diff --git a/build/build_bundle.sh b/build/build_bundle.sh index 9c77aea2..e2912bb7 100755 --- a/build/build_bundle.sh +++ b/build/build_bundle.sh @@ -31,8 +31,6 @@ if [ -z "$ISHIELD_REPO_ROOT" ]; then exit 1 fi -#source $ISHIELD_REPO_ROOT/ishield-build.conf - cd $ISHIELD_REPO_ROOT/integrity-shield-operator @@ -41,6 +39,15 @@ echo ----------------------------- echo [1/4] Building bundle make bundle IMG=${ISHIELD_OPERATOR_IMAGE_NAME_AND_VERSION} VERSION=${VERSION} +# Temporary workarround for dealing with CRD generation issue + +tmpcrd="${SHIELD_OP_DIR}/config/crd/bases/apis.integrityshield.io_integrityshieldren.yaml" +targetcrd="${SHIELD_OP_DIR}/config/crd/bases/apis.integrityshield.io_integrityshields.yaml" + +if [ -f $tmpcrd ]; then + sed -i 's/integrityshieldren/integrityshields/g' $tmpcrd + mv $tmpcrd $targetcrd +fi csvfile="bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml" cat $csvfile | yq r - -j > tmp.json @@ -53,6 +60,12 @@ change=$(cat tmp.json | jq '.spec.installModes |=map (select(.type == "AllNamesp cat tmp.json | yq r - -P > $csvfile rm tmp.json +docker pull ${ISHIELD_OPERATOR_INDEX_IMAGE_NAME_AND_PREVIOUS_VERSION} | grep "Image is up to date" && pull_status="pulled" || pull_status="failed" + +if [ "$pull_status" = "failed" ]; then + sed -i '/ replaces: /d' ${SHIELD_OP_DIR}/bundle/manifests/*.clusterserviceversion.yaml +fi + make bundle-build BUNDLE_IMG=${ISHIELD_OPERATOR_BUNDLE_IMAGE_NAME_AND_VERSION} # Push ishield-operator bundle @@ -65,7 +78,6 @@ echo ----------------------------- echo [3/4] Adding bundle to index -docker pull ${ISHIELD_OPERATOR_INDEX_IMAGE_NAME_AND_PREVIOUS_VERSION} | grep "Image is up to date" && pull_status="pulled" || pull_status="failed" if [ "$pull_status" = "failed" ]; then sudo /usr/local/bin/opm index add -c docker --generate --bundles ${ISHIELD_OPERATOR_BUNDLE_IMAGE_NAME_AND_VERSION} \ diff --git a/build/build_bundle_ocm.sh b/build/build_bundle_ocm.sh index 1079fe6a..82af9c7a 100755 
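Review bot: The CRD workaround in the `@@ -41,6 +39,15 @@` hunk expands `$tmpcrd`, `$targetcrd` and `${SHIELD_OP_DIR}` unquoted, so a path containing whitespace breaks the `-f` test, the `sed -i` and the `mv`; the three lines should read `if [ -f "$tmpcrd" ]; then`, `sed -i 's/integrityshieldren/integrityshields/g' "$tmpcrd"` and `mv -- "$tmpcrd" "$targetcrd"`. `SHIELD_OP_DIR` is not checked anywhere in the hunk, unlike `ISHIELD_REPO_ROOT` in the preceding one, so an unset value silently makes both paths resolve under `/`; a `: "${SHIELD_OP_DIR:?SHIELD_OP_DIR must be set}"` before the assignments would fail fast instead. The comment has a typo (`workarround`) and, since it describes a temporary workaround, should name the CRD generation issue it works around so the block can be removed once that is fixed. The same block appears in the `@@ -44,6 +44,13 @@` hunk of build/build_bundle_ocm.sh.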
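Review bot: In the `@@ -53,6 +60,12 @@` hunk, `pull_status` is derived from grepping docker's progress output for "Image is up to date", so a successful first-time pull (which does not print that string) and a registry or network error are both reported as `failed`, and the `if` that follows then strips every `replaces:` line from the CSV. That turns a transient pull failure into a bundle published without an upgrade edge from the previous version, with nothing in the build output saying so. If the intent is "does the previous index image exist", the command's exit status is the reliable signal: `if docker pull "${ISHIELD_OPERATOR_INDEX_IMAGE_NAME_AND_PREVIOUS_VERSION}" >/dev/null; then pull_status="pulled"; else pull_status="failed"; fi`, and the failed branch should at least log that `replaces:` is being dropped. The `${SHIELD_OP_DIR}` prefix of the sed glob is also unquoted. The same lines appear in the `@@ -56,6 +63,11 @@` hunk of build/build_bundle_ocm.sh.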
--- a/build/build_bundle_ocm.sh +++ b/build/build_bundle_ocm.sh @@ -44,6 +44,13 @@ echo ----------------------------- echo [1/4] Building bundle make bundle IMG=${ISHIELD_OPERATOR_IMAGE_NAME_AND_VERSION}${COMPONENT_TAG_EXTENSION} VERSION=${VERSION} +tmpcrd="${SHIELD_OP_DIR}/config/crd/bases/apis.integrityshield.io_integrityshieldren.yaml" +targetcrd="${SHIELD_OP_DIR}/config/crd/bases/apis.integrityshield.io_integrityshields.yaml" + +if [ -f $tmpcrd ]; then + sed -i 's/integrityshieldren/integrityshields/g' $tmpcrd + mv $tmpcrd $targetcrd +fi csvfile="bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml" cat $csvfile | yq r - -j > tmp.json @@ -56,6 +63,11 @@ change=$(cat tmp.json | jq '.spec.installModes |=map (select(.type == "AllNamesp cat tmp.json | yq r - -P > $csvfile rm tmp.json +docker pull ${ISHIELD_OPERATOR_INDEX_IMAGE_NAME_AND_PREVIOUS_VERSION} | grep "Image is up to date" && pull_status="pulled" || pull_status="failed" +if [ "$pull_status" = "failed" ]; then + sed -i '/ replaces: /d' ${SHIELD_OP_DIR}/bundle/manifests/*.clusterserviceversion.yaml +fi + make bundle-build BUNDLE_IMG=${ISHIELD_OPERATOR_BUNDLE_IMAGE_NAME_AND_VERSION}${COMPONENT_TAG_EXTENSION} # Push ishield-operator bundle @@ -78,8 +90,6 @@ make docker-push IMG=$DOCKER_IMAGE_AND_TAG echo ----------------------------- echo [3/4] Adding bundle to index -docker pull ${ISHIELD_OPERATOR_INDEX_IMAGE_NAME_AND_PREVIOUS_VERSION}${COMPONENT_TAG_EXTENSION} | grep "Image is up to date" && pull_status="pulled" || pull_status="failed" - if [ "$pull_status" = "failed" ]; then sudo /usr/local/bin/opm index add -c docker --generate --bundles ${ISHIELD_OPERATOR_BUNDLE_IMAGE_NAME_AND_VERSION}${COMPONENT_TAG_EXTENSION} \ --tag ${ISHIELD_OPERATOR_INDEX_IMAGE_NAME_AND_VERSION}${COMPONENT_TAG_EXTENSION} --out-dockerfile tmp.Dockerfile 
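Review bot: The new `docker pull` line in the `@@ -56,6 +63,11 @@` hunk references `${ISHIELD_OPERATOR_INDEX_IMAGE_NAME_AND_PREVIOUS_VERSION}` without the `${COMPONENT_TAG_EXTENSION}` suffix that the line it replaces (removed in the `@@ -78,8 +90,6 @@` hunk) carried, and that the neighbouring `make bundle-build BUNDLE_IMG=...${COMPONENT_TAG_EXTENSION}` and `opm index add ... --tag ...${COMPONENT_TAG_EXTENSION}` lines still use. If the extension is part of the index tag, as those lines suggest, the pull targets a tag that may not exist, `pull_status` ends up `failed` on every run, and `replaces:` is deleted from the CSV unconditionally. The line should presumably read `docker pull ${ISHIELD_OPERATOR_INDEX_IMAGE_NAME_AND_PREVIOUS_VERSION}${COMPONENT_TAG_EXTENSION} | grep "Image is up to date" && pull_status="pulled" || pull_status="failed"`, matching the removed one.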
diff --git a/integrity-shield-operator/bundle/manifests/apis.integrityshield.io_integrityshields.yaml b/integrity-shield-operator/bundle/manifests/apis.integrityshield.io_integrityshields.yaml index a1a6b9c6..68742642 100644 --- a/integrity-shield-operator/bundle/manifests/apis.integrityshield.io_integrityshields.yaml +++ b/integrity-shield-operator/bundle/manifests/apis.integrityshield.io_integrityshields.yaml 
@@ -1114,99 +1114,6 @@ spec: format: int32 type: integer type: object - signerConfig: - properties: - breakGlass: - items: - properties: - namespaces: - items: - type: string - type: array - scope: - type: string - type: object - type: array - description: - type: string - policies: - items: - properties: - excludeNamespaces: - items: - type: string - type: array - namespaces: - items: - type: string - type: array - scope: - type: string - signers: - items: - type: string - type: array - type: object - type: array - signers: - items: - properties: - name: - type: string - secret: - type: string - subjects: - items: - properties: - commonName: - type: string - country: - type: string - email: - type: string - locality: - type: string - organization: - type: string - organizationalUnit: - type: string - postalCode: - type: string - province: - type: string - serialNumber: - type: string - streetAddress: - type: string - uid: - type: string - type: object - type: array - type: object - type: array - type: object - tolerations: - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array shieldConfig: properties: allow: @@ -1554,6 +1461,55 @@ spec: type: object type: array type: object + iShieldAdminUserGroup: + type: string + iShieldAdminUserName: + type: string + iShieldResource: + type: string + iShieldResourceCondition: + properties: + operatorResources: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - apiVersion + - kind + - name + - namespace + type: object + type: array + operatorServiceAccount: + type: string + serverResources: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - apiVersion + - kind + - name + - namespace + type: object + type: array + type: object + iShieldServerUserName: + type: string ignore: items: properties: 
@@ -1617,55 +1573,6 @@ spec: type: object type: object type: object - iShieldAdminUserGroup: - type: string - iShieldAdminUserName: - type: string - iShieldResource: - type: string - iShieldResourceCondition: - properties: - operatorResources: - items: - properties: - apiVersion: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - apiVersion - - kind - - name - - namespace - type: object - type: array - operatorServiceAccount: - type: string - serverResources: - items: - properties: - apiVersion: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - apiVersion - - kind - - name - - namespace - type: object - type: array - type: object - iShieldServerUserName: - type: string keyPathList: items: type: string 
@@ -1821,6 +1728,99 @@ spec: type: object shieldConfigCrName: type: string + signerConfig: + properties: + breakGlass: + items: + properties: + namespaces: + items: + type: string + type: array + scope: + type: string + type: object + type: array + description: + type: string + policies: + items: + properties: + excludeNamespaces: + items: + type: string + type: array + namespaces: + items: + type: string + type: array + scope: + type: string + signers: + items: + type: string + type: array + type: object + type: array + signers: + items: + properties: + name: + type: string + secret: + type: string + subjects: + items: + properties: + commonName: + type: string + country: + type: string + email: + type: string + locality: + type: string + organization: + type: string + organizationalUnit: + type: string + postalCode: + type: string + province: + type: string + serialNumber: + type: string + streetAddress: + type: string + uid: + type: string + type: object + type: array + type: object + type: array + type: object + tolerations: + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array webhookClusterResource: description: Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended to make sure that all the tuple expansions are valid. properties: diff --git a/integrity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml b/integrity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml index 48c95a03..79059aba 100644 --- a/integrity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml +++ b/integrity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml @@ -17,6 +17,18 @@ metadata: } ], "namespace": "integrity-shield-operator-system", + "shieldConfig": { + "inScopeNamespaceSelector": { + "exclude": [ + "kube-*", + "openshift-*" + ], + "include": [ + "*" + ] + }, + "verifyType": "pgp" + }, "signerConfig": { "policies": [ { @@ -45,18 +57,6 @@ metadata: ] } ] - }, - "shieldConfig": { - "inScopeNamespaceSelector": { - "exclude": [ - "kube-*", - "openshift-*" - ], - "include": [ - "*" - ] - }, - "verifyType": "pgp" } } } 
@@ -64,7 +64,7 @@ metadata: capabilities: Basic Install operators.operatorframework.io/builder: operator-sdk-v1.1.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v2 - name: integrity-shield-operator.v0.1.0 + name: integrity-shield-operator.v0.1.1 namespace: placeholder spec: apiservicedefinitions: {} @@ -104,8 +104,8 @@ spec: - integrityshields/finalizers - resourcesignatures - resourcesigningprofiles - - signerconfigs - shieldconfigs + - signerconfigs verbs: - create - delete @@ -240,7 +240,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/open-cluster-management/integrity-shield-operator:0.1.0 + image: quay.io/open-cluster-management/integrity-shield-operator:0.1.1 imagePullPolicy: Always name: manager resources: @@ -303,4 +303,4 @@ spec: provider: name: IBM url: https://github.com/ibm/integrity-enforcer - version: 0.1.0 + version: 0.1.1 diff --git a/integrity-shield-operator/config/crd/bases/apis.integrityshield.io_integrityshields.yaml b/integrity-shield-operator/config/crd/bases/apis.integrityshield.io_integrityshields.yaml index f30b4c28..90e96ec7 100644 --- a/integrity-shield-operator/config/crd/bases/apis.integrityshield.io_integrityshields.yaml +++ b/integrity-shield-operator/config/crd/bases/apis.integrityshield.io_integrityshields.yaml @@ -1104,7 +1104,7 @@ spec: type: array targetNamespaceSelector: description: '`TargetNamespaceSelector` is used only for profile - in IShield NS' + in iShield NS' properties: exclude: items: 
@@ -1543,116 +1543,6 @@ spec: format: int32 type: integer type: object - signerConfig: - properties: - breakGlass: - items: - properties: - namespaces: - items: - type: string - type: array - scope: - type: string - type: object - type: array - description: - type: string - policies: - items: - properties: - excludeNamespaces: - items: - type: string - type: array - namespaces: - items: - type: string - type: array - scope: - type: string - signers: - items: - type: string - type: array - type: object - type: array - signers: - items: - properties: - name: - type: string - secret: - type: string - subjects: - items: - properties: - commonName: - type: string - country: - type: string - email: - type: string - locality: - type: string - organization: - type: string - organizationalUnit: - type: string - postalCode: - type: string - province: - type: string - serialNumber: - type: string - streetAddress: - type: string - uid: - type: string - type: object - type: array - type: object - type: array - type: object - tolerations: - items: - description: The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . - properties: - effect: - description: Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, operator - must be Exists; this combination means to match all values and - all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. Exists - is equivalent to wildcard for value, so that a pod can tolerate - all taints of a particular category. 
- type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the - toleration (which must be of effect NoExecute, otherwise this - field is ignored) tolerates the taint. By default, it is not - set, which means tolerate the taint forever (do not evict). - Zero and negative values will be treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise - just a regular string. - type: string - type: object - type: array shieldConfig: properties: allow: @@ -1929,7 +1819,7 @@ spec: type: array targetNamespaceSelector: description: '`TargetNamespaceSelector` is used only for profile - in IShield NS' + in iShield NS' properties: exclude: items: @@ -2020,6 +1910,55 @@ spec: type: object type: array type: object + iShieldAdminUserGroup: + type: string + iShieldAdminUserName: + type: string + iShieldResource: + type: string + iShieldResourceCondition: + properties: + operatorResources: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - apiVersion + - kind + - name + - namespace + type: object + type: array + operatorServiceAccount: + type: string + serverResources: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - apiVersion + - kind + - name + - namespace + type: object + type: array + type: object + iShieldServerUserName: + type: string ignore: items: properties: 
@@ -2100,55 +2039,6 @@ spec: type: object type: object type: object - iShieldAdminUserGroup: - type: string - iShieldAdminUserName: - type: string - iShieldResource: - type: string - iShieldResourceCondition: - properties: - operatorResources: - items: - properties: - apiVersion: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - apiVersion - - kind - - name - - namespace - type: object - type: array - operatorServiceAccount: - type: string - serverResources: - items: - properties: - apiVersion: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - apiVersion - - kind - - name - - namespace - type: object - type: array - type: object - iShieldServerUserName: - type: string keyPathList: items: type: string @@ -2169,8 +2059,12 @@ spec: type: string kind: type: string + logLevel: + type: string name: type: string + namespace: + type: string operation: type: string scope: @@ -2191,8 +2085,12 @@ spec: type: string kind: type: string + logLevel: + type: string name: type: string + namespace: + type: string operation: type: string scope: @@ -2222,8 +2120,12 @@ spec: type: string kind: type: string + logLevel: + type: string name: type: string + namespace: + type: string operation: type: string scope: @@ -2244,8 +2146,12 @@ spec: type: string kind: type: string + logLevel: + type: string name: type: string + namespace: + type: string operation: type: string scope: 
@@ -2304,6 +2210,116 @@ spec: type: object shieldConfigCrName: type: string + signerConfig: + properties: + breakGlass: + items: + properties: + namespaces: + items: + type: string + type: array + scope: + type: string + type: object + type: array + description: + type: string + policies: + items: + properties: + excludeNamespaces: + items: + type: string + type: array + namespaces: + items: + type: string + type: array + scope: + type: string + signers: + items: + type: string + type: array + type: object + type: array + signers: + items: + properties: + name: + type: string + secret: + type: string + subjects: + items: + properties: + commonName: + type: string + country: + type: string + email: + type: string + locality: + type: string + organization: + type: string + organizationalUnit: + type: string + postalCode: + type: string + province: + type: string + serialNumber: + type: string + streetAddress: + type: string + uid: + type: string + type: object + type: array + type: object + type: array + type: object + tolerations: + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, operator + must be Exists; this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. Exists + is equivalent to wildcard for value, so that a pod can tolerate + all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the + toleration (which must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By default, it is not + set, which means tolerate the taint forever (do not evict). + Zero and negative values will be treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise + just a regular string. + type: string + type: object + type: array webhookClusterResource: description: Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended to make sure that all the tuple expansions are valid. diff --git a/integrity-shield-operator/config/manager/kustomization.yaml b/integrity-shield-operator/config/manager/kustomization.yaml index 85c6b1bf..2adaeb70 100644 --- a/integrity-shield-operator/config/manager/kustomization.yaml +++ b/integrity-shield-operator/config/manager/kustomization.yaml @@ -6,4 +6,4 @@ kind: Kustomization images: - name: controller newName: quay.io/open-cluster-management/integrity-shield-operator - newTag: 0.1.0 + newTag: 0.1.1 diff --git a/ishield-build.conf b/ishield-build.conf index ec5cbd78..cf5211d5 100755 --- a/ishield-build.conf +++ b/ishield-build.conf @@ -2,9 +2,9 @@ REGISTRY=quay.io/open-cluster-management LOCAL_REGISTRY=localhost:5000 BUNDLE_REGISTRY=quay.io/open-cluster-management -ISHIELD_VERSION=0.1.0 -VERSION=0.1.0 -PREV_VERSION=0.0.5 +ISHIELD_VERSION=0.1.1 +VERSION=0.1.1 +PREV_VERSION=0.1.0 ISHIELD_IMAGE=integrity-shield-server ISHIELD_LOGGING=integrity-shield-logging