diff --git a/Makefile b/Makefile index 4e1ed449..41608269 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ # To re-generate a bundle for another specific version without changing the standard setup, you can: # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 0.0.1 +VERSION ?= 0.8.0 ARCH = $(shell uname -m) # CHANNELS define the bundle channels used in the bundle. @@ -181,10 +181,12 @@ $(LOCALBIN): KUSTOMIZE ?= $(LOCALBIN)/kustomize CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest +OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk ## Tool Versions KUSTOMIZE_VERSION ?= v3.8.7 CONTROLLER_TOOLS_VERSION ?= v0.9.2 +OPERATOR_SDK_VERSION ?= v1.30.0 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" .PHONY: kustomize @@ -202,20 +204,20 @@ envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. $(ENVTEST): $(LOCALBIN) test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest -.PHONY: bundle -bundle: manifests kustomize ## Generate bundle manifests and metadata, then validate generated files. - operator-sdk generate kustomize manifests -q - cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) - $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) - operator-sdk bundle validate ./bundle - -.PHONY: bundle-build -bundle-build: ## Build the bundle image. - docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . - -.PHONY: bundle-push -bundle-push: ## Push the bundle image. - $(MAKE) docker-push IMG=$(BUNDLE_IMG) +.PHONY: operator-sdk +operator-sdk: $(OPERATOR_SDK) ## Download operator-sdk locally if necessary. +$(OPERATOR_SDK): $(LOCALBIN) +ifeq (,$(shell which operator-sdk 2>/dev/null)) + test -s $(LOCALBIN)/operator-sdk || \ + { \ + set -e; \ + OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH); \ + curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$${OS}_$${ARCH}; \ + chmod +x $(OPERATOR_SDK); \ + } +else +OPERATOR_SDK = $(shell which operator-sdk) +endif .PHONY: opm OPM = ./bin/opm @@ -234,6 +236,23 @@ OPM = $(shell which opm) endif endif +##@ Operator Hub + +.PHONY: bundle +bundle: manifests kustomize operator-sdk## Generate bundle manifests and metadata, then validate generated files. + $(OPERATOR_SDK) generate kustomize manifests -q + cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) + $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) + $(OPERATOR_SDK) bundle validate ./bundle --select-optional suite=operatorframework + +.PHONY: bundle-build +bundle-build: ## Build the bundle image. + docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . + +.PHONY: bundle-push +bundle-push: ## Push the bundle image. + $(MAKE) docker-push IMG=$(BUNDLE_IMG) + # A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0). # These images MUST exist in a registry and be pull-able. BUNDLE_IMGS ?= $(BUNDLE_IMG) diff --git a/bundle.Dockerfile b/bundle.Dockerfile index dfd01dc0..df7872e2 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=cc-operator LABEL operators.operatorframework.io.bundle.channels.v1=alpha -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.23.0 +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.30.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3 diff --git a/bundle/manifests/cc-operator.clusterserviceversion.yaml b/bundle/manifests/cc-operator.clusterserviceversion.yaml index adf8ca8c..caa00a9b 100644 --- a/bundle/manifests/cc-operator.clusterserviceversion.yaml +++ b/bundle/manifests/cc-operator.clusterserviceversion.yaml @@ -8,8 +8,7 @@ metadata: "apiVersion": "confidentialcontainers.org/v1beta1", "kind": "CcRuntime", "metadata": { - "name": "ccruntime-sample", - "namespace": "confidential-containers-system" + "name": "ccruntime-sample" }, "spec": { "ccNodeSelector": { @@ -22,19 +21,12 @@ metadata: "/opt/kata-artifacts/scripts/kata-deploy.sh", "reset" ], + "debug": false, + "defaultRuntimeClassName": "kata-qemu", "environmentVariables": [ { - "name": "NODE_NAME", - "valueFrom": { - "fieldRef": { - "apiVersion": "v1", - "fieldPath": "spec.nodeName" - } - } - }, - { - "name": "CONFIGURE_CC", - "value": "yes" + "name": "INSTALL_OFFICIAL_CONTAINERD", + "value": "false" } ], "installCmd": [ @@ -46,6 +38,10 @@ metadata: }, "installType": "bundle", "installerVolumeMounts": [ + { + "mountPath": "/etc/crio/", + "name": "crio-conf" + }, { "mountPath": "/etc/containerd/", "name": "containerd-conf" @@ -54,14 +50,6 @@ metadata: "mountPath": "/opt/kata/", "name": "kata-artifacts" }, - { - "mountPath": "/var/run/dbus/system_bus_socket", - "name": "dbus" - }, - { - "mountPath": "/run/systemd/system", - "name": "systemd" - }, { "mountPath": "/usr/local/bin/", "name": "local-bin" @@ -70,31 +58,24 @@ metadata: "installerVolumes": [ { "hostPath": { - "path": "/etc/containerd/", + "path": "/etc/crio/", "type": "" }, - "name": "containerd-conf" - }, - { - "hostPath": { - "path": "/opt/kata/", - "type": "DirectoryOrCreate" - }, - "name": "kata-artifacts" + "name": "crio-conf" }, { "hostPath": { - "path": "/var/run/dbus/system_bus_socket", + "path": "/etc/containerd/", "type": "" }, - "name": "dbus" + "name": "containerd-conf" }, { "hostPath": { - "path": "/run/systemd/system", - "type": "" + "path": "/opt/kata/", + "type": "DirectoryOrCreate" }, - "name": "systemd" + "name": "kata-artifacts" }, { "hostPath": { @@ -104,9 +85,9 @@ metadata: "name": "local-bin" } ], - "payloadImage": "quay.io/confidential-containers/runtime-payload:kata-containers-5b7009f2f9cdb39099b97a4f868b53ec9f3c383f", + "payloadImage": "quay.io/confidential-containers/runtime-payload-ci:kata-containers-8de1f8e19f858134ba455a7c04edcb21d8bcf6b1", "postUninstall": { - "image": "quay.io/confidential-containers/reqs-payload:latest", + "image": "quay.io/confidential-containers/reqs-payload:e92cb67ea8956128a31950a0c3fa79a086dbaf1a", "volumeMounts": [ { "mountPath": "/opt/confidential-containers/", @@ -117,12 +98,16 @@ metadata: "name": "etc-systemd-system" }, { - "mountPath": "/var/run/dbus/system_bus_socket", - "name": "dbus" + "mountPath": "/etc/containerd/", + "name": "containerd-conf" }, { - "mountPath": "/run/systemd/system", - "name": "systemd" + "mountPath": "/usr/local/bin/", + "name": "local-bin" + }, + { + "mountPath": "/var/lib/containerd-nydus/", + "name": "containerd-nydus" } ], "volumes": [ @@ -142,22 +127,29 @@ metadata: }, { "hostPath": { - "path": "/var/run/dbus/system_bus_socket", + "path": "/etc/containerd/", + "type": "" + }, + "name": "containerd-conf" + }, + { + "hostPath": { + "path": "/usr/local/bin/", "type": "" }, - "name": "dbus" + "name": "local-bin" }, { "hostPath": { - "path": "/run/systemd/system", + "path": "/var/lib/containerd-nydus/", "type": "" }, - "name": "systemd" + "name": "containerd-nydus" } ] }, "preInstall": { - "image": "quay.io/confidential-containers/reqs-payload:latest", + "image": "quay.io/confidential-containers/reqs-payload:e92cb67ea8956128a31950a0c3fa79a086dbaf1a", "volumeMounts": [ { "mountPath": "/opt/confidential-containers/", @@ -168,12 +160,16 @@ metadata: "name": "etc-systemd-system" }, { - "mountPath": "/var/run/dbus/system_bus_socket", - "name": "dbus" + "mountPath": "/etc/containerd/", + "name": "containerd-conf" }, { - "mountPath": "/run/systemd/system", - "name": "systemd" + "mountPath": "/usr/local/bin/", + "name": "local-bin" + }, + { + "mountPath": "/var/lib/containerd-nydus/", + "name": "containerd-nydus" } ], "volumes": [ @@ -193,32 +189,52 @@ metadata: }, { "hostPath": { - "path": "/var/run/dbus/system_bus_socket", + "path": "/etc/containerd/", + "type": "" + }, + "name": "containerd-conf" + }, + { + "hostPath": { + "path": "/usr/local/bin/", "type": "" }, - "name": "dbus" + "name": "local-bin" }, { "hostPath": { - "path": "/run/systemd/system", + "path": "/var/lib/containerd-nydus/", "type": "" }, - "name": "systemd" + "name": "containerd-nydus" } ] }, - "runtimeClassNames": [ - "kata", - "kata-clh", - "kata-clh-tdx", - "kata-clh-tdx-eaa-kbc" - "kata-qemu", - "kata-qemu-sev", - "kata-qemu-se", - "kata-qemu-snp", - "kata-qemu-tdx", - "kata-qemu-tdx-eaa-kbc", - "kata-remote" + "runtimeClasses": [ + { + "name": "kata-clh", + "snapshotter": "nydus" + }, + { + "name": "kata-clh-tdx", + "snapshotter": "nydus" + }, + { + "name": "kata-qemu", + "snapshotter": "nydus" + }, + { + "name": "kata-qemu-tdx", + "snapshotter": "nydus" + }, + { + "name": "kata-qemu-sev", + "snapshotter": "nydus" + }, + { + "name": "kata-qemu-snp", + "snapshotter": "nydus" + } ], "uninstallCmd": [ "/opt/kata-artifacts/scripts/kata-deploy.sh", @@ -233,9 +249,12 @@ metadata: } ] capabilities: Basic Install - operators.operatorframework.io/builder: operator-sdk-v1.23.0 + categories: Security + containerImage: quay.io/confidential-containers/operator:v0.8.0 + createdAt: "2023-11-15T15:02:03Z" + operators.operatorframework.io/builder: operator-sdk-v1.30.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 - name: cc-operator.v0.0.1 + name: cc-operator.v0.8.0 namespace: placeholder spec: apiservicedefinitions: {} @@ -250,12 +269,19 @@ spec: on Kubernetes cluster displayName: Confidential Containers Runtime Operator icon: - - base64data: "" - mediatype: "" + - base64data: /9j/2wCEAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDIBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMv/AABEIAMgAyAMBIgACEQEDEQH/xAGiAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgsQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29/j5+gEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoLEQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APf6KKKACiiigAooooAKKKKACiijpQAUZxWDrnjDRdA3LeXi+eBnyIxuc/h2/HFeWa/8T9Y1QvDYf6BbHgGM5lI927fh+dbU6E57Gc6sY7nuGRS186Lofim7j+3ix1OUdRKQxY+47n8K0dF+IfiDQ5BDPK13Ahw0NzncPUBuo/HP0rV4R/ZdzNYhdVY96orl9B8faHrpSJLj7NdNx5E/ykn2PQ/z9q6gHIzXNKLi7NG6knsFFFFSMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACimu6xozuwVVGSScACvOfFvxPgst1poTJcXHR7gjMaf7v94/p9auFOU3aJM5qKuzt9X1zT9DtDc6hcpCn8IJ+Zz6KOpNeUeJPinfajG1vpEb2MJ6ylsysPbHC/hk+9c5aab4g8aamZAJ7qRjh7iXhEHuegHsPwFereHPhtpGjKk12ov7wc75V+RT/sr0/E5/CurkpUdZ6s5+apV+HRHm2geA9a8Sj7W2Le2c5+0XGcv7gdT9eB716p4e8A6NoBjmEX2q8Xnz5hkg/7I6D+fvXUgYAHpS1jUxE56bI1hRjEKwNe8H6P4hVjd2qrORgXEXyyD8e/45rforFScXdGjSaszwzxB8M9W0eJ7i0YahbqefLUiRR6le/4E03w38R9V0JVtrsG+tF4CyNh0+jensf0r3WuY8ReBdG8QB5ZIfs923/LxCMMT7jo38/euuOJUly1Vc53RcXemy5oPirSvEUG+xuP3oGXgfiRPqO49xkVt189az4X17whei5xKI42zFeW5OPxI5U+x/Wus8KfFJ0dbTxC29Dwl2q8j/fA/mP/AK9TPDac1N3Q41tbT0Z6zRUVtcw3duk9vKksTjKujBgR7EVLXKdAUUUUAFFFFABRRRQAUUUUAFFFFABUF5dQ2NpLdXDhIYkLux7AVPXGfFG7a28FTIpwbiVIv13f+y1UI80lEmb5YtnnPizxxf8Aii5NlaCSLTy21IE+9Kc8Fsdfp/Otvwr8LZ53W68QKYocAraq3zt/vEdB7Dn6UfCPSbe5u77UZ4leS32JCxGdpOdxHvwK9dAxXXWq+z/d09Dnp0+f35kVraQWVvHb20SRQxjaiIMACpqKMiuI6gpks0UETSyyIkaDLMxwAPc1zPiDxtY6MzwQ4ursfwIflT/eP9BzXm+r+ItT1tv9LnPlA5ESfKg/Dv8AjWM68Y6bs9LC5ZVr+89Ino8vxA0OK6EIkmdc4MqR/IP6n8BXR2l5b31ulxazJLE4yGU14BV3TNXvtIn82yuGiJ+8vVW+o6GsY4l3949GtkkOT909fM95ori/D/j+1v2W31JUtZzwJM/u2P49Px/OuzVgwBBBB9K6ozUldHhVsPUoy5aisJJGksbI6hkYYZWGQR715p4s+F0dyTd6Aqwyk5e2ZsI3+6ex9un0r02itYVJQd4nNOEZKzPnvQ/Eer+C9VeBlcRo+Lizl6H1x6H3H6ivdNG1iz13TIr+yctDJkYIwVI6gj1ri/ixpFtLoMeqLCouoZVQygclDkYPrzj/ACaq/By7Z7HVLMn5YpUlUf7wIP8A6CK6avLUp+0SszGF4T5Oh6dRRRXGdIUUUUAFFFFABRRRQAUUUUAFec/GGTGg6fFn71yW/JT/AI16NXmHxkb/AEHSV9ZJD+i/41th/wCKjKt8DLfwfix4cvZcctdlfyRf8a9ErhPhKu3wfIf7125/8dWu7pV/4jHS+BEc0giieRvuopY/QV5Jr/ja/wBY3Q25a1tM/dU/Mw/2j/QfrXquonGmXZ9IX/ka8DrhxEmrJH0GTUKc3Kcldq1vxCiiiuM+kCiikZlRSzEKoGST0FAC1r6V40u/DGN9yrWmeYZm4/4D3B+lcRf+J4o90dmvmP8A32+6Pw71zNxczXUplnkLue5oUnF3RNSjCrHlmro+vdF1SDW9HtdStgwhuYw6huoq/XKfDVt3w70U/wDTDH5Ma6uvTi7pM+FrQUKkoro2cr8RovN8C6kMcqI2H4SLXEfB6TGtajFn71uGx9G/+vXoHjpd3grVR/0xz+RBrzf4QnHiu7X1smP/AI+n+NdtP+BI45/xke00UUVyHQFFFFABRRRQAUUUUAFFFFABXl3xl/1Gj/7038kr1GvL/jKP9G0c+jy/yWt8N/FRlW+Bmx8KP+RN/wC3mT+ldxXDfCc58HMPS6f+S13NTW/iSHS+BFXU/wDkE3n/AFwf/wBBNeB175qf/IKvP+uL/wDoJrwOvPxO6Ppsj+Gfy/UKKKK5T3ijqmpJpluJGUuzHCqO5964691S6v2PnSHZnIjXhRW74sP7i2/3m/kK5aky4oKKKKRR9SfDH/knOjf9cm/9Dautrk/hmMfDrRv+uJP/AI+1dZXqw+FHwOK/jz9WYPjX/kTNW/692rzL4Rf8jbc/9eT/APoaV6Z43O3wXqx/6dyK8z+EI/4q25/68n/9DSu2l/AmcFT+LE9rooorkOgKKKKACiiigAooooAKKKKACvNPjGmdL0x/Sdx+aj/CvS64H4uQGTwpBKB/qrtSfYFWH88VtQdqiM6q9xifCF93hO5X+7ev/wCgJXf15l8HbgHTdTt88pMj4/3gR/7LXptGIVqrCi7wRBeo0ljcRqMs0bAD14rwF0aNyjqyupwVYYINfQuKx9b8N6drkJW4iCzfwzIAHH49x7GuKtSc1oevl2OjhW1JaM8RoroNb8Hanozu4ia5tQMiaJc4HuOo/lXP1xSi4uzPqaVaFWPNB3Rzniz/AFNt/vN/SuXrqfFn+ptv95v6Vy1QzdbBRXR+GvA+u+Kpk+wWjLbE4a6lBWJfXnv9BmvePB/w00bwtEkrxJe6h1a5mQfKf9hedv16+9a06Mp+hwYvMqOG03l2Ro+ALaW08CaNBPE0Ui2wLIwwRkk8j8a6WgDFFeilZWPjqk+ebl3Oa8fv5fgfVG9Y1X83A/rXn3wfTPiS9f0tCPzdf8K7T4oTiHwRcoT/AK6SNB/30G/9lrmPg5ATc6tPjhUjQH6lj/SuyGmHkzjn/GR6zRRRXIdIUUUUAFFFFABRRRQAUUUUAFYvizRm17w1eafGVEsihoy3TcpBH54x+NbVFNNp3Qmrqx88+GvEV74M1uUvASpPlXVu/BOD+hHNe3aB4l03xHaefYzZZf8AWQtw8Z9x