Boilerplate: Update to 5fea264b458ec33913afb04eda6ff87d8013d9f4

[clcollins]

Conventions:

• openshift/golang-osd-operator: Update

  https://github.com/openshift/boilerplate/compare/884e5a831330ce731485fd84a70668453315b252...5fea264b458ec33913afb04eda6ff87d8013d9f4

commit: e6753c2a4252695328187dad83370e63f308e355 author: Christopher Collins Updates the version of the openshift-operator-registry image

Updates the version of the openshift-operator-registry image to 4.8.0, to address several high vulnerabilities found in the 4.7.0 image.

REF: OSD-6831

Signed-off-by: Christopher Collins collins.christopher@gmail.com

commit: c35da9dd532d5ed389e4e93f83c75fe9e51e98c9 author: Eric Fried Fix generated-files-checker for go 1.16

go 1.16 is stricter about go.sum being up to date for things like go -list. Fix up the test (case & project) accordingly.

Also add test loops for missing supported asdk versions. Not sure when we missed those.

Also fix the backing image -- it was hacking the go lib/cache permissions too early.

Also make it possible to override the backing image used by container-make, to ease debugging when writing commits like this.

commit: 0acfc9d8d31942977df26f49ec043038d2fd3320 author: Rob Rati Update to use golang 1.16

commit: c49cf6f755ffab5c6e2ce6e4118b743e83093248 author: Eric Fried Fix unbound local variable error

...noted in https://ci.int.devshift.net/job/app-sre-deployment-validation-operator-gh-build-master/60/console

commit: 3bcb750bd6dc9120f5458aa44d82fff6973d2171 author: Eric Fried Improve subscriber report release

This commit improves the subscriber report release tool in the following ways:

• It now requires a list of subscribers, or ALL, with the same semantics as subscriber propose update.
• It now produces a diff with which you can patch -R what's in the release repository to make it conform.

commit: 9062716c4df7b01b72ba4308e106b4c932ab5649 author: Christopher Collins Adds .gitattributes to unacceptable_deltas "ignores" list

With a recent update to boilerplate, a .gitattributes file is created during the bootstrap process. This is causing failures in the "framework/04-update-from-master-and-revert" test, which currently doesn't expect the .gitattributes file to exist, uncommitted, after the test bootstrap.

This adds the .gitattributes file to the "ignores" list in the unacceptable_deltas function of boilerplate/update.

Also runs ./boilerplate/_lib/boilerplate-commit to "clean" before the next test run.

Signed-off-by: Christopher Collins collins.christopher@gmail.com

commit: 69519b47fcbd219aa4d30aeb28377c2113ea8272 author: Eric Fried Secure freeze-check, enable hiding boilerplate deltas

• Document the "trust and ignore" philosophy that subscribers should adopt when reviewing PRs that include boilerplate updates.
• Secure freeze-check so you actually can trust such changes.
• Lay down .gitattributes content such that, if a subscriber decides to suppress boilerplate deltas by default, certain files will still always be shown:
  • Because an attacker could attempt to subvert freeze-check by modifying that script or its dependencies, we explicitly exclude those from the hiding-by-default.
  • Because an attacker could try to subvert the hiding by appending entries to .gitattributes, we exclude THAT file from the hiding-by-default as well.

Security is hard.

commit: 7679eeabd8af9bcd1deb2ef998d862e275fdb3f2 author: Eric Fried Split out stderr for skopeo inspect

This started happening suddenly:

10:08:43 parse error: Invalid literal at line 1, column 6
10:08:43 Unexpected error: skopeo inspect succeeded, but output contained no .Digest
10:08:43 Here's the output:
10:08:43 time="2021-05-10T15:08:41Z" level=error msg="HEADER map[Content-Length:[185] Content-Type:[text/html] Date:[Mon, 10 May 2021 15:08:41 GMT] Server:[nginx/1.12.1]]"
10:08:43 {
10:08:43     "Name": "quay.io/app-sre/aws-account-operator",
10:08:43     "Digest": "sha256:02baefe6abe17a60f9751441fdd7223b3d79af5580639d4ea90285bbab28a0c7",

For some reason, skopeo inspect is now producing that header information on stderr, whereas it wasn't before.

