Sync remaining API and operator-registry 4.10 commit(s) downstream

go.sum

@@ -190,6 +190,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c/go.mod h1:XGLbWH/ujMcbPbhZq52Nv6UrCghb1yGn//133kEsvDk=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
@@ -315,6 +316,7 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -1650,8 +1652,9 @@ google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.41.0 h1:f+PlOh7QV4iIJkPrx5NQ7qaNGFQ3OTse67yaDHfju4E=
+google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v0.0.0-20200709232328-d8193ee9cc3e/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0 h1:M1YKkFIboKNieVO5DLUEVzQfGwJD30Nv2jfUgzb5UcE=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=

staging/api/RELEASE.md

@@ -8,7 +8,8 @@ post to the [operator-framework group][of-ggroup].
 ## Tags
 
 As per semver, all releases containing new features must map to a major or minor version increase.
-Patch releases must only contain fixes to features released in a prior release.
+
+**Patch releases must only contain bug fixes. Releases containing features must be major or minor releases.**
 
 ## Process
 
@@ -31,6 +32,8 @@ Then create release notes while still on the `master` branch:
 while read -r line; do echo $line | awk '{f = $1; $1 = ""; print "-"$0; }'; done <<< $(git log $PREVIOUS_RELEASE_TAG..$RELEASE_TAG --format=oneline --no-merges)
 ```
 
+**You cannot cut a patch release if any of these release notes start with `feat:` or `feature:`.**
+
 Copy them into the Github release [description form][release-desc-page],
 select `vX.Y.Z` in the `Tag version` form, and click `Publish release`.
 

staging/api/pkg/apis/scorecard/v1alpha3/configuration_types.go

@@ -22,6 +22,9 @@ type Configuration struct {
 
 	// Storage is the optional storage configuration
 	Storage Storage `json:"storage,omitempty" yaml:"storage,omitempty"`
+
+	// ServiceAccount is the service account under which scorecard tests are run. This field is optional. If left unset, the `default` service account will be used.
+	ServiceAccount string `json:"serviceaccount,omitempty" yaml:"serviceaccount,omitempty"`
 }
 
 // StageConfiguration configures a set of tests to be run.

staging/api/pkg/validation/internal/bundle.go

@@ -8,6 +8,8 @@ import (
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"github.com/operator-framework/api/pkg/validation/errors"
 	interfaces "github.com/operator-framework/api/pkg/validation/interfaces"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
@@ -26,9 +28,42 @@ func validateBundles(objs ...interface{}) (results []errors.ManifestResult) {
 func validateBundle(bundle *manifests.Bundle) (result errors.ManifestResult) {
 	result = validateOwnedCRDs(bundle, bundle.CSV)
 	result.Name = bundle.CSV.Spec.Version.String()
+	saErrors := validateServiceAccounts(bundle)
+	if saErrors != nil {
+		result.Add(saErrors...)
+	}
 	return result
 }
 
+func validateServiceAccounts(bundle *manifests.Bundle) []errors.Error {
+	// get service account names defined in the csv
+	saNamesFromCSV := make(map[string]struct{}, 0)
+	for _, deployment := range bundle.CSV.Spec.InstallStrategy.StrategySpec.DeploymentSpecs {
+		saName := deployment.Spec.Template.Spec.ServiceAccountName
+		saNamesFromCSV[saName] = struct{}{}
+	}
+
+	// find any hardcoded service account objects are in the bundle, then check if they match any sa definition in the csv
+	var errs []errors.Error
+	for _, obj := range bundle.Objects {
+		if obj.GroupVersionKind() != v1.SchemeGroupVersion.WithKind("ServiceAccount") {
+			continue
+		}
+		sa := v1.ServiceAccount{}
+		if err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, &sa); err == nil {
+			if _, ok := saNamesFromCSV[sa.Name]; ok {
+				errs = append(errs, errors.ErrInvalidBundle(fmt.Sprintf("invalid service account found in bundle. " +
+					"This service account %s in your bundle is not valid, because a service account with the same name " +
+					"was already specified in your CSV. If this was unintentional, please remove the service account " +
+					"manifest from your bundle. If it was intentional to specify a separate service account, " +
+					"please rename the SA in either the bundle manifest or the CSV.",sa.Name), sa.Name))
+			}
+		}
+	}
+
+	return errs
+}
+
 func validateOwnedCRDs(bundle *manifests.Bundle, csv *operatorsv1alpha1.ClusterServiceVersion) (result errors.ManifestResult) {
 	ownedKeys := getOwnedCustomResourceDefintionKeys(csv)
 

staging/api/pkg/validation/internal/bundle_test.go

@@ -4,6 +4,8 @@ import (
 	"testing"
 
 	"github.com/operator-framework/api/pkg/manifests"
+	"github.com/operator-framework/api/pkg/operators/v1alpha1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"github.com/stretchr/testify/require"
 )
@@ -43,20 +45,118 @@ func TestValidateBundle(t *testing.T) {
 			hasError:    true,