/XpVLxR4L0zxJA7vGsF9twlyg+bjpuH8Q+teN6hpGv8AgnUxKTLbtnEdzATscemf6Gu1qGI1WkjmXPR80fRNFeZ+FfilBcCOz17EM33RdAfI3+8P4fr0+lekxSxzxrJE6ujDIZTkEVyTpyg7SRvGakrocQD1rktd8B2OpF57PFpcnk7R8jH3Hb8K66ispRUlZnRRrVKMuam7M+fPFPgHxJNd2tjb6e87lziWM/u8epY8D8cV1PhT4K2Vi8d34gnW9mGCLaPIiU+56t+g+tes4HpS4xWUcPBO53Vs2xFSHKnb0GRQxwRrHFGqRoMKqjAA9AKfRSMwUZJwK3PMFqjqmr2OjWTXd/cJDCvc9WPoB3P0rkfFPxL0/SUktdLZby96blOYoz7nv9B+YrzAv4h8bamqkz3s2eB0SIH9FFdNPDSkuaWiMJ1ktI6s0PGnjabxXMlrBCYrCJ90aMMu7dATj6ngetel/Drw9caD4eJvE2XN1J5rIeqDAAU+/U/jUXhP4eafoUcVzeIl3qIwxdhlIz/sj+p5+ldqAB0orVY8vs6ewU6cr88twooormNwooooAKKKKACiiigAooooAKKKKACorm2hu7d7e4iSWJxhkdQwI+hqWigDyjxN8KX817rQHXaeTaytjH+6x/kfzrjtJ8Qa74N1BoVEkW0/vbS4B2n8Ox9xX0RWVrfhzTPEFv5Wo2yyY+444dPow5rqhiXblqK6OeVBXvDRmF4f+I+i6yEink+w3bceXMflJ9n6fng12VeK+JPhdqGns8+jlr22HPlnHmr+HRvw59qyNG8deIPD5FsJzNBGdpt7kE7cdgeo+n6VTw8Zq9JiVaUXaaPoGivN4fjBprWJefTrpbof8skKspP+9x/KuP1r4la7q3mRQSLY278bIPv49C55/LFZxw1RvYuVeCR6n4g8c6L4f3RTz+ddD/l3h+Zh9ey/jXkniLxtrHiib7MheG1c7UtISTv/AN7HLH26e1WfDnw51fW3We8VrGzPJklX53+i9fxP616xoHg/R/Dq5srfM5HM8vzOfx7fhitb0qPmzP8AeVfJHnPhz4V315LHPrTfZbfhjCpzI3sey/zr1nTdLstJtFtbC3jghX+FB1PqT3PuauUVz1K0qnxG0KcYbBRRRWRoFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAVk6t4b0jW4mS/sYpWPSQLhx9GHNa1FNNp3Qmk9zzaX4Pac1zuj1K6SDvGUVm/764/lXVaL4N0PQkX7LYo0w/5bzDfIffJ6fhit+irlWnJWbJVOCd0g6UUUVmWFFFFABRRRQAUUUUAFFFFABRRRQAVWv7+10yxnvb2dILaBC8krnAVR3qzXmHx7a7HwxnFvu8s3UIuMf8APPJ6/wDAtlAGbN8fLSa5kGjeGdV1O1iOHuVG0D3wAePriu38O+P9D8ReFpfEEcz2tpb7vtP2ldphIGSD2P4Z/PinfDxdMT4faGNJCG1+yIcpjl8fPn/a3bs++a4r4+eYnw1RdPCrbHUU+0iLAGPnJzj/AKaYz70ARTfH21lmkbSfC+q39lEcPcgbQPfAB/Uiu88GeOdG8b6Y15pcrB4ztmt5QBJEe2QCeD2PQ/gRU3gtNMj8GaONJEZsfssfllBweBkn3znPfOa8p8NCGP8AaZ1ldE2/YTA/2oRfcDbE3/8AkXH45oA7fwf8V9H8WeILzRFiksr2BmEaTMCJ9pIbaR3GM49Poa0Nc8fW2ieOtH8LSWUss2pqGSdWAVMsw5HX+GvnTw/4T1PXbnxTrWhzyJq+h3sdxbpH1kBaUtt/2hsBA78jvW/aeNh46+LPge/eEw3kCpBdJ/D5gZzlfYgg47dPcgHpnij4y23hvxhdeG10C+v7qDZzbsDv3Rh+FxngN+lW/C3xSl8Ta/BpTeFdW08Shj9ouUwi7VJ5474xXmPiK81ew/aau7nQtOXUdRRU8q1eQIHzaKG5JAGASfwr1zwlrvjfU9XeHxH4Vh0qyELMs6XKyEvkYXAY9iTn2oAXwd8RLbxjBrMtvYzW40t9jiRgd/DdMf7tcfbftAQXsRltfCOrzxKcM8RDgH0yBWd8D/8Ajw8c/wDXf+klaf7OH/Ihal/2E3/9FR0Adf4L+J2g+NppbSzM9rqEQ3PaXShXx3K4JBA/P1FYGvfGm30XxVfeH4/DuoX9zaNtY2zA7uAcgYzjmub8ei3j+P3hFtH2/wBptJF9tEXXZvxlsd/L3Z77cVhzt4kT9oXXz4VjtJNS2txdn5NmxM9xz0oA9T8JfEyXxVrg01vDGq6cDG0nn3KYTjt06mpPCXxU0fxT4iv9D8uSzvrZ2WNJmGJ9pIbaR3GM464+hxY8GyeP3v7geL4NLjtfK/cmzPzb8jryeMZr5/0jwRqXii/8Wanoc7pq2kagJYI1O0yAvITtPZgUBH4+1AH0Dr3xBttC8daR4WksZpZtTVGSdXAVNzMvI6/w1ymqfHSPSJ7hLrwlqyxQymLznwqMQcZBI74rz2Hxl/wm3xZ8DX0sTRXtuIra7UjA81ZHJI9jkHHbp2r079oDj4Yv/wBfkP8AWgCTw18YP+Ek1e0so/C+qW0NyGZbqQZjACls5x3xj8a2vh78Q7X4g217Pa2M1oto6owlcNu3AnjH0qx4D/5JZoX/AGC4v/QBXmH7O13BYeGvE15cyCKCCRJZHPRVVGJP5CgDt/Hvxb0zwJrMGmT2U95PJCJnELqPLBJAznucH9PWu9trqK8s4bq3cPFNGsiMOjKRkGvmGx8UeE/Emu+MNY8V3rW8uqQm1sIzA8hhTja/yggEbY/yb1r0n4C+LV1jwlJoVxJuvNK+VM/xwE/KR9DlfYbaAOl+HfxHtfiFHqD2thNaCyMYYSuG3b93TH+7Xb14J+zP/wAeviX/AH7b+Ule90AFFFFABVLVtJs9c0u503UIRNa3MZjkQ8ZH4dD3zV2igDyFfghd6ZJLF4c8davpVhMcvbqC2fxV1H44zXXaF8ONG0bwhc+G5Xub+0u9zXBupC29j1IHReeRjnPOSea7CvL/ABj8WJ9O8RHwx4V0htY1teJBz5cZxnGBySO/IA9euACgPgheaf5ttoPjvWNN02UkvagFs568q6j9K7LwR8PNG8CWcseneZNcz4M91OQXfHbjgDrwPxzXMeHfHPj9PEFnpvirwYYobtti3NipKxnGctl2GPXkHHr0p/i/4q3ll4lbwx4S0Y6xrEYzMeTHEe4IHJx3OQBnHXoAbfgT4dxeB73WrmLUnuzqkiSMrQhPL2lzjqc/f/SqVx8I9IPxBtPFtjcPZyxTefNbJGCkr9yOflz361ztv8WPFXhzUrWHx/4YTTrK5fYLy2DbIz7jcwPuAc45welbnxP+JV14HtdFu9PtbW9gv3fcXY4KAKQVIPcN157UAXx8NoR8Vz47/tN/NIx9k8kbf9T5X3s/j0ruSM1y0njO1vPhxeeK9HZJ1isZblI5OzopJRwDwQRg1yVl4/8AG2t+BNI13QPDlnfXd1NMlxECQkao2FIywPOD3oA6DwX8OYvB0GtxR6k91/aj7yWiCeXw3uc/e/SuU034Hajo9u1tpnxA1eyt3fe8VsrRqzYAyQsmM4A59qytO+LXxG1bV73SbHwlp81/Yki5hVmBjIODnL46+lek6h4qvtB+G0viLW7OO11GK13yWuflEx4VM5PBYgdaAKXg34VaL4P1F9VS4utQ1WRSGu7tgSM9do7E+pyffmsfWPg7PqHjG+8S6f4tvtLu7s5P2aLBUYAI3BwccVN8Lfide+Nr3UNP1axgsr23ijniSMMPMibvhifVD7hhUvxA+IeoeEvF3h7SLS0tZodTdVleXduTMgXjBA6HvQBc8MeAtb0HW47+98c6tq0CKym1uS2xiRgE5c9OvSrXgjwBF4L1DXLuPUHuzqsyzMrRBPLwXOByc/f/AErnfHXxZk8D+P8AT9HubKKXSprdJp5hu81NzOuV5wcbQcY55rb8e+PD4d8Ax+JdF+y3ySyRiIsSUZWzzwQaAKV18H9Jf4gWviyxuns5Y5xcTWqxhklkzkkHI2579a3/AB54Oj8c+Gzo8l61opmSXzVj3n5c8YyPWuY8b/EnUvC/w+8P+IbWytJbjUhEZI5d2xd8Rc4wc9eKzF8Z/GB1DL4EsSCMg+b/APbKAPTND0VdF8MWWirOZVtbZbcSlcFgFxnFcBpfwYGkeDtY8O23iKYJqkkbSz/ZgGVV6qBu79/bPrUXxB+JniDwlrWh6Vp+k2dxd6jboximLZErNt2jDAdapv8AFjxf4aubebxr4PFjpk0gjNzbsTsJ59WB6HjIPB9KAO88OfD/AMP+H9As9L/s60u2gTDXE9sjPIxOSTkHuTxngcVlWHwvtdH+IknivSdQNnHMpWbT0gHluCMEA5GBkBunUVQ8b/FSbRtT07RPDWmrq2rahEs0OWIj2Nnb0wSSAT1GBzmk8NeKviVJ4htLDxJ4PtoLS4Yhrq2c7YgATlsO47Yxx1oAyNL+BN9oYlGk+PdUsBLjzBaxmPfjOM7XGcZP516F4P8ADd/4Z0+e21DxDe63JLL5izXZJZBgDaMseOM/jXR0UAFFFFABRRRQAh6V4H4D1Kx8PfHPxdaa1IlvdXtxILaaY7Qd0m8Lk9NylSPpj0r32uV8VfDrwz4xbzdW04NdBdq3MTGOQD6jr+INAGzda3pVnqNrp1zqFvHe3RKwQNIA7kAngfhXi3w0vbTw18W/GGl67IlvqN5cE280xChxvZsAn+8GRh64ruvDvwa8H+HNQjvobSe7uYmDRPeS7xGw6EKABkepHFaniv4ceGPGMgn1XT83QXaLmFzHIB2BI4P4g0Acj8e9c0mHwLLo8sscupXUsZt4VILptYEuR1AxkZ77q4n4nafcWXgb4b6fqKnz408uVG6j5Y/lP0HH4V6f4e+DPg7w7fR3sNlNd3MTB45LuXfsI6EKMDP1Brd8VeCNH8YtYHVUmb7DIZIfKk24JxnPr90UAeE+KrDV/hHca3plur3PhfX7aaGEFjiJ2Qgc9mXP/Al9xx6n8C/+SUab/wBdZ/8A0Y1dprug6d4k0ebTNVtlntphgqeCp7Mp7EetReGfDlh4U0SHSNMEgtImZlEj7myxJPP1NAHlfwx/5Ld4+/66yf8Ao6s/45+KF1DXtL8IQxXFxBDIt1qEdqu6Rx2QD1C5b0+ZfSvWdG8E6RoXiPVNdskmF7qTFrgvJlSS244HbmodK8BaLpPiq88SQpPLqd3u8yWeXeBuIJ2jt0A9hxQB4XrHjyHT/iRo/i+w0DU9Lt4o1tLyK4h2LLGBt+X1Ozt/sLXQ/GO4iuviJ4CuIXDxSvG6OvRlMyEEfhXsXijwvpni/Rn0rVoWktmdXBRtrKwPBB7HqPoTWHc/C7w/eHQzOLxzoqqlmTPyArBgDxzjAH0FAHnPxI0W08RfH7QdIvlZra600RvtOCP9eQQfUEA/hXDeMjrXgbRL/wCHmp4ubJp0vLG5Hyjbk5wPQ85HZgeua+kr3wVpOoeMbLxTOk39p2UflQssmEC/N1Xv99qd4r8F6J4zsY7XWbTzfKbdFKjbXj9cN6HuOn5CgDx74vf8kS8Ff7tt/wCkxrqNO8E/ECK4tJpfiKZLdHR3h8n7ygglevpxXX698PtE8R+HdO0LUEuDZafsEASXaw2psGT34rmf+FA+CP8Anjf/APgUf8KAOO+OE89v8UPCNxaQfabiNYnihDY8xhNkLntk4H41W8aeIfFHj/WNL8C6tpFt4ce6mWcNcyly+AwXBAxzyAO5wMivW9Q+G2ganf6Le3MdyZtGjijtCs2ABGQV3evIq54p8E6P4wS1GqQyebaSeZBPBJ5ciH2Yduh/AUAcN4v+GGka1qOj22n+IxpXiDTrGKKD5gXkiTIRtoYMCCD8wrJtvE3jnwF460Pw74h1a01uz1OVIkKj96gZwgYnAYHJB5yCAefTvvEnwt8NeLHhn1WG5e9iiWIXaTlZGVemf4T69Kh8N/CLwp4a1NNSt7a4ur2M7o5ruYuUPqAMDPvjigDux0ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD//2Q== + mediatype: image/jpeg install: spec: clusterPermissions: - rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update - apiGroups: - apps resources: @@ -350,7 +376,7 @@ spec: - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 name: kube-rbac-proxy ports: - containerPort: 8443 @@ -363,7 +389,12 @@ spec: - --leader-elect command: - /manager - image: quay.io/confidential-containers/operator:latest + env: + - name: CCRUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: quay.io/confidential-containers/operator:v0.8.0 livenessProbe: httpGet: path: /healthz @@ -443,14 +474,16 @@ spec: - name: Confidential Containers url: https://github.com/confidential-containers maintainers: - - email: fidenco - name: Fabiano - - email: jensfr - name: Jens - - email: bpradipt - name: Pradipta + - email: cncf-ccontainers-maintainers@lists.cncf.io + name: Fabiano Fidencio + - email: cncf-ccontainers-maintainers@lists.cncf.io + name: Jens Freimann + - email: cncf-ccontainers-maintainers@lists.cncf.io + name: Pradipta Banerjee maturity: alpha + minKubeVersion: 1.24.0 provider: name: Confidential Containers Community url: https://github.com/confidential-containers - version: 0.0.1 + replaces: cc-operator.v0.5.0 + version: 0.8.0 diff --git a/bundle/manifests/confidentialcontainers.org_ccruntimes.yaml b/bundle/manifests/confidentialcontainers.org_ccruntimes.yaml index 8b605025..b284513c 100644 --- a/bundle/manifests/confidentialcontainers.org_ccruntimes.yaml +++ b/bundle/manifests/confidentialcontainers.org_ccruntimes.yaml @@ -101,6 +101,16 @@ spec: items: type: string type: array + debug: + description: This specifies whether the CcRuntime (kata or enclave-cc) + will be running on debug mode + type: boolean + defaultRuntimeClassName: + description: This specifies the RuntimeClass to be used as the + default one If not set, the default "kata" runtime class will + NOT be created. Otherwise, the default "kata" runtime class + will be created as as "alias" for the value set here + type: string environmentVariables: description: This specifies the environment variables required by the daemon set @@ -695,7 +705,7 @@ spec: value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. - More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -770,10 +780,13 @@ spec: If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents - of the specified data source. If the AnyVolumeDataSource - feature gate is enabled, this field will always - have the same contents as the DataSourceRef - field.' + of the specified data source. When the AnyVolumeDataSource + feature gate is enabled, dataSource contents + will be copied to dataSourceRef, and dataSourceRef + contents will be copied to dataSource when + dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef + will not be copied to dataSource.' properties: apiGroup: description: APIGroup is the group for the @@ -799,29 +812,37 @@ spec: description: 'dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may - be any local object from a non-empty API group - (non core object) or a PersistentVolumeClaim - object. When this field is specified, volume - binding will only succeed if the type of the - specified object matches some installed volume - populator or dynamic provisioner. This field - will replace the functionality of the DataSource - field and as such if both fields are non-empty, + be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding + will only succeed if the type of the specified + object matches some installed volume populator + or dynamic provisioner. This field will replace + the functionality of the dataSource field + and as such if both fields are non-empty, they must have the same value. For backwards - compatibility, both fields (DataSource and - DataSourceRef) will be set to the same value - automatically if one of them is empty and - the other is non-empty. There are two important - differences between DataSource and DataSourceRef: - * While DataSource only allows two specific - types of objects, DataSourceRef allows any - non-core object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed - values (dropping them), DataSourceRef preserves - all values, and generates an error if a disallowed - value is specified. (Beta) Using this field - requires the AnyVolumeDataSource feature gate - to be enabled.' + compatibility, when namespace isn''t specified + in dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to the same + value automatically if one of them is empty + and the other is non-empty. When namespace + is specified in dataSourceRef, dataSource + isn''t set to the same value and must be empty. + There are three important differences between + dataSource and dataSourceRef: * While dataSource + only allows two specific types of objects, + dataSourceRef allows any non-core object, + as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values + (dropping them), dataSourceRef preserves all + values, and generates an error if a disallowed + value is specified. * While dataSource only + allows local objects, dataSourceRef allows + objects in any namespaces. (Beta) Using this + field requires the AnyVolumeDataSource feature + gate to be enabled. (Alpha) Using the namespace + field of dataSourceRef requires the CrossNamespaceVolumeDataSource + feature gate to be enabled.' properties: apiGroup: description: APIGroup is the group for the @@ -838,11 +859,21 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the namespace + of resource being referenced Note that + when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. (Alpha) This + field requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name type: object - x-kubernetes-map-type: atomic resources: description: 'resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure @@ -852,6 +883,32 @@ spec: capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -875,7 +932,8 @@ spec: If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: @@ -2473,7 +2531,7 @@ spec: be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that - the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -2552,10 +2610,13 @@ spec: can support the specified data source, it will create a new volume based on the contents of the specified data source. - If the AnyVolumeDataSource feature gate - is enabled, this field will always have - the same contents as the DataSourceRef - field.' + When the AnyVolumeDataSource feature gate + is enabled, dataSource contents will be + copied to dataSourceRef, and dataSourceRef + contents will be