update boilerplate

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: boilerplate
   namespace: openshift
-  tag: image-v3.0.2
+  tag: image-v5.0.0

.github/dependabot.yml

@@ -10,3 +10,5 @@ updates:
     ignore:
       - dependency-name: "app-sre/boilerplate"
         # don't upgrade boilerplate via these means
+      - dependency-name: "openshift4/ose-operator-registry"
+        # don't upgrade ose-operator-registry via these means

OWNERS_ALIASES

@@ -5,84 +5,78 @@
 aliases:
   srep-functional-team-aurora:
     - abyrne55
-    - bdematte
-    - boranx
+    - AlexVulaj
     - dakotalongRH
     - lnguyen1401
     - luis-falcon
     - rafael-azevedo
+    - reedcort
   srep-functional-team-fedramp:
     - tonytheleg
     - theautoroboto
     - rhdedgar
     - katherinelc321
     - robotmaxtron
     - rojasreinold
+    - hbhushan3
+    - fsferraz-rh
   srep-functional-team-hulk:
-    - mrbarge
     - a7vicky
-    - bmeng
-    - jwai7
     - rendhalver
     - ravitri
     - shitaljante
     - weherdh
+    - devppratik
   srep-functional-team-orange:
+    - bergmannf
     - bng0y
     - typeid
     - Makdaam
+    - mrWinston
     - Nikokolas3270
     - ninabauer
     - RaphaelBut
     - Tessg22
-    - thavlice
   srep-functional-team-rocket:
-    - anispate
-    - yithian
     - aliceh
-    - bdmiller3
-    - mjlshen
-    - sam-nguyen7
+    - anispate
+    - clcollins
+    - iamkirkbater
     - tnierman
+    - yithian
   srep-functional-team-security:
-    - karthikperu7
-    - clcollins
     - gsleeman
     - jaybeeunix
+    - sam-nguyen7
     - wshearn
+    - SamuelSidakwo
   srep-functional-team-thor:
-    - wanghaoran1988
+    - bmeng
     - MitaliBhalla
     - hectorakemp
-    - reetika-vyas
     - feichashao
-    - supreeth7
     - Tafhim
-  srep-functional-team-v1alpha1:
-    - iamkirkbater
-    - AlexVulaj
-    - T0MASD
-    - bergmannf
-    - dkeohane
-    - reedcort
-    - mrWinston
+    - samanthajayasinghe
   srep-functional-leads:
-    - mrbarge
     - rafael-azevedo
-    - wanghaoran1988
-    - sam-nguyen7
     - iamkirkbater
-    - bng0y
-    - tonytheleg
-    - karthikperu7
+    - Nikokolas3270
+    - theautoroboto
+    - bmeng
+    - mjlshen
+    - sam-nguyen7
+    - ravitri
   srep-team-leads:
-    - cblecker
-    - jharrington22
     - NautiluX
     - rogbas
-    - jewzaam
     - fahlmant
     - dustman9000
+    - wanghaoran1988
+    - bng0y
+  sre-group-leads:
+    - apahim
+    - maorfr
+    - rogbas
   srep-architects:
     - jewzaam
     - jharrington22

boilerplate/_data/backing-image-tag

@@ -1 +1 @@
-image-v3.0.2
+image-v5.0.0

boilerplate/_data/last-boilerplate-commit

@@ -1 +1 @@
-f2283ca508e2f9af2e1f1d08e86051aefdad0386
+368331d7b41947c357275c024a610ae8652c1e53

boilerplate/_lib/freeze-check

@@ -35,7 +35,7 @@ BOILERPLATE_GIT_REPO=https://github.com/openshift/boilerplate.git
 # and reapply the diff? Messy and error-prone -- and I would be
 # seriously ticked off if something went wrong and lost my in-flight
 # changes.
-if ! [ -z "$(git status --porcelain)" ]; then
+if ! [ -z "$(git status --porcelain -- ':!build/Dockerfile*')" ]; then
   echo "Can't validate boilerplate in a dirty repository. Please commit your changes and try again." >&2
   exit 1
 fi
@@ -70,9 +70,9 @@ cd $REPO_ROOT
 BOILERPLATE_GIT_CLONE="git clone $TMPD" boilerplate/update
 
