Red Hat Konflux purge security-profiles-operator

Dockerfile.openshift

@@ -0,0 +1,60 @@
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.21 as builder
+
+RUN export SMDEV_CONTAINER_OFF=1 && \
+    subscription-manager register --org $(cat "/activation-key/org") --activationkey $(cat "/activation-key/activationkey") && \
+    # use --allowerasing to avoid conflicts with the base image for mingw packages
+    # Problem 1: cannot install both mingw-binutils-generic-2.41-3.el9.x86_64 and mingw-binutils-generic-2.39-2.el9.x86_64
+    # Problem 2: package mingw64-filesystem-139-1.el9.noarch requires mingw-filesystem-base = 139-1.el9, but none of the providers can be installed
+    yum -y update --allowerasing && \
+    yum -y install git libseccomp-devel && yum clean all && \
+    yum -y clean all && rm -rf /var/cache/yum  && \
+    subscription-manager unregister
+
+WORKDIR /go/src/github.com/openshift/security-profiles-operator
+
+ENV GOFLAGS="-mod=vendor" BUILD_FLAGS="-tags strictfipsruntime"
+
+COPY . .
+
+RUN mkdir -p build
+
+ARG APPARMOR_ENABLED=0
+ARG BPF_ENABLED=0
+# OCP in FIPS mode doesn't like statically linked SPO
+ARG STATIC_LINK=no
+
+RUN make
+
+FROM registry.redhat.io/ubi9/ubi-minimal:latest
+
+RUN INSTALL_PKGS="tar libseccomp" && \
+    if [ ! -e /usr/bin/dnf ]; then ln -s /usr/bin/microdnf /usr/bin/dnf; fi && \
+        dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
+        dnf clean all && rm -rf /var/cache/*
+LABEL \
+        io.k8s.display-name="Security Profiles Operator" \
+        io.k8s.description="The Security Profiles Operator makes it easier for cluster admins to manage their seccomp, or SELinux profiles and apply them to Kubernetes' workloads." \
+        io.openshift.tags="security,seccomp,selinux" \
+        com.redhat.delivery.appregistry="false" \
+        maintainer="Red Hat ISC <isc-team@redhat.com>" \
+        License="APL 2.0" \
+        name="openshift-security-profiles-operator" \
+        com.redhat.component="openshift-security-profiles-operator-container" \
+        io.openshift.maintainer.product="OpenShift Container Platform" \
+        io.openshift.maintainer.component="Security Profiles Operator" \
+        version=0.8.4
+#        io.openshift.build.commit.id=98271bc2812881010146f47e4587dcd449b846bd \
+#        io.openshift.build.source-location=https://github.com/openshift/file-integrity-operator.git \
+#        io.openshift.build.commit.url=https://github.com/openshift/file-integrity-operator.git/commit/98271bc2812881010146f47e4587dcd449b846bd \
+
+ENV OPERATOR=/usr/local/bin/security-profiles-operator \
+    USER_UID=65534 \
+    USER_NAME=security-profiles-operator
+
+COPY --from=builder /go/src/github.com/openshift/security-profiles-operator/build/security-profiles-operator ${OPERATOR}
+# This is required for the bundle build.
+COPY --from=builder /go/src/github.com/openshift/security-profiles-operator/bundle /bundle
+
+ENTRYPOINT ["/usr/local/bin/security-profiles-operator"]
+
+USER ${USER_UID}:${USER_UID}

Makefile

@@ -553,6 +553,8 @@ OLM_EXAMPLES := \
 
 BUNDLE_SA_OPTS ?= --extra-service-accounts security-profiles-operator,spod,spo-webhook
 
+BUNDLE_SA_OPTS ?= --extra-service-accounts security-profiles-operator,spod,spo-webhook
+
 .PHONY: bundle
 bundle: operator-sdk deployments ## Generate bundle manifests and metadata, then validate generated files.
 	$(SED) "s/\(olm.skipRange: '>=.*\)<.*'/\1<$(VERSION)'/" deploy/base/clusterserviceversion.yaml

