diff --git a/changelog/fragments/05-rbu-psa.yaml b/changelog/fragments/05-rbu-psa.yaml new file mode 100644 index 00000000000..e3944007bd6 --- /dev/null +++ b/changelog/fragments/05-rbu-psa.yaml @@ -0,0 +1,31 @@ +# entries is a list of entries to include in +# release notes and/or the migration guide +entries: + - description: > + `operator-sdk run bundle(-upgrade)`: Fix a bug where SQLite bundle images were failing to be run properly due to + a change in the default channel that is used by `run bundle(-upgrade)` when creating a subscription. + + kind: "bugfix" + breaking: false + + - description: > + `operator-sdk run bundle(-upgrade)`: Update the logic used to set a Registry Pod's PSA configuration + to fix a bug where a Pod's containers still had a restrictive SecurityContext even when setting + `--security-context-config=legacy`. + + kind: "bugfix" + breaking: false + + - description: > + `operator-sdk run bundle(-upgrade)`: Change default of the `--security-context-config` flag to be `legacy` + instead of `restricted`. + + kind: "change" + breaking: false + + - description: > + `operator-sdk run bundle`: When creating the CatalogSource, we now set the `grpcPodConfig.SecurityContextConfig` + to the value of the `--security-context-config` flag. + + kind: "change" + breaking: false diff --git a/internal/olm/operator/bundle/install.go b/internal/olm/operator/bundle/install.go index cd3fe483cb7..90f15e71451 100644 --- a/internal/olm/operator/bundle/install.go +++ b/internal/olm/operator/bundle/install.go @@ -17,6 +17,7 @@ package bundle import ( "context" "fmt" + "strings" log "github.com/sirupsen/logrus" "github.com/spf13/pflag" @@ -102,13 +103,7 @@ func (i *Install) setup(ctx context.Context) error { if i.IndexImageCatalogCreator.BundleAddMode != "" { return fmt.Errorf("specifying the bundle add mode is not supported for File-Based Catalog bundles and index images") } - } else { - // index image is of the SQLite index format. - deprecationMsg := fmt.Sprintf("%s is a SQLite index image. SQLite based index images are being deprecated and will be removed in a future release, please migrate your catalogs to the new File-Based Catalog format", i.IndexImageCatalogCreator.IndexImage) - log.Warn(deprecationMsg) - } - if i.IndexImageCatalogCreator.HasFBCLabel { // FBC variables f := &fbcutil.FBCContext{ Package: labels[registrybundle.PackageLabel], @@ -130,13 +125,20 @@ func (i *Install) setup(ctx context.Context) error { } i.IndexImageCatalogCreator.FBCContent = content + i.OperatorInstaller.Channel = fbcutil.DefaultChannel + } else { + // index image is of the SQLite index format. + deprecationMsg := fmt.Sprintf("%s is a SQLite index image. SQLite based index images are being deprecated and will be removed in a future release, please migrate your catalogs to the new File-Based Catalog format", i.IndexImageCatalogCreator.IndexImage) + log.Warn(deprecationMsg) + + // set the channel the old way + i.OperatorInstaller.Channel = strings.Split(labels[registrybundle.ChannelsLabel], ",")[0] } i.OperatorInstaller.PackageName = labels[registrybundle.PackageLabel] i.OperatorInstaller.CatalogSourceName = operator.CatalogNameForPackage(i.OperatorInstaller.PackageName) i.OperatorInstaller.StartingCSV = csv.Name i.OperatorInstaller.SupportedInstallModes = operator.GetSupportedInstallModes(csv.Spec.InstallModes) - i.OperatorInstaller.Channel = fbcutil.DefaultChannel i.IndexImageCatalogCreator.PackageName = i.OperatorInstaller.PackageName i.IndexImageCatalogCreator.BundleImage = i.BundleImage diff --git a/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go b/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go index b56f86eb1d8..32fd1e2cf1c 100644 --- a/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go +++ b/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go @@ -20,6 +20,7 @@ import ( "errors" "fmt" "path" + "strings" "text/template" "time" @@ -31,7 +32,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/util/retry" - pointer "k8s.io/utils/pointer" + "k8s.io/utils/pointer" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" "github.com/operator-framework/operator-sdk/internal/olm/operator" @@ -46,8 +47,9 @@ const ( defaultContainerName = "registry-grpc" defaultContainerPortName = "grpc" - defaultConfigMapName = "operator-sdk-run-bundle-config" - defaultConfigMapKey = "extraFBC" + defaultConfigMapKey = "extraFBC" + + maxConfigMapSize = 1 * 1024 * 1024 ) // FBCRegistryPod holds resources necessary for creation of a registry pod in FBC scenarios. @@ -76,6 +78,8 @@ type FBCRegistryPod struct { //nolint:maligned // SecurityContext on the Pod SecurityContext string + configMapName string + cfg *operator.Configuration } @@ -89,6 +93,10 @@ func (f *FBCRegistryPod) init(cfg *operator.Configuration, cs *v1alpha1.CatalogS f.FBCIndexRootDir = fmt.Sprintf("/%s-configs", cs.Name) } + if f.configMapName == "" { + f.configMapName = fmt.Sprintf("%s-configmap", cs.Name) + } + f.cfg = cfg // validate the FBCRegistryPod struct and ensure required fields are set @@ -126,6 +134,16 @@ func (f *FBCRegistryPod) Create(ctx context.Context, cfg *operator.Configuration Type: corev1.SeccompProfileTypeRuntimeDefault, }, } + + // Update the Registry Pod container security context to be restrictive + f.pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{ + Privileged: pointer.Bool(false), + ReadOnlyRootFilesystem: pointer.Bool(false), + AllowPrivilegeEscalation: pointer.Bool(false), + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + } } if err := f.cfg.Client.Create(ctx, f.pod); err != nil { @@ -210,11 +228,39 @@ func (f *FBCRegistryPod) podForBundleRegistry(cs *v1alpha1.CatalogSource) (*core // create ConfigMap if it does not exist, // if it exists, then update it with new content. - cm, err := f.createConfigMap(cs) + cms, err := f.createConfigMaps(cs) if err != nil { return nil, fmt.Errorf("configMap error: %w", err) } + volumes := []corev1.Volume{} + volumeMounts := []corev1.VolumeMount{} + + for _, cm := range cms { + volumes = append(volumes, corev1.Volume{ + Name: k8sutil.TrimDNS1123Label(cm.Name + "-volume"), + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + Items: []corev1.KeyToPath{ + { + Key: defaultConfigMapKey, + Path: path.Join(cm.Name, fmt.Sprintf("%s.yaml", defaultConfigMapKey)), + }, + }, + LocalObjectReference: corev1.LocalObjectReference{ + Name: cm.Name, + }, + }, + }, + }) + + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: k8sutil.TrimDNS1123Label(cm.Name + "-volume"), + MountPath: path.Join(f.FBCIndexRootDir, cm.Name), + SubPath: cm.Name, + }) + } + // make the pod definition f.pod = &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ @@ -256,24 +302,7 @@ func (f *FBCRegistryPod) podForBundleRegistry(cs *v1alpha1.CatalogSource) (*core // Type: corev1.SeccompProfileTypeRuntimeDefault, // }, // }, - Volumes: []corev1.Volume{ - { - Name: k8sutil.TrimDNS1123Label(cm.Name + "-volume"), - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - Items: []corev1.KeyToPath{ - { - Key: defaultConfigMapKey, - Path: path.Join(defaultConfigMapName, fmt.Sprintf("%s.yaml", defaultConfigMapKey)), - }, - }, - LocalObjectReference: corev1.LocalObjectReference{ - Name: cm.Name, - }, - }, - }, - }, - }, + Volumes: volumes, Containers: []corev1.Container{ { Name: defaultContainerName, @@ -286,21 +315,7 @@ func (f *FBCRegistryPod) podForBundleRegistry(cs *v1alpha1.CatalogSource) (*core Ports: []corev1.ContainerPort{ {Name: defaultContainerPortName, ContainerPort: f.GRPCPort}, }, - VolumeMounts: []corev1.VolumeMount{ - { - Name: k8sutil.TrimDNS1123Label(cm.Name + "-volume"), - MountPath: path.Join(f.FBCIndexRootDir, cm.Name), - SubPath: cm.Name, - }, - }, - SecurityContext: &corev1.SecurityContext{ - Privileged: pointer.Bool(false), - ReadOnlyRootFilesystem: pointer.Bool(false), - AllowPrivilegeEscalation: pointer.Bool(false), - Capabilities: &corev1.Capabilities{ - Drop: []corev1.Capability{"ALL"}, - }, - }, + VolumeMounts: volumeMounts, }, }, ServiceAccountName: f.cfg.ServiceAccount, @@ -315,50 +330,134 @@ const fbcCmdTemplate = `opm serve {{ .FBCIndexRootDir}} -p {{ .GRPCPort }}` // createConfigMap creates a ConfigMap if