chore(deps): update go dependencies

.github/workflows/test-e2e.yml

@@ -7,7 +7,7 @@ on:
     branches: [ "main" ]
 
 env:
-  MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:6db7fa2b956875a6f507811166b47b164d463dea78ab4403c6d7648d838b8acb
+  MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:c9704230cc525fe00b16aced00d31dc56c6105c630849d0a72c558c0aa4c2c60
 
 permissions:
   contents: read

.tekton/model-validation-operator-bundle-pull-request.yaml

@@ -31,8 +31,6 @@ spec:
     value: .
   - name: hermetic
     value: "true"
-  - name: prefetch-input
-    value: '{"type": "generic", "path": "."}'
   - name: build-source-image
     value: "true"
   - name: manager-pipelinerun-selector

.tekton/model-validation-operator-bundle-push.yaml

@@ -26,8 +26,6 @@ spec:
     value: Dockerfile.model-validation-bundle.rh
   - name: hermetic
     value: "true"
-  - name: prefetch-input
-    value: '{"type": "generic", "path": "."}'
   - name: build-source-image
     value: "true"
   - name: manager-pipelinerun-selector

Dockerfile.model-validation-bundle.rh

@@ -1,11 +1,15 @@
-ARG VERSION="0.0.1"
+ARG VERSION="0.0.2"
 ARG CHANNELS="tech-preview"
 ARG DEFAULT_CHANNEL="tech-preview"
 ARG BUNDLE_OVERLAY="olm"
 ARG BUNDLE_GEN_FLAGS="-q --overwrite=false --version $VERSION --channels=$CHANNELS --default-channel=$DEFAULT_CHANNEL"
 ARG IMG
 
-FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:c466d80c1eab6ebeadf58f278eac91ac6a9b38d7ebd301833a8c53474106ee10 AS builder
+FROM registry.redhat.io/openshift4/ose-cli-rhel9@sha256:5f1fc557bef7e06ad285e94e20e4c1bb4f2b8b31c6239d195fd93ff02a530f9c AS oc-builder
+
+FROM registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:8ff0cb8587bbca8809490ff59a67496599b6c0cc8e4ca88451481a265f17e581 AS builder
+
+COPY --from=oc-builder /usr/bin/oc /usr/bin/oc
 
 ARG BUNDLE_GEN_FLAGS
 ARG IMG

Dockerfile.model-validation.rh

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:14c369670cf3473d8e9b93e42d120c01b79a6f13884c396a1c89b7ca46f859b7 AS builder
+FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:380d6de9bbc5a42ca13d425be99958fb397317664bb8a00e49d464e62cc8566c AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -24,7 +24,7 @@ COPY internal/ internal/
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
 
 # Use minimal base image to package the manager binary
-FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:2f06ae0e6d3d9c4f610d32c480338eef474867f435d8d28625f2985e8acde6e8
+FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532

Makefile

@@ -460,6 +460,8 @@ e2e-sign-test-model: e2e-generate-test-keys
 		-v $(PWD)/testdata/tensorflow_saved_model:/model \
 		-v $(PWD)/testdata/docker/test_private_key.priv:/test_private_key.priv \
 		--entrypoint "" \
+		--user "$(id -u)":"$(id -g)" \
+		-e HOME=/tmp \
 		$(MODEL_TRANSPARENCY_IMG) \
 		model_signing sign key /model \
 		--private_key /test_private_key.priv \

config/manifests/bases/model-validation-operator.clusterserviceversion.yaml

@@ -18,7 +18,7 @@ metadata:
     operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
     repository: https://github.com/securesign/model-validation-operator
     support: Red Hat
-  name: model-validation-operator.v0.0.1
+  name: model-validation-operator.v0.0.2
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -69,4 +69,4 @@ spec:
   minKubeVersion: 1.24.0
   provider:
     name: Red Hat
-  version: 0.0.1-techpreview
+  version: 0.0.2-techpreview

go.mod

@@ -5,25 +5,25 @@
 godebug default=go1.23
 
 require (
-	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/logr v1.4.3
 	github.com/onsi/ginkgo/v2 v2.22.0
 	github.com/onsi/gomega v1.36.1
-	github.com/prometheus/client_golang v1.19.1
-	github.com/prometheus/client_model v0.6.1
-	github.com/prometheus/common v0.55.0
-	github.com/stretchr/testify v1.9.0
-	golang.org/x/time v0.7.0
-	k8s.io/api v0.32.1
-	k8s.io/apimachinery v0.32.1
-	k8s.io/client-go v0.32.1
+	github.com/prometheus/client_golang v1.23.2
+	github.com/prometheus/client_model v0.6.2
+	github.com/prometheus/common v0.67.2
+	github.com/stretchr/testify v1.11.1
+	golang.org/x/time v0.14.0
+	k8s.io/api v0.34.2
+	k8s.io/apimachinery v0.34.2
+	k8s.io/client-go v0.34.2
 	k8s.io/klog/v2 v2.130.1
-	sigs.k8s.io/controller-runtime v0.20.4
+	sigs.k8s.io/controller-runtime v0.22.4
 )
 
