Manually ensuring nothing was missed gamma to main

Dockerfile

@@ -23,7 +23,7 @@ COPY controllers/ controllers/
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go
 
-FROM registry.access.redhat.com/ubi9-minimal
+FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:582e18f13291d7c686ec4e6e92d20b24c62ae0fc72767c46f30a69b1a6198055
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532

Makefile

@@ -221,6 +221,21 @@ envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
 
+.PHONY: productization-adjustments
+productization-adjustments: ## Add feature labels and swap base image for konflux
+	sed -i '' 's/^FROM scratch$$/FROM registry.access.redhat.com\/ubi9\/ubi-micro/' bundle.Dockerfile
+	echo '' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/disconnected: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/fips-compliant: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/proxy-aware: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/cnf: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/cni: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/csi: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/tls-profiles: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/token-auth-aws: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/token-auth-azure: "false"' >> bundle/metadata/annotations.yaml
+	echo '  features.operators.openshift.io/token-auth-gcp: "false"' >> bundle/metadata/annotations.yaml
+
 .PHONY: operator-sdk
 OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk
 operator-sdk: ## Download operator-sdk locally if necessary.
@@ -243,6 +258,7 @@ bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metada
 	$(OPERATOR_SDK) generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 	$(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)
+	make productization-adjustments
 	$(OPERATOR_SDK) bundle validate ./bundle
 
 .PHONY: bundle-build

bundle.Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi9/ubi-micro
+FROM registry.access.redhat.com/ubi9/ubi-micro@sha256:d72202acf3073b61cb407e86395935b7bac5b93b16071d2b40b9fb485db2135d
 
 # Core bundle labels.
 LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
@@ -10,6 +10,26 @@ LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
 
+LABEL description="The bundle image for the rhtas-operator, containing manifests, metadata and testing scorecard."
+LABEL io.k8s.description="The bundle image for the rhtas-operator, containing manifests, metadata and testing scorecard."
+LABEL io.k8s.display-name="RHTAS operator bundle container image for Red Hat Trusted Artifact Signer."
+LABEL io.openshift.tags="rhtas-operator-bundle, rhtas-operator, Red Hat Trusted Artifact Signer."
+LABEL summary="Operator Bundle for the rhtas-operator."
+LABEL com.redhat.component="sigstore-operator-bundle"
+#
+LABEL features.operators.openshift.io/cni="false"
+LABEL features.operators.openshift.io/disconnected="false"
+LABEL features.operators.openshift.io/disconnected="false"
+LABEL features.operators.openshift.io/fips-compliant="false"
+LABEL features.operators.openshift.io/proxy-aware="false"
+LABEL features.operators.openshift.io/cnf="false"
+LABEL features.operators.openshift.io/cni="false"
+LABEL features.operators.openshift.io/csi="false"
+LABEL features.operators.openshift.io/tls-profiles="false"
+LABEL features.operators.openshift.io/token-auth-aws="false"
+LABEL features.operators.openshift.io/token-auth-azure="false"
+LABEL features.operators.openshift.io/token-auth-gcp="false"
+
 # Labels for testing.
 LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
 LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/

fbc/fbc-preflight-testing-steps

@@ -0,0 +1,25 @@
+# STEPS:
+# Caveat: Run these commands from a FBC overlay (ex: v4.14)
+# 1. run the container:         FBC_VERSION="v4.14" && CONTAINER_ID=$(docker run -u root -d registry.redhat.io/redhat/redhat-operator-index:$FBC_VERSION)
+# 2. copy the catalog file in:  docker cp $(pwd)/catalog/rhtas-operator/catalog.json $CONTAINER_ID:/configs/rhtas-operator/catalog.json
+# 3. re-serve:                  docker exec -u root -it $CONTAINER_ID opm serve --pprof-addr="" --cache-only /configs
+# 4. commit the image:          docker commit $CONTAINER_ID quay.io/grpereir/redhat-operator-index:$FBC_VERSION
+# 5  push the image:            docker push quay.io/grpereir/redhat-operator-index:$FBC_VERSION
+    # NOTE: if you are using your own repo, you will have to switch this to public so it is pullable by testing cluster
+# 6. create catalog source (see below):
+: '
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: rhtas-operator
+  namespace: openshift-marketplace
+spec:
+  sourceType: grpc
+  grpcPodConfig:
+    securityContextConfig: legacy
+  publisher: Red Hat
+  image: quay.io/grpereir/redhat-operator-index:$FBC_VERSION
+  displayName: TAS Operator
+'
+# 7. apply the CS:              oc apply -f ./catalogSource.yaml
+# 8. delete the catalog-operator pod:  CATALOG_OPERATOR_POD=$oc get pods -n openshift-operator-lifecycle-manager | grep catalog-operator | awk '{print $1}') && oc delete pod $CATALOG_OPERATOR_POD -n openshift-operator-lifecycle-manage