it does not exist and if it does, then update it with new content. // Also, sets the owner reference by making CatalogSource the owner of ConfigMap object for cleanup purposes. -func (f *FBCRegistryPod) createConfigMap(cs *v1alpha1.CatalogSource) (*corev1.ConfigMap, error) { - // new ConfigMap - cm := &corev1.ConfigMap{ +func (f *FBCRegistryPod) createConfigMaps(cs *v1alpha1.CatalogSource) ([]*corev1.ConfigMap, error) { + // By default just use the partitioning logic. + // If the entire FBC contents can fit in one ConfigMap it will. + cms := f.partitionedConfigMaps() + + // Loop through all the ConfigMaps and set the OwnerReference and try to create them + for _, cm := range cms { + // set owner reference by making catalog source the owner of ConfigMap object + if err := controllerutil.SetOwnerReference(cs, cm, f.cfg.Scheme); err != nil { + return nil, fmt.Errorf("set configmap %q owner reference: %v", cm.GetName(), err) + } + + err := f.createOrUpdateConfigMap(cm) + if err != nil { + return nil, err + } + } + + return cms, nil +} + +// partitionedConfigMaps will create and return a list of *corev1.ConfigMap +// that represents all the ConfigMaps that will need to be created to +// properly have all the FBC contents rendered in the registry pod. +func (f *FBCRegistryPod) partitionedConfigMaps() []*corev1.ConfigMap { + // Split on the YAML separator `---` + yamlDefs := strings.Split(f.FBCContent, "---")[1:] + configMaps := []*corev1.ConfigMap{} + + // Keep the number of ConfigMaps that are created to a minimum by + // stuffing them as full as possible. + partitionCount := 1 + cm := f.makeBaseConfigMap() + // for each chunk of yaml see if it can be added to the ConfigMap partition + for _, yamlDef := range yamlDefs { + // If the ConfigMap has data then lets attempt to add to it + if len(cm.Data) != 0 { + // Create a copy to use to verify that adding the data doesn't + // exceed the max ConfigMap size of 1 MiB. + tempCm := cm.DeepCopy() + tempCm.Data[defaultConfigMapKey] = tempCm.Data[defaultConfigMapKey] + "\n---\n" + yamlDef + + // if it would be too large adding the data then partition it. + if tempCm.Size() >= maxConfigMapSize { + // Set the ConfigMap name based on the partition it is + cm.SetName(fmt.Sprintf("%s-partition-%d", f.configMapName, partitionCount)) + // Increase the partition count + partitionCount++ + // Add the ConfigMap to the list of ConfigMaps + configMaps = append(configMaps, cm.DeepCopy()) + + // Create a new ConfigMap + cm = f.makeBaseConfigMap() + // Since adding this data would have made the previous + // ConfigMap too large, add it to this new one. + // No chunk of YAML from the bundle should cause + // the ConfigMap size to exceed 1 MiB and if + // somehow it does then there is a problem with the + // YAML itself. We can't reasonably break it up smaller + // since it is a single object. + cm.Data[defaultConfigMapKey] = yamlDef + } else { + // if adding the data to the ConfigMap + // doesn't make the ConfigMap exceed the + // size limit then actually add it. + cm.Data = tempCm.Data + } + } else { + // If there is no data in the ConfigMap + // then this is the first pass. Since it is + // the first pass go ahead and add the data. + cm.Data[defaultConfigMapKey] = yamlDef + } + } + + // if there aren't as many ConfigMaps as partitions AND the unadded ConfigMap has data + // then add it to the list of ConfigMaps. This is so we don't miss adding a ConfigMap + // after the above loop completes. + if len(configMaps) != partitionCount && len(cm.Data) != 0 { + cm.SetName(fmt.Sprintf("%s-partition-%d", f.configMapName, partitionCount)) + configMaps = append(configMaps, cm.DeepCopy()) + } + + return configMaps +} + +// makeBaseConfigMap will return the base *corev1.ConfigMap +// definition that is used by various functions when creating a ConfigMap. +func (f *FBCRegistryPod) makeBaseConfigMap() *corev1.ConfigMap { + return &corev1.ConfigMap{ TypeMeta: metav1.TypeMeta{ APIVersion: corev1.SchemeGroupVersion.String(), Kind: "ConfigMap", }, ObjectMeta: metav1.ObjectMeta{ - Name: defaultConfigMapName, Namespace: f.cfg.Namespace, }, - Data: map[string]string{ - defaultConfigMapKey: f.FBCContent, - }, - } - - // set owner reference by making catalog source the owner of ConfigMap object - if err := controllerutil.SetOwnerReference(cs, cm, f.cfg.Scheme); err != nil { - return nil, fmt.Errorf("set configmap %q owner reference: %v", cm.GetName(), err) + Data: map[string]string{}, } +} +// createOrUpdateConfigMap will create a ConfigMap if it doesn't exist or +// update it if it already exists. +func (f *FBCRegistryPod) createOrUpdateConfigMap(cm *corev1.ConfigMap) error { cmKey := types.NamespacedName{ - Namespace: f.cfg.Namespace, - Name: defaultConfigMapName, + Namespace: cm.GetNamespace(), + Name: cm.GetName(), } // create a ConfigMap if it does not exist; // update it with new data if it already exists. if err := retry.RetryOnConflict(retry.DefaultBackoff, func() error { - err := f.cfg.Client.Get(context.TODO(), cmKey, cm) + tempCm := &corev1.ConfigMap{} + err := f.cfg.Client.Get(context.TODO(), cmKey, tempCm) if apierrors.IsNotFound(err) { if err := f.cfg.Client.Create(context.TODO(), cm); err != nil { return fmt.Errorf("error creating ConfigMap: %w", err) } + return nil } // update ConfigMap with new FBCContent - cm.Data = map[string]string{defaultConfigMapKey: f.FBCContent} - return f.cfg.Client.Update(context.TODO(), cm) + tempCm.Data = cm.Data + return f.cfg.Client.Update(context.TODO(), tempCm) }); err != nil { - return nil, fmt.Errorf("error updating ConfigMap: %w", err) + return fmt.Errorf("error updating ConfigMap: %w", err) } - return cm, nil - + return nil } // getContainerCmd uses templating to construct the container command diff --git a/internal/olm/operator/registry/index/registry_pod.go b/internal/olm/operator/registry/index/registry_pod.go index 61719c64d3a..c9f3434f8ca 100644 --- a/internal/olm/operator/registry/index/registry_pod.go +++ b/internal/olm/operator/registry/index/registry_pod.go @@ -139,6 +139,16 @@ func (rp *SQLiteRegistryPod) Create(ctx context.Context, cfg *operator.Configura Type: corev1.SeccompProfileTypeRuntimeDefault, }, } + + // Update the Registry Pod container security context to be restrictive + rp.pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{ + Privileged: pointer.Bool(false), + ReadOnlyRootFilesystem: pointer.Bool(false), + AllowPrivilegeEscalation: pointer.Bool(false), + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + } } if err := rp.cfg.Client.Create(ctx, rp.pod); err != nil { @@ -277,14 +287,7 @@ func (rp *SQLiteRegistryPod) podForBundleRegistry() (*corev1.Pod, error) { Ports: []corev1.ContainerPort{ {Name: defaultContainerPortName, ContainerPort: rp.GRPCPort}, }, - SecurityContext: &corev1.SecurityContext{ - Privileged: pointer.Bool(false), - ReadOnlyRootFilesystem: pointer.Bool(false), - AllowPrivilegeEscalation: pointer.Bool(false), - Capabilities: &corev1.Capabilities{ - Drop: []corev1.Capability{"ALL"}, - }, - }, + WorkingDir: "/tmp", }, }, ServiceAccountName: rp.cfg.ServiceAccount, @@ -362,11 +365,11 @@ func newBool(b bool) *bool { return bp } -const cmdTemplate = `mkdir -p {{ dirname .DBPath }} && \ +const cmdTemplate = `[[ -f {{ .DBPath }} ]] && cp {{ .DBPath }} /tmp/tmp.db; \ {{- range $i, $item := .BundleItems }} -opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} --skip-tls-verify={{ $.SkipTLSVerify }} --use-http={{ $.UseHTTP }} && \ +opm registry add -d /tmp/tmp.db -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} --skip-tls-verify={{ $.SkipTLSVerify }} --use-http={{ $.UseHTTP }} && \ {{- end }} -opm registry serve -d {{ .DBPath }} -p {{ .GRPCPort }} +opm registry serve -d /tmp/tmp.db -p {{ .GRPCPort }} ` // getContainerCmd uses templating to construct the container command diff --git a/internal/olm/operator/registry/index/registry_pod_test.go b/internal/olm/operator/registry/index/registry_pod_test.go index 2229c2482f1..4f1f81130dd 100644 --- a/internal/olm/operator/registry/index/registry_pod_test.go +++ b/internal/olm/operator/registry/index/registry_pod_test.go @@ -290,7 +290,8 @@ func containerCommandFor(dbPath