 require (
-	cel.dev/expr v0.18.0 // indirect
+	cel.dev/expr v0.25.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
+	github.com/asaskevich/govalidator e11347878e23 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
@@ -32,71 +32,71 @@
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/jsonpointer v0.22.2 // indirect
+	github.com/go-openapi/jsonreference v0.21.3 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/cel-go v0.22.0 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/cel-go v0.26.1 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
+	github.com/google/pprof 4902fdda35c8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mailru/easyjson v0.9.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/cobra v1.8.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/spf13/cobra v1.10.1 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
 	go.opentelemetry.io/otel v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
 	go.opentelemetry.io/otel/metric v1.28.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/tools v0.26.0 // indirect
+	golang.org/x/exp e25ba8c21ef6 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.33.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect
+	google.golang.org/genproto/googleapis/api 95abcf5c77ba // indirect
+	google.golang.org/genproto/googleapis/rpc 95abcf5c77ba // indirect
 	google.golang.org/grpc v1.65.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.32.1 // indirect
-	k8s.io/apiserver v0.32.1 // indirect
-	k8s.io/component-base v0.32.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
-	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
-	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	k8s.io/apiextensions-apiserver v0.34.2 // indirect
+	k8s.io/apiserver v0.34.2 // indirect
+	k8s.io/component-base v0.34.2 // indirect
+	k8s.io/kube-openapi 589584f1c912 // indirect
+	k8s.io/utils bc988d571ff4 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect
+	sigs.k8s.io/json 2d320260d730 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )

hack/build-bundle.sh

@@ -1,31 +1,23 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-TOOLS="/tmp"
-
-if [ -d "/cachi2" ]; then
-  tar -xzf /cachi2/output/deps/generic/kustomize_v5.6.0_linux_amd64.tar.gz -C "${TOOLS}"
-  KUSTOMIZE="${TOOLS}/kustomize"
-else
-  curl -Lo "${TOOLS}/kustomize.tar.gz" "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz"
-  tar -xzf "${TOOLS}/kustomize.tar.gz" -C "${TOOLS}"
-  rm "${TOOLS}/kustomize.tar.gz"
-  KUSTOMIZE="${TOOLS}/kustomize"
-fi
-chmod +x "${KUSTOMIZE}"
 
-operator-sdk generate kustomize manifests -q
+IMG_NAME="${IMG%@*}"
+IMG_DIGEST="${IMG#*@}"
 
-if [[ -n "${IMG:-}" ]]; then
-  pushd "config/overlays/${BUNDLE_OVERLAY}" >/dev/null
-  "${KUSTOMIZE}" edit set image "controller=${IMG}"
-  popd >/dev/null
-fi
+cat << EOF >> "config/overlays/${BUNDLE_OVERLAY}/kustomization.yaml"
 
-"${KUSTOMIZE}" build "config/overlays/${BUNDLE_OVERLAY}" \
-  | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS}
+images:
+- digest: ${IMG_DIGEST}
+  name: controller
+  newName: ${IMG_NAME}
+EOF
+
+# Generate and validate the Operator bundle
+oc kustomize "config/overlays/${BUNDLE_OVERLAY}" | operator-sdk generate bundle ${BUNDLE_GEN_FLAGS}
 
 CSV="bundle/manifests/model-validation-operator.clusterserviceversion.yaml"
+
 if [[ -f "${CSV}" ]]; then
   sed -i.bak  's/deploymentName: webhook/deploymentName: model-validation-controller-manager/' "${CSV}"
   sed -i.bak2 's/deploymentName: model-validation-controller-manager/deploymentName: model-validation-controller-manager\

internal/constants/images.go

@@ -24,5 +24,5 @@ var (
 	// ModelTransparencyCliImage is the default image for the model transparency CLI
 	// used as an init container to validate model signatures
 	ModelTransparencyCliImage = "registry.redhat.io/rhtas/model-transparency-rhel9@" +
-		"sha256:6db7fa2b956875a6f507811166b47b164d463dea78ab4403c6d7648d838b8acb"
+		"sha256:c9704230cc525fe00b16aced00d31dc56c6105c630849d0a72c558c0aa4c2c60"
 )

testdata/docker/test-model.Dockerfile

@@ -12,4 +12,4 @@ COPY docker/test_invalid_public_key.pub /keys/test_invalid_public_key.pub
 RUN chmod -R 644 /data /keys && rm -f /data/test_public_key.pub /data/*.pub
 
 # Default command
-CMD ["sleep", "3600"]
+CMD ["sleep", "3600"]