Nevertheless, that's no excuse for glomming together stdout and stderr when we expect to be able to parse the former. So with this commit, we split stderr out and redirect it to a temporary file instead.

commit: 9f62838f2f7eba3573d83400d2b227655f71b399 author: Eric Fried Support building multiple images

Previously the app-sre pipeline scripts were designed to build/push (if not already extant) exactly two things: the operator image and the OLM catalog.

With this commit we allow the consumer to build arbitrary images in addition to the operator image by setting a multiline make variable as follows:

define ADDITIONAL_IMAGE_SPECS
./path/to/a/Dockerfile $(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/a-image:v1.2.3
./path/to/b/Dockerfile $(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/b-image:v4.5.6
endef

NOTE: As an ancillary side effect (benefit) of this commit, we stop tagging latest operator images. They were unused at best, misused at worst.

commit: cc2ba9070df73175397f4d36ffeaadae073d240f author: Eric Fried Add splunk-forwarder-operator as a subscriber

commit: f03b007a8a2bb12183b611ed231cef5a82ef8f7d author: Christoph Blecker Use /usr/bin/env bash everywhere

commit: bf324c0b4fbf95930caf2613f60f362bc32e8469 author: Dominic Finn help to makefile

commit: 06e3d461cbccc2f73bd2b67a8e6173def1ccb2eb author: Christoph Blecker Make sed prompt to use compatible sed

commit: 29ea0a0182e40bed2d90c162b084e96d6643c75a author: Eric Fried Subscriber updates

All registered operators are onboarded at this point.

commit: 01138a140ecac9b3c761408c5f75d667e9a0ff52 author: Dominic Finn Update boilerplate/_lib/container-make

Co-authored-by: Eric Fried 2uasimojo@users.noreply.github.com

commit: 1d066c78317c923381571167f98e53f44478f01c author: Dominic Finn podman build logic

commit: 4a28e9b440b478795346b68bc2c8a0d6f29deee2 author: Christoph Blecker Fix codecov job errors

commit: 5522c6bdcda11035e975bcf7898e1709950f2792 author: Christoph Blecker Persist codecov script used as a test artifact

commit: 12e79262e14bd97051e12c34ef4a11ecfd958764 author: Kirk Bater removes debug flag from container-make

commit: 994bbe4f92687be3a386fe26ee28331c8f1c07cb author: Arjun Naik Error when unsupported resources present

Signed-off-by: Arjun Naik anaik@redhat.com

commit: 63afc0b627ce08a08abe95b9e5b62440ff1d3dba author: Eric Fried app-sre.md: Remove references to REGISTRY_USER/_TOKEN

These are no longer necessary since 272a910

commit: 9d00c82de0a3c05d3d3d0864d9196640df11472f author: Benjamin Dematteo enabling back codecov as we are clear from the incident

commit: 272a910b67ee97c8085b1a9d8dd741f14d25f433 author: Benjamin Dematteo Replacing REGISTRY_USER and REGISTRY_TOKEN bu QUAY_USER/QUAY_TOKEN for make docker-login

commit: f49517a7e1623c641772ebde965bd60e5091ad2e author: Eric Fried Disable codecov

...while we investigate a codecov.io security breach

commit: d3c263cee468dc862b9bb108cd6e6c86297f3585 author: Benjamin Dematteo Adding missing varaible for git token auhtent

commit: 40db4e9aac5cae0b1fa5f71ca7170b762ef8ec5c author: Arjun Naik Remove flags for interactive docker run for the CSV generation

Signed-off-by: Arjun Naik anaik@redhat.com

commit: 38876608dfa38d552f368837b1e8faa5955aa215 author: Eric Fried Fix CI: Support disabling SaaS file checks

The 06-csv-generate test invokes (make targets that invoke) csv-generate.sh, which now queries the operator's SaaS file in app-interface to determine whether it's a hive or cluster operator. Since the test uses a dummy project, it has no such SaaS file in app-interface. Even if it did, the CI image doesn't have the right certs to query it over https.

