Boilerplate: Update to 1e947d2b7daee575dbc0283c647b9945a8081c8f

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: boilerplate
   namespace: openshift
-  tag: image-v2.2.0
+  tag: image-v2.3.2

boilerplate/_data/backing-image-tag

@@ -1 +1 @@
-image-v2.2.0
+image-v2.3.2

boilerplate/_data/last-boilerplate-commit

@@ -1 +1 @@
-2a6a579ee07b3df9809fe696606f1138154b4e04
+1e947d2b7daee575dbc0283c647b9945a8081c8f

boilerplate/openshift/golang-osd-operator/README.md

@@ -104,3 +104,22 @@ Checks consist of:
 * `openapi-gen`. This is a no-op if your operator has no APIs.
 * `go generate`. This is a no-op if you have no `//go:generate`
   directives in your code.
+
+## FIPS (Federal Information Processing Standards)
+
+To enable FIPS in your build there is a `make ensure-fips` target.
+
+Add `FIPS_ENABLED=true` to your repos Makefile. Please ensure that this variable is added **before** including boilerplate Makefiles.
+
+e.g.
+```.mk
+FIPS_ENABLED=true
+
+include boilerplate/generated-includes.mk
+```
+
+`ensure-fips` will add a [fips.go](./fips.go) file in the same directory as the `main.go` file. (Please commit this file as normal)
+
+`fips.go` will import the necessary packages to restrict all TLS configuration to FIPS-approved settings.
+
+With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build`

boilerplate/openshift/golang-osd-operator/configure-fips.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -e
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+CONVENTION_DIR="$REPO_ROOT/boilerplate/openshift/golang-osd-operator"
+PRE_V1_SDK_MANAGER_DIR="$REPO_ROOT/cmd/manager"
+
+if [[ -d "$PRE_V1_SDK_MANAGER_DIR" ]]
+then
+  MAIN_DIR=$PRE_V1_SDK_MANAGER_DIR
+else
+  MAIN_DIR=$REPO_ROOT
+fi
+
+echo "Writing fips file at $MAIN_DIR/fips.go"
+
+cp $CONVENTION_DIR/fips.go "$MAIN_DIR/fips.go"

boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh

@@ -65,6 +65,9 @@ EOF
 cat <<EOF > $DOCKERFILE_REGISTRY
 FROM quay.io/openshift/origin-operator-registry:4.8.0
 COPY $SAAS_OPERATOR_DIR manifests
+USER 0
+RUN pip3 install urllib3==1.26.9 pip==21.3.1
+USER 1001
 RUN initializer --permissive
 CMD ["registry-server", "-t", "/tmp/terminate.log"]
 EOF

boilerplate/openshift/golang-osd-operator/fips.go

@@ -0,0 +1,15 @@
+// +build fips_enabled
+
+// BOILERPLATE GENERATED -- DO NOT EDIT
+// Run 'make ensure-fips' to regenerate
+
+package main
+
+import (
+	_ "crypto/tls/fipsonly"
+	"fmt"
+)
+
+func init() {
+	fmt.Println("***** Starting with FIPS crypto enabled *****")
+}

boilerplate/openshift/golang-osd-operator/standard.mk

@@ -46,6 +46,9 @@ OPERATOR_IMAGE_URI=${IMG}
 OPERATOR_IMAGE_URI_LATEST=$(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/$(IMAGE_NAME):latest
 OPERATOR_DOCKERFILE ?=build/Dockerfile
 REGISTRY_IMAGE=$(IMAGE_REGISTRY)/$(IMAGE_REPOSITORY)/$(IMAGE_NAME)-registry
+#The api dir that latest osdk generated
+NEW_API_DIR=./api
+USE_OLD_SDK=$(shell if [[ -d "$(NEW_API_DIR)" ]];then echo FALSE;else echo TRUE;fi)
 
 # Consumer can optionally define ADDITIONAL_IMAGE_SPECS like:
 #     define ADDITIONAL_IMAGE_SPECS
@@ -67,15 +70,33 @@ REGISTRY_USER ?=
 REGISTRY_TOKEN ?=
 
