diff --git a/.github/actions/documentation/Dockerfile b/.github/actions/documentation/Dockerfile index d56af10d1..81f97209c 100644 --- a/.github/actions/documentation/Dockerfile +++ b/.github/actions/documentation/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/python-39:9.5@sha256:84c028923cd3c8554c9b5c1423a553a4cb8f3ee88c17a3d87756c9b08f5e8fe7 +FROM registry.access.redhat.com/ubi9/python-39:9.5@sha256:dde5068ba8fd81eef41a9128ddad2b99e2e02e5869ffe925c605b609a0ad7bbb # Pin versions in pip. # hadolint ignore=DL3013 diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index 08ebcf216..a80345b7e 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -16,7 +16,7 @@ runs: - name: Set up Go 1.23 uses: actions/setup-go@v4 with: - go-version: 1.23.3 + go-version: 1.23.4 cache: false - name: Disable default go problem matcher diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 8ed9114e2..ae4a2f21b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -46,13 +46,13 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: languages: ${{ matrix.language }} tools: latest 
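Review bot: In `.github/actions/setup/action.yml` the `Set up Go 1.23` step still references `actions/setup-go@v4`, a mutable tag, while every workflow visible in this commit pins the same action to a commit SHA at v5.2.0. A tag can be moved upstream, so this composite action is the one place in the diff where the Go toolchain setup is not fixed to reviewed code, and it is also a major version behind. I would change the line to `uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0` so it matches the workflows. The `runs:` block starts outside the hunk.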
@@ -64,7 +64,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/autobuild@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -78,4 +78,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml index 6239c4ae3..cd61549b2 100644 --- a/.github/workflows/merge.yaml +++ b/.github/workflows/merge.yaml @@ -25,9 +25,9 @@ jobs: steps: - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 - name: Check out code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/pre-main.yaml b/.github/workflows/pre-main.yaml index 7ce9ab2cf..2e44cf720 100644 --- a/.github/workflows/pre-main.yaml +++ b/.github/workflows/pre-main.yaml @@ -19,7 +19,7 @@ env: OCT_IMAGE_NAME: redhat-best-practices-for-k8s/oct OCT_IMAGE_TAG: latest PROBE_IMAGE_NAME: redhat-best-practices-for-k8s/certsuite-probe - PROBE_IMAGE_TAG: v0.0.10 + PROBE_IMAGE_TAG: v0.0.11 CERTSUITE_CONFIG_DIR: /tmp/certsuite/config CERTSUITE_OUTPUT_DIR: /tmp/certsuite/output SMOKE_TESTS_LOG_LEVEL: debug 
@@ -42,9 +42,9 @@ jobs: steps: - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 - name: Disable default go problem matcher run: echo "::remove-matcher owner=go::" @@ -58,7 +58,7 @@ jobs: uses: ./.github/actions/install-yaml-dep - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main + uses: depends-on/depends-on-action@77e67971a155b35424508ada365790c47286fd0f # main with: token: ${{ secrets.GITHUB_TOKEN }} @@ -117,9 +117,9 @@ jobs: steps: - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 - name: Disable default go problem matcher run: echo "::remove-matcher owner=go::" @@ -133,7 +133,7 @@ jobs: uses: ./.github/actions/install-yaml-dep - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main + uses: depends-on/depends-on-action@77e67971a155b35424508ada365790c47286fd0f # main with: token: ${{ secrets.GITHUB_TOKEN }} @@ -187,9 +187,9 @@ jobs: echo '{ "auths": {} }' >> ${PFLT_DOCKERCONFIG} - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 - name: Disable default go problem matcher run: echo "::remove-matcher owner=go::" 
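Review bot: The `depends-on/depends-on-action` pin in the `@@ -58,7 +58,7 @@` hunk of `pre-main.yaml` is annotated `# main`, so the new SHA `77e67971…` is a commit on a moving branch rather than a tagged release, and the step hands it `secrets.GITHUB_TOKEN`. Unlike the other pins in this commit (`# v5.2.0`, `# v4.5.0`), a reviewer cannot match this SHA to a published version. If the action publishes releases, pin to one and name it in the trailing comment; otherwise record what was reviewed, for example `# main, reviewed <date>`, and confirm that the jobs' `permissions:` (not visible in these hunks) grant the token only what this step needs. The same line is bumped in the hunks at -133, -203, -302 and -493 of this file and at -149 of `qe-hosted.yml`.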
@@ -203,7 +203,7 @@ jobs: uses: ./.github/actions/install-yaml-dep - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main + uses: depends-on/depends-on-action@77e67971a155b35424508ada365790c47286fd0f # main with: token: ${{ secrets.GITHUB_TOKEN }} @@ -240,7 +240,7 @@ jobs: run: ./certsuite claim show failures -c certsuite-out/claim.json - name: Upload smoke test results as an artifact - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 if: always() with: name: smoke-tests @@ -257,7 +257,7 @@ jobs: run: ./certsuite run --label-filter=preflight --log-level="${SMOKE_TESTS_LOG_LEVEL}" - name: Upload preflight smoke test results as an artifact - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 if: always() with: name: preflight-smoke-tests @@ -286,9 +286,9 @@ jobs: # needed by depends-on-action - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 # Perform smoke tests using a Certsuite container. - name: Check out code @@ -302,7 +302,7 @@ jobs: make-command: 'install' - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main + uses: depends-on/depends-on-action@77e67971a155b35424508ada365790c47286fd0f # main with: token: ${{ secrets.GITHUB_TOKEN }} 
@@ -363,7 +363,7 @@ jobs: --label-filter="${SMOKE_TESTS_LABELS_FILTER}" - name: Upload container test results as an artifact - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 if: always() with: name: smoke-tests-container @@ -412,7 +412,7 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Login to Quay.io uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 @@ -455,7 +455,7 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Login to Quay.io uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 @@ -493,7 +493,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Check all dependent Pull Requests are merged - uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main + uses: depends-on/depends-on-action@77e67971a155b35424508ada365790c47286fd0f # main with: token: ${{ secrets.GITHUB_TOKEN }} check-unmerged-pr: true diff --git a/.github/workflows/preflight.yml b/.github/workflows/preflight.yml index 59eb612b0..eb38be3f0 100644 --- a/.github/workflows/preflight.yml +++ b/.github/workflows/preflight.yml 
@@ -21,9 +21,9 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 - name: Disable default go problem matcher run: echo "::remove-matcher owner=go::" diff --git a/.github/workflows/qe-hosted.yml b/.github/workflows/qe-hosted.yml index bfc1c3de4..e3539601d 100644 --- a/.github/workflows/qe-hosted.yml +++ b/.github/workflows/qe-hosted.yml @@ -35,7 +35,7 @@ jobs: ref: ${{ github.sha }} - name: Setup docker buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 # Restart docker using /mnt/docker-storage (sdb) instead of /var/lib/docker (sda). # This step needs to be done right after the partner repo's bootstrap scripts, as they @@ -67,7 +67,7 @@ jobs: outputs: type=docker,dest=/tmp/testimage.tar - name: Store image as artifact - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: testimage path: /tmp/testimage.tar @@ -98,7 +98,7 @@ jobs: # Download the image from the artifact and load it into the docker daemon. - name: Setup docker buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 # Restart docker using /mnt/docker-storage (sdb) instead of /var/lib/docker (sda). # This step needs to be done right after the partner repo's bootstrap scripts, as they 
@@ -149,7 +149,7 @@ jobs: ref: main - name: Extract dependent Pull Requests - uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main + uses: depends-on/depends-on-action@77e67971a155b35424508ada365790c47286fd0f # main with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/qe-ocp-arm-416.yaml b/.github/workflows/qe-ocp-arm-416.yaml index 5b2d61091..904b71466 100644 --- a/.github/workflows/qe-ocp-arm-416.yaml +++ b/.github/workflows/qe-ocp-arm-416.yaml @@ -34,7 +34,7 @@ jobs: ref: ${{ github.sha }} - name: Setup docker buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Build temporary image tag for this PR uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 @@ -47,7 +47,7 @@ jobs: outputs: type=docker,dest=/tmp/testimage.tar - name: Store image as artifact - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: testimage path: /tmp/testimage.tar @@ -75,7 +75,7 @@ jobs: # Download the image from the artifact and load it into the docker daemon. - name: Setup docker buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Download image from artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 diff --git a/.github/workflows/qe-ocp-pre-main.yaml b/.github/workflows/qe-ocp-pre-main.yaml index dc76771af..3ea9b34b1 100644 --- a/.github/workflows/qe-ocp-pre-main.yaml +++ b/.github/workflows/qe-ocp-pre-main.yaml 
@@ -32,7 +32,7 @@ jobs: ref: ${{ github.sha }} - name: Setup docker buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Build temporary image tag for this PR uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 @@ -44,7 +44,7 @@ jobs: outputs: type=docker,dest=/tmp/testimage.tar - name: Store image as artifact - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: testimage path: /tmp/testimage.tar @@ -71,7 +71,7 @@ jobs: # Download the image from the artifact and load it into the docker daemon. - name: Setup docker buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Download image from artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f79356472..c53683f82 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: SARIF file path: results.sarif 
@@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: sarif_file: results.sarif diff --git a/.github/workflows/tnf-image.yaml b/.github/workflows/tnf-image.yaml index 1b7914a10..407547f05 100644 --- a/.github/workflows/tnf-image.yaml +++ b/.github/workflows/tnf-image.yaml @@ -117,7 +117,7 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 # Push the new TNF image to Quay.io. - name: Authenticate against Quay.io @@ -229,7 +229,7 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 # Push the new TNF image to Quay.io. - name: Authenticate against Quay.io diff --git a/.github/workflows/update-rhcos-mapping.yml b/.github/workflows/update-rhcos-mapping.yml index a160d9292..7eb7502d1 100644 --- a/.github/workflows/update-rhcos-mapping.yml +++ b/.github/workflows/update-rhcos-mapping.yml 
@@ -28,9 +28,9 @@ jobs: run: make update-rhcos-versions - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 # This prevents any failures due to the updated rhcos_versions_map file from # making it into the PR phase. diff --git a/.github/workflows/upload-release-assets.yaml b/.github/workflows/upload-release-assets.yaml index a019e2510..495547b8a 100644 --- a/.github/workflows/upload-release-assets.yaml +++ b/.github/workflows/upload-release-assets.yaml @@ -14,9 +14,9 @@ jobs: steps: - name: Set up Go 1.23 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: - go-version: 1.23.3 + go-version: 1.23.4 - name: Check out code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/CATALOG.md b/CATALOG.md index a728484da..b336cfd81 100644 --- a/CATALOG.md +++ b/CATALOG.md @@ -13,7 +13,7 @@ Depending on the workload type, not all tests are required to pass to satisfy be |Suite|Tests per suite| |---|---| -|access-control|29| +|access-control|28| |affiliated-certification|4| |lifecycle|18| |manageability|2| @@ -22,7 +22,7 @@ Depending on the workload type, not all tests are required to pass to satisfy be |operator|11| |performance|6| |platform-alteration|13| -|preflight|17| +|preflight|18| ### Extended specific tests only: 12 
@@ -379,8 +379,8 @@ Tags|extended,access-control Property|Description ---|--- Unique ID|access-control-security-context-non-root-user-id-check -Description|Checks the security context runAsUser parameter in pods and containers to make sure it is not set to uid root(0). Pods and containers should not run as root (runAsUser is not set to uid0). -Suggested Remediation|Change the pod and containers "runAsUser" uid to something other than root(0) +Description|Checks securityContext's runAsNonRoot and runAsUser fields at pod and container level to make sure containers are not run as root. +Suggested Remediation|Set the securityContext.runAsNonRoot field to true either at pod or container level. Alternatively, set a non-zero value to securityContext.runAsUser field either at pod or container level. Best Practice Reference|https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security Exception Process|No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details. Tags|common,access-control 
@@ -422,22 +422,6 @@ Tags|common,access-control |Non-Telco|Optional| |Telco|Optional| -#### access-control-security-context-run-as-non-root-user-check - -Property|Description ----|--- -Unique ID|access-control-security-context-run-as-non-root-user-check -Description|Checks the security context runAsNonRoot parameter in pods and containers to make sure it is not set to false. Pods and containers should not be able to run as root.. -Suggested Remediation|Set the the pod and containers "runAsNonRoot" to true. -Best Practice Reference|https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security -Exception Process|No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details. -Tags|common,access-control -|**Scenario**|**Optional/Mandatory**| -|Extended|Mandatory| -|Far-Edge|Mandatory| -|Non-Telco|Mandatory| -|Telco|Mandatory| - #### access-control-service-type Property|Description @@ -1186,6 +1170,22 @@ Tags|telco,observability ### operator +#### operator-catalogsource-bundle-count + +Property|Description +---|--- +Unique ID|operator-catalogsource-bundle-count +Description|Tests operator catalog source bundle count is less than 1000 +Suggested Remediation|Ensure that the Operator's catalog source has a valid bundle count less than 1000. +Best Practice Reference|https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-operator-requirements +Exception Process|No exceptions +Tags|common,operator +|**Scenario**|**Optional/Mandatory**| +|Extended|Mandatory| +|Far-Edge|Mandatory| +|Non-Telco|Mandatory| +|Telco|Mandatory| + #### operator-crd-openapi-schema Property|Description 
@@ -1800,13 +1800,29 @@ Tags|common,preflight |Non-Telco|Optional| |Telco|Optional| +#### preflight-HasProhibitedContainerName + +Property|Description +---|--- +Unique ID|preflight-HasProhibitedContainerName +Description|Checking if the container-name violates Red Hat trademark. +Suggested Remediation|Update container-name ie (quay.io/repo-name/container-name) to not violate Red Hat trademark. +Best Practice Reference|No Doc Link +Exception Process|There is no documented exception process for this. +Tags|common,preflight +|**Scenario**|**Optional/Mandatory**| +|Extended|Optional| +|Far-Edge|Optional| +|Non-Telco|Optional| +|Telco|Optional| + #### preflight-HasRequiredLabel Property|Description ---|--- Unique ID|preflight-HasRequiredLabel -Description|Checking if the required labels (name, vendor, version, release, summary, description) are present in the container metadata. -Suggested Remediation|Add the following labels to your Dockerfile or Containerfile: name, vendor, version, release, summary, description +Description|Checking if the required labels (name, vendor, version, release, summary, description, maintainer) are present in the container metadata and that they do not violate Red Hat trademark. +Suggested Remediation|Add the following labels to your Dockerfile or Containerfile: name, vendor, version, release, summary, description, maintainer and validate that they do not violate Red Hat trademark. Best Practice Reference|No Doc Link Exception Process|There is no documented exception process for this. Tags|common,preflight diff --git a/Dockerfile b/Dockerfile index cf332f38c..8a6e426c9 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/ubi:9.5@sha256:2bae9062eddbbc18e76555972e7026ffe02cef560a0076e6d7f72bed2c05723f AS build +FROM registry.access.redhat.com/ubi9/ubi:9.5@sha256:38791b293262ac2169eca2717e68e626a047d2b89fbd1da544db24ed0204efeb AS build ENV CERTSUITE_DIR=/usr/certsuite ENV \ CERTSUITE_SRC_DIR=${CERTSUITE_DIR}/src \ @@ -27,19 +27,19 @@ ENV \ ENV \ GO_DL_URL=https://golang.org/dl \ GOPATH=/root/go -ENV GO_BIN_URL_x86_64=${GO_DL_URL}/go1.23.3.linux-amd64.tar.gz -ENV GO_BIN_URL_aarch64=${GO_DL_URL}/go1.23.3.linux-arm64.tar.gz +ENV GO_BIN_URL_x86_64=${GO_DL_URL}/go1.23.4.linux-amd64.tar.gz +ENV GO_BIN_URL_aarch64=${GO_DL_URL}/go1.23.4.linux-arm64.tar.gz # Determine the CPU architecture and download the appropriate Go binary RUN \ if [ "$(uname -m)" = x86_64 ]; then \ wget --directory-prefix=${TEMP_DIR} ${GO_BIN_URL_x86_64} --quiet \ && rm -rf /usr/local/go \ - && tar -C /usr/local -xzf ${TEMP_DIR}/go1.23.3.linux-amd64.tar.gz; \ + && tar -C /usr/local -xzf ${TEMP_DIR}/go1.23.4.linux-amd64.tar.gz; \ elif [ "$(uname -m)" = aarch64 ]; then \ wget --directory-prefix=${TEMP_DIR} ${GO_BIN_URL_aarch64} --quiet \ && rm -rf /usr/local/go \ - && tar -C /usr/local -xzf ${TEMP_DIR}/go1.23.3.linux-arm64.tar.gz; \ + && tar -C /usr/local -xzf ${TEMP_DIR}/go1.23.4.linux-arm64.tar.gz; \ else \ echo "CPU architecture is not supported." && exit 1; \ fi @@ -102,7 +102,7 @@ FROM quay.io/redhat-best-practices-for-k8s/oct:latest AS db # Copy the state into a new flattened image to reduce size. # TODO run as non-root -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:d85040b6e3ed3628a89683f51a38c709185efc3fb552db2ad1b9180f2a6c38be +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:daa61d6103e98bccf40d7a69a0d4f8786ec390e2204fd94f7cc49053e9949360 ENV \ CERTSUITE_DIR=/usr/certsuite \ 
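Review bot: The Go tarball fetched in the `RUN` block of the `@@ -27,19 +27,19 @@` hunk is unpacked into `/usr/local` without any integrity check, although the base images in this same Dockerfile are pinned by sha256 digest. The build therefore trusts whatever `${GO_DL_URL}` serves at build time for the compiler that produces the shipped binary. I would add a checksum step between download and extraction, e.g. `&& echo "${GO_SHA256_x86_64}  ${TEMP_DIR}/go1.23.4.linux-amd64.tar.gz" | sha256sum -c - \`, with `GO_SHA256_x86_64` and `GO_SHA256_aarch64` set to the digests published for the release (placeholder names; the values are not on this page). The version string is also repeated four times in this hunk; a single `ENV GO_VERSION=1.23.4` used in both URLs and both `tar` paths would make the next bump a one-line change.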
diff --git a/cmd/certsuite/check/image_cert_status/image_cert_status.go b/cmd/certsuite/check/image_cert_status/image_cert_status.go index db939b4e1..7b8a51e08 100644 --- a/cmd/certsuite/check/image_cert_status/image_cert_status.go +++ b/cmd/certsuite/check/image_cert_status/image_cert_status.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/cmd/certsuite/generate/feedback/feedback.go b/cmd/certsuite/generate/feedback/feedback.go index 1b17c58a2..e8c080afa 100644 --- a/cmd/certsuite/generate/feedback/feedback.go +++ b/cmd/certsuite/generate/feedback/feedback.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/cmd/certsuite/run/run.go b/cmd/certsuite/run/run.go index ba5a10795..5755a90a7 100644 --- a/cmd/certsuite/run/run.go +++ b/cmd/certsuite/run/run.go 
@@ -39,7 +39,7 @@ func NewCommand() *cobra.Command { runCmd.PersistentFlags().Bool("include-web-files", false, "Save web files in the configured output folder") runCmd.PersistentFlags().Bool("enable-data-collection", false, "Allow sending test results to an external data collector") runCmd.PersistentFlags().Bool("create-xml-junit-file", false, "Create a JUnit file with the test results") - runCmd.PersistentFlags().String("certsuite-probe-image", "quay.io/redhat-best-practices-for-k8s/certsuite-probe:v0.0.10", "Certsuite probe image") + runCmd.PersistentFlags().String("certsuite-probe-image", "quay.io/redhat-best-practices-for-k8s/certsuite-probe:v0.0.11", "Certsuite probe image") runCmd.PersistentFlags().String("daemonset-cpu-req", "100m", "CPU request for the probe daemonset container") runCmd.PersistentFlags().String("daemonset-cpu-lim", "100m", "CPU limit for the probe daemonset container") runCmd.PersistentFlags().String("daemonset-mem-req", "100M", "Memory request for the probe daemonset container") diff --git a/docs/runtime-env.md b/docs/runtime-env.md index 8305a1b88..046fab8c5 100644 --- a/docs/runtime-env.md +++ b/docs/runtime-env.md @@ -63,4 +63,4 @@ See more about this variable [here](https://github.com/redhat-openshift-ecosyste against a private container registry that has self-signed certificates. Note that you can also specify the probe pod image to use with `SUPPORT_IMAGE` -environment variable, default to `certsuite-probe:v0.0.10`. +environment variable, default to `certsuite-probe:v0.0.11`. diff --git a/expected_results.yaml b/expected_results.yaml index 08991aba9..27bc4fef5 100644 --- a/expected_results.yaml +++ b/expected_results.yaml 
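Review bot: The default for `--certsuite-probe-image` in `NewCommand` is a tag reference (`certsuite-probe:v0.0.11`), and the same version is hard-coded separately in `PROBE_IMAGE_TAG` in `pre-main.yaml` and in `docs/runtime-env.md`. A registry tag can be re-pushed, and going by the neighbouring `daemonset-*` flags this image is what the probe daemonset runs in the cluster under test, so a digest-qualified default (`…/certsuite-probe:v0.0.11@sha256:<digest>`, digest not on this page) would fix what users pull when they do not override the flag. Independently of that, a named constant for the default image would leave one place in the Go code to bump. `NewCommand` begins and ends outside the hunk.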
@@ -22,7 +22,6 @@ testCases: - access-control-security-context-non-root-user-id-check - access-control-security-context-privilege-escalation - access-control-security-context-read-only-file-system - - access-control-security-context-run-as-non-root-user-check - access-control-security-context - access-control-service-type - access-control-ssh-daemons @@ -74,7 +73,6 @@ testCases: - platform-alteration-tainted-node-kernel fail: - affiliated-certification-container-is-certified-digest # test container image is not certified - skip: - access-control-sys-ptrace-capability - affiliated-certification-helm-version @@ -95,6 +93,7 @@ testCases: - operator-single-crd-owner - operator-pods-no-hugepages - operator-multiple-same-operators + - operator-catalogsource-bundle-count - performance-exclusive-cpu-pool-rt-scheduling-policy - performance-isolated-cpu-pool-rt-scheduling-policy - performance-shared-cpu-pool-non-rt-scheduling-policy diff --git a/go.mod b/go.mod index ca77897de..fa6c1a0d1 100644 --- a/go.mod +++ b/go.mod @@ -1,10 +1,10 @@ module github.com/redhat-best-practices-for-k8s/certsuite -go 1.23.3 +go 1.23.4 require ( github.com/Masterminds/semver/v3 v3.3.1 - github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.51 + github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.52 github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cobra v1.8.1 github.com/stretchr/testify v1.10.0 
@@ -12,25 +12,26 @@ require ( gopkg.in/yaml.v3 v3.0.1 ) -require k8s.io/client-go v0.31.3 +require k8s.io/client-go v0.32.0 require ( - github.com/mittwald/go-helm-client v0.12.14 + github.com/mittwald/go-helm-client v0.12.16 github.com/openshift/api v3.9.0+incompatible github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f github.com/operator-framework/api v0.27.0 github.com/operator-framework/operator-lifecycle-manager v0.30.0 github.com/pkg/errors v0.9.1 // indirect - helm.sh/helm/v3 v3.16.3 - k8s.io/api v0.31.3 - k8s.io/apimachinery v0.31.3 + helm.sh/helm/v3 v3.16.4 + k8s.io/api v0.32.0 + k8s.io/apimachinery v0.32.0 k8s.io/klog/v2 v2.130.1 // indirect ) require ( - cloud.google.com/go/auth v0.10.2 // indirect - cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect - cloud.google.com/go/compute/metadata v0.5.2 // indirect + cel.dev/expr v0.18.0 // indirect + cloud.google.com/go/auth v0.13.0 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect + cloud.google.com/go/compute/metadata v0.6.0 // indirect dario.cat/mergo v1.0.1 // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect @@ -91,10 +92,9 @@ require ( github.com/go-openapi/swag v0.23.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/btree v1.1.2 // indirect - github.com/google/cel-go v0.21.0 // indirect + github.com/google/cel-go v0.22.0 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect 
@@ -143,7 +143,7 @@ require ( github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect - github.com/onsi/gomega v1.34.2 // indirect + github.com/onsi/gomega v1.36.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/openshift/library-go v0.0.0-20231020125025-211b32f1a1f2 // indirect @@ -179,9 +179,6 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xlab/treeprint v1.2.0 // indirect - go.etcd.io/etcd/client/pkg/v3 v3.5.15 // indirect - go.etcd.io/etcd/client/v3 v3.5.15 // indirect - go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect go.opentelemetry.io/otel v1.29.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect 
@@ -190,52 +187,49 @@ require (
 go.opentelemetry.io/otel/sdk v1.29.0 // indirect
 go.opentelemetry.io/otel/trace v1.29.0 // indirect
 go.opentelemetry.io/proto/otlp v1.3.1 // indirect
- go.starlark.net v0.0.0-20231121155337-90ade8b19d09 // indirect
 go.uber.org/multierr v1.11.0 // indirect
- go.uber.org/zap v1.27.0 // indirect
 go4.org v0.0.0-20200104003542-c7e774b10ea0 // indirect
- golang.org/x/crypto v0.29.0 // indirect
+ golang.org/x/crypto v0.31.0 // indirect
 golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect
- golang.org/x/net v0.31.0 // indirect
+ golang.org/x/net v0.33.0 // indirect
 golang.org/x/oauth2 v0.24.0 // indirect
- golang.org/x/sync v0.9.0 // indirect
- golang.org/x/sys v0.27.0 // indirect
- golang.org/x/text v0.20.0 // indirect
+ golang.org/x/sync v0.10.0 // indirect
+ golang.org/x/sys v0.29.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
 golang.org/x/time v0.8.0 // indirect
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
 google.golang.org/grpc v1.67.1 // indirect
 google.golang.org/protobuf v1.35.2 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
- k8s.io/apiserver v0.31.3 // indirect
- k8s.io/cli-runtime v0.31.3 // indirect
- k8s.io/component-base v0.31.3 // indirect
+ k8s.io/apiserver v0.32.0 // indirect
+ k8s.io/cli-runtime v0.32.0 // indirect
+ k8s.io/component-base v0.32.0 // indirect
 k8s.io/kube-aggregator v0.31.1 // indirect
- k8s.io/kube-openapi v0.0.0-20241009091222-67ed5848f094 // indirect
- k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect
+ k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
 modernc.org/libc v1.37.6 // indirect
 modernc.org/mathutil v1.6.0 // indirect
 modernc.org/memory v1.7.2 // indirect
 modernc.org/sqlite v1.28.0 // indirect
 oras.land/oras-go v1.2.5 // indirect
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
- sigs.k8s.io/controller-runtime v0.19.0 // indirect
+ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
+ sigs.k8s.io/controller-runtime v0.19.3 // indirect
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
- sigs.k8s.io/kustomize/api v0.17.2 // indirect
- sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+ sigs.k8s.io/kustomize/api v0.18.0 // indirect
+ sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
 require (
 github.com/hashicorp/go-version v1.7.0
- k8s.io/apiextensions-apiserver v0.31.3
+ k8s.io/apiextensions-apiserver v0.32.0
 )
 require (
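Review bot: `k8s.io/kube-aggregator v0.31.1 // indirect` stays as an unchanged context line in this go.mod hunk while `k8s.io/apiserver`, `k8s.io/cli-runtime` and `k8s.io/component-base` around it move to v0.32.0, so the module graph now mixes two Kubernetes minor versions. Because these are indirect requirements, the selected version comes from whichever dependent asks for it; it is worth checking with `go mod graph` which module holds kube-aggregator back and whether it builds cleanly against the 0.32 libraries. If the skew is intentional, a comment above the line such as `// kube-aggregator stays on v0.31.x until <dependent> moves to 0.32` would keep the next bump from silently diverging further.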
@@ -247,15 +241,16 @@ require (
 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.5
 github.com/k8snetworkplumbingwg/sriov-network-operator v1.4.0
 github.com/manifoldco/promptui v0.9.0
- github.com/redhat-best-practices-for-k8s/oct v0.0.28
- github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.41
- github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20241021175030-e64988a27024
+ github.com/redhat-best-practices-for-k8s/oct v0.0.30
+ github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.44
+ github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20241211152839-f787b66d23c7
 github.com/robert-nix/ansihtml v1.0.1
- golang.org/x/term v0.26.0
- google.golang.org/api v0.209.0
- k8s.io/kubectl v0.31.3
+ golang.org/x/term v0.28.0
+ google.golang.org/api v0.214.0
+ k8s.io/kubectl v0.32.0
+ k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
 )
-replace github.com/redhat-openshift-ecosystem/openshift-preflight => github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20241021175030-e64988a27024
+replace github.com/redhat-openshift-ecosystem/openshift-preflight => github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20241211152839-f787b66d23c7
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20241024191314-684b2b1679ba
diff --git a/go.sum b/go.sum
index 8b392c2ae..8fae69b48 100644
--- a/go.sum
+++ b/go.sum
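Review bot: The `replace github.com/redhat-openshift-ecosystem/openshift-preflight => …` line at the end of the last go.mod hunk points the module at the same pseudo-version the `require` entry a few lines above already selects, and nothing in the file says why the pin is needed. A replace in the main module overrides whatever version the rest of the graph would select, so a newer openshift-preflight requested by a dependency is ignored without notice, and both lines must be bumped together as this hunk does. I would add a comment above it, for example `// Pin openshift-preflight to a reviewed commit; keep in sync with the require entry above.`, or drop the replace if the require alone resolves to the intended commit. The unchanged `replace github.com/openshift/api` line below it would benefit from the same kind of comment.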
@@ -1,10 +1,11 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go/auth v0.10.2 h1:oKF7rgBfSHdp/kuhXtqU/tNDr0mZqhYbEh+6SiqzkKo= -cloud.google.com/go/auth v0.10.2/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI= -cloud.google.com/go/auth/oauth2adapt v0.2.5 h1:2p29+dePqsCHPP1bqDJcKj4qxRyYCcbzKpFyKGt3MTk= -cloud.google.com/go/auth/oauth2adapt v0.2.5/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8= -cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo= -cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k= +cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo= +cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= +cloud.google.com/go/auth v0.13.0 h1:8Fu8TZy167JkW8Tj3q7dIkr2v4cndv41ouecJx0PAHs= +cloud.google.com/go/auth v0.13.0/go.mod h1:COOjD9gwfKNKz+IIduatIhYJQIc0mG3H102r/EMxX6Q= +cloud.google.com/go/auth/oauth2adapt v0.2.6 h1:V6a6XDu2lTwPZWOawrAa9HUK+DB2zfJyTuciBG5hFkU= +cloud.google.com/go/auth/oauth2adapt v0.2.6/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8= +cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I= +cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= 
@@ -13,7 +14,6 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs= github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= @@ -64,7 +64,6 @@ github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuP github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= 
@@ -80,8 +79,6 @@ github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04= github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= github.com/clarketm/json v1.17.1 h1:U1IxjqJkJ7bRK4L6dyphmoO840P6bdhPdbbLySourqI= github.com/clarketm/json v1.17.1/go.mod h1:ynr2LRfb0fQU34l07csRNBTcivjySLLiY1YzQqKVfdo= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= @@ -175,10 +172,6 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= 
@@ -236,35 +229,20 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-migrate/migrate/v4 v4.17.1 h1:4zQ6iqL6t6AiItphxJctQb3cFqWiSpMnX7wLTPnnYO4= github.com/golang-migrate/migrate/v4 v4.17.1/go.mod h1:m8hinFyWBn0SA4QKHuKh175Pm9wjmxj3S2Mia7dbXzM= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= 
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= -github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= +github.com/google/cel-go v0.22.0 h1:b3FJZxpiv1vTMo2/5RDUqAHPxkT8mmMfJIrq1llbf7g= +github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -273,15 +251,14 @@ github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEva github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= -github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM= github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw= 
@@ -398,8 +375,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/mittwald/go-helm-client v0.12.14 h1:az3GJ4kRmFK609Ic3iHXveNtg92n9jWG0YpKKTIK4oo= -github.com/mittwald/go-helm-client v0.12.14/go.mod h1:2VogAupgnV7FiuoPqtpCYKS/RrMh9fFA3/pD/OmTaLc= +github.com/mittwald/go-helm-client v0.12.16 h1:YTyJX6L0SI/O7HNTG0qDZI2/jyGELxJOQEjvTj4mf6k= +github.com/mittwald/go-helm-client v0.12.16/go.mod h1:PDF7Ra8bmJ2YTNzoehoMMi+gW/EJBk/4TLz7j52rehY= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= 
@@ -432,10 +409,10 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= -github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= -github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= -github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= +github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg= +github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= +github.com/onsi/gomega v1.36.0 h1:Pb12RlruUtj4XUuPUqeEWc6j5DkVVVA49Uf6YLfC95Y= +github.com/onsi/gomega v1.36.0/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -482,7 +459,6 @@ github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zI github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= 
@@ -494,14 +470,14 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= -github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.51 h1:ZcEEA0+7YHcRzrEf/LnhxHVerPHaW0f33J6PTZer2fA= -github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.51/go.mod h1:qIlDWD1vOMo/aZx5i+I0FrKUAp3iXV7waFBVET0q6Yo= -github.com/redhat-best-practices-for-k8s/oct v0.0.28 h1:jsVQ8zNY4HP0a+N5LpW445Y3phklZ4PGtlU1pZQ0Wic= -github.com/redhat-best-practices-for-k8s/oct v0.0.28/go.mod h1:TnyopIPwdsaI7gikOi7WmT9/lgzd1Lp6DZaN6nMJhBA= -github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.41 h1:YhbuZB3pnWvtJwxyC4sFGBBbpISHmk9xp5BUgQkaWcs= -github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.41/go.mod h1:cDM3SyYFuMPlzJhQ4FRWLL0bQ/MnEFKPyY7AX+Y+k8U= -github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20241021175030-e64988a27024 h1:qPsNS6SIDigSwcUMUrEdDovIAdbVCNOGvhir8p6wVNc= -github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20241021175030-e64988a27024/go.mod h1:WgrOUZnQYsTQetJwbMHkcNecYaOcWMmTVDmDOTTIMcQ= +github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.52 h1:lYegIlsbTrSJcKl5ArvB4A9H7MKJutjDhRlJWhPp+vs= +github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.52/go.mod h1:0ffZ5t3Kk/6mJu0DhUrl3LSGzPXdFbZATiKcbOEhNHs= +github.com/redhat-best-practices-for-k8s/oct v0.0.30 h1:XPCi2DiQXuGDB0CiBbcDWiSMcY73rlNsjZ0oJiHjqns= +github.com/redhat-best-practices-for-k8s/oct v0.0.30/go.mod h1:3/XMjlvc6uiGs5ShI4JWveN1+D3UxAgCiyH5Ib/ZZsE= +github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.44 h1:mgD7WRZpC2xbS/5nqzRxsXeyaF04Y10OrQdFdVjf9Ek= +github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.44/go.mod 
h1:XVI9IK9DKYKz21XYxBcRYJMeN8Meily8meHOz1Yxcyw= +github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20241211152839-f787b66d23c7 h1:zfL9KPgdJ5m0KuEUg283u2eQjJ++nm916W+dGj1cbRk= +github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20241211152839-f787b66d23c7/go.mod h1:OfW8qqVJj2/rhgoC7unTiGDsLRwmKwaGAnHU5yaC3+k= github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho= github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U= github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc= 
@@ -597,12 +573,12 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0= go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= -go.etcd.io/etcd/api/v3 v3.5.15 h1:3KpLJir1ZEBrYuV2v+Twaa/e2MdDCEZ/70H+lzEiwsk= -go.etcd.io/etcd/api/v3 v3.5.15/go.mod h1:N9EhGzXq58WuMllgH9ZvnEr7SI9pS0k0+DHZezGp7jM= -go.etcd.io/etcd/client/pkg/v3 v3.5.15 h1:fo0HpWz/KlHGMCC+YejpiCmyWDEuIpnTDzpJLB5fWlA= -go.etcd.io/etcd/client/pkg/v3 v3.5.15/go.mod h1:mXDI4NAOwEiszrHCb0aqfAYNCrZP4e9hRca3d1YK8EU= -go.etcd.io/etcd/client/v3 v3.5.15 h1:23M0eY4Fd/inNv1ZfU3AxrbbOdW79r9V9Rl62Nm6ip4= -go.etcd.io/etcd/client/v3 v3.5.15/go.mod h1:CLSJxrYjvLtHsrPKsy7LmZEE+DK2ktfd2bN4RhBMwlU= +go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0= +go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28= +go.etcd.io/etcd/client/pkg/v3 v3.5.16 h1:ZgY48uH6UvB+/7R9Yf4x574uCO3jIx0TRDyetSfId3Q= +go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E= +go.etcd.io/etcd/client/v3 v3.5.16 h1:sSmVYOAHeC9doqi0gv7v86oY/BTld0SEFGaxsU9eRhE= +go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1 h1:ysCfPZB9AjUlMa1UHYup3c9dAOCMQX/6sxSfPBUoxHw= 
@@ -639,8 +615,6 @@ go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt3 go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= -go.starlark.net v0.0.0-20231121155337-90ade8b19d09 h1:hzy3LFnSN8kuQK8h9tHl4ndF6UruMj47OqwqsS+/Ai4= -go.starlark.net v0.0.0-20231121155337-90ade8b19d09/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -654,49 +628,37 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= -golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190228165749-92fc7df08ae7/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= -golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= -golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE= golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= 
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= -golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -715,26 +677,22 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= -golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU= +golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= -golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= +golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg= +golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= -golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg= 
golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 
@@ -749,35 +707,16 @@ golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSm golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/api v0.209.0 h1:Ja2OXNlyRlWCWu8o+GgI4yUn/wz9h/5ZfFbKz+dQX+w= -google.golang.org/api v0.209.0/go.mod h1:I53S168Yr/PNDNMi5yPnDc0/LGRZO6o7PoEbl/HY3CM= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f h1:zDoHYmMzMacIdjNe+P2XiTmPsLawi/pCbSPfxt6lTfw= -google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f/go.mod h1:Q5m6g8b5KaFFzsQFIGdJkSJDGeJiybVenoYFMMa3ohI= -google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= -google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f h1:C1QccEa9kUwvMgEUORqQD9S17QesQijxjZ84sO82mfo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.23.0/go.mod 
h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/api v0.214.0 h1:h2Gkq07OYi6kusGOaT/9rnNljuXmqPnaig7WGPmKbwA= +google.golang.org/api v0.214.0/go.mod h1:bYPpLG8AyeMWwDU6NXoB00xC0DFkikVvd5MfwoxjLqE= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= +google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ= +google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod 
h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= 
@@ -806,34 +745,32 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.16.3 h1:kb8bSxMeRJ+knsK/ovvlaVPfdis0X3/ZhYCSFRP+YmY= -helm.sh/helm/v3 v3.16.3/go.mod h1:zeVWGDR4JJgiRbT3AnNsjYaX8OTJlIE9zC+Q7F7iUSU= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8= -k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE= -k8s.io/apiextensions-apiserver v0.31.3 h1:+GFGj2qFiU7rGCsA5o+p/rul1OQIq6oYpQw4+u+nciE= -k8s.io/apiextensions-apiserver v0.31.3/go.mod h1:2DSpFhUZZJmn/cr/RweH1cEVVbzFw9YBu4T+U3mf1e4= -k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= -k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= -k8s.io/apiserver v0.31.3 h1:+1oHTtCB+OheqFEz375D0IlzHZ5VeQKX1KGXnx+TTuY= -k8s.io/apiserver v0.31.3/go.mod h1:PrxVbebxrxQPFhJk4powDISIROkNMKHibTg9lTRQ0Qg= -k8s.io/cli-runtime v0.31.3 h1:fEQD9Xokir78y7pVK/fCJN090/iYNrLHpFbGU4ul9TI= -k8s.io/cli-runtime v0.31.3/go.mod h1:Q2jkyTpl+f6AtodQvgDI8io3jrfr+Z0LyQBPJJ2Btq8= -k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4= -k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs= -k8s.io/component-base v0.31.3 h1:DMCXXVx546Rfvhj+3cOm2EUxhS+EyztH423j+8sOwhQ= -k8s.io/component-base v0.31.3/go.mod h1:xME6BHfUOafRgT0rGVBGl7TuSg8Z9/deT7qq6w7qjIU= +helm.sh/helm/v3 v3.16.4 h1:rBn/h9MACw+QlhxQTjpl8Ifx+VTWaYsw3rguGBYBzr0= +helm.sh/helm/v3 v3.16.4/go.mod h1:k8QPotUt57wWbi90w3LNmg3/MWcLPigVv+0/X4B8BzA= +k8s.io/api v0.32.0 
h1:OL9JpbvAU5ny9ga2fb24X8H6xQlVp+aJMFlgtQjR9CE= +k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0= +k8s.io/apiextensions-apiserver v0.32.0 h1:S0Xlqt51qzzqjKPxfgX1xh4HBZE+p8KKBq+k2SWNOE0= +k8s.io/apiextensions-apiserver v0.32.0/go.mod h1:86hblMvN5yxMvZrZFX2OhIHAuFIMJIZ19bTvzkP+Fmw= +k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg= +k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= +k8s.io/apiserver v0.32.0 h1:VJ89ZvQZ8p1sLeiWdRJpRD6oLozNZD2+qVSLi+ft5Qs= +k8s.io/apiserver v0.32.0/go.mod h1:HFh+dM1/BE/Hm4bS4nTXHVfN6Z6tFIZPi649n83b4Ag= +k8s.io/cli-runtime v0.32.0 h1:dP+OZqs7zHPpGQMCGAhectbHU2SNCuZtIimRKTv2T1c= +k8s.io/cli-runtime v0.32.0/go.mod h1:Mai8ht2+esoDRK5hr861KRy6z0zHsSTYttNVJXgP3YQ= +k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8= +k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8= +k8s.io/component-base v0.32.0 h1:d6cWHZkCiiep41ObYQS6IcgzOUQUNpywm39KVYaUqzU= +k8s.io/component-base v0.32.0/go.mod h1:JLG2W5TUxUu5uDyKiH2R/7NnxJo1HlPoRIIbVLkK5eM= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-aggregator v0.31.1 h1:vrYBTTs3xMrpiEsmBjsLETZE9uuX67oQ8B3i1BFfMPw= k8s.io/kube-aggregator v0.31.1/go.mod h1:+aW4NX50uneozN+BtoCxI4g7ND922p8Wy3tWKFDiWVk= -k8s.io/kube-openapi v0.0.0-20241009091222-67ed5848f094 h1:MErs8YA0abvOqJ8gIupA1Tz6PKXYUw34XsGlA7uSL1k= -k8s.io/kube-openapi v0.0.0-20241009091222-67ed5848f094/go.mod h1:7ioBJr1A6igWjsR2fxq2EZ0mlMwYLejazSIc2bzMp2U= -k8s.io/kubectl v0.31.3 h1:3r111pCjPsvnR98oLLxDMwAeM6OPGmPty6gSKaLTQes= -k8s.io/kubectl v0.31.3/go.mod h1:lhMECDCbJN8He12qcKqs2QfmVo9Pue30geovBVpH5fs= -k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI= -k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y= +k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= +k8s.io/kubectl v0.32.0 h1:rpxl+ng9qeG79YA4Em9tLSfX0G8W0vfaiPVrc/WR7Xw= +k8s.io/kubectl v0.32.0/go.mod h1:qIjSX+QgPQUgdy8ps6eKsYNF+YmFOAO3WygfucIqFiE= +k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= +k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= modernc.org/libc v1.37.6 h1:orZH3c5wmhIQFTXF+Nt+eeauyd+ZIt2BX6ARe+kD+aw= modernc.org/libc v1.37.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE= modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4= 
@@ -844,19 +781,19 @@ modernc.org/sqlite v1.28.0 h1:Zx+LyDDmXczNnEQdvPuEfcFVA2ZPyaD7UCZDjef3BHQ= modernc.org/sqlite v1.28.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0= oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= +sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw= +sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 h1:PFWFSkpArPNJxFX4ZKWAk9NSeRoZaXschn+ULa4xVek= sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I= -sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= -sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= -sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= -sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= 
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= -sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo= +sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U= +sigs.k8s.io/kustomize/kyaml v0.18.1 h1:WvBo56Wzw3fjS+7vBjN6TeivvpbW9GmRaWZ9CIVmt4E= +sigs.k8s.io/kustomize/kyaml v0.18.1/go.mod h1:C3L2BFVU1jgcddNBE1TxuVLgS46TjObMwW5FT9FcjYo= +sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA= +sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/internal/results/doc.go b/internal/results/doc.go index 67461c9da..9b1c08ff2 100644 --- a/internal/results/doc.go +++ b/internal/results/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2021-2022 Red Hat, Inc. +// Copyright (C) 2021-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/internal/results/doc_test.go b/internal/results/doc_test.go index 67461c9da..9b1c08ff2 100644 --- a/internal/results/doc_test.go +++ b/internal/results/doc_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2021-2022 Red Hat, Inc. +// Copyright (C) 2021-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/pkg/autodiscover/autodiscover.go b/pkg/autodiscover/autodiscover.go index 600ec3795..948020fa3 100644 --- a/pkg/autodiscover/autodiscover.go +++ b/pkg/autodiscover/autodiscover.go 
@@ -92,6 +92,7 @@ type DiscoveredTestData struct { RoleBindings []rbacv1.RoleBinding // Contains all rolebindings from all namespaces Roles []rbacv1.Role // Contains all roles from all namespaces Services []*corev1.Service + AllServices []*corev1.Service ServiceAccounts []*corev1.ServiceAccount AllServiceAccounts []*corev1.ServiceAccount Hpas []*scalingv1.HorizontalPodAutoscaler @@ -169,7 +170,10 @@ func DoAutoDiscover(config *configuration.TestConfiguration) DiscoveredTestData } data.AllInstallPlans = getAllInstallPlans(oc.OlmClient) data.AllCatalogSources = getAllCatalogSources(oc.OlmClient) + log.Info("Collected %d catalog sources during autodiscovery", len(data.AllCatalogSources)) + data.AllPackageManifests = getAllPackageManifests(oc.OlmPkgClient) + data.Namespaces = namespacesListToStringList(config.TargetNameSpaces) data.Pods, data.AllPods = findPodsByLabels(oc.K8sClient.CoreV1(), podsUnderTestLabelsObjects, data.Namespaces) data.AbnormalEvents = findAbnormalEvents(oc.K8sClient.CoreV1(), data.Namespaces) @@ -276,6 +280,10 @@ func DoAutoDiscover(config *configuration.TestConfiguration) DiscoveredTestData if err != nil { log.Fatal("Cannot get list of services, err: %v", err) } + data.AllServices, err = getServices(oc.K8sClient.CoreV1(), data.AllNamespaces, data.ServicesIgnoreList) + if err != nil { + log.Fatal("Cannot get list of all services, err: %v", err) + } data.ServiceAccounts, err = getServiceAccounts(oc.K8sClient.CoreV1(), data.Namespaces) if err != nil { log.Fatal("Cannot get list of service accounts under test, err: %v", err) diff --git a/pkg/autodiscover/autodiscover_operators.go b/pkg/autodiscover/autodiscover_operators.go index e2ededd60..5a347d0ae 100644 --- a/pkg/autodiscover/autodiscover_operators.go +++ b/pkg/autodiscover/autodiscover_operators.go 
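Review bot: The new `data.AllServices` collection in the `@@ -276` hunk lists services across `data.AllNamespaces` and calls `log.Fatal` on any error, so the whole run now depends on cluster-wide list access to services. The only consumer visible in this commit is the OCP <= 4.12 probe-container path in `pkg/provider/catalogsources.go`, which already copes with finding no matching service. Consider `log.Error` here and leaving `AllServices` empty, unless a fatal exit is intended. The struct field added in the `@@ -92` hunk also lacks the scope comment its neighbours carry, for example `AllServices []*corev1.Service // Services from all namespaces (ServicesIgnoreList applied)`. `DoAutoDiscover` starts and ends outside these hunks.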
@@ -81,6 +81,14 @@ func findOperatorsMatchingAtLeastOneLabel(olmClient clientOlm.Interface, labels } func findOperatorsByLabels(olmClient clientOlm.Interface, labels []labelObject, namespaces []configuration.Namespace) (csvs []*olmv1Alpha.ClusterServiceVersion) { + const nsAnnotation = "olm.operatorNamespace" + + // Helper namespaces map to do quick search of the operator's controller namespace. + namespacesMap := map[string]bool{} + for _, ns := range namespaces { + namespacesMap[ns.Name] = true + } + csvs = []*olmv1Alpha.ClusterServiceVersion{} var csvList *olmv1Alpha.ClusterServiceVersionList for _, ns := range namespaces { @@ -97,7 +105,18 @@ func findOperatorsByLabels(olmClient clientOlm.Interface, labels []labelObject, } } for i := range csvList.Items { - csvs = append(csvs, &csvList.Items[i]) + csv := &csvList.Items[i] + + // Filter out CSV if operator's controller pod/s is/are not running in any configured/test namespace. + controllerNamespace, found := csv.Annotations[nsAnnotation] + if !found { + log.Error("Failed to get ns annotation %q from csv %v/%v", nsAnnotation, csv.Namespace, csv.Name) + continue + } + + if namespacesMap[controllerNamespace] { + csvs = append(csvs, csv) + } } } for i := range csvs { diff --git a/pkg/autodiscover/autodiscover_operators_test.go b/pkg/autodiscover/autodiscover_operators_test.go index 8c5af87b3..2c6969e10 100644 --- a/pkg/autodiscover/autodiscover_operators_test.go +++ b/pkg/autodiscover/autodiscover_operators_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2023 Red Hat, Inc. +// Copyright (C) 2023-2024 Red Hat, Inc. package autodiscover diff --git a/pkg/autodiscover/autodiscover_pdbs_test.go b/pkg/autodiscover/autodiscover_pdbs_test.go index 7f0ef86d9..d6e424927 100644 --- a/pkg/autodiscover/autodiscover_pdbs_test.go +++ b/pkg/autodiscover/autodiscover_pdbs_test.go 
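Review bot: In the `@@ -97` hunk of `findOperatorsByLabels`, a CSV whose `olm.operatorNamespace` annotation names a namespace outside the configured list is dropped without any log line, and a CSV missing the annotation is dropped with only an error log. For a certification run this silently narrows what is tested. Log the first case as well, e.g. `log.Info("Skipping csv %v/%v: controller namespace %q is not a configured namespace", csv.Namespace, csv.Name, controllerNamespace)`. The annotation is object metadata, so it is worth confirming that skipping on a missing annotation is the intended policy rather than failing or keeping the CSV. A short doc comment on the function stating the new filtering rule would help; the function body continues outside the hunk.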
@@ -1,4 +1,4 @@
-// Copyright (C) 2022-2023 Red Hat, Inc.
+// Copyright (C) 2022-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/pkg/autodiscover/autodiscover_resources_test.go b/pkg/autodiscover/autodiscover_resources_test.go
index 7eefcb552..60a4d43fa 100644
--- a/pkg/autodiscover/autodiscover_resources_test.go
+++ b/pkg/autodiscover/autodiscover_resources_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 Red Hat, Inc.
+// Copyright (C) 2022-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/pkg/autodiscover/autodiscover_services.go b/pkg/autodiscover/autodiscover_services.go
index a50b3d556..d7370e875 100644
--- a/pkg/autodiscover/autodiscover_services.go
+++ b/pkg/autodiscover/autodiscover_services.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022-2023 Red Hat, Inc.
+// Copyright (C) 2022-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/pkg/autodiscover/autodiscover_services_test.go b/pkg/autodiscover/autodiscover_services_test.go
index 80dfa0ecd..bd9242c90 100644
--- a/pkg/autodiscover/autodiscover_services_test.go
+++ b/pkg/autodiscover/autodiscover_services_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2020-2023 Red Hat, Inc.
+// Copyright (C) 2020-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/pkg/autodiscover/autodiscover_test.go b/pkg/autodiscover/autodiscover_test.go
index 3eba44d13..de9753d88 100644
--- a/pkg/autodiscover/autodiscover_test.go
+++ b/pkg/autodiscover/autodiscover_test.go
@@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/pkg/autodiscover/constants.go b/pkg/autodiscover/constants.go index 641f34698..4823ea716 100644 --- a/pkg/autodiscover/constants.go +++ b/pkg/autodiscover/constants.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/pkg/compatibility/compatibility.go b/pkg/compatibility/compatibility.go index 22cb26bb2..db16bbbac 100644 --- a/pkg/compatibility/compatibility.go +++ b/pkg/compatibility/compatibility.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by @@ -50,7 +50,7 @@ type VersionInfo struct { } var ( - ocpBetaVersions = []string{"4.13", "4.14", "4.15", "4.16", "4.17"} + ocpBetaVersions = []string{"4.13", "4.14", "4.15", "4.16", "4.17", "4.18"} ocpLifeCycleDates = map[string]VersionInfo{ // TODO: Adjust all of these periodically to make sure they are up to date with the lifecycle // update documentation. diff --git a/pkg/compatibility/compatibility_test.go b/pkg/compatibility/compatibility_test.go index d717ed14e..a475936ef 100644 --- a/pkg/compatibility/compatibility_test.go +++ b/pkg/compatibility/compatibility_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by 
diff --git a/pkg/diagnostics/diagnostics.go b/pkg/diagnostics/diagnostics.go
index 507e3d249..2741a3fde 100644
--- a/pkg/diagnostics/diagnostics.go
+++ b/pkg/diagnostics/diagnostics.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2023 Red Hat, Inc.
+// Copyright (C) 2021-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/pkg/diagnostics/diagnostics_test.go b/pkg/diagnostics/diagnostics_test.go
index aba92734a..63a04cc4e 100644
--- a/pkg/diagnostics/diagnostics_test.go
+++ b/pkg/diagnostics/diagnostics_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2023 Red Hat, Inc.
+// Copyright (C) 2021-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/pkg/postmortem/postmortem.go b/pkg/postmortem/postmortem.go
index 874b45960..c957ee488 100644
--- a/pkg/postmortem/postmortem.go
+++ b/pkg/postmortem/postmortem.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 Red Hat, Inc.
+// Copyright (C) 2022-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/pkg/provider/catalogsources.go b/pkg/provider/catalogsources.go
new file mode 100644
index 000000000..fbf48c0f8
--- /dev/null
+++ b/pkg/provider/catalogsources.go
@@ -0,0 +1,106 @@ +package provider + +import ( + "strconv" + "strings" + + "github.com/Masterminds/semver" + olmv1Alpha "github.com/operator-framework/api/pkg/operators/v1alpha1" + "github.com/redhat-best-practices-for-k8s/certsuite/internal/clientsholder" + "github.com/redhat-best-practices-for-k8s/certsuite/internal/log" +) + +func GetCatalogSourceBundleCount(env *TestEnvironment, cs *olmv1Alpha.CatalogSource) int { + // Now that we know the catalog source, we are going to count up all of the relatedImages + // that are associated with the catalog source. This will give us the number of bundles that + // are available in the catalog source. + + // If the OCP version is <= 4.12, we need to use the probe container to get the bundle count + const ( + ocpMajorVersion = 4 + ocpMinorVersion = 12 + ) + + // Check if the cluster is running an OCP version <= 4.12 + if env.OpenshiftVersion != "" { + log.Info("Cluster is determined to be running Openshift version %q.", env.OpenshiftVersion) + version, err := semver.NewVersion(env.OpenshiftVersion) + if err != nil { + log.Error("Failed to parse Openshift version %q.", env.OpenshiftVersion) + return 0 + } + + if version.Major() < ocpMajorVersion || (version.Major() == ocpMajorVersion && version.Minor() <= ocpMinorVersion) { + return getCatalogSourceBundleCountFromProbeContainer(env, cs) + } + + // If we didn't find the bundle count via the probe container, we can attempt to use the package manifests + } + + // If we didn't find the bundle count via the probe container, we can use the package manifests + // to get the bundle count + return getCatalogSourceBundleCountFromPackageManifests(env, cs) +} + +func getCatalogSourceBundleCountFromProbeContainer(env *TestEnvironment, cs *olmv1Alpha.CatalogSource) int { + // We need to use the probe container to get the bundle count + // This is because the package manifests are not available in the cluster + // for OCP versions <= 4.12 + o := clientsholder.GetClientsHolder() + + // Find 
the kubernetes service associated with the catalog source + for _, svc := range env.AllServices { + // Skip if the service is not associated with the catalog source + if svc.Spec.Selector["olm.catalogSource"] != cs.Name { + continue + } + + log.Info("Found service %q associated with catalog source %q.", svc.Name, cs.Name) + + // Use a probe pod to get the bundle count + for _, probePod := range env.ProbePods { + ctx := clientsholder.NewContext(probePod.Namespace, probePod.Name, probePod.Spec.Containers[0].Name) + cmd := "grpcurl -plaintext " + svc.Spec.ClusterIP + ":50051 api.Registry.ListBundles | jq -s 'length'" + cmdValue, errStr, err := o.ExecCommandContainer(ctx, cmd) + if err != nil || errStr != "" { + log.Error("Failed to execute command %s in probe pod %s", cmd, probePod.String()) + continue + } + + // Sanitize the command output + cmdValue = strings.TrimSpace(cmdValue) + cmdValue = strings.Trim(cmdValue, "\"") + + // Parse the command output + bundleCount, err := strconv.Atoi(cmdValue) + if err != nil { + log.Error("Failed to convert bundle count to integer: %s", cmdValue) + continue + } + + // Try each probe pod until we get a valid bundle count (which should only be 1 probe pod) + log.Info("Found bundle count via grpcurl %d for catalog source %q.", bundleCount, cs.Name) + return bundleCount + } + } + + log.Warn("Warning: No services found associated with catalog source %q.", cs.Name) + return -1 +} + +func getCatalogSourceBundleCountFromPackageManifests(env *TestEnvironment, cs *olmv1Alpha.CatalogSource) int { + totalRelatedBundles := 0 + for _, pm := range env.AllPackageManifests { + // Skip if the package manifest is not associated with the catalog source + if pm.Status.CatalogSource != cs.Name || pm.Status.CatalogSourceNamespace != cs.Namespace { + continue + } + + // Count up the number of related bundles + for c := range pm.Status.Channels { + totalRelatedBundles += len(pm.Status.Channels[c].Entries) + } + } + + return totalRelatedBundles +} 
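Review bot: `getCatalogSourceBundleCountFromProbeContainer` picks the registry service by the `olm.catalogSource` selector value alone. `env.AllServices` is collected across all namespaces, so a Service in an unrelated namespace with the same selector value would be queried and its answer reported as the bundle count. The package-manifest path in this same file already compares both name and namespace, so the guard should too: `if svc.Namespace != cs.Namespace || svc.Spec.Selector["olm.catalogSource"] != cs.Name { continue }`. Two further gaps in the same loop: a service with an empty or `None` ClusterIP is still spliced into the `grpcurl -plaintext` command line with a hard-coded port 50051, and `probePod.Spec.Containers[0]` is indexed without a length check. The closing `log.Warn` also reports "No services found" when a service matched but every probe pod failed, and the three helpers return 0, -1 or a count without a doc comment explaining which value means what.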
diff --git a/pkg/provider/catalogsources_test.go b/pkg/provider/catalogsources_test.go
new file mode 100644
index 000000000..09cd4b282
--- /dev/null
+++ b/pkg/provider/catalogsources_test.go
@@ -0,0 +1,85 @@ +package provider + +import ( + "testing" + + olmv1Alpha "github.com/operator-framework/api/pkg/operators/v1alpha1" + olmpkgv1 "github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/apis/operators/v1" + "github.com/stretchr/testify/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func TestGetCatalogSourceBundleCount(t *testing.T) { + generateEnv := func(channelEntries []olmpkgv1.ChannelEntry) *TestEnvironment { + return &TestEnvironment{ + AllPackageManifests: []*olmpkgv1.PackageManifest{ + { + Status: olmpkgv1.PackageManifestStatus{ + CatalogSource: "test-catalog-source", + CatalogSourceNamespace: "test-catalog-source-namespace", + Channels: []olmpkgv1.PackageChannel{ + { + Entries: channelEntries, + }, + }, + }, + }, + }, + } + } + + testCases := []struct { + testEnv *TestEnvironment + testCS *olmv1Alpha.CatalogSource + expected int + }{ + { // Test case 1 + testEnv: generateEnv([]olmpkgv1.ChannelEntry{ + { + Name: "test-csv.v1.0.0", + }, + { + Name: "test-csv.v1.0.1", + }, + }), + testCS: &olmv1Alpha.CatalogSource{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-catalog-source", + Namespace: "test-catalog-source-namespace", + }, + }, + expected: 2, + }, + { // Test Case 2 - No matching catalog source found, expecting 0 + testEnv: generateEnv([]olmpkgv1.ChannelEntry{ + { + Name: "test-csv.v1.0.0", + }, + { + Name: "test-csv.v1.0.1", + }, + }), + testCS: &olmv1Alpha.CatalogSource{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-catalog-source2", + Namespace: "test-catalog-source-namespace", + }, + }, + expected: 0, + }, + { // Test Case 3 - No images in the catalog source, expecting 0 + testEnv: generateEnv([]olmpkgv1.ChannelEntry{}), + testCS: &olmv1Alpha.CatalogSource{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-catalog-source", + Namespace: "test-catalog-source-namespace", + }, + }, + expected: 0, + }, + } + + for _, testCase := range testCases { + assert.Equal(t, testCase.expected, 
GetCatalogSourceBundleCount(testCase.testEnv, testCase.testCS)) + } +} diff --git a/pkg/provider/containers.go b/pkg/provider/containers.go index 8c2a2f71d..241c68a07 100644 --- a/pkg/provider/containers.go +++ b/pkg/provider/containers.go 
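Review bot: The table only exercises the package-manifest path, because `generateEnv` never sets `OpenshiftVersion`. The version parsing, the `<= 4.12` boundary and the early `return 0` on an unparsable version in `GetCatalogSourceBundleCount` are therefore untested. A case with an invalid `OpenshiftVersion` string expecting 0, and one with a version above 4.12 expecting the manifest count, need no cluster access and would pin that boundary. A case whose catalog source name matches but whose namespace differs would also cover the namespace half of the manifest filter. Wrapping each row in `t.Run` with a name would make a failing row identifiable.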
@@ -197,10 +197,26 @@ func (c *Container) IsReadOnlyRootFilesystem(logger *log.Logger) bool { func (c *Container) IsContainerRunAsNonRoot(podRunAsNonRoot *bool) (isContainerRunAsNonRoot bool, reason string) { if c.SecurityContext != nil && c.SecurityContext.RunAsNonRoot != nil { - return *c.SecurityContext.RunAsNonRoot, fmt.Sprintf("RunAsNonRoot is set to %t at the container level, overriding a %v value defined at pod level.", *c.SecurityContext.RunAsNonRoot, stringhelper.BoolToString(podRunAsNonRoot)) + return *c.SecurityContext.RunAsNonRoot, fmt.Sprintf("RunAsNonRoot is set to %t at the container level, overriding a %v value defined at pod level", + *c.SecurityContext.RunAsNonRoot, stringhelper.PointerToString(podRunAsNonRoot)) } + if podRunAsNonRoot != nil { - return *podRunAsNonRoot, fmt.Sprintf("RunAsNonRoot is set to nil at container level and inheriting a %t value from the pod level RunAsNonRoot setting.", *podRunAsNonRoot) + return *podRunAsNonRoot, fmt.Sprintf("RunAsNonRoot is set to nil at container level and inheriting a %t value from the pod level RunAsNonRoot setting", *podRunAsNonRoot) + } + + return false, "RunAsNonRoot is set to nil at pod and container level" +} + +func (c *Container) IsContainerRunAsNonRootUserID(podRunAsNonRootUserID *int64) (isContainerRunAsNonRootUserID bool, reason string) { + if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil { + return *c.SecurityContext.RunAsUser != 0, fmt.Sprintf("RunAsUser is set to %v at the container level, overriding a %s value defined at pod level", + *c.SecurityContext.RunAsUser, stringhelper.PointerToString(podRunAsNonRootUserID)) + } + + if podRunAsNonRootUserID != nil { + return *podRunAsNonRootUserID != 0, fmt.Sprintf("RunAsUser is set to nil at container level and inheriting a %v value from the pod level RunAsUser setting", *podRunAsNonRootUserID) } - return false, "RunAsNonRoot set to nil at pod and container level" + + return false, "RunAsUser is set to nil at pod and container 
level" } diff --git a/pkg/provider/containers_test.go b/pkg/provider/containers_test.go index 0fd26b1fd..4b9b95794 100644 --- a/pkg/provider/containers_test.go +++ b/pkg/provider/containers_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by @@ -266,7 +266,7 @@ func TestIsContainerRunAsNonRoot(t *testing.T) { }, podDefault: &falseVal, expected: true, - expectedReason: "RunAsNonRoot is set to true at the container level, overriding a false value defined at pod level.", + expectedReason: "RunAsNonRoot is set to true at the container level, overriding a false value defined at pod level", }, { name: "Container set to not run as non-root", @@ -279,7 +279,7 @@ func TestIsContainerRunAsNonRoot(t *testing.T) { }, podDefault: &trueVal, expected: false, - expectedReason: "RunAsNonRoot is set to false at the container level, overriding a true value defined at pod level.", + expectedReason: "RunAsNonRoot is set to false at the container level, overriding a true value defined at pod level", }, { name: "Container set to not run as non-root", @@ -292,7 +292,7 @@ func TestIsContainerRunAsNonRoot(t *testing.T) { }, podDefault: &falseVal, expected: false, - expectedReason: "RunAsNonRoot is set to nil at container level and inheriting a false value from the pod level RunAsNonRoot setting.", + expectedReason: "RunAsNonRoot is set to nil at container level and inheriting a false value from the pod level RunAsNonRoot setting", }, { name: "nil at pod and true at container", 
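Review bot: The new exported method `IsContainerRunAsNonRootUserID` has no doc comment, and its parameter `podRunAsNonRootUserID` actually carries the pod-level `RunAsUser` value, which the name obscures. Something like `podRunAsUser *int64` would read more accurately, with a comment such as `// IsContainerRunAsNonRootUserID reports whether the effective RunAsUser (container level first, then pod level) is a non-zero UID; it returns false when neither level sets RunAsUser.` It would help to state in that comment that the unset case is a conservative result, since the UID then comes from the image and cannot be derived from the spec. The `containers_test.go` hunks on this page only update expected strings for `IsContainerRunAsNonRoot`. If no test for the new method exists elsewhere, a table covering UID 0 at container level, non-zero at pod level, and nil at both would be worth adding.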
@@ -305,7 +305,7 @@ func TestIsContainerRunAsNonRoot(t *testing.T) { }, podDefault: nil, expected: true, - expectedReason: "RunAsNonRoot is set to true at the container level, overriding a nil value defined at pod level.", + expectedReason: "RunAsNonRoot is set to true at the container level, overriding a nil value defined at pod level", }, } diff --git a/pkg/provider/deployments.go b/pkg/provider/deployments.go index 6c7859630..68377ac34 100644 --- a/pkg/provider/deployments.go +++ b/pkg/provider/deployments.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/pkg/provider/deployments_test.go b/pkg/provider/deployments_test.go index 0af1eb69a..7e03ad1ec 100644 --- a/pkg/provider/deployments_test.go +++ b/pkg/provider/deployments_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/pkg/provider/filters_test.go b/pkg/provider/filters_test.go index 0efa0a2f2..a4ddc740f 100644 --- a/pkg/provider/filters_test.go +++ b/pkg/provider/filters_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/pkg/provider/isolation.go b/pkg/provider/isolation.go index 0febd960d..5e9524375 100644 --- a/pkg/provider/isolation.go +++ b/pkg/provider/isolation.go 
@@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/pkg/provider/pods.go b/pkg/provider/pods.go index 3bc4777e8..b533d4215 100644 --- a/pkg/provider/pods.go +++ b/pkg/provider/pods.go 
@@ -520,31 +520,42 @@ func (p *Pod) IsRunAsUserID(uid int64) bool { return *p.Pod.Spec.SecurityContext.RunAsUser == uid } -// Returns the list of containers that have the RunAsNonRoot SCC parameter set to false -// The RunAsNonRoot parameter is checked first at the pod level and acts as a default value +// Returns the list of containers that have the securityContext.runAsNonRoot set to false and securityContext.runAsUser set to zero. +// Both parameteters are checked first at the pod level and acts as a default value // for the container configuration, if it is not present. -// The RunAsNonRoot parameter is checked next at the container level. // See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -func (p *Pod) GetRunAsNonRootFalseContainers(knownContainersToSkip map[string]bool) (nonCompliantContainers []*Container, nonComplianceReason []string) { +func (p *Pod) GetRunAsNonRootFalseContainers(knownContainersToSkip map[string]bool) (nonCompliantContainers []*Container, nonComplianceReasons []string) { // Check pod-level security context this will be set by default for containers // If not already configured at the container level var podRunAsNonRoot *bool if p.Pod.Spec.SecurityContext != nil && p.Pod.Spec.SecurityContext.RunAsNonRoot != nil { podRunAsNonRoot = p.Pod.Spec.SecurityContext.RunAsNonRoot } + + var podRunAsUserID *int64 + if p.Pod.Spec.SecurityContext != nil && p.Pod.Spec.SecurityContext.RunAsUser != nil { + podRunAsUserID = p.Pod.Spec.SecurityContext.RunAsUser + } + // Check each container for the RunAsNonRoot parameter. 
// If it is not present, the pod value applies for _, cut := range p.Containers { if knownContainersToSkip[cut.Name] { continue } - if isRunAsNonRoot, reason := cut.IsContainerRunAsNonRoot(podRunAsNonRoot); !isRunAsNonRoot { - // found a container with RunAsNonRoot set to false - nonCompliantContainers = append(nonCompliantContainers, cut) - nonComplianceReason = append(nonComplianceReason, reason) + + isRunAsNonRoot, isRunAsNonRootReason := cut.IsContainerRunAsNonRoot(podRunAsNonRoot) + isRunAsNonRootUserID, isRunAsNonRootUserIDReason := cut.IsContainerRunAsNonRootUserID(podRunAsUserID) + + if isRunAsNonRoot || isRunAsNonRootUserID { + continue } + + nonCompliantContainers = append(nonCompliantContainers, cut) + nonComplianceReasons = append(nonComplianceReasons, isRunAsNonRootReason+", "+isRunAsNonRootUserIDReason) } - return nonCompliantContainers, nonComplianceReason + + return nonCompliantContainers, nonComplianceReasons } // Get the list of top owners of pods diff --git a/pkg/provider/pods_test.go b/pkg/provider/pods_test.go index 660c65ee8..51adc0724 100644 --- a/pkg/provider/pods_test.go +++ b/pkg/provider/pods_test.go @@ -719,7 +719,7 @@ func TestIsRunAsNonRoot(t *testing.T) { }, }, wantNonComplianceReason: []string{ - "RunAsNonRoot is set to false at the container level, overriding a true value defined at pod level.", + "RunAsNonRoot is set to false at the container level, overriding a true value defined at pod level, RunAsUser is set to nil at pod and container level", }, }, { @@ -771,7 +771,7 @@ func TestIsRunAsNonRoot(t *testing.T) { }, }, wantNonComplianceReason: []string{ - "RunAsNonRoot is set to false at the container level, overriding a nil value defined at pod level.", + "RunAsNonRoot is set to false at the container level, overriding a nil value defined at pod level, RunAsUser is set to nil at pod and container level", }, }, { diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 07a7636b8..c01d57975 100644 
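Review bot: The rewritten doc comment on `GetRunAsNonRootFalseContainers` understates what is returned. A container is listed whenever neither check passes, and both `IsContainerRunAsNonRoot` and `IsContainerRunAsNonRootUserID` return false for a field that is nil at pod and container level, so a container with no securityContext at all is reported too, not only `runAsNonRoot: false` with `runAsUser: 0`. Suggested wording: `// Returns the containers for which neither securityContext.runAsNonRoot is true nor securityContext.runAsUser is non-zero; unset fields count as failing.` and `// Both parameters are read at the container level first and fall back to the pod-level value.` This also removes the "parameteters" typo; the inline comment "Check each container for the RunAsNonRoot parameter" should mention RunAsUser as well. Because the two results are OR-ed, `runAsNonRoot: true` together with `runAsUser: 0` is accepted; that pairing is contradictory (the kubelet is expected to refuse to start such a container), so a hint in the reason text would help whoever reads the report.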
--- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -104,6 +104,7 @@ type TestEnvironment struct { // rename this with testTarget HorizontalScaler []*scalingv1.HorizontalPodAutoscaler `json:"testHorizontalScaler"` Services []*corev1.Service `json:"testServices"` + AllServices []*corev1.Service `json:"testAllServices"` ServiceAccounts []*corev1.ServiceAccount `json:"testServiceAccounts"` AllServiceAccounts []*corev1.ServiceAccount `json:"AllServiceAccounts"` AllServiceAccountsMap map[string]*corev1.ServiceAccount @@ -261,6 +262,7 @@ func buildTestEnvironment() { //nolint:funlen,gocyclo aEvent := NewEvent(&data.AbnormalEvents[i]) env.AbnormalEvents = append(env.AbnormalEvents, &aEvent) } + // Service accounts env.ServiceAccounts = data.ServiceAccounts env.AllServiceAccounts = data.AllServiceAccounts @@ -334,6 +336,7 @@ func buildTestEnvironment() { //nolint:funlen,gocyclo env.RoleBindings = data.RoleBindings env.Roles = data.Roles env.Services = data.Services + env.AllServices = data.AllServices env.NetworkPolicies = data.NetworkPolicies for _, nsHelmChartReleases := range data.HelmChartReleases { for _, helmChartRelease := range nsHelmChartReleases { diff --git a/pkg/provider/statefulsets.go b/pkg/provider/statefulsets.go index 1c78631c0..74da595e8 100644 --- a/pkg/provider/statefulsets.go +++ b/pkg/provider/statefulsets.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/pkg/stringhelper/stringhelper.go b/pkg/stringhelper/stringhelper.go index e16752b2b..22f33bf23 100644 --- a/pkg/stringhelper/stringhelper.go +++ b/pkg/stringhelper/stringhelper.go 
@@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by @@ -67,9 +67,35 @@ func RemoveEmptyStrings(s []string) []string { return r } -func BoolToString(b *bool) string { - if b == nil { +// PointerToString returns the default string representation of the value pointer by p, mainly +// used in log traces to print k8s resources' pointer fields. +// If p is a nil pointer, no matter the type, it will return the string "nil". +// +// # Example 1 +// +// var b* bool +// PointerToString(b) -> returns "nil" +// +// # Example 2 +// +// b := true +// bTrue := &b +// PointerToString(bTrue) -> returns "true" +// +// # Example 3 +// +// var num *int +// PointerToString(num) -> returns "nil" +// +// # Example 4 +// +// num := 1984 +// num1984 := &num +// PointerToString(num1984) -> returns "1984" +func PointerToString[T any](p *T) string { + if p == nil { return "nil" + } else { + return fmt.Sprint(*p) } - return fmt.Sprintf("%t", *b) } diff --git a/pkg/stringhelper/stringhelper_test.go b/pkg/stringhelper/stringhelper_test.go index c1fc88cae..bea34e694 100644 --- a/pkg/stringhelper/stringhelper_test.go +++ b/pkg/stringhelper/stringhelper_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by @@ -20,6 +20,7 @@ import ( "testing" "github.com/stretchr/testify/assert" + "k8s.io/utils/ptr" ) type otherString string 
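Review bot: In `PointerToString` the `else` after `return "nil"` is redundant and is the shape Go linters usually flag. `if p == nil { return "nil" }` followed by a plain `return fmt.Sprint(*p)` keeps the happy path unindented. In the doc comment, "the value pointer by p" should read "the value pointed to by p", and Example 1 should declare `var b *bool`.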
@@ -213,3 +214,48 @@ func TestSubSlice(t *testing.T) { assert.Equal(t, tc.expectedOutput, SubSlice(tc.testSliceA, tc.testSliceB)) } } + +func TestPointerToString(t *testing.T) { + const wantNil = "nil" + + var want string + + // pointer to bool + var boolPointer *bool + want = wantNil + if got := PointerToString(boolPointer); got != want { + t.Errorf("PointerToString() = %v, want %v", got, want) + } + + boolPointer = ptr.To(true) + want = "true" + if got := PointerToString(boolPointer); got != want { + t.Errorf("PointerToString() = %v, want %v", got, want) + } + + // pointer to number + var numPointer *int64 + want = wantNil + if got := PointerToString(numPointer); got != want { + t.Errorf("PointerToString() = %v, want %v", got, want) + } + + numPointer = ptr.To(int64(1984)) + want = "1984" + if got := PointerToString(numPointer); got != want { + t.Errorf("PointerToString() = %v, want %v", got, want) + } + + // pointer to string + var stringPointer *string + want = "nil" + if got := PointerToString(stringPointer); got != want { + t.Errorf("PointerToString() = %v, want %v", got, want) + } + + stringPointer = ptr.To("hello, world!") + want = "hello, world!" + if got := PointerToString(stringPointer); got != want { + t.Errorf("PointerToString() = %v, want %v", got, want) + } +} diff --git a/pkg/testhelper/testhelper.go b/pkg/testhelper/testhelper.go index 41b94c25d..ad933f1bc 100644 --- a/pkg/testhelper/testhelper.go +++ b/pkg/testhelper/testhelper.go @@ -189,6 +189,7 @@ const ( HelmType = "Helm" OperatorType = "Operator" ContainerType = "Container" + CatalogSourceType = "Catalog Source" ContainerImageType = "Container Image" NodeType = "Node" OCPClusterType = "OCP Cluster" 
@@ -309,6 +310,16 @@ func NewOperatorReportObject(aNamespace, aOperatorName, aReason string, isCompli return out } +// NewCatalogSourceReportObject creates a new ReportObject for a catalog source. +// It takes the namespace, catalog source name, reason, and compliance status as input parameters. +// It returns the created ReportObject. +func NewCatalogSourceReportObject(aNamespace, aCatalogSourceName, aReason string, isCompliant bool) (out *ReportObject) { + out = NewReportObject(aReason, CatalogSourceType, isCompliant) + out.AddField(Namespace, aNamespace) + out.AddField(Name, aCatalogSourceName) + return out +} + // NewDeploymentReportObject creates a new ReportObject for a deployment. // It takes the namespace, deployment name, reason, and compliance status as input parameters. // It returns a pointer to the created ReportObject. @@ -638,6 +649,15 @@ func GetNoHugepagesPodsSkipFn(env *provider.TestEnvironment) func() (bool, strin } } +func GetNoCatalogSourcesSkipFn(env *provider.TestEnvironment) func() (bool, string) { + return func() (bool, string) { + if len(env.AllCatalogSources) == 0 { + return true, "no catalog sources found" + } + return false, "" + } +} + func GetNoOperatorsSkipFn(env *provider.TestEnvironment) func() (bool, string) { return func() (bool, string) { if len(env.Operators) == 0 { diff --git a/pkg/testhelper/testhelper_test.go b/pkg/testhelper/testhelper_test.go index 01b23bbd8..d82b8daf0 100644 --- a/pkg/testhelper/testhelper_test.go +++ b/pkg/testhelper/testhelper_test.go @@ -19,6 +19,7 @@ package testhelper import ( "testing" + "github.com/operator-framework/api/pkg/operators/v1alpha1" "github.com/redhat-best-practices-for-k8s/certsuite/pkg/provider" "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" 
@@ -381,6 +382,49 @@ func TestNewDeploymentReportObject(t *testing.T) { } } +func TestNewCatalogSourceReportObject(t *testing.T) { + testCases := []struct { + testNamespace string + testCatalogSource string + testReason string + testIsCompliant bool + expectedOutput *ReportObject + }{ + { + testNamespace: "testNamespace", + testCatalogSource: "testCatalogSource", + testReason: "testReason", + testIsCompliant: true, + expectedOutput: &ReportObject{ + ObjectType: CatalogSourceType, + ObjectFieldsKeys: []string{ + Name, + Namespace, + ReasonForCompliance, + }, + ObjectFieldsValues: []string{ + "testNamespace", + "testCatalogSource", + "testReason", + }, + }, + }, + } + + for _, testCase := range testCases { + reportObj := NewCatalogSourceReportObject(testCase.testNamespace, testCase.testCatalogSource, testCase.testReason, testCase.testIsCompliant) + + assert.Equal(t, testCase.expectedOutput.ObjectType, reportObj.ObjectType) + for _, reportKey := range reportObj.ObjectFieldsKeys { + assert.Contains(t, testCase.expectedOutput.ObjectFieldsKeys, reportKey) + } + + for _, reportValue := range reportObj.ObjectFieldsValues { + assert.Contains(t, testCase.expectedOutput.ObjectFieldsValues, reportValue) + } + } +} + func TestNewStatefulSetReportObject(t *testing.T) { testCases := []struct { testNamespace string 
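Review bot: `TestNewCatalogSourceReportObject` asserts membership only, so it would still pass if `NewCatalogSourceReportObject` stored the namespace under `Name` and the catalog source name under `Namespace`. The expected slices are themselves misaligned (`Name, Namespace, ReasonForCompliance` against `"testNamespace", "testCatalogSource", "testReason"`), and the effect of `testIsCompliant` is never asserted. I would pair keys and values by index, for example by filling `got := map[string]string{}` in a loop with `got[reportObj.ObjectFieldsKeys[i]] = reportObj.ObjectFieldsValues[i]`, and then check `assert.Equal(t, testCase.testNamespace, got[Namespace])` and `assert.Equal(t, testCase.testCatalogSource, got[Name])`.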
@@ -1104,3 +1148,160 @@ func TestGetNoOperatorsSkipFn(t *testing.T) { assert.Equal(t, testCase.expectedResult, result) } } + +func TestFailureReasonOutTestString(t *testing.T) { + testCases := []struct { + testFailureReasonOut FailureReasonOut + expectedResult string + }{ + { + testFailureReasonOut: FailureReasonOut{ + CompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject1", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + NonCompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject2", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + }, + //nolint:lll + expectedResult: `testhelper.FailureReasonOut{CompliantObjectsOut: []*testhelper.ReportObject{&testhelper.ReportObject{ObjectType:"testObject1", ObjectFieldsKeys:[]string{"key1", "key2"}, ObjectFieldsValues:[]string{"value1", "value2"}},},NonCompliantObjectsOut: []*testhelper.ReportObject{&testhelper.ReportObject{ObjectType:"testObject2", ObjectFieldsKeys:[]string{"key1", "key2"}, ObjectFieldsValues:[]string{"value1", "value2"}},},}`, + }, + } + + for _, testCase := range testCases { + assert.Equal(t, testCase.expectedResult, FailureReasonOutTestString(testCase.testFailureReasonOut)) + } +} + +func TestReportObjectTestString(t *testing.T) { + testCases := []struct { + testReportObject ReportObject + expectedResult string + }{ + { + testReportObject: ReportObject{ + ObjectType: "testObject", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + expectedResult: `[]testhelper.ReportObject{testhelper.ReportObject{ObjectType:"testObject", ObjectFieldsKeys:[]string{"key1", "key2"}, ObjectFieldsValues:[]string{"value1", "value2"}},}`, + }, + } + + for _, testCase := range testCases { + assert.Equal(t, testCase.expectedResult, ReportObjectTestString([]*ReportObject{&testCase.testReportObject})) + } +} + +func 
TestFailureReasonOutEqual(t *testing.T) { + testCases := []struct { + testFailureReasonOut1 FailureReasonOut + testFailureReasonOut2 FailureReasonOut + expectedResult bool + }{ + { // Test Case #1 - Equal + testFailureReasonOut1: FailureReasonOut{ + CompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject1", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + NonCompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject2", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + }, + testFailureReasonOut2: FailureReasonOut{ + CompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject1", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + NonCompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject2", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + }, + expectedResult: true, + }, + { // Test Case #2 - Not Equal + testFailureReasonOut1: FailureReasonOut{ + CompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject1", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + NonCompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject2", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + }, + testFailureReasonOut2: FailureReasonOut{ + CompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject1", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + NonCompliantObjectsOut: []*ReportObject{ + { + ObjectType: "testObject3", + ObjectFieldsKeys: []string{"key1", "key2"}, + ObjectFieldsValues: []string{"value1", "value2"}, + }, + }, + }, + expectedResult: false, + }, + } + + for _, testCase := range testCases { + 
assert.Equal(t, testCase.expectedResult, testCase.testFailureReasonOut1.Equal(testCase.testFailureReasonOut2)) + } +} + +func TestGetNoCatalogSourcesSkipFn(t *testing.T) { + testCases := []struct { + testEnv *provider.TestEnvironment + expectedResult bool + }{ + {testEnv: &provider.TestEnvironment{AllCatalogSources: nil}, expectedResult: true}, + {testEnv: &provider.TestEnvironment{AllCatalogSources: []*v1alpha1.CatalogSource{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "test1", + }, + }, + }}, expectedResult: false}, + } + + for _, testCase := range testCases { + testFunc := GetNoCatalogSourcesSkipFn(testCase.testEnv) + result, _ := testFunc() + assert.Equal(t, testCase.expectedResult, result) + } +} diff --git a/script/rhcos_versions.sh b/script/rhcos_versions.sh index fc22ecd01..c9b88c8cb 100755 --- a/script/rhcos_versions.sh +++ b/script/rhcos_versions.sh @@ -3,7 +3,7 @@ set -x set -e -CHANNELS=(4.17 4.16 4.15 4.14 4.13 4.12 4.11 4.10 4.9 4.8 4.7 4.6 4.5 4.4 4.3 4.2 4.1) +CHANNELS=(4.18 4.17 4.16 4.15 4.14 4.13 4.12 4.11 4.10 4.9 4.8 4.7 4.6 4.5 4.4 4.3 4.2 4.1) CHANNEL_TYPES=(stable candidate) rm -f ./tests/platform/operatingsystem/files/rhcos_version_map &>/dev/null diff --git a/tests/accesscontrol/doc.go b/tests/accesscontrol/doc.go index 55ef913f1..aa5b0801b 100644 --- a/tests/accesscontrol/doc.go +++ b/tests/accesscontrol/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/accesscontrol/doc_test.go b/tests/accesscontrol/doc_test.go index 55ef913f1..aa5b0801b 100644 --- a/tests/accesscontrol/doc_test.go +++ b/tests/accesscontrol/doc_test.go 
@@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/accesscontrol/pidshelper_test.go b/tests/accesscontrol/pidshelper_test.go index 3146f95ec..11197056d 100644 --- a/tests/accesscontrol/pidshelper_test.go +++ b/tests/accesscontrol/pidshelper_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/accesscontrol/suite.go b/tests/accesscontrol/suite.go index 3dd3e4814..08415839c 100644 --- a/tests/accesscontrol/suite.go +++ b/tests/accesscontrol/suite.go @@ -119,13 +119,6 @@ func LoadChecks() { })) checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestSecConNonRootUserIDIdentifier)). - WithSkipCheckFn(testhelper.GetNoContainersUnderTestSkipFn(&env)). - WithCheckFn(func(c *checksdb.Check) error { - testSecConRootUserID(c, &env) - return nil - })) - - checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestSecConRunAsNonRootIdentifier)). WithSkipCheckFn(testhelper.GetNoContainersUnderTestSkipFn(&env)). WithCheckFn(func(c *checksdb.Check) error { testSecConRunAsNonRoot(c, &env) 
@@ -351,65 +344,27 @@ func testBpfCapability(check *checksdb.Check, env *provider.TestEnvironment) { check.SetResult(compliantObjects, nonCompliantObjects) } -// testSecConRootUserID verifies that the container is not running as root -func testSecConRootUserID(check *checksdb.Check, env *provider.TestEnvironment) { - var compliantObjects []*testhelper.ReportObject - var nonCompliantObjects []*testhelper.ReportObject - for _, put := range env.Pods { - check.LogInfo("Testing Pod %q", put) - if put.IsRunAsUserID(0) { - check.LogError("Root user detected (RunAsUser uid=0) in Pod %q", put) - nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Root User detected (RunAsUser uid=0)", false)) - } else { - check.LogInfo("Non-root user detected in Pod %q", put) - compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Root User not detected (RunAsUser uid=0)", true)) - } - - for _, cut := range put.Containers { - check.LogInfo("Testing Container %q", cut) - if knownContainersToSkip[cut.Name] { - check.LogInfo("Skipping container %q in Pod %q", cut.Name, put.Name) - compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, cut.Name, "Container is allowed to run as root", true)) - continue - } - - // Check the container level RunAsUser parameter - if cut.SecurityContext != nil && cut.SecurityContext.RunAsUser != nil { - if *(cut.SecurityContext.RunAsUser) == 0 { - check.LogError("Root user detected (RunAsUser uid=0) in Container %q (%q)", cut.Name, put) - nonCompliantObjects = append(nonCompliantObjects, testhelper.NewContainerReportObject(put.Namespace, put.Name, cut.Name, "Root User detected (RunAsUser uid=0)", false)) - } else { - check.LogInfo("Non-root user detected (RunAsUser uid=0) in Container %q (%q)", cut, put) - compliantObjects = append(compliantObjects, testhelper.NewContainerReportObject(put.Namespace, put.Name, cut.Name, "Root User not 
detected (RunAsUser uid=0)", true)) - } - } - } - } - - check.SetResult(compliantObjects, nonCompliantObjects) -} - // testSecConRunAsNonRoot verifies that containers are not allowed to run as root. func testSecConRunAsNonRoot(check *checksdb.Check, env *provider.TestEnvironment) { var compliantObjects []*testhelper.ReportObject var nonCompliantObjects []*testhelper.ReportObject for _, put := range env.Pods { - check.LogInfo("Testing Pod %q in namespace %q", put.Name, put.Namespace) + check.LogInfo("Testing pod %s/%s", put.Namespace, put.Name) nonCompliantContainers, nonComplianceReason := put.GetRunAsNonRootFalseContainers(knownContainersToSkip) if len(nonCompliantContainers) == 0 { - check.LogInfo("Pod %q is configured with RunAsNonRoot SCC parameter set to true for all of its containers", put.Name) - compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is configured with RunAsNonRoot SCC parameter set to true for all of its containers", true)) + compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is configured with RunAsNonRoot=true or RunAsUser!=0 at pod or container level.", true)) } else { - check.LogError("Pod %q is configured with RunAsNonRoot SCC parameter set to false for some of its containers", put.Name) - nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is configured with RunAsNonRoot SCC parameter set to false for some of its containers", false)) + nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "One or more containers of the pod are running with root user", false)) for index := range nonCompliantContainers { - check.LogError("In Container %q of Pod %q, %s", nonCompliantContainers[index].Name, put.Name, nonComplianceReason[index]) - nonCompliantObjects = append(nonCompliantObjects, testhelper.NewContainerReportObject(put.Namespace, 
put.Name, - nonCompliantContainers[index].Name, fmt.Sprintf("In Container %q of Pod %q, %s", nonCompliantContainers[index].Name, put.Name, nonComplianceReason[index]), false)) + check.LogError("Pod %s/%s, container %q is not compliant: %s", put.Namespace, put.Name, nonCompliantContainers[index].Name, nonComplianceReason[index]) + + nonCompliantObjects = append(nonCompliantObjects, testhelper.NewContainerReportObject(put.Namespace, put.Name, nonCompliantContainers[index].Name, + nonComplianceReason[index], false)) } } } + check.SetResult(compliantObjects, nonCompliantObjects) } diff --git a/tests/accesscontrol/suite_test.go b/tests/accesscontrol/suite_test.go index 6b54ada21..95f684a64 100644 --- a/tests/accesscontrol/suite_test.go +++ b/tests/accesscontrol/suite_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/certification/doc.go b/tests/certification/doc.go index 1225d7094..9fabea16f 100644 --- a/tests/certification/doc.go +++ b/tests/certification/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/certification/doc_test.go b/tests/certification/doc_test.go index 1225d7094..9fabea16f 100644 --- a/tests/certification/doc_test.go +++ b/tests/certification/doc_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/certification/suite_test.go b/tests/certification/suite_test.go index a099bc3f6..8d100296b 100644 
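Review bot: With `testSecConRootUserID` removed, containers listed in `knownContainersToSkip` no longer appear in the result. The deleted code logged "Skipping container" and added a "Container is allowed to run as root" report object, whereas `GetRunAsNonRootFalseContainers` simply `continue`s past them. A pod whose containers were all exempted is therefore reported with "Pod is configured with RunAsNonRoot=true or RunAsUser!=0 at pod or container level.", which was never verified. I would keep the exemption auditable in `testSecConRunAsNonRoot`, for example in a loop over `put.Containers`: `if knownContainersToSkip[cut.Name] { check.LogInfo("Skipping container %q in Pod %q", cut.Name, put.Name) }`, and word the compliant reason so it does not claim more than was checked. The success path also lost its `check.LogInfo` call, so a passing pod now leaves only the "Testing pod" entry in the log.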
--- a/tests/certification/suite_test.go +++ b/tests/certification/suite_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/common/constant_test.go b/tests/common/constant_test.go index 30631e7eb..a63809b48 100644 --- a/tests/common/constant_test.go +++ b/tests/common/constant_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/common/doc.go b/tests/common/doc.go index c306011ef..9983be2c7 100644 --- a/tests/common/doc.go +++ b/tests/common/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/common/doc_test.go b/tests/common/doc_test.go index c306011ef..9983be2c7 100644 --- a/tests/common/doc_test.go +++ b/tests/common/doc_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/common/env.go b/tests/common/env.go index 18b0c9beb..57cadf57a 100644 --- a/tests/common/env.go +++ b/tests/common/env.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by 
diff --git a/tests/common/env_test.go b/tests/common/env_test.go index 30631e7eb..a63809b48 100644 --- a/tests/common/env_test.go +++ b/tests/common/env_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/common/rbac/roles_test.go b/tests/common/rbac/roles_test.go index d281c8bff..066b03317 100644 --- a/tests/common/rbac/roles_test.go +++ b/tests/common/rbac/roles_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/identifiers/doc.go b/tests/identifiers/doc.go index 03d7d692b..2cfad6da1 100644 --- a/tests/identifiers/doc.go +++ b/tests/identifiers/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2021-2022 Red Hat, Inc. +// Copyright (C) 2021-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/identifiers/doc_test.go b/tests/identifiers/doc_test.go index 03d7d692b..2cfad6da1 100644 --- a/tests/identifiers/doc_test.go +++ b/tests/identifiers/doc_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2021-2022 Red Hat, Inc. +// Copyright (C) 2021-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/identifiers/exceptions.go b/tests/identifiers/exceptions.go index cdfebead6..639e81298 100644 --- a/tests/identifiers/exceptions.go +++ b/tests/identifiers/exceptions.go 
@@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/identifiers/exceptions_test.go b/tests/identifiers/exceptions_test.go index e7536bddc..52a3de65f 100644 --- a/tests/identifiers/exceptions_test.go +++ b/tests/identifiers/exceptions_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/identifiers/identifiers.go b/tests/identifiers/identifiers.go index a30b14199..b2084f2c9 100644 --- a/tests/identifiers/identifiers.go +++ b/tests/identifiers/identifiers.go @@ -102,7 +102,6 @@ var ( TestRtAppNoExecProbes claim.Identifier TestRestartOnRebootLabelOnPodsUsingSRIOV claim.Identifier TestSecConNonRootUserIDIdentifier claim.Identifier - TestSecConRunAsNonRootIdentifier claim.Identifier TestNetworkAttachmentDefinitionSRIOVUsingMTU claim.Identifier TestSecContextIdentifier claim.Identifier TestSecConPrivilegeEscalation claim.Identifier 
@@ -128,13 +127,13 @@ var ( TestOperatorOlmSkipRange claim.Identifier TestOperatorAutomountTokens claim.Identifier TestOperatorRunAsNonRoot claim.Identifier - TestOperatorRunAsUserID claim.Identifier TestOperatorCrdVersioningIdentifier claim.Identifier TestOperatorCrdSchemaIdentifier claim.Identifier TestOperatorSingleCrdOwnerIdentifier claim.Identifier TestOperatorPodsNoHugepages claim.Identifier TestMultipleSameOperatorsIdentifier claim.Identifier TestOperatorInstallationInTenantNamespace claim.Identifier + TestOperatorCatalogSourceBundleCountIdentifier claim.Identifier TestPodNodeSelectorAndAffinityBestPractices claim.Identifier TestPodHighAvailabilityBestPractices claim.Identifier TestPodClusterRoleBindingsBestPracticesIdentifier claim.Identifier @@ -604,23 +603,7 @@ func InitCatalog() map[claim.Identifier]claim.TestCaseDescription { TestSecConNonRootUserIDIdentifier = AddCatalogEntry( "security-context-non-root-user-id-check", common.AccessControlTestKey, - `Checks the security context runAsUser parameter in pods and containers to make sure it is not set to uid root(0). Pods and containers should not run as root (runAsUser is not set to uid0).`, - SecConNonRootUserRemediation, - SecConNonRootUserExceptionProcess, - TestSecConNonRootUserIdentifierDocLink, - true, - map[string]string{ - FarEdge: Mandatory, - Telco: Mandatory, - NonTelco: Mandatory, - Extended: Mandatory, - }, - TagCommon) - - TestSecConRunAsNonRootIdentifier = AddCatalogEntry( - "security-context-run-as-non-root-user-check", - common.AccessControlTestKey, - `Checks the security context runAsNonRoot parameter in pods and containers to make sure it is not set to false. Pods and containers should not be able to run as root..`, + `Checks securityContext's runAsNonRoot and runAsUser fields at pod and container level to make sure containers are not run as root.`, SecConRunAsNonRootUserRemediation, SecConNonRootUserExceptionProcess, TestSecConNonRootUserIdentifierDocLink, 
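Review bot: The merged description for `security-context-non-root-user-id-check` does not say what the check reports when neither `runAsNonRoot` nor `runAsUser` is set at pod or container level, which is the case where the user comes from the image and may be root. I would state that outcome in the description, for example by appending `A container with neither field set at pod or container level is reported as non-compliant.`, provided that is what the implementation does (the check code is not part of this hunk). The entry keeps the old ID while `security-context-run-as-non-root-user-check` disappears from the catalog, so anyone filtering or skipping results by that ID needs a release-note line. InitCatalog starts and ends outside the hunk.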
@@ -1085,6 +1068,22 @@ that Node's kernel may not have the same hacks.'`, }, TagCommon) + TestOperatorCatalogSourceBundleCountIdentifier = AddCatalogEntry( + "catalogsource-bundle-count", + common.OperatorTestKey, + `Tests operator catalog source bundle count is less than 1000`, + OperatorCatalogSourceBundleCountRemediation, + NoExceptions, + TestOperatorCatalogSourceBundleCountIdentifierDocLink, + false, + map[string]string{ + FarEdge: Mandatory, + Telco: Mandatory, + NonTelco: Mandatory, + Extended: Mandatory, + }, + TagCommon) + TestMultipleSameOperatorsIdentifier = AddCatalogEntry( "multiple-same-operators", common.OperatorTestKey, diff --git a/tests/identifiers/remediation.go b/tests/identifiers/remediation.go index fb8ae588a..889cfced4 100644 --- a/tests/identifiers/remediation.go +++ b/tests/identifiers/remediation.go @@ -26,7 +26,7 @@ const ( SecConNonRootUserRemediation = `Change the pod and containers "runAsUser" uid to something other than root(0)` - SecConRunAsNonRootUserRemediation = `Set the the pod and containers "runAsNonRoot" to true.` + SecConRunAsNonRootUserRemediation = `Set the securityContext.runAsNonRoot field to true either at pod or container level. Alternatively, set a non-zero value to securityContext.runAsUser field either at pod or container level.` SecConRemediation = `Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why.` @@ -87,8 +87,6 @@ const ( OperatorCrdSchemaIdentifierRemediation = `Ensure that the Operator CRD is defined with OpenAPI spec.` - OperatorRunAsUserID = `Ensure that the user ID of the pods is not 0.` - OperatorRunAsNonRoot = `Ensure that the pods are running as non root.` OperatorAutomountTokens = `Ensure that the pods have the automount service account token disabled.` 
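Review bot: The description `Tests operator catalog source bundle count is less than 1000` disagrees with the check this commit adds in tests/operator/suite.go, which marks a catalog source non-compliant only when `bundleCount > bundleCountLimit`, so a catalog with exactly 1000 bundles passes. Either make the comparison `bundleCount >= bundleCountLimit` or reword the text to `does not exceed 1000`. The same "less than 1000" wording is in `OperatorCatalogSourceBundleCountRemediation` in the remediation.go hunk and in the compliant log and report strings in suite.go. InitCatalog starts and ends outside the hunk.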
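Review bot: "either at pod or container level" in the new `SecConRunAsNonRootUserRemediation` text hides the precedence rule: a container-level securityContext value overrides the pod-level one, so a non-zero pod-level `runAsUser` does not help a container that sets `runAsUser: 0` itself. Suggested wording: `Set securityContext.runAsNonRoot to true, or securityContext.runAsUser to a non-zero value, so that it is effective for every container; container-level values take precedence over pod-level ones.` The context line above still defines `SecConNonRootUserRemediation`, which the merged catalog entry no longer references after this commit; if nothing else uses it, it can be removed in the same change.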
@@ -101,6 +99,8 @@ const ( OperatorPodsNoHugepagesRemediation = `Ensure that the pods are not using hugepages` + OperatorCatalogSourceBundleCountRemediation = `Ensure that the Operator's catalog source has a valid bundle count less than 1000.` + MultipleSameOperatorsRemediation = `Ensure that only one Operator of the same type is installed in the cluster.` OperatorInstallationInTenantNamespaceRemediation = `Ensure that operator with install mode SingleNamespace only is installed in the tenant namespace.` diff --git a/tests/identifiers/remediation_test.go b/tests/identifiers/remediation_test.go index e7536bddc..52a3de65f 100644 --- a/tests/identifiers/remediation_test.go +++ b/tests/identifiers/remediation_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/doc.go b/tests/lifecycle/doc.go index 1d197a6b8..aa031ba08 100644 --- a/tests/lifecycle/doc.go +++ b/tests/lifecycle/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/doc_test.go b/tests/lifecycle/doc_test.go index 1d197a6b8..aa031ba08 100644 --- a/tests/lifecycle/doc_test.go +++ b/tests/lifecycle/doc_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/podrecreation/podrecreation.go b/tests/lifecycle/podrecreation/podrecreation.go index 3fea9cc87..52abacb25 100644 --- a/tests/lifecycle/podrecreation/podrecreation.go 
+++ b/tests/lifecycle/podrecreation/podrecreation.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/podrecreation/podrecreation_test.go b/tests/lifecycle/podrecreation/podrecreation_test.go index e863789b3..61493b790 100644 --- a/tests/lifecycle/podrecreation/podrecreation_test.go +++ b/tests/lifecycle/podrecreation/podrecreation_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/podsets/podsets_test.go b/tests/lifecycle/podsets/podsets_test.go index 9b0c0505a..aea80adfd 100644 --- a/tests/lifecycle/podsets/podsets_test.go +++ b/tests/lifecycle/podsets/podsets_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/scaling/crd_scaling_test.go b/tests/lifecycle/scaling/crd_scaling_test.go index 73ff6de77..35af5da69 100644 --- a/tests/lifecycle/scaling/crd_scaling_test.go +++ b/tests/lifecycle/scaling/crd_scaling_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/scaling/statefulset_scaling_test.go b/tests/lifecycle/scaling/statefulset_scaling_test.go index ff3618eb7..5ce5e5894 100644 --- a/tests/lifecycle/scaling/statefulset_scaling_test.go 
+++ b/tests/lifecycle/scaling/statefulset_scaling_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/suite_test.go b/tests/lifecycle/suite_test.go index 1f8d9f269..fb58a608c 100644 --- a/tests/lifecycle/suite_test.go +++ b/tests/lifecycle/suite_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/tolerations/tolerations.go b/tests/lifecycle/tolerations/tolerations.go index c0a21c7a5..f44cd845e 100644 --- a/tests/lifecycle/tolerations/tolerations.go +++ b/tests/lifecycle/tolerations/tolerations.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/tolerations/tolerations_test.go b/tests/lifecycle/tolerations/tolerations_test.go index 687716281..8298af00e 100644 --- a/tests/lifecycle/tolerations/tolerations_test.go +++ b/tests/lifecycle/tolerations/tolerations_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2022-2023 Red Hat, Inc. +// Copyright (C) 2022-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/volumes/volumes.go b/tests/lifecycle/volumes/volumes.go index 080184c90..1026b7a22 100644 --- a/tests/lifecycle/volumes/volumes.go +++ b/tests/lifecycle/volumes/volumes.go 
@@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/lifecycle/volumes/volumes_test.go b/tests/lifecycle/volumes/volumes_test.go index 8f874b238..30c039150 100644 --- a/tests/lifecycle/volumes/volumes_test.go +++ b/tests/lifecycle/volumes/volumes_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/manageability/suite_test.go b/tests/manageability/suite_test.go index 38131c4a2..6287cde35 100644 --- a/tests/manageability/suite_test.go +++ b/tests/manageability/suite_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/networking/doc.go b/tests/networking/doc.go index daab51ff8..f4204d769 100644 --- a/tests/networking/doc.go +++ b/tests/networking/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/networking/doc_test.go b/tests/networking/doc_test.go index daab51ff8..f4204d769 100644 --- a/tests/networking/doc_test.go +++ b/tests/networking/doc_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by 
diff --git a/tests/networking/netcommons/netcommons_test.go b/tests/networking/netcommons/netcommons_test.go index b6b92fcdd..83d2e06b0 100644 --- a/tests/networking/netcommons/netcommons_test.go +++ b/tests/networking/netcommons/netcommons_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/networking/netutil/netutil_test.go b/tests/networking/netutil/netutil_test.go index f7635b526..ad3e608c7 100644 --- a/tests/networking/netutil/netutil_test.go +++ b/tests/networking/netutil/netutil_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/networking/services/services.go b/tests/networking/services/services.go index 159c0374c..c261a5430 100644 --- a/tests/networking/services/services.go +++ b/tests/networking/services/services.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/networking/services/services_test.go b/tests/networking/services/services_test.go index a02dac987..7f4da1c9a 100644 --- a/tests/networking/services/services_test.go +++ b/tests/networking/services/services_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by 
diff --git a/tests/networking/suite_test.go b/tests/networking/suite_test.go index d16dda924..82dbb3664 100644 --- a/tests/networking/suite_test.go +++ b/tests/networking/suite_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/observability/doc.go b/tests/observability/doc.go index eeea9e484..283db6d84 100644 --- a/tests/observability/doc.go +++ b/tests/observability/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/observability/doc_test.go b/tests/observability/doc_test.go index eeea9e484..283db6d84 100644 --- a/tests/observability/doc_test.go +++ b/tests/observability/doc_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/observability/suite_test.go b/tests/observability/suite_test.go index 6b92790fb..883e45e96 100644 --- a/tests/observability/suite_test.go +++ b/tests/observability/suite_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2025 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/operator/catalogsource/catalogsource.go b/tests/operator/catalogsource/catalogsource.go new file mode 100644 index 000000000..94526473d --- /dev/null +++ b/tests/operator/catalogsource/catalogsource.go 
@@ -0,0 +1,30 @@ +package catalogsource + +import ( + olmpkgv1 "github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/apis/operators/v1" + "github.com/redhat-best-practices-for-k8s/certsuite/internal/log" +) + +func SkipPMBasedOnChannel(channels []olmpkgv1.PackageChannel, csvName string) bool { + // This logic is in place because it is possible for an operator to pull from a multiple package manifests. + skipPMBasedOnChannel := true + for c := range channels { + log.Debug("Comparing channel currentCSV %q with current CSV %q", channels[c].CurrentCSV, csvName) + log.Debug("Number of channel entries %d", len(channels[c].Entries)) + for _, entry := range channels[c].Entries { + log.Debug("Comparing entry name %q with current CSV %q", entry.Name, csvName) + + if entry.Name == csvName { + log.Debug("Skipping package manifest based on channel entry %q", entry.Name) + skipPMBasedOnChannel = false + break + } + } + + if !skipPMBasedOnChannel { + break + } + } + + return skipPMBasedOnChannel +} diff --git a/tests/operator/catalogsource/catalogsource_test.go b/tests/operator/catalogsource/catalogsource_test.go new file mode 100644 index 000000000..eb5ee1e4f --- /dev/null +++ b/tests/operator/catalogsource/catalogsource_test.go 
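Review bot: The debug message `Skipping package manifest based on channel entry %q` is logged on the branch that sets `skipPMBasedOnChannel = false`, that is exactly when the package manifest is not skipped, so the debug log states the opposite of what happened. I would change it to `log.Debug("Channel entry %q matches the CSV; not skipping package manifest", entry.Name)`. The exported function has no doc comment; something like `// SkipPMBasedOnChannel reports whether no channel has an entry named csvName, in which case the package manifest is skipped.` would do, and it would also document that an empty channel list returns true. The flag plus double `break` can be replaced by `return false` in the inner loop and `return true` at the end. The first debug line prints `CurrentCSV` as if it were compared, but only `entry.Name` is.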
@@ -0,0 +1,49 @@ +package catalogsource + +import ( + "testing" + + olmpkgv1 "github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/apis/operators/v1" + "github.com/stretchr/testify/assert" +) + +func TestSkipPMBasedOnChannel(t *testing.T) { + testCases := []struct { + testChannels []olmpkgv1.PackageChannel + testCSVName string + expected bool + }{ + { // Test Case #1 - Do not skip package manifest based on channel entry + testChannels: []olmpkgv1.PackageChannel{ + { + CurrentCSV: "test-csv.v1.0.0", + Entries: []olmpkgv1.ChannelEntry{ + { + Name: "test-csv.v1.0.0", + }, + }, + }, + }, + testCSVName: "test-csv.v1.0.0", + expected: false, + }, + { // Test Case #2 - Skip package manifest based on channel entry + testChannels: []olmpkgv1.PackageChannel{ + { + CurrentCSV: "test-csv.v1.0.0", + Entries: []olmpkgv1.ChannelEntry{ + { + Name: "test-csv.v1.0.0", + }, + }, + }, + }, + testCSVName: "test-csv.v1.0.1", + expected: true, + }, + } + + for _, tc := range testCases { + assert.Equal(t, tc.expected, SkipPMBasedOnChannel(tc.testChannels, tc.testCSVName)) + } +} diff --git a/tests/operator/helper_test.go b/tests/operator/helper_test.go index 3f2f9a681..00c9b2ecd 100644 --- a/tests/operator/helper_test.go +++ b/tests/operator/helper_test.go @@ -20,7 +20,9 @@ Package operator provides CNFCERT tests used to validate operator CNF facets. package operator -import "testing" +import ( + "testing" +) func TestSplitCsv(t *testing.T) { tests := []struct { diff --git a/tests/operator/phasecheck/phasecheck.go b/tests/operator/phasecheck/phasecheck.go index fe25f9840..640424bcf 100644 --- a/tests/operator/phasecheck/phasecheck.go +++ b/tests/operator/phasecheck/phasecheck.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by 
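Review bot: Both table cases use a single channel with a single entry, so the paths most likely to regress in `SkipPMBasedOnChannel` are not exercised: a match in a second channel, a match that is not the first entry, and a nil or empty `testChannels` slice (for which the function returns true). I would add those three cases. Since the loop calls `assert.Equal` without a message, giving each case a `name` field and running it under `t.Run(tc.name, ...)` would make a failure say which case broke.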
diff --git a/tests/operator/phasecheck/phasecheck_test.go b/tests/operator/phasecheck/phasecheck_test.go index 1b4a0de43..0260dbf40 100644 --- a/tests/operator/phasecheck/phasecheck_test.go +++ b/tests/operator/phasecheck/phasecheck_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/operator/suite.go b/tests/operator/suite.go index 3fc346b8d..9733ea7ac 100644 --- a/tests/operator/suite.go +++ b/tests/operator/suite.go @@ -17,15 +17,19 @@ package operator import ( + "strconv" "strings" + "github.com/Masterminds/semver" "github.com/redhat-best-practices-for-k8s/certsuite/tests/common" "github.com/redhat-best-practices-for-k8s/certsuite/tests/identifiers" + "github.com/redhat-best-practices-for-k8s/certsuite/tests/operator/catalogsource" "github.com/redhat-best-practices-for-k8s/certsuite/tests/operator/phasecheck" "github.com/redhat-best-practices-for-k8s/certsuite/internal/log" "github.com/redhat-best-practices-for-k8s/certsuite/pkg/checksdb" "github.com/redhat-best-practices-for-k8s/certsuite/pkg/provider" + "github.com/redhat-best-practices-for-k8s/certsuite/pkg/stringhelper" "github.com/redhat-best-practices-for-k8s/certsuite/pkg/testhelper" "github.com/redhat-best-practices-for-k8s/certsuite/pkg/versions" ) 
@@ -372,9 +376,19 @@ func testOperatorSingleCrdOwner(check *checksdb.Check, env *provider.TestEnviron for i := range env.Operators { operator := env.Operators[i] ownedCrds := operator.Csv.Spec.CustomResourceDefinitions.Owned + + // Helper map to filter out different versions of the same CRD name. + uniqueOnwnedCrds := map[string]struct{}{} for j := range ownedCrds { - crdOwners[ownedCrds[j].Name] = append(crdOwners[ownedCrds[j].Name], operator.Name) + uniqueOnwnedCrds[ownedCrds[j].Name] = struct{}{} + } + + // Now we can append the operator as CRD owner + for crdName := range uniqueOnwnedCrds { + crdOwners[crdName] = append(crdOwners[crdName], operator.Name) } + + check.LogInfo("CRDs owned by operator %s: %+v", operator.Name, uniqueOnwnedCrds) } // Flag those that are owned by more than one operator 
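Review bot: `uniqueOnwnedCrds` is misspelled in all four places it appears in this hunk and should be `uniqueOwnedCrds`. The added `check.LogInfo("CRDs owned by operator %s: %+v", operator.Name, uniqueOnwnedCrds)` prints a `map[string]struct{}`, which renders as `map[name:{} ...]`; logging the key list instead would read better. testOperatorSingleCrdOwner starts and ends outside the hunk.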
@@ -483,3 +497,101 @@ func testMultipleSameOperators(check *checksdb.Check, env *provider.TestEnvironm check.SetResult(compliantObjects, nonCompliantObjects) } + +//nolint:funlen +func testOperatorCatalogSourceBundleCount(check *checksdb.Check, env *provider.TestEnvironment) { + var compliantObjects []*testhelper.ReportObject + var nonCompliantObjects []*testhelper.ReportObject + + const ( + bundleCountLimit = 1000 + + // If the OCP version is <= 4.12, we need to use the probe container to get the bundle count. + // This means we cannot use the package manifests to skip based on channel. + ocpMajorVersion = 4 + ocpMinorVersion = 12 + ) + + ocp412Skip := false + // Check if the cluster is running an OCP version <= 4.12 + if env.OpenshiftVersion != "" { + log.Info("Cluster is determined to be running Openshift version %q.", env.OpenshiftVersion) + version, err := semver.NewVersion(env.OpenshiftVersion) + if err != nil { + log.Error("Failed to parse Openshift version %q.", env.OpenshiftVersion) + check.LogError("Failed to parse Openshift version %q.", env.OpenshiftVersion) + return + } + + if version.Major() < ocpMajorVersion || (version.Major() == ocpMajorVersion && version.Minor() <= ocpMinorVersion) { + log.Info("Cluster is running an OCP version <= 4.12.") + ocp412Skip = true + } else { + log.Info("Cluster is running an OCP version > 4.12.") + } + } + + bundleCountLimitStr := strconv.Itoa(bundleCountLimit) + + // Loop through all labeled operators and check if they have more than 1000 referenced images. + var catalogsAlreadyReported []string + for _, op := range env.Operators { + catalogSourceCheckComplete := false + check.LogInfo("Checking bundle count for operator %q", op.Csv.Name) + + // Search through packagemanifests to match the name of the CSV. + for _, pm := range env.AllPackageManifests { + // Skip package manifests based on channel entries. + // Note: This only works for OCP versions > 4.12 due to channel entries existence. 
+ if !ocp412Skip && catalogsource.SkipPMBasedOnChannel(pm.Status.Channels, op.Csv.Name) { + log.Debug("Skipping package manifest %q based on channel", pm.Name) + continue + } + + // Search through all catalog sources to match the name and namespace of the package manifest. + for _, catalogSource := range env.AllCatalogSources { + if catalogSource.Name != pm.Status.CatalogSource || catalogSource.Namespace != pm.Status.CatalogSourceNamespace { + log.Debug("Skipping catalog source %q based on name or namespace", catalogSource.Name) + continue + } + + // If the catalog source has already been reported, skip it. + if stringhelper.StringInSlice(catalogsAlreadyReported, catalogSource.Name+"."+catalogSource.Namespace, false) { + log.Debug("Skipping catalog source %q based on already reported", catalogSource.Name) + continue + } + + log.Debug("Found matching catalog source %q for operator %q", catalogSource.Name, op.Csv.Name) + + // The name and namespace match. Lookup the bundle count. + bundleCount := provider.GetCatalogSourceBundleCount(env, catalogSource) + + if bundleCount == -1 { + check.LogError("Failed to get bundle count for CatalogSource %q", catalogSource.Name) + nonCompliantObjects = append(nonCompliantObjects, testhelper.NewCatalogSourceReportObject(catalogSource.Namespace, catalogSource.Name, "Failed to get bundle count", false)) + } else { + if bundleCount > bundleCountLimit { + check.LogError("CatalogSource %q has more than "+bundleCountLimitStr+" ("+strconv.Itoa(bundleCount)+") referenced images", catalogSource.Name) + nonCompliantObjects = append(nonCompliantObjects, testhelper.NewCatalogSourceReportObject(catalogSource.Namespace, catalogSource.Name, "CatalogSource has more than "+bundleCountLimitStr+" referenced images", false)) + } else { + check.LogInfo("CatalogSource %q has less than "+bundleCountLimitStr+" ("+strconv.Itoa(bundleCount)+") referenced images", catalogSource.Name) + compliantObjects = append(compliantObjects, 
testhelper.NewCatalogSourceReportObject(catalogSource.Namespace, catalogSource.Name, "CatalogSource has less than "+bundleCountLimitStr+" referenced images", true)) + } + } + + log.Debug("Adding catalog source %q to list of already reported", catalogSource.Name) + catalogsAlreadyReported = append(catalogsAlreadyReported, catalogSource.Name+"."+catalogSource.Namespace) + // Signal that the catalog source check is complete. + catalogSourceCheckComplete = true + break + } + + // If the catalog source check is complete, break out of the loop. + if catalogSourceCheckComplete { + break + } + } + } + + check.SetResult(compliantObjects, nonCompliantObjects) +} diff --git a/tests/operator/suite_test.go b/tests/operator/suite_test.go index c56a13b8b..1c688eaba 100644 --- a/tests/operator/suite_test.go +++ b/tests/operator/suite_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/performance/suite_test.go b/tests/performance/suite_test.go index 7a4f8e98f..fe9b24e6d 100644 --- a/tests/performance/suite_test.go +++ b/tests/performance/suite_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/platform/bootparams/bootparams.go b/tests/platform/bootparams/bootparams.go index 46644d886..7063d71c5 100644 --- a/tests/platform/bootparams/bootparams.go +++ b/tests/platform/bootparams/bootparams.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by 
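Review bot: When `semver.NewVersion(env.OpenshiftVersion)` fails, testOperatorCatalogSourceBundleCount logs and returns without calling `check.SetResult`, and an operator for which no package manifest or catalog source matches adds no report object either, so in both cases something the check could not evaluate leaves no failure behind. How checksdb treats a check that returns with no result is not visible in this hunk; if that is not reported as an error, I would record the failure explicitly before the `return` and add a non-compliant object for an operator whose catalog source was not found. Separately, the log calls build their format string by concatenation; `check.LogError("CatalogSource %q has more than %d (%d) referenced images", catalogSource.Name, bundleCountLimit, bundleCount)` is easier to read and makes `bundleCountLimitStr` unnecessary for logging.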
diff --git a/tests/platform/bootparams/bootparams_test.go b/tests/platform/bootparams/bootparams_test.go index 46c78270c..29fbcd3a4 100644 --- a/tests/platform/bootparams/bootparams_test.go +++ b/tests/platform/bootparams/bootparams_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/platform/doc.go b/tests/platform/doc.go index 9b2d9e2fa..22732d637 100644 --- a/tests/platform/doc.go +++ b/tests/platform/doc.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/platform/doc_test.go b/tests/platform/doc_test.go index 9b2d9e2fa..22732d637 100644 --- a/tests/platform/doc_test.go +++ b/tests/platform/doc_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/platform/isredhat/isredhat.go b/tests/platform/isredhat/isredhat.go index 8adf2d364..2f70fa4d5 100644 --- a/tests/platform/isredhat/isredhat.go +++ b/tests/platform/isredhat/isredhat.go @@ -1,4 +1,4 @@ -// Copyright (C) 2020-2023 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/platform/isredhat/isredhat_test.go b/tests/platform/isredhat/isredhat_test.go index a8eaddb06..ac9b6cc7a 100644 --- a/tests/platform/isredhat/isredhat_test.go +++ b/tests/platform/isredhat/isredhat_test.go 
@@ -1,4 +1,4 @@ -// Copyright (C) 2020-2022 Red Hat, Inc. +// Copyright (C) 2020-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/platform/nodetainted/nodetainted.go b/tests/platform/nodetainted/nodetainted.go index fdb06bae2..be2a95082 100644 --- a/tests/platform/nodetainted/nodetainted.go +++ b/tests/platform/nodetainted/nodetainted.go @@ -1,4 +1,4 @@ -// Copyright (C) 2021-2023 Red Hat, Inc. +// Copyright (C) 2021-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/platform/nodetainted/nodetainted_test.go b/tests/platform/nodetainted/nodetainted_test.go index 57b094e60..c2d1f54f0 100644 --- a/tests/platform/nodetainted/nodetainted_test.go +++ b/tests/platform/nodetainted/nodetainted_test.go @@ -1,4 +1,4 @@ -// Copyright (C) 2021-2023 Red Hat, Inc. +// Copyright (C) 2021-2024 Red Hat, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by diff --git a/tests/platform/operatingsystem/files/rhcos_version_map b/tests/platform/operatingsystem/files/rhcos_version_map index 0512ae62d..0ea201d78 100644 --- a/tests/platform/operatingsystem/files/rhcos_version_map +++ b/tests/platform/operatingsystem/files/rhcos_version_map @@ -223,6 +223,8 @@ 4.12.68 / 412.86.202410300039-0 4.12.69 / 412.86.202411061519-0 4.12.7 / 412.86.202303011010-0 +4.12.70 / 412.86.202411270001-0 +4.12.71 / 412.86.202412201644-0 4.12.8 / 412.86.202303141242-0 4.12.9 / 412.86.202303211731-0 4.13.0 / 413.92.202305041429-0 
@@ -285,6 +287,7 @@ 4.13.51 / 413.92.202409180051-0 4.13.52 / 413.92.202410081857-0 4.13.53 / 413.92.202410300103-0 +4.13.54 / 413.92.202411212100-0 4.13.6 / 413.92.202307182034-0 4.13.7 / 413.92.202307260246-0 4.13.8 / 413.92.202307311416-0 @@ -339,6 +342,9 @@ 4.14.4 / 414.92.202311222314-0 4.14.40 / 414.92.202410290222-0 4.14.41 / 414.92.202411130444-0 +4.14.42 / 414.92.202411260513-0 +4.14.43 / 414.92.202412110121-0 +4.14.44 / 414.92.202412202114-0 4.14.5 / 414.92.202311281318-0 4.14.6 / 414.92.202312011602-0 4.14.7 / 414.92.202312132152-0 @@ -389,6 +395,9 @@ 4.15.37 / 415.92.202410232038-0 4.15.38 / 415.92.202411050056-0 4.15.39 / 415.92.202411201723-0 +4.15.40 / 415.92.202412022228-0 +4.15.41 / 415.92.202412022228-0 +4.15.42 / 415.92.202412171121-0 4.15.5 / 415.92.202403191241-0 4.15.6 / 415.92.202403270524-0 4.15.7 / 415.92.202403270524-0 @@ -426,6 +435,11 @@ 4.16.21 / 416.94.202411061221-0 4.16.23 / 416.94.202411111409-0 4.16.24 / 416.94.202411201433-0 +4.16.25 / 416.94.202411261619-0 +4.16.26 / 416.94.202412040832-0 +4.16.27 / 416.94.202412100237-0 +4.16.28 / 416.94.202412170927-0 +4.16.29 / 416.94.202412301627-0 4.16.3 / 416.94.202407081958-0 4.16.4 / 416.94.202407171205-0 4.16.5 / 416.94.202407231922-0 
@@ -445,11 +459,25 @@
 4.17.0-rc.5 / 417.94.202409120353-0
 4.17.0-rc.6 / 417.94.202409121747-0
 4.17.1 / 417.94.202410090854-0
+4.17.10 / 417.94.202412180008-0
+4.17.11 / 417.94.202412250812-0
 4.17.2 / 417.94.202410160352-0
 4.17.3 / 417.94.202410211619-0
 4.17.4 / 417.94.202411050056-0
 4.17.5 / 417.94.202411070820-0
 4.17.6 / 417.94.202411201839-0
+4.17.7 / 417.94.202411261220-0
+4.17.8 / 417.94.202412040832-0
+4.17.9 / 417.94.202412120651-0
+4.18.0-ec.0 / 418.94.202408212252-0
+4.18.0-ec.1 / 418.94.202409131956-0
+4.18.0-ec.2 / 418.94.202410071559-0
+4.18.0-ec.3 / 418.94.202410260038-0
+4.18.0-ec.4 / 418.94.202411210552-0
+4.18.0-rc.0 / 418.94.202411291453-0
+4.18.0-rc.1 / 418.94.202412050001-0
+4.18.0-rc.2 / 418.94.202412120450-0
+4.18.0-rc.3 / 418.94.202412172234-0
 4.4.0 / 44.81.202004260825-0
 4.4.0-rc.0 / 44.81.202003110830-0
 4.4.0-rc.1 / 44.81.202003130330-0
diff --git a/tests/platform/operatingsystem/operatingsystem.go b/tests/platform/operatingsystem/operatingsystem.go
index 96eaa84f4..d005f089e 100644
--- a/tests/platform/operatingsystem/operatingsystem.go
+++ b/tests/platform/operatingsystem/operatingsystem.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 Red Hat, Inc.
+// Copyright (C) 2022-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/tests/platform/operatingsystem/operatingsystem_test.go b/tests/platform/operatingsystem/operatingsystem_test.go
index 266375383..027eb6a9f 100644
--- a/tests/platform/operatingsystem/operatingsystem_test.go
+++ b/tests/platform/operatingsystem/operatingsystem_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 Red Hat, Inc.
+// Copyright (C) 2022-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/tests/platform/suite_test.go b/tests/platform/suite_test.go
index ea1515b0b..f19850eba 100644
--- a/tests/platform/suite_test.go
+++ b/tests/platform/suite_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2020-2022 Red Hat, Inc.
+// Copyright (C) 2020-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/tests/platform/sysctlconfig/sysctlconfig.go b/tests/platform/sysctlconfig/sysctlconfig.go
index ed122530f..f135692e1 100644
--- a/tests/platform/sysctlconfig/sysctlconfig.go
+++ b/tests/platform/sysctlconfig/sysctlconfig.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2020-2022 Red Hat, Inc.
+// Copyright (C) 2020-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/tests/platform/sysctlconfig/sysctlconfig_test.go b/tests/platform/sysctlconfig/sysctlconfig_test.go
index cecc3febe..dfb525714 100644
--- a/tests/platform/sysctlconfig/sysctlconfig_test.go
+++ b/tests/platform/sysctlconfig/sysctlconfig_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2020-2022 Red Hat, Inc.
+// Copyright (C) 2020-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/tests/preflight/suite_test.go b/tests/preflight/suite_test.go
index 3d972c8d1..a80da65ad 100644
--- a/tests/preflight/suite_test.go
+++ b/tests/preflight/suite_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022-2023 Red Hat, Inc.
+// Copyright (C) 2022-2024 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/version.json b/version.json
index effd6611e..6820ff877 100644
--- a/version.json
+++ b/version.json
@@ -1,5 +1,5 @@
 {
- "debugTag": "v0.0.10",
+ "debugTag": "v0.0.11",
 "claimFormat": "v0.5.0",
 "parserTag": "v0.5.0"
 }