fbc/generate-fbc.sh

@@ -0,0 +1,202 @@
+#!/usr/bin/env bash
+
+set -e
+
+SKOPEO_CMD=${SKOPEO_CMD:-skopeo}
+OPM_CMD=${OPM_CMD:-opm}
+AUTH_FILE=${AUTH_FILE:-}
+
+package_name="rhtas-operator"
+
+helpFunction()
+{
+  echo -e "Usage: $0\n"
+  echo -e "\t--help:   see all commands of this script\n"
+  echo -e "\t--init-basic <OCP_minor> <yq|jq>:   initialize a new composite fragment\n\t  example: $0 --init-basic v4.13 yq\n"
+  echo -e "\t--init-basic-all:   initialize all the fragments from production\n\t  example: $0 --init-basic-all\n"
+  echo -e "\t--comment-graph <OCP_minor>:   add human readable bundle tags as comments to graph generated by --init-basic\n\t  example: $0 --comment-graph v4.13\n"
+  echo -e "\t--render <OCP_minor> <brew>: render one FBC fragment\n\t\"brew\" optional parameter will made it consuming bundle images from the brew registry\n\t  example: $0 --render v4.13 brew\n"
+  echo -e "\t--render-all <brew>: render all the FBC fragments\n\t\"brew\" optional parameter will made it consuming bundle images from the brew registry\n\t  example: $0 --render-all brew\n"
+  exit 1
+}
+
+devfile()
+{
+    cat <<EOT > "$1"/devfile.yaml
+schemaVersion: 2.2.0
+metadata:
+  name: fbc-$1
+  displayName: FBC $1
+  description: 'File based catalog'
+  language: fbc
+  provider: Red Hat
+components:
+  - name: image-build
+    image:
+      imageName: ""
+      dockerfile:
+        uri: catalog.Dockerfile
+        buildContext: ""
+  - name: kubernetes
+    kubernetes:
+      inlined: placeholder
+    attributes:
+      deployment/container-port: 50051
+      deployment/cpuRequest: "100m"
+      deployment/memoryRequest: 512Mi
+      deployment/replicas: 1
+      deployment/storageRequest: "0"
+commands:
+  - id: build-image
+    apply:
+      component: image-build
+EOT
+}
+
+dockerfile()
+{
+  cat <<EOT > "$1"/catalog.Dockerfile
+# The base image is expected to contain
+# /bin/opm (with a serve subcommand) and /bin/grpc_health_probe
+FROM registry.redhat.io/openshift4/ose-operator-registry:$1
+
+ENTRYPOINT ["/bin/opm"]
+CMD ["serve", "/configs", "--cache-dir=/tmp/cache"]
+
+add catalog /configs
+RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"]
+
+# Core bundle labels.
+
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=rhtas-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
+LABEL operators.operatorframework.io.index.configs.v1=/configs
+
+EOT
+}
+
+setBrew()
+{
+if [[ "$2" == "brew" ]]; then
+    sed -i 's|image: registry.redhat.ioregistry.redhat.io/rhtas-tech-preview/sigstore-rhel9-operator|image: brew.registry.redhat.ioregistry.redhat.io/rhtas-tech-preview/sigstore-rhel9-operator|g' "${frag}"/graph.yaml
+fi
+}
+
+unsetBrew()
+{
+if [[ "$2" == "brew" ]]; then
+    sed -i 's|image: brew.registry.redhat.io/rhtas-tech-preview/sigstore-rhel9-operator|image: registry.redhat.io/rhtas-tech-preview/sigstore-rhel9-operator|g' "${frag}"/graph.yaml
+    sed -i 's|brew.registry.redhat.io/rhtas-tech-preview/sigstore-rhel9-operator|registry.redhat.io/rhtas-tech-preview/sigstore-rhel9-operator|g' "${frag}"/catalog/rhtas-operator/catalog.json
+fi
+}
+
+
+cmd="$1"
+case $cmd in
+  "--help")
+    helpFunction
+  ;;
+  "--init-basic")
+    frag=$2
+    if [ -z "$frag" ]
+    then
+      echo "Please specify OCP minor, eg: v4.12"
+      exit 1
+    fi
+    FROMV=$(grep FROM "${frag}"/catalog.Dockerfile)
+    OCPV=${FROMV##*:}
+    from=registry.redhat.io/redhat/redhat-operator-index:${OCPV}
+    yqOrjq=$3
+    mkdir -p "${frag}/catalog/rhtas-operator/" "${frag}/${frag}"
+    touch "${frag}/${frag}/.empty"
+    case $yqOrjq in
+      "yq")
+        touch "${frag}"/graph.yaml
+        echo opm render $from -o yaml
+	"${OPM_CMD}" render "$from" -o yaml | yq "select( .package == \"$package_name\" or .name == \"$package_name\")" | yq 'select(.schema == "olm.bundle") = {"schema": .schema, "image": .image}' | yq 'select(.schema == "olm.package") = {"schema": .schema, "name": .name, "defaultChannel": .defaultChannel}' > "${frag}"/graph.yaml
+      ;;
+      "jq")
+        "${OPM_CMD}" render "$from" | jq "select( .package == \"$package_name\" or .name == \"$package_name\")" | jq 'if (.schema == "olm.bundle") then {schema: .schema, image: .image} else (if (.schema == "olm.package") then {schema: .schema, name: .name, defaultChannel: .defaultChannel} else . end) end' > "${frag}"/graph.json
+      ;;
+      *)
+        echo "please specify if yq or jq"
+        exit 1
+      ;;
+    esac
+    devfile "$frag"
+    dockerfile "$frag"
+  ;;
+  "--init-basic-all")
+    for f in ./"v4."*; do
+      frag=${f#./}
+      $0 --init-basic "${frag}" yq
+      $0 --comment-graph "${frag}"
+    done
+  ;;
+  "--render")
+    frag=$2
+    if [ -z "$frag" ]
+    then
+      echo "Please specify OCP minor, eg: v4.12"
+      exit 1
+    fi
+    setBrew "${frag}" "$3"
+    "${OPM_CMD}" alpha render-template basic "${frag}"/graph.yaml > "${frag}"/catalog/rhtas-operator/catalog.json
+    unsetBrew "${frag}" "$3"
+  ;;
+  "--render-all")
+    for f in ./"v4."*; do
+      frag=${f#./}
+      setBrew "${frag}" "$2"
+      "${OPM_CMD}" alpha render-template basic "${frag}"/graph.yaml > "${frag}"/catalog/rhtas-operator/catalog.json
+      unsetBrew "${frag}" "$2"
+    done
+  ;;
+  "--comment-graph")
+    frag=$2
+    if [ -z "$frag" ]
+    then
+      echo "Please specify OCP minor, eg: v4.12"
+      exit 1
+    fi
+    setBrew "${frag}" "$3"
+    sed -i "/# hco-bundle-registry v4\./d" "$frag"/graph.yaml
+    grep -E "^image: [brew\.]*registry.redhat.io/rhtas-tech-preview/sigstore-rhel9-operator[-rhel9]*@sha256" "$frag"/graph.yaml | while read -r line ; do
+      image=${line/image: /}
+      echo "Processing $image"
+      # shellcheck disable=SC2086
+      url=$(${SKOPEO_CMD} inspect --no-tags ${AUTH_FILE} docker://"$image" | grep "\"url\": ")
+      tag1=${url/*\/images\/}
+      tag=${tag1/\",/}
+      sed -i "s|$image|$image\n# hco-bundle-registry $tag|g" "$frag"/graph.yaml
+    done
+    unsetBrew "${frag}" "$3"
+  ;;
+  "--comment-graph-all")
+    for f in ./"v4."*; do
+      frag=${f#./}
+      setBrew "${frag}" "$2"
+      sed -i "/# hco-bundle-registry v4\./d" "$frag"/graph.yaml
+      grep -E "^image: [brew\.]*registry.redhat.io/rhtas-tech-preview/sigstore-rhel9-operator[-rhel9]*@sha256" "$frag"/graph.yaml | while read -r line ; do
+        image=${line/image: /}
+        echo "Processing $image"
+	# shellcheck disable=SC2086
+        url=$(${SKOPEO_CMD} inspect --no-tags ${AUTH_FILE} docker://"$image" | grep "\"url\": ")
+        tag1=${url/*\/images\/}
+        tag=${tag1/\",/}
+        sed -i "s|$image|$image\n# hco-bundle-registry $tag|g" "$frag"/graph.yaml
+      done
+      unsetBrew "${frag}" "$2"
+    done
+  ;;
+  *)
+    echo "$cmd not one of the allowed flags"
+    helpFunction
+  ;;
+esac