string, items []BundleItem, hasCA, skipTLSVerify } additions := &strings.Builder{} for _, item := range items { - additions.WriteString(fmt.Sprintf("opm registry add -d %s -b %s --mode=%s%s --skip-tls-verify=%v --use-http=%v && \\\n", dbPath, item.ImageTag, item.AddMode, caFlag, skipTLSVerify, useHTTP)) + additions.WriteString(fmt.Sprintf("opm registry add -d /tmp/tmp.db -b %s --mode=%s%s --skip-tls-verify=%v --use-http=%v && \\\n", item.ImageTag, item.AddMode, caFlag, skipTLSVerify, useHTTP)) } - return fmt.Sprintf("mkdir -p /database && \\\n%sopm registry serve -d /database/index.db -p 50051\n", additions.String()) + + return fmt.Sprintf("[[ -f %s ]] && cp %s /tmp/tmp.db; \\\n%sopm registry serve -d /tmp/tmp.db -p 50051\n", dbPath, dbPath, additions.String()) } diff --git a/internal/olm/operator/registry/index_image.go b/internal/olm/operator/registry/index_image.go index db87f862237..2f080d3761a 100644 --- a/internal/olm/operator/registry/index_image.go +++ b/internal/olm/operator/registry/index_image.go @@ -138,8 +138,8 @@ func (c *IndexImageCatalogCreator) BindFlags(fs *pflag.FlagSet) { fs.BoolVar(&c.UseHTTP, "use-http", false, "use plain HTTP for container image registries "+ "while pulling bundles") - // default to Restricted - c.SecurityContext = SecurityContext{ContextType: Restricted} + // default to Legacy + c.SecurityContext = SecurityContext{ContextType: Legacy} fs.Var(&c.SecurityContext, "security-context-config", "specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'.") } @@ -148,6 +148,7 @@ func (c IndexImageCatalogCreator) CreateCatalog(ctx context.Context, name string cs := newCatalogSource(name, c.cfg.Namespace, withSDKPublisher(c.PackageName), withSecrets(c.SecretName), + withGrpcPodSecurityContextConfig(c.SecurityContext.String()), ) if err := c.cfg.Client.Create(ctx, cs); err != nil { return nil, fmt.Errorf("error creating catalog source: %v", err) diff --git a/internal/olm/operator/registry/olm_resources.go b/internal/olm/operator/registry/olm_resources.go index d43b1e99340..41abc145bb4 100644 --- a/internal/olm/operator/registry/olm_resources.go +++ b/internal/olm/operator/registry/olm_resources.go @@ -89,6 +89,15 @@ func withSecrets(secretNames ...string) func(*v1alpha1.CatalogSource) { } } +func withGrpcPodSecurityContextConfig(securityContextConfig string) func(*v1alpha1.CatalogSource) { + return func(cs *v1alpha1.CatalogSource) { + if cs.Spec.GrpcPodConfig == nil { + cs.Spec.GrpcPodConfig = &v1alpha1.GrpcPodConfig{} + } + cs.Spec.GrpcPodConfig.SecurityContextConfig = v1alpha1.SecurityConfig(securityContextConfig) + } +} + // newCatalogSource creates a new CatalogSource with a name derived from // pkgName, the package manifest's packageName, in namespace. opts will // be applied to the CatalogSource object. diff --git a/testdata/go/v3/memcached-operator/README.md b/testdata/go/v3/memcached-operator/README.md index cb5b4efc002..e4dd2e876a2 100644 --- a/testdata/go/v3/memcached-operator/README.md +++ b/testdata/go/v3/memcached-operator/README.md @@ -78,7 +78,7 @@ More information can be found via the [Kubebuilder Documentation](https://book.k ## License -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/api/v1alpha1/groupversion_info.go b/testdata/go/v3/memcached-operator/api/v1alpha1/groupversion_info.go index 593f0d44318..b5a1e8f2d3c 100644 --- a/testdata/go/v3/memcached-operator/api/v1alpha1/groupversion_info.go +++ b/testdata/go/v3/memcached-operator/api/v1alpha1/groupversion_info.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/api/v1alpha1/memcached_types.go b/testdata/go/v3/memcached-operator/api/v1alpha1/memcached_types.go index eb79e261ba9..822d0a4084a 100644 --- a/testdata/go/v3/memcached-operator/api/v1alpha1/memcached_types.go +++ b/testdata/go/v3/memcached-operator/api/v1alpha1/memcached_types.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/api/v1alpha1/memcached_webhook.go b/testdata/go/v3/memcached-operator/api/v1alpha1/memcached_webhook.go index c6997a42de2..ce5e119e46c 100644 --- a/testdata/go/v3/memcached-operator/api/v1alpha1/memcached_webhook.go +++ b/testdata/go/v3/memcached-operator/api/v1alpha1/memcached_webhook.