diff --git a/.ci-operator.yaml b/.ci-operator.yaml
index 0372be15..22d2bf05 100644
--- a/.ci-operator.yaml
+++ b/.ci-operator.yaml
@@ -1,4 +1,4 @@
 build_root_image:
 name: boilerplate
 namespace: openshift
- tag: image-v2.2.0
+ tag: image-v2.3.2
diff --git a/boilerplate/_data/backing-image-tag b/boilerplate/_data/backing-image-tag
index 27dee2a7..bb65150a 100644
--- a/boilerplate/_data/backing-image-tag
+++ b/boilerplate/_data/backing-image-tag
@@ -1 +1 @@
-image-v2.2.0
+image-v2.3.2
diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit
index edcef473..0af56dc3 100644
--- a/boilerplate/_data/last-boilerplate-commit
+++ b/boilerplate/_data/last-boilerplate-commit
@@ -1 +1 @@
-2a6a579ee07b3df9809fe696606f1138154b4e04
+1e947d2b7daee575dbc0283c647b9945a8081c8f
diff --git a/boilerplate/openshift/golang-osd-operator/README.md b/boilerplate/openshift/golang-osd-operator/README.md
index ef72320d..4b41791e 100644
--- a/boilerplate/openshift/golang-osd-operator/README.md
+++ b/boilerplate/openshift/golang-osd-operator/README.md
@@ -104,3 +104,22 @@ Checks consist of:
 * `openapi-gen`. This is a no-op if your operator has no APIs.
 * `go generate`. This is a no-op if you have no `//go:generate` directives in your code.
+
+## FIPS (Federal Information Processing Standards)
+
+To enable FIPS in your build there is a `make ensure-fips` target.
+
+Add `FIPS_ENABLED=true` to your repos Makefile. Please ensure that this variable is added **before** including boilerplate Makefiles.
+
+e.g.
+```.mk
+FIPS_ENABLED=true
+
+include boilerplate/generated-includes.mk
+```
+
+`ensure-fips` will add a [fips.go](./fips.go) file in the same directory as the `main.go` file. (Please commit this file as normal)
+
+`fips.go` will import the necessary packages to restrict all TLS configuration to FIPS-approved settings.
+
+With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build`
diff --git a/boilerplate/openshift/golang-osd-operator/configure-fips.sh b/boilerplate/openshift/golang-osd-operator/configure-fips.sh
new file mode 100755
index 00000000..199998a2
--- /dev/null
+++ b/boilerplate/openshift/golang-osd-operator/configure-fips.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -e
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+CONVENTION_DIR="$REPO_ROOT/boilerplate/openshift/golang-osd-operator"
+PRE_V1_SDK_MANAGER_DIR="$REPO_ROOT/cmd/manager"
+
+if [[ -d "$PRE_V1_SDK_MANAGER_DIR" ]]
+then
+ MAIN_DIR=$PRE_V1_SDK_MANAGER_DIR
+else
+ MAIN_DIR=$REPO_ROOT
+fi
+
+echo "Writing fips file at $MAIN_DIR/fips.go"
+
+cp $CONVENTION_DIR/fips.go "$MAIN_DIR/fips.go"
\ No newline at end of file
diff --git a/boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh b/boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh
index b1c715ca..f712bf58 100755
--- a/boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh
+++ b/boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh
@@ -65,6 +65,9 @@ EOF
 cat < $DOCKERFILE_REGISTRY
 FROM quay.io/openshift/origin-operator-registry:4.8.0
 COPY $SAAS_OPERATOR_DIR manifests
+USER 0
+RUN pip3 install urllib3==1.26.9 pip==21.3.1
+USER 1001
 RUN initializer --permissive
 CMD ["registry-server", "-t", "/tmp/terminate.log"]
 EOF
diff --git a/boilerplate/openshift/golang-osd-operator/fips.go b/boilerplate/openshift/golang-osd-operator/fips.go
new file mode 100644
index 00000000..bc0d4547
--- /dev/null
+++ b/boilerplate/openshift/golang-osd-operator/fips.go
@@ -0,0 +1,15 @@
+// +build fips_enabled
+
+// BOILERPLATE GENERATED -- DO NOT EDIT
+// Run 'make ensure-fips' to regenerate
+
+package main
+
+import (
+ _ "crypto/tls/fipsonly"
+ "fmt"
+)
+
+func init() {
+ fmt.Println("***** Starting with FIPS crypto enabled *****")
+}
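Review bot: The old/new SDK layout is detected differently here than in standard.mk: this script keys on the existence of `cmd/manager`, while standard.mk's `USE_OLD_SDK` keys on the existence of `./api`, so a checkout where the two heuristics disagree gets `fips.go` written to a directory other than the one `MAINPACKAGE` builds, and the build tag then has no effect. Deriving the destination from the Makefile's own variable, e.g. invoking the script as `configure-fips.sh $(dir $(MAINPACKAGE))` and using `MAIN_DIR="${1:-$REPO_ROOT}"`, keeps the two in lockstep. On the last line `$CONVENTION_DIR/fips.go` is the only unquoted path expansion in the file; `cp "$CONVENTION_DIR/fips.go" "$MAIN_DIR/fips.go"` matches the rest and is safe for checkouts under paths containing spaces. The file also ends without a trailing newline.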
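Review bot: The added `RUN pip3 install urllib3==1.26.9 pip==21.3.1` in the generated registry Dockerfile has no comment saying why these two packages are being replaced in a third-party base image, so whoever next bumps `origin-operator-registry` cannot tell whether the line is still needed; a one-line comment above `USER 0` naming the reason (the issue or advisory being addressed, filled in by the author) would carry that context. Version pins alone fetch whatever the index serves for that version at build time; if reproducibility of the registry image matters, a hashed requirements file with `pip3 install --require-hashes -r …` pins content rather than just version. Switching back with `USER 1001` after the install correctly restores the unprivileged runtime user.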
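Review bot: The generated file carries only the legacy `// +build fips_enabled` constraint; Go 1.17 and later expect the `//go:build fips_enabled` form alongside it, and `gofmt -l` reports a file that has the old form without the new one as needing reformatting, which would trip any lint step that runs it over the consumer's tree. Emit both lines, `//go:build fips_enabled` directly followed by `// +build fips_enabled`. The `_ "crypto/tls/fipsonly"` import only resolves on a FIPS-capable toolchain (BoringCrypto-based builds such as Red Hat's go-toolset), so compiling with `-tags=fips_enabled` elsewhere fails loudly — the right outcome, but worth stating in the header so the failure is understood: `// Requires a FIPS-capable Go toolchain; crypto/tls/fipsonly is not part of upstream Go.`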
diff --git a/boilerplate/openshift/golang-osd-operator/standard.mk b/boilerplate/openshift/golang-osd-operator/standard.mk
index 155782cd..9da26601 100644
--- a/boilerplate/openshift/golang-osd-operator/standard.mk
+++ b/boilerplate/openshift/golang-osd-operator/standard.mk
@@ -46,6 +46,9 @@ OPERATOR_IMAGE_URI=${IMG}
 OPERATOR_IMAGE_URI_LATEST=$(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/$(IMAGE_NAME):latest
 OPERATOR_DOCKERFILE ?=build/Dockerfile
 REGISTRY_IMAGE=$(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/$(IMAGE_NAME)-registry
+#The api dir that latest osdk generated
+NEW_API_DIR=./api
+USE_OLD_SDK=$(shell if [[ -d "$(NEW_API_DIR)" ]];then echo FALSE;else echo TRUE;fi)
 # Consumer can optionally define ADDITIONAL_IMAGE_SPECS like:
 # define ADDITIONAL_IMAGE_SPECS
@@ -67,7 +70,12 @@ REGISTRY_USER ?=
 REGISTRY_TOKEN ?=
 BINFILE=build/_output/bin/$(OPERATOR_NAME)
-MAINPACKAGE ?= ./cmd/manager
+MAINPACKAGE = ./main.go
+API_DIR = $(NEW_API_DIR)
+ifeq ($(USE_OLD_SDK), TRUE)
+MAINPACKAGE = ./cmd/manager
+API_DIR = ./pkg/apis
+endif
 GOOS?=$(shell go env GOOS)
 GOARCH?=$(shell go env GOARCH)
@@ -75,7 +83,20 @@ GOARCH?=$(shell go env GOARCH)
 # Consumers may override GOFLAGS_MOD e.g. to use `-mod=vendor`
 unexport GOFLAGS
 GOFLAGS_MOD ?=
-GOENV=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=0 GOFLAGS=${GOFLAGS_MOD}
+
+# In openshift ci (Prow), we need to set $HOME to a writable directory else tests will fail
+# because they don't have permissions to create /.local or /.cache directories
+# as $HOME is set to "/" by default.
+ifeq ($(HOME),/)
+export HOME=/tmp/home
+endif
+
+ifeq (${FIPS_ENABLED}, true)
+GOFLAGS_MOD+=-tags=fips_enabled
+GOFLAGS_MOD:=$(strip ${GOFLAGS_MOD})
+endif
+
+GOENV=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=0 GOFLAGS="${GOFLAGS_MOD}"
 GOBUILDFLAGS=-gcflags="all=-trimpath=${GOPATH}" -asmflags="all=-trimpath=${GOPATH}"
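Review bot: `USE_OLD_SDK=$(shell if [[ -d "$(NEW_API_DIR)" ]];…)` combines recursive `=` with `$(shell)`, so a shell is forked on every expansion, and `[[` is a bashism that here runs under make's default `/bin/sh`: the `SHELL = /usr/bin/env bash` assignment appears much later in this file, after the `ifeq ($(USE_OLD_SDK), TRUE)` blocks that expand it, so the test only works where `/bin/sh` happens to be bash. `USE_OLD_SDK := $(if $(wildcard $(NEW_API_DIR)/.),FALSE,TRUE)` needs no shell and evaluates once. A comment such as `# TRUE selects the pre-v1 operator-sdk layout (cmd/manager, pkg/apis)` would also help readers of the several later `ifeq` blocks keyed on it.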
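Review bot: `MAINPACKAGE ?= ./cmd/manager` becomes `MAINPACKAGE = ./main.go`, which drops the consumer override that the previous `?=` provided: a repository that sets `MAINPACKAGE` in its own Makefile before including boilerplate now has it silently replaced, and the new `API_DIR` has no override path at all. Keeping `?=` on both variables in both branches preserves the old contract while still defaulting by detected SDK layout.
```make
ifeq ($(USE_OLD_SDK), TRUE)
MAINPACKAGE ?= ./cmd/manager
API_DIR ?= ./pkg/apis
else
MAINPACKAGE ?= ./main.go
API_DIR ?= $(NEW_API_DIR)
endif
```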
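Review bot: `ifeq (${FIPS_ENABLED}, true)` is an exact, case-sensitive match, so `FIPS_ENABLED=True`, `yes` or `1` silently yields a binary built without the `fips_enabled` tag and no diagnostic — for a switch that decides which crypto the operator ships with, a mistyped value should fail the build rather than be ignored. Rejecting anything other than an explicit true/false is three lines placed before this block: `ifneq ($(filter-out true false,$(FIPS_ENABLED)),)` / `$(error FIPS_ENABLED must be 'true' or 'false', got '$(FIPS_ENABLED)')` / `endif`. The same exact-match test is repeated before `go-build` in a later hunk of this file; a single validation here covers both. Quoting `GOFLAGS="${GOFLAGS_MOD}"` is the right change now that the variable can hold more than one word.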
@@ -153,11 +174,40 @@ go-generate:
 ${GOENV} go generate $(TESTTARGETS)
 # Don't forget to commit generated files
+# go-get-tool will 'go install' any package $2 and install it to $1.
+define go-get-tool
+@{ \
+set -e ;\
+TMP_DIR=$$(mktemp -d) ;\
+cd $$TMP_DIR ;\
+go mod init tmp ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(shell dirname $(1)) go install $(2) ;\
+echo "Installed in $(1)" ;\
+rm -rf $$TMP_DIR ;\
+}
+endef
+
+# Deciding on the binary versions
+CONTROLLER_GEN_VERSION = v0.8.0
+CONTROLLER_GEN = controller-gen-$(CONTROLLER_GEN_VERSION)
+
+OPENAPI_GEN_VERSION = v0.23.0
+OPENAPI_GEN = openapi-gen-$(OPENAPI_GEN_VERSION)
+
+ifeq ($(USE_OLD_SDK), TRUE)
+#If we are using the old osdk, we use the default controller-gen and openapi-gen versions.
+# Default version is 0.3.0 for now.
+CONTROLLER_GEN = controller-gen
+# Default version is 0.19.4 for now.
+OPENAPI_GEN = openapi-gen
+endif
+
+
 .PHONY: op-generate
 op-generate:
- # The artist formerly known as `operator-sdk generate crds`:
+ cd $(API_DIR); $(CONTROLLER_GEN) crd paths=./... output:dir=$(PWD)/deploy/crds
 ifeq ($(CRD_VERSION), v1beta1)
- cd pkg/apis; controller-gen crd paths=./... output:dir=../../deploy/crds
 # HACK: Due to an OLM bug in 3.11, we need to remove the
 # spec.validation.openAPIV3Schema.type from CRDs. Remove once
 # 3.11 is no longer supported.
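Review bot: The new unconditional `cd $(API_DIR); $(CONTROLLER_GEN) crd paths=./... output:dir=$(PWD)/deploy/crds` no longer passes `crd:crdVersions=v1`, which the removed `else` branch in the next hunk did, so the CRD API version now follows controller-gen's built-in default instead of `CRD_VERSION`; that default appears to differ between the old-SDK `controller-gen` and v0.8.0, so either an old-SDK repo with `CRD_VERSION=v1` or a new-SDK repo with `CRD_VERSION=v1beta1` will get CRDs of the wrong version. Passing the version through, and refusing to run from the repo root when the `cd` fails, is one line: `cd $(API_DIR) && $(CONTROLLER_GEN) crd:crdVersions=$(CRD_VERSION) paths=./... output:dir=$(CURDIR)/deploy/crds` (`$(CURDIR)` is make's own working directory; `$(PWD)` is inherited from the environment and may be absent or stale). The `;` versus `&&` point applies equally to the `object` invocation in the next hunk. `go-get-tool` is defined here but not called in any hunk on this page; if nothing outside the diff uses it, it is dead code. The op-generate recipe continues into the next hunk.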
@@ -170,36 +220,55 @@ ifeq ($(CRD_VERSION), v1beta1)
 find deploy/crds -name '*.yaml' | xargs -n1 -I{} yq d -i {} 'spec.**.x-kubernetes-list-type'
 find deploy/crds -name '*.yaml' | xargs -n1 -I{} yq d -i {} 'spec.**.x-kubernetes-map-type'
 find deploy/crds -name '*.yaml' | xargs -n1 -I{} yq d -i {} 'spec.**.x-kubernetes-struct-type'
-else
- cd pkg/apis; controller-gen crd:crdVersions=v1 paths=./... output:dir=../../deploy/crds
 endif
- # The artist formerly known as `operator-sdk generate k8s`:
- cd pkg/apis; controller-gen object paths=./...
- # Don't forget to commit generated files
+ cd $(API_DIR); $(CONTROLLER_GEN) object paths=./...
+
+API_DIR_MIN_DEPTH = 1
+ifeq ($(USE_OLD_SDK), TRUE)
+API_DIR_MIN_DEPTH = 2
+endif
 .PHONY: openapi-generate
 openapi-generate:
- find ./pkg/apis/ -maxdepth 2 -mindepth 2 -type d | xargs -t -n1 -I% \
- openapi-gen --logtostderr=true \
+ find $(API_DIR) -maxdepth 2 -mindepth $(API_DIR_MIN_DEPTH) -type d | xargs -t -I% \
+ $(OPENAPI_GEN) --logtostderr=true \
 -i % \
 -o "" \
 -O zz_generated.openapi \
 -p % \
 -h /dev/null \
 -r "-"
-
+
 .PHONY: generate
 generate: op-generate go-generate openapi-generate
+ifeq (${FIPS_ENABLED}, true)
+go-build: ensure-fips
+endif
+
 .PHONY: go-build
 go-build: ## Build binary
 # Force GOOS=linux as we may want to build containers in other *nix-like systems (ie darwin).
 # This is temporary until a better container build method is developed
 ${GOENV} GOOS=linux go build ${GOBUILDFLAGS} -o ${BINFILE} ${MAINPACKAGE}
+# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
+ENVTEST_K8S_VERSION = 1.23
+SETUP_ENVTEST = setup-envtest
+
+.PHONY: setup-envtest
+setup-envtest:
+ $(eval KUBEBUILDER_ASSETS := "$(shell $(SETUP_ENVTEST) use $(ENVTEST_K8S_VERSION) -p path --bin-dir /tmp/envtest/bin)")
+
+# Setting SHELL to bash allows bash commands to be executed by recipes.
+# This is a requirement for 'setup-envtest.sh' in the test target.
+# Options are set to exit when a recipe line exits non-zero or a piped command fails.
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+
 .PHONY: go-test
-go-test:
- ${GOENV} go test $(TESTOPTS) $(TESTTARGETS)
+go-test: setup-envtest
+ KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test $(TESTOPTS) $(TESTTARGETS)
 .PHONY: python-venv
 python-venv:
@@ -272,3 +341,7 @@ opm-build-push: docker-push
 OPERATOR_IMAGE_TAG="${OPERATOR_IMAGE_TAG}" \
 OLM_CHANNEL="${OLM_CHANNEL}" \
 ${CONVENTION_DIR}/build-opm-catalog.sh
+
+.PHONY: ensure-fips
+ensure-fips:
+ ${CONVENTION_DIR}/configure-fips.sh
diff --git a/boilerplate/openshift/golang-osd-operator/update b/boilerplate/openshift/golang-osd-operator/update
index 5db57dd9..bed4cc8d 100755
--- a/boilerplate/openshift/golang-osd-operator/update
+++ b/boilerplate/openshift/golang-osd-operator/update
@@ -14,8 +14,9 @@ echo "Copying .codecov.yml to your repository root."
 cp ${HERE}/.codecov.yml $REPO_ROOT
 # TODO: boilerplate more of Dockerfile
-echo "Overwriting build/Dockerfile's initial FROM with $IMAGE_PULL_PATH"
-${SED?} -i "1s,.*,FROM $IMAGE_PULL_PATH AS builder," build/Dockerfile
+DOCKERFILE=build/Dockerfile
+echo "Overwriting $DOCKERFILE's initial FROM with $IMAGE_PULL_PATH"
+${SED?} -i "1s,.*,FROM $IMAGE_PULL_PATH AS builder," $DOCKERFILE
 echo "Writing .ci-operator.yaml in your repository root with:"
 echo " namespace: $IMAGE_NAMESPACE"
diff --git a/build/Dockerfile b/build/Dockerfile
index 7df1ecd5..ce4fd84f 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/app-sre/boilerplate:image-v2.2.0 AS builder
+FROM quay.io/app-sre/boilerplate:image-v2.3.2 AS builder
 RUN mkdir -p /workdir
 WORKDIR /workdir
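Review bot: The rewritten go-test recipe `KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test $(TESTOPTS) $(TESTTARGETS)` drops the `${GOENV}` prefix the removed line had, so tests are now compiled without `GOFLAGS="${GOFLAGS_MOD}"` and `CGO_ENABLED=0`: with `FIPS_ENABLED=true` the test binaries are built without `-tags=fips_enabled` and therefore without the `fips.go` / `crypto/tls/fipsonly` behaviour the shipped binary has, and a consumer's `-mod=vendor` is ignored as well. `${GOENV} KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test $(TESTOPTS) $(TESTTARGETS)` restores the previous environment. Separately, `setup-envtest`'s `$(eval KUBEBUILDER_ASSETS := "$(shell …)")` assigns an empty quoted string when the `setup-envtest` binary is missing or fails, and the failure only surfaces later as an opaque envtest start-up error; a first recipe line such as `test -n $(KUBEBUILDER_ASSETS) || { echo "setup-envtest produced no asset path" >&2; exit 1; }` makes the cause visible. This hunk begins on the previous physical line.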