 BINFILE=build/_output/bin/$(OPERATOR_NAME)
-MAINPACKAGE ?= ./cmd/manager
+MAINPACKAGE = ./main.go
+API_DIR = $(NEW_API_DIR)
+ifeq ($(USE_OLD_SDK), TRUE)
+MAINPACKAGE = ./cmd/manager
+API_DIR = ./pkg/apis
+endif
 
 GOOS?=$(shell go env GOOS)
 GOARCH?=$(shell go env GOARCH)
 
 # Consumers may override GOFLAGS_MOD e.g. to use `-mod=vendor`
 unexport GOFLAGS
 GOFLAGS_MOD ?=
-GOENV=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=0 GOFLAGS=${GOFLAGS_MOD}
+
+# In openshift ci (Prow), we need to set $HOME to a writable directory else tests will fail
+# because they don't have permissions to create /.local or /.cache directories
+# as $HOME is set to "/" by default.
+ifeq ($(HOME),/)
+export HOME=/tmp/home
+endif
+
+ifeq (${FIPS_ENABLED}, true)
+GOFLAGS_MOD+=-tags=fips_enabled
+GOFLAGS_MOD:=$(strip ${GOFLAGS_MOD})
+endif
+
+GOENV=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=0 GOFLAGS="${GOFLAGS_MOD}"
 
 GOBUILDFLAGS=-gcflags="all=-trimpath=${GOPATH}" -asmflags="all=-trimpath=${GOPATH}"
 
@@ -153,11 +174,40 @@ go-generate:
 	${GOENV} go generate $(TESTTARGETS)
 	# Don't forget to commit generated files
 
+# go-get-tool will 'go install' any package $2 and install it to $1.
+define go-get-tool
+@{ \
+set -e ;\
+TMP_DIR=$$(mktemp -d) ;\
+cd $$TMP_DIR ;\
+go mod init tmp ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(shell dirname $(1)) go install $(2) ;\
+echo "Installed in $(1)" ;\
+rm -rf $$TMP_DIR ;\
+}
+endef
+
+# Deciding on the binary versions
+CONTROLLER_GEN_VERSION = v0.8.0
+CONTROLLER_GEN = controller-gen-$(CONTROLLER_GEN_VERSION)
+
+OPENAPI_GEN_VERSION = v0.23.0
+OPENAPI_GEN = openapi-gen-$(OPENAPI_GEN_VERSION)
+
+ifeq ($(USE_OLD_SDK), TRUE)
+#If we are using the old osdk, we use the default controller-gen and openapi-gen versions.
+# Default version is 0.3.0 for now.
+CONTROLLER_GEN = controller-gen
+# Default version is 0.19.4 for now.
+OPENAPI_GEN = openapi-gen
+endif
+
+
 .PHONY: op-generate
 op-generate:
-	# The artist formerly known as `operator-sdk generate crds`:
+	cd $(API_DIR); $(CONTROLLER_GEN) crd paths=./... output:dir=$(PWD)/deploy/crds
 ifeq ($(CRD_VERSION), v1beta1)
-	cd pkg/apis; controller-gen crd paths=./... output:dir=../../deploy/crds
 	# HACK: Due to an OLM bug in 3.11, we need to remove the
 	# spec.validation.openAPIV3Schema.type from CRDs. Remove once
 	# 3.11 is no longer supported.
@@ -170,36 +220,55 @@ ifeq ($(CRD_VERSION), v1beta1)
 	find deploy/crds -name '*.yaml' | xargs -n1 -I{} yq d -i {} 'spec.**.x-kubernetes-list-type'
 	find deploy/crds -name '*.yaml' | xargs -n1 -I{} yq d -i {} 'spec.**.x-kubernetes-map-type'
 	find deploy/crds -name '*.yaml' | xargs -n1 -I{} yq d -i {} 'spec.**.x-kubernetes-struct-type'
-else
-	cd pkg/apis; controller-gen crd:crdVersions=v1 paths=./... output:dir=../../deploy/crds
 endif
-	# The artist formerly known as `operator-sdk generate k8s`:
-	cd pkg/apis; controller-gen object paths=./...
-	# Don't forget to commit generated files
+	cd $(API_DIR); $(CONTROLLER_GEN) object paths=./...
+
+API_DIR_MIN_DEPTH = 1
+ifeq ($(USE_OLD_SDK), TRUE)
+API_DIR_MIN_DEPTH = 2
+endif
 