OWNERS

@@ -1,13 +1,18 @@
-# See the OWNERS docs at https://go.k8s.io/owners
+# See the OWNERS docs at https://go.k8s.io/owners for details
 
 reviewers:
   - Vincent056
 approvers:
-  - ccojocar
   - pjbgf
   - saschagrunert
   - JAORMX
   - jhrozek
+  - sheriff-rh
+  - Vincent056
+  - xiaojiey
+  - BhargaviGudi
 emeritus_approvers:
   - cmurphy
   - hasheddan
+
+component: "Security Profiles Operator"

bundle/manifests/security-profiles-operator.clusterserviceversion.yaml

@@ -985,5 +985,5 @@ spec:
     name: selinuxd-el8
   - image: quay.io/security-profiles-operator/selinuxd-el9:latest
     name: selinuxd-el9
-  replaces: security-profiles-operator.v0.8.3
+  replaces: security-profiles-operator.v0.8.1
   version: 0.8.4

dependencies.yaml

@@ -105,6 +105,18 @@ dependencies:
     - path: Dockerfile.build-image
       match: tag
 
+  - name: ubi9-minimal
+    version: sha256:ef6fb6b3b38ef6c85daebeabebc7ff3151b9dd1500056e6abc9c3295e4b78a51
+    refPaths:
+    - path: Dockerfile.ubi
+      match: registry.access.redhat.com/ubi9/ubi-minimal
+
+  - name: ubi9-go-toolset
+    version: sha256:d1911ff6e8b3d17175dafe00aa466e83c3ceec45903b01a7cc18e9e417781263
+    refPaths:
+    - path: Dockerfile.ubi
+      match: registry.access.redhat.com/ubi9/go-toolset
+
   - name: nix
     version: 2.18.1
     refPaths:

test/e2e_flaky_test.go

@@ -67,7 +67,7 @@ func (e *e2e) TestSecurityProfilesOperator_Flaky() {
 	// fix the issue with the certs.
 	e.Run("cluster-wide: Seccomp: Verify profile binding", func() {
 		e.testCaseSeccompProfileBinding(nodes, "quay.io/security-profiles-operator/test-hello-world:latest")
-		e.testCaseSeccompProfileBinding(nodes, "*")
+		e.testCaseSeccompProfileBinding(nodes, "'*'")
 	})
 
 	e.Run("cluster-wide: Seccomp: Verify profile recording logs", func() {

test/tc_seccomp_profilebindings_test.go

@@ -106,12 +106,21 @@ spec:
 
 	namespace := e.getCurrentContextNamespace(defaultNamespace)
 
-	e.logf("Testing that pod has securityContext")
-	output = e.kubectl(
-		"get", "pod", "hello",
-		"--output", "jsonpath={.spec.containers[0].securityContext.seccompProfile.localhostProfile}",
-	)
-	e.Equal(fmt.Sprintf("operator/%s/profile-allow-unsafe.json", namespace), output)
+	if image == "*" || image == "'*'" {
+		e.logf("Profile Binding has * image, Testing that pod has securityContext")
+		output = e.kubectl(
+			"get", "pod", "hello",
+			"--output", "jsonpath={.spec.securityContext.seccompProfile.localhostProfile}",
+		)
+		e.Equal(fmt.Sprintf("operator/%s/profile-allow-unsafe.json", namespace), output)
+	} else {
+		e.logf("Testing that pod container has securityContext for specific image")
+		output = e.kubectl(
+			"get", "pod", "hello",
+			"--output", "jsonpath={.spec.containers[0].securityContext.seccompProfile.localhostProfile}",
+		)
+		e.Equal(fmt.Sprintf("operator/%s/profile-allow-unsafe.json", namespace), output)
+	}
 
 	e.logf("Testing that profile binding has pod reference")
 	output = e.kubectl("get", "profilebinding", "hello-binding", "--output", "jsonpath={.status.activeWorkloads[0]}")