Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (#33)

* Operator update (#1)

* Prepare for Operatorhub.io submission, fixed Makefile,scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Operator update (#2)

* Prepare for Operatorhub.io submission, fixed Makefile,scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Prepare for Operatorhub.io submission: fixed scripts and odoc

* Prepare for Operatorhub.io submission: fixed script

* Operator update (#3)

* Prepare for Operatorhub.io submission, fixed Makefile,scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Prepare for Operatorhub.io submission: fixed scripts and odoc

* Prepare for Operatorhub.io submission: fixed script

* Prepare for Operatorhub.io submission: fixed docs

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (#4)

* Prepare for Operatorhub.io submission, fixed makefile, scripts

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (#5)

* Prepare for Operatorhub.io submission: fixed script

Author: Kugamoorthy Gajananan

Makefile

@@ -349,9 +349,13 @@ install-ishield: check-kubeconfig install-crds install-operator create-cr
 uninstall-ishield: delete-cr delete-operator
 
 create-ns:
-	@echo
-	@echo creating namespace
-	kubectl create ns $(ISHIELD_NS)
+	@if [ "$(shell kubectl get ns $(ISHIELD_NS) | sed -n '2 p' | awk '{print$$1}')" = $(ISHIELD_NS) ]; then \
+		echo namespace already exists !;  \
+	else  \
+		echo; \
+		echo creating namespace; \
+		kubectl create ns $(ISHIELD_NS); \
+	fi
 
 install-crds:
 	@echo installing crds
@@ -570,7 +574,6 @@ setup-olm-local:
 	$(ISHIELD_REPO_ROOT)/build/setup-olm-local.sh
 
 bundle-test-local:
-	make create-keyring-secret
 	make setup-tmp-cr
 	make setup-test-env
 	make e2e-test

build/clean-e2e-bundle-test-local.sh

@@ -62,7 +62,7 @@ metadata:
   name: integrity-shield-operator
   namespace: ${ISHIELD_NS}
 spec:
-  channel: alpha
+  channel: ${ISHIELD_DEFAULT_CHANNEL}
   name: integrity-shield-operator
   source: integrity-shield-operator-catalog
   sourceNamespace: olm

build/deploy-bundle-local.sh

@@ -49,12 +49,48 @@ echo ""
 echo "-------------------------------------------------"
 echo "Install bundle catalogsource"
 
+cat <<EOF | kubectl create -f -
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: integrity-shield-operator-catalog
+  namespace: olm
+spec:
+  displayName: Integrity Ishield Operator
+  image: ${BUNDLE_INDX_IMAGE}
+  publisher: Community
+  sourceType: grpc
+  updateStrategy:
+    registryPoll:
+      interval: 15m
+EOF
+
+echo ""
+echo "-------------------------------------------------"
+echo "Check if integrity-shield-operator-catalog is deployed correctly."
+echo "Let's wait for integrity-shield-operator-catalog to be deployed..."
+while true; do
+   ISHIELD_STATUS=$(kubectl get pod -n olm 2>/dev/null | grep integrity-shield-operator-catalog | awk '{print $3}')
+   READY_STATUS=$(kubectl get pod -n olm 2>/dev/null | grep integrity-shield-operator-catalog | awk '{print $2}')
+   if [[ "$ISHIELD_STATUS" == "Running"  && "$READY_STATUS" == "1/1" ]]; then
+      echo
+      echo -n "===== Integrity Shield operator catalog has started, let's continue with installing subscription. ====="
+      echo
+      break
+   else
+      printf "."
+      sleep 2
+   fi
+done
+
 cat <<EOF | kubectl create -f -
 apiVersion: v1
 kind: Namespace
 metadata:
   name: ${ISHIELD_NS}
----
+EOF
+
+cat <<EOF | kubectl create -f -
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
@@ -63,31 +99,19 @@ metadata:
 spec:
   targetNamespaces:
   - ${ISHIELD_NS}
----
+EOF
+
+cat <<EOF | kubectl create -f -
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
   name: integrity-shield-operator
   namespace: ${ISHIELD_NS}
 spec:
-  channel: alpha
+  channel: ${ISHIELD_DEFAULT_CHANNEL}
   installPlanApproval: Automatic
   name: integrity-shield-operator
   source: integrity-shield-operator-catalog
   sourceNamespace: olm
   startingCSV: ${STARTING_CSV}
----
-apiVersion: operators.coreos.com/v1alpha1
-kind: CatalogSource
-metadata:
-  name: integrity-shield-operator-catalog
-  namespace: olm
-spec:
-  displayName: Integrity Ishield Operator
-  image: ${BUNDLE_INDX_IMAGE}
-  publisher: Community
-  sourceType: grpc
-  updateStrategy:
-    registryPoll:
-      interval: 15m
 EOF

build/pull_images.sh

@@ -53,9 +53,9 @@ echo -----------------------------
 echo ""
 