copied to dataSource + when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef + will not be copied to dataSource.' properties: apiGroup: description: APIGroup is the group for @@ -2582,31 +2643,39 @@ spec: description: 'dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. - This may be any local object from a non-empty + This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the - functionality of the DataSource field + functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to the + compatibility, when namespace isn''t specified + in dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to the same value automatically if one of them - is empty and the other is non-empty. There - are two important differences between - DataSource and DataSourceRef: * While - DataSource only allows two specific types - of objects, DataSourceRef allows any non-core - object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed - values (dropping them), DataSourceRef + is empty and the other is non-empty. When + namespace is specified in dataSourceRef, + dataSource isn''t set to the same value + and must be empty. There are three important + differences between dataSource and dataSourceRef: + * While dataSource only allows two specific + types of objects, dataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed + values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified. + * While dataSource only allows local objects, + dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource - feature gate to be enabled.' + feature gate to be enabled. (Alpha) Using + the namespace field of dataSourceRef requires + the CrossNamespaceVolumeDataSource feature + gate to be enabled.' properties: apiGroup: description: APIGroup is the group for @@ -2624,11 +2693,23 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the namespace + of resource being referenced Note + that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See + the ReferenceGrant documentation for + details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name type: object - x-kubernetes-map-type: atomic resources: description: 'resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure @@ -2639,6 +2720,32 @@ spec: status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2663,7 +2770,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: @@ -4296,7 +4404,7 @@ spec: be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that - the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -4375,10 +4483,13 @@ spec: can support the specified data source, it will create a new volume based on the contents of the specified data source. - If the AnyVolumeDataSource feature gate - is enabled, this field will always have - the same contents as the DataSourceRef - field.' + When the AnyVolumeDataSource feature gate + is enabled, dataSource contents will be + copied to dataSourceRef, and dataSourceRef + contents will be copied to dataSource + when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef + will not be copied to dataSource.' properties: apiGroup: description: APIGroup is the group for @@ -4405,31 +4516,39 @@ spec: description: 'dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. - This may be any local object from a non-empty + This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the - functionality of the DataSource field + functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to the + compatibility, when namespace isn''t specified + in dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to the same value automatically if one of them - is empty and the other is non-empty. There - are two important differences between - DataSource and DataSourceRef: * While - DataSource only allows two specific types - of objects, DataSourceRef allows any non-core - object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed - values (dropping them), DataSourceRef + is empty and the other is non-empty. When + namespace is specified in dataSourceRef, + dataSource isn''t set to the same value + and must be empty. There are three important + differences between dataSource and dataSourceRef: + * While dataSource only allows two specific + types of objects, dataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed + values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified. + * While dataSource only allows local objects, + dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource - feature gate to be enabled.' + feature gate to be enabled. (Alpha) Using + the namespace field of dataSourceRef requires + the CrossNamespaceVolumeDataSource feature + gate to be enabled.' properties: apiGroup: description: APIGroup is the group for @@ -4447,11 +4566,23 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the namespace + of resource being referenced Note + that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See + the ReferenceGrant documentation for + details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name type: object - x-kubernetes-map-type: atomic resources: description: 'resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure @@ -4462,6 +4593,32 @@ spec: status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -4486,7 +4643,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: @@ -5524,11 +5682,23 @@ spec: type: object type: array type: object - runtimeClassNames: - description: This specifies the RuntimeClasses that needs to be - created + runtimeClasses: + description: This specifies the RuntimeClasses that need to be + created, with its name and an associated snapshotter to be used items: - type: string + description: RuntimeClass holds the name and the snapshotter + to be used by a runtime class + properties: + name: + description: Name of the runtime class + type: string + snapshotter: + description: The snapshotter to be used by the runtime class + type: string + required: + - name + - snapshotter + type: object type: array runtimeImage: description: This specifies the location of the container image diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 983b48dc..9a262456 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml @@ -5,7 +5,7 @@ annotations: operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: cc-operator operators.operatorframework.io.bundle.channels.v1: alpha - operators.operatorframework.io.metrics.builder: operator-sdk-v1.23.0 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.30.