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/api/v1alpha1/webhook_suite_test.go b/testdata/go/v3/memcached-operator/api/v1alpha1/webhook_suite_test.go index 75bba1ebad6..7fa23aac478 100644 --- a/testdata/go/v3/memcached-operator/api/v1alpha1/webhook_suite_test.go +++ b/testdata/go/v3/memcached-operator/api/v1alpha1/webhook_suite_test.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/api/v1alpha1/zz_generated.deepcopy.go b/testdata/go/v3/memcached-operator/api/v1alpha1/zz_generated.deepcopy.go index ad3b8725d8b..26ea5c32e4b 100644 --- a/testdata/go/v3/memcached-operator/api/v1alpha1/zz_generated.deepcopy.go +++ b/testdata/go/v3/memcached-operator/api/v1alpha1/zz_generated.deepcopy.go @@ -2,7 +2,7 @@ // +build !ignore_autogenerated /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/controllers/memcached_controller.go b/testdata/go/v3/memcached-operator/controllers/memcached_controller.go index ffd7a4c7861..26b9b3ecd0d 100644 --- a/testdata/go/v3/memcached-operator/controllers/memcached_controller.go +++ b/testdata/go/v3/memcached-operator/controllers/memcached_controller.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/controllers/memcached_controller_test.go b/testdata/go/v3/memcached-operator/controllers/memcached_controller_test.go index 3598c5629d9..b3921067850 100644 --- a/testdata/go/v3/memcached-operator/controllers/memcached_controller_test.go +++ b/testdata/go/v3/memcached-operator/controllers/memcached_controller_test.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/controllers/suite_test.go b/testdata/go/v3/memcached-operator/controllers/suite_test.go index 0e0366714e3..6b6c12f4636 100644 --- a/testdata/go/v3/memcached-operator/controllers/suite_test.go +++ b/testdata/go/v3/memcached-operator/controllers/suite_test.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/hack/boilerplate.go.txt b/testdata/go/v3/memcached-operator/hack/boilerplate.go.txt index 29c55ecda3b..65b86227183 100644 --- a/testdata/go/v3/memcached-operator/hack/boilerplate.go.txt +++ b/testdata/go/v3/memcached-operator/hack/boilerplate.go.txt @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v3/memcached-operator/main.go b/testdata/go/v3/memcached-operator/main.go index 738188527e3..5a43d313193 100644 --- a/testdata/go/v3/memcached-operator/main.go +++ b/testdata/go/v3/memcached-operator/main.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/README.md b/testdata/go/v4-alpha/memcached-operator/README.md index cb5b4efc002..e4dd2e876a2 100644 --- a/testdata/go/v4-alpha/memcached-operator/README.md +++ b/testdata/go/v4-alpha/memcached-operator/README.md @@ -78,7 +78,7 @@ More information can be found via the [Kubebuilder Documentation](https://book.k ## License -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/groupversion_info.go b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/groupversion_info.go index 593f0d44318..b5a1e8f2d3c 100644 --- a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/groupversion_info.go +++ b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/groupversion_info.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/memcached_types.go b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/memcached_types.go index eb79e261ba9..822d0a4084a 100644 --- a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/memcached_types.go +++ b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/memcached_types.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/memcached_webhook.go b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/memcached_webhook.go index c6997a42de2..ce5e119e46c 100644 --- a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/memcached_webhook.go +++ b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/memcached_webhook.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/webhook_suite_test.go b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/webhook_suite_test.go index 75bba1ebad6..7fa23aac478 100644 --- a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/webhook_suite_test.go +++ b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/webhook_suite_test.