 # Okay, if anything has changed, that's bad.
-if [[ $(git status --porcelain | wc -l) -ne 0 ]]; then
+if [[ $(git status --porcelain -- ':!build/Dockerfile*' | wc -l) -ne 0 ]]; then
   echo "Your boilerplate is dirty!" >&2
-  git status --porcelain
+  git status --porcelain -- ':!build/Dockerfile*'
   exit 1
 fi
 

boilerplate/_lib/subscriber-report

@@ -11,4 +11,3 @@ SUBCOMMANDS=(
 )
 
 source $REPO_ROOT/boilerplate/_lib/subscriber.sh
-

boilerplate/_lib/subscriber.sh

@@ -69,13 +69,11 @@ SUBSCRIBERS_FILE=$REPO_ROOT/subscribers.yaml
 #       all:        Prints all subscribers
 #       onboarded:  Prints only onboarded subscribers
 subscriber_list() {
-    local filt
     case $1 in
-        all) filt='[*]';;
+        all) yq '.subscribers[] | .name' $SUBSCRIBERS_FILE;;
         # TODO: Right now subscribers are only "manual".
-        onboarded) filt='(conventions.**.status==manual)';;
+        onboarded) yq '.subscribers[] | select(.conventions[].status == "manual") | .name' $SUBSCRIBERS_FILE;;
     esac
-    yq r $SUBSCRIBERS_FILE "subscribers${filt}.name"
 }
 
 ## last_bp_commit ORG/PROJ

boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry

@@ -0,0 +1,22 @@
+FROM registry.redhat.io/openshift4/ose-operator-registry:v4.12 AS builder
+ARG SAAS_OPERATOR_DIR
+COPY ${SAAS_OPERATOR_DIR} manifests
+RUN initializer --permissive
+
+# ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+
+COPY --from=builder /bin/registry-server /bin/registry-server
+COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe
+COPY --from=builder /bin/initializer /bin/initializer
+
+WORKDIR /registry
+RUN chgrp -R 0 /registry && chmod -R g+rwx /registry
+
+USER 1001
+
+COPY --from=builder /registry /registry
+
+EXPOSE 50051
+
+CMD ["registry-server", "-t", "/tmp/terminate.log"]

boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES

@@ -5,84 +5,78 @@
 aliases:
   srep-functional-team-aurora:
     - abyrne55
-    - bdematte
-    - boranx
+    - AlexVulaj
     - dakotalongRH
     - lnguyen1401
     - luis-falcon
     - rafael-azevedo
+    - reedcort
   srep-functional-team-fedramp:
     - tonytheleg
     - theautoroboto
     - rhdedgar
     - katherinelc321
     - robotmaxtron
     - rojasreinold
+    - hbhushan3
+    - fsferraz-rh
   srep-functional-team-hulk:
-    - mrbarge
     - a7vicky
-    - bmeng
-    - jwai7
     - rendhalver
     - ravitri
     - shitaljante
     - weherdh
+    - devppratik
   srep-functional-team-orange:
+    - bergmannf
     - bng0y
     - typeid
     - Makdaam
+    - mrWinston
     - Nikokolas3270
     - ninabauer
     - RaphaelBut
     - Tessg22
-    - thavlice
   srep-functional-team-rocket:
-    - anispate
-    - yithian
     - aliceh
-    - bdmiller3
-    - mjlshen
-    - sam-nguyen7
+    - anispate
+    - clcollins
+    - iamkirkbater
     - tnierman
+    - yithian
   srep-functional-team-security:
-    - karthikperu7
-    - clcollins
     - gsleeman
     - jaybeeunix
+    - sam-nguyen7
     - wshearn
+    - SamuelSidakwo
   srep-functional-team-thor:
-    - wanghaoran1988
+    - bmeng
     - MitaliBhalla
     - hectorakemp
-    - reetika-vyas
     - feichashao
-    - supreeth7
     - Tafhim
-  srep-functional-team-v1alpha1:
-    - iamkirkbater
-    - AlexVulaj
-    - T0MASD
-    - bergmannf
-    - dkeohane
-    - reedcort
-    - mrWinston
+    - samanthajayasinghe
   srep-functional-leads:
-    - mrbarge
     - rafael-azevedo
-    - wanghaoran1988
-    - sam-nguyen7
     - iamkirkbater
-    - bng0y
-    - tonytheleg
-    - karthikperu7
+    - Nikokolas3270
+    - theautoroboto
+    - bmeng
+    - mjlshen
+    - sam-nguyen7
+    - ravitri
   srep-team-leads:
-    - cblecker
-    - jharrington22
     - NautiluX
     - rogbas
-    - jewzaam
     - fahlmant
     - dustman9000
+    - wanghaoran1988
+    - bng0y
+  sre-group-leads:
+    - apahim
+    - maorfr
+    - rogbas
   srep-architects:
     - jewzaam
     - jharrington22

boilerplate/openshift/golang-osd-operator/README.md

@@ -8,6 +8,9 @@
   - [Code coverage](#code-coverage)
   - [Linting and other static analysis with `golangci-lint`](#linting-and-other-static-analysis-with-golangci-lint)
   - [Checks on generated code](#checks-on-generated-code)
+  - [FIPS](#fips-federal-information-processing-standards)
+  - [Additional deployment support](#additional-deployment-support)
+  - [OLM SkipRange](#olm-skiprange)
 
 This convention is suitable for both cluster- and hive-deployed operators.
 