 
-# Push integrity-shield-logging image
+# Push integrity-shield-admission-controller image
 echo -----------------------------
-echo [2/3] Pulling integrity-shield-logging image.
+echo [2/3] Pulling integrity-shield-admission-controller image.
 docker pull ${ISHIELD_ADMISSION_CONTROLLER_IMAGE_NAME_AND_VERSION}
 echo done.
 echo -----------------------------

build/update-version.sh

@@ -26,15 +26,18 @@ if [ -z "$SHIELD_OP_DIR" ]; then
     exit 1
 fi
 
-sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/docs/ACM/README_DISABLE_ISHIELD_PROTECTION_ACM_ENV.md
-sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/scripts/install_shield.sh
-sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/COMPONENT_VERSION
-sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/develop/local-deploy/operator_local.yaml
-sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}Makefile
-sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/deploymentForIShield.yaml
-sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/integrityShieldCRForTest.yaml
-sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/integrityShieldCR.yaml
-sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/default-ishield-cr.yaml
-sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}config/manifests/bases/integrity-shield-operator.clusterserviceversion.yaml
-sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_DIR}version/version.go
-sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_DIR}pkg/util/mapnode/node_test.go
+OS_NAME=$(uname -s)
+
+
+if [[ "$OS_NAME" == "Darwin" ]]; then
+   sedi=(-i "")
+else
+   sedi=(-i)
+fi
+
+
+sed "${sedi[@]}" "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/docs/ACM/README_DISABLE_ISHIELD_PROTECTION_ACM_ENV.md
+sed "${sedi[@]}" "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/scripts/install_shield.sh
+sed "${sedi[@]}" "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/COMPONENT_VERSION
+sed "${sedi[@]}" "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}Makefile
+sed "${sedi[@]}" "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}config/manifests/bases/integrity-shield-operator.clusterserviceversion.yaml

integrity-shield-operator/bundle.Dockerfile

@@ -21,7 +21,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=integrity-shield-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha-0.3.0
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.12.0
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.10.0+git
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
 

integrity-shield-operator/bundle/manifests/apis.integrityshield.io_integrityshields.yaml

@@ -222,6 +222,18 @@ spec:
                             description: GMSACredentialSpecName is the name of the
                               GMSA credential spec to use.
                             type: string
+                          hostProcess:
+                            description: HostProcess determines if a container should
+                              be run as a 'Host Process' container. This field is
+                              alpha-level and will only be honored by components that
+                              enable the WindowsHostProcessContainers feature flag.
+                              Setting this field without the feature flag will result
+                              in errors when validating the Pod. All of a Pod's containers
+                              must have the same effective HostProcess value (it is
+                              not allowed to have a mix of HostProcess containers
+                              and non-HostProcess containers).  In addition, if HostProcess
+                              is true then HostNetwork must also be set to true.
+                            type: boolean
                           runAsUserName:
                             description: The UserName in Windows to run the entrypoint
                               of the container process. Defaults to the user specified
@@ -532,7 +544,7 @@ spec:
                                     field and the ones listed in the namespaces field.
                                     null selector and null or empty namespaces list
                                     means "this pod's namespace". An empty selector
-                                    ({}) matches all namespaces. This field is alpha-level
+                                    ({}) matches all namespaces. This field is beta-level
                                     and is only honored when PodAffinityNamespaceSelector
                                     feature is enabled.
                                   properties:
@@ -688,7 +700,7 @@ spec:
                                 the ones listed in the namespaces field. null selector
                                 and null or empty namespaces list means "this pod's
                                 namespace". An empty selector ({}) matches all namespaces.
-                                This field is alpha-level and is only honored when
+                                This field is beta-level and is only honored when
                                 PodAffinityNamespaceSelector feature is enabled.
                               properties:
                                 matchExpressions:
@@ -841,7 +853,7 @@ spec:
                                     field and the ones listed in the namespaces field.
                                     null selector and null or empty namespaces list
                                     means "this pod's namespace". An empty selector
-                                    ({}) matches all namespaces. This field is alpha-level
+                                    ({}) matches all namespaces. This field is beta-level
                                     and is only honored when PodAffinityNamespaceSelector
                                     feature is enabled.
                                   properties:
@@ -997,7 +1009,7 @@ spec:
                                 the ones listed in the namespaces field. null selector
                                 and null or empty namespaces list means "this pod's
                                 namespace". An empty selector ({}) matches all namespaces.
-                                This field is alpha-level and is only honored when
+                                This field is beta-level and is only honored when
                                 PodAffinityNamespaceSelector feature is enabled.
                               properties:
                                 matchExpressions:
@@ -1278,6 +1290,18 @@ spec:
                             description: GMSACredentialSpecName is the name of the
                               GMSA credential spec to use.
                             type: string
+                          hostProcess:
+                            description: HostProcess determines if a container should
+                              be run as a 'Host Process' container. This field is
+                              alpha-level and will only be honored by components that
+                              enable the WindowsHostProcessContainers feature flag.
+                              Setting this field without the feature flag will result
+                              in errors when validating the Pod. All of a Pod's containers
+                              must have the same effective HostProcess value (it is
+                              not allowed to have a mix of HostProcess containers
+                              and non-HostProcess containers).  In addition, if HostProcess
+                              is true then HostNetwork must also be set to true.
+                            type: boolean
                           runAsUserName:
                             description: The UserName in Windows to run the entrypoint
                               of the container process. Defaults to the user specified
@@ -1458,6 +1482,18 @@ spec:
                             description: GMSACredentialSpecName is the name of the
                               GMSA credential spec to use.
                             type: string
+                          hostProcess:
+                            description: HostProcess determines if a container should
+                              be run as a 'Host Process' container. This field is
+                              alpha-level and will only be honored by components that
+                              enable the WindowsHostProcessContainers feature flag.
+                              Setting this field without the feature flag will result
+                              in errors when validating the Pod. All of a Pod's containers
+                              must have the same effective HostProcess value (it is
+                              not allowed to have a mix of HostProcess containers
+                              and non-HostProcess containers).  In addition, if HostProcess
+                              is true then HostNetwork must also be set to true.
+                            type: boolean
                           runAsUserName:
                             description: The UserName in Windows to run the entrypoint
                               of the container process. Defaults to the user specified
@@ -1652,6 +1688,18 @@ spec:
                             description: GMSACredentialSpecName is the name of the
                               GMSA credential spec to use.
                             type: string
+                          hostProcess:
+                            description: HostProcess determines if a container should
+                              be run as a 'Host Process' container. This field is
+                              alpha-level and will only be honored by components that
+                              enable the WindowsHostProcessContainers feature flag.
+                              Setting this field without the feature flag will result
+                              in errors when validating the Pod. All of a Pod's containers
+                              must have the same effective HostProcess value (it is
+                              not allowed to have a mix of HostProcess containers
+                              and non-HostProcess containers).  In addition, if HostProcess
+                              is true then HostNetwork must also be set to true.
+                            type: boolean
                           runAsUserName:
                             description: The UserName in Windows to run the entrypoint
                               of the container process. Defaults to the user specified

