
Commit 50d7887

yashvardhannanavatidirgim
authored andcommitted
fix: use CSV annotations for fips compliance of a bundle
Previously, the FIPS compliance tasks checked image labels to identify whether an operator bundle claims to be FIPS compliant. Not all product teams include it as labels. A more robust way is to check the CSV annotations. This commit implements that fix. Refers to KONFLUX-6664 Signed-off-by: Yashvardhan Nanavati <[email protected]>
1 parent 5e0950d commit 50d7887


4 files changed

+16
-18
lines changed


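--- a/task/fbc-fips-check-oci-ta/0.1/fbc-fips-check-oci-ta.yaml
+++ b/task/fbc-fips-check-oci-ta/0.1/fbc-fips-check-oci-ta.yaml
@@ -124,17 +124,16 @@ spec:
 fi
 subscription_label=$(echo "${bundle_out}" | jq -r '.properties[] | select(.value.annotations["operators.openshift.io/valid-subscription"] != null) | (.value.annotations["operators.openshift.io/valid-subscription"] | fromjson)[]')
 
-bundle_labels=$(get_image_labels "${bundle}")
-fips_label=$(echo "${bundle_labels}" | grep '^features.operators.openshift.io/fips-compliant=' | cut -d= -f2 || true)
+fips_annotation=$(echo "${bundle_out}" | jq -r '.properties[] | select(.value.annotations["features.operators.openshift.io/fips-compliant"]? == "true") | .value.annotations["features.operators.openshift.io/fips-compliant"]')
 
 if ! echo "${subscription_label}" | grep -e "OpenShift Kubernetes Engine" -e "OpenShift Container Platform" -e "OpenShift Platform Plus"; then
 echo "OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform are not present in operators.openshift.io/valid-subscription."
 echo "Subscription labels are : $subscription_label"
-if [ -z "${fips_label}" ] || [ "${fips_label}" != "true" ]; then
-echo "The label features.operators.openshift.io/fips-compliant is also not set to true. Skipping the FIPS static check for ${bundle}"
+if [ -z "${fips_annotation}" ] || [ "${fips_annotation}" != "true" ]; then
+echo "The annotation features.operators.openshift.io/fips-compliant is also not set to true. Skipping the FIPS static check for ${bundle}"
 continue
 else
-echo "The label features.operators.openshift.io/fips-compliant is set to true. Running the FIPS static check..."
+echo "The annotation features.operators.openshift.io/fips-compliant is set to true. Running the FIPS static check..."
 fi
 else
 echo "OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform are present in operators.openshift.io/valid-subscription. Running the FIPS static check..."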
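Review bot: The new `fips_annotation` filter on new line 127 prints one `true` per property whose annotations carry the key, so if the rendered bundle exposes the annotation on more than one property the variable becomes `true\ntrue` and the comparison on new line 132 wrongly treats the bundle as not claiming compliance; wrapping the expression in jq's `first(...)` or appending `| head -n1` keeps the gate stable. Because the `select` already restricts the emitted value to the literal `"true"`, the `-z` test on that same line is redundant and `if [ "${fips_annotation}" != "true" ]; then` is sufficient. The removed call on old line 127 may have been the only user of `get_image_labels` in this task; if so the helper is now dead code, which is worth confirming outside the hunk. The same three observations apply to task/fbc-fips-check/0.1/fbc-fips-check.yaml, task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml and task/fips-operator-bundle-check/0.1/fips-operator-bundle-check.yaml. The loop body containing this hunk starts and ends outside it.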

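--- a/task/fbc-fips-check/0.1/fbc-fips-check.yaml
+++ b/task/fbc-fips-check/0.1/fbc-fips-check.yaml
@@ -121,17 +121,16 @@ spec:
 fi
 subscription_label=$(echo "${bundle_out}" | jq -r '.properties[] | select(.value.annotations["operators.openshift.io/valid-subscription"] != null) | (.value.annotations["operators.openshift.io/valid-subscription"] | fromjson)[]')
 
-bundle_labels=$(get_image_labels "${bundle}")
-fips_label=$(echo "${bundle_labels}" | grep '^features.operators.openshift.io/fips-compliant=' | cut -d= -f2 || true)
+fips_annotation=$(echo "${bundle_out}" | jq -r '.properties[] | select(.value.annotations["features.operators.openshift.io/fips-compliant"]? == "true") | .value.annotations["features.operators.openshift.io/fips-compliant"]')
 
 if ! echo "${subscription_label}" | grep -e "OpenShift Kubernetes Engine" -e "OpenShift Container Platform" -e "OpenShift Platform Plus"; then
 echo "OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform are not present in operators.openshift.io/valid-subscription."
 echo "Subscription labels are : $subscription_label"
-if [ -z "${fips_label}" ] || [ "${fips_label}" != "true" ]; then
-echo "The label features.operators.openshift.io/fips-compliant is also not set to true. Skipping the FIPS static check for ${bundle}"
+if [ -z "${fips_annotation}" ] || [ "${fips_annotation}" != "true" ]; then
+echo "The annotation features.operators.openshift.io/fips-compliant is also not set to true. Skipping the FIPS static check for ${bundle}"
 continue
 else
-echo "The label features.operators.openshift.io/fips-compliant is set to true. Running the FIPS static check..."
+echo "The annotation features.operators.openshift.io/fips-compliant is set to true. Running the FIPS static check..."
 fi
 else
 echo "OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform are present in operators.openshift.io/valid-subscription. Running the FIPS static check..."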

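--- a/task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml
+++ b/task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml
@@ -78,16 +78,16 @@ spec:
 # Run the FIPS check only if the bundle is part of the Openshift Subscription or has the fips label set
 image_and_digest_render_out=$(opm render "$image_and_digest")
 subscription_label=$(echo "${image_and_digest_render_out}" | jq -r '.properties[] | select(.value.annotations["operators.openshift.io/valid-subscription"] != null) | (.value.annotations["operators.openshift.io/valid-subscription"] | fromjson)[]')
-fips_label=$(echo "${image_and_digest_labels}" | grep '^features.operators.openshift.io/fips-compliant=' | cut -d= -f2 || true)
+fips_annotation=$(echo "${image_and_digest_render_out}" | jq -r '.properties[] | select(.value.annotations["features.operators.openshift.io/fips-compliant"]? == "true") | .value.annotations["features.operators.openshift.io/fips-compliant"]')
 
 if ! echo "${subscription_label}" | grep -e "OpenShift Kubernetes Engine" -e "OpenShift Container Platform" -e "OpenShift Platform Plus"; then
 echo "OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform are not present in operators.openshift.io/valid-subscription."
 echo "Subscription labels are : $subscription_label"
-if [ -z "${fips_label}" ] || [ "${fips_label}" != "true" ]; then
-echo "The label features.operators.openshift.io/fips-compliant is also not set to true. Skipping the FIPS static check..."
+if [ -z "${fips_annotation}" ] || [ "${fips_annotation}" != "true" ]; then
+echo "The annotation features.operators.openshift.io/fips-compliant is also not set to true. Skipping the FIPS static check..."
 exit 0
 else
-echo "The label features.operators.openshift.io/fips-compliant is set to true. Running the FIPS static check..."
+echo "The annotation features.operators.openshift.io/fips-compliant is set to true. Running the FIPS static check..."
 fi
 else
 echo "OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform are present in operators.openshift.io/valid-subscription. Running the FIPS static check..."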
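Review bot: The comment on line 78 still says the check runs when the bundle "has the fips label set", but new line 81 now reads the `features.operators.openshift.io/fips-compliant` annotation from the `opm render` output rather than an image label; update it to `# Run the FIPS check only if the bundle is part of the Openshift Subscription or has the fips-compliant CSV annotation set to "true"`. The removed line 81 was the only visible reader of `image_and_digest_labels`; if that variable is still populated earlier in the step (outside this hunk), that assignment and whatever image inspection produced it are now dead and can be dropped. The identical stale comment sits on line 63 of task/fips-operator-bundle-check/0.1/fips-operator-bundle-check.yaml. The script step containing this hunk starts and ends outside it.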

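--- a/task/fips-operator-bundle-check/0.1/fips-operator-bundle-check.yaml
+++ b/task/fips-operator-bundle-check/0.1/fips-operator-bundle-check.yaml
@@ -63,16 +63,16 @@ spec:
 # Run the FIPS check only if the bundle is part of the Openshift Subscription or has the fips label set
 image_and_digest_render_out=$(opm render "$image_and_digest")
 subscription_label=$(echo "${image_and_digest_render_out}" | jq -r '.properties[] | select(.value.annotations["operators.openshift.io/valid-subscription"] != null) | (.value.annotations["operators.openshift.io/valid-subscription"] | fromjson)[]')
-fips_label=$(echo "${image_and_digest_labels}" | grep '^features.operators.openshift.io/fips-compliant=' | cut -d= -f2 || true)
+fips_annotation=$(echo "${image_and_digest_render_out}" | jq -r '.properties[] | select(.value.annotations["features.operators.openshift.io/fips-compliant"]? == "true") | .value.annotations["features.operators.openshift.io/fips-compliant"]')
 
 if ! echo "${subscription_label}" | grep -e "OpenShift Kubernetes Engine" -e "OpenShift Container Platform" -e "OpenShift Platform Plus"; then
 echo "OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform are not present in operators.openshift.io/valid-subscription."
 echo "Subscription labels are : $subscription_label"
-if [ -z "${fips_label}" ] || [ "${fips_label}" != "true" ]; then
-echo "The label features.operators.openshift.io/fips-compliant is also not set to true. Skipping the FIPS static check..."
+if [ -z "${fips_annotation}" ] || [ "${fips_annotation}" != "true" ]; then
+echo "The annotation features.operators.openshift.io/fips-compliant is also not set to true. Skipping the FIPS static check..."
 exit 0
 else
-echo "The label features.operators.openshift.io/fips-compliant is set to true. Running the FIPS static check..."
+echo "The annotation features.operators.openshift.io/fips-compliant is set to true. Running the FIPS static check..."
 fi
 else
 echo "OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform are present in operators.openshift.io/valid-subscription. Running the FIPS static check..."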