This commit enables an environment variable to bypass that whole section of csv-generate.sh, and enables it in the test case.

commit: 380d825ff9e137cd6fccff62f2035872a6be3daf author: James Harrington Containerize yq

commit: 0378b16b89cba33fecea0447f306eadd3b979d82 author: James Harrington Ensure we fetch a valid deployed production hash

commit: 5f1d9a464728641d0c5ea1828fed7b5b2361c99f author: Arjun Naik Small improvements to make it easier to run csv-generate test locally

Signed-off-by: Arjun Naik anaik@redhat.com

commit: b926c8703e255748b632d0dabdb061f439b581d4 author: Arjun Naik Updated the hack generation script

Signed-off-by: Arjun Naik anaik@redhat.com

commit: 7973db3122b3f0bbade38cf95bc3ab1aa1b84e25 author: Eric Fried Run CSV generator in a container

...unless we're already in a container.

...because we can't rely on py3 being present on jenkins nodes, and py2 is dead.

OSD-6993

commit: 639160e9a92475f0a446c44aff3ad202d935e83e author: Arjun Naik Updated test case for CSV generation

Signed-off-by: Arjun Naik anaik@redhat.com

commit: 1dc94f0588ad8177e8804a8adf3bed94333453ec author: Arjun Naik Use trim_index and add default namespace for rolebinding subject SA

Signed-off-by: Arjun Naik anaik@redhat.com

commit: 2c6032115302c4449b8843b076a59d0cf2d25fa9 author: Arjun Naik Add roles into CSV permissions

Signed-off-by: Arjun Naik anaik@redhat.com

commit: a9321bb73ef42b9e30d3ec7673ddc1b7f3c99876 author: Eric Fried csv-generate: Use the project's major.minor

Finishes resolving a TODO whereby the csv generator scripts were hardcoding the operator's major.minor version to 0.1.

With this commit, common-generate-operator-bundle.py no longer accepts separate arguments for commit number or hash to construct the {major}.{minor}.{commit-count}-{commit-hash}. It now accepts -V operator-version where operator-version is already in that form.

commit: b707cd183bce5fbe1281109cdbf211c607d054f8 author: Eric Fried Generate operator bundle generically and inclusively

This is an almost-total rewrite of the common operator bundle generator script to accommodate variations in boilerplate consumers.

Before: The script looked for specific files by name. This wasn't a big deal as long as consumers had the right corresponding file they could simply rename. However, it would blow up if those files weren't present or didn't contain exactly what was expected; or (importantly) if more than one file of that kind was needed.

After: The script processes all yaml documents under the deploy/ subdirectory, regardless of filename, including cases where multiple yaml documents exist in a single file, and processes them based on their Kind. The following are treated specially:

• CustomResourceDefinitions: These are registered as "owned" in the CSV. Otherwise they are copied into the bundle directory as usual.
• ClusterRoles: These are folded into the CSV's clusterPermissions and not copied into the bundle directory.
• ClusterRoleBindings: These are only used to discover the appropriate serviceAccountName for their corresponding ClusterRoles. They are not copied into the bundle directory. If any ClusterRoleBindings are "left over" at the end (not used to find a ServiceAccount), an error is raised.
• Deployment: We explicitly validate that there is exactly one of these. We fold the contents into the CSV's deployments. The Deployment is not copied to the bundle directory.
• ServiceAccounts: These are ignored, as we assume they correspond exactly to those listed in ClusterRoleBindings or the Deployment's Pod spec.