integrity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml

@@ -76,7 +76,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    operators.operatorframework.io/builder: operator-sdk-v1.12.0
+    operators.operatorframework.io/builder: operator-sdk-v1.10.0+git
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     containerImage: quay.io/open-cluster-management/integrity-shield-operator:0.3.0
   name: integrity-shield-operator.v0.3.0
@@ -253,7 +253,6 @@ spec:
             - apiGroups:
                 - apis.integrityshield.io
               resources:
-                - integrityshieldren
                 - integrityshields
               verbs:
                 - create
@@ -263,20 +262,6 @@ spec:
                 - patch
                 - update
                 - watch
-            - apiGroups:
-                - apis.integrityshield.io
-              resources:
-                - integrityshields
-                - integrityshields/finalizers
-                - manifestintegrityprofiles
-              verbs:
-                - create
-                - delete
-                - get
-                - list
-                - patch
-                - update
-                - watch
             - apiGroups:
                 - apis.integrityshield.io
               resources:
@@ -303,16 +288,6 @@ spec:
                 - patch
                 - update
                 - watch
-            - apiGroups:
-                - coordination.k8s.io
-              resources:
-                - leases
-              verbs:
-                - create
-                - delete
-                - get
-                - list
-                - update
             - apiGroups:
                 - ""
               resources:
@@ -329,18 +304,6 @@ spec:
                 - patch
                 - update
                 - watch
-            - apiGroups:
-                - policy
-              resources:
-                - podsecuritypolicies
-              verbs:
-                - create
-                - delete
-                - get
-                - list
-                - patch
-                - update
-                - watch
             - apiGroups:
                 - rbac.authorization.k8s.io
               resources:
@@ -476,4 +439,5 @@ spec:
   maturity: alpha
   provider:
     name: Community
-  version: 0.3.0
+  replaces: integrity-shield-operator.v0.1.6
+  version: 0.3.0

integrity-shield-operator/bundle/metadata/annotations.yaml

@@ -5,7 +5,7 @@ annotations:
   operators.operatorframework.io.bundle.metadata.v1: metadata/
   operators.operatorframework.io.bundle.package.v1: integrity-shield-operator
   operators.operatorframework.io.bundle.channels.v1: alpha-0.3.0
-  operators.operatorframework.io.metrics.builder: operator-sdk-v1.12.0
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.10.0+git
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3