02ec7fcd +a48d90919cb9a4fe3b4bbd51ac6ef71ea1b49ed6 diff --git a/boilerplate/_lib/container-make b/boilerplate/_lib/container-make index 08850cea..e847e3a8 100755 --- a/boilerplate/_lib/container-make +++ b/boilerplate/_lib/container-make @@ -19,10 +19,14 @@ CONTAINER_MOUNT=/go/src/$(repo_import $REPO_ROOT) # First set up a detached container with the repo mounted. banner "Starting the container" +CE_OPTS="--platform=linux/amd64" if [[ "${CONTAINER_ENGINE##*/}" == "podman" ]]; then - CE_OPTS="--userns keep-id -v $REPO_ROOT:$CONTAINER_MOUNT:Z" + CE_OPTS="${CE_OPTS} --userns keep-id" +fi +if [[ "${CONTAINER_ENGINE##*/}" == "podman" ]] && [[ $OSTYPE == *"linux"* ]]; then + CE_OPTS="${CE_OPTS} -v $REPO_ROOT:$CONTAINER_MOUNT:Z" else - CE_OPTS="-v $REPO_ROOT:$CONTAINER_MOUNT" + CE_OPTS="${CE_OPTS} -v $REPO_ROOT:$CONTAINER_MOUNT" fi container_id=$($CONTAINER_ENGINE run -d ${CE_OPTS} $IMAGE_PULL_PATH sleep infinity) diff --git a/boilerplate/_lib/freeze-check b/boilerplate/_lib/freeze-check index 88c91bbd..080629f5 100755 --- a/boilerplate/_lib/freeze-check +++ b/boilerplate/_lib/freeze-check @@ -35,7 +35,7 @@ BOILERPLATE_GIT_REPO=https://github.com/openshift/boilerplate.git # and reapply the diff? Messy and error-prone -- and I would be # seriously ticked off if something went wrong and lost my in-flight # changes. -if ! [ -z "$(git status --porcelain)" ]; then +if ! [ -z "$(git status --porcelain -- ':!build/Dockerfile*')" ]; then echo "Can't validate boilerplate in a dirty repository. Please commit your changes and try again." >&2 exit 1 fi 
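Review bot: `CE_OPTS` is built up as a flat string and expanded unquoted in the `$CONTAINER_ENGINE run -d ${CE_OPTS}` context line, so a `REPO_ROOT` containing whitespace or glob characters is split into extra `run` arguments instead of staying inside the `-v` mount spec. The script already uses `[[ ]]`, so a bash array keeps each option intact. A one-line comment on the `:Z` branch saying that it relabels the mounted checkout for SELinux, and is therefore limited to Linux hosts, would also explain the new `$OSTYPE` test. The script continues outside this hunk.

```shell
# … unchanged: banner "Starting the container" …
CE_OPTS=(--platform=linux/amd64)
if [[ "${CONTAINER_ENGINE##*/}" == "podman" ]]; then
    CE_OPTS+=(--userns keep-id)
fi
if [[ "${CONTAINER_ENGINE##*/}" == "podman" ]] && [[ $OSTYPE == *"linux"* ]]; then
    # :Z relabels the mounted checkout for SELinux; only applies on Linux hosts
    CE_OPTS+=(-v "$REPO_ROOT:$CONTAINER_MOUNT:Z")
else
    CE_OPTS+=(-v "$REPO_ROOT:$CONTAINER_MOUNT")
fi
container_id=$($CONTAINER_ENGINE run -d "${CE_OPTS[@]}" "$IMAGE_PULL_PATH" sleep infinity)
```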
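Review bot: The `':!build/Dockerfile*'` exclusion added to the dirty-repository check here, and twice more in the following `@@ -70,9 +70,9 @@` hunk, means the freeze check no longer notices edits to any `build/Dockerfile*`, which per the diffstat includes the boilerplate-managed `build/Dockerfile.olm-registry`. Nothing next to the pathspec says why, so I would add a comment above the check such as `# build/Dockerfile* is excluded on purpose: base-image bumps there may diverge from boilerplate` (the intent is inferred from the commit list and should be confirmed). The pathspec is resolved relative to the current directory; the later hunk runs after `cd $REPO_ROOT`, but the working directory at this point is not visible in the hunk, so `':(top,exclude)build/Dockerfile*'` would make the exclusion independent of where the script is invoked.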
@@ -70,9 +70,9 @@ cd $REPO_ROOT BOILERPLATE_GIT_CLONE="git clone $TMPD" boilerplate/update # Okay, if anything has changed, that's bad. -if [[ $(git status --porcelain | wc -l) -ne 0 ]]; then +if [[ $(git status --porcelain -- ':!build/Dockerfile*' | wc -l) -ne 0 ]]; then echo "Your boilerplate is dirty!" >&2 - git status --porcelain + git status --porcelain -- ':!build/Dockerfile*' exit 1 fi diff --git a/boilerplate/_lib/release.sh b/boilerplate/_lib/release.sh index 3ce9c4b3..3a98c935 100755 --- a/boilerplate/_lib/release.sh +++ b/boilerplate/_lib/release.sh @@ -97,7 +97,7 @@ release_prep_clone() { # If a release repo clone wasn't specified, create one if [[ -z "$RELEASE_CLONE" ]]; then RELEASE_CLONE=$(mktemp -dt openshift_release_XXXXXXX) - git clone git@github.com:${RELEASE_REPO}.git $RELEASE_CLONE + git clone --depth=1 git@github.com:${RELEASE_REPO}.git $RELEASE_CLONE else [[ -z "$(git -C $RELEASE_CLONE status --porcelain)" ]] || err " Your release clone must start clean." diff --git a/boilerplate/_lib/subscriber-report b/boilerplate/_lib/subscriber-report index 3150302d..022b27dc 100755 --- a/boilerplate/_lib/subscriber-report +++ b/boilerplate/_lib/subscriber-report @@ -11,4 +11,3 @@ SUBCOMMANDS=( ) source $REPO_ROOT/boilerplate/_lib/subscriber.sh - diff --git a/boilerplate/_lib/subscriber.sh b/boilerplate/_lib/subscriber.sh index 62ddcaaa..23214f2b 100644 --- a/boilerplate/_lib/subscriber.sh +++ b/boilerplate/_lib/subscriber.sh 
@@ -69,13 +69,11 @@ SUBSCRIBERS_FILE=$REPO_ROOT/subscribers.yaml # all: Prints all subscribers # onboarded: Prints only onboarded subscribers subscriber_list() { - local filt case $1 in - all) filt='[*]';; + all) yq '.subscribers[] | .name' $SUBSCRIBERS_FILE;; # TODO: Right now subscribers are only "manual". - onboarded) filt='(conventions.**.status==manual)';; + onboarded) yq '.subscribers[] | select(.conventions[].status == "manual") | .name' $SUBSCRIBERS_FILE;; esac - yq r $SUBSCRIBERS_FILE "subscribers${filt}.name" } ## last_bp_commit ORG/PROJ diff --git a/boilerplate/openshift/golang-osd-operator/.codecov.yml b/boilerplate/openshift/golang-osd-operator/.codecov.yml index 844b447e..ba05647a 100644 --- a/boilerplate/openshift/golang-osd-operator/.codecov.yml +++ b/boilerplate/openshift/golang-osd-operator/.codecov.yml @@ -24,3 +24,7 @@ comment: layout: "reach,diff,flags,tree" behavior: default require_changes: no + +ignore: + - "**/mocks" + - "**/zz_generated*.go" diff --git a/boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry b/boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry new file mode 100644 index 00000000..b1200088 --- /dev/null +++ b/boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry @@ -0,0 +1,22 @@ +FROM registry.redhat.io/openshift4/ose-operator-registry:v4.12 AS builder +ARG SAAS_OPERATOR_DIR +COPY ${SAAS_OPERATOR_DIR} manifests +RUN initializer --permissive + +# ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available +FROM registry.access.redhat.com/ubi8/ubi-minimal:latest + +COPY --from=builder /bin/registry-server /bin/registry-server +COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe +COPY --from=builder /bin/initializer /bin/initializer + +WORKDIR /registry +RUN chgrp -R 0 /registry && chmod -R g+rwx /registry + +USER 1001 + +COPY --from=builder /registry /registry + +EXPOSE 50051 + +CMD ["registry-server", "-t", "/tmp/terminate.log"] 
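Review bot: With the shared `yq r` call removed, `subscriber_list` now prints nothing and returns success for any argument other than `all` or `onboarded`, because the `case` has no default branch. A caller that passes a typo gets an empty subscriber list rather than an error; adding `*) echo "subscriber_list: unknown filter '$1'" >&2; return 1;;` makes that visible. Both new `yq` calls also expand `$SUBSCRIBERS_FILE` unquoted, and `"$SUBSCRIBERS_FILE"` avoids word splitting when `REPO_ROOT` contains spaces.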
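Review bot: The runtime stage is `FROM registry.access.redhat.com/ubi8/ubi-minimal:latest`, so each catalog image is built on whatever `latest` resolves to at build time and cannot be reproduced or audited afterwards. Pinning a version tag, ideally with a digest (`FROM registry.access.redhat.com/ubi8/ubi-minimal:<TAG>@sha256:<DIGEST>`, placeholders), would also give the docker dependabot updater added in this patch a concrete value to bump. `RUN chgrp -R 0 /registry && chmod -R g+rwx /registry` runs before `COPY --from=builder /registry /registry`, so it only touches the empty WORKDIR and the copied content keeps the builder stage's ownership and mode; if group access for an arbitrary UID is the intent, move that `COPY` above the `RUN`. A comment on `RUN initializer --permissive` saying why manifest load errors are tolerated would help, since permissive mode can let a bad bundle be dropped from the catalog without failing the build. The same applies to the `build/Dockerfile.olm-registry` copy listed in the diffstat.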
diff --git a/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES
new file mode 100644
index 00000000..ecc0d0ad
--- /dev/null
+++ b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES
@@ -0,0 +1,82 @@
+# ================================ DO NOT EDIT ================================
+# This file is managed in https://github.com/openshift/boilerplate
+# See the OWNERS_ALIASES docs: https://git.k8s.io/community/contributors/guide/owners.md#OWNERS_ALIASES
+# =============================================================================
+aliases:
+ srep-functional-team-aurora:
+ - abyrne55
+ - bdematte
+ - boranx
+ - dakotalongRH
+ - lnguyen1401
+ - luis-falcon
+ - rafael-azevedo
+ srep-functional-team-fedramp:
+ - tonytheleg
+ - theautoroboto
+ - rhdedgar
+ - katherinelc321
+ - robotmaxtron
+ - rojasreinold
+ srep-functional-team-hulk:
+ - a7vicky
+ - rendhalver
+ - ravitri
+ - shitaljante
+ - weherdh
+ - devppratik
+ srep-functional-team-orange:
+ - bng0y
+ - typeid
+ - Makdaam
+ - Nikokolas3270
+ - ninabauer
+ - RaphaelBut
+ - Tessg22
+ srep-functional-team-rocket:
+ - aliceh
+ - anispate
+ - bdmiller3
+ - clcollins
+ - mjlshen
+ - tnierman
+ - yithian
+ srep-functional-team-security:
+ - gsleeman
+ - jaybeeunix
+ - sam-nguyen7
+ - wshearn
+ srep-functional-team-thor:
+ - bmeng
+ - MitaliBhalla
+ - hectorakemp
+ - feichashao
+ - Tafhim
+ - samanthajayasinghe
+ srep-functional-team-v1alpha1:
+ - iamkirkbater
+ - AlexVulaj
+ - T0MASD
+ - bergmannf
+ - dkeohane
+ - reedcort
+ - mrWinston
+ srep-functional-leads:
+ - rafael-azevedo
+ - iamkirkbater
+ - bng0y
+ - tonytheleg
+ - bmeng
+ - mjlshen
+ - sam-nguyen7
+ - ravitri
+ srep-team-leads:
+ - NautiluX
+ - rogbas
+ - fahlmant
+ - dustman9000
+ - wanghaoran1988
+ srep-architects:
+ - jewzaam
+ - jharrington22
+ - cblecker
diff --git a/boilerplate/openshift/golang-osd-operator/README.md b/boilerplate/openshift/golang-osd-operator/README.md index 4b41791e..690eb038 100644 --- a/boilerplate/openshift/golang-osd-operator/README.md +++ b/boilerplate/openshift/golang-osd-operator/README.md @@ -8,12 +8,16 @@ - [Code coverage](#code-coverage) - [Linting and other static analysis with `golangci-lint`](#linting-and-other-static-analysis-with-golangci-lint) - [Checks on generated code](#checks-on-generated-code) + - [FIPS](#fips-federal-information-processing-standards) + - [Additional deployment support](#additional-deployment-support) + - [OLM SkipRange](#olm-skiprange) This convention is suitable for both cluster- and hive-deployed operators. The following components are included: ## `make` targets and functions. + **Note:** Your repository's main `Makefile` needs to be edited to include the "nexus makefile include": @@ -28,7 +32,7 @@ following: ### Prow | Test name / `make` target | Purpose | -|---------------------------|-----------------------------------------------------------------------------------------------------------------| +| ------------------------- | --------------------------------------------------------------------------------------------------------------- | | `validate` | Ensure code generation has not been forgotten; and ensure generated and boilerplate code has not been modified. | | `lint` | Perform static analysis. | | `test` | "Local" unit and functional testing. | 
@@ -48,18 +52,26 @@ $ make RELEASE_CLONE=/home/me/github/openshift/release prow-config ``` This will generate a delta configuring prow to: + - Build your `build/Dockerfile`. - Run the above targets in presubmit tests. - Run the `coverage` target in a postsubmit. This is the step that updates your coverage report in codecov.io. #### Local Testing + You can run these `make` targets locally during development to test your code changes. However, differences in platforms and environments may lead to unpredictable results. Therefore boilerplate provides a utility to run targets in a container environment that is designed to be as similar as possible to CI: +```shell +$ make container-{target} +``` + +or + ```shell $ ./boilerplate/_lib/container-make {target} ``` @@ -72,8 +84,9 @@ By default it is configured to be run from the app-sre jenkins pipelines. Consult [this doc](app-sre.md) for information on local execution/testing. ## Code coverage + - A `codecov.sh` script, referenced by the `coverage` `make` target, to -run code coverage analysis per [this SOP](https://github.com/openshift/ops-sop/blob/93d100347746ce04ad552591136818f82043c648/services/codecov.md). + run code coverage analysis per [this SOP](https://github.com/openshift/ops-sop/blob/93d100347746ce04ad552591136818f82043c648/services/codecov.md). - A `.codecov.yml` configuration file for [codecov.io](https://docs.codecov.io/docs/codecov-yaml). Note that 
@@ -94,15 +107,17 @@ The convention embeds default checks to ensure generated code generation is curr To trigger the check, you can use `make generate-check` provided your Makefile properly includes the boilerplate-generated include `boilerplate/generated-includes.mk`. Checks consist of: -* Checking all files are committed to ensure a safe point to revert to in case of error -* Running the `make generate` command (see below) to regenerate the needed code -* Checking if this results in any new uncommitted files in the git project or if all is clean. + +- Checking all files are committed to ensure a safe point to revert to in case of error +- Running the `make generate` command (see below) to regenerate the needed code +- Checking if this results in any new uncommitted files in the git project or if all is clean. `make generate` does the following: -* generate crds and deepcopy via controller-gen. This is a no-op if your + +- generate crds and deepcopy via controller-gen. This is a no-op if your operator has no APIs. -* `openapi-gen`. This is a no-op if your operator has no APIs. -* `go generate`. This is a no-op if you have no `//go:generate` +- `openapi-gen`. This is a no-op if your operator has no APIs. +- `go generate`. This is a no-op if you have no `//go:generate` directives in your code. ## FIPS (Federal Information Processing Standards) @@ -112,6 +127,7 @@ To enable FIPS in your build there is a `make ensure-fips` target. Add `FIPS_ENABLED=true` to your repos Makefile. Please ensure that this variable is added **before** including boilerplate Makefiles. e.g. + ```.mk FIPS_ENABLED=true 
@@ -123,3 +139,29 @@ include boilerplate/generated-includes.mk `fips.go` will import the necessary packages to restrict all TLS configuration to FIPS-approved settings. With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build` + +## Additional deployment support + +- The convention currently supports a maximum of two deployments. i.e. The operator deployment itself plus an optional additional deployment. +- If an additional deployment image has to be built and appended to the CSV as part of the build process, then the consumer needs to: + - Specify `SupplementaryImage` which is the deployment name in the consuming repository's `config/config.go`. + - Define the image to be built as `ADDITIONAL_IMAGE_SPECS` in the consuming repository's Makefile, Boilerplate later parses this image as part of the build process; [ref](https://github.com/openshift/boilerplate/blob/master/boilerplate/openshift/golang-osd-operator/standard.mk#L56). + + e.g. + + ```.mk + # Additional Deployment Image + define ADDITIONAL_IMAGE_SPECS + build/Dockerfile.webhook $(SUPPLEMENTARY_IMAGE_URI) + end + ``` + - Ensure the CSV template of the consuming repository has the additional deployment name. + +## OLM SkipRange + +- OLM currently doesn't support cross-catalog upgrades. +- The convention standardizes the catalog repositories to adhere to the naming convention `${OPERATOR_NAME}-registry`. +- For an existing operator that has been deployed looking to onboard Boilerplate is a problem. Once deployed, for an existing operator to upgrade to the new Boilerplate-deployed operator which refers to the new catalog registry with `staging/production` channels, OLM needs to support cross-catalog upgrades. +- Cross catalog upgrades are only possible via [OLM Skiprange](https://v0-18-z.olm.operatorframework.io/docs/concepts/olm-architecture/operator-catalog/creating-an-update-graph/#skiprange). 
+- The consumer can explictly enable OLM SkipRange for their operator by specifying `EnableOLMSkipRange="true"` in the repository's `config/config.go`. +- If specified, the `olm.skipRange` annotation will be appended to the CSV during the build process creating an upgrade path for the operator. diff --git a/boilerplate/openshift/golang-osd-operator/build-opm-catalog.sh b/boilerplate/openshift/golang-osd-operator/build-opm-catalog.sh index 196d07a7..3bb8328c 100755 --- a/boilerplate/openshift/golang-osd-operator/build-opm-catalog.sh +++ b/boilerplate/openshift/golang-osd-operator/build-opm-catalog.sh @@ -309,7 +309,7 @@ function main() { opm_local_executable=$(setup_local_executable opm) grpcurl_local_executable=$(setup_local_executable grpcurl) engine_cmd=$(setup_authenticated_registry_command) - image_builder=$(basename "$CONTAINER_ENGINE") + image_builder=$(basename "$CONTAINER_ENGINE" | awk '{print $1}') check_opm_supported_container_engine "$image_builder" || return 1 diff --git a/boilerplate/openshift/golang-osd-operator/configure-fips.sh b/boilerplate/openshift/golang-osd-operator/configure-fips.sh index e506a00d..d0092551 100755 --- a/boilerplate/openshift/golang-osd-operator/configure-fips.sh +++ b/boilerplate/openshift/golang-osd-operator/configure-fips.sh @@ -15,4 +15,4 @@ fi echo "Writing fips file at $MAIN_DIR/fips.go" -cp $CONVENTION_DIR/fips.go.tmplt "$MAIN_DIR/fips.go" \ No newline at end of file +cp $CONVENTION_DIR/fips.go.tmplt "$MAIN_DIR/fips.go" diff --git a/boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh b/boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh index b4ca8382..904ef767 100755 --- a/boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh +++ b/boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh 
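Review bot: In the `build-opm-catalog.sh` hunk, `basename` still runs on the whole quoted `$CONTAINER_ENGINE` string before `awk` takes the first word, so the result is only correct while nothing after the engine name contains a `/`. `standard.mk` glues `--config=PATH` onto the engine for docker; with the current relative `.docker` this works, but a config path containing a slash would make `basename` return the tail of that path and `check_opm_supported_container_engine` would see the wrong name. Taking the first word before stripping the directory avoids this: `image_builder=$(basename "${CONTAINER_ENGINE%% *}")`. `main()` starts and ends outside this hunk.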
@@ -36,7 +36,7 @@ check_mandatory_params operator_channel operator_name # Parameters for the Dockerfile SAAS_OPERATOR_DIR="saas-${operator_name}-bundle" BUNDLE_DIR="${SAAS_OPERATOR_DIR}/${operator_name}" -DOCKERFILE_REGISTRY="Dockerfile.olm-registry" +DOCKERFILE_REGISTRY="build/Dockerfile.olm-registry" # Checking SAAS_OPERATOR_DIR exist if [ ! -d "${SAAS_OPERATOR_DIR}/.git" ] ; then @@ -61,31 +61,7 @@ channels: currentCSV: ${operator_name}.v${OPERATOR_NEW_VERSION} EOF -# Build registry -cat < $DOCKERFILE_REGISTRY -FROM quay.io/openshift/origin-operator-registry:4.10.0 AS builder -COPY $SAAS_OPERATOR_DIR manifests -RUN initializer --permissive - -FROM registry.access.redhat.com/ubi8/ubi-micro:8.5-836 - -COPY --from=builder /bin/registry-server /bin/registry-server -COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe -COPY --from=builder /bin/initializer /bin/initializer - -WORKDIR /registry -RUN chgrp -R 0 /registry && chmod -R g+rwx /registry - -USER 1001 - -COPY --from=builder /registry /registry - -EXPOSE 50051 - -CMD ["registry-server", "-t", "/tmp/terminate.log"] -EOF - -${CONTAINER_ENGINE} build --pull -f $DOCKERFILE_REGISTRY --tag "${registry_image}:${operator_channel}-latest" . +${CONTAINER_ENGINE} build --pull -f "${DOCKERFILE_REGISTRY}" --build-arg "SAAS_OPERATOR_DIR=${SAAS_OPERATOR_DIR}" --tag "${registry_image}:${operator_channel}-latest" . if [ $? -ne 0 ] ; then echo "docker build failed, exiting..." diff --git a/boilerplate/openshift/golang-osd-operator/csv-generate/common-generate-operator-bundle.py b/boilerplate/openshift/golang-osd-operator/csv-generate/common-generate-operator-bundle.py index c8bcf13f..e6b4a233 100755 --- a/boilerplate/openshift/golang-osd-operator/csv-generate/common-generate-operator-bundle.py +++ b/boilerplate/openshift/golang-osd-operator/csv-generate/common-generate-operator-bundle.py 
@@ -13,11 +13,8 @@ import datetime import os -import sys import yaml -import shutil import argparse -import string # The registry is pinned to version 4.7 and only the following resouces are permitted in # the bundle. The full list can be found at https://github.com/operator-framework/operator-registry/blob/release-4.7/pkg/lib/bundle/supported_resources.go#L4-L19 @@ -47,6 +44,8 @@ parser.add_argument("-p", "--previous-version", type=str, help="Semver of the version being replaced", required=False) parser.add_argument("-i", "--operator-image", type=str, help="Base index image to be used", required=True) parser.add_argument("-V", "--operator-version", type=str, help="The full version of the operator (without the leading `v`): {major}.{minor}.{commit-number}-{hash}", required=True) +parser.add_argument("-s", "--supplementary-image", type=str, help="Image of the supplementary deployment", required=False) +parser.add_argument("-e", "--skip-range-enabled", type=str, help="OLM skip range is enabled", required=False) args = parser.parse_args() OPERATOR_NAME = args.operator_name @@ -54,6 +53,10 @@ prev_version = args.previous_version operator_image = args.operator_image full_version = args.operator_version +supplementary_image = args.supplementary_image +skip_range_enabled=args.skip_range_enabled + +hasMultipleDeployments = False class UnsupportedRegistryResourceKind(Exception): def __init__(self, kind, path): @@ -70,11 +73,6 @@ class NoDeploymentFound(Exception): def __init__(self): super().__init__("At least one Deployment is required!") -class MultipleDeploymentsNotSupported(Exception): - def __init__(self, deployments): - super().__init__( - f"Multiple Deployments not supported! Found {len(deployments)}.") - class BindingsNotSupported(Exception): def __init__(self, bindings): super().__init__( 
@@ -88,6 +86,12 @@ def __init__(self, operator_name): f"Namespace not defined for operator {operator_name} in CSV template" ) +class UndefinedSupplementaryImage(Exception): + def __init__(self): + super().__init__( + f"Image has not been defined for the additional deployment" + ) + class NoAssociatedRoleBinding(Exception): def __init__(name, namespace): super.__init__( @@ -230,17 +234,21 @@ def trim_index(index, kind, item): if 'Deployment' not in by_kind: raise NoDeploymentFound() -# TODO: Should we support additional Deployments that aren't the operator -# Deployment? +# We support no more than two deployments if len(by_kind['Deployment']) > 1: - raise MultipleDeploymentsNotSupported(by_kind['Deployment']) + hasMultipleDeployments = True + +# Check if the supplementary image has been provided +if hasMultipleDeployments and not supplementary_image: + raise UndefinedSupplementaryImage() + ## Process CRDs if 'CustomResourceDefinition' in by_kind: csv['spec']['customresourcedefinitions'] = {'owned': []} for crd in by_kind.get('CustomResourceDefinition', []): log_resource(crd) - + # And register the CRD as "owned" in the CSV for version in crd["spec"]["versions"]: csv['spec']['customresourcedefinitions']['owned'].append( 
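Review bot: The new check in the second hunk only tests `len(by_kind['Deployment']) > 1`, so a bundle with three or more Deployments is accepted even though the comment says no more than two are supported. The later hunks read only `by_kind['Deployment'][0]` and `[1]` and then trim all Deployments, so any further ones would be left out of the CSV without an error. Keeping an explicit rejection, for example by retaining the removed exception class and using `if len(by_kind['Deployment']) > 2: raise MultipleDeploymentsNotSupported(by_kind['Deployment'])`, preserves the fail-closed behaviour. Which Deployment receives the operator image and which the supplementary image is decided purely by list position, presumably the order in which the manifests were read; selecting by deployment name would be more dependable.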
@@ -307,27 +315,31 @@ def trim_index(index, kind, item): csv['spec']['install']['spec']['permissions'].append( { 'rules': role['rules'], - 'serviceAccountName': role_binding['subjects'][0]['name'] + 'serviceAccountName': role_binding['subjects'][0]['name'] } ) trim_index(by_kind, 'Role', role) trim_index(by_kind, 'RoleBinding', role_binding) ## Add the Deployment -# We already made sure there's exactly one Deployment +# We currently support a maximum of two Deployments deploy = by_kind['Deployment'][0] # Use the operator image pull spec we were passed deploy['spec']['template']['spec']['containers'][0]['image'] = operator_image # Add or replace OPERATOR_IMAGE env var -env = deploy['spec']['template']['spec']['containers'][0]['env'] -# Does OPERATOR_IMAGE key already exist in spec? If so, update value -for entry in env: - if entry['name'] == 'OPERATOR_IMAGE': - entry['value'] = operator_image - break -# If not, add it +env = deploy['spec']['template']['spec']['containers'][0].get('env') +if env: + # Does OPERATOR_IMAGE key already exist in spec? If so, update value + for entry in env: + if entry['name'] == 'OPERATOR_IMAGE': + entry['value'] = operator_image + break + # If not, add it + else: + env.append(dict(name='OPERATOR_IMAGE', value=operator_image)) else: - env.append(dict(name='OPERATOR_IMAGE', value=operator_image)) + # The container has no environment variables, so just set this one + env = dict(name='OPERATOR_IMAGE', value=operator_image) csv['spec']['install']['spec']['deployments'] = [ { 
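Review bot: In the new outer `else:` branch for a container without `env`, `env = dict(name='OPERATOR_IMAGE', value=operator_image)` only rebinds the local name, so the Deployment written to the CSV never receives the variable, and the value is a single dict rather than a list of entries. Assign it back to the container instead: `deploy['spec']['template']['spec']['containers'][0]['env'] = [dict(name='OPERATOR_IMAGE', value=operator_image)]`. Because the guard is `if env:`, an existing but empty `env` list takes the same branch and is affected in the same way.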
@@ -335,6 +347,19 @@ def trim_index(index, kind, item): 'spec': deploy['spec'], } ] + +# If the supplementary image is specified, +# Append the Deployment to the CSV. +if hasMultipleDeployments: + deploy = by_kind['Deployment'][1] + deploy['spec']['template']['spec']['containers'][0]['image'] = supplementary_image + + csv['spec']['install']['spec']['deployments'].append( + { + 'name': deploy['metadata']['name'], + 'spec': deploy['spec'], + } + ) # Get rid of these so we can iterate over what's left at the end trim_index(by_kind, 'Deployment', 'ALL') @@ -359,7 +384,12 @@ def trim_index(index, kind, item): # Update the versions to include git hash: csv['metadata']['name'] = f"{OPERATOR_NAME}.v{full_version}" csv['spec']['version'] = full_version -if prev_version: + +# Support cross-catalog upgrades via OLM skiprange. +# Attributes 'skiprange' and 'replaces' cannot coexists in a CSV. +if skip_range_enabled == "true": + csv['metadata']['annotations']['olm.skipRange'] = f">=0.0.1 <{full_version}" +elif prev_version: csv['spec']['replaces'] = f"{OPERATOR_NAME}.v{prev_version}" # Set the CSV createdAt annotation: diff --git a/boilerplate/openshift/golang-osd-operator/csv-generate/common.sh b/boilerplate/openshift/golang-osd-operator/csv-generate/common.sh index e8624bec..2b44480a 100644 --- a/boilerplate/openshift/golang-osd-operator/csv-generate/common.sh +++ b/boilerplate/openshift/golang-osd-operator/csv-generate/common.sh 
@@ -18,3 +18,24 @@ function check_mandatory_params() { usage fi } + +# generateImageDigest returns the image URI as repo URL + image digest +function generateImageDigest() { + local param_image + local param_version + local image_digest + + param_image="$1" + param_version="$2" + if [[ -z $param_image || -z $param_version ]]; then + usage + fi + + image_digest=$(skopeo inspect docker://${param_image}:v${param_version} | jq -r .Digest) + if [[ -z "$image_digest" ]]; then + echo "Couldn't discover IMAGE_DIGEST for docker://${param_image}:v${param_version}!" + exit 1 + fi + + echo "${param_image}@${image_digest}" +} diff --git a/boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.mk b/boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.mk index 21e9ea43..a08868fc 100644 --- a/boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.mk +++ b/boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.mk @@ -1,6 +1,6 @@ .PHONY: staging-csv-build staging-csv-build: - @${CONVENTION_DIR}/csv-generate/csv-generate.sh -o $(OPERATOR_NAME) -i $(OPERATOR_IMAGE) -V $(OPERATOR_VERSION) -c staging -H $(CURRENT_COMMIT) -n $(COMMIT_NUMBER) + @${CONVENTION_DIR}/csv-generate/csv-generate.sh -o $(OPERATOR_NAME) -i $(OPERATOR_IMAGE) -V $(OPERATOR_VERSION) -c staging -H $(CURRENT_COMMIT) -n $(COMMIT_NUMBER) -s $(SUPPLEMENTARY_IMAGE) -e $(SKIP_RANGE_ENABLED) .PHONY: staging-catalog-build staging-catalog-build: 
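Review bot: `generateImageDigest` is called through command substitution, so the failure message written with plain `echo` ends up in the caller's variable instead of on the terminal; send it to stderr with `>&2`. The emptiness test also misses the case where `skopeo inspect` returns JSON without a `Digest` field, because `jq -r` then prints the string `null` and the function returns `image@null`; test for both with `if [[ -z "$image_digest" || "$image_digest" == "null" ]]; then`. Quoting the reference, `"docker://${param_image}:v${param_version}"`, keeps unexpected values from being word-split before they reach `skopeo`.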
@@ -22,11 +22,11 @@ staging-catalog-build-and-publish: .PHONY: production-hack-csv-build production-hack-csv-build: - @${CONVENTION_DIR}/csv-generate/csv-generate.sh -o $(OPERATOR_NAME) -i $(OPERATOR_IMAGE) -V $(OPERATOR_VERSION) -c production -H $(CURRENT_COMMIT) -n $(COMMIT_NUMBER) -g hack + @${CONVENTION_DIR}/csv-generate/csv-generate.sh -o $(OPERATOR_NAME) -i $(OPERATOR_IMAGE) -V $(OPERATOR_VERSION) -c production -H $(CURRENT_COMMIT) -n $(COMMIT_NUMBER) -s $(SUPPLEMENTARY_IMAGE) -e $(SKIP_RANGE_ENABLED) -g hack .PHONY: production-csv-build production-csv-build: - @${CONVENTION_DIR}/csv-generate/csv-generate.sh -o $(OPERATOR_NAME) -i $(OPERATOR_IMAGE) -V $(OPERATOR_VERSION) -c production -H $(CURRENT_COMMIT) -n $(COMMIT_NUMBER) + @${CONVENTION_DIR}/csv-generate/csv-generate.sh -o $(OPERATOR_NAME) -i $(OPERATOR_IMAGE) -V $(OPERATOR_VERSION) -c production -H $(CURRENT_COMMIT) -n $(COMMIT_NUMBER) -s $(SUPPLEMENTARY_IMAGE) -e $(SKIP_RANGE_ENABLED) .PHONY: production-catalog-build production-catalog-build: diff --git a/boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.sh b/boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.sh index 5e7a7104..5966a8db 100755 --- a/boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.sh +++ b/boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.sh @@ -4,10 +4,10 @@ set -e source `dirname $0`/common.sh -usage() { echo "Usage: $0 -o operator-name -c saas-repository-channel -H operator-commit-hash -n operator-commit-number -i operator-image -V operator-version" 1>&2; exit 1; } +usage() { echo "Usage: $0 -o operator-name -c saas-repository-channel -H operator-commit-hash -n operator-commit-number -i operator-image -V operator-version -s supplementary-image -e skip-range-enabled" 1>&2; exit 1; } # TODO : Add support of long-options -while getopts "c:dg:H:i:n:o:V:" option; do +while getopts "c:dg:H:i:n:o:V:s:e:" option; do case "${option}" in c) operator_channel=${OPTARG} 
@@ -32,6 +32,12 @@ while getopts "c:dg:H:i:n:o:V:" option; do # Notably, it does *not* start with `v`. operator_version=${OPTARG} ;; + s) + supplementary_image=${OPTARG} + ;; + e) + skip_range_enabled=${OPTARG} + ;; *) usage esac @@ -48,16 +54,21 @@ fi if [[ -z "$CONTAINER_ENGINE" ]]; then YQ_CMD="yq" else - YQ_CMD="$CONTAINER_ENGINE run --rm -i quay.io/app-sre/yq:3.4.1 yq" + yq_image="quay.io/app-sre/yq:4" + $CONTAINER_ENGINE pull $yq_image + YQ_CMD="$CONTAINER_ENGINE run --rm -i $yq_image" fi -# Get the image URI as repo URL + image digest -IMAGE_DIGEST=$(skopeo inspect docker://${operator_image}:v${operator_version} | jq -r .Digest) -if [[ -z "$IMAGE_DIGEST" ]]; then - echo "Couldn't discover IMAGE_DIGEST for docker://${operator_image}:v${operator_version}!" - exit 1 +REPO_DIGEST=$(generateImageDigest $operator_image $operator_version) + +# Given a supplementary image is specified, +# generate the image digest. +if [[ -n $supplementary_image ]]; then + SECONDARY_REPO_DIGEST=$(generateImageDigest $supplementary_image $operator_version) + SECONDARY_REPO_DIGEST="-s ${SECONDARY_REPO_DIGEST}" +else + SECONDARY_REPO_DIGEST="" fi -REPO_DIGEST=${operator_image}@${IMAGE_DIGEST} # If no override, using the gitlab repo if [ -z "$GIT_PATH" ] ; then @@ -74,7 +85,7 @@ git clone --branch "$operator_channel" ${GIT_PATH} "$SAAS_OPERATOR_DIR" # If this is a brand new SaaS setup, then set up accordingly if [[ ! -d "${BUNDLE_DIR}" ]]; then echo "Setting up new SaaS operator dir: ${BUNDLE_DIR}" - mkdir "${BUNDLE_DIR}" + mkdir -p "${BUNDLE_DIR}" fi # For testing purposes, support disabling anything that relies on 
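Review bot: The second hunk replaces the pinned `quay.io/app-sre/yq:3.4.1` with the floating tag `quay.io/app-sre/yq:4` and pulls it on every run, so the tool that parses the SaaS file and produces `DEPLOYED_HASH` can change under the build without any commit in this repository. Pinning to a full version or, better, a digest (`yq_image="quay.io/app-sre/yq@sha256:<digest>"`) keeps CSV generation reproducible and makes image updates a reviewed change. In the same hunk, `generateImageDigest $operator_image $operator_version` passes its arguments unquoted; `"$operator_image" "$operator_version"` is safer.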
@@ -97,10 +108,10 @@ if [[ -z "$SKIP_SAAS_FILE_CHECKS" ]]; then # For customer clusters: /services/osd-operators/namespace//namespaces/cluster-scope.yaml # For hive clusters: /services/osd-operators/namespace//namespaces/.yaml MANAGED_RESOURCE_TYPE=$(curl -s "${SAAS_FILE_URL}" | \ - $YQ_CMD r - "managedResourceTypes[0]" + $YQ_CMD '.managedResourceTypes[0]' - ) if [[ "${MANAGED_RESOURCE_TYPE}" == "" ]]; then - echo "Unabled to determine if SAAS file managed resource type" + echo "Unable to determine if SAAS file managed resource type" exit 1 fi @@ -116,10 +127,8 @@ if [[ -z "$SKIP_SAAS_FILE_CHECKS" ]]; then # remove any versions more recent than deployed hash if [[ "$operator_channel" == "production" ]]; then if [ -z "$DEPLOYED_HASH" ] ; then - DEPLOYED_HASH=$( - curl -s "${SAAS_FILE_URL}" | \ - $YQ_CMD r - "resourceTemplates[*].targets(namespace.\$ref==${resource_template_ns_path}).ref" - ) + deployed_hash_yq_filter=".resourceTemplates[].targets[] | select(.namespace.\$ref == \"${resource_template_ns_path}\") | .ref" + DEPLOYED_HASH="$(curl -s "${SAAS_FILE_URL}" | $YQ_CMD "${deployed_hash_yq_filter}" -)" fi # Ensure that our query for the current deployed hash worked @@ -161,6 +170,13 @@ OUTPUT_DIR=${BUNDLE_DIR} if [[ -z "${OPERATOR_PREV_VERSION}" ]]; then PREV_VERSION_OPTS="" else + OPERATOR_PREV_COMMIT_NUMBER=$(echo "${OPERATOR_PREV_VERSION}" | awk -F. '{print $3}' | awk -F- '{print $1}') + if [[ "${OPERATOR_PREV_COMMIT_NUMBER}" -gt "${operator_commit_number}" ]]; + then + echo "Revert detected. Reverting OLM operators is not allowed" + exit 99 + fi + PREV_VERSION_OPTS="-p ${OPERATOR_PREV_VERSION}" fi # Jenkins can't be relied upon to have py3, so run the generator in 
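Review bot: The revert guard in the last hunk compares `OPERATOR_PREV_COMMIT_NUMBER` with `-gt` without checking that the `awk` extraction produced a number. If `OPERATOR_PREV_VERSION` does not have the `{major}.{minor}.{commit-number}-{hash}` shape, the field is empty or non-numeric, and inside `[[ ]]` bash evaluates it arithmetically, so the check can pass silently instead of failing closed. A guard before the comparison makes the protection dependable: `[[ "${OPERATOR_PREV_COMMIT_NUMBER}" =~ ^[0-9]+$ ]] || { echo "Cannot parse commit number from ${OPERATOR_PREV_VERSION}" >&2; exit 1; }`.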
@@ -168,12 +184,12 @@ fi # ...Unless we're already in a container, which is how boilerplate # CI runs. We have py3 there, so run natively in that case. if [[ -z "$CONTAINER_ENGINE" ]]; then - ./boilerplate/openshift/golang-osd-operator/csv-generate/common-generate-operator-bundle.py -o ${operator_name} -d ${OUTPUT_DIR} ${PREV_VERSION_OPTS} -i ${REPO_DIGEST} -V ${operator_version} + ./boilerplate/openshift/golang-osd-operator/csv-generate/common-generate-operator-bundle.py -o ${operator_name} -d ${OUTPUT_DIR} ${PREV_VERSION_OPTS} -i ${REPO_DIGEST} -V ${operator_version} ${SECONDARY_REPO_DIGEST} -e ${skip_range_enabled} else if [[ ${CONTAINER_ENGINE##*/} == "podman" ]]; then CE_OPTS="--userns keep-id -v `pwd`:`pwd`:Z" else CE_OPTS="-v `pwd`:`pwd`" fi - $CONTAINER_ENGINE run --rm ${CE_OPTS} -u `id -u`:0 -w `pwd` registry.access.redhat.com/ubi8/python-36:1-134 /bin/bash -c "python -m pip install oyaml; python ./boilerplate/openshift/golang-osd-operator/csv-generate/common-generate-operator-bundle.py -o ${operator_name} -d ${OUTPUT_DIR} ${PREV_VERSION_OPTS} -i ${REPO_DIGEST} -V ${operator_version}" + $CONTAINER_ENGINE run --pull=always --rm ${CE_OPTS} -u `id -u`:0 -w `pwd` registry.access.redhat.com/ubi8/python-36 /bin/bash -c "python -m pip install --disable-pip-version-check oyaml; python ./boilerplate/openshift/golang-osd-operator/csv-generate/common-generate-operator-bundle.py -o ${operator_name} -d ${OUTPUT_DIR} ${PREV_VERSION_OPTS} -i ${REPO_DIGEST} -V ${operator_version} ${SECONDARY_REPO_DIGEST} -e ${skip_range_enabled}" fi diff --git a/boilerplate/openshift/golang-osd-operator/dependabot.yml b/boilerplate/openshift/golang-osd-operator/dependabot.yml new file mode 100644 index 00000000..004cb068 --- /dev/null +++ b/boilerplate/openshift/golang-osd-operator/dependabot.yml 
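Review bot: The container invocation now uses `registry.access.redhat.com/ubi8/python-36` with no tag together with `--pull=always`, and installs `oyaml` unpinned at run time, so the code that writes the CSV runs on whatever image and package version are current at build time, with the working tree mounted writable. Pin the image to a tag or digest (`registry.access.redhat.com/ubi8/python-36@sha256:<digest>`) and the package to a known version (`pip install oyaml==<version>`) so that upstream changes arrive through a reviewed bump. Separately, `-e ${skip_range_enabled}` is passed unquoted in both branches; when the script is run without `-e` the flag has no value and the generator's argument parser rejects the call, so default it first with `skip_range_enabled=${skip_range_enabled:-false}`.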
@@ -0,0 +1,14 @@ +version: 2 +updates: + - package-ecosystem: "docker" + directory: "/build" + labels: + - "area/dependency" + - "ok-to-test" + schedule: + interval: "weekly" + ignore: + - dependency-name: "app-sre/boilerplate" + # don't upgrade boilerplate via these means + - dependency-name: "openshift4/ose-operator-registry" + # don't upgrade ose-operator-registry via these means diff --git a/boilerplate/openshift/golang-osd-operator/ensure.sh b/boilerplate/openshift/golang-osd-operator/ensure.sh index a0a97575..fe4a7fdd 100755 --- a/boilerplate/openshift/golang-osd-operator/ensure.sh +++ b/boilerplate/openshift/golang-osd-operator/ensure.sh @@ -6,7 +6,7 @@ REPO_ROOT=$(git rev-parse --show-toplevel) source $REPO_ROOT/boilerplate/_lib/common.sh GOLANGCI_LINT_VERSION="1.30.0" -OPM_VERSION="v1.15.2" +OPM_VERSION="v1.23.2" GRPCURL_VERSION="1.7.0" DEPENDENCY=${1:-} GOOS=$(go env GOOS) diff --git a/boilerplate/openshift/golang-osd-operator/fips.go.tmplt b/boilerplate/openshift/golang-osd-operator/fips.go.tmplt index bc0d4547..d4b108ee 100644 --- a/boilerplate/openshift/golang-osd-operator/fips.go.tmplt +++ b/boilerplate/openshift/golang-osd-operator/fips.go.tmplt @@ -1,3 +1,4 @@ +//go:build fips_enabled // +build fips_enabled // BOILERPLATE GENERATED -- DO NOT EDIT diff --git a/boilerplate/openshift/golang-osd-operator/golangci.yml b/boilerplate/openshift/golang-osd-operator/golangci.yml index 77ff6450..4cd695e3 100644 --- a/boilerplate/openshift/golang-osd-operator/golangci.yml +++ b/boilerplate/openshift/golang-osd-operator/golangci.yml @@ -16,13 +16,11 @@ issues: linters: disable-all: true enable: - - deadcode - errcheck + - gosec - gosimple - govet - ineffassign - staticcheck - - structcheck - typecheck - unused - - varcheck diff --git a/boilerplate/openshift/golang-osd-operator/project.mk b/boilerplate/openshift/golang-osd-operator/project.mk index 4dad5b29..e146a08d 100644 --- a/boilerplate/openshift/golang-osd-operator/project.mk 
+++ b/boilerplate/openshift/golang-osd-operator/project.mk @@ -6,6 +6,13 @@ IMAGE_REGISTRY?=quay.io IMAGE_REPOSITORY?=app-sre IMAGE_NAME?=$(OPERATOR_NAME) +# Optional additional deployment image +SUPPLEMENTARY_IMAGE_NAME?=$(shell sed -n 's/.*SupplementaryImage .*"\([^"]*\)".*/\1/p' config/config.go) + +# Optional: Enable OLM skip-range +# https://v0-18-z.olm.operatorframework.io/docs/concepts/olm-architecture/operator-catalog/creating-an-update-graph/#skiprange +EnableOLMSkipRange?=$(shell sed -n 's/.*EnableOLMSkipRange .*"\([^"]*\)".*/\1/p' config/config.go) + VERSION_MAJOR?=0 VERSION_MINOR?=1 diff --git a/boilerplate/openshift/golang-osd-operator/standard.mk b/boilerplate/openshift/golang-osd-operator/standard.mk index 6d6dd6fc..56cc802f 100644 --- a/boilerplate/openshift/golang-osd-operator/standard.mk +++ b/boilerplate/openshift/golang-osd-operator/standard.mk @@ -26,6 +26,12 @@ CONTAINER_ENGINE_CONFIG_DIR = .docker # also accepts REGISTRY_AUTH_FILE from the env. See # https://www.mankier.com/1/podman-login#Options---authfile=path export REGISTRY_AUTH_FILE = ${CONTAINER_ENGINE_CONFIG_DIR}/config.json +# If this configuration file doesn't exist, podman will error out. So +# we'll create it if it doesn't exist. +ifeq (,$(wildcard $(REGISTRY_AUTH_FILE))) +$(shell mkdir -p $(CONTAINER_ENGINE_CONFIG_DIR)) +$(shell echo '{}' > $(REGISTRY_AUTH_FILE)) +endif # ==> Docker uses --config=PATH *before* (any) subcommand; so we'll glue # that to the CONTAINER_ENGINE variable itself. (NOTE: I tried half a # dozen other ways to do this. This was the least ugly one that actually 
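Review bot: In the `standard.mk` hunk, `$(shell echo '{}' > $(REGISTRY_AUTH_FILE))` creates the auth file and its directory with the default umask, at parse time, on every `make` invocation where the file is missing. This is the file the container engine reads registry credentials from, so it is presumably filled by a later login; creating it with restrictive permissions is the safer default, e.g. `$(shell umask 077 && mkdir -p $(CONTAINER_ENGINE_CONFIG_DIR) && echo '{}' > $(REGISTRY_AUTH_FILE))`. It is also worth confirming that `.docker/` is git-ignored in consuming repositories, since the file now always exists in the checkout.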
@@ -46,9 +52,22 @@ OPERATOR_IMAGE_URI=${IMG} OPERATOR_IMAGE_URI_LATEST=$(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/$(IMAGE_NAME):latest OPERATOR_DOCKERFILE ?=build/Dockerfile REGISTRY_IMAGE=$(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/$(IMAGE_NAME)-registry -#The api dir that latest osdk generated -NEW_API_DIR=./api -USE_OLD_SDK=$(shell if [[ -d "$(NEW_API_DIR)" ]];then echo FALSE;else echo TRUE;fi) + +ifeq ($(SUPPLEMENTARY_IMAGE_NAME),) +# We need SUPPLEMENTARY_IMAGE to be defined for csv-generate.mk +SUPPLEMENTARY_IMAGE="" +else +# If the configuration specifies a SUPPLEMENTARY_IMAGE_NAME +# then append the image registry and generate the image URI. +SUPPLEMENTARY_IMAGE=$(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/$(SUPPLEMENTARY_IMAGE_NAME) +SUPPLEMENTARY_IMAGE_URI=$(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/$(SUPPLEMENTARY_IMAGE_NAME):${OPERATOR_IMAGE_TAG} +endif + +ifeq ($(EnableOLMSkipRange), true) +SKIP_RANGE_ENABLED=true +else +SKIP_RANGE_ENABLED=false +endif # Consumer can optionally define ADDITIONAL_IMAGE_SPECS like: # define ADDITIONAL_IMAGE_SPECS @@ -69,16 +88,9 @@ OLM_CHANNEL ?= alpha REGISTRY_USER ?= REGISTRY_TOKEN ?= -BINFILE=build/_output/bin/$(OPERATOR_NAME) -MAINPACKAGE = ./main.go -API_DIR = $(NEW_API_DIR) -ifeq ($(USE_OLD_SDK), TRUE) -MAINPACKAGE = ./cmd/manager -API_DIR = ./pkg/apis -endif - GOOS?=$(shell go env GOOS) GOARCH?=$(shell go env GOARCH) +GOBIN?=$(shell go env GOBIN) # Consumers may override GOFLAGS_MOD e.g. to use `-mod=vendor` unexport GOFLAGS 
@@ -92,15 +104,17 @@ export HOME=/tmp/home endif PWD=$(shell pwd) +GOENV=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=1 GOFLAGS="${GOFLAGS_MOD}" +GOBUILDFLAGS=-gcflags="all=-trimpath=${GOPATH}" -asmflags="all=-trimpath=${GOPATH}" + ifeq (${FIPS_ENABLED}, true) GOFLAGS_MOD+=-tags=fips_enabled GOFLAGS_MOD:=$(strip ${GOFLAGS_MOD}) +$(warning Setting GOEXPERIMENT=strictfipsruntime,boringcrypto - this generally causes builds to fail unless building inside the provided Dockerfile. If building locally consider calling 'go build .') +GOENV+=GOEXPERIMENT=strictfipsruntime,boringcrypto +GOENV:=$(strip ${GOENV}) endif -GOENV=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=0 GOFLAGS="${GOFLAGS_MOD}" - -GOBUILDFLAGS=-gcflags="all=-trimpath=${GOPATH}" -asmflags="all=-trimpath=${GOPATH}" - # GOLANGCI_LINT_CACHE needs to be set to a directory which is writeable # Relevant issue - https://github.com/golangci/golangci-lint/issues/734 GOLANGCI_LINT_CACHE ?= /tmp/golangci-cache @@ -108,7 +122,7 @@ GOLANGCI_LINT_CACHE ?= /tmp/golangci-cache GOLANGCI_OPTIONAL_CONFIG ?= ifeq ($(origin TESTTARGETS), undefined) -TESTTARGETS := $(shell ${GOENV} go list -e ./... | egrep -v "/(vendor)/") +TESTTARGETS := $(shell ${GOENV} go list -e ./... | egrep -v "/(vendor)/" | egrep -v "/(osde2e)/") endif # ex, -v TESTOPTS := 
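Review bot: `GOENV` in the first hunk now sets `CGO_ENABLED=1` for every build, while the definition it replaces used `CGO_ENABLED=0`; only the `GOEXPERIMENT=strictfipsruntime,boringcrypto` case appears to need cgo. Non-FIPS consumers would presumably now get dynamically linked binaries that depend on the C library of the runtime image and need a C toolchain at build time. If that is not intended, keep `CGO_ENABLED=0` as the default and add `GOENV+=CGO_ENABLED=1` inside the `ifeq (${FIPS_ENABLED}, true)` block next to `GOEXPERIMENT`; if it is intended, a comment on the `GOENV` line saying why would help consumers.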
@@ -117,10 +131,11 @@ ALLOW_DIRTY_CHECKOUT?=false # TODO: Figure out how to discover this dynamically CONVENTION_DIR := boilerplate/openshift/golang-osd-operator +BOILERPLATE_CONTAINER_MAKE := boilerplate/_lib/container-make # Set the default goal in a way that works for older & newer versions of `make`: # Older versions (<=3.8.0) will pay attention to the `default` target. -# Newer versions pay attention to .DEFAULT_GOAL, where uunsetting it makes the next defined target the default: +# Newer versions pay attention to .DEFAULT_GOAL, where unsetting it makes the next defined target the default: # https://www.gnu.org/software/make/manual/make.html#index-_002eDEFAULT_005fGOAL-_0028define-default-goal_0029 .DEFAULT_GOAL := .PHONY: default @@ -132,7 +147,7 @@ clean: .PHONY: isclean isclean: - @(test "$(ALLOW_DIRTY_CHECKOUT)" != "false" || test 0 -eq $$(git status --porcelain | wc -l)) || (echo "Local git checkout is not clean, commit changes and try again." >&2 && git --no-pager diff && exit 1) + @(test "$(ALLOW_DIRTY_CHECKOUT)" != "false" || test 0 -eq $$(git status --porcelain | wc -l)) || (echo "Local git checkout is not clean, commit changes and try again or use ALLOW_DIRTY_CHECKOUT=true to override." >&2 && git --no-pager diff && exit 1) # TODO: figure out how to docker-login only once across multiple `make` calls .PHONY: docker-build-push-one 
@@ -189,35 +204,20 @@ rm -rf $$TMP_DIR ;\ } endef -# Deciding on the binary versions -CONTROLLER_GEN_VERSION = v0.8.0 -CONTROLLER_GEN = controller-gen-$(CONTROLLER_GEN_VERSION) - -OPENAPI_GEN_VERSION = v0.23.0 -OPENAPI_GEN = openapi-gen-$(OPENAPI_GEN_VERSION) - -ifeq ($(USE_OLD_SDK), TRUE) -#If we are using the old osdk, we use the default controller-gen and openapi-gen versions. -# Default version is 0.3.0 for now. CONTROLLER_GEN = controller-gen -# Default version is 0.19.4 for now. OPENAPI_GEN = openapi-gen -endif +KUSTOMIZE = kustomize +YQ = yq .PHONY: op-generate ## CRD v1beta1 is no longer supported. op-generate: - cd $(API_DIR); $(CONTROLLER_GEN) crd:crdVersions=v1 paths=./... output:dir=$(PWD)/deploy/crds - cd $(API_DIR); $(CONTROLLER_GEN) object paths=./... - -API_DIR_MIN_DEPTH = 1 -ifeq ($(USE_OLD_SDK), TRUE) -API_DIR_MIN_DEPTH = 2 -endif + cd ./api; $(CONTROLLER_GEN) crd:crdVersions=v1,generateEmbeddedObjectMeta=true paths=./... output:dir=$(PWD)/deploy/crds + cd ./api; $(CONTROLLER_GEN) object paths=./... .PHONY: openapi-generate openapi-generate: - find $(API_DIR) -maxdepth 2 -mindepth $(API_DIR_MIN_DEPTH) -type d | xargs -t -I% \ + find ./api -maxdepth 2 -mindepth 1 -type d | xargs -t -I% \ $(OPENAPI_GEN) --logtostderr=true \ -i % \ -o "" \ @@ -225,9 +225,19 @@ openapi-generate: -p % \ -h /dev/null \ -r "-" - + +.PHONY: manifests +manifests: +# Only use kustomize to template out manifests if the path config/default exists +ifneq (,$(wildcard config/default)) + $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." + $(KUSTOMIZE) build config/default | $(YQ) -s '"deploy/" + .metadata.name + "." + .kind + ".yaml"' +else + $(info Did not find 'config/default' - skipping kustomize manifest generation) +endif + .PHONY: generate -generate: op-generate go-generate openapi-generate +generate: op-generate go-generate openapi-generate manifests ifeq (${FIPS_ENABLED}, true) go-build: ensure-fips 
@@ -237,7 +247,7 @@ endif go-build: ## Build binary # Force GOOS=linux as we may want to build containers in other *nix-like systems (ie darwin). # This is temporary until a better container build method is developed - ${GOENV} GOOS=linux go build ${GOBUILDFLAGS} -o ${BINFILE} ${MAINPACKAGE} + ${GOENV} GOOS=linux go build ${GOBUILDFLAGS} -o build/_output/bin/$(OPERATOR_NAME) . # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. ENVTEST_K8S_VERSION = 1.23 @@ -246,7 +256,7 @@ SETUP_ENVTEST = setup-envtest .PHONY: setup-envtest setup-envtest: $(eval KUBEBUILDER_ASSETS := "$(shell $(SETUP_ENVTEST) use $(ENVTEST_K8S_VERSION) -p path --bin-dir /tmp/envtest/bin)") - + # Setting SHELL to bash allows bash commands to be executed by recipes. # This is a requirement for 'setup-envtest.sh' in the test target. # Options are set to exit when a recipe line exits non-zero or a piped command fails. 
@@ -332,3 +342,41 @@ opm-build-push: docker-push .PHONY: ensure-fips ensure-fips: ${CONVENTION_DIR}/configure-fips.sh + +# You will need to export the forked/cloned operator repository directory as OLD_SDK_REPO_DIR to make this work. +# Example: export OLD_SDK_REPO_DIR=~/Projects/My-Operator-Fork +.PHONY: migrate-to-osdk1 +migrate-to-osdk1: +ifndef OLD_SDK_REPO_DIR + $(error OLD_SDK_REPO_DIR is not set) +endif + # Copying files & folders from old repository to current project + rm -rf config + rsync -a $(OLD_SDK_REPO_DIR)/deploy . --exclude=crds + rsync -a $(OLD_SDK_REPO_DIR)/pkg . --exclude={'apis','controller'} + rsync -a $(OLD_SDK_REPO_DIR)/Makefile . + rsync -a $(OLD_SDK_REPO_DIR)/.gitignore . + rsync -a $(OLD_SDK_REPO_DIR)/ . --exclude={'cmd','version','boilerplate','deploy','pkg'} --ignore-existing + +# Boilerplate container-make targets. +# Runs 'make' in the boilerplate backing container. +# If the command fails, starts a shell in the container so you can debug. +.PHONY: container-test +container-test: + ${BOILERPLATE_CONTAINER_MAKE} test + +.PHONY: container-generate +container-generate: + ${BOILERPLATE_CONTAINER_MAKE} generate + +.PHONY: container-lint +container-lint: + ${BOILERPLATE_CONTAINER_MAKE} lint + +.PHONY: container-validate +container-validate: + ${BOILERPLATE_CONTAINER_MAKE} validate + +.PHONY: container-coverage +container-coverage: + ${BOILERPLATE_CONTAINER_MAKE} coverage diff --git a/boilerplate/openshift/golang-osd-operator/update b/boilerplate/openshift/golang-osd-operator/update index bed4cc8d..f64a6f27 100755 --- a/boilerplate/openshift/golang-osd-operator/update +++ b/boilerplate/openshift/golang-osd-operator/update 
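Review bot: The last rsync in `migrate-to-osdk1` copies `$(OLD_SDK_REPO_DIR)/` into the working tree without excluding `.git`, so with `--ignore-existing` any refs, objects or hook scripts present in the old clone but absent here are merged into this repository's `.git`. Unless that is intended, add it to the exclude list: `--exclude={'cmd','version','boilerplate','deploy','pkg','.git'}`. Separately, `rm -rf config` runs before anything confirms that `$(OLD_SDK_REPO_DIR)` is an existing directory, since the `ifndef` only checks that it is set, and the variable is unquoted in every rsync line. A first recipe line such as `test -d "$(OLD_SDK_REPO_DIR)/deploy"` would fail before anything is deleted.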
@@ -10,14 +10,46 @@ source $CONVENTION_ROOT/_lib/common.sh # Expect POST [[ "$1" == "POST" ]] || err "Got a parameter I don't understand: '$1'. Did the infrastructure change?" +# Add codecov configuration echo "Copying .codecov.yml to your repository root." cp ${HERE}/.codecov.yml $REPO_ROOT -# TODO: boilerplate more of Dockerfile -DOCKERFILE=build/Dockerfile -echo "Overwriting $DOCKERFILE's initial FROM with $IMAGE_PULL_PATH" -${SED?} -i "1s,.*,FROM $IMAGE_PULL_PATH AS builder," $DOCKERFILE +# Add OWNERS_ALIASES to $REPO_ROOT +echo "Copying OWNERS_ALIASES to your repository root." +cp ${HERE}/OWNERS_ALIASES $REPO_ROOT +# Add dependabot configuration +mkdir -p $REPO_ROOT/.github +echo "Copying dependabot.yml to .github/dependabot.yml" +cp ${HERE}/dependabot.yml ${REPO_ROOT}/.github/dependabot.yml + +# Add olm-registry Dockerfile +mkdir -p $REPO_ROOT/build +echo "Copying Dockerfile.olm-registry to build/Dockerfile.olm-registry" +cp ${HERE}/Dockerfile.olm-registry ${REPO_ROOT}/build/Dockerfile.olm-registry +# if the gitignore file exists, remove the olm-registry line +if [[ -f ${REPO_ROOT}/.gitignore ]]; then + ${SED?} -i "/Dockerfile.olm-registry/d" ${REPO_ROOT}/.gitignore +fi + +# Update Dockerfile builder image +DOCKERFILES=$(ls -1 $REPO_ROOT/build/Dockerfile*) +for file in $DOCKERFILES; do + # only update boilerplate base on the main file + if [[ $file == *"Dockerfile" ]]; then + echo "Overwriting $file's initial FROM with $IMAGE_PULL_PATH" + ${SED?} -i "1s,.*,FROM $IMAGE_PULL_PATH AS builder," $file + fi + + # Update any UBI images to use a versioned tag of ubi8/ubi-minimal that is compatible with dependabot + for ubi_latest in $(grep -oE 'registry.access.redhat.com/ubi[7-9]/ubi.*?:.*' ${file}); do + replacement_image=$(skopeo inspect --override-os linux --override-arch amd64 docker://registry.access.redhat.com/ubi8/ubi-minimal --format "{{.Name}}:{{.Labels.version}}-{{.Labels.release}}") + echo "Overwriting ${file}'s ${ubi_latest} image to ${replacement_image}" 
+ ${SED?} -i "s,${ubi_latest},${replacement_image}," ${file} + done +done + +# Add ci-operator configuration echo "Writing .ci-operator.yaml in your repository root with:" echo " namespace: $IMAGE_NAMESPACE" echo " name: $IMAGE_NAME" diff --git a/build/Dockerfile b/build/Dockerfile index d4a48e98..9817de41 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/app-sre/boilerplate:image-v2.3.2 AS builder +FROM quay.io/app-sre/boilerplate:image-v4.0.2 AS builder RUN mkdir -p /workdir WORKDIR /workdir @@ -7,7 +7,7 @@ RUN go mod download COPY . . RUN make go-build -FROM registry.access.redhat.com/ubi8/ubi-minimal:latest +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.9-1029 ENV USER_UID=1001 \ USER_NAME=aws-efs-operator diff --git a/build/Dockerfile.olm-registry b/build/Dockerfile.olm-registry new file mode 100644 index 00000000..8ee16427 --- /dev/null +++ b/build/Dockerfile.olm-registry @@ -0,0 +1,22 @@ +FROM registry.redhat.io/openshift4/ose-operator-registry:v4.12 AS builder +ARG SAAS_OPERATOR_DIR +COPY ${SAAS_OPERATOR_DIR} manifests +RUN initializer --permissive + +# ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.9-1029 + +COPY --from=builder /bin/registry-server /bin/registry-server +COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe +COPY --from=builder /bin/initializer /bin/initializer + +WORKDIR /registry +RUN chgrp -R 0 /registry && chmod -R g+rwx /registry + +USER 1001 + +COPY --from=builder /registry /registry + +EXPOSE 50051 + +CMD ["registry-server", "-t", "/tmp/terminate.log"]
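Review bot: In the UBI rewrite loop of the `update` script, `replacement_image` is passed to `sed` without checking that `skopeo inspect` returned anything, so a failed registry lookup would replace the matched image reference with an empty string (unless `common.sh` enables errexit, which is not visible here). The `grep -oE` pattern also over-matches: `.*?` is not lazy in ERE, so the match runs to the end of the line, and the unquoted `$(grep ...)` then splits a line such as `...:latest AS name` into separate loop items that are each used as a sed pattern. I would resolve the image once before the loop, abort on an empty result with the existing `err` helper, and restrict the pattern to the image reference itself. The tag returned by skopeo is written into the Dockerfile as-is, so it would also be worth recording the digest if reproducible builds matter here.

```shell
# Resolve the replacement once and stop if the lookup returns nothing
replacement_image=$(skopeo inspect --override-os linux --override-arch amd64 docker://registry.access.redhat.com/ubi8/ubi-minimal --format "{{.Name}}:{{.Labels.version}}-{{.Labels.release}}")
[[ -n "$replacement_image" ]] || err "Could not resolve a versioned ubi8/ubi-minimal tag"

for file in $DOCKERFILES; do
    # … unchanged: builder FROM rewrite for the main Dockerfile …

    # Match the image reference only, so nothing after it on the line is captured
    for ubi_latest in $(grep -oE 'registry\.access\.redhat\.com/ubi[7-9]/ubi[^:[:space:]]*:[^[:space:]]+' "${file}"); do
        # … unchanged: echo and sed replacement …
    done
done
```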
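Review bot: In the new `build/Dockerfile.olm-registry`, `RUN chgrp -R 0 /registry && chmod -R g+rwx /registry` runs before `COPY --from=builder /registry /registry`, so it only touches the empty directory created by `WORKDIR`; the copied files keep the mode they had in the builder stage. If the group-writable layout is needed for the non-root `USER 1001`, move the `COPY` above the `RUN`, or set ownership on the copy itself with `COPY --from=builder --chown=1001:0 /registry /registry`. Both `FROM` lines are pinned by tag only; appending the image digest (`@sha256:<digest>`) would make the build reproducible.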