@@ -136,3 +139,29 @@ include boilerplate/generated-includes.mk
 `fips.go` will import the necessary packages to restrict all TLS configuration to FIPS-approved settings.
 
 With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build`
+
+## Additional deployment support
+
+- The convention currently supports a maximum of two deployments. i.e. The operator deployment itself plus an optional additional deployment.
+- If an additional deployment image has to be built and appended to the CSV as part of the build process, then the consumer needs to:
+  - Specify `SupplementaryImage` which is the deployment name in the consuming repository's `config/config.go`.
+  - Define the image to be built as `ADDITIONAL_IMAGE_SPECS` in the consuming repository's Makefile, Boilerplate later parses this image as part of the build process; [ref](https://github.com/openshift/boilerplate/blob/master/boilerplate/openshift/golang-osd-operator/standard.mk#L56).
+
+  e.g.
+
+    ```.mk
+    # Additional Deployment Image
+    define ADDITIONAL_IMAGE_SPECS
+    build/Dockerfile.webhook $(SUPPLEMENTARY_IMAGE_URI)
+    end
+    ```
+  - Ensure the CSV template of the consuming repository has the additional deployment name.
+
+## OLM SkipRange
+
+- OLM currently doesn't support cross-catalog upgrades.
+- The convention standardizes the catalog repositories to adhere to the naming convention `${OPERATOR_NAME}-registry`.
+- For an existing operator that has been deployed looking to onboard Boilerplate is a problem. Once deployed, for an existing operator to upgrade to the new Boilerplate-deployed operator which refers to the new catalog registry with `staging/production` channels, OLM needs to support cross-catalog upgrades.
+- Cross catalog upgrades are only possible via [OLM Skiprange](https://v0-18-z.olm.operatorframework.io/docs/concepts/olm-architecture/operator-catalog/creating-an-update-graph/#skiprange).
+- The consumer can explictly enable OLM SkipRange for their operator by specifying `EnableOLMSkipRange="true"` in the repository's `config/config.go`.
+- If specified, the `olm.skipRange` annotation will be appended to the CSV during the build process creating an upgrade path for the operator.

boilerplate/openshift/golang-osd-operator/configure-fips.sh

@@ -15,4 +15,4 @@ fi
 
 echo "Writing fips file at $MAIN_DIR/fips.go"
 
-cp $CONVENTION_DIR/fips.go.tmplt "$MAIN_DIR/fips.go"
+cp $CONVENTION_DIR/fips.go.tmplt "$MAIN_DIR/fips.go"

boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh

@@ -36,7 +36,7 @@ check_mandatory_params operator_channel operator_name
 # Parameters for the Dockerfile
 SAAS_OPERATOR_DIR="saas-${operator_name}-bundle"
 BUNDLE_DIR="${SAAS_OPERATOR_DIR}/${operator_name}"
-DOCKERFILE_REGISTRY="Dockerfile.olm-registry"
+DOCKERFILE_REGISTRY="build/Dockerfile.olm-registry"
 
 # Checking SAAS_OPERATOR_DIR exist
 if [ ! -d "${SAAS_OPERATOR_DIR}/.git" ] ; then
@@ -61,31 +61,7 @@ channels:
   currentCSV: ${operator_name}.v${OPERATOR_NEW_VERSION}
 EOF
 
-# Build registry
-cat <<EOF > $DOCKERFILE_REGISTRY
-FROM quay.io/openshift/origin-operator-registry:4.10.0 AS builder
-COPY $SAAS_OPERATOR_DIR manifests
-RUN initializer --permissive
-
-FROM registry.access.redhat.com/ubi8/ubi-micro:8.6-484
-
-COPY --from=builder /bin/registry-server /bin/registry-server
-COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe
-COPY --from=builder /bin/initializer /bin/initializer
-
-WORKDIR /registry
-RUN chgrp -R 0 /registry && chmod -R g+rwx /registry
-
-USER 1001
-
-COPY --from=builder /registry /registry
-
-EXPOSE 50051
-
-CMD ["registry-server", "-t", "/tmp/terminate.log"]
-EOF
-
-${CONTAINER_ENGINE} build --pull -f $DOCKERFILE_REGISTRY --tag "${registry_image}:${operator_channel}-latest" .
+${CONTAINER_ENGINE} build --pull -f "${DOCKERFILE_REGISTRY}" --build-arg "SAAS_OPERATOR_DIR=${SAAS_OPERATOR_DIR}" --tag "${registry_image}:${operator_channel}-latest" .
 
 if [ $? -ne 0 ] ; then
     echo "docker build failed, exiting..."