 			errString:   `duplicate CRD "test.example.com/v1alpha1, Kind=Test" in bundle "test-operator.v0.0.1"`,
 		},
+		{
+			description: "invalid bundle service account can't match sa in csv",
+			directory:   "./testdata/invalid_bundle_sa",
+			hasError:    true,
+			errString:   `invalid service account found in bundle. This service account etcd-operator in your bundle is not valid, because a service account with the same name was already specified in your CSV. If this was unintentional, please remove the service account manifest from your bundle. If it was intentional to specify a separate service account, please rename the SA in either the bundle manifest or the CSV.`,
+		},
 	}
 
 	for _, tt := range table {
-		// Validate the bundle object
-		bundle, err := manifests.GetBundleFromDir(tt.directory)
-		require.NoError(t, err)
+		t.Run(tt.description, func(t *testing.T) {
+			// Validate the bundle object
+			bundle, err := manifests.GetBundleFromDir(tt.directory)
+			require.NoError(t, err)
 
-		results := BundleValidator.Validate(bundle)
+			results := BundleValidator.Validate(bundle)
 
-		if len(results) > 0 {
-			require.Equal(t, results[0].HasError(), tt.hasError)
-			if results[0].HasError() {
+			require.Greater(t, len(results), 0)
+			if tt.hasError {
+				require.True(t, results[0].HasError(), "found no error when an error was expected")
 				require.Contains(t, results[0].Errors[0].Error(), tt.errString)
+			} else {
+				require.False(t, results[0].HasError(), "found error when an error was not expected")
 			}
+		})
+	}
+}
+
+func TestValidateServiceAccount(t *testing.T) {
+	csvWithSAs := func(saNames ...string) *v1alpha1.ClusterServiceVersion {
+		csv := &v1alpha1.ClusterServiceVersion{}
+		depSpecs := make([]v1alpha1.StrategyDeploymentSpec, len(saNames))
+		for i, saName := range saNames {
+			depSpecs[i].Spec.Template.Spec.ServiceAccountName = saName
 		}
+		csv.Spec.InstallStrategy.StrategySpec.DeploymentSpecs = depSpecs
+		return csv
+	}
+
+	var table = []struct {
+		description string
+		bundle      *manifests.Bundle
+		hasError    bool
+		errString   string
+	}{
+		{
+			description: "an object with the same name as the service account",
+			bundle: &manifests.Bundle{
+				CSV: csvWithSAs("foo"),
+				Objects: []*unstructured.Unstructured{
+					{Object: map[string]interface{}{
+						"apiVersion": "apps/v1",
+						"kind":       "Deployment",
+						"metadata": map[string]interface{}{
+							"name": "foo",
+						},
+						"spec": map[string]interface{}{
+							"template": map[string]interface{}{
+								"spec": map[string]interface{}{
+									"serviceAccountName": "foo",
+								},
+							},
+						},
+					}},
+				},
+			},
+			hasError: false,
+		},
+		{
+			description: "service account included in both CSV and bundle",
+			bundle: &manifests.Bundle{
+				CSV: csvWithSAs("foo"),
+				Objects: []*unstructured.Unstructured{
+					{Object: map[string]interface{}{
+						"apiVersion": "apps/v1",
+						"kind":       "Deployment",
+						"metadata": map[string]interface{}{
+							"name": "foo",
+						},
+						"spec": map[string]interface{}{
+							"template": map[string]interface{}{
+								"spec": map[string]interface{}{
+									"serviceAccountName": "foo",
+								},
+							},
+						},
+					}},
+					{Object: map[string]interface{}{
+						"apiVersion": "v1",
+						"kind":       "ServiceAccount",
+						"metadata": map[string]interface{}{
+							"name": "foo",
+						},
+					}},
+				},
+			},
+			hasError:  true,
+			errString: `invalid service account found in bundle. This service account foo in your bundle is not valid, because a service account with the same name was already specified in your CSV. If this was unintentional, please remove the service account manifest from your bundle. If it was intentional to specify a separate service account, please rename the SA in either the bundle manifest or the CSV.`,
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.description, func(t *testing.T) {
+			// Validate the bundle object
+			results := BundleValidator.Validate(tt.bundle)
+
+			require.Greater(t, len(results), 0)
+			if tt.hasError {
+				require.True(t, results[0].HasError(), "found no error when an error was expected")
+				require.Contains(t, results[0].Errors[0].Error(), tt.errString)
+			} else {
+				require.False(t, results[0].HasError(), "found error when an error was not expected")
+			}
+		})
 	}
 }

staging/api/pkg/validation/internal/community.go

@@ -21,6 +21,9 @@ const IndexImagePathKey = "index-path"
 // where the bundle will be distributed
 const ocpLabelindex = "com.redhat.openshift.versions"
 
+// OCP version where the apis v1beta1 is no longer supported
+const ocpVerV1beta1Unsupported = "4.9"
+
 // CommunityOperatorValidator validates the bundle manifests against the required criteria to publish
 // the projects on the community operators
 //