From c85fca876cb7ed7803059fa2829f9ba8210f487c Mon Sep 17 00:00:00 2001 From: Aleks <121458075+SequeI@users.noreply.github.com> Date: Mon, 10 Nov 2025 10:54:51 +0000 Subject: [PATCH 1/9] fix: switch to oc kustomize for pass ECP compliance (#33) * fix: switch to oc kustomize for pass ECP compliance Signed-off-by: SequeI * fix Signed-off-by: SequeI --------- Signed-off-by: SequeI --- ...lidation-operator-bundle-pull-request.yaml | 2 - ...model-validation-operator-bundle-push.yaml | 2 - Dockerfile.model-validation-bundle.rh | 50 +++++++++++++++++-- artifacts.lock.yaml | 7 --- hack/build-bundle.sh | 37 -------------- 5 files changed, 47 insertions(+), 51 deletions(-) delete mode 100644 artifacts.lock.yaml delete mode 100755 hack/build-bundle.sh diff --git a/.tekton/model-validation-operator-bundle-pull-request.yaml b/.tekton/model-validation-operator-bundle-pull-request.yaml index df2c7471..92669b88 100644 --- a/.tekton/model-validation-operator-bundle-pull-request.yaml +++ b/.tekton/model-validation-operator-bundle-pull-request.yaml @@ -31,8 +31,6 @@ spec: value: . - name: hermetic value: "true" - - name: prefetch-input - value: '{"type": "generic", "path": "."}' - name: build-source-image value: "true" - name: manager-pipelinerun-selector diff --git a/.tekton/model-validation-operator-bundle-push.yaml b/.tekton/model-validation-operator-bundle-push.yaml index 17268b61..4e52cf83 100644 --- a/.tekton/model-validation-operator-bundle-push.yaml +++ b/.tekton/model-validation-operator-bundle-push.yaml @@ -26,8 +26,6 @@ spec: value: Dockerfile.model-validation-bundle.rh - name: hermetic value: "true" - - name: prefetch-input - value: '{"type": "generic", "path": "."}' - name: build-source-image value: "true" - name: manager-pipelinerun-selector diff --git a/Dockerfile.model-validation-bundle.rh b/Dockerfile.model-validation-bundle.rh index fa642d36..6d24498e 100644 --- a/Dockerfile.model-validation-bundle.rh +++ b/Dockerfile.model-validation-bundle.rh 
@@ -5,6 +5,44 @@ ARG BUNDLE_OVERLAY="olm" ARG BUNDLE_GEN_FLAGS="-q --overwrite=false --version $VERSION --channels=$CHANNELS --default-channel=$DEFAULT_CHANNEL" ARG IMG +FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:64867e62dbbafe779cdb4233b7c7c8686932717177e5825058e23beccbb3207b AS oc-builder + +WORKDIR /tmp + +COPY ./config/ ./config/ +ARG IMG + +# Replace image reference in kustomization.yaml +RUN if [ -n "$IMG" ]; then \ + if [[ "$IMG" == *"@"* ]]; then \ + IMG_NAME="${IMG%@*}"; IMG_DIGEST="${IMG#*@}"; \ + sed -i "s|newName:.*|newName: ${IMG_NAME}|" config/manager/kustomization.yaml; \ + sed -i "/newTag:/d" config/manager/kustomization.yaml; \ + if grep -q "digest:" config/manager/kustomization.yaml; then \ + sed -i "s|digest:.*|digest: ${IMG_DIGEST}|" config/manager/kustomization.yaml; \ + else \ + sed -i "/newName:/a\ digest: ${IMG_DIGEST}" config/manager/kustomization.yaml; \ + fi; \ + elif [[ "$IMG" == *":"* ]]; then \ + IMG_NAME="${IMG%%:*}"; IMG_TAG="${IMG##*:}"; \ + sed -i "s|newName:.*|newName: ${IMG_NAME}|" config/manager/kustomization.yaml; \ + sed -i "/digest:/d" config/manager/kustomization.yaml; \ + if grep -q "newTag:" config/manager/kustomization.yaml; then \ + sed -i "s|newTag:.*|newTag: ${IMG_TAG}|" config/manager/kustomization.yaml; \ + else \ + sed -i "/newName:/a\ newTag: ${IMG_TAG}" config/manager/kustomization.yaml; \ + fi; \ + else \ + sed -i "s|newName:.*|newName: ${IMG}|" config/manager/kustomization.yaml; \ + sed -i "/digest:/d" config/manager/kustomization.yaml; \ + sed -i "/newTag:/d" config/manager/kustomization.yaml; \ + fi; \ + sed -i "s|^images:|images:\n-|" config/manager/kustomization.yaml; \ + fi + +# Build manifests +RUN oc kustomize config/manifests > /tmp/manifests.yaml + FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:c466d80c1eab6ebeadf58f278eac91ac6a9b38d7ebd301833a8c53474106ee10 AS builder ARG BUNDLE_GEN_FLAGS 
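Review bot: The tag branch of the new `RUN` in the `oc-builder` stage splits `IMG` at the first colon (`IMG_NAME="${IMG%%:*}"`), so a reference whose registry carries a port, such as the constructed example `registry.example:5000/ns/controller:v1`, is rewritten to `newName: registry.example` and the repository path is lost. `IMG` is also spliced into the `sed` replacement text unescaped, so an `&` or `|` in the build argument alters the expression instead of being written as part of the value. Because this reference decides which controller image the bundle points at, I would accept only digest references and fail the build otherwise, e.g. `else echo "IMG must be name@sha256:<digest>" >&2; exit 1; fi` in place of the tag and bare-name branches; if tags must stay, split on the last colon with `IMG_NAME="${IMG%:*}"`. An empty `IMG` silently skips the rewrite, which deserves a comment such as `# IMG unset: keep the image already in config/manager/kustomization.yaml`.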
@@ -13,13 +51,19 @@ ARG BUNDLE_OVERLAY WORKDIR /tmp -COPY ./config/ ./config/ +COPY --from=oc-builder /tmp/manifests.yaml ./config/manifests/all.yaml COPY PROJECT . -COPY hack/build-bundle.sh build-bundle.sh USER root -RUN ./build-bundle.sh +# Generate and validate the Operator bundle +RUN cat ./config/manifests/all.yaml | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS} \ + && CSV="bundle/manifests/model-validation-operator.clusterserviceversion.yaml" \ + && sed -i 's/deploymentName: webhook/deploymentName: model-validation-controller-manager/' "${CSV}" \ + && sed -i 's/deploymentName: model-validation-controller-manager/deploymentName: model-validation-controller-manager\ + serviceName: model-validation-webhook\ + containerPort: 9443/' "${CSV}" \ + && operator-sdk bundle validate ./bundle FROM scratch diff --git a/artifacts.lock.yaml b/artifacts.lock.yaml deleted file mode 100644 index 0b925d9b..00000000 --- a/artifacts.lock.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -metadata: - version: "1.0" -artifacts: - - download_url: "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz" - checksum: "sha256:54e4031ddc4e7fc59e408da29e7c646e8e57b8088c51b84b3df0864f47b5148f" - filename: "kustomize_v5.6.0_linux_amd64.tar.gz" diff --git a/hack/build-bundle.sh b/hack/build-bundle.sh deleted file mode 100755 index 8e2a1eb3..00000000 --- a/hack/build-bundle.sh +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -TOOLS="/tmp" - -if [ -d "/cachi2" ]; then - tar -xzf /cachi2/output/deps/generic/kustomize_v5.6.0_linux_amd64.tar.gz -C "${TOOLS}" - KUSTOMIZE="${TOOLS}/kustomize" -else - curl -Lo "${TOOLS}/kustomize.tar.gz" "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz" - tar -xzf "${TOOLS}/kustomize.tar.gz" -C "${TOOLS}" - rm "${TOOLS}/kustomize.tar.gz" - KUSTOMIZE="${TOOLS}/kustomize" -fi -chmod +x "${KUSTOMIZE}" - -operator-sdk generate kustomize manifests -q - -if [[ -n "${IMG:-}" ]]; then - pushd "config/overlays/${BUNDLE_OVERLAY}" >/dev/null - "${KUSTOMIZE}" edit set image "controller=${IMG}" - popd >/dev/null -fi - -"${KUSTOMIZE}" build "config/overlays/${BUNDLE_OVERLAY}" \ - | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS} - -CSV="bundle/manifests/model-validation-operator.clusterserviceversion.yaml" -if [[ -f "${CSV}" ]]; then - sed -i.bak 's/deploymentName: webhook/deploymentName: model-validation-controller-manager/' "${CSV}" - sed -i.bak2 's/deploymentName: model-validation-controller-manager/deploymentName: model-validation-controller-manager\ - serviceName: model-validation-webhook\ - containerPort: 9443/' "${CSV}" - rm -f "${CSV}.bak" "${CSV}.bak2" -fi - -operator-sdk bundle validate ./bundle From bed4c210e5dcce10e233e19a095e100da9d72406 Mon Sep 17 00:00:00 2001 From: Aleks <121458075+SequeI@users.noreply.github.com> Date: Mon, 10 Nov 2025 12:32:51 +0000 Subject: [PATCH 2/9] chore: bump to 1.3.1 images (#32) * chore: bump to 1.3.1 images Signed-off-by: SequeI --- .github/workflows/test-e2e.yml | 2 +- Dockerfile.model-validation-bundle.rh | 2 +- Makefile | 2 ++ .../model-validation-operator.clusterserviceversion.yaml | 4 ++-- internal/constants/images.go | 2 +- testdata/docker/test-model.Dockerfile | 2 +- 6 files changed, 8 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 38d85617..f2bb1ccd 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -7,7 +7,7 @@ on: branches: [ "main" ] env: - MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:6db7fa2b956875a6f507811166b47b164d463dea78ab4403c6d7648d838b8acb + MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:a03de6850e5a9a948541761de13d903ffb35d78cad4433d1cf67fbdbfed41891 permissions: contents: read diff --git a/Dockerfile.model-validation-bundle.rh b/Dockerfile.model-validation-bundle.rh index 6d24498e..3971f158 100644 --- a/Dockerfile.model-validation-bundle.rh +++ b/Dockerfile.model-validation-bundle.rh @@ -1,4 +1,4 @@ -ARG VERSION="0.0.1" +ARG VERSION="0.0.2" ARG CHANNELS="tech-preview" ARG DEFAULT_CHANNEL="tech-preview" ARG BUNDLE_OVERLAY="olm" diff --git a/Makefile b/Makefile index 5439f85d..7e32e98b 100644 --- a/Makefile +++ b/Makefile @@ -460,6 +460,8 @@ e2e-sign-test-model: e2e-generate-test-keys -v $(PWD)/testdata/tensorflow_saved_model:/model \ -v $(PWD)/testdata/docker/test_private_key.priv:/test_private_key.priv \ --entrypoint "" \ + --user "$(id -u)":"$(id -g)" \ + -e HOME=/tmp \ $(MODEL_TRANSPARENCY_IMG) \ model_signing sign key /model \ --private_key /test_private_key.priv \ diff --git a/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml b/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml index d28a6461..b80ac62d 100644 --- a/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml 
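Review bot: In the `e2e-sign-test-model` recipe, `$(id -u)` and `$(id -g)` are expanded by make as references to variables named `id -u` and `id -g`, not by the shell, so unless the Makefile defines those they expand to nothing and the container is started with `--user "":""`. The signing step, which has the test private key bind-mounted, then does not get the caller's UID and GID as the change intends. Escape the dollar signs so the shell performs the substitution: `--user "$$(id -u)":"$$(id -g)" \`. The recipe starts and ends outside the hunk.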
@@ -18,7 +18,7 @@ metadata: operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]' repository: https://github.com/securesign/model-validation-operator support: Red Hat - name: model-validation-operator.v0.0.1 + name: model-validation-operator.v0.0.2 namespace: placeholder spec: apiservicedefinitions: {} @@ -69,4 +69,4 @@ spec: minKubeVersion: 1.24.0 provider: name: Red Hat - version: 0.0.1-techpreview + version: 0.0.2-techpreview diff --git a/internal/constants/images.go b/internal/constants/images.go index 8dbfe28c..df2a4047 100644 --- a/internal/constants/images.go +++ b/internal/constants/images.go @@ -24,5 +24,5 @@ var ( // ModelTransparencyCliImage is the default image for the model transparency CLI // used as an init container to validate model signatures ModelTransparencyCliImage = "registry.redhat.io/rhtas/model-transparency-rhel9@" + - "sha256:6db7fa2b956875a6f507811166b47b164d463dea78ab4403c6d7648d838b8acb" + "sha256:a03de6850e5a9a948541761de13d903ffb35d78cad4433d1cf67fbdbfed41891" ) diff --git a/testdata/docker/test-model.Dockerfile b/testdata/docker/test-model.Dockerfile index c21472c1..ccdbadc5 100644 --- a/testdata/docker/test-model.Dockerfile +++ b/testdata/docker/test-model.Dockerfile @@ -12,4 +12,4 @@ COPY docker/test_invalid_public_key.pub /keys/test_invalid_public_key.pub RUN chmod -R 644 /data /keys && rm -f /data/test_public_key.pub /data/*.pub # Default command -CMD ["sleep", "3600"] \ No newline at end of file +CMD ["sleep", "3600"] From 0c38ba77b3d9e3f671f112def56088467712308c Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 13:04:35 +0000 Subject: [PATCH 3/9] chore(deps): update docker images (#17) 
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- Dockerfile.model-validation-bundle.rh | 2 +- Dockerfile.model-validation.rh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.model-validation-bundle.rh b/Dockerfile.model-validation-bundle.rh index 3971f158..4a5fcb46 100644 --- a/Dockerfile.model-validation-bundle.rh +++ b/Dockerfile.model-validation-bundle.rh @@ -43,7 +43,7 @@ RUN if [ -n "$IMG" ]; then \ # Build manifests RUN oc kustomize config/manifests > /tmp/manifests.yaml -FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:c466d80c1eab6ebeadf58f278eac91ac6a9b38d7ebd301833a8c53474106ee10 AS builder +FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:8ff0cb8587bbca8809490ff59a67496599b6c0cc8e4ca88451481a265f17e581 AS builder ARG BUNDLE_GEN_FLAGS ARG IMG diff --git a/Dockerfile.model-validation.rh b/Dockerfile.model-validation.rh index 73a27037..695ef6e5 100644 --- a/Dockerfile.model-validation.rh +++ b/Dockerfile.model-validation.rh @@ -1,5 +1,5 @@ # Build the manager binary -FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:14c369670cf3473d8e9b93e42d120c01b79a6f13884c396a1c89b7ca46f859b7 AS builder +FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:6f0e6c534d6b785530f7961089f444bbb14d384bfa3ea09070f5a70029b4a5cb AS builder ARG TARGETOS ARG TARGETARCH @@ -24,7 +24,7 @@ COPY internal/ internal/ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go # Use minimal base image to package the manager binary -FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:2f06ae0e6d3d9c4f610d32c480338eef474867f435d8d28625f2985e8acde6e8 +FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7 WORKDIR / COPY --from=builder /workspace/manager . USER 65532:65532 
From 245cf749cdd37243f6ab379122ccd36e5af44ea2 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Thu, 13 Nov 2025 09:25:02 +0000 Subject: [PATCH 4/9] chore(deps): update docker images (#34) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- Dockerfile.model-validation-bundle.rh | 2 +- Dockerfile.model-validation.rh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.model-validation-bundle.rh b/Dockerfile.model-validation-bundle.rh index 4a5fcb46..0e27e7be 100644 --- a/Dockerfile.model-validation-bundle.rh +++ b/Dockerfile.model-validation-bundle.rh @@ -5,7 +5,7 @@ ARG BUNDLE_OVERLAY="olm" ARG BUNDLE_GEN_FLAGS="-q --overwrite=false --version $VERSION --channels=$CHANNELS --default-channel=$DEFAULT_CHANNEL" ARG IMG -FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:64867e62dbbafe779cdb4233b7c7c8686932717177e5825058e23beccbb3207b AS oc-builder +FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:5f1fc557bef7e06ad285e94e20e4c1bb4f2b8b31c6239d195fd93ff02a530f9c AS oc-builder WORKDIR /tmp diff --git a/Dockerfile.model-validation.rh b/Dockerfile.model-validation.rh index 695ef6e5..a5c75d28 100644 --- a/Dockerfile.model-validation.rh +++ b/Dockerfile.model-validation.rh @@ -24,7 +24,7 @@ COPY internal/ internal/ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go # Use minimal base image to package the manager binary -FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7 +FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7 WORKDIR / COPY --from=builder /workspace/manager . USER 65532:65532 
From e501e4fd3c6350998648a0cd4ce7b7a5f4206642 Mon Sep 17 00:00:00 2001 From: Aleks <121458075+SequeI@users.noreply.github.com> Date: Thu, 13 Nov 2025 09:39:44 +0000 Subject: [PATCH 5/9] chore: bump images (#35) Signed-off-by: SequeI --- .github/workflows/test-e2e.yml | 2 +- internal/constants/images.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index f2bb1ccd..fe94060f 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -7,7 +7,7 @@ on: branches: [ "main" ] env: - MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:a03de6850e5a9a948541761de13d903ffb35d78cad4433d1cf67fbdbfed41891 + MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:c9704230cc525fe00b16aced00d31dc56c6105c630849d0a72c558c0aa4c2c60 permissions: contents: read diff --git a/internal/constants/images.go b/internal/constants/images.go index df2a4047..095fca76 100644 --- a/internal/constants/images.go +++ b/internal/constants/images.go @@ -24,5 +24,5 @@ var ( // ModelTransparencyCliImage is the default image for the model transparency CLI // used as an init container to validate model signatures ModelTransparencyCliImage = "registry.redhat.io/rhtas/model-transparency-rhel9@" + - "sha256:a03de6850e5a9a948541761de13d903ffb35d78cad4433d1cf67fbdbfed41891" + "sha256:c9704230cc525fe00b16aced00d31dc56c6105c630849d0a72c558c0aa4c2c60" ) From 070be60f96b16d1ac14de07c883b9d20b8c14fed Mon Sep 17 00:00:00 2001 From: Aleks <121458075+SequeI@users.noreply.github.com> Date: Thu, 13 Nov 2025 13:44:29 +0000 Subject: [PATCH 6/9] fix: bundle generation (#36) Signed-off-by: SequeI --- Dockerfile.model-validation-bundle.rh | 52 ++++----------------------- hack/build-bundle.sh | 30 ++++++++++++++++ 2 files changed, 36 insertions(+), 46 deletions(-) create mode 100755 hack/build-bundle.sh 
diff --git a/Dockerfile.model-validation-bundle.rh b/Dockerfile.model-validation-bundle.rh
index 0e27e7be..0f5e21a3 100644
--- a/Dockerfile.model-validation-bundle.rh
+++ b/Dockerfile.model-validation-bundle.rh
@@ -5,45 +5,11 @@ ARG BUNDLE_OVERLAY="olm" ARG BUNDLE_GEN_FLAGS="-q --overwrite=false --version $VERSION --channels=$CHANNELS --default-channel=$DEFAULT_CHANNEL" ARG IMG -FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:5f1fc557bef7e06ad285e94e20e4c1bb4f2b8b31c6239d195fd93ff02a530f9c AS oc-builder +FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:64867e62dbbafe779cdb4233b7c7c8686932717177e5825058e23beccbb3207b AS oc-builder -WORKDIR /tmp - -COPY ./config/ ./config/ -ARG IMG +FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:c466d80c1eab6ebeadf58f278eac91ac6a9b38d7ebd301833a8c53474106ee10 AS builder -# Replace image reference in kustomization.yaml -RUN if [ -n "$IMG" ]; then \ - if [[ "$IMG" == *"@"* ]]; then \ - IMG_NAME="${IMG%@*}"; IMG_DIGEST="${IMG#*@}"; \ - sed -i "s|newName:.*|newName: ${IMG_NAME}|" config/manager/kustomization.yaml; \ - sed -i "/newTag:/d" config/manager/kustomization.yaml; \ - if grep -q "digest:" config/manager/kustomization.yaml; then \ - sed -i "s|digest:.*|digest: ${IMG_DIGEST}|" config/manager/kustomization.yaml; \ - else \ - sed -i "/newName:/a\ digest: ${IMG_DIGEST}" config/manager/kustomization.yaml; \ - fi; \ - elif [[ "$IMG" == *":"* ]]; then \ - IMG_NAME="${IMG%%:*}"; IMG_TAG="${IMG##*:}"; \ - sed -i "s|newName:.*|newName: ${IMG_NAME}|" config/manager/kustomization.yaml; \ - sed -i "/digest:/d" config/manager/kustomization.yaml; \ - if grep -q "newTag:" config/manager/kustomization.yaml; then \ - sed -i "s|newTag:.*|newTag: ${IMG_TAG}|" config/manager/kustomization.yaml; \ - else \ - sed -i "/newName:/a\ newTag: ${IMG_TAG}" config/manager/kustomization.yaml; \ - fi; \ - else \ - sed -i "s|newName:.*|newName: ${IMG}|" config/manager/kustomization.yaml; \ - sed -i "/digest:/d" config/manager/kustomization.yaml; \ - sed -i "/newTag:/d" config/manager/kustomization.yaml; \ - fi; \ - sed -i "s|^images:|images:\n-|" config/manager/kustomization.yaml; \ - fi - -# Build manifests -RUN oc kustomize 
config/manifests > /tmp/manifests.yaml - -FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:8ff0cb8587bbca8809490ff59a67496599b6c0cc8e4ca88451481a265f17e581 AS builder +COPY --from=oc-builder /usr/bin/oc /usr/bin/oc ARG BUNDLE_GEN_FLAGS ARG IMG @@ -51,19 +17,13 @@ ARG BUNDLE_OVERLAY WORKDIR /tmp -COPY --from=oc-builder /tmp/manifests.yaml ./config/manifests/all.yaml +COPY ./config/ ./config/ COPY PROJECT . +COPY hack/build-bundle.sh build-bundle.sh USER root -# Generate and validate the Operator bundle -RUN cat ./config/manifests/all.yaml | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS} \ - && CSV="bundle/manifests/model-validation-operator.clusterserviceversion.yaml" \ - && sed -i 's/deploymentName: webhook/deploymentName: model-validation-controller-manager/' "${CSV}" \ - && sed -i 's/deploymentName: model-validation-controller-manager/deploymentName: model-validation-controller-manager\ - serviceName: model-validation-webhook\ - containerPort: 9443/' "${CSV}" \ - && operator-sdk bundle validate ./bundle +RUN ./build-bundle.sh FROM scratch diff --git a/hack/build-bundle.sh b/hack/build-bundle.sh new file mode 100755 index 00000000..de51197c --- /dev/null +++ b/hack/build-bundle.sh 
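Review bot: Both `FROM` lines in the first hunk move the base images back to digests that earlier patches in this series had already replaced: `ose-cli-rhel9` goes from `sha256:5f1fc557bef7e06ad285e94e20e4c1bb4f2b8b31c6239d195fd93ff02a530f9c` back to `sha256:64867e62dbbafe779cdb4233b7c7c8686932717177e5825058e23beccbb3207b`, and `ose-operator-sdk-rhel9` from `sha256:8ff0cb8587bbca8809490ff59a67496599b6c0cc8e4ca88451481a265f17e581` back to `sha256:c466d80c1eab6ebeadf58f278eac91ac6a9b38d7ebd301833a8c53474106ee10`. The commit message does not mention a rollback, so this looks like a side effect of restoring an older copy of the file, and it drops whatever fixes the newer images carried. Keep the two newer digests on the `AS oc-builder` and `AS builder` lines and change only the stage contents. In the same hunk, `COPY --from=oc-builder /usr/bin/oc /usr/bin/oc` could carry a comment such as `# oc provides "oc kustomize", which build-bundle.sh calls`.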
@@ -0,0 +1,30 @@ +#!/bin/bash +set -e + +KUSTOMIZATION_FILE="config/manager/kustomization.yaml" + +IMG_NAME="${IMG%@*}" +IMG_DIGEST="${IMG#*@}" + +cat << EOF >> "${KUSTOMIZATION_FILE}" + +images: +- digest: ${IMG_DIGEST} + name: controller + newName: ${IMG_NAME} +EOF + +# Generate and validate the Operator bundle +oc kustomize config/manifests | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS} + +CSV="bundle/manifests/model-validation-operator.clusterserviceversion.yaml" + +if [[ -f "${CSV}" ]]; then + sed -i.bak 's/deploymentName: webhook/deploymentName: model-validation-controller-manager/' "${CSV}" + sed -i.bak2 's/deploymentName: model-validation-controller-manager/deploymentName: model-validation-controller-manager\ + serviceName: model-validation-webhook\ + containerPort: 9443/' "${CSV}" + rm -f "${CSV}.bak" "${CSV}.bak2" +fi + +operator-sdk bundle validate ./bundle From 8f0830e33b17b4f6d6a64b56034bb0fa51dbcf5e Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Mon, 17 Nov 2025 00:26:22 +0000 Subject: [PATCH 7/9] chore(deps): update docker images (#37) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- Dockerfile.model-validation-bundle.rh | 4 ++-- Dockerfile.model-validation.rh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.model-validation-bundle.rh b/Dockerfile.model-validation-bundle.rh index 0f5e21a3..8fc6a517 100644 --- a/Dockerfile.model-validation-bundle.rh +++ b/Dockerfile.model-validation-bundle.rh 
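Review bot: The new script derives `IMG_NAME="${IMG%@*}"` and `IMG_DIGEST="${IMG#*@}"` without checking that `IMG` contains an `@`; for an empty or tag-style value both expansions return the input unchanged, and the heredoc then writes that same string as `digest:` and as `newName:` into the kustomization. Add a guard before the split, `[[ "${IMG:-}" == *@sha256:* ]] || { echo "IMG must be name@sha256:<digest>" >&2; exit 1; }`, so the bundle cannot be generated with an unpinned or malformed controller image. The later `hack/build-bundle.sh` hunk in this series (PATCH 8/9) keeps the same split and needs the same guard. A one-line comment above the heredoc, e.g. `# Pin the controller image by digest in the generated manifests`, would also help the next reader.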
@@ -5,9 +5,9 @@ ARG BUNDLE_OVERLAY="olm" ARG BUNDLE_GEN_FLAGS="-q --overwrite=false --version $VERSION --channels=$CHANNELS --default-channel=$DEFAULT_CHANNEL" ARG IMG -FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:64867e62dbbafe779cdb4233b7c7c8686932717177e5825058e23beccbb3207b AS oc-builder +FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:5f1fc557bef7e06ad285e94e20e4c1bb4f2b8b31c6239d195fd93ff02a530f9c AS oc-builder -FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:c466d80c1eab6ebeadf58f278eac91ac6a9b38d7ebd301833a8c53474106ee10 AS builder +FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:8ff0cb8587bbca8809490ff59a67496599b6c0cc8e4ca88451481a265f17e581 AS builder COPY --from=oc-builder /usr/bin/oc /usr/bin/oc diff --git a/Dockerfile.model-validation.rh b/Dockerfile.model-validation.rh index a5c75d28..c5577200 100644 --- a/Dockerfile.model-validation.rh +++ b/Dockerfile.model-validation.rh @@ -1,5 +1,5 @@ # Build the manager binary -FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:6f0e6c534d6b785530f7961089f444bbb14d384bfa3ea09070f5a70029b4a5cb AS builder +FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:380d6de9bbc5a42ca13d425be99958fb397317664bb8a00e49d464e62cc8566c AS builder ARG TARGETOS ARG TARGETARCH From 823f090d4cea52d28f22daf148b9cbaa650f5162 Mon Sep 17 00:00:00 2001 From: Aleks <121458075+SequeI@users.noreply.github.com> Date: Mon, 17 Nov 2025 01:21:04 +0000 Subject: [PATCH 8/9] chore: fix bundle (#38) Signed-off-by: SequeI --- hack/build-bundle.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/hack/build-bundle.sh b/hack/build-bundle.sh index de51197c..3a3994a7 100755 --- a/hack/build-bundle.sh +++ b/hack/build-bundle.sh 
@@ -1,12 +1,11 @@ -#!/bin/bash -set -e +#!/usr/bin/env bash +set -euo pipefail -KUSTOMIZATION_FILE="config/manager/kustomization.yaml" IMG_NAME="${IMG%@*}" IMG_DIGEST="${IMG#*@}" -cat << EOF >> "${KUSTOMIZATION_FILE}" +cat << EOF >> "config/overlays/${BUNDLE_OVERLAY}/kustomization.yaml" images: - digest: ${IMG_DIGEST} @@ -15,7 +14,7 @@ images: EOF # Generate and validate the Operator bundle -oc kustomize config/manifests | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS} +oc kustomize "config/overlays/${BUNDLE_OVERLAY}" | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS} CSV="bundle/manifests/model-validation-operator.clusterserviceversion.yaml" From 2ac1ecc085e51acbd4abc9a40b7e530b4cc03a84 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Mon, 17 Nov 2025 01:27:39 +0000 Subject: [PATCH 9/9] chore(deps): update go dependencies Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- go.mod | 88 +++++++++++++++++++++++++++++----------------------------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/go.mod b/go.mod index a44dba60..ab61ce1c 100644 --- a/go.mod +++ b/go.mod 
@@ -5,25 +5,25 @@ go 1.23.0 godebug default=go1.23 require ( - github.com/go-logr/logr v1.4.2 + github.com/go-logr/logr v1.4.3 github.com/onsi/ginkgo/v2 v2.22.0 github.com/onsi/gomega v1.36.1 - github.com/prometheus/client_golang v1.19.1 - github.com/prometheus/client_model v0.6.1 - github.com/prometheus/common v0.55.0 - github.com/stretchr/testify v1.9.0 - golang.org/x/time v0.7.0 - k8s.io/api v0.32.1 - k8s.io/apimachinery v0.32.1 - k8s.io/client-go v0.32.1 + github.com/prometheus/client_golang v1.23.2 + github.com/prometheus/client_model v0.6.2 + github.com/prometheus/common v0.67.2 + github.com/stretchr/testify v1.11.1 + golang.org/x/time v0.14.0 + k8s.io/api v0.34.2 + k8s.io/apimachinery v0.34.2 + k8s.io/client-go v0.34.2 k8s.io/klog/v2 v2.130.1 - sigs.k8s.io/controller-runtime v0.20.4 + sigs.k8s.io/controller-runtime v0.22.4 ) require ( - cel.dev/expr v0.18.0 // indirect + cel.dev/expr v0.25.1 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect - github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect + github.com/asaskevich/govalidator e11347878e23 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect 
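Review bot: Several new `require` entries in this hunk and the next carry a bare commit hash where go.mod needs a version: `github.com/asaskevich/govalidator e11347878e23`, `github.com/google/pprof 4902fdda35c8`, `golang.org/x/exp e25ba8c21ef6`, both `google.golang.org/genproto/googleapis/*` lines, `k8s.io/kube-openapi 589584f1c912`, `k8s.io/utils bc988d571ff4` and `sigs.k8s.io/json 2d320260d730`. The go command has to resolve each of these to a full pseudo-version (`v0.0.0-<timestamp>-<hash>`) before it can build, which a read-only or offline (hermetic) build will not do. The diffstat also lists only go.mod, so go.sum presumably has no checksums for the bumped modules and module verification would fail. Run `go mod tidy` with network access and commit the resulting go.mod and go.sum together. The `go 1.23.0` directive shown in the hunk header is worth checking against the minimum Go version the new `k8s.io/*` v0.34.2 modules declare.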
@@ -32,71 +32,71 @@ require ( github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect - github.com/go-openapi/jsonpointer v0.21.0 // indirect - github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/jsonpointer v0.22.2 // indirect + github.com/go-openapi/jsonreference v0.21.3 // indirect github.com/go-openapi/swag v0.23.0 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/btree v1.1.3 // indirect - github.com/google/cel-go v0.22.0 // indirect - github.com/google/gnostic-models v0.6.8 // indirect - github.com/google/go-cmp v0.6.0 // indirect + github.com/google/cel-go v0.26.1 // indirect + github.com/google/gnostic-models v0.7.0 // indirect + github.com/google/go-cmp v0.7.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect + github.com/google/pprof 4902fdda35c8 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/mailru/easyjson v0.7.7 // indirect + github.com/mailru/easyjson v0.9.1 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib 
v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/procfs v0.15.1 // indirect - github.com/spf13/cobra v1.8.1 // indirect - github.com/spf13/pflag v1.0.5 // indirect - github.com/stoewer/go-strcase v1.3.0 // indirect + github.com/prometheus/procfs v0.19.2 // indirect + github.com/spf13/cobra v1.10.1 // indirect + github.com/spf13/pflag v1.0.10 // indirect + github.com/stoewer/go-strcase v1.3.1 // indirect github.com/x448/float16 v0.8.4 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect go.opentelemetry.io/otel v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect go.opentelemetry.io/otel/metric v1.28.0 // indirect go.opentelemetry.io/otel/sdk v1.28.0 // indirect go.opentelemetry.io/otel/trace v1.28.0 // indirect - go.opentelemetry.io/proto/otlp v1.3.1 // indirect + go.opentelemetry.io/proto/otlp v1.9.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect - golang.org/x/net v0.38.0 // indirect - golang.org/x/oauth2 v0.27.0 // indirect - golang.org/x/sync v0.12.0 // indirect - golang.org/x/sys v0.31.0 // indirect - golang.org/x/term v0.30.0 // indirect - golang.org/x/text v0.23.0 // indirect - golang.org/x/tools v0.26.0 // indirect + golang.org/x/exp e25ba8c21ef6 // indirect + golang.org/x/net v0.47.0 // indirect + golang.org/x/oauth2 v0.33.0 // indirect + golang.org/x/sync v0.18.0 // indirect + golang.org/x/sys v0.38.0 // indirect + golang.org/x/term v0.37.0 // indirect + golang.org/x/text v0.31.0 // indirect + golang.org/x/tools v0.39.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect - 
google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect + google.golang.org/genproto/googleapis/api 95abcf5c77ba // indirect + google.golang.org/genproto/googleapis/rpc 95abcf5c77ba // indirect google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.35.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.32.1 // indirect - k8s.io/apiserver v0.32.1 // indirect - k8s.io/component-base v0.32.1 // indirect - k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect - k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect - sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect - sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect + k8s.io/apiextensions-apiserver v0.34.2 // indirect + k8s.io/apiserver v0.34.2 // indirect + k8s.io/component-base v0.34.2 // indirect + k8s.io/kube-openapi 589584f1c912 // indirect + k8s.io/utils bc988d571ff4 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect + sigs.k8s.io/json 2d320260d730 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect - sigs.k8s.io/yaml v1.4.0 // indirect + sigs.k8s.io/yaml v1.6.0 // indirect )