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/zz_generated.deepcopy.go b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/zz_generated.deepcopy.go index ad3b8725d8b..26ea5c32e4b 100644 --- a/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/zz_generated.deepcopy.go +++ b/testdata/go/v4-alpha/memcached-operator/api/v1alpha1/zz_generated.deepcopy.go @@ -2,7 +2,7 @@ // +build !ignore_autogenerated /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/controllers/memcached_controller.go b/testdata/go/v4-alpha/memcached-operator/controllers/memcached_controller.go index ffd7a4c7861..26b9b3ecd0d 100644 --- a/testdata/go/v4-alpha/memcached-operator/controllers/memcached_controller.go +++ b/testdata/go/v4-alpha/memcached-operator/controllers/memcached_controller.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/controllers/memcached_controller_test.go b/testdata/go/v4-alpha/memcached-operator/controllers/memcached_controller_test.go index 3598c5629d9..b3921067850 100644 --- a/testdata/go/v4-alpha/memcached-operator/controllers/memcached_controller_test.go +++ b/testdata/go/v4-alpha/memcached-operator/controllers/memcached_controller_test.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/controllers/suite_test.go b/testdata/go/v4-alpha/memcached-operator/controllers/suite_test.go index 0e0366714e3..6b6c12f4636 100644 --- a/testdata/go/v4-alpha/memcached-operator/controllers/suite_test.go +++ b/testdata/go/v4-alpha/memcached-operator/controllers/suite_test.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/hack/boilerplate.go.txt b/testdata/go/v4-alpha/memcached-operator/hack/boilerplate.go.txt index 29c55ecda3b..65b86227183 100644 --- a/testdata/go/v4-alpha/memcached-operator/hack/boilerplate.go.txt +++ b/testdata/go/v4-alpha/memcached-operator/hack/boilerplate.go.txt @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/testdata/go/v4-alpha/memcached-operator/main.go b/testdata/go/v4-alpha/memcached-operator/main.go index 738188527e3..5a43d313193 100644 --- a/testdata/go/v4-alpha/memcached-operator/main.go +++ b/testdata/go/v4-alpha/memcached-operator/main.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2023. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/website/content/en/docs/advanced-topics/custom-bundle-validation.md b/website/content/en/docs/advanced-topics/custom-bundle-validation.md index eadc2ece4bc..f0d9d2a0dd5 100644 --- a/website/content/en/docs/advanced-topics/custom-bundle-validation.md +++ b/website/content/en/docs/advanced-topics/custom-bundle-validation.md @@ -309,7 +309,7 @@ $ operator-sdk bundle validate ./bundle --alpha-select-external ./myvalidator/ma WARN[0000] Warning: Value sandbox-op.v0.0.1: owned CRD "sandboxes.sandbox.example.come" has an empty description INFO[0000] All validation tests have completed successfully ``` -[errors-pkg]: https://github.com/operator-framework/api/pkg/tree/master/validation/errors +[errors-pkg]: https://github.com/operator-framework/api/tree/master/pkg/validation/errors [manifest_result]: https://github.com/operator-framework/api/blob/master/pkg/validation/errors/error.go#L9-L16 [of-api]: https://github.com/operator-framework/api [of-validation]: https://github.com/operator-framework/api/tree/master/pkg/validation diff --git a/website/content/en/docs/advanced-topics/multi-arch.md b/website/content/en/docs/advanced-topics/multi-arch.md index fc5e21e71c3..863137ea224 100644 --- a/website/content/en/docs/advanced-topics/multi-arch.md +++ b/website/content/en/docs/advanced-topics/multi-arch.md @@ -50,7 +50,7 @@ For operators distributed through the [Operator Lifecycle Manager (OLM)][olm]: [manifest_list]: https://docs.docker.com/registry/spec/manifest-v2-2/#manifest-list [image_index]: https://github.com/opencontainers/image-spec/blob/main/image-index.md -[buildah]: https://github.com/containers/buildah/blob/main/docs/buildah-bud.md#building-an-multi-architecture-image-using-a---manifest-option-requires-emulation-software +[buildah]: https://github.com/containers/buildah/blob/main/docs/buildah-build.1.md#building-an-multi-architecture-image-using-the---manifest-option-requires-emulation-software [buildx]: https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images [buildx_multiarch]: https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images [olm]: https://olm.operatorframework.io/docs/ diff --git a/website/content/en/docs/cli/operator-sdk_run_bundle-upgrade.md b/website/content/en/docs/cli/operator-sdk_run_bundle-upgrade.md index a6e644db8da..f24f64d8628 100644 --- a/website/content/en/docs/cli/operator-sdk_run_bundle-upgrade.md +++ b/website/content/en/docs/cli/operator-sdk_run_bundle-upgrade.md @@ -24,7 +24,7 @@ operator-sdk run bundle-upgrade [flags] --kubeconfig string Path to the kubeconfig file to use for CLI requests. -n, --namespace string If present, namespace scope for this CLI request --pull-secret-name string Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in - --security-context-config SecurityContext specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default restricted) + --security-context-config SecurityContext specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default legacy) --service-account string Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account --skip-tls skip authentication of image registry TLS certificate when pulling a bundle image in-cluster --skip-tls-verify skip TLS certificate verification for container image registries while pulling bundles diff --git a/website/content/en/docs/cli/operator-sdk_run_bundle.md b/website/content/en/docs/cli/operator-sdk_run_bundle.md index 3750a64243d..7619e183090 100644 --- a/website/content/en/docs/cli/operator-sdk_run_bundle.md +++ b/website/content/en/docs/cli/operator-sdk_run_bundle.md @@ -35,7 +35,7 @@ operator-sdk run bundle [flags] --kubeconfig string Path to the kubeconfig file to use for CLI requests. -n, --namespace string If present, namespace scope for this CLI request --pull-secret-name string Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in - --security-context-config SecurityContext specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default restricted) + --security-context-config SecurityContext specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default legacy) --service-account string Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account --skip-tls skip authentication of image registry TLS certificate when pulling a bundle image in-cluster --skip-tls-verify skip TLS certificate verification for container image registries while pulling bundles diff --git a/website/content/en/docs/contribution-guidelines/releasing.md b/website/content/en/docs/contribution-guidelines/releasing.md index c72c91159f8..6fc531210ac 100644 --- a/website/content/en/docs/contribution-guidelines/releasing.md +++ b/website/content/en/docs/contribution-guidelines/releasing.md @@ -198,12 +198,10 @@ We will use the `v1.3.1` release version in this example. #### 0. Lock down release branches on GitHub -Lock down the `v1.3.x` branch to prevent further merges/commits. - -To do this, edit the `Branch protection rules`: https://github.com/operator-framework/operator-sdk/settings/branches - -- click `Edit` on the `v.*` branch rule. -- In section `Protect matching branches` of the `Rule settings` box, set "Required approving reviewers" to `6`. +1. Lock down the `v1.3.x` branch to prevent further commits before the release completes: + 1. Go to `Settings -> Branches` in the SDK repo. + 1. Under `Branch protection rules`, click `Edit` on the `v*.` branch rule. + 1. In section `Protect matching branches` of the `Rule settings` box, increase the number of required approving reviewers to `6`. #### 1. Branch diff --git a/website/content/en/docs/overview/cheat-sheet.md b/website/content/en/docs/overview/cheat-sheet.md index c8cf495d530..24db235e187 100644 --- a/website/content/en/docs/overview/cheat-sheet.md +++ b/website/content/en/docs/overview/cheat-sheet.md @@ -70,7 +70,7 @@ make bundle CHANNELS=fast,preview DEFAULT_CHANNEL=stable VERSION=1.0.0 IMG=