From 7360f6640e72dec308848d79c43fa1120507466a Mon Sep 17 00:00:00 2001
From: Balazs Gibizer
Date: Fri, 26 Jan 2024 14:25:27 +0100
Subject: [PATCH 1/4] [go.mod]Bump from v0.3.0 to pseudoversion
Our intention is to track service operator and lib-common dependencies via pseudoversions. However renovate does not automatically bump from a tagged version (e.g. v0.3.0) to a newer but not tagged pseudoversion. So this patch does the manual bump. After this renovate will bump the newer pseduoversions.
---
go.mod | 2 +-
go.sum | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index d867eee..08d0a96 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240117103205-2bd91a3da216
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240117103205-2bd91a3da216
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240117103205-2bd91a3da216
- github.com/openstack-k8s-operators/mariadb-operator/api v0.3.0
+ github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240124160436-36095347284f
 go.uber.org/zap v1.26.0
 k8s.io/api v0.26.13
 k8s.io/apimachinery v0.27.1
diff --git a/go.sum b/go.sum
index 2626399..7faf820 100644
--- a/go.sum
+++ b/go.sum
@@ -246,8 +246,8 @@ github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.202401171
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240117103205-2bd91a3da216/go.mod h1:Z8oPtR/G1ukNwJoD75I8Ew+8Ibt4vqtK+XoaiKK3gXk=
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240117103205-2bd91a3da216 h1:VTlhT+Epr3YY/I9NKKCv4MWITnNgBUXv684FB7YQT+E=
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240117103205-2bd91a3da216/go.mod h1:ni4mvKeubWsTjKmcToJ+hIo7pJipM9hwiUv8qhm1R6Y=
-github.com/openstack-k8s-operators/mariadb-operator/api v0.3.0 h1:FB0xB6whYM6W4XIncYo2mPiOJWkFsIOWtCT+UOtvOaQ=
-github.com/openstack-k8s-operators/mariadb-operator/api v0.3.0/go.mod h1:xhiz5wFdKWwVM7BF/VYon4TT3NuUPXp/Pyn2hWcp0CE=
+github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240124160436-36095347284f h1:01HrDX32rjFdvbSOMfz0fBCfxK6Kqthv0BgvimWL7Vc=
+github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240124160436-36095347284f/go.mod h1:gAIo5SMvTTgUomxGC51T3PHIyremhe8xUvz2xpbuCsI=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
From cc2d88b8e1a6b9086ca3c84903dcd6a3d96f8960 Mon Sep 17 00:00:00 2001
From: Balazs Gibizer
Date: Fri, 2 Feb 2024 14:42:11 +0100
Subject: [PATCH 2/4] Drop Debug fields
These fields were redundant. Crashing pods can be debugged via oc debug.
Implements: OSPRH-4290
---
.../barbican.openstack.org_barbicanapis.yaml | 24 --------------
...enstack.org_barbicankeystonelisteners.yaml | 24 --------------
.../barbican.openstack.org_barbicans.yaml | 24 --------------
...arbican.openstack.org_barbicanworkers.yaml | 24 --------------
api/v1beta1/common_types.go | 29 -----------------
api/v1beta1/zz_generated.deepcopy.go | 16 ----------
.../barbican.openstack.org_barbicanapis.yaml | 24 --------------
...enstack.org_barbicankeystonelisteners.yaml | 24 --------------
.../barbican.openstack.org_barbicans.yaml | 24 --------------
...arbican.openstack.org_barbicanworkers.yaml | 24 --------------
config/samples/barbican_v1beta1_barbican.yaml | 5 ---
pkg/barbican/dbsync.go | 8 +----
pkg/barbicanapi/deployment.go | 28 +++++------------
pkg/barbicankeystonelistener/deployment.go | 8 +----
pkg/barbicanworker/deployment.go | 31 ++++++-------------
15 files changed, 20 insertions(+), 297 deletions(-)
diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml
index 4069a53..f52bb38 100644
--- a/api/bases/barbican.openstack.org_barbicanapis.yaml
+++ b/api/bases/barbican.openstack.org_barbicanapis.yaml
@@ -67,30 +67,6 @@ spec:
 description: DatabaseUser - optional username used for barbican DB,
 defaults to barbican
 type: string
- debug:
- description: 'Debug - enable debug for different deploy stages. If
- an init container is used, it runs and the actual action pod gets
- started with sleep infinity TODO(dmendiza): Do we need this?'
- properties:
- dbInitContainer:
- default: false
- description: dbInitContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- dbSync:
- default: false
- description: dbSync enable debug
- type: boolean
- initContainer:
- default: false
- description: initContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- service:
- default: false
- description: Service enable debug
- type: boolean
- type: object
 defaultConfigOverwrite:
 additionalProperties:
 type: string
diff --git a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
index 1802a14..ddb1d63 100644
--- a/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
+++ b/api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
@@ -68,30 +68,6 @@ spec:
 description: DatabaseUser - optional username used for barbican DB,
 defaults to barbican
 type: string
- debug:
- description: 'Debug - enable debug for different deploy stages. If
- an init container is used, it runs and the actual action pod gets
- started with sleep infinity TODO(dmendiza): Do we need this?'
- properties:
- dbInitContainer:
- default: false
- description: dbInitContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- dbSync:
- default: false
- description: dbSync enable debug
- type: boolean
- initContainer:
- default: false
- description: initContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- service:
- default: false
- description: Service enable debug
- type: boolean
- type: object
 defaultConfigOverwrite:
 additionalProperties:
 type: string
diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml
index 4d105ee..d9e0ee9 100644
--- a/api/bases/barbican.openstack.org_barbicans.yaml
+++ b/api/bases/barbican.openstack.org_barbicans.yaml
@@ -551,30 +551,6 @@ spec:
 description: DatabaseUser - optional username used for barbican DB,
 defaults to barbican
 type: string
- debug:
- description: 'Debug - enable debug for different deploy stages. If
- an init container is used, it runs and the actual action pod gets
- started with sleep infinity TODO(dmendiza): Do we need this?'
- properties:
- dbInitContainer:
- default: false
- description: dbInitContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- dbSync:
- default: false
- description: dbSync enable debug
- type: boolean
- initContainer:
- default: false
- description: initContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- service:
- default: false
- description: Service enable debug
- type: boolean
- type: object
 defaultConfigOverwrite:
 additionalProperties:
 type: string
diff --git a/api/bases/barbican.openstack.org_barbicanworkers.yaml b/api/bases/barbican.openstack.org_barbicanworkers.yaml
index c16ebf4..aab3e31 100644
--- a/api/bases/barbican.openstack.org_barbicanworkers.yaml
+++ b/api/bases/barbican.openstack.org_barbicanworkers.yaml
@@ -66,30 +66,6 @@ spec:
 description: DatabaseUser - optional username used for barbican DB,
 defaults to barbican
 type: string
- debug:
- description: 'Debug - enable debug for different deploy stages. If
- an init container is used, it runs and the actual action pod gets
- started with sleep infinity TODO(dmendiza): Do we need this?'
- properties:
- dbInitContainer:
- default: false
- description: dbInitContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- dbSync:
- default: false
- description: dbSync enable debug
- type: boolean
- initContainer:
- default: false
- description: initContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- service:
- default: false
- description: Service enable debug
- type: boolean
- type: object
 defaultConfigOverwrite:
 additionalProperties:
 type: string
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index 877d8da..b9ad1c9 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -45,12 +45,6 @@ type BarbicanTemplate struct {
 // PasswordSelectors - Selectors to identify the DB and ServiceUser password from the Secret
 PasswordSelectors PasswordSelector `json:"passwordSelectors"`
- // +kubebuilder:validation:Optional
- // Debug - enable debug for different deploy stages. If an init container is used, it runs and the
- // actual action pod gets started with sleep infinity
- // TODO(dmendiza): Do we need this?
- Debug BarbicanDebug `json:"debug,omitempty"`
-
 // +kubebuilder:validation:Optional
 // CustomServiceConfig - customize the service config using this parameter to change service defaults,
 // or overwrite rendered information using raw OpenStack config format. The content gets added to
@@ -121,26 +115,3 @@ type PasswordSelector struct {
 // Service - Selector to get the barbican service user password from the Secret
 Service string `json:"service"`
 }
-
-// BarbicanDebug indicates whether certain stages of deployment should be paused
-type BarbicanDebug struct {
- // +kubebuilder:validation:Optional
- // +kubebuilder:default=false
- // dbInitContainer enable debug (waits until /tmp/stop-init-container disappears)
- DBInitContainer bool `json:"dbInitContainer"`
-
- // +kubebuilder:validation:Optional
- // +kubebuilder:default=false
- // dbSync enable debug
- DBSync bool `json:"dbSync"`
-
- // +kubebuilder:validation:Optional
- // +kubebuilder:default=false
- // initContainer enable debug (waits until /tmp/stop-init-container disappears)
- InitContainer bool `json:"initContainer"`
-
- // +kubebuilder:validation:Optional
- // +kubebuilder:default=false
- // Service enable debug
- Service bool `json:"service"`
-}
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 59fc786..a633e6f 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -265,21 +265,6 @@ func (in *BarbicanComponentTemplate) DeepCopy() *BarbicanComponentTemplate {
 return out
 }
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BarbicanDebug) DeepCopyInto(out *BarbicanDebug) {
- *out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanDebug.
-func (in *BarbicanDebug) DeepCopy() *BarbicanDebug {
- if in == nil {
- return nil
- }
- out := new(BarbicanDebug)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BarbicanDefaults) DeepCopyInto(out *BarbicanDefaults) {
 *out = *in
@@ -529,7 +514,6 @@ func (in *BarbicanStatus) DeepCopy() *BarbicanStatus {
 func (in *BarbicanTemplate) DeepCopyInto(out *BarbicanTemplate) {
 *out = *in
 out.PasswordSelectors = in.PasswordSelectors
- out.Debug = in.Debug
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanTemplate.
diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml
index 4069a53..f52bb38 100644
--- a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml
+++ b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml
@@ -67,30 +67,6 @@ spec:
 description: DatabaseUser - optional username used for barbican DB,
 defaults to barbican
 type: string
- debug:
- description: 'Debug - enable debug for different deploy stages. If
- an init container is used, it runs and the actual action pod gets
- started with sleep infinity TODO(dmendiza): Do we need this?'
- properties:
- dbInitContainer:
- default: false
- description: dbInitContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- dbSync:
- default: false
- description: dbSync enable debug
- type: boolean
- initContainer:
- default: false
- description: initContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- service:
- default: false
- description: Service enable debug
- type: boolean
- type: object
 defaultConfigOverwrite:
 additionalProperties:
 type: string
diff --git a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
index 1802a14..ddb1d63 100644
--- a/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
+++ b/config/crd/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
@@ -68,30 +68,6 @@ spec:
 description: DatabaseUser - optional username used for barbican DB,
 defaults to barbican
 type: string
- debug:
- description: 'Debug - enable debug for different deploy stages. If
- an init container is used, it runs and the actual action pod gets
- started with sleep infinity TODO(dmendiza): Do we need this?'
- properties:
- dbInitContainer:
- default: false
- description: dbInitContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- dbSync:
- default: false
- description: dbSync enable debug
- type: boolean
- initContainer:
- default: false
- description: initContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- service:
- default: false
- description: Service enable debug
- type: boolean
- type: object
 defaultConfigOverwrite:
 additionalProperties:
 type: string
diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml
index 4d105ee..d9e0ee9 100644
--- a/config/crd/bases/barbican.openstack.org_barbicans.yaml
+++ b/config/crd/bases/barbican.openstack.org_barbicans.yaml
@@ -551,30 +551,6 @@ spec:
 description: DatabaseUser - optional username used for barbican DB,
 defaults to barbican
 type: string
- debug:
- description: 'Debug - enable debug for different deploy stages. If
- an init container is used, it runs and the actual action pod gets
- started with sleep infinity TODO(dmendiza): Do we need this?'
- properties:
- dbInitContainer:
- default: false
- description: dbInitContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- dbSync:
- default: false
- description: dbSync enable debug
- type: boolean
- initContainer:
- default: false
- description: initContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- service:
- default: false
- description: Service enable debug
- type: boolean
- type: object
 defaultConfigOverwrite:
 additionalProperties:
 type: string
diff --git a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml
index c16ebf4..aab3e31 100644
--- a/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml
+++ b/config/crd/bases/barbican.openstack.org_barbicanworkers.yaml
@@ -66,30 +66,6 @@ spec:
 description: DatabaseUser - optional username used for barbican DB,
 defaults to barbican
 type: string
- debug:
- description: 'Debug - enable debug for different deploy stages. If
- an init container is used, it runs and the actual action pod gets
- started with sleep infinity TODO(dmendiza): Do we need this?'
- properties:
- dbInitContainer:
- default: false
- description: dbInitContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- dbSync:
- default: false
- description: dbSync enable debug
- type: boolean
- initContainer:
- default: false
- description: initContainer enable debug (waits until /tmp/stop-init-container
- disappears)
- type: boolean
- service:
- default: false
- description: Service enable debug
- type: boolean
- type: object
 defaultConfigOverwrite:
 additionalProperties:
 type: string
diff --git a/config/samples/barbican_v1beta1_barbican.yaml b/config/samples/barbican_v1beta1_barbican.yaml
index 433da7c..2cdae12 100644
--- a/config/samples/barbican_v1beta1_barbican.yaml
+++ b/config/samples/barbican_v1beta1_barbican.yaml
@@ -18,11 +18,6 @@ spec:
 passwordSelectors:
 database: BarbicanDatabasePassword
 service: BarbicanPassword
- debug:
- dbInitContainer: false
- dbSync: false
- initContainer: false
- service: false
 preserveJobs: true
 nodeSelector:
 node: controller
diff --git a/pkg/barbican/dbsync.go b/pkg/barbican/dbsync.go
index 0ecf75c..c22c1c1 100644
--- a/pkg/barbican/dbsync.go
+++ b/pkg/barbican/dbsync.go
@@ -3,7 +3,6 @@ package barbican
 import (
 barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1"
- "github.com/openstack-k8s-operators/lib-common/modules/common"
 "github.com/openstack-k8s-operators/lib-common/modules/common/env"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
@@ -59,12 +58,7 @@ func DbSyncJob(instance *barbicanv1beta1.Barbican, labels map[string]string, ann
 ReadOnly: true,
 },
 }
- args := []string{"-c"}
- if instance.Spec.Debug.DBSync {
- args = append(args, common.DebugCommand)
- } else {
- args = append(args, DBSyncCommand)
- }
+ args := []string{"-c", DBSyncCommand}
 runAsUser := int64(0)
 envVars := map[string]env.Setter{}
diff --git a/pkg/barbicanapi/deployment.go b/pkg/barbicanapi/deployment.go
index 29e8997..f1d942e 100644
--- a/pkg/barbicanapi/deployment.go
+++ b/pkg/barbicanapi/deployment.go
@@ -3,7 +3,6 @@ package barbicanapi
 import (
 "fmt"
- "github.com/openstack-k8s-operators/lib-common/modules/common"
 "github.com/openstack-k8s-operators/lib-common/modules/common/env"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
@@ -43,26 +42,15 @@ func Deployment(
 PeriodSeconds: 5,
 InitialDelaySeconds: 5,
 }
- args := []string{"-c"}
- if instance.Spec.Debug.Service {
- args = append(args, common.DebugCommand)
- livenessProbe.Exec = &corev1.ExecAction{
- Command: []string{
- "/bin/true",
- },
- }
- readinessProbe.Exec = livenessProbe.Exec
- } else {
- args = append(args, ServiceCommand)
- //
- // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
- //
- livenessProbe.HTTPGet = &corev1.HTTPGetAction{
- Path: "/healthcheck",
- Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(barbican.BarbicanPublicPort)},
- }
- readinessProbe.HTTPGet = livenessProbe.HTTPGet
+ args := []string{"-c", ServiceCommand}
+ //
+ // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+ //
+ livenessProbe.HTTPGet = &corev1.HTTPGetAction{
+ Path: "/healthcheck",
+ Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(barbican.BarbicanPublicPort)},
 }
+ readinessProbe.HTTPGet = livenessProbe.HTTPGet
 apiVolumes := []corev1.Volume{
 {
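Review bot: With the debug branch removed, the API container's liveness and readiness probes are now one and the same `HTTPGet /healthcheck` object (`readinessProbe.HTTPGet = livenessProbe.HTTPGet` aliases the pointer) on top of what the context lines show to be identical `PeriodSeconds: 5` / `InitialDelaySeconds: 5` timings, so any condition that makes `/healthcheck` slow or fail — a stalled database or Keystone call, a slow first start — both pulls the pod out of the Service and restarts it on the same schedule. Consider giving liveness its own `&corev1.HTTPGetAction{...}` with a higher `FailureThreshold` (or a startup probe) and keeping the tight timings for readiness only. The probe is also hard-coded to plain HTTP on `barbican.BarbicanPublicPort`; if the API endpoint is ever served with TLS the probe will need `Scheme: corev1.URISchemeHTTPS`, which is not visible here, so a `// NOTE: probe assumes plain HTTP on the public port` next to the `HTTPGetAction` would save the next person a debugging session. `Deployment` begins before this hunk and continues after it.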
diff --git a/pkg/barbicankeystonelistener/deployment.go b/pkg/barbicankeystonelistener/deployment.go
index bb20157..8d96c78 100644
--- a/pkg/barbicankeystonelistener/deployment.go
+++ b/pkg/barbicankeystonelistener/deployment.go
@@ -3,7 +3,6 @@ package barbicankeystonelistener
 import (
 "fmt"
- "github.com/openstack-k8s-operators/lib-common/modules/common"
 "github.com/openstack-k8s-operators/lib-common/modules/common/env"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
@@ -30,12 +29,7 @@ func Deployment(
 envVars := map[string]env.Setter{}
 envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 envVars["CONFIG_HASH"] = env.SetValue(configHash)
- args := []string{"-c"}
- if instance.Spec.Debug.Service {
- args = append(args, common.DebugCommand)
- } else {
- args = append(args, ServiceCommand)
- }
+ args := []string{"-c", ServiceCommand}
 keystoneListenerVolumes := []corev1.Volume{
 {
diff --git a/pkg/barbicanworker/deployment.go b/pkg/barbicanworker/deployment.go
index 44d7ca2..995b546 100644
--- a/pkg/barbicanworker/deployment.go
+++ b/pkg/barbicanworker/deployment.go
@@ -3,11 +3,11 @@ package barbicanworker
 import (
 "fmt"
- "github.com/openstack-k8s-operators/lib-common/modules/common"
 "github.com/openstack-k8s-operators/lib-common/modules/common/env"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ //"k8s.io/apimachinery/pkg/util/intstr"
 barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1"
@@ -45,26 +45,15 @@ func Deployment(
 InitialDelaySeconds: 5,
 }
 */
- args := []string{"-c"}
- if instance.Spec.Debug.Service {
- args = append(args, common.DebugCommand)
- //livenessProbe.Exec = &corev1.ExecAction{
- // Command: []string{
- // "/bin/true",
- // },
- //}
- //readinessProbe.Exec = livenessProbe.Exec
- } else {
- args = append(args, ServiceCommand)
- //
- // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
- //
- //livenessProbe.HTTPGet = &corev1.HTTPGetAction{
- // Path: "/healthcheck",
- // Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(barbican.BarbicanPublicPort)},
- //}
- //readinessProbe.HTTPGet = livenessProbe.HTTPGet
- }
+ args := []string{"-c", ServiceCommand}
+ //
+ // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+ //
+ //livenessProbe.HTTPGet = &corev1.HTTPGetAction{
+ // Path: "/healthcheck",
+ // Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(barbican.BarbicanPublicPort)},
+ //}
+ //readinessProbe.HTTPGet = livenessProbe.HTTPGet
 workerVolumes := []corev1.Volume{
 {
From d31e9bb09839ae160a3fc703a2c116c6c1e8ed59 Mon Sep 17 00:00:00 2001
From: Brendan Shephard
Date: Wed, 7 Feb 2024 12:45:42 +1000
Subject: [PATCH 3/4] FIPS compliant images
- Changed the build image to ubi9/go-toolkit
- Changed the base image to ubi9/minimal
- Added the default GO_BUILD_EXTRA_ARGS="-tags strictfipsruntime"
- Added the GO_BUILD_EXTRA_ENV_ARGS build argument to allow custom build arguments at build time. It defaults to "CGO_ENABLED=1 GO111MODULE=on"
- Those default parameters have been added to enable FIPS compliance
- Fixed indentation
- Removed TARGETOS and TARGETARCH env vars.
- Added DOCKER_BUILD_ARGS variable in Makefile to pass custom parameters during podman build
- Added export FAIL_FIPS_CHECK=true in .prow_ci.env file
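Review bot: The worker deployment still ships with no liveness or readiness probe: the new side keeps the whole `//livenessProbe.HTTPGet = &corev1.HTTPGetAction{ ... }` block commented out (and the import hunk above adds a commented `//"k8s.io/apimachinery/pkg/util/intstr"` alongside it), so a hung barbican-worker process is never restarted, and the dead code will keep drifting from reality — it already points at `barbican.BarbicanPublicPort`, a port the worker does not serve. Either delete the commented block and the commented import, or collapse them into a single `// TODO: the worker exposes no HTTP endpoint; add an exec-based liveness probe once a health command is available.` so the intent survives in one greppable line. `Deployment` begins before this hunk and continues after it.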
Signed-off-by: Brendan Shephard
---
.prow_ci.env | 1 +
Dockerfile | 24 +++++++++++++-----------
Makefile | 5 ++++-
3 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/.prow_ci.env b/.prow_ci.env
index 2606e6b..ce722ac 100644
--- a/.prow_ci.env
+++ b/.prow_ci.env
@@ -1 +1,2 @@
 export USE_IMAGE_DIGESTS=true
+export FAIL_FIPS_CHECK=true
diff --git a/Dockerfile b/Dockerfile
index f0378c5..9e6391d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
-ARG GOLANG_BUILDER=golang:1.19
-ARG OPERATOR_BASE_IMAGE=gcr.io/distroless/static:nonroot
+ARG GOLANG_BUILDER=registry.access.redhat.com/ubi9/go-toolset:1.19
+ARG OPERATOR_BASE_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:latest
 # Build the manager binary
 FROM $GOLANG_BUILDER AS builder
@@ -12,11 +12,13 @@ ARG REMOTE_SOURCE_DIR=/remote-source
 ARG REMOTE_SOURCE_SUBDIR=
 ARG DEST_ROOT=/dest-root
-ARG GO_BUILD_EXTRA_ARGS=
+ARG GO_BUILD_EXTRA_ARGS="-tags strictfipsruntime"
+ARG GO_BUILD_EXTRA_ENV_ARGS="CGO_ENABLED=1 GO111MODULE=on"
 COPY $REMOTE_SOURCE $REMOTE_SOURCE_DIR
 WORKDIR $REMOTE_SOURCE_DIR/$REMOTE_SOURCE_SUBDIR
+USER root
 RUN mkdir -p ${DEST_ROOT}/usr/local/bin/
 # cache deps before building and copying source so that we don't need to re-download as much
@@ -24,7 +26,7 @@ RUN mkdir -p ${DEST_ROOT}/usr/local/bin/
 RUN if [ ! -f $CACHITO_ENV_FILE ]; then go mod download ; fi
 # Build manager
-RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; CGO_ENABLED=0 GO111MODULE=on go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager main.go
+RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; env ${GO_BUILD_EXTRA_ENV_ARGS} go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager main.go
 RUN cp -r templates ${DEST_ROOT}/templates
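Review bot: `OPERATOR_BASE_IMAGE` moves from `gcr.io/distroless/static:nonroot` to `registry.access.redhat.com/ubi9/ubi-minimal:latest`, so every rebuild silently picks up whatever `latest` resolves to at that moment and the operator image stops being reproducible or auditable — the builder on the line above is at least pinned to `go-toolset:1.19`, and a few lines up `.prow_ci.env` already opts into `USE_IMAGE_DIGESTS=true`, which suggests digest pinning is the project's intent. Pin the base to a minor tag at minimum, `ARG OPERATOR_BASE_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:9.3`, or better a `@sha256:` digest that renovate can bump like the Go pseudoversions in the first patch. The distroless image also ran as `nonroot` by default, which ubi-minimal does not; please confirm the final stage still ends with a `USER` directive (the `ENV USER_UID=$USER_ID` context in the next hunk hints that it does, but it is outside this diff).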
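Review bot: The build line now runs `env ${GO_BUILD_EXTRA_ENV_ARGS} go build ${GO_BUILD_EXTRA_ARGS}` with defaults of `CGO_ENABLED=1` and `-tags strictfipsruntime`, and both knobs are overridable build args with no guard: with an upstream `golang` builder the tag is meaningless to the standard library and is silently ignored, while `CGO_ENABLED=1` still produces a dynamically linked `manager`, so a mis-configured build yields a non-FIPS binary that is indistinguishable from the intended one at this stage. Add a post-build assertion so such a build fails instead of shipping, e.g. `RUN go version -m ${DEST_ROOT}/manager | grep -q 'tags=strictfipsruntime'` (Go records `-tags` in the embedded build info since 1.18 — verify the exact form on go-toolset 1.19), and a comment above the two `ARG`s such as `# Changing these breaks the FIPS claim made by the operator's CSV annotation`. Note also that the unquoted `${GO_BUILD_EXTRA_ENV_ARGS}` relies on word splitting, so `KEY="value with spaces"` cannot be passed through it; acceptable, but worth stating in that comment.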
@@ -49,16 +51,16 @@ ARG IMAGE_TAGS="cn-openstack openstack"
 # Labels required by upstream and osbs build system
 LABEL com.redhat.component="${IMAGE_COMPONENT}" \
- name="${IMAGE_NAME}" \
- version="${IMAGE_VERSION}" \
- summary="${IMAGE_SUMMARY}" \
- io.k8s.name="${IMAGE_NAME}" \
- io.k8s.description="${IMAGE_DESC}" \
- io.openshift.tags="${IMAGE_TAGS}"
+ name="${IMAGE_NAME}" \
+ version="${IMAGE_VERSION}" \
+ summary="${IMAGE_SUMMARY}" \
+ io.k8s.name="${IMAGE_NAME}" \
+ io.k8s.description="${IMAGE_DESC}" \
+ io.openshift.tags="${IMAGE_TAGS}"
 ### DO NOT EDIT LINES ABOVE
 ENV USER_UID=$USER_ID \
- OPERATOR_TEMPLATES=/usr/share/barbican-operator/templates/
+ OPERATOR_TEMPLATES=/usr/share/barbican-operator/templates/
 WORKDIR /
diff --git a/Makefile b/Makefile
index 3a9b04c..1f3cb75 100644
--- a/Makefile
+++ b/Makefile
@@ -68,6 +68,9 @@ endif
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
+# Extra vars which will be passed to the Docker-build
+ DOCKER_BUILD_ARGS ?=
+
 .PHONY: all
 all: build
@@ -138,7 +141,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
 docker-build: test ## Build docker image with the manager.
- podman build -t ${IMG} .
+ podman build -t ${IMG} . ${DOCKER_BUILD_ARGS}
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
From 5ee05f1b8da152c539746d1aa1ca0b2f89ff0969 Mon Sep 17 00:00:00 2001
From: Brendan Shephard
Date: Fri, 9 Feb 2024 15:18:46 +1000
Subject: [PATCH 4/4] Add fips compliant annotation
Signed-off-by: Brendan Shephard
---
.../manifests/bases/barbican-operator.clusterserviceversion.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/manifests/bases/barbican-operator.clusterserviceversion.yaml b/config/manifests/bases/barbican-operator.clusterserviceversion.yaml
index 4dc8551..0abc65f 100644
--- a/config/manifests/bases/barbican-operator.clusterserviceversion.yaml
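Review bot: `DOCKER_BUILD_ARGS ?=` is added with leading whitespace, unlike every other assignment in this Makefile; GNU make accepts spaces before a variable assignment, but if that indent is a tab the line is parsed as a recipe and, following `.SHELLFLAGS = -ec` with no target in scope, fails with "recipe commences before first target" — drop the indent so the question never arises. The comment above it also says "Docker-build" while the target drives `podman build`; something like `# Extra arguments for 'podman build', e.g. DOCKER_BUILD_ARGS="--build-arg GOLANG_BUILDER=..."` would tell the reader both which tool and what shape of value is expected.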
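Review bot: In the `docker-build` recipe the new arguments are appended after the build context, `podman build -t ${IMG} . ${DOCKER_BUILD_ARGS}`; podman tolerates options after the positional context, but the classic `docker build` CLI that the target name and the `# More info: https://docs.docker.com/...` comment still refer to treats everything after the context as an error, so anyone who swaps the binary gets a confusing failure. Placing the variable before the context, `podman build ${DOCKER_BUILD_ARGS} -t ${IMG} .`, works with both and matches the usual `[OPTIONS] PATH` form.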
+++ b/config/manifests/bases/barbican-operator.clusterserviceversion.yaml
@@ -5,6 +5,7 @@ metadata:
 alm-examples: '[]'
 capabilities: Basic Install
 features.operators.openshift.io/disconnected: "true"
+ features.operators.openshift.io/fips-compliant: "true"
 operators.openshift.io/infrastructure-features: '["disconnected"]'
 operators.operatorframework.io/operator-type: non-standalone
 name: barbican-operator.v0.0.0
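Review bot: `features.operators.openshift.io/fips-compliant: "true"` is an unconditional statement in the CSV base, but it is only true for images produced with the Dockerfile defaults from the previous patch (go-toolset builder, `CGO_ENABLED=1`, `-tags strictfipsruntime`); a build that overrides `GOLANG_BUILDER` or `GO_BUILD_EXTRA_ARGS` ships a non-FIPS binary carrying exactly this annotation. Record that dependency where the claim is made, e.g. `# fips-compliant is only valid for images built with the default FIPS build args in Dockerfile; do not override them for published builds`, and have CI enforce it (the `FAIL_FIPS_CHECK=true` added to `.prow_ci.env` looks like the hook for that, though what it checks is not visible here) rather than relying on the label alone.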