diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 38d85617..fe94060f 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -7,7 +7,7 @@ on: branches: [ "main" ] env: - MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:6db7fa2b956875a6f507811166b47b164d463dea78ab4403c6d7648d838b8acb + MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:c9704230cc525fe00b16aced00d31dc56c6105c630849d0a72c558c0aa4c2c60 permissions: contents: read diff --git a/.tekton/model-validation-operator-bundle-pull-request.yaml b/.tekton/model-validation-operator-bundle-pull-request.yaml index df2c7471..92669b88 100644 --- a/.tekton/model-validation-operator-bundle-pull-request.yaml +++ b/.tekton/model-validation-operator-bundle-pull-request.yaml @@ -31,8 +31,6 @@ spec: value: . - name: hermetic value: "true" - - name: prefetch-input - value: '{"type": "generic", "path": "."}' - name: build-source-image value: "true" - name: manager-pipelinerun-selector diff --git a/.tekton/model-validation-operator-bundle-push.yaml b/.tekton/model-validation-operator-bundle-push.yaml index 17268b61..4e52cf83 100644 --- a/.tekton/model-validation-operator-bundle-push.yaml +++ b/.tekton/model-validation-operator-bundle-push.yaml @@ -26,8 +26,6 @@ spec: value: Dockerfile.model-validation-bundle.rh - name: hermetic value: "true" - - name: prefetch-input - value: '{"type": "generic", "path": "."}' - name: build-source-image value: "true" - name: manager-pipelinerun-selector diff --git a/Dockerfile.model-validation-bundle.rh b/Dockerfile.model-validation-bundle.rh index fa642d36..8fc6a517 100644 --- a/Dockerfile.model-validation-bundle.rh +++ b/Dockerfile.model-validation-bundle.rh 
@@ -1,11 +1,15 @@ -ARG VERSION="0.0.1" +ARG VERSION="0.0.2" ARG CHANNELS="tech-preview" ARG DEFAULT_CHANNEL="tech-preview" ARG BUNDLE_OVERLAY="olm" ARG BUNDLE_GEN_FLAGS="-q --overwrite=false --version $VERSION --channels=$CHANNELS --default-channel=$DEFAULT_CHANNEL" ARG IMG -FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:c466d80c1eab6ebeadf58f278eac91ac6a9b38d7ebd301833a8c53474106ee10 AS builder +FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:5f1fc557bef7e06ad285e94e20e4c1bb4f2b8b31c6239d195fd93ff02a530f9c AS oc-builder + +FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:8ff0cb8587bbca8809490ff59a67496599b6c0cc8e4ca88451481a265f17e581 AS builder + +COPY --from=oc-builder /usr/bin/oc /usr/bin/oc ARG BUNDLE_GEN_FLAGS ARG IMG diff --git a/Dockerfile.model-validation.rh b/Dockerfile.model-validation.rh index 73a27037..c5577200 100644 --- a/Dockerfile.model-validation.rh +++ b/Dockerfile.model-validation.rh @@ -1,5 +1,5 @@ # Build the manager binary -FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:14c369670cf3473d8e9b93e42d120c01b79a6f13884c396a1c89b7ca46f859b7 AS builder +FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:380d6de9bbc5a42ca13d425be99958fb397317664bb8a00e49d464e62cc8566c AS builder ARG TARGETOS ARG TARGETARCH @@ -24,7 +24,7 @@ COPY internal/ internal/ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go # Use minimal base image to package the manager binary -FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:2f06ae0e6d3d9c4f610d32c480338eef474867f435d8d28625f2985e8acde6e8 +FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 WORKDIR / COPY --from=builder /workspace/manager . USER 65532:65532 diff --git a/Makefile b/Makefile index 5439f85d..7e32e98b 100644 --- a/Makefile +++ b/Makefile 
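Review bot: The new `COPY --from=oc-builder /usr/bin/oc /usr/bin/oc` line brings a binary from a different image into the builder stage with no comment saying why and no check that it runs there. The reason is only discoverable from hack/build-bundle.sh in this same commit, which now calls `oc kustomize` instead of downloading kustomize, so the Dockerfile should say so: `# oc supplies "oc kustomize" for hack/build-bundle.sh, replacing the network-fetched kustomize binary (hermetic build)`. Both images are RHEL9-based, so the copied binary presumably links cleanly, but a one-line smoke test right after the COPY, `RUN oc version --client`, would fail the build early instead of at bundle-generation time if a future digest bump of either image breaks that assumption.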
@@ -460,6 +460,8 @@ e2e-sign-test-model: e2e-generate-test-keys -v $(PWD)/testdata/tensorflow_saved_model:/model \ -v $(PWD)/testdata/docker/test_private_key.priv:/test_private_key.priv \ --entrypoint "" \ + --user "$(id -u)":"$(id -g)" \ + -e HOME=/tmp \ $(MODEL_TRANSPARENCY_IMG) \ model_signing sign key /model \ --private_key /test_private_key.priv \ diff --git a/artifacts.lock.yaml b/artifacts.lock.yaml deleted file mode 100644 index 0b925d9b..00000000 --- a/artifacts.lock.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -metadata: - version: "1.0" -artifacts: - - download_url: "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz" - checksum: "sha256:54e4031ddc4e7fc59e408da29e7c646e8e57b8088c51b84b3df0864f47b5148f" - filename: "kustomize_v5.6.0_linux_amd64.tar.gz" diff --git a/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml b/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml index d28a6461..b80ac62d 100644 --- a/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml @@ -18,7 +18,7 @@ metadata: operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]' repository: https://github.com/securesign/model-validation-operator support: Red Hat - name: model-validation-operator.v0.0.1 + name: model-validation-operator.v0.0.2 namespace: placeholder spec: apiservicedefinitions: {} @@ -69,4 +69,4 @@ spec: minKubeVersion: 1.24.0 provider: name: Red Hat - version: 0.0.1-techpreview + version: 0.0.2-techpreview diff --git a/go.mod b/go.mod index a44dba60..ab61ce1c 100644 --- a/go.mod +++ b/go.mod 
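Review bot: `--user "$(id -u)":"$(id -g)"` is inside a Makefile recipe, so `$(id -u)` and `$(id -g)` are expanded by make as (undefined) make variables, not by the shell, and the flag docker actually receives is `--user :`; the intended host uid/gid never reaches the container. The shell substitution needs a doubled dollar: `--user "$$(id -u):$$(id -g)" \`. If the goal is that files written into the bind-mounted /model are not root-owned on the host, it is worth saying so in a comment above the flag, e.g. `# run as the invoking user so signatures written to the bind mount are not root-owned`. The e2e-sign-test-model recipe starts and ends outside this hunk.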
@@ -5,25 +5,25 @@ go 1.23.0 godebug default=go1.23 require ( - github.com/go-logr/logr v1.4.2 + github.com/go-logr/logr v1.4.3 github.com/onsi/ginkgo/v2 v2.22.0 github.com/onsi/gomega v1.36.1 - github.com/prometheus/client_golang v1.19.1 - github.com/prometheus/client_model v0.6.1 - github.com/prometheus/common v0.55.0 - github.com/stretchr/testify v1.9.0 - golang.org/x/time v0.7.0 - k8s.io/api v0.32.1 - k8s.io/apimachinery v0.32.1 - k8s.io/client-go v0.32.1 + github.com/prometheus/client_golang v1.23.2 + github.com/prometheus/client_model v0.6.2 + github.com/prometheus/common v0.67.2 + github.com/stretchr/testify v1.11.1 + golang.org/x/time v0.14.0 + k8s.io/api v0.34.2 + k8s.io/apimachinery v0.34.2 + k8s.io/client-go v0.34.2 k8s.io/klog/v2 v2.130.1 - sigs.k8s.io/controller-runtime v0.20.4 + sigs.k8s.io/controller-runtime v0.22.4 ) require ( - cel.dev/expr v0.18.0 // indirect + cel.dev/expr v0.25.1 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect - github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect + github.com/asaskevich/govalidator e11347878e23 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect 
@@ -32,71 +32,71 @@ require ( github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect - github.com/go-openapi/jsonpointer v0.21.0 // indirect - github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/jsonpointer v0.22.2 // indirect + github.com/go-openapi/jsonreference v0.21.3 // indirect github.com/go-openapi/swag v0.23.0 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/btree v1.1.3 // indirect - github.com/google/cel-go v0.22.0 // indirect - github.com/google/gnostic-models v0.6.8 // indirect - github.com/google/go-cmp v0.6.0 // indirect + github.com/google/cel-go v0.26.1 // indirect + github.com/google/gnostic-models v0.7.0 // indirect + github.com/google/go-cmp v0.7.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect + github.com/google/pprof 4902fdda35c8 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/mailru/easyjson v0.7.7 // indirect + github.com/mailru/easyjson v0.9.1 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib 
v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/procfs v0.15.1 // indirect - github.com/spf13/cobra v1.8.1 // indirect - github.com/spf13/pflag v1.0.5 // indirect - github.com/stoewer/go-strcase v1.3.0 // indirect + github.com/prometheus/procfs v0.19.2 // indirect + github.com/spf13/cobra v1.10.1 // indirect + github.com/spf13/pflag v1.0.10 // indirect + github.com/stoewer/go-strcase v1.3.1 // indirect github.com/x448/float16 v0.8.4 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect go.opentelemetry.io/otel v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect go.opentelemetry.io/otel/metric v1.28.0 // indirect go.opentelemetry.io/otel/sdk v1.28.0 // indirect go.opentelemetry.io/otel/trace v1.28.0 // indirect - go.opentelemetry.io/proto/otlp v1.3.1 // indirect + go.opentelemetry.io/proto/otlp v1.9.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect - golang.org/x/net v0.38.0 // indirect - golang.org/x/oauth2 v0.27.0 // indirect - golang.org/x/sync v0.12.0 // indirect - golang.org/x/sys v0.31.0 // indirect - golang.org/x/term v0.30.0 // indirect - golang.org/x/text v0.23.0 // indirect - golang.org/x/tools v0.26.0 // indirect + golang.org/x/exp e25ba8c21ef6 // indirect + golang.org/x/net v0.47.0 // indirect + golang.org/x/oauth2 v0.33.0 // indirect + golang.org/x/sync v0.18.0 // indirect + golang.org/x/sys v0.38.0 // indirect + golang.org/x/term v0.37.0 // indirect + golang.org/x/text v0.31.0 // indirect + golang.org/x/tools v0.39.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect - 
google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect + google.golang.org/genproto/googleapis/api 95abcf5c77ba // indirect + google.golang.org/genproto/googleapis/rpc 95abcf5c77ba // indirect google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.35.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.32.1 // indirect - k8s.io/apiserver v0.32.1 // indirect - k8s.io/component-base v0.32.1 // indirect - k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect - k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect - sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect - sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect + k8s.io/apiextensions-apiserver v0.34.2 // indirect + k8s.io/apiserver v0.34.2 // indirect + k8s.io/component-base v0.34.2 // indirect + k8s.io/kube-openapi 589584f1c912 // indirect + k8s.io/utils bc988d571ff4 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect + sigs.k8s.io/json 2d320260d730 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect - sigs.k8s.io/yaml v1.4.0 // indirect + sigs.k8s.io/yaml v1.6.0 // indirect ) diff --git a/hack/build-bundle.sh b/hack/build-bundle.sh index 8e2a1eb3..3a3994a7 100755 --- a/hack/build-bundle.sh +++ b/hack/build-bundle.sh 
@@ -1,31 +1,23 @@ #!/usr/bin/env bash set -euo pipefail -TOOLS="/tmp" - -if [ -d "/cachi2" ]; then - tar -xzf /cachi2/output/deps/generic/kustomize_v5.6.0_linux_amd64.tar.gz -C "${TOOLS}" - KUSTOMIZE="${TOOLS}/kustomize" -else - curl -Lo "${TOOLS}/kustomize.tar.gz" "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz" - tar -xzf "${TOOLS}/kustomize.tar.gz" -C "${TOOLS}" - rm "${TOOLS}/kustomize.tar.gz" - KUSTOMIZE="${TOOLS}/kustomize" -fi -chmod +x "${KUSTOMIZE}" -operator-sdk generate kustomize manifests -q +IMG_NAME="${IMG%@*}" +IMG_DIGEST="${IMG#*@}" -if [[ -n "${IMG:-}" ]]; then - pushd "config/overlays/${BUNDLE_OVERLAY}" >/dev/null - "${KUSTOMIZE}" edit set image "controller=${IMG}" - popd >/dev/null -fi +cat << EOF >> "config/overlays/${BUNDLE_OVERLAY}/kustomization.yaml" -"${KUSTOMIZE}" build "config/overlays/${BUNDLE_OVERLAY}" \ - | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS} +images: +- digest: ${IMG_DIGEST} + name: controller + newName: ${IMG_NAME} +EOF + +# Generate and validate the Operator bundle +oc kustomize "config/overlays/${BUNDLE_OVERLAY}" | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS} CSV="bundle/manifests/model-validation-operator.clusterserviceversion.yaml" + if [[ -f "${CSV}" ]]; then sed -i.bak 's/deploymentName: webhook/deploymentName: model-validation-controller-manager/' "${CSV}" sed -i.bak2 's/deploymentName: model-validation-controller-manager/deploymentName: model-validation-controller-manager\ diff --git a/internal/constants/images.go b/internal/constants/images.go index 8dbfe28c..095fca76 100644 --- a/internal/constants/images.go +++ b/internal/constants/images.go 
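Review bot: `IMG_NAME="${IMG%@*}"` and `IMG_DIGEST="${IMG#*@}"` drop the old `[[ -n "${IMG:-}" ]]` guard without replacing it, so under `set -u` an unset IMG aborts with a bare unbound-variable error, and an IMG given in tag form (no `@`) makes both expansions return the whole reference, producing a `digest:` entry that is not a digest and pins nothing. Since the bundle's whole purpose is a digest-pinned controller image, validate the input explicitly before the heredoc: `[[ "${IMG:-}" == *@sha256:* ]] || { echo "IMG must be an image reference pinned by digest (repo@sha256:...)" >&2; exit 1; }`. The `>>` append also assumes `config/overlays/${BUNDLE_OVERLAY}/kustomization.yaml` has no existing `images:` key; that file is not visible here, so a comment stating that assumption, or a `grep -q '^images:'` check, would make the failure mode explicit rather than a duplicate-key parse error from `oc kustomize`.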
@@ -24,5 +24,5 @@ var ( // ModelTransparencyCliImage is the default image for the model transparency CLI // used as an init container to validate model signatures ModelTransparencyCliImage = "registry.redhat.io/rhtas/model-transparency-rhel9@" + - "sha256:6db7fa2b956875a6f507811166b47b164d463dea78ab4403c6d7648d838b8acb" + "sha256:c9704230cc525fe00b16aced00d31dc56c6105c630849d0a72c558c0aa4c2c60" ) diff --git a/testdata/docker/test-model.Dockerfile b/testdata/docker/test-model.Dockerfile index c21472c1..ccdbadc5 100644 --- a/testdata/docker/test-model.Dockerfile +++ b/testdata/docker/test-model.Dockerfile @@ -12,4 +12,4 @@ COPY docker/test_invalid_public_key.pub /keys/test_invalid_public_key.pub RUN chmod -R 644 /data /keys && rm -f /data/test_public_key.pub /data/*.pub # Default command -CMD ["sleep", "3600"] \ No newline at end of file +CMD ["sleep", "3600"]