 .PHONY: openapi-generate
 openapi-generate:
-	find ./pkg/apis/ -maxdepth 2 -mindepth 2 -type d | xargs -t -n1 -I% \
-		openapi-gen --logtostderr=true \
+	find $(API_DIR) -maxdepth 2 -mindepth $(API_DIR_MIN_DEPTH) -type d | xargs -t -I% \
+		$(OPENAPI_GEN) --logtostderr=true \
 			-i % \
 			-o "" \
 			-O zz_generated.openapi \
 			-p % \
 			-h /dev/null \
 			-r "-"
-
+	
 .PHONY: generate
 generate: op-generate go-generate openapi-generate
 
+ifeq (${FIPS_ENABLED}, true)
+go-build: ensure-fips
+endif
+
 .PHONY: go-build
 go-build: ## Build binary
 	# Force GOOS=linux as we may want to build containers in other *nix-like systems (ie darwin).
 	# This is temporary until a better container build method is developed
 	${GOENV} GOOS=linux go build ${GOBUILDFLAGS} -o ${BINFILE} ${MAINPACKAGE}
 
+# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
+ENVTEST_K8S_VERSION = 1.23
+SETUP_ENVTEST = setup-envtest
+
+.PHONY: setup-envtest
+setup-envtest:
+	$(eval KUBEBUILDER_ASSETS := "$(shell $(SETUP_ENVTEST) use $(ENVTEST_K8S_VERSION) -p path --bin-dir /tmp/envtest/bin)")
+
+# Setting SHELL to bash allows bash commands to be executed by recipes.
+# This is a requirement for 'setup-envtest.sh' in the test target.
+# Options are set to exit when a recipe line exits non-zero or a piped command fails.
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+
 .PHONY: go-test
-go-test:
-	${GOENV} go test $(TESTOPTS) $(TESTTARGETS)
+go-test: setup-envtest
+	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test $(TESTOPTS) $(TESTTARGETS)
 
 .PHONY: python-venv
 python-venv:
@@ -272,3 +341,7 @@ opm-build-push: docker-push
 	OPERATOR_IMAGE_TAG="${OPERATOR_IMAGE_TAG}" \
 	OLM_CHANNEL="${OLM_CHANNEL}" \
 	${CONVENTION_DIR}/build-opm-catalog.sh
+
+.PHONY: ensure-fips
+ensure-fips:
+	${CONVENTION_DIR}/configure-fips.sh

boilerplate/openshift/golang-osd-operator/update

@@ -14,8 +14,9 @@ echo "Copying .codecov.yml to your repository root."
 cp ${HERE}/.codecov.yml $REPO_ROOT
 
 # TODO: boilerplate more of Dockerfile
-echo "Overwriting build/Dockerfile's initial FROM with $IMAGE_PULL_PATH"
-${SED?} -i "1s,.*,FROM $IMAGE_PULL_PATH AS builder," build/Dockerfile
+DOCKERFILE=build/Dockerfile
+echo "Overwriting $DOCKERFILE's initial FROM with $IMAGE_PULL_PATH"
+${SED?} -i "1s,.*,FROM $IMAGE_PULL_PATH AS builder," $DOCKERFILE
 
 echo "Writing .ci-operator.yaml in your repository root with:"
 echo "    namespace: $IMAGE_NAMESPACE"

build/Dockerfile

@@ -1,4 +1,4 @@
-FROM quay.io/app-sre/boilerplate:image-v2.2.0 AS builder
+FROM quay.io/app-sre/boilerplate:image-v2.3.2 AS builder
 
 RUN mkdir -p /workdir
 WORKDIR /workdir