TODO:s

• The CSV schema appears to support Role[Binding]s in a manner similar to ClusterRole[Binding]s. Assuming OLM supports that, we should use it. For now, this commit treats Role[Binding]s as generic resources and simply copies them into the bundle, as consumers appeared to be doing.
• We should validate ServiceAccounts to make sure they correspond to [Cluster]RoleBindings or Pod specs in the Deployment, and error if any are "left over".

commit: bfcccf9262c7f9cd1fa7b9c0676a03fe476a579c author: James Harrington Removed to pass tests

commit: fa055ee00a16f0f25aba8542b4c441be161ce8cb author: James Harrington Include package.yaml in OLM bundle

commit: 32fa7dc294da442d1333551c5554652095c3306c author: Eric Fried golang-osd-operator: Pull operator image by digest

This commit tweaks the common CSV generator logic such that the operator image is referenced by digest ({registry}/{repo}/{operator}@sha256:{digest}) rather than by tag ({registry}/{repo}/{operator}:v{major}.{minor}.{count}-{commit-sha}).

NOTE: This does not affect how the catalog image is pulled. That requires changes in the app-interface saas file and the consuming repository's OLM template.

commit: 4bba942de7a8d389a46f606c798a512c0f903d9b author: Eric Fried golang-osd-operator: Enable app-sre build and deploy

This commit adds the top-level script to perform the end-to-end app-sre build and deploy sequence, and enables it by default for consumers via the build-push make target.

It also enables (and documents) local testing of this sequence without changing code.

commit: dec995b5d0a456d48898807f617580ec3c54d079 author: Eric Fried Enable selecting test cases

With this commit, you can use a CASE_GLOB variable to restrict which tests are run by make test (aka make pr-check). The value of CASE_GLOB is passed to find ... -name, so may be anything that will accept. For example, to run just the test case named 06-csv-generate, you can run:

make CASE_GLOB=06-csv-generate test

This also works via container-make, which can be convenient for debugging CI failures:

./boilerplate/_lib/container-make CASE_GLOB=06-csv-generate pr-check

commit: 8e99ebe14d1c7c547c9de3fa5d94e876fd674f8d author: Eric Fried golang-osd-operator: Pull operator image by digest

This commit tweaks the common CSV generator logic such that the operator image is referenced by digest ({registry}/{repo}/{operator}@sha256:{digest}) rather than by tag ({registry}/{repo}/{operator}:v{major}.{minor}.{count}-{commit-sha}).

NOTE: This does not affect how the catalog image is pulled. That requires changes in the app-interface saas file and the consuming repository's OLM template.

commit: aeca64eaa1fee9b69d0797e7d8bf06f792a907b8 author: Eric Fried golang-osd-operator: Enable app-sre build and deploy

This commit adds the top-level script to perform the end-to-end app-sre build and deploy sequence, and enables it by default for consumers via the build-push make target.

It also enables (and documents) local testing of this sequence without changing code.

commit: c937d6ab7756ea4f287ae828cd21dbd0e5415f20 author: Eric Fried Enable container-make in boilerplate itself

Previously in order for container-make to function in the boilerplate repository itself, you had to set the LATEST_IMAGE_TAG environment variable manually. With this commit, if it's unset and we're in boilerplate, we discover it from git.

commit: 05f546cc7e24911477b504df585f63dbd53445ba author: Eric Fried Document subscribers

Add documentation for the subscribers.yaml file and the subscriber utility.

commit: 10166fa7731ab847c291a85e78b4f0318f52a0b2 author: Benjamin Dematteo Fixing the bad variable used for calling the generate scripts

commit: 0813021e913229a7f0c62a4f86c3a0814b627bc7 author: James Harrington Erroneous additional parameter specified

commit: d7c8056d99bade30bed6fdc4d376ce979bfa8558 author: Eric Fried Pin yq to 3.4.1 in csv-generate.sh

