From 3551c576e142c29acae835fc5f3a34db2395816c Mon Sep 17 00:00:00 2001 From: Camila Macedo Date: Sun, 29 May 2022 09:09:28 +0100 Subject: [PATCH 1/2] Upgrade Kubebuilder dep from 3.4.1 to the commit 800fdeec6e5c 
Signed-off-by: Camila Macedo - For Golang/Ansible/Helm language-based operators (go/v3, ansible/v1 and helm/v1): applying restrictive SCC for all containers scaffolded by the tool (k8s versions < 1.19 will no longer work). - For Golang-based language (go/v2) fix the issue introduced by removing the GO111MODULE=on from Dockerfile. ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/2678)) - For Golang/Ansible/Helm language-based operators (go/v3, ansible/v1 and helm/v1), add a new comment with the option `leaderElectionReleaseOnCancel` ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/2596)) Only to get the changes from what we currently use in SDK from kubebuilder. - Ensure that scaffolds begin to be performed with a restrictive Security Context - Be able to do specific follow-up PRs so we can discuss properly how we will consume the new additions on Kubebuilder - Make easier the process to keep SDK updated; otherwise, it is hard to properly review if we wait to do a big PR with all. - Ensure that SDK features can work with the latest changes performed in Kubebuilder **Extra info** You can check the latest changes on Kubebuilder by looking: https://github.com/kubernetes-sigs/kubebuilder/compare/v3.4.1...master Note that SDK uses Kubebuilder as a LIB. So that all that is currently important is updated by default when we bump. However, all that was added to Kubebuilder but still not imported/used in SDK will not be added here. Therefore we can do follow-up PRs to get the additions. Why? We have significant changes and additions, for example adding the support for the phase 2 plugin, but if we try to do it all in the same PR it will be very hard to get properly reviewed. 
Co-authored-by: Varsha --- changelog/fragments/kb-800fdeec6e5c.yaml | 72 +++++++++++++++++++ go.mod | 6 +- go.sum | 27 +++---- .../operator-sdk/generate/bundle/bundle.go | 31 +++++++- ...cached-operator.clusterserviceversion.yaml | 10 +++ .../default/manager_auth_proxy_patch.yaml | 5 ++ .../config/manager/manager.yaml | 5 ++ testdata/go/v2/memcached-operator/Dockerfile | 2 +- ...cached-operator.clusterserviceversion.yaml | 10 +++ .../default/manager_auth_proxy_patch.yaml | 5 ++ .../config/manager/manager.yaml | 5 ++ testdata/go/v3/memcached-operator/main.go | 11 +++ ...cached-operator.clusterserviceversion.yaml | 10 +++ .../default/manager_auth_proxy_patch.yaml | 5 ++ .../config/manager/manager.yaml | 5 ++ 15 files changed, 184 insertions(+), 25 deletions(-) create mode 100644 changelog/fragments/kb-800fdeec6e5c.yaml diff --git a/changelog/fragments/kb-800fdeec6e5c.yaml b/changelog/fragments/kb-800fdeec6e5c.yaml new file mode 100644 index 0000000000..fd79cb4af2 --- /dev/null +++ b/changelog/fragments/kb-800fdeec6e5c.yaml 
@@ -0,0 +1,72 @@ +# entries is a list of entries to include in +# release notes and/or the migration guide +entries: + - description: > + For Golang/Ansible/Helm/HybridHelm language-based operators (go/v3, ansible/v1, helm/v1, hybrid.helm/v1-alpha): applying restrictive SCC for all containers scaffolded by the tool (will not work with k8s versions < 1.19). + ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/2700)). Important: You might be affected while updating Kubernetes to 1.25, Hence, ensure that the containers + used in your project are restrictive or defined with the property labels `pod-security.kubernetes.io` on clusters ([More info](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces)). Therefore, we suggest + that you begin to configure the projects according to the best practices. ([More info](https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)) + kind: "change" + + # Is this a breaking change? + breaking: false + migration: + header: For Golang/Ansible/Helm/HybridHelm language-based operators (go/v3, ansible/v1, helm/v1, hybrid.helm/v1-alpha) + body: | + Following the steps + 1) In `config/kdefault/manager_auth_proxy_patch.go` ensure the following security context: + + ```yaml + ... + spec: + containers: + - name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ... + ``` + + 2) In the `config/manager/manager.yaml` ensure the following security context: + + ```yaml + spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - command: + - /manager + image: controller:latest + name: manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ``` + 3) Run make bundle tagert to ensure that the above changes are also applied to + your bundles. 
+ - description: > + For Golang-based language (go/v2), fix issue introduced by removing the GO111MODULE=on from Dockerfile. ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/2678)) + + **IMPORTANT NOTE**: If you are using `go/v2` we highly recommend to upgrade your project to latest `go/v3` plugin (default operator-sdk scaffold). Please be aware that + `go/v2` is a plugin which was kept to ensure the backwards compatibility with old Kubebuilder + layout produced using its CLI versions < `3.0.0`. ([More info](https://book.kubebuilder.io/plugins/go-v2-plugin.html)) + Therefore, we are unable to upgrade this plugin continuously and solve tech-debts as it is + very likely that it would soon be deprecated by the Kubebuilder community. Note that projects built + with this plugin do not produce CRDs for example using v1 APIs so that cannot work on + Kubernetes cluster >= `1.22`). Please, ensure that you follow our migration guide + [Migrating from pre-v1.0.0 to latest](https://sdk.operatorframework.io/docs/building-operators/golang/migration/) + + kind: "bugfix" + breaking: false + - description: > + For Golang/Ansible/Helm/HybridHelm language-based operators (go/v3, ansible/v1, helm/v1, hybrid.helm/v1-alpha, add a new comment with the option `leaderElectionReleaseOnCancel` ((More info)[https://github.com/kubernetes-sigs/kubebuilder/pull/2596]) + kind: "addition" + - description: > + For HybridHelm based-language (hybrid.helm/v1-alpha), update its version from v0.0.10 to [v0.0.11-0.20220607145946-5b29693d1612](https://github.com/operator-framework/helm-operator-plugins/commit/5b29693d1612f87797e1e91e6cf1253842a5714e). [More info](https://github.com/operator-framework/helm-operator-plugins/compare/v0.0.8...5b29693d1612) + kind: "change" diff --git a/go.mod b/go.mod index c6c47132ba..5036588d30 100644 --- a/go.mod +++ b/go.mod 
@@ -14,8 +14,8 @@ require ( github.com/onsi/ginkgo v1.16.5 github.com/onsi/gomega v1.17.0 github.com/operator-framework/api v0.14.1-0.20220413143725-33310d6154f3 - github.com/operator-framework/helm-operator-plugins v0.0.10 - github.com/operator-framework/java-operator-plugins v0.3.0 + github.com/operator-framework/helm-operator-plugins v0.0.11-0.20220607145946-5b29693d1612 + github.com/operator-framework/java-operator-plugins v0.1.0 github.com/operator-framework/operator-lib v0.10.0 github.com/operator-framework/operator-manifest-tools v0.2.0 github.com/operator-framework/operator-registry v1.21.0 @@ -41,7 +41,7 @@ require ( k8s.io/kubectl v0.23.1 sigs.k8s.io/controller-runtime v0.11.2 sigs.k8s.io/controller-tools v0.8.0 - sigs.k8s.io/kubebuilder/v3 v3.4.1 + sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220528140651-800fdeec6e5c sigs.k8s.io/yaml v1.3.0 ) diff --git a/go.sum b/go.sum index 9efea1c395..a4316c0aad 100644 --- a/go.sum +++ b/go.sum @@ -744,7 +744,6 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO github.com/huandu/xstrings v1.3.1 h1:4jgBlKK6tLKFvO8u5pmYjG91cqytmDCDvGh7ECVFfFs= github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= -github.com/iancoleman/strcase v0.1.2/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE= github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
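Review bot: The first hunk downgrades github.com/operator-framework/java-operator-plugins from v0.3.0 to v0.1.0, and neither the commit message nor the changelog fragment says why. It looks like a consequence of pinning sigs.k8s.io/kubebuilder/v3 to the v3.0.0-alpha.0.0.20220528140651-800fdeec6e5c pseudo-version, which sorts below v3.4.1, so a Java plugin release that requires kubebuilder v3.4.x can no longer be selected (the go.sum hunk that adds the 2021 kubebuilder pseudo-version is consistent with that), but this is inferred from the versions alone. A dependency that goes back two minor versions in a commit titled as an upgrade deserves a sentence in the description and a check that nothing on the Java plugin path relies on v0.2/v0.3 behaviour; a `replace` directive for kubebuilder would avoid the downgrade if the pseudo-version is only a temporary pin.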
@@ -1022,10 +1021,10 @@ github.com/operator-framework/api v0.10.0/go.mod h1:tV0BUNvly7szq28ZPBXhjp1Sqg5y github.com/operator-framework/api v0.12.0/go.mod h1:FTiYGm11fZQ3cSX+EQHc/UWoGZAwkGfyeHU+wMJ8jmA= github.com/operator-framework/api v0.14.1-0.20220413143725-33310d6154f3 h1:su4h7uvJ+2xfvUDdSUxzsqtnlKqE5u0zmnUyj19x5PA= github.com/operator-framework/api v0.14.1-0.20220413143725-33310d6154f3/go.mod h1:r/erkmp9Kc1Al4dnxmRkJYc0uCtD5FohN9VuJ5nTxz0= -github.com/operator-framework/helm-operator-plugins v0.0.10 h1:27o8kDaLY9A3DKp2v6s+cAhebM0gXyfgYVc54x7Vtgc= -github.com/operator-framework/helm-operator-plugins v0.0.10/go.mod h1:5SNPtUyW8cUTZwV1Jgowq/dR9dy35XWPoktYQn2cADs= -github.com/operator-framework/java-operator-plugins v0.3.0 h1:K+gdg1cLugxP3KbGNc1SttKIY69z7ywBFaXW0vVIG9o= -github.com/operator-framework/java-operator-plugins v0.3.0/go.mod h1:38ZUfA6J5JQjPZLQJZKyXE3v+t91mpJ2utAtVCDQTY0= +github.com/operator-framework/helm-operator-plugins v0.0.11-0.20220607145946-5b29693d1612 h1:spWnkNizO0KAWafWq71DxileosPGPyXUcZ0ct/j5sv0= +github.com/operator-framework/helm-operator-plugins v0.0.11-0.20220607145946-5b29693d1612/go.mod h1:i+evTHPT0cCfyXGiFHL1vLScm5DY1Rk6vvcEVLtiwUU= +github.com/operator-framework/java-operator-plugins v0.1.0 h1:khkYsrkEG4m+wT+oPjZYmWXo8jd0QQ8E4agSrqrhPhU= +github.com/operator-framework/java-operator-plugins v0.1.0/go.mod h1:sGKGELFkUeRqElcyvyPC89bC76YnCL7MPMa13P0AQcw= github.com/operator-framework/operator-lib v0.3.0/go.mod h1:LTp5UQd8ivq4MXqm/W/XHulHQ0RRoZXsAj73sNMAQxc= github.com/operator-framework/operator-lib v0.10.0 h1:tTjrt8Udi0msABkMpgxKHp7sXKnC73jFPO5Col0tWso= github.com/operator-framework/operator-lib v0.10.0/go.mod h1:sdCls/olFjSHLXU0bHlaPtmyeIdentoxz/9miyw27kw= 
@@ -2024,7 +2023,6 @@ k8s.io/api v0.21.1/go.mod h1:FstGROTmsSHBarKc8bylzXih8BLNYTiS3TZcsoEDg2s= k8s.io/api v0.21.3/go.mod h1:hUgeYHUbBp23Ue4qdX9tR8/ANi/g3ehylAqDn9NWVOg= k8s.io/api v0.22.0/go.mod h1:0AoXXqst47OI/L0oGKq9DG61dvGRPXs7X4/B7KyjBCU= k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY= -k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8= k8s.io/api v0.23.0/go.mod h1:8wmDdLBHBNxtOIytwLstXt5E9PddnZb0GaMcqsvDBpg= k8s.io/api v0.23.1/go.mod h1:WfXnOnwSqNtG62Y1CdjoMxh7r7u9QXGCkA1u0na2jgo= k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA= @@ -2036,9 +2034,7 @@ k8s.io/apiextensions-apiserver v0.21.0/go.mod h1:gsQGNtGkc/YoDG9loKI0V+oLZM4ljRP k8s.io/apiextensions-apiserver v0.21.1/go.mod h1:KESQFCGjqVcVsZ9g0xX5bacMjyX5emuWcS2arzdEouA= k8s.io/apiextensions-apiserver v0.21.3/go.mod h1:kl6dap3Gd45+21Jnh6utCx8Z2xxLm8LGDkprcd+KbsE= k8s.io/apiextensions-apiserver v0.22.1/go.mod h1:HeGmorjtRmRLE+Q8dJu6AYRoZccvCMsghwS8XTUYb2c= -k8s.io/apiextensions-apiserver v0.22.2/go.mod h1:2E0Ve/isxNl7tWLSUDgi6+cmwHi5fQRdwGVCxbC+KFA= k8s.io/apiextensions-apiserver v0.23.0/go.mod h1:xIFAEEDlAZgpVBl/1VSjGDmLoXAWRG40+GsWhKhAxY4= -k8s.io/apiextensions-apiserver v0.23.1/go.mod h1:0qz4fPaHHsVhRApbtk3MGXNn2Q9M/cVWWhfHdY2SxiM= k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI= k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ= k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= 
@@ -2048,10 +2044,10 @@ k8s.io/apimachinery v0.19.4/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlm k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY= k8s.io/apimachinery v0.21.1/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY= +k8s.io/apimachinery v0.21.2/go.mod h1:CdTY8fU/BlvAbJ2z/8kBwimGki5Zp8/fbVuLY8gJumM= k8s.io/apimachinery v0.21.3/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI= k8s.io/apimachinery v0.22.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= -k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= k8s.io/apimachinery v0.23.0/go.mod h1:fFCTTBKvKcwTPFzjlcxp91uPFZr+JA0FubU4fLzzFYc= k8s.io/apimachinery v0.23.1/go.mod h1:SADt2Kl8/sttJ62RRsi9MIV4o8f5S3coArm0Iu3fBno= k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0= @@ -2063,9 +2059,7 @@ k8s.io/apiserver v0.21.0/go.mod h1:w2YSn4/WIwYuxG5zJmcqtRdtqgW/J2JRgFAqps3bBpg= k8s.io/apiserver v0.21.1/go.mod h1:nLLYZvMWn35glJ4/FZRhzLG/3MPxAaZTgV4FJZdr+tY= k8s.io/apiserver v0.21.3/go.mod h1:eDPWlZG6/cCCMj/JBcEpDoK+I+6i3r9GsChYBHSbAzU= k8s.io/apiserver v0.22.1/go.mod h1:2mcM6dzSt+XndzVQJX21Gx0/Klo7Aen7i0Ai6tIa400= -k8s.io/apiserver v0.22.2/go.mod h1:vrpMmbyjWrgdyOvZTSpsusQq5iigKNWv9o9KlDAbBHI= k8s.io/apiserver v0.23.0/go.mod h1:Cec35u/9zAepDPPFyT+UMrgqOCjgJ5qtfVJDxjZYmt4= -k8s.io/apiserver v0.23.1/go.mod h1:Bqt0gWbeM2NefS8CjWswwd2VNAKN6lUKR85Ft4gippY= k8s.io/apiserver v0.23.5 h1:2Ly8oUjz5cnZRn1YwYr+aFgDZzUmEVL9RscXbnIeDSE= k8s.io/apiserver v0.23.5/go.mod h1:7wvMtGJ42VRxzgVI7jkbKvMbuCbVbgsWFT7RyXiRNTw= k8s.io/cli-runtime v0.21.0/go.mod h1:XoaHP93mGPF37MkLbjGVYqg3S1MnsFdKtiA/RZzzxOo= 
@@ -2081,7 +2075,6 @@ k8s.io/client-go v0.21.1/go.mod h1:/kEw4RgW+3xnBGzvp9IWxKSNA+lXn3A7AuH3gdOAzLs= k8s.io/client-go v0.21.3/go.mod h1:+VPhCgTsaFmGILxR/7E1N0S+ryO010QBeNCv5JwRGYU= k8s.io/client-go v0.22.0/go.mod h1:GUjIuXR5PiEv/RVK5OODUsm6eZk7wtSWZSaSJbpFdGg= k8s.io/client-go v0.22.1/go.mod h1:BquC5A4UOo4qVDUtoc04/+Nxp1MeHcVc1HJm1KmG8kk= -k8s.io/client-go v0.22.2/go.mod h1:sAlhrkVDf50ZHx6z4K0S40wISNTarf1r800F+RlCF6U= k8s.io/client-go v0.23.0/go.mod h1:hrDnpnK1mSr65lHHcUuIZIXDgEbzc7/683c6hyG4jTA= k8s.io/client-go v0.23.1/go.mod h1:6QSI8fEuqD4zgFK0xbdwfB/PthBsIxCJMa3s17WlcO0= k8s.io/client-go v0.23.5 h1:zUXHmEuqx0RY4+CsnkOn5l0GU+skkRXKGJrhmE2SLd8= @@ -2094,7 +2087,6 @@ k8s.io/code-generator v0.21.1/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64uZCHD k8s.io/code-generator v0.21.3/go.mod h1:K3y0Bv9Cz2cOW2vXUrNZlFbflhuPvuadW6JdnN6gGKo= k8s.io/code-generator v0.22.0/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= -k8s.io/code-generator v0.22.2/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= k8s.io/code-generator v0.23.0/go.mod h1:vQvOhDXhuzqiVfM/YHp+dmg10WDZCchJVObc9MvowsE= k8s.io/code-generator v0.23.1/go.mod h1:V7yn6VNTCWW8GqodYCESVo95fuiEg713S8B7WacWZDA= k8s.io/code-generator v0.23.5/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= 
@@ -2107,7 +2099,6 @@ k8s.io/component-base v0.21.1/go.mod h1:NgzFZ2qu4m1juby4TnrmpR8adRk6ka62YdH5DkII k8s.io/component-base v0.21.3/go.mod h1:kkuhtfEHeZM6LkX0saqSK8PbdO7A0HigUngmhhrwfGQ= k8s.io/component-base v0.22.0/go.mod h1:SXj6Z+V6P6GsBhHZVbWCw9hFjUdUYnJerlhhPnYCBCg= k8s.io/component-base v0.22.1/go.mod h1:0D+Bl8rrnsPN9v0dyYvkqFfBeAd4u7n77ze+p8CMiPo= -k8s.io/component-base v0.22.2/go.mod h1:5Br2QhI9OTe79p+TzPe9JKNQYvEKbq9rTJDWllunGug= k8s.io/component-base v0.23.0/go.mod h1:DHH5uiFvLC1edCpvcTDV++NKULdYYU6pR9Tt3HIKMKI= k8s.io/component-base v0.23.1/go.mod h1:6llmap8QtJIXGDd4uIWJhAq0Op8AtQo6bDW2RrNMTeo= k8s.io/component-base v0.23.5 h1:8qgP5R6jG1BBSXmRYW+dsmitIrpk8F/fPEvgDenMCCE= @@ -2153,7 +2144,6 @@ k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/ k8s.io/utils v0.0.0-20210527160623-6fdb442a123b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed h1:ck1fRPWPJWsMd8ZRFsWc6mh/zHp5fZ/shhbrgPUxDAE= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= 
@@ -2177,15 +2167,14 @@ sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8 sigs.k8s.io/controller-tools v0.4.1/go.mod h1:G9rHdZMVlBDocIxGkK3jHLWqcTMNvveypYJwrvYKjWU= sigs.k8s.io/controller-tools v0.6.0/go.mod h1:baRMVPrctU77F+rfAuH2uPqW93k6yQnZA2dhUOr7ihc= sigs.k8s.io/controller-tools v0.6.2/go.mod h1:oaeGpjXn6+ZSEIQkUe/+3I40PNiDYp9aeawbt3xTgJ8= -sigs.k8s.io/controller-tools v0.7.0/go.mod h1:bpBAo0VcSDDLuWt47evLhMLPxRPxMDInTEH/YbdeMK0= sigs.k8s.io/controller-tools v0.8.0 h1:uUkfTGEwrguqYYfcI2RRGUnC8mYdCFDqfwPKUcNJh1o= sigs.k8s.io/controller-tools v0.8.0/go.mod h1:qE2DXhVOiEq5ijmINcFbqi9GZrrUjzB1TuJU0xa6eoY= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/kind v0.11.1/go.mod h1:fRpgVhtqAWrtLB9ED7zQahUimpUXuG/iHT88xYqEGIA= -sigs.k8s.io/kubebuilder/v3 v3.3.0/go.mod h1:573SPrO9ttCNPvXVuGQRCpjsEsFza/S+8Jo/b+a+wR0= -sigs.k8s.io/kubebuilder/v3 v3.4.1 h1:TrkJOD+mOlZla3i/c9OA/IMMWyKtvQ2Z8eKCq0ca/x8= -sigs.k8s.io/kubebuilder/v3 v3.4.1/go.mod h1:IIGxKjoHwVx+UGT34KL6O4wiXzZ656MOVBVfWAEIU6M= +sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20210702145813-742983631190/go.mod h1:pUhjQx9f/+cn1OtSa5zMohY1lgk9s/9Mbcvwj82lrNk= +sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220528140651-800fdeec6e5c h1:udhrfBSBchoMnU09zz9GBQJ22013gC42xt6iyZ5VSjw= +sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220528140651-800fdeec6e5c/go.mod h1:IIGxKjoHwVx+UGT34KL6O4wiXzZ656MOVBVfWAEIU6M= sigs.k8s.io/kustomize/api v0.8.5/go.mod h1:M377apnKT5ZHJS++6H4rQoCHmWtt6qTpp3mbe7p6OLY= sigs.k8s.io/kustomize/api v0.8.11/go.mod h1:a77Ls36JdfCWojpUqR6m60pdGY1AYFix4AH83nJtY1g= sigs.k8s.io/kustomize/api v0.10.1/go.mod h1:2FigT1QN6xKdcnGS2Ppp1uIWrtWN28Ms8A3OZUZhwr8= diff --git a/internal/cmd/operator-sdk/generate/bundle/bundle.go b/internal/cmd/operator-sdk/generate/bundle/bundle.go index 080b72dc5a..7bdb0b862e 100644 
--- a/internal/cmd/operator-sdk/generate/bundle/bundle.go
+++ b/internal/cmd/operator-sdk/generate/bundle/bundle.go
@@ -21,13 +21,14 @@ import (
 	"os"
 	"path/filepath"
 
+	kbutil "sigs.k8s.io/kubebuilder/v3/pkg/plugin/util"
+	"sigs.k8s.io/yaml"
+
 	"github.com/operator-framework/api/pkg/apis/scorecard/v1alpha3"
 	"github.com/operator-framework/operator-manifest-tools/pkg/image"
 	"github.com/operator-framework/operator-manifest-tools/pkg/imageresolver"
 	"github.com/operator-framework/operator-manifest-tools/pkg/pullspec"
 	"github.com/operator-framework/operator-registry/pkg/lib/bundle"
-	"sigs.k8s.io/yaml"
-
 	metricsannotations "github.com/operator-framework/operator-sdk/internal/annotations/metrics"
 	genutil "github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/generate/internal"
 	gencsv "github.com/operator-framework/operator-sdk/internal/generate/clusterserviceversion"
@@ -162,6 +163,11 @@ func (c bundleCmd) runManifests() (err error) {
 		c.outputDir = defaultRootDir
 	}
 
+	// The following code was added for we ensure that default
+	// option commented in the config/manager/controller_manager_config.yaml
+	// will not be used in the bundle.
+	c.removeDefaultCommentsFromControllerManager()
+
 	col := &collector.Manifests{}
 	switch {
 	case genutil.IsPipeReader():
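Review bot: In the import hunk the two sigs.k8s.io imports now sit in their own group above the github.com/operator-framework block, which is not the goimports order for external packages and will be reshuffled by the next `goimports` run. Unless the repository's linter is configured to treat sigs.k8s.io as a separate group, `kbutil "sigs.k8s.io/kubebuilder/v3/pkg/plugin/util"` and `"sigs.k8s.io/yaml"` belong at the end of the first third-party group, after the operator-registry line, with the extra blank line dropped.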
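Review bot: The call to `c.removeDefaultCommentsFromControllerManager()` added before `col := &collector.Manifests{}` rewrites config/manager/controller_manager_config.yaml under c.inputDir on disk, so `generate bundle`, otherwise a read-only command, now edits the user's project and the scaffolded sample comment is gone from the project after the first run; where inputDir is assigned is outside the hunk, but its default path suggests it is the project tree. If the goal is only to keep the sample out of the bundle, it would be safer to strip it from the collected manifest in memory rather than from the source file, or at least to log that the file was modified. The comment above the call also does not parse as English; suggested wording: `// Strip the commented-out leaderElectionReleaseOnCancel sample from` / `// config/manager/controller_manager_config.yaml so it is not copied into the bundle.`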
@@ -246,6 +252,27 @@ func (c bundleCmd) runManifests() (err error) {
 	return nil
 }
 
+// removeDefaultCommentsFromControllerManager will the remove the specific comment added by
+// default in the scaffolds in order to not set it on the bundles
+// note that the replace only should be made when the string and path are found
+// so that, we do not raise an issue here.
+func (c bundleCmd) removeDefaultCommentsFromControllerManager() {
+	const commentsControllerManager = `# leaderElectionReleaseOnCancel defines if the leader should step down volume
+# when the Manager ends. This requires the binary to immediately end when the
+# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+# speeds up voluntary leader transitions as the new leader don't have to wait
+# LeaseDuration time first.
+# In the default scaffold provided, the program ends immediately after
+# the manager stops, so would be fine to enable this option. However,
+# if you are doing or is intended to do any operation such as perform cleanups
+# after the manager stops then its usage might be unsafe.
+# leaderElectionReleaseOnCancel: true
+`
+
+	// if not found we will not raise an error
+	_ = kbutil.ReplaceInFile(filepath.Join(c.inputDir, "config/manager/controller_manager_config.yaml"), commentsControllerManager, "")
+}
+
 // writeScorecardConfig writes cfg to dir at the hard-coded config path 'config.yaml'.
 func writeScorecardConfig(dir string, cfg v1alpha3.Configuration) error {
 	// Skip writing if config is empty.
diff --git a/testdata/ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/testdata/ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
index a1e70e50a7..d1694c6a0e 100644
--- a/testdata/ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
+++ b/testdata/ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
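Review bot: `_ = kbutil.ReplaceInFile(...)` discards every error, not only the "string not found" case the comment above it intends to tolerate, so a permission error or a truncated write on the project file goes unnoticed. The exact-string match is also brittle (any whitespace difference in the scaffold defeats it, which the follow-up commit on this page already works around by adding a second constant), and `filepath.Join(c.inputDir, "config/manager/controller_manager_config.yaml")` hard-codes the slash instead of joining the components. The doc comment should read `// removeDefaultCommentsFromControllerManager removes the commented-out` / `// leaderElectionReleaseOnCancel sample that the scaffold puts in` / `// config/manager/controller_manager_config.yaml so it is not copied into the bundle.`. Below is a version that tolerates a missing file or an already-absent comment but reports real I/O errors to the caller (needs `strings` and `fmt` in scope; the call site in runManifests would then check the returned error).
```go
func (c bundleCmd) removeDefaultCommentsFromControllerManager() error {
	// … unchanged: commentsControllerManager constant …

	cfgPath := filepath.Join(c.inputDir, "config", "manager", "controller_manager_config.yaml")
	info, err := os.Stat(cfgPath)
	if os.IsNotExist(err) {
		return nil // no scaffolded config: nothing to strip
	}
	if err != nil {
		return fmt.Errorf("checking %s: %w", cfgPath, err)
	}
	b, err := os.ReadFile(cfgPath)
	if err != nil {
		return fmt.Errorf("reading %s: %w", cfgPath, err)
	}
	content := string(b)
	if !strings.Contains(content, commentsControllerManager) {
		return nil // sample comment already absent: not an error
	}
	content = strings.Replace(content, commentsControllerManager, "", 1)
	if err := os.WriteFile(cfgPath, []byte(content), info.Mode().Perm()); err != nil {
		return fmt.Errorf("writing %s: %w", cfgPath, err)
	}
	return nil
}
```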
@@ -127,6 +127,11 @@ spec: requests: cpu: 5m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - args: - --health-probe-bind-address=:6789 - --metrics-bind-address=127.0.0.1:8080 @@ -158,8 +163,13 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: memcached-operator-controller-manager terminationGracePeriodSeconds: 10 permissions: diff --git a/testdata/ansible/memcached-operator/config/default/manager_auth_proxy_patch.yaml b/testdata/ansible/memcached-operator/config/default/manager_auth_proxy_patch.yaml index b863f6d2ab..2278a321cf 100644 --- a/testdata/ansible/memcached-operator/config/default/manager_auth_proxy_patch.yaml +++ b/testdata/ansible/memcached-operator/config/default/manager_auth_proxy_patch.yaml @@ -10,6 +10,11 @@ spec: spec: containers: - name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" diff --git a/testdata/ansible/memcached-operator/config/manager/manager.yaml b/testdata/ansible/memcached-operator/config/manager/manager.yaml index cca6f91556..07cb837903 100644 --- a/testdata/ansible/memcached-operator/config/manager/manager.yaml +++ b/testdata/ansible/memcached-operator/config/manager/manager.yaml @@ -26,6 +26,8 @@ spec: spec: securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - args: - --leader-elect @@ -37,6 +39,9 @@ spec: value: explicit securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL livenessProbe: httpGet: path: /healthz diff --git a/testdata/go/v2/memcached-operator/Dockerfile b/testdata/go/v2/memcached-operator/Dockerfile index f23bcb9d31..74eb9d7412 100644 --- a/testdata/go/v2/memcached-operator/Dockerfile 
+++ b/testdata/go/v2/memcached-operator/Dockerfile @@ -15,7 +15,7 @@ COPY api/ api/ COPY controllers/ controllers/ # Build -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details diff --git a/testdata/go/v3/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/testdata/go/v3/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml index 9a90848157..89d1875646 100644 --- a/testdata/go/v3/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml +++ b/testdata/go/v3/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml @@ -144,6 +144,11 @@ spec: requests: cpu: 5m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 @@ -177,8 +182,13 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: memcached-operator-controller-manager terminationGracePeriodSeconds: 10 permissions: diff --git a/testdata/go/v3/memcached-operator/config/default/manager_auth_proxy_patch.yaml b/testdata/go/v3/memcached-operator/config/default/manager_auth_proxy_patch.yaml index 131a314292..70f24a0b4e 100644 --- a/testdata/go/v3/memcached-operator/config/default/manager_auth_proxy_patch.yaml +++ b/testdata/go/v3/memcached-operator/config/default/manager_auth_proxy_patch.yaml 
@@ -10,6 +10,11 @@ spec: spec: containers: - name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" diff --git a/testdata/go/v3/memcached-operator/config/manager/manager.yaml b/testdata/go/v3/memcached-operator/config/manager/manager.yaml index cf11cecc26..d857a2f90f 100644 --- a/testdata/go/v3/memcached-operator/config/manager/manager.yaml +++ b/testdata/go/v3/memcached-operator/config/manager/manager.yaml @@ -26,6 +26,8 @@ spec: spec: securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - command: - /manager @@ -35,6 +37,9 @@ spec: name: manager securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL livenessProbe: httpGet: path: /healthz diff --git a/testdata/go/v3/memcached-operator/main.go b/testdata/go/v3/memcached-operator/main.go index 62ac1de98c..a93d317d79 100644 --- a/testdata/go/v3/memcached-operator/main.go +++ b/testdata/go/v3/memcached-operator/main.go 
@@ -72,6 +72,17 @@ func main() { HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "86f835c3.example.com", + // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily + // when the Manager ends. This requires the binary to immediately end when the + // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly + // speeds up voluntary leader transitions as the new leader don't have to wait + // LeaseDuration time first. + // + // In the default scaffold provided, the program ends immediately after + // the manager stops, so would be fine to enable this option. However, + // if you are doing or is intended to do any operation such as perform cleanups + // after the manager stops then its usage might be unsafe. + // LeaderElectionReleaseOnCancel: true, }) if err != nil { setupLog.Error(err, "unable to start manager") diff --git a/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml index 6dd458c80c..e68c2b52c7 100644 --- a/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml +++ b/testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml @@ -215,6 +215,11 @@ spec: requests: cpu: 5m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 @@ -243,8 +248,13 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: memcached-operator-controller-manager terminationGracePeriodSeconds: 10 permissions: 
diff --git a/testdata/helm/memcached-operator/config/default/manager_auth_proxy_patch.yaml b/testdata/helm/memcached-operator/config/default/manager_auth_proxy_patch.yaml index 5c1e9f887e..c4cb41bb56 100644 --- a/testdata/helm/memcached-operator/config/default/manager_auth_proxy_patch.yaml +++ b/testdata/helm/memcached-operator/config/default/manager_auth_proxy_patch.yaml @@ -10,6 +10,11 @@ spec: spec: containers: - name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" diff --git a/testdata/helm/memcached-operator/config/manager/manager.yaml b/testdata/helm/memcached-operator/config/manager/manager.yaml index abcc1e0efd..3a3c77d942 100644 --- a/testdata/helm/memcached-operator/config/manager/manager.yaml +++ b/testdata/helm/memcached-operator/config/manager/manager.yaml @@ -26,6 +26,8 @@ spec: spec: securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - args: - --leader-elect @@ -34,6 +36,9 @@ spec: name: manager securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL livenessProbe: httpGet: path: /healthz From ec65ba100aa11f90d557a25faf97210e21ac59e5 Mon Sep 17 00:00:00 2001 From: Camila Macedo Date: Wed, 8 Jun 2022 11:28:27 +0100 Subject: [PATCH 2/2] trying to fix ansible lint --- .../operator-sdk/generate/bundle/bundle.go | 19 ++++++++++++ internal/plugins/ansible/v1/init.go | 31 +++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/internal/cmd/operator-sdk/generate/bundle/bundle.go b/internal/cmd/operator-sdk/generate/bundle/bundle.go index 7bdb0b862e..4da2ac2b81 100644 --- a/internal/cmd/operator-sdk/generate/bundle/bundle.go +++ b/internal/cmd/operator-sdk/generate/bundle/bundle.go 
@@ -271,6 +271,25 @@ func (c bundleCmd) removeDefaultCommentsFromControllerManager() {
 
 	// if not found we will not raise an error
 	_ = kbutil.ReplaceInFile(filepath.Join(c.inputDir, "config/manager/controller_manager_config.yaml"), commentsControllerManager, "")
+
+	//todo: remove the space on Kubebuilder project so that we can remove the following replace
+	//it is required because of the molecule issues, see: https://github.com/operator-framework/operator-sdk/issues/5838
+
+	const commentManagerUpdate = `# leaderElectionReleaseOnCancel defines if the leader should step down volume
+# when the Manager ends. This requires the binary to immediately end when the
+# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+# speeds up voluntary leader transitions as the new leader don't have to wait
+# LeaseDuration time first.
+# In the default scaffold provided, the program ends immediately after
+# the manager stops, so would be fine to enable this option. However,
+# if you are doing or is intended to do any operation such as perform cleanups
+# after the manager stops then its usage might be unsafe.
+# leaderElectionReleaseOnCancel: true
+`
+
+	// if not found we will not raise an error
+	_ = kbutil.ReplaceInFile(filepath.Join(c.inputDir, "config/manager/controller_manager_config.yaml"), commentManagerUpdate, "")
+
 }
 
 // writeScorecardConfig writes cfg to dir at the hard-coded config path 'config.yaml'.
diff --git a/internal/plugins/ansible/v1/init.go b/internal/plugins/ansible/v1/init.go
index 20929a2b60..d0a408eca7 100644
--- a/internal/plugins/ansible/v1/init.go
+++ b/internal/plugins/ansible/v1/init.go
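Review bot: As rendered here, `commentManagerUpdate` is byte-for-byte the same text as `commentsControllerManager` earlier in the function (both even keep the "step down volume" wording), so the second `kbutil.ReplaceInFile` call is a no-op after the first one has run; if the intended difference is trailing whitespace, as the TODO about "the space on Kubebuilder project" suggests, it is invisible in this view and too fragile to encode as a literal either way. A single pattern that matches the sample block regardless of trailing blanks, a package-level `regexp.MustCompile` applied to the file contents or `kbutil.ReplaceRegexInFile` if the vendored helper offers it, would cover both variants and let the TODO be closed. Smaller points: Go style is `// TODO(owner): …` with a space after the slashes, and the empty line left before the closing `}` should go. The function's opening lines are outside this hunk.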
@@ -243,5 +243,36 @@ func addInitCustomizations(projectName string) error {
 		return fmt.Errorf("error updating kustomization.yaml files: %v", err)
 	}
 
+	//todo: remove the space on Kubebuilder project so that we can remove the following replace
+	//it is required because of the molecule issues, see: https://github.com/operator-framework/operator-sdk/issues/5838
+
+	const commentManager = `# leaderElectionReleaseOnCancel defines if the leader should step down volume
+# when the Manager ends. This requires the binary to immediately end when the
+# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+# speeds up voluntary leader transitions as the new leader don't have to wait
+# LeaseDuration time first.
+# In the default scaffold provided, the program ends immediately after
+# the manager stops, so would be fine to enable this option. However,
+# if you are doing or is intended to do any operation such as perform cleanups
+# after the manager stops then its usage might be unsafe.
+# leaderElectionReleaseOnCancel: true`
+
+	const commentManagerUpdate = `# leaderElectionReleaseOnCancel defines if the leader should step down volume
+# when the Manager ends. This requires the binary to immediately end when the
+# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+# speeds up voluntary leader transitions as the new leader don't have to wait
+# LeaseDuration time first.
+# In the default scaffold provided, the program ends immediately after
+# the manager stops, so would be fine to enable this option. However,
+# if you are doing or is intended to do any operation such as perform cleanups
+# after the manager stops then its usage might be unsafe.
+# leaderElectionReleaseOnCancel: true`
+
+	controllerManagerFile := filepath.Join("config", "manager", "controller_manager_config.yaml")
+
+	err = util.ReplaceInFile(controllerManagerFile, commentManager, commentManagerUpdate)
+	if err != nil {
+		return err
+	}
 	return nil
 }
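Review bot: `commentManager` and `commentManagerUpdate` are identical as shown, so `util.ReplaceInFile(controllerManagerFile, commentManager, commentManagerUpdate)` rewrites the file with the same text; if the difference is whitespace it is invisible here and will break silently the next time the Kubebuilder scaffold is touched. Unlike bundle.go in this same series, this site returns the error, so a scaffold where the comment is absent would make `init` fail if ReplaceInFile reports a missing match as an error, as the "if not found we will not raise an error" comment in bundle.go implies; decide deliberately whether that is wanted. The bare `return err` also drops the context the previous check adds; keep the function's style with `return fmt.Errorf("error updating controller_manager_config.yaml: %v", err)`, and write the TODO as `// TODO(owner): …`. The start of addInitCustomizations is outside the hunk.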