Release 2023 08 01.1.1a211ce (#1184)

## Description
<!-- Please include a summary of the change and a link to the JIRA
ticket. Please add any additional motivation and context as needed.
Screenshots are also welcome -->
Release 2023 08 01.1.1a211ce

.secrets.baseline

@@ -340,7 +340,7 @@
         "filename": "fleetshard/pkg/central/cloudprovider/dbclient_moq.go",
         "hashed_secret": "80519927d0f3ce1efe933f46ca9e05e68e491adc",
         "is_verified": false,
-        "line_number": 139
+        "line_number": 143
       }
     ],
     "internal/dinosaur/pkg/api/public/api/openapi.yaml": [
@@ -564,5 +564,5 @@
       }
     ]
   },
-  "generated_at": "2023-06-21T12:15:21Z"
+  "generated_at": "2023-07-19T10:20:12Z"
 }

dev/env/defaults/00-defaults.env

@@ -10,10 +10,10 @@ export CLUSTER_ID_DEFAULT="1234567890abcdef1234567890abcdef"
 export CLUSTER_DNS_DEFAULT="cluster.local"
 
 export IMAGE_REGISTRY_DEFAULT="quay.io/rhacs-eng"
-STACKROX_VERSION_TAG="4.0.1" # Note: SCANNER_VERSION_DEFAULT needs to be in sync with this.
+STACKROX_VERSION_TAG="4.1.1" # Note: SCANNER_VERSION_DEFAULT needs to be in sync with this.
 export STACKROX_OPERATOR_VERSION_DEFAULT="${STACKROX_VERSION_TAG}"
 export CENTRAL_VERSION_DEFAULT=$(echo "$STACKROX_VERSION_TAG" | sed -e 's/0-nightly/x-nightly/;')
-export SCANNER_VERSION_DEFAULT="2.29.2" # This one matches the above operator version tag.
+export SCANNER_VERSION_DEFAULT="2.30.2" # This one matches the above operator version tag.
 export STACKROX_OPERATOR_NAMESPACE_DEFAULT="rhacs"
 export FLEET_MANAGER_IMAGE_DEFAULT=""
 export IGNORE_REPOSITORY_DIRTINESS_DEFAULT="false"

dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml

@@ -43,6 +43,8 @@ spec:
                   optional: false
             - name: RUNTIME_POLL_PERIOD
               value: 10s
+            - name: AUDIT_LOG_ENABLED
+              value: "$AUDIT_LOG_ENABLED"
             - name: MANAGED_DB_ENABLED
               value: "$MANAGED_DB_ENABLED"
             - name: MANAGED_DB_SECURITY_GROUP

dev/env/scripts/create-imagepullsecrets

@@ -70,7 +70,7 @@ function print_auth() {
 
 registry_auth="$(print_auth "$(mkauth "${username}" "${password}")")"
 
-if [[ "$INSTALL_OPERATOR" == "true" ]]; then
+if [[ "$INSTALL_OPERATOR" == "true" || "$RHACS_TARGETED_OPERATOR_UPGRADES" == "true" ]]; then
     res=$(
         cat <<EOF
 apiVersion: v1

dev/env/scripts/docker.sh

@@ -110,11 +110,12 @@ preload_dependency_images() {
     fi
     log "Preloading images into ${CLUSTER_TYPE} cluster..."
     docker_pull "postgres:13"
-    if [[ "$INSTALL_OPERATOR" == "true" ]]; then
+    if [[ "$INSTALL_OPERATOR" == "true" || "$RHACS_TARGETED_OPERATOR_UPGRADES" == "true" ]]; then
         # Preload images required by Central installation.
         docker_pull "${IMAGE_REGISTRY}/scanner:${SCANNER_VERSION}"
         docker_pull "${IMAGE_REGISTRY}/scanner-db:${SCANNER_VERSION}"
         docker_pull "${IMAGE_REGISTRY}/main:${CENTRAL_VERSION}"
+        docker_pull "${IMAGE_REGISTRY}/central-db:${CENTRAL_VERSION}"
     fi
     log "Images preloaded"
 }

dp-terraform/helm/rhacs-terraform/Chart.lock

@@ -8,11 +8,11 @@ dependencies:
 - name: logging
   repository: ""
   version: 0.1.0
-- name: vector
-  repository: https://helm.vector.dev
-  version: 0.21.1
+- name: audit-logs
+  repository: ""
+  version: 0.1.0
 - name: secured-cluster
   repository: ""
   version: 0.1.0
-digest: sha256:5fbf64564effcead5f874af84029ceb77c4ffba073350de4d72cf81c7a7c1df5
-generated: "2023-06-26T11:06:14.387259+02:00"
+digest: sha256:4b3301d2cdd6907207fb21ad741b6fa1e5302aaff1ce6fe5315cab8519908d61
+generated: "2023-07-06T21:15:28.778426+02:00"

dp-terraform/helm/rhacs-terraform/Chart.yaml

@@ -34,10 +34,10 @@ dependencies:
   - name: logging
     version: "0.1.0"
     condition: logging.enabled
-  - name: vector
-    version: "0.21.1"
-    repository: "https://helm.vector.dev"
-    condition: vector.enabled
+  - name: audit-logs
+    version: "0.1.0"
+    repository: ""
+    condition: audit-logs.enabled
   - name: secured-cluster
     version: "0.1.0"
     condition: secured-cluster.enabled

dp-terraform/helm/rhacs-terraform/charts/audit-logs/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

dp-terraform/helm/rhacs-terraform/charts/audit-logs/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: audit-logs
+description: "Chart to terraform audit-logs stack for dataplane OSD clusters"
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: "0.1.0"
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

dp-terraform/helm/rhacs-terraform/charts/audit-logs/README.md

@@ -0,0 +1,31 @@
+# Data plane terraform audit-logs Helm chart
+
+This chart installs resource into `rhacs-audit-logs` namespace.
+
+## Usage
+
+Create a file `~/dp-terraform-audit-logs-values.yaml` with the values for the parameters in [values.yaml](./values.yaml) that are missing or that you want to override.
+
+**Render the chart to see the generated templates during development**
+
+```bash
+helm template rhacs-terraform-audit-logs \
+  --debug \
+  --namespace rhacs \
+  --values ~/dp-terraform-audit-logs-values.yaml .
+```
+
+**Install or update the chart**
+
+```bash
+helm upgrade --install rhacs-terraform-audit-logs \
+  --namespace rhacs \
+  --create-namespace \
+  --values ~/dp-terraform-audit-logs-values.yaml .
+```
+
+**Uninstall the chart and cleanup all created resources**
+
+```bash
+helm uninstall rhacs-terraform-audit-logs --namespace rhacs
+```

dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/01-namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ include "aggregator.namespace" . }}
+  annotations:
+  {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}

dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/02-configmap.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "aggregator.fullname" . }}
+  namespace: {{ include "aggregator.namespace" . }}
+  labels:
+    {{- include "aggregator.selectorLabels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  {{- if .Values.customConfig }}
+  vector.yaml: |
+{{ tpl (toYaml .Values.customConfig) . | indent 4 }}
+  {{- end }}

dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/03-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "aggregator.fullname" . }}
+  namespace: {{ include "aggregator.namespace" . }}
+  labels:
+    {{- include "aggregator.selectorLabels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+{{- range $key, $value := .Values.secrets }}
+  {{ $key }}: {{ $value | b64enc | quote }}
+{{- end }}

dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/04-serviceaccount.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "aggregator.fullname" . }}
+  namespace: {{ include "aggregator.namespace" . }}
+  labels:
+    {{- include "aggregator.selectorLabels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: true

dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/05-service.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "aggregator.fullname" . }}
+  namespace: {{ include "aggregator.namespace" . }}
+  labels:
+    {{- include "aggregator.selectorLabels" . | nindent 4 }}
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: {{ include "aggregator.fullname" . }}-tls-secret
+  {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ipFamilies:
+    - IPv4
+  ports:
+    - name: http-server
+      protocol: TCP
+      port: 8888
+      targetPort: 8888
+  internalTrafficPolicy: Cluster
+  type: ClusterIP
+  ipFamilyPolicy: SingleStack
+  sessionAffinity: None
+  selector:
+    {{- include "aggregator.selectorLabels" . | nindent 4 }}

dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml

@@ -0,0 +1,127 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: {{ include "aggregator.fullname" . }}
+  namespace: {{ include "aggregator.namespace" . }}
+  labels:
+    {{- include "aggregator.selectorLabels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.replicas }}
+  podManagementPolicy: OrderedReady
+  selector:
+    matchLabels:
+      {{- include "aggregator.selectorLabels" . | nindent 6 }}
+  serviceName: {{ include "aggregator.fullname" . }}
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 0
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print .Template.BasePath "/02-configmap.yaml") . | sha256sum }}
+      {{- with .Values.annotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: {{ include "aggregator.fullname" . }}
+        {{- include "aggregator.selectorLabels" . | nindent 8 }}
+    spec:
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      serviceAccountName: {{ include "aggregator.fullname" . }}
+      schedulerName: default-scheduler
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - {{ include "aggregator.fullname" . }}
+              topologyKey: topology.kubernetes.io/zone
+      terminationGracePeriodSeconds: 60
+      securityContext: {}
+      containers:
+        - resources: {}
+          terminationMessagePath: /tmp/vector-termination-log
+          name: vector
+          command:
+            - /usr/bin/vector
+          env:
+            - name: AWS_WEB_IDENTITY_TOKEN_FILE
+              value: /var/run/secrets/aws-token/aws-token
+            - name: AWS_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "aggregator.fullname" . }}
+                  key: aws_region
+            - name: AWS_ROLE_ARN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "aggregator.fullname" . }}
+                  key: aws_role_arn
+          ports:
+            - name: http-server
+              containerPort: 8888
+              protocol: TCP
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: config
+              readOnly: true
+              mountPath: /etc/aggregator/
+            - name: service-tls-secret
+              readOnly: true
+              mountPath: /etc/aggregator/tls
+            - name: aws-token
+              mountPath: /var/run/secrets/aws-token
+            {{- if .Values.persistence.enabled }}
+            - name: data
+              mountPath: /aggregator-data-dir
+            {{- end }}
+          terminationMessagePolicy: File
+          image: {{ .Values.image | quote }}
+          args:
+            - '--config-dir'
+            - /etc/aggregator/
+      serviceAccount: audit-logs-aggregator
+      volumes:
+        - name: config
+          projected:
+            sources:
+              - configMap:
+                  name: {{ include "aggregator.fullname" . }}
+            defaultMode: 420
+        - name: service-tls-secret
+          projected:
+            sources:
+              - secret:
+                  name: {{ include "aggregator.fullname" . }}-tls-secret
+            defaultMode: 420
+        - name: aws-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  audience: 'sts.amazonaws.com'
+                  expirationSeconds: 3600
+                  path: aws-token
+            defaultMode: 420
+  {{- if .Values.persistence.enabled }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        {{- if .Values.persistence.storageClassName }}
+        storageClassName: {{ .Values.persistence.storageClassName }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size }}
+  {{- end }}