See openshift/osd-metrics-exporter#43 for details.

commit: cf31f7abe2964e70b6fdef249ac984822bce0cef author: Eric Fried image-v0.5.1: registry.svc.ci.openshift.org is dead

We need to build our image FROM registry.ci.openshift.org now, since registry.svc.ci.openshift.org has been decommissioned.

image-v0.5.0 will never build and is therefore unusable.

commit: 96415a636afa0e304dbdab60318fd4f9e2bbc825 author: Manuel Dewald add operator-sdk v1.2.0

commit: 19951d141e1c7a2b371a5ec34784e7005c073345 author: Eric Fried image-v0.5.0: more go helpers

Add the following to the backing image:

• controller-gen
• kustomize
• go-bindata

commit: 262eaba2a0a13e3220e7586b5b9cd6b9be733d6e author: Rafa Porres Molina Do not evaluate main with an or conditional

Not only it is not needed, it can deactivate the effect of set -e

Signed-off-by: Rafa Porres Molina rporresm@redhat.com

commit: a8324a4e572ba4568cd92d5b69c9c74d11cdce8b author: Eric Fried Fix container-make for openapi-gen

openapi-gen is really picky about how GOPATH is set with respect to the path to the repo clone it's working on. And CI is really picky about where things like go mod download are allowed to write. With this change, we make sure the path inside container-make's container gels with GOPATH so openapi-gen works as expected.

Co-Authored-By: Kirk Bater kbater@redhat.com

commit: f700776ea385de430a71398ee3e05c5304a2e502 author: Kirk Bater Adds extra debug output to isclean

commit: d6e0c61cf1cba062b0ae9281adbdbf4bbf6c954b author: Benjamin Dematteo Removing explicit call to python3

commit: 048e344dd49f9fb8070808b404721c75ddfd0f72 author: Manuel Dewald Allow configuration of MAINPACKAGE and TESTTARGETS

• Consuming operators may want to have a different set of TESTTARGETS
• MAINPACKAGE differs for operator-sdk v1, allowing to override it will help onboarding operators on operator-sdk v1

commit: 9ac2810dcaf56eaacd9e3cc2d076961ca49ab212 author: Benjamin Dematteo Integrating comments from MR review

commit: 60959312e1f456a47968bc8cc5839ee3435e6cdd author: Eric Fried golang-osd-operator: Cap concurrency for codecov

Some consumers were regularly having their coverage CI pods OOM-killed. Experimenting with the prow configuration, we found we needed to set the memory limits unreasonably high to make it work.

By default, cover tool runs with a number of threads equal to the detected number of CPUs. In the CI environment at this time, that appears to be 16. With this commit, we cap it at 4, which brings the memory usage down to a manageable level without unduly affecting the runtime of the job.

commit: 5cf48e3eb539b9c26d8ae4999758f790175a28da author: Benjamin Dematteo Fixing tests

commit: f5a20e2644ff854ff42ff7881d1e8788878d48d6 author: Benjamin Dematteo First commit for the bundle-generate

commit: b86c5e0dcd7a2f664a55236dc42de87658814d4c author: Eric Fried Update subscribers

The following have been onboarded and are marked as such:

• aws-account-operator
• aws-efs-operator
• managed-upgrade-operator

commit: 3dd1657739fe1ab4604f25bd5b777c8a66e9dd4c author: Rafa Porres Molina Add dry run mode to test to avoid pushes

Signed-off-by: Rafa Porres Molina rporresm@redhat.com

commit: ed0062e80fd0d826b303e87632eca0dba88f81ed author: Rafa Porres Molina Add missing push in git operations

This was left behind in the refactoring made in #104

Signed-off-by: Rafa Porres Molina rporresm@redhat.com

[jharrington22]

/approve /lgtm

This closes #33

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clcollins, jharrington22

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/aws-efs-operator/blob/master/OWNERS)~~ [jharrington22] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment