ROSAENG-58014 : Vulnerability mitigation for certman operator

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: boilerplate
   namespace: openshift
-  tag: image-v8.3.6
+  tag: image-v8.4.1

OWNERS_ALIASES

@@ -26,7 +26,6 @@ aliases:
     - cjnovak98
   srep-functional-team-hulk:
     - ravitri
-    - devppratik
     - Tafhim
     - tkong-redhat
     - TheUndeadKing
@@ -55,10 +54,8 @@ aliases:
     - jaybeeunix
     - sam-nguyen7
     - wshearn
-    - dem4gus
     - npecka
     - pshickeydev
-    - casey-williams-rh
     - boranx
   srep-functional-team-thor:
     - diakovnec

boilerplate/_data/backing-image-tag

@@ -1 +1 @@
-image-v8.3.6
+image-v8.4.1

boilerplate/_data/last-boilerplate-commit

@@ -1 +1 @@
-8fb7c801f68dc7e06e8d2ae138c2a98f0b234b56
+bae34e3f78c0022bdd9842d69f72b5c23e857229

boilerplate/_lib/subscriber-propose-update

@@ -25,7 +25,7 @@ Quirks and Limitations:
 - Is still slightly interactive, because 'gh pr create' likes to ask
   questions about your origin and upstream.
 EOF
-    exit -1
+    exit 1
 }
 
 source $REPO_ROOT/boilerplate/_lib/subscriber.sh
@@ -34,47 +34,101 @@ source $REPO_ROOT/boilerplate/_lib/subscriber.sh
 [[ $# -eq 0 ]] && usage
 
 TMPD=$(mktemp -d)
+echo $TMPD;
 trap "rm -fr $TMPD" EXIT
 
+run_step() {
+    local title=$1
+    local log_file="$TMPD/$title.log"
+    log_file=$(tr '[:upper:]' '[:lower:]' <<< "$log_file")
+    log_file=$(tr ' ' '-' <<< "$log_file")
+    shift
+
+    if [[ $1 != "--" ]]; then
+        echo "ERR: expected '--' but got '$1'"
+        exit 1
+    fi
+    shift
+    echo -n "$title...  "
+
+    if ! "$@" > "$log_file" 2>&1; then
+        echo " FAILED"
+        echo "!!!"
+        echo "!!! Boilerplate update failed for $subscriber"
+        echo "!!!"
+        echo ""
+        cat "$log_file"
+        exit 1
+    fi
+    echo " DONE"
+}
+
+sync_main() {
+    local main_branch=$1
+    shift
+
+    git pull upstream $main_branch
+    git push origin $main_branch
+}
+
+git_clean_and_push() {
+    local branch=$1
+    shift
+
+    git push --delete origin $branch || true
+    git push -u origin $branch
+}
+
 propose_update() {
     local subscriber=$1
     local proj=${subscriber#*/}
 
-    if [[ -z "$DRY_RUN" ]]; then
-        echo "DRY RUN: Would propose update for $subscriber"
-        return 0
-    fi
-
     (
         # Clone my fork of the subscriber repo
         cd $TMPD
         # This
         # - uses the existing fork if one exists
         # - sets 'origin' and 'upstream' remotes
-        gh repo fork $subscriber --clone=true --remote=true
+        # only clones the default branch to save disk space and time
+
+        run_step "Creating fork" -- gh repo fork $subscriber --clone=true --default-branch-only
         cd $proj
 
-        # Current branch is 'master' or 'main'
-        cur_branch=$(current_branch .)
-        # Make sure our origin is synced with upstream, so our update
-        # commit is based off of the latest code.
-        # WARNING: This changes your fork!
-        git pull upstream $cur_branch
-        git push origin $cur_branch
-
-        # Create the update commit
-        make boilerplate-update
-        make boilerplate-commit
-
-        # And create the PR
-        # TODO: This is interactive. How do we tell gh "Yes, please use
-        # upstream as upstream and origin as origin?"
-        gh pr create -f
+        # Current branch is 'master' or 'main' or 'trunk'
+        main_branch=$(current_branch .)
+        run_step "Syncing Fork" -- sync_main $main_branch
+        # run_step "Pushing fork" -- git push origin $main_branch
+
+        # Create the update commit - only cat logs if something goes wrong.
+        run_step "Updating boilerplate" -- make boilerplate-update
+        run_step "Committing boilerplate update" -- make boilerplate-commit
+
+        boilerplate_branch=$(git rev-parse --abbrev-ref HEAD)
+        # By pushing to the origin boilerplate branch explicitly before opening a PR,
+        # we make don't get prompted for the branch to push to.
+        # If we still find that it's giving us an interactive prompt, we can otherwise
+        # use `gh api` to create the PR programmatically.
+        if [[ "$boilerplate_branch" == "$main_branch" ]]; then
+            echo "CRITICAL ERROR: boilerplate branch '$boilerplate_branch' is the same as main branch '$main_branch'"
+            echo "If you see this, something has gone terribly wrong"
+            echo "Skipping"
+            exit 20
+        fi
+        run_step "pushing update" -- git_clean_and_push $boilerplate_branch
+
+        gh pr create --repo $subscriber -f $DRY_RUN_FLAG
     )
 }
 
 bp_master=$(git rev-parse master)
 
+DRY_RUN_FLAG=""
+if [[ -z "$DRY_RUN" ]]; then
+    echo "DRY RUN: ENABLED"
+    DRY_RUN_FLAG="--dry-run"
+fi
+
+
 for subscriber in $(subscriber_args "$@"); do
 
     # Does this one need an update?
@@ -89,14 +143,45 @@ for subscriber in $(subscriber_args "$@"); do
         continue
     fi
 
-    # Is there already a PR proposed for this level?
-    existing_pr=$(gh pr list --repo $subscriber | grep -P ":boilerplate-\S+-$bp_master\s")
+    # Is there already a PR proposed for this commit?
+    pr_list=$(gh pr list --repo $subscriber --json headRefName,url,number | jq -r '. | map(select(.headRefName | startswith("boilerplate-update--")))')
+    existing_pr=$(jq -r ".[] | select(.headRefName == \"boilerplate-update--$bp_master\")" <<< "$pr_list")
     if [[ -n "$existing_pr" ]]; then
-        echo "Subscriber '$subscriber' already has an open PR:"
-        echo "https://github.com/$subscriber/pull/$existing_pr"
+        echo "Subscriber '$subscriber' already has an open PR for this boilerplate commit:"
+        jq -r .url <<< "$existing_pr"
         continue
     fi
 
     # Pull the trigger
-    propose_update "$subscriber"
+    if ! propose_update "$subscriber"; then
+        echo "Error: failed to propose update for '$subscriber'"
+        continue
+    fi
+
+    new_pr="XXXX"
+    # Get the new PR URL
+    # only run if not dry-run - otherwise the new_pr var will be empty
+    if [[ -n $DRY_RUN ]]; then
+        new_pr=$(gh pr list --repo $subscriber --json headRefName,number | jq -r ".[] | select(.headRefName == \"boilerplate-update--$bp_master\") | .number")
+        if [[ -z "$new_pr" ]]; then
+            echo "error: unable to find new PR for boilerplate update '$bp_master' on subscriber '$subscriber'"
+            continue
+        fi
+    fi
+
+    # Add comments to existing PRs to say they're superseded by this new one
+    if [[ -n "$pr_list" ]]; then
+        prs=$(jq -r '. | map(.number) | @tsv' <<< "$pr_list")
+        echo "Closing old PRs: $prs"
+        for pr in $prs; do
+            if [[ -z $DRY_RUN ]]; then
+                echo "Dry run - would close $pr with comment:"
+                echo "  \"Superseded by #$new_pr.\""
+                continue
+            fi
+
+            gh pr close --repo $subscriber --comment "Superseded by #$new_pr." $pr
+        done
+    fi
+
 done

boilerplate/openshift/golang-osd-e2e/update

@@ -12,25 +12,30 @@ source $CONVENTION_ROOT/_lib/common.sh
 
 REPO_ROOT=$(git rev-parse --show-toplevel)
 OPERATOR_NAME=$(sed -n 's/.*OperatorName .*=.*"\([^"]*\)".*/\1/p' "${REPO_ROOT}/config/config.go")
+GO_MODULE_PATH=$(awk '/^module / { print $2; exit }' "${REPO_ROOT}/go.mod")
 E2E_SUITE_DIRECTORY=$REPO_ROOT/test/e2e
 
+if [[ -z "${GO_MODULE_PATH}" ]]; then
+  err "Could not read module path from ${REPO_ROOT}/go.mod"
+fi
+
 # Update operator name in templates
 OPERATOR_UNDERSCORE_NAME=${OPERATOR_NAME//-/_}
 OPERATOR_PROPER_NAME=$(echo "$OPERATOR_NAME" | sed 's/-/ /g' | awk '{for(i=1;i<=NF;i++){ $i=toupper(substr($i,1,1)) substr($i,2) }}1')
 OPERATOR_NAME_CAMEL_CASE=${OPERATOR_PROPER_NAME// /}
 
 mkdir -p "${E2E_SUITE_DIRECTORY}"
 
-E2E_SUITE_BUILDER_IMAGE=registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.25-openshift-4.21
+E2E_SUITE_BUILDER_IMAGE=registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.26-openshift-4.22
 if [[ -n ${KONFLUX_BUILDS} ]]; then
-	E2E_SUITE_BUILDER_IMAGE="brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.25"
+	E2E_SUITE_BUILDER_IMAGE="brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.26"
 fi
 
 echo "syncing ${E2E_SUITE_DIRECTORY}/Dockerfile"
 tee "${E2E_SUITE_DIRECTORY}/Dockerfile" <<EOF
 # THIS FILE IS GENERATED BY BOILERPLATE. DO NOT EDIT.
 FROM ${E2E_SUITE_BUILDER_IMAGE} as builder
-WORKDIR /go/src/github.com/openshift/$OPERATOR_NAME/
+WORKDIR /go/src/${GO_MODULE_PATH}/
 COPY . .
 RUN  CGO_ENABLED=0 GOFLAGS="-mod=mod" go test ./test/e2e -v -c --tags=osde2e -o /e2e.test
 

boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES

@@ -26,7 +26,6 @@ aliases:
     - cjnovak98
   srep-functional-team-hulk:
     - ravitri
-    - devppratik
     - Tafhim
     - tkong-redhat
     - TheUndeadKing
@@ -55,10 +54,8 @@ aliases:
     - jaybeeunix
     - sam-nguyen7
     - wshearn
-    - dem4gus
     - npecka
     - pshickeydev
-    - casey-williams-rh
     - boranx
   srep-functional-team-thor:
     - diakovnec

boilerplate/openshift/golang-osd-operator/docs/pre-commit.md

@@ -7,15 +7,12 @@
 [uv](https://github.com/astral-sh/uv) is recommended for Python dependency management. It provides dependency locking with package hashes (supply-chain protection), virtual environment management, and is 10-100x faster than pip.
 
 **Install uv:**
-```bash
-# macOS/Linux
-curl -LsSf https://astral.sh/uv/install.sh | sh
 
-# Windows
-powershell -c "irm https://astral.sh/uv/install.ps1 | iex"
+To avoid piping unverified remote scripts and avoid using `sudo`, install `uv` via `pip` into your user directory:
 
-# Via pip
-pip install uv
+```bash
+# Install to user directory (never use sudo)
+pip install --user uv
 ```
 
 **First-time setup:**

boilerplate/openshift/golang-osd-operator/update

@@ -18,15 +18,17 @@ cp ${HERE}/.codecov.yml $REPO_ROOT
 echo "Copying OWNERS_ALIASES to your repository root."
 cp -L ${HERE}/OWNERS_ALIASES $REPO_ROOT
 
-# Add CICD owners to .tekton if exists
-if [[ -d "${REPO_ROOT}/.tekton/" ]]; then
-	echo "Adding Konflux subdirectory OWNERS file to .tekton/"
-	cat >"${REPO_ROOT}/.tekton/OWNERS" <<EOF
-reviewers:
-- srep-infra-cicd
-approvers:
-- srep-infra-cicd
-EOF
+# Clean up srep-infra-cicd from .tekton/OWNERS if it exists
+TEKTON_OWNERS="${REPO_ROOT}/.tekton/OWNERS"
+if [[ -f "${TEKTON_OWNERS}" ]] && grep -q "srep-infra-cicd" "${TEKTON_OWNERS}"; then
+	echo "Removing srep-infra-cicd from .tekton/OWNERS..."
+	${SED?} -i '/srep-infra-cicd/d' "${TEKTON_OWNERS}"
+
+	# If no owners remain (ignoring section headers, comments, and blank lines), remove the file
+	if ! grep -qE "^\\s*-\\s+\\S" "${TEKTON_OWNERS}"; then
+		echo "Removing .tekton/OWNERS (no owners remain after cleanup)"
+		rm "${TEKTON_OWNERS}"
+	fi
 fi
 
 # Add dependabot configuration

build/Dockerfile

@@ -1,4 +1,4 @@
-FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6 AS builder
+FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.4.1 AS builder
 
 RUN mkdir -p /workdir
 WORKDIR /workdir
@@ -8,7 +8,7 @@ COPY . .
 RUN make go-build
 
 ####
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1780378819
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1782191395
 
 ENV USER_UID=1001 \
     USER_NAME=certman-operator

build/Dockerfile.olm-registry

@@ -4,7 +4,7 @@ COPY ${SAAS_OPERATOR_DIR} manifests
 RUN initializer --permissive
 
 # ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1780378819
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1782191395
 
 COPY --from=builder /bin/registry-server /bin/registry-server
 COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe

test/e2e/Dockerfile

@@ -1,5 +1,5 @@
 # THIS FILE IS GENERATED BY BOILERPLATE. DO NOT EDIT.
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.25 as builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.26 as builder
 WORKDIR /go/src/github.com/openshift/certman-operator/
 COPY . .
 RUN  CGO_ENABLED=0 GOFLAGS="-mod=mod" go test ./test/e2e -v -c --tags=osde2e -o /e2e.test