tas-env-generate.sh

@@ -71,15 +71,15 @@ export COSIGN_CERTIFICATE_OIDC_ISSUER=\$OIDC_ISSUER_URL
 export COSIGN_YES="true"
 
 # Gitsign/Sigstore Variables
-export SIGSTORE_FULCIO_URL=\$FULCIO_URL
-export SIGSTORE_OIDC_ISSUER=\$OIDC_ISSUER_URL
-export SIGSTORE_REKOR_URL=\$REKOR_URL
+export SIGSTORE_FULCIO_URL=\$COSIGN_FULCIO_URL
+export SIGSTORE_OIDC_ISSUER=\$COSIGN_OIDC_ISSUER
+export SIGSTORE_REKOR_URL=\$COSIGN_REKOR_URL
 
 # Rekor CLI Variables
-export REKOR_REKOR_SERVER=\$REKOR_URL
+export REKOR_REKOR_SERVER=\$COSIGN_REKOR_URL
 EOL
 
 # Make the generated script executable
 chmod +x tas-env-vars.sh
 echo "A file 'tas-env-vars.sh' to set a local signing environment has been created in the current directory."
-echo "To initialize the environment variables, run 'source ./tas-env-vars.sh' from the terminal."
+echo "To initialize the environment variables, run 'source ./tas-env-vars.sh' from the terminal."