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 diff --git a/config/crd/bases/confidentialcontainers.org_ccruntimes.yaml b/config/crd/bases/confidentialcontainers.org_ccruntimes.yaml index fba7bf18..d51ec464 100644 --- a/config/crd/bases/confidentialcontainers.org_ccruntimes.yaml +++ b/config/crd/bases/confidentialcontainers.org_ccruntimes.yaml @@ -706,7 +706,7 @@ spec: value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. - More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -890,7 +890,8 @@ spec: that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature - gate. \n This field is immutable." + gate. \n This field is immutable. It can + only be set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -932,7 +933,8 @@ spec: If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: @@ -2530,7 +2532,7 @@ spec: be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that - the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -2725,7 +2727,8 @@ spec: that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable." + feature gate. \n This field is immutable. + It can only be set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -2768,7 +2771,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: @@ -4401,7 +4405,7 @@ spec: be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that - the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -4596,7 +4600,8 @@ spec: that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable." + feature gate. \n This field is immutable. + It can only be set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -4639,7 +4644,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 1c64f811..b247c45b 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -13,4 +13,4 @@ kind: Kustomization images: - name: controller newName: quay.io/confidential-containers/operator - newTag: latest + newTag: v0.8.0 diff --git a/config/manifests/bases/cc-operator.clusterserviceversion.yaml b/config/manifests/bases/cc-operator.clusterserviceversion.yaml index ca847177..93c77f6f 100644 --- a/config/manifests/bases/cc-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/cc-operator.clusterserviceversion.yaml @@ -4,6 +4,8 @@ metadata: annotations: alm-examples: '[]' capabilities: Basic Install + categories: Security + containerImage: quay.io/confidential-containers/operator:v0.8.0 name: cc-operator.v0.0.1 namespace: placeholder spec: @@ -19,8 +21,8 @@ spec: on Kubernetes cluster displayName: Confidential Containers Runtime Operator icon: - - base64data: "" - mediatype: "" + - base64data: /9j/2wCEAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDIBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMv/AABEIAMgAyAMBIgACEQEDEQH/xAGiAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgsQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29/j5+gEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoLEQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APf6KKKACiiigAooooAKKKKACiijpQAUZxWDrnjDRdA3LeXi+eBnyIxuc/h2/HFeWa/8T9Y1QvDYf6BbHgGM5lI927fh+dbU6E57Gc6sY7nuGRS186Lofim7j+3ix1OUdRKQxY+47n8K0dF+IfiDQ5BDPK13Ahw0NzncPUBuo/HP0rV4R/ZdzNYhdVY96orl9B8faHrpSJLj7NdNx5E/ykn2PQ/z9q6gHIzXNKLi7NG6knsFFFFSMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACimu6xozuwVVGSScACvOfFvxPgst1poTJcXHR7gjMaf7v94/p9auFOU3aJM5qKuzt9X1zT9DtDc6hcpCn8IJ+Zz6KOpNeUeJPinfajG1vpEb2MJ6ylsysPbHC/hk+9c5aab4g8aamZAJ7qRjh7iXhEHuegHsPwFereHPhtpGjKk12ov7wc75V+RT/sr0/E5/CurkpUdZ6s5+apV+HRHm2geA9a8Sj7W2Le2c5+0XGcv7gdT9eB716p4e8A6NoBjmEX2q8Xnz5hkg/7I6D+fvXUgYAHpS1jUxE56bI1hRjEKwNe8H6P4hVjd2qrORgXEXyyD8e/45rforFScXdGjSaszwzxB8M9W0eJ7i0YahbqefLUiRR6le/4E03w38R9V0JVtrsG+tF4CyNh0+jensf0r3WuY8ReBdG8QB5ZIfs923/LxCMMT7jo38/euuOJUly1Vc53RcXemy5oPirSvEUG+xuP3oGXgfiRPqO49xkVt189az4X17whei5xKI42zFeW5OPxI5U+x/Wus8KfFJ0dbTxC29Dwl2q8j/fA/mP/AK9TPDac1N3Q41tbT0Z6zRUVtcw3duk9vKksTjKujBgR7EVLXKdAUUUUAFFFFABRRRQAUUUUAFFFFABUF5dQ2NpLdXDhIYkLux7AVPXGfFG7a28FTIpwbiVIv13f+y1UI80lEmb5YtnnPizxxf8Aii5NlaCSLTy21IE+9Kc8Fsdfp/Otvwr8LZ53W68QKYocAraq3zt/vEdB7Dn6UfCPSbe5u77UZ4leS32JCxGdpOdxHvwK9dAxXXWq+z/d09Dnp0+f35kVraQWVvHb20SRQxjaiIMACpqKMiuI6gpks0UETSyyIkaDLMxwAPc1zPiDxtY6MzwQ4ursfwIflT/eP9BzXm+r+ItT1tv9LnPlA5ESfKg/Dv8AjWM68Y6bs9LC5ZVr+89Ino8vxA0OK6EIkmdc4MqR/IP6n8BXR2l5b31ulxazJLE4yGU14BV3TNXvtIn82yuGiJ+8vVW+o6GsY4l3949GtkkOT909fM95ori/D/j+1v2W31JUtZzwJM/u2P49Px/OuzVgwBBBB9K6ozUldHhVsPUoy5aisJJGksbI6hkYYZWGQR715p4s+F0dyTd6Aqwyk5e2ZsI3+6ex9un0r02itYVJQd4nNOEZKzPnvQ/Eer+C9VeBlcRo+Lizl6H1x6H3H6ivdNG1iz13TIr+yctDJkYIwVI6gj1ri/ixpFtLoMeqLCouoZVQygclDkYPrzj/ACaq/By7Z7HVLMn5YpUlUf7wIP8A6CK6avLUp+0SszGF4T5Oh6dRRRXGdIUUUUAFFFFABRRRQAUUUUAFec/GGTGg6fFn71yW/JT/AI16NXmHxkb/AEHSV9ZJD+i/41th/wCKjKt8DLfwfix4cvZcctdlfyRf8a9ErhPhKu3wfIf7125/8dWu7pV/4jHS+BEc0giieRvuopY/QV5Jr/ja/wBY3Q25a1tM/dU/Mw/2j/QfrXquonGmXZ9IX/ka8DrhxEmrJH0GTUKc3Kcldq1vxCiiiuM+kCiikZlRSzEKoGST0FAC1r6V40u/DGN9yrWmeYZm4/4D3B+lcRf+J4o90dmvmP8A32+6Pw71zNxczXUplnkLue5oUnF3RNSjCrHlmro+vdF1SDW9HtdStgwhuYw6huoq/XKfDVt3w70U/wDTDH5Ma6uvTi7pM+FrQUKkoro2cr8RovN8C6kMcqI2H4SLXEfB6TGtajFn71uGx9G/+vXoHjpd3grVR/0xz+RBrzf4QnHiu7X1smP/AI+n+NdtP+BI45/xke00UUVyHQFFFFABRRRQAUUUUAFFFFABXl3xl/1Gj/7038kr1GvL/jKP9G0c+jy/yWt8N/FRlW+Bmx8KP+RN/wC3mT+ldxXDfCc58HMPS6f+S13NTW/iSHS+BFXU/wDkE3n/AFwf/wBBNeB175qf/IKvP+uL/wDoJrwOvPxO6Ppsj+Gfy/UKKKK5T3ijqmpJpluJGUuzHCqO5964691S6v2PnSHZnIjXhRW74sP7i2/3m/kK5aky4oKKKKRR9SfDH/knOjf9cm/9Dautrk/hmMfDrRv+uJP/AI+1dZXqw+FHwOK/jz9WYPjX/kTNW/692rzL4Rf8jbc/9eT/APoaV6Z43O3wXqx/6dyK8z+EI/4q25/68n/9DSu2l/AmcFT+LE9rooorkOgKKKKACiiigAooooAKKKKACvNPjGmdL0x/Sdx+aj/CvS64H4uQGTwpBKB/qrtSfYFWH88VtQdqiM6q9xifCF93hO5X+7ev/wCgJXf15l8HbgHTdTt88pMj4/3gR/7LXptGIVqrCi7wRBeo0ljcRqMs0bAD14rwF0aNyjqyupwVYYINfQuKx9b8N6drkJW4iCzfwzIAHH49x7GuKtSc1oevl2OjhW1JaM8RoroNb8Hanozu4ia5tQMiaJc4HuOo/lXP1xSi4uzPqaVaFWPNB3Rzniz/AFNt/vN/SuXrqfFn+ptv95v6Vy1QzdbBRXR+GvA+u+Kpk+wWjLbE4a6lBWJfXnv9BmvePB/w00bwtEkrxJe6h1a5mQfKf9hedv16+9a06Mp+hwYvMqOG03l2Ro+ALaW08CaNBPE0Ui2wLIwwRkk8j8a6WgDFFeilZWPjqk+ebl3Oa8fv5fgfVG9Y1X83A/rXn3wfTPiS9f0tCPzdf8K7T4oTiHwRcoT/AK6SNB/30G/9lrmPg5ATc6tPjhUjQH6lj/SuyGmHkzjn/GR6zRRRXIdIUUUUAFFFFABRRRQAUUUUAFYvizRm17w1eafGVEsihoy3TcpBH54x+NbVFNNp3Qmrqx88+GvEV74M1uUvASpPlXVu/BOD+hHNe3aB4l03xHaefYzZZf8AWQtw8Z9x/XpVLxR4L0zxJA7vGsF9twlyg+bjpuH8Q+teN6hpGv8AgnUxKTLbtnEdzATscemf6Gu1qGI1WkjmXPR80fRNFeZ+FfilBcCOz17EM33RdAfI3+8P4fr0+lekxSxzxrJE6ujDIZTkEVyTpyg7SRvGakrocQD1rktd8B2OpF57PFpcnk7R8jH3Hb8K66ispRUlZnRRrVKMuam7M+fPFPgHxJNd2tjb6e87lziWM/u8epY8D8cV1PhT4K2Vi8d34gnW9mGCLaPIiU+56t+g+tes4HpS4xWUcPBO53Vs2xFSHKnb0GRQxwRrHFGqRoMKqjAA9AKfRSMwUZJwK3PMFqjqmr2OjWTXd/cJDCvc9WPoB3P0rkfFPxL0/SUktdLZby96blOYoz7nv9B+YrzAv4h8bamqkz3s2eB0SIH9FFdNPDSkuaWiMJ1ktI6s0PGnjabxXMlrBCYrCJ90aMMu7dATj6ngetel/Drw9caD4eJvE2XN1J5rIeqDAAU+/U/jUXhP4eafoUcVzeIl3qIwxdhlIz/sj+p5+ldqAB0orVY8vs6ewU6cr88twooormNwooooAKKKKACiiigAooooAKKKKACorm2hu7d7e4iSWJxhkdQwI+hqWigDyjxN8KX817rQHXaeTaytjH+6x/kfzrjtJ8Qa74N1BoVEkW0/vbS4B2n8Ox9xX0RWVrfhzTPEFv5Wo2yyY+444dPow5rqhiXblqK6OeVBXvDRmF4f+I+i6yEink+w3bceXMflJ9n6fng12VeK+JPhdqGns8+jlr22HPlnHmr+HRvw59qyNG8deIPD5FsJzNBGdpt7kE7cdgeo+n6VTw8Zq9JiVaUXaaPoGivN4fjBprWJefTrpbof8skKspP+9x/KuP1r4la7q3mRQSLY278bIPv49C55/LFZxw1RvYuVeCR6n4g8c6L4f3RTz+ddD/l3h+Zh9ey/jXkniLxtrHiib7MheG1c7UtISTv/AN7HLH26e1WfDnw51fW3We8VrGzPJklX53+i9fxP616xoHg/R/Dq5srfM5HM8vzOfx7fhitb0qPmzP8AeVfJHnPhz4V315LHPrTfZbfhjCpzI3sey/zr1nTdLstJtFtbC3jghX+FB1PqT3PuauUVz1K0qnxG0KcYbBRRRWRoFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAVk6t4b0jW4mS/sYpWPSQLhx9GHNa1FNNp3Qmk9zzaX4Pac1zuj1K6SDvGUVm/764/lXVaL4N0PQkX7LYo0w/5bzDfIffJ6fhit+irlWnJWbJVOCd0g6UUUVmWFFFFABRRRQAUUUUAFFFFABRRRQAVWv7+10yxnvb2dILaBC8krnAVR3qzXmHx7a7HwxnFvu8s3UIuMf8APPJ6/wDAtlAGbN8fLSa5kGjeGdV1O1iOHuVG0D3wAePriu38O+P9D8ReFpfEEcz2tpb7vtP2ldphIGSD2P4Z/PinfDxdMT4faGNJCG1+yIcpjl8fPn/a3bs++a4r4+eYnw1RdPCrbHUU+0iLAGPnJzj/AKaYz70ARTfH21lmkbSfC+q39lEcPcgbQPfAB/Uiu88GeOdG8b6Y15pcrB4ztmt5QBJEe2QCeD2PQ/gRU3gtNMj8GaONJEZsfssfllBweBkn3znPfOa8p8NCGP8AaZ1ldE2/YTA/2oRfcDbE3/8AkXH45oA7fwf8V9H8WeILzRFiksr2BmEaTMCJ9pIbaR3GM49Poa0Nc8fW2ieOtH8LSWUss2pqGSdWAVMsw5HX+GvnTw/4T1PXbnxTrWhzyJq+h3sdxbpH1kBaUtt/2hsBA78jvW/aeNh46+LPge/eEw3kCpBdJ/D5gZzlfYgg47dPcgHpnij4y23hvxhdeG10C+v7qDZzbsDv3Rh+FxngN+lW/C3xSl8Ta/BpTeFdW08Shj9ouUwi7VJ5474xXmPiK81ew/aau7nQtOXUdRRU8q1eQIHzaKG5JAGASfwr1zwlrvjfU9XeHxH4Vh0qyELMs6XKyEvkYXAY9iTn2oAXwd8RLbxjBrMtvYzW40t9jiRgd/DdMf7tcfbftAQXsRltfCOrzxKcM8RDgH0yBWd8D/8Ajw8c/wDXf+klaf7OH/Ihal/2E3/9FR0Adf4L+J2g+NppbSzM9rqEQ3PaXShXx3K4JBA/P1FYGvfGm30XxVfeH4/DuoX9zaNtY2zA7uAcgYzjmub8ei3j+P3hFtH2/wBptJF9tEXXZvxlsd/L3Z77cVhzt4kT9oXXz4VjtJNS2txdn5NmxM9xz0oA9T8JfEyXxVrg01vDGq6cDG0nn3KYTjt06mpPCXxU0fxT4iv9D8uSzvrZ2WNJmGJ9pIbaR3GM464+hxY8GyeP3v7geL4NLjtfK/cmzPzb8jryeMZr5/0jwRqXii/8Wanoc7pq2kagJYI1O0yAvITtPZgUBH4+1AH0Dr3xBttC8daR4WksZpZtTVGSdXAVNzMvI6/w1ymqfHSPSJ7hLrwlqyxQymLznwqMQcZBI74rz2Hxl/wm3xZ8DX0sTRXtuIra7UjA81ZHJI9jkHHbp2r079oDj4Yv/wBfkP8AWgCTw18YP+Ek1e0so/C+qW0NyGZbqQZjACls5x3xj8a2vh78Q7X4g217Pa2M1oto6owlcNu3AnjH0qx4D/5JZoX/AGC4v/QBXmH7O13BYeGvE15cyCKCCRJZHPRVVGJP5CgDt/Hvxb0zwJrMGmT2U95PJCJnELqPLBJAznucH9PWu9trqK8s4bq3cPFNGsiMOjKRkGvmGx8UeE/Emu+MNY8V3rW8uqQm1sIzA8hhTja/yggEbY/yb1r0n4C+LV1jwlJoVxJuvNK+VM/xwE/KR9DlfYbaAOl+HfxHtfiFHqD2thNaCyMYYSuG3b93TH+7Xb14J+zP/wAeviX/AH7b+Ule90AFFFFABVLVtJs9c0u503UIRNa3MZjkQ8ZH4dD3zV2igDyFfghd6ZJLF4c8davpVhMcvbqC2fxV1H44zXXaF8ONG0bwhc+G5Xub+0u9zXBupC29j1IHReeRjnPOSea7CvL/ABj8WJ9O8RHwx4V0htY1teJBz5cZxnGBySO/IA9euACgPgheaf5ttoPjvWNN02UkvagFs568q6j9K7LwR8PNG8CWcseneZNcz4M91OQXfHbjgDrwPxzXMeHfHPj9PEFnpvirwYYobtti3NipKxnGctl2GPXkHHr0p/i/4q3ll4lbwx4S0Y6xrEYzMeTHEe4IHJx3OQBnHXoAbfgT4dxeB73WrmLUnuzqkiSMrQhPL2lzjqc/f/SqVx8I9IPxBtPFtjcPZyxTefNbJGCkr9yOflz361ztv8WPFXhzUrWHx/4YTTrK5fYLy2DbIz7jcwPuAc45welbnxP+JV14HtdFu9PtbW9gv3fcXY4KAKQVIPcN157UAXx8NoR8Vz47/tN/NIx9k8kbf9T5X3s/j0ruSM1y0njO1vPhxeeK9HZJ1isZblI5OzopJRwDwQRg1yVl4/8AG2t+BNI13QPDlnfXd1NMlxECQkao2FIywPOD3oA6DwX8OYvB0GtxR6k91/aj7yWiCeXw3uc/e/SuU034Hajo9u1tpnxA1eyt3fe8VsrRqzYAyQsmM4A59qytO+LXxG1bV73SbHwlp81/Yki5hVmBjIODnL46+lek6h4qvtB+G0viLW7OO11GK13yWuflEx4VM5PBYgdaAKXg34VaL4P1F9VS4utQ1WRSGu7tgSM9do7E+pyffmsfWPg7PqHjG+8S6f4tvtLu7s5P2aLBUYAI3BwccVN8Lfide+Nr3UNP1axgsr23ijniSMMPMibvhifVD7hhUvxA+IeoeEvF3h7SLS0tZodTdVleXduTMgXjBA6HvQBc8MeAtb0HW47+98c6tq0CKym1uS2xiRgE5c9OvSrXgjwBF4L1DXLuPUHuzqsyzMrRBPLwXOByc/f/AErnfHXxZk8D+P8AT9HubKKXSprdJp5hu81NzOuV5wcbQcY55rb8e+PD4d8Ax+JdF+y3ySyRiIsSUZWzzwQaAKV18H9Jf4gWviyxuns5Y5xcTWqxhklkzkkHI2579a3/AB54Oj8c+Gzo8l61opmSXzVj3n5c8YyPWuY8b/EnUvC/w+8P+IbWytJbjUhEZI5d2xd8Rc4wc9eKzF8Z/GB1DL4EsSCMg+b/APbKAPTND0VdF8MWWirOZVtbZbcSlcFgFxnFcBpfwYGkeDtY8O23iKYJqkkbSz/ZgGVV6qBu79/bPrUXxB+JniDwlrWh6Vp+k2dxd6jboximLZErNt2jDAdapv8AFjxf4aubebxr4PFjpk0gjNzbsTsJ59WB6HjIPB9KAO88OfD/AMP+H9As9L/s60u2gTDXE9sjPIxOSTkHuTxngcVlWHwvtdH+IknivSdQNnHMpWbT0gHluCMEA5GBkBunUVQ8b/FSbRtT07RPDWmrq2rahEs0OWIj2Nnb0wSSAT1GBzmk8NeKviVJ4htLDxJ4PtoLS4Yhrq2c7YgATlsO47Yxx1oAyNL+BN9oYlGk+PdUsBLjzBaxmPfjOM7XGcZP516F4P8ADd/4Z0+e21DxDe63JLL5izXZJZBgDaMseOM/jXR0UAFFFFABRRRQAh6V4H4D1Kx8PfHPxdaa1IlvdXtxILaaY7Qd0m8Lk9NylSPpj0r32uV8VfDrwz4xbzdW04NdBdq3MTGOQD6jr+INAGzda3pVnqNrp1zqFvHe3RKwQNIA7kAngfhXi3w0vbTw18W/GGl67IlvqN5cE280xChxvZsAn+8GRh64ruvDvwa8H+HNQjvobSe7uYmDRPeS7xGw6EKABkepHFaniv4ceGPGMgn1XT83QXaLmFzHIB2BI4P4g0Acj8e9c0mHwLLo8sscupXUsZt4VILptYEuR1AxkZ77q4n4nafcWXgb4b6fqKnz408uVG6j5Y/lP0HH4V6f4e+DPg7w7fR3sNlNd3MTB45LuXfsI6EKMDP1Brd8VeCNH8YtYHVUmb7DIZIfKk24JxnPr90UAeE+KrDV/hHca3plur3PhfX7aaGEFjiJ2Qgc9mXP/Al9xx6n8C/+SUab/wBdZ/8A0Y1dprug6d4k0ebTNVtlntphgqeCp7Mp7EetReGfDlh4U0SHSNMEgtImZlEj7myxJPP1NAHlfwx/5Ld4+/66yf8Ao6s/45+KF1DXtL8IQxXFxBDIt1qEdqu6Rx2QD1C5b0+ZfSvWdG8E6RoXiPVNdskmF7qTFrgvJlSS244HbmodK8BaLpPiq88SQpPLqd3u8yWeXeBuIJ2jt0A9hxQB4XrHjyHT/iRo/i+w0DU9Lt4o1tLyK4h2LLGBt+X1Ozt/sLXQ/GO4iuviJ4CuIXDxSvG6OvRlMyEEfhXsXijwvpni/Rn0rVoWktmdXBRtrKwPBB7HqPoTWHc/C7w/eHQzOLxzoqqlmTPyArBgDxzjAH0FAHnPxI0W08RfH7QdIvlZra600RvtOCP9eQQfUEA/hXDeMjrXgbRL/wCHmp4ubJp0vLG5Hyjbk5wPQ85HZgeua+kr3wVpOoeMbLxTOk39p2UflQssmEC/N1Xv99qd4r8F6J4zsY7XWbTzfKbdFKjbXj9cN6HuOn5CgDx74vf8kS8Ff7tt/wCkxrqNO8E/ECK4tJpfiKZLdHR3h8n7ygglevpxXX698PtE8R+HdO0LUEuDZafsEASXaw2psGT34rmf+FA+CP8Anjf/APgUf8KAOO+OE89v8UPCNxaQfabiNYnihDY8xhNkLntk4H41W8aeIfFHj/WNL8C6tpFt4ce6mWcNcyly+AwXBAxzyAO5wMivW9Q+G2ganf6Le3MdyZtGjijtCs2ABGQV3evIq54p8E6P4wS1GqQyebaSeZBPBJ5ciH2Yduh/AUAcN4v+GGka1qOj22n+IxpXiDTrGKKD5gXkiTIRtoYMCCD8wrJtvE3jnwF460Pw74h1a01uz1OVIkKj96gZwgYnAYHJB5yCAefTvvEnwt8NeLHhn1WG5e9iiWIXaTlZGVemf4T69Kh8N/CLwp4a1NNSt7a4ur2M7o5ruYuUPqAMDPvjigDux0ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD//2Q== + mediatype: image/jpeg install: spec: deployments: null @@ -43,14 +45,16 @@ spec: - name: Confidential Containers url: https://github.com/confidential-containers maintainers: - - email: fidenco - name: Fabiano - - email: jensfr - name: Jens - - email: bpradipt - name: Pradipta + - email: cncf-ccontainers-maintainers@lists.cncf.io + name: Fabiano Fidencio + - email: cncf-ccontainers-maintainers@lists.cncf.io + name: Jens Freimann + - email: cncf-ccontainers-maintainers@lists.cncf.io + name: Pradipta Banerjee maturity: alpha + minKubeVersion: 1.24.0 provider: name: Confidential Containers Community url: https://github.com/confidential-containers + replaces: cc-operator.v0.5.0 version: 0.0.1 diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 57dc0bfa..13a36a66 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -2,8 +2,8 @@ # used to generate the 'manifests/' directory in a bundle. resources: - bases/cc-operator.clusterserviceversion.yaml -- ../default -- ../samples +- ../release +- ../samples/ccruntime/default - ../scorecard # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. diff --git a/docs/OPERATOR_HUB.md b/docs/OPERATOR_HUB.md new file mode 100644 index 00000000..eb4d342b --- /dev/null +++ b/docs/OPERATOR_HUB.md @@ -0,0 +1,52 @@ +# Introduction + +Our releases are published on the [OperatorHub.io](https://operatorhub.io). Find more information on [our landing page](https://operatorhub.io/operator/cc-operator) at the Operator Hub. + +# Publishing a new operator version + +First of all, you should have a fork of the Operator Hub [community-operators repository](https://github.com/k8s-operatorhub/community-operators) cloned. + +>Note: on the examples below let's suppose that `TARGET_RELEASE="0.8.0"` + +Follow the steps: + +1. Bump the `VERSION` variable in [Makefile](../Makefile) to `${TARGET_RELEASE}`. For example, `VERSION ?= 0.8.0` + +2. Add the `replaces` tag under `spec` in the [base CSV(ClusterServiceVersion) file](../config/manifests/bases/cc-operator.clusterserviceversion.yaml). It defines the version that this bundle should replace on an operator upgrade (see https://sdk.operatorframework.io/docs/olm-integration/generation/#upgrade-your-operator for further details). For example, at the time of this writing version 0.8.0 replaces 0.5.0: + ``` + diff --git a/config/manifests/bases/cc-operator.clusterserviceversion.yaml b/config/manifests/bases/cc-operator.clusterserviceversion.yaml + index f30cecf..f5f81d1 100644 + --- a/config/manifests/bases/cc-operator.clusterserviceversion.yaml + +++ b/config/manifests/bases/cc-operator.clusterserviceversion.yaml + @@ -54,4 +54,5 @@ spec: + provider: + name: Confidential Containers Community + url: https://github.com/confidential-containers + + replaces: cc-operator.v0.5.0 + version: 0.0.1 + ``` +3. Update the `containerImage` tag under `spec` in the [base CSV(ClusterServiceVersion) file](../config/manifests/bases/cc-operator.clusterserviceversion.yaml) + +4. Re-generate the [bundle](../bundle/): + ```shell + make bundle IMG=quay.io/confidential-containers/operator:v${TARGET_RELEASE} + ``` + +5. Copy the bundle directory to the community-operators repository directory. On the example below I got the community-operators repository cloned to `../../../github.com/k8s-operatorhub/community-operators`: + ```shell + cp -r bundle ../../../github.com/k8s-operatorhub/community-operators/operators/cc-operator/${TARGET_RELEASE} + ``` + +6. Prepare a commit and push to your tree + ``` + cd ../../../github.com/k8s-operatorhub/community-operators/operators/cc-operator/${TARGET_RELEASE} + git checkout -b "new_${TARGET_RELEASE}" + git add . + git commit -s -m "operator cc-operator (${TARGET_RELEASE})" + git push my-fork "new_${TARGET_RELEASE}" + ``` + +7. Open a pull request to update the community-operators repository + * In case the CI fails you will need to fix and re-do this process from step 2 + +8. Open a pull request on this repository with the changes diff --git a/tests/e2e/ansible/group_vars/all b/tests/e2e/ansible/group_vars/all index 3d6827d7..43f145d4 100644 --- a/tests/e2e/ansible/group_vars/all +++ b/tests/e2e/ansible/group_vars/all @@ -11,7 +11,6 @@ build_pkgs: - gcc container_runtime: containerd go_version: 1.20.7 -operator_sdk_version: v1.23.0 # conntrack and socat are needed by the `kubeadm init` preflight checks kubeadm_pkgs: ubuntu: diff --git a/tests/e2e/ansible/install_build_deps.yml b/tests/e2e/ansible/install_build_deps.yml index 4c55fd44..e1621dbd 100644 --- a/tests/e2e/ansible/install_build_deps.yml +++ b/tests/e2e/ansible/install_build_deps.yml @@ -25,12 +25,6 @@ src: /usr/local/go/bin/go dest: /usr/local/bin/go state: link - - name: Install the operator-sdk - get_url: - # TODO: use facts - url: https://github.com/operator-framework/operator-sdk/releases/download/{{ operator_sdk_version }}/operator-sdk_linux_{{ target_arch }} - dest: /usr/local/bin/operator-sdk - mode: '+x' - import_tasks: "install_docker.yml" # Docker buildx relies on qemu-user-static to multi-arch builds, but # qemu-user-static is not packaged for CentOS. Let's get it installed via @@ -50,10 +44,6 @@ - name: Uninstall build dependencies tags: undo block: - - name: Uninstall operator-sdk - file: - path: /usr/local/bin/operator-sdk - state: absent - name: Uninstall go file: path: "{{ item }}" diff --git a/tests/e2e/lib.sh b/tests/e2e/lib.sh index 3cb7f6d2..6e489e25 100644 --- a/tests/e2e/lib.sh +++ b/tests/e2e/lib.sh @@ -46,10 +46,12 @@ check_pods_are_ready() { debug_pod() { local pod="$1" local ns="$2" + local ns_param="" + [ -n "$ns" ] && ns_param="-n $ns" set -x - kubectl describe "pods/$1" ${ns:+"-n $ns"} || true - kubectl logs "pods/$1" ${ns:+"-n $ns"} || true + kubectl describe "pods/$1" $ns_param || true + kubectl logs "pods/$1" $ns_param || true set +x } diff --git a/tests/e2e/operator.sh b/tests/e2e/operator.sh index 9806156e..46877dec 100755 --- a/tests/e2e/operator.sh +++ b/tests/e2e/operator.sh @@ -17,7 +17,7 @@ source "${script_dir}/lib.sh" # The operator namespace. readonly op_ns="confidential-containers-system" # There should be a registry running locally on port 5000. -export IMG=localhost:5000/cc-operator +export IMG=localhost:5000/cc-operator:latest export PRE_INSTALL_IMG=localhost:5000/reqs-payload # Build the operator and push images to a local registry. @@ -95,7 +95,7 @@ install_operator() { pushd "$project_dir" >/dev/null # We should use a locally built image for operator. - sed -i "s~\(.*newName: \).*~\1${IMG}~g" config/manager/kustomization.yaml + kustomization_set_image config/manager controller "${IMG}" kubectl apply -k config/default popd >/dev/null