From 4383f861aa44ff1bae0c7fd11c7ef6122d781ec3 Mon Sep 17 00:00:00 2001 From: devppratik Date: Fri, 15 May 2026 16:47:26 +0530 Subject: [PATCH 1/6] chore(SREP-4482, SREP-4486, SREP-4800: Boilerplate Update for Agentic SDLC Rollout) --- .ci-operator.yaml | 2 +- .codecov.yml | 10 +- .pre-commit-config.yaml | 134 ++++++++++++++++++ OWNERS_ALIASES | 6 +- boilerplate/_data/backing-image-tag | 2 +- boilerplate/_data/last-boilerplate-commit | 2 +- .../golang-osd-operator/.codecov.yml | 10 +- .../golang-osd-operator/OWNERS_ALIASES | 6 +- .../golang-osd-operator/golangci.yml | 85 +++++++---- .../pre-commit-config.yaml | 134 ++++++++++++++++++ .../openshift/golang-osd-operator/standard.mk | 28 +++- .../openshift/golang-osd-operator/update | 4 + build/Dockerfile | 4 +- build/Dockerfile.olm-registry | 2 +- 14 files changed, 386 insertions(+), 43 deletions(-) create mode 100644 .pre-commit-config.yaml create mode 100644 boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml diff --git a/.ci-operator.yaml b/.ci-operator.yaml index 559bdf38..188626d7 100644 --- a/.ci-operator.yaml +++ b/.ci-operator.yaml @@ -1,4 +1,4 @@ build_root_image: name: boilerplate namespace: openshift - tag: image-v8.3.4 + tag: image-v8.3.6 diff --git a/.codecov.yml b/.codecov.yml index ba05647a..20cbf543 100644 --- a/.codecov.yml +++ b/.codecov.yml @@ -8,8 +8,14 @@ coverage: range: "20...100" status: - project: no - patch: no + project: + default: + target: 35% + threshold: 1% + patch: + default: + target: 50% + threshold: 1% changes: no parsers: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..14ecdd9b --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,134 @@ +# ============================================================================= +# Tier 1 — Common Pre-Commit Hooks for OSD Operators +# SREP-4485 | Golden rules: SREP-4450 +# ============================================================================= +# +# INSTALL +# pip install pre-commit +# pre-commit install +# +# USAGE +# pre-commit run # staged files only (developer / agent workflow) +# pre-commit run --all-files # full repo (CI / first-time setup) +# +# BYPASS (golden rule 16) +# Skip one hook: SKIP=hook-id git commit +# Never use: git commit --no-verify +# Agents: never bypass any hook +# Security hooks: never bypassable under any circumstances +# +# CI RELATIONSHIP (golden rule 17) +# These hooks mirror ci/prow/lint. CI remains the authoritative gate. +# Every check here also runs in CI. Pre-commit is developer convenience. +# +# AGENT USAGE (golden rule 1, 7, 19) +# Agents run: pre-commit run +# Output: PRE_COMMIT=1 is set automatically — hooks emit structured output +# Retry: max 2 fix-and-retry iterations before escalating to human +# +# TIMING TARGETS (golden rule 2, 3) +# Total run: <= 10s target / <= 60s hard limit on a 10-file changeset +# Hooks run fastest-first (golden rule 13). Each hook has a timeout guard. +# +# FIRST RUN NOTE +# Auto-fix hooks (trailing-whitespace, end-of-file-fixer) will correct +# pre-existing violations on the first run. Stage and commit those fixes +# separately before day-to-day use. +# +# ============================================================================= + +repos: + + # --------------------------------------------------------------------------- + # 1. 
FILE HYGIENE + YAML SYNTAX | target < 2s | auto-fix + error + # - check-merge-conflict: detects unresolved merge markers + # - trailing-whitespace: removes trailing spaces (auto-fix) + # - end-of-file-fixer: ensures single EOF newline (auto-fix) + # - check-yaml: validates YAML syntax in deploy/ manifests; + # mirrors ci/prow/lint: olm-deploy-yaml-validate + # --------------------------------------------------------------------------- + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v5.0.0 # pinned immutable tag + hooks: + - id: check-merge-conflict + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + - id: check-yaml + name: YAML syntax (deploy/) + files: ^deploy/.*\.ya?ml$ + args: [--allow-multiple-documents] + + # --------------------------------------------------------------------------- + # 2. SECRETS DETECTION | target < 5s | always blocking + # Scans all file types (YAML, shell, config) — gosec covers Go only. + # High-confidence findings block; configure .gitleaks.toml for allowlist. + # --------------------------------------------------------------------------- + - repo: https://github.com/gitleaks/gitleaks + rev: v8.18.0 # pinned immutable tag (golden rule 15) + hooks: + - id: gitleaks + + # --------------------------------------------------------------------------- + # 3. STATIC ANALYSIS | target < 15s cached | error + # Mirrors ci/prow/lint: go-check exactly (same version + config as CI). 
+ # Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml + # --------------------------------------------------------------------------- + - repo: https://github.com/golangci/golangci-lint + rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) + hooks: + - id: golangci-lint + args: + - --config=boilerplate/openshift/golang-osd-operator/golangci.yml + - --timeout=120s # graceful timeout (golden rule 3) + + # --------------------------------------------------------------------------- + # Local hooks — compile, dependency, security + # + # TIMEOUT NOTE (golden rule 3) + # Uses portable timeout detection: 'timeout' on Linux, 'gtimeout' on macOS. + # macOS: brew install coreutils + # Linux: timeout is available by default (GNU coreutils) + # --------------------------------------------------------------------------- + - repo: local + hooks: + + # ----------------------------------------------------------------------- + # 4. COMPILE CHECK | target < 10s cached | error + # Catches import cycles and type errors before golangci-lint runs. + # Note: go build ./... writes no binary to the repo (compile check only). + # Fix: resolve compilation errors reported by go build. + # ----------------------------------------------------------------------- + - id: go-build + name: go build + language: system + entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} go build ./...' + types: [go] + pass_filenames: false + + # ----------------------------------------------------------------------- + # 5. DEPENDENCY DRIFT | target < 10s | error + # Detects uncommitted go.mod/go.sum changes after go mod tidy. + # Fix: run 'go mod tidy' and stage go.mod and go.sum. 
+ # ----------------------------------------------------------------------- + - id: go-mod-tidy + name: go mod tidy + language: system + entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum' + files: '(\.go$|go\.(mod|sum)$)' + exclude: '^vendor/' + pass_filenames: false + + # ----------------------------------------------------------------------- + # 6. RBAC WILDCARD CHECK | target < 5s | warn-only (blocking after cleanup) + # Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"] + # or multi-line - '*' format). Logic lives in standard.mk target + # 'rbac-wildcard-check' for readability and reuse. + # Fix: replace wildcards with explicit verbs and resource names. + # ----------------------------------------------------------------------- + - id: rbac-wildcard-check + name: RBAC wildcard permissions + language: system + entry: bash -c 'make rbac-wildcard-check' + files: ^deploy/.*\.ya?ml$ + pass_filenames: false diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index e0e91ef2..7fddbfa2 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -4,12 +4,12 @@ # ============================================================================= aliases: srep-functional-team-aurora: - - abyrne55 - AlexSmithGH + - BATMAN-JD - dakotalongRH - eth1030 + - geowa4 - joshbranham - - luis-falcon - reedcort srep-functional-team-fedramp: - theautoroboto @@ -73,7 +73,6 @@ aliases: - yiqinzhang - varunraokadaparthi srep-functional-leads: - - abyrne55 - clcollins - bergmannf - theautoroboto @@ -91,5 +90,4 @@ aliases: - maorfr - rogbas srep-architects: - - jharrington22 - cblecker diff --git a/boilerplate/_data/backing-image-tag b/boilerplate/_data/backing-image-tag index 77a6bbe4..ca21d244 100644 --- a/boilerplate/_data/backing-image-tag +++ b/boilerplate/_data/backing-image-tag @@ -1 +1 @@ -image-v8.3.4 +image-v8.3.6 
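Review bot: The three third-party hooks are pinned to git tags (`rev: v5.0.0`, `rev: v8.18.0`, `rev: v2.0.2`) while their trailing comments call them "pinned immutable tag"; a tag can be moved or re-pushed, so to get the supply-chain guarantee the comment promises, pin `rev` to the full commit SHA of each release and keep the tag as the comment (e.g. `rev: <commit-sha-placeholder>  # v8.18.0`). The BYPASS header states that security hooks are "never bypassable under any circumstances", but `SKIP=gitleaks git commit` skips the gitleaks hook like any other and a client-side hook cannot prevent that; reword it to say that ci/prow/lint is the enforcement point and the local run is advisory. A smaller inconsistency: the header says `PRE_COMMIT=1` makes hooks emit structured output, yet none of the local `entry:` commands in this file reads that variable. The same points apply to the byte-identical copy added at boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml in this patch.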
diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit index 4235f5c1..1fc1cbc3 100644 --- a/boilerplate/_data/last-boilerplate-commit +++ b/boilerplate/_data/last-boilerplate-commit @@ -1 +1 @@ -28f0d527a87f963961e218687f8e481acf62e47d +0d8c4f5b1d0cc0be7f35fa2d84430c112eb3a5f0 diff --git a/boilerplate/openshift/golang-osd-operator/.codecov.yml b/boilerplate/openshift/golang-osd-operator/.codecov.yml index ba05647a..20cbf543 100644 --- a/boilerplate/openshift/golang-osd-operator/.codecov.yml +++ b/boilerplate/openshift/golang-osd-operator/.codecov.yml @@ -8,8 +8,14 @@ coverage: range: "20...100" status: - project: no - patch: no + project: + default: + target: 35% + threshold: 1% + patch: + default: + target: 50% + threshold: 1% changes: no parsers: diff --git a/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES index e0e91ef2..7fddbfa2 100644 --- a/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES +++ b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES @@ -4,12 +4,12 @@ # ============================================================================= aliases: srep-functional-team-aurora: - - abyrne55 - AlexSmithGH + - BATMAN-JD - dakotalongRH - eth1030 + - geowa4 - joshbranham - - luis-falcon - reedcort srep-functional-team-fedramp: - theautoroboto @@ -73,7 +73,6 @@ aliases: - yiqinzhang - varunraokadaparthi srep-functional-leads: - - abyrne55 - clcollins - bergmannf - theautoroboto @@ -91,5 +90,4 @@ aliases: - maorfr - rogbas srep-architects: - - jharrington22 - cblecker diff --git a/boilerplate/openshift/golang-osd-operator/golangci.yml b/boilerplate/openshift/golang-osd-operator/golangci.yml index 46fec035..df1596ff 100644 --- a/boilerplate/openshift/golang-osd-operator/golangci.yml +++ b/boilerplate/openshift/golang-osd-operator/golangci.yml 
@@ -1,39 +1,76 @@ version: "2" -run: - concurrency: 10 + linters: - default: none enable: + # Error Handling & Security - errcheck - - gosec - govet - - ineffassign - - misspell - staticcheck + - gosec + - bodyclose + - sqlclosecheck + - contextcheck + - noctx + + # Error Prevention + - errorlint + - nilerr + - nilnil + - revive + + # Code Quality + - ineffassign + - unconvert + - unparam - unused + - misspell + + # Maintainability + - prealloc + - nolintlint + - gocyclo + - exhaustive + - makezero + - containedctx + settings: + revive: + rules: + - name: package-comments + disabled: true + + errcheck: + check-type-assertions: true + check-blank: false + + exclusions: + presets: + - std-error-handling + + gocyclo: + min-complexity: 15 + + errorlint: + errorf: true + asserts: true + comparison: true + misspell: extra-words: - typo: openshit correction: OpenShift - exclusions: - generated: lax - presets: - - comments - - common-false-positives - - legacy - - std-error-handling - paths: - - third_party/ - - builtin/ - - examples/ + +run: + timeout: 5m + # Incremental linting (new-from-rev) is passed via the Makefile's + # go-check target. In CI it uses PULL_BASE_SHA (guaranteed to exist + # even in shallow clones); locally it falls back to origin/HEAD. + +formatters: + enable: + - gofmt + - goimports + issues: max-issues-per-linter: 0 max-same-issues: 0 -formatters: - exclusions: - generated: lax - paths: - - third_party/ - - builtin/ - - examples/ diff --git a/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml b/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml new file mode 100644 index 00000000..14ecdd9b --- /dev/null +++ b/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml 
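Review bot: The rewrite drops the `exclusions.paths` entries for `third_party/`, `builtin/` and `examples/` along with `generated: lax`, so in any consuming repo that has those directories, gosec, errcheck and staticcheck will now report against them (the `--new-from-rev` handled in standard.mk only narrows that to touched lines). If linting those paths is intended fleet-wide, say so in a comment under `exclusions:`; otherwise restore the three `paths:` entries. In the collapsed view it is also not clear whether the surviving `exclusions:` block sits at `linters.exclusions` or has slipped under `settings:`; it must be the former, so please confirm the indentation, since golangci-lint v2 treats unknown settings keys as a configuration error as far as I know.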
@@ -0,0 +1,134 @@ +# ============================================================================= +# Tier 1 — Common Pre-Commit Hooks for OSD Operators +# SREP-4485 | Golden rules: SREP-4450 +# ============================================================================= +# +# INSTALL +# pip install pre-commit +# pre-commit install +# +# USAGE +# pre-commit run # staged files only (developer / agent workflow) +# pre-commit run --all-files # full repo (CI / first-time setup) +# +# BYPASS (golden rule 16) +# Skip one hook: SKIP=hook-id git commit +# Never use: git commit --no-verify +# Agents: never bypass any hook +# Security hooks: never bypassable under any circumstances +# +# CI RELATIONSHIP (golden rule 17) +# These hooks mirror ci/prow/lint. CI remains the authoritative gate. +# Every check here also runs in CI. Pre-commit is developer convenience. +# +# AGENT USAGE (golden rule 1, 7, 19) +# Agents run: pre-commit run +# Output: PRE_COMMIT=1 is set automatically — hooks emit structured output +# Retry: max 2 fix-and-retry iterations before escalating to human +# +# TIMING TARGETS (golden rule 2, 3) +# Total run: <= 10s target / <= 60s hard limit on a 10-file changeset +# Hooks run fastest-first (golden rule 13). Each hook has a timeout guard. +# +# FIRST RUN NOTE +# Auto-fix hooks (trailing-whitespace, end-of-file-fixer) will correct +# pre-existing violations on the first run. Stage and commit those fixes +# separately before day-to-day use. +# +# ============================================================================= + +repos: + + # --------------------------------------------------------------------------- + # 1. 
FILE HYGIENE + YAML SYNTAX | target < 2s | auto-fix + error + # - check-merge-conflict: detects unresolved merge markers + # - trailing-whitespace: removes trailing spaces (auto-fix) + # - end-of-file-fixer: ensures single EOF newline (auto-fix) + # - check-yaml: validates YAML syntax in deploy/ manifests; + # mirrors ci/prow/lint: olm-deploy-yaml-validate + # --------------------------------------------------------------------------- + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v5.0.0 # pinned immutable tag + hooks: + - id: check-merge-conflict + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + - id: check-yaml + name: YAML syntax (deploy/) + files: ^deploy/.*\.ya?ml$ + args: [--allow-multiple-documents] + + # --------------------------------------------------------------------------- + # 2. SECRETS DETECTION | target < 5s | always blocking + # Scans all file types (YAML, shell, config) — gosec covers Go only. + # High-confidence findings block; configure .gitleaks.toml for allowlist. + # --------------------------------------------------------------------------- + - repo: https://github.com/gitleaks/gitleaks + rev: v8.18.0 # pinned immutable tag (golden rule 15) + hooks: + - id: gitleaks + + # --------------------------------------------------------------------------- + # 3. STATIC ANALYSIS | target < 15s cached | error + # Mirrors ci/prow/lint: go-check exactly (same version + config as CI). 
+ # Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml + # --------------------------------------------------------------------------- + - repo: https://github.com/golangci/golangci-lint + rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) + hooks: + - id: golangci-lint + args: + - --config=boilerplate/openshift/golang-osd-operator/golangci.yml + - --timeout=120s # graceful timeout (golden rule 3) + + # --------------------------------------------------------------------------- + # Local hooks — compile, dependency, security + # + # TIMEOUT NOTE (golden rule 3) + # Uses portable timeout detection: 'timeout' on Linux, 'gtimeout' on macOS. + # macOS: brew install coreutils + # Linux: timeout is available by default (GNU coreutils) + # --------------------------------------------------------------------------- + - repo: local + hooks: + + # ----------------------------------------------------------------------- + # 4. COMPILE CHECK | target < 10s cached | error + # Catches import cycles and type errors before golangci-lint runs. + # Note: go build ./... writes no binary to the repo (compile check only). + # Fix: resolve compilation errors reported by go build. + # ----------------------------------------------------------------------- + - id: go-build + name: go build + language: system + entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} go build ./...' + types: [go] + pass_filenames: false + + # ----------------------------------------------------------------------- + # 5. DEPENDENCY DRIFT | target < 10s | error + # Detects uncommitted go.mod/go.sum changes after go mod tidy. + # Fix: run 'go mod tidy' and stage go.mod and go.sum. 
+ # ----------------------------------------------------------------------- + - id: go-mod-tidy + name: go mod tidy + language: system + entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum' + files: '(\.go$|go\.(mod|sum)$)' + exclude: '^vendor/' + pass_filenames: false + + # ----------------------------------------------------------------------- + # 6. RBAC WILDCARD CHECK | target < 5s | warn-only (blocking after cleanup) + # Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"] + # or multi-line - '*' format). Logic lives in standard.mk target + # 'rbac-wildcard-check' for readability and reuse. + # Fix: replace wildcards with explicit verbs and resource names. + # ----------------------------------------------------------------------- + - id: rbac-wildcard-check + name: RBAC wildcard permissions + language: system + entry: bash -c 'make rbac-wildcard-check' + files: ^deploy/.*\.ya?ml$ + pass_filenames: false diff --git a/boilerplate/openshift/golang-osd-operator/standard.mk b/boilerplate/openshift/golang-osd-operator/standard.mk index cebc4505..c6356e27 100644 --- a/boilerplate/openshift/golang-osd-operator/standard.mk +++ b/boilerplate/openshift/golang-osd-operator/standard.mk 
@@ -172,10 +172,19 @@ docker-login: mkdir -p ${CONTAINER_ENGINE_CONFIG_DIR} @${CONTAINER_ENGINE} login -u="${REGISTRY_USER}" -p="${REGISTRY_TOKEN}" quay.io +# Only lint new/changed code. In Prow CI, PULL_BASE_SHA points to the +# base commit and is guaranteed to exist in the checkout (even shallow +# clones). Locally, fall back to the default branch ref. +ifdef PULL_BASE_SHA +LINT_NEW_FROM_REV := $(PULL_BASE_SHA) +else +LINT_NEW_FROM_REV := $(shell git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/||') +endif + .PHONY: go-check go-check: ## Golang linting and other static analysis ${CONVENTION_DIR}/ensure.sh golangci-lint - ${GOENV} GOLANGCI_LINT_CACHE=${GOLANGCI_LINT_CACHE} golangci-lint run -c ${CONVENTION_DIR}/golangci.yml ./... + ${GOENV} GOLANGCI_LINT_CACHE=${GOLANGCI_LINT_CACHE} golangci-lint run -c ${CONVENTION_DIR}/golangci.yml $(if $(LINT_NEW_FROM_REV),--new-from-rev=$(LINT_NEW_FROM_REV)) ./... .PHONY: go-generate go-generate: 
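Review bot: With `--new-from-rev`, go-check now reports only issues on lines changed since `LINT_NEW_FROM_REV`, so gosec and the other linters enabled in golangci.yml stop gating pre-existing findings anywhere else in the tree; the comment above the `ifdef` should state that trade-off and how a full scan is obtained (`make go-check LINT_NEW_FROM_REV=` clears the variable from the command line). Locally, `git symbolic-ref refs/remotes/origin/HEAD` prints nothing on clones where `origin/HEAD` was never set, in which case the `$(if ...)` silently falls back to a full run; a one-line comment on that would keep the local/CI difference from being mistaken for a bug. The `$(shell ...)` also executes on every Make invocation, including targets that never lint; a recursively-expanded `=` assignment defers it until go-check actually expands the variable.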
@@ -380,6 +389,23 @@ validate: boilerplate-freeze-check generate-check validate-pko-fixtures .PHONY: lint lint: olm-deploy-yaml-validate go-check +# rbac-wildcard-check: Detect wildcard RBAC permissions in deploy/ manifests. +# Checks both inline (verbs: ["*"]) and multi-line (- '*' under verbs/resources:) +# formats. Called by the pre-commit rbac-wildcard-check hook. +# Currently warn-only (exits 0) to avoid breaking repos with pre-existing wildcards. +# Will become blocking once existing violations are resolved across the fleet. +.PHONY: rbac-wildcard-check +rbac-wildcard-check: + @python3 -c "\ +import sys,glob;\ +violations=[(f,n,l.rstrip()) for f in glob.glob('deploy/*.yaml')+glob.glob('deploy/*.yml') \ +for lines in [list(enumerate(open(f),1))] \ +for i,(n,l) in enumerate(lines) \ +if l.strip().lstrip('- ').strip(chr(39)+chr(34))=='*' \ +and any(lines[j][1].strip() in ('verbs:','resources:') for j in range(max(0,i-5),i))];\ +[print('WARNING: wildcard RBAC found: '+v[0]+'|'+str(v[1])+'|'+v[2]) for v in violations];\ +sys.exit(0)" + # test: "Local" unit and functional testing. .PHONY: test test: go-test diff --git a/boilerplate/openshift/golang-osd-operator/update b/boilerplate/openshift/golang-osd-operator/update index 7f2c702f..5fe4a385 100755 --- a/boilerplate/openshift/golang-osd-operator/update +++ b/boilerplate/openshift/golang-osd-operator/update @@ -110,6 +110,10 @@ echo " name: $IMAGE_NAME" echo " tag: $LATEST_IMAGE_TAG" ${SED?} "s/__NAMESPACE__/$IMAGE_NAMESPACE/; s/__NAME__/$IMAGE_NAME/; s/__TAG__/$LATEST_IMAGE_TAG/" ${HERE}/.ci-operator.yaml >$REPO_ROOT/.ci-operator.yaml +# Add pre-commit hooks configuration (SREP-4485) +echo "Copying pre-commit-config.yaml to .pre-commit-config.yaml" +cp ${HERE}/pre-commit-config.yaml $REPO_ROOT/.pre-commit-config.yaml + # Check for pipeline files in .tekton directory and centralize them TEKTON_DIR="${REPO_ROOT}/.tekton" if [ -d "$TEKTON_DIR" ]; then 
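Review bot: The inline form the comment says is covered (`verbs: ["*"]`) is never reported: the condition `l.strip().lstrip('- ').strip(chr(39)+chr(34))=='*'` only matches a line that consists of a single quoted `*` list item, so `verbs: ["*"]` or `resources: ['*']` written on one line passes the check. The glob is also non-recursive (`deploy/*.yaml`) while the pre-commit hook triggers on `^deploy/.*\.ya?ml$`, so manifests in subdirectories of deploy/ fire the hook but are never scanned. The rewrite below adds a regex for the inline form and a recursive glob; the `open(f)` handles are left unclosed as in the original, which is harmless for a short-lived process but worth a `with` if this ever grows into a real script.
```makefile
# … unchanged: comment header and .PHONY declaration …
rbac-wildcard-check:
	@python3 -c "\
import sys,glob,re;\
files=glob.glob('deploy/**/*.yaml',recursive=True)+glob.glob('deploy/**/*.yml',recursive=True);\
inline=re.compile(r'^\s*(verbs|resources):\s*\[[^\]]*[\x27\x22]\*[\x27\x22]');\
q=chr(39)+chr(34);\
violations=[(f,n,l.rstrip()) for f in files \
for lines in [list(enumerate(open(f),1))] \
for i,(n,l) in enumerate(lines) \
if inline.match(l) or (l.strip().lstrip('- ').strip(q)=='*' \
and any(lines[j][1].strip() in ('verbs:','resources:') for j in range(max(0,i-5),i)))];\
[print('WARNING: wildcard RBAC found: '+v[0]+'|'+str(v[1])+'|'+v[2]) for v in violations];\
sys.exit(0)"
```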
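Review bot: The new `cp ${HERE}/pre-commit-config.yaml $REPO_ROOT/.pre-commit-config.yaml` unconditionally overwrites the consumer's `.pre-commit-config.yaml` on every boilerplate update, so any repo-local additions (extra hooks, `exclude:` patterns, changed timeouts) are silently lost. That matches how `.ci-operator.yaml` is handled on the line above, but it should be stated in the echo or a comment, e.g. `# Boilerplate-owned: local edits to .pre-commit-config.yaml are overwritten on update`, so maintainers do not customise a file that will be clobbered. Quoting the two paths as `"${HERE}/pre-commit-config.yaml" "$REPO_ROOT/.pre-commit-config.yaml"` would also match the quoted `TEKTON_DIR` usage a few lines below.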
diff --git a/build/Dockerfile b/build/Dockerfile index 6a835c55..6c2d9c81 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,9 +1,9 @@ -FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.4 AS builder +FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6 AS builder COPY . /go/src/github.com/openshift/splunk-forwarder-operator WORKDIR /go/src/github.com/openshift/splunk-forwarder-operator RUN make go-build -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778072020 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778562320 ENV OPERATOR_PATH=/go/src/github.com/openshift/splunk-forwarder-operator \ OPERATOR_BIN=splunk-forwarder-operator diff --git a/build/Dockerfile.olm-registry b/build/Dockerfile.olm-registry index ab3a27c8..1d247750 100644 --- a/build/Dockerfile.olm-registry +++ b/build/Dockerfile.olm-registry @@ -4,7 +4,7 @@ COPY ${SAAS_OPERATOR_DIR} manifests RUN initializer --permissive # ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778072020 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778562320 COPY --from=builder /bin/registry-server /bin/registry-server COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe From a90d69c8e577c3cb9b37f77e499f4d9fb6974b90 Mon Sep 17 00:00:00 2001 From: Jason Healy Date: Thu, 28 May 2026 12:02:17 -0400 Subject: [PATCH 2/6] update boilerplate --- .pre-commit-config.yaml | 25 ++-- boilerplate/_data/last-boilerplate-commit | 2 +- .../golang-osd-operator/docs/pre-commit.md | 123 ++++++++++++++++++ .../golang-osd-operator/olm_pko_migration.py | 4 +- .../pre-commit-config.yaml | 25 ++-- .../openshift/golang-osd-operator/standard.mk | 22 +++- build/Dockerfile | 2 +- build/Dockerfile.olm-registry | 2 +- 8 files changed, 181 insertions(+), 24 deletions(-) create mode 100644 boilerplate/openshift/golang-osd-operator/docs/pre-commit.md 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 14ecdd9b..c74049fb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,8 +4,14 @@ # ============================================================================= # # INSTALL -# pip install pre-commit -# pre-commit install +# For detailed setup instructions including uv (recommended) and pip, +# see: boilerplate/openshift/golang-osd-operator/docs/pre-commit.md +# +# Quick start (uv): +# uv sync && source .venv/bin/activate && pre-commit install +# +# Quick start (pip): +# pip install 'pre-commit==4.6.0' && pre-commit install # # USAGE # pre-commit run # staged files only (developer / agent workflow) @@ -35,10 +41,12 @@ # pre-existing violations on the first run. Stage and commit those fixes # separately before day-to-day use. # +# Fix commits can be excluded from git blame +# https://git-scm.com/docs/git-blame#Documentation/git-blame.txt---ignore-revs-filefile +# # ============================================================================= repos: - # --------------------------------------------------------------------------- # 1. FILE HYGIENE + YAML SYNTAX | target < 2s | auto-fix + error # - check-merge-conflict: detects unresolved merge markers @@ -48,7 +56,7 @@ repos: # mirrors ci/prow/lint: olm-deploy-yaml-validate # --------------------------------------------------------------------------- - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 # pinned immutable tag + rev: v5.0.0 # pinned immutable tag hooks: - id: check-merge-conflict - id: trailing-whitespace @@ -65,7 +73,7 @@ repos: # High-confidence findings block; configure .gitleaks.toml for allowlist. # --------------------------------------------------------------------------- - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 # pinned immutable tag (golden rule 15) + rev: v8.18.0 # pinned immutable tag (golden rule 15) hooks: - id: gitleaks 
@@ -75,12 +83,12 @@ repos: # Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml # --------------------------------------------------------------------------- - repo: https://github.com/golangci/golangci-lint - rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) + rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) hooks: - id: golangci-lint args: - --config=boilerplate/openshift/golang-osd-operator/golangci.yml - - --timeout=120s # graceful timeout (golden rule 3) + - --timeout=120s # graceful timeout (golden rule 3) # --------------------------------------------------------------------------- # Local hooks — compile, dependency, security @@ -92,7 +100,6 @@ repos: # --------------------------------------------------------------------------- - repo: local hooks: - # ----------------------------------------------------------------------- # 4. COMPILE CHECK | target < 10s cached | error # Catches import cycles and type errors before golangci-lint runs. @@ -116,7 +123,7 @@ repos: language: system entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum' files: '(\.go$|go\.(mod|sum)$)' - exclude: '^vendor/' + exclude: "^vendor/" pass_filenames: false # ----------------------------------------------------------------------- diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit index 1fc1cbc3..745b7499 100644 --- a/boilerplate/_data/last-boilerplate-commit +++ b/boilerplate/_data/last-boilerplate-commit @@ -1 +1 @@ -0d8c4f5b1d0cc0be7f35fa2d84430c112eb3a5f0 +05d233f4d9639f3e1c54ead5c2b1eb59654091b6 diff --git a/boilerplate/openshift/golang-osd-operator/docs/pre-commit.md b/boilerplate/openshift/golang-osd-operator/docs/pre-commit.md new file mode 100644 index 00000000..88ff5bca --- /dev/null +++ b/boilerplate/openshift/golang-osd-operator/docs/pre-commit.md 
@@ -0,0 +1,123 @@ +# Pre-Commit Hooks Setup Guide + +## Installation + +### Recommended: Using uv + +[uv](https://github.com/astral-sh/uv) is recommended for Python dependency management. It provides dependency locking with package hashes (supply-chain protection), virtual environment management, and is 10-100x faster than pip. + +**Install uv:** +```bash +# macOS/Linux +curl -LsSf https://astral.sh/uv/install.sh | sh + +# Windows +powershell -c "irm https://astral.sh/uv/install.ps1 | iex" + +# Via pip +pip install uv +``` + +**First-time setup:** +```bash +uv init --bare # creates pyproject.toml +uv add --dev pre-commit==4.6.0 # adds dependency, generates uv.lock +source .venv/bin/activate # macOS/Linux (.venv\Scripts\activate on Windows) +pre-commit install +``` + +**Subsequent setup** (when `pyproject.toml` and `uv.lock` exist): +```bash +uv sync +source .venv/bin/activate +pre-commit install +``` + +### Alternative: Using pip + +```bash +pip install 'pre-commit==4.6.0' # pinned version (Golden Rule 15) +pre-commit install +``` + +Add to `requirements-dev.txt`: `pre-commit==4.6.0` + +## First-Time Setup + +Run on all files to catch existing issues: +```bash +pre-commit run --all-files +``` + +Auto-fix hooks will modify files on first run. Stage and commit these separately: +```bash +git diff +git add . +git commit -m "Fix: Apply pre-commit auto-fixes" +``` + +**Exclude fix commits from git blame:** +```bash +# Create .git-blame-ignore-revs with commit hashes +git config blame.ignoreRevsFile .git-blame-ignore-revs +``` + +See [git-blame docs](https://git-scm.com/docs/git-blame#Documentation/git-blame.txt---ignore-revs-filefile). 
+ +## Usage + +**Automatic** (runs on `git commit`): +```bash +git add +git commit -m "Message" +``` + +**Manual:** +```bash +pre-commit run # staged files only +pre-commit run --all-files # entire repo +pre-commit run --files path/to/file # specific files +``` + +**Bypass (use sparingly):** +```bash +SKIP=hook-id git commit -m "Message" # skip one hook +git commit --no-verify # NEVER use (Golden Rule 16) +``` + +Rules: Agents never bypass hooks. Security hooks (gitleaks) never bypassable. + +## Troubleshooting + +**macOS timeout issues:** +```bash +brew install coreutils # provides gtimeout +``` + +**Virtual environment not found:** +```bash +source .venv/bin/activate +uv sync +``` + +**Hooks not running:** +```bash +ls -la .git/hooks/pre-commit # verify installation +pre-commit install # reinstall +``` + +**Hook failures:** Read error messages and fix issues: +- `go-build`: Fix compilation errors +- `go-mod-tidy`: Run `go mod tidy` and stage go.mod/go.sum +- `check-yaml`: Fix YAML syntax + +## CI Integration + +Pre-commit mirrors `ci/prow/lint`. CI is authoritative; pre-commit is developer convenience. All hooks run in CI with same config. + +If pre-commit passes but CI fails: `pre-commit autoupdate` + +## Resources + +- [Pre-Commit Documentation](https://pre-commit.com/) +- [uv Documentation](https://github.com/astral-sh/uv) diff --git a/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py b/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py index abcd28d3..e9866b3e 100644 --- a/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py +++ b/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py @@ -11,7 +11,7 @@ import subprocess import sys from pathlib import Path -from typing import Any +from typing import Any, Optional import yaml 
@@ -629,7 +629,7 @@ def write_pko_dockerfile(): ) ) -def extract_deployment_selector() -> str | None: +def extract_deployment_selector() -> Optional[str]: """ Extract the clusterDeploymentSelector from hack/olm-registry/olm-artifacts-template.yaml. diff --git a/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml b/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml index 14ecdd9b..c74049fb 100644 --- a/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml +++ b/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml @@ -4,8 +4,14 @@ # ============================================================================= # # INSTALL -# pip install pre-commit -# pre-commit install +# For detailed setup instructions including uv (recommended) and pip, +# see: boilerplate/openshift/golang-osd-operator/docs/pre-commit.md +# +# Quick start (uv): +# uv sync && source .venv/bin/activate && pre-commit install +# +# Quick start (pip): +# pip install 'pre-commit==4.6.0' && pre-commit install # # USAGE # pre-commit run # staged files only (developer / agent workflow) @@ -35,10 +41,12 @@ # pre-existing violations on the first run. Stage and commit those fixes # separately before day-to-day use. # +# Fix commits can be excluded from git blame +# https://git-scm.com/docs/git-blame#Documentation/git-blame.txt---ignore-revs-filefile +# # ============================================================================= repos: - # --------------------------------------------------------------------------- # 1. FILE HYGIENE + YAML SYNTAX | target < 2s | auto-fix + error # - check-merge-conflict: detects unresolved merge markers 
@@ -48,7 +56,7 @@ repos: # mirrors ci/prow/lint: olm-deploy-yaml-validate # --------------------------------------------------------------------------- - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 # pinned immutable tag + rev: v5.0.0 # pinned immutable tag hooks: - id: check-merge-conflict - id: trailing-whitespace @@ -65,7 +73,7 @@ repos: # High-confidence findings block; configure .gitleaks.toml for allowlist. # --------------------------------------------------------------------------- - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 # pinned immutable tag (golden rule 15) + rev: v8.18.0 # pinned immutable tag (golden rule 15) hooks: - id: gitleaks @@ -75,12 +83,12 @@ repos: # Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml # --------------------------------------------------------------------------- - repo: https://github.com/golangci/golangci-lint - rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) + rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) hooks: - id: golangci-lint args: - --config=boilerplate/openshift/golang-osd-operator/golangci.yml - - --timeout=120s # graceful timeout (golden rule 3) + - --timeout=120s # graceful timeout (golden rule 3) # --------------------------------------------------------------------------- # Local hooks — compile, dependency, security @@ -92,7 +100,6 @@ repos: # --------------------------------------------------------------------------- - repo: local hooks: - # ----------------------------------------------------------------------- # 4. COMPILE CHECK | target < 10s cached | error # Catches import cycles and type errors before golangci-lint runs. 
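Review bot: The comment `# pinned immutable tag (golden rule 15)` on the `rev: v8.18.0` line of the gitleaks hook overstates what a tag gives you: a git tag can be moved or re-pushed by anyone with write access to the hook repository, so pinning to it does not make the hook immutable, and the same wording sits on the `rev: v5.0.0` and `rev: v2.0.2` lines in the neighbouring hunks. pre-commit accepts a full commit SHA in `rev`, which is the only genuinely immutable pin, e.g. `rev: <40-hex commit the v8.18.0 tag points at>  # gitleaks v8.18.0 by commit (golden rule 15)`, with the tag kept in the comment for readability. If the team prefers tags, the comment should at least stop calling them immutable so nobody relies on that property. This matters most for gitleaks because it is the hook the file header describes as the security gate that must never be bypassed, so its contents are the ones an attacker would most want to swap.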
@@ -116,7 +123,7 @@ repos: language: system entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum' files: '(\.go$|go\.(mod|sum)$)' - exclude: '^vendor/' + exclude: "^vendor/" pass_filenames: false # ----------------------------------------------------------------------- diff --git a/boilerplate/openshift/golang-osd-operator/standard.mk b/boilerplate/openshift/golang-osd-operator/standard.mk index c6356e27..4f617e93 100644 --- a/boilerplate/openshift/golang-osd-operator/standard.mk +++ b/boilerplate/openshift/golang-osd-operator/standard.mk @@ -243,8 +243,28 @@ else $(info Did not find 'config/default' - skipping kustomize manifest generation) endif +.PHONY: sync-pko-crds +sync-pko-crds: +ifneq (,$(wildcard deploy_pko)) + @if [ -d deploy/crds ]; then \ + yq_yaml_flag=""; \ + if $(YQ) --version 2>&1 | grep -qE "^yq [0-9]"; then \ + yq_yaml_flag="-y"; \ + fi; \ + for crd in deploy/crds/*.yaml; do \ + [ -f "$$crd" ] || continue; \ + name=$$($(YQ) -r '.metadata.name' "$$crd"); \ + $(YQ) $$yq_yaml_flag '.metadata.annotations["package-operator.run/phase"] = "crds" | .metadata.annotations["package-operator.run/collision-protection"] = "IfNoController"' \ + "$$crd" > "deploy_pko/CustomResourceDefinition-$$name.yaml"; \ + echo "Synced CRD $$name to deploy_pko/"; \ + done; \ + fi +else + $(info deploy_pko/ not found - skipping PKO CRD sync) +endif + .PHONY: generate -generate: op-generate go-generate openapi-generate manifests +generate: op-generate go-generate openapi-generate manifests sync-pko-crds ifeq (${FIPS_ENABLED}, true) go-build: ensure-fips diff --git a/build/Dockerfile b/build/Dockerfile index 6c2d9c81..dee9d5e9 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
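Review bot: In the new `sync-pko-crds` target the output path `deploy_pko/CustomResourceDefinition-$$name.yaml` is built from `.metadata.name` read out of each CRD file with no validation, and neither yq invocation is checked, so a CRD with no name writes `CustomResourceDefinition-null.yaml` and a failing yq leaves an empty file in `deploy_pko/` while the recipe still succeeds, because the `if`/`for` exit status is that of the last `echo` (unless `.SHELLFLAGS` adds `-e`, which is not visible here). A name containing `/` or `..` would also escape the directory; the inputs come from the repository so this is robustness more than attack surface, but `generate` now runs this on every invocation. I would fail fast with `name=$$($(YQ) -r '.metadata.name' "$$crd") || exit 1; \`, then `case "$$name" in ''|null|*/*|*..*) echo "invalid .metadata.name in $$crd" >&2; exit 1;; esac; \`, and append `|| exit 1; \` to the yq rewrite that redirects into `deploy_pko/`. The `grep -qE "^yq [0-9]"` test that selects the `-y` flag presumably tells the Python yq wrapper apart from the mikefarah binary; a one-line comment saying so would spare the next reader the same investigation.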
@@ -3,7 +3,7 @@ COPY . /go/src/github.com/openshift/splunk-forwarder-operator WORKDIR /go/src/github.com/openshift/splunk-forwarder-operator RUN make go-build -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778562320 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423 ENV OPERATOR_PATH=/go/src/github.com/openshift/splunk-forwarder-operator \ OPERATOR_BIN=splunk-forwarder-operator diff --git a/build/Dockerfile.olm-registry b/build/Dockerfile.olm-registry index 1d247750..7b5899ea 100644 --- a/build/Dockerfile.olm-registry +++ b/build/Dockerfile.olm-registry @@ -4,7 +4,7 @@ COPY ${SAAS_OPERATOR_DIR} manifests RUN initializer --permissive # ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778562320 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423 COPY --from=builder /bin/registry-server /bin/registry-server COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe From 0e10a8e4a0668ae1da3efd06fdd1e45d43cd8001 Mon Sep 17 00:00:00 2001 From: Jason Healy Date: Thu, 28 May 2026 13:16:01 -0400 Subject: [PATCH 3/6] rerun controller-gen another bp update --- .pre-commit-config.yaml | 12 +- .../pre-commit-config.yaml | 12 +- ....splunkforwarder.managed.openshift.io.yaml | 313 ++++++++---------- ....splunkforwarder.managed.openshift.io.yaml | 313 ++++++++---------- 4 files changed, 302 insertions(+), 348 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c74049fb..94e5b26c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -47,6 +47,7 @@ # ============================================================================= repos: + # --------------------------------------------------------------------------- # 1. FILE HYGIENE + YAML SYNTAX | target < 2s | auto-fix + error # - check-merge-conflict: detects unresolved merge markers 
@@ -56,7 +57,7 @@ repos: # mirrors ci/prow/lint: olm-deploy-yaml-validate # --------------------------------------------------------------------------- - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 # pinned immutable tag + rev: v5.0.0 # pinned immutable tag hooks: - id: check-merge-conflict - id: trailing-whitespace @@ -73,7 +74,7 @@ repos: # High-confidence findings block; configure .gitleaks.toml for allowlist. # --------------------------------------------------------------------------- - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 # pinned immutable tag (golden rule 15) + rev: v8.18.0 # pinned immutable tag (golden rule 15) hooks: - id: gitleaks @@ -83,12 +84,12 @@ repos: # Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml # --------------------------------------------------------------------------- - repo: https://github.com/golangci/golangci-lint - rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) + rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) hooks: - id: golangci-lint args: - --config=boilerplate/openshift/golang-osd-operator/golangci.yml - - --timeout=120s # graceful timeout (golden rule 3) + - --timeout=120s # graceful timeout (golden rule 3) # --------------------------------------------------------------------------- # Local hooks — compile, dependency, security @@ -100,6 +101,7 @@ repos: # --------------------------------------------------------------------------- - repo: local hooks: + # ----------------------------------------------------------------------- # 4. COMPILE CHECK | target < 10s cached | error # Catches import cycles and type errors before golangci-lint runs. 
@@ -123,7 +125,7 @@ repos: language: system entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum' files: '(\.go$|go\.(mod|sum)$)' - exclude: "^vendor/" + exclude: '^vendor/' pass_filenames: false # ----------------------------------------------------------------------- diff --git a/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml b/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml index c74049fb..94e5b26c 100644 --- a/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml +++ b/boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml @@ -47,6 +47,7 @@ # ============================================================================= repos: + # --------------------------------------------------------------------------- # 1. FILE HYGIENE + YAML SYNTAX | target < 2s | auto-fix + error # - check-merge-conflict: detects unresolved merge markers @@ -56,7 +57,7 @@ repos: # mirrors ci/prow/lint: olm-deploy-yaml-validate # --------------------------------------------------------------------------- - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 # pinned immutable tag + rev: v5.0.0 # pinned immutable tag hooks: - id: check-merge-conflict - id: trailing-whitespace @@ -73,7 +74,7 @@ repos: # High-confidence findings block; configure .gitleaks.toml for allowlist. # --------------------------------------------------------------------------- - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 # pinned immutable tag (golden rule 15) + rev: v8.18.0 # pinned immutable tag (golden rule 15) hooks: - id: gitleaks 
@@ -83,12 +84,12 @@ repos: # Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml # --------------------------------------------------------------------------- - repo: https://github.com/golangci/golangci-lint - rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) + rev: v2.0.2 # pinned immutable tag — must match CI (golden rule 15) hooks: - id: golangci-lint args: - --config=boilerplate/openshift/golang-osd-operator/golangci.yml - - --timeout=120s # graceful timeout (golden rule 3) + - --timeout=120s # graceful timeout (golden rule 3) # --------------------------------------------------------------------------- # Local hooks — compile, dependency, security @@ -100,6 +101,7 @@ repos: # --------------------------------------------------------------------------- - repo: local hooks: + # ----------------------------------------------------------------------- # 4. COMPILE CHECK | target < 10s cached | error # Catches import cycles and type errors before golangci-lint runs. @@ -123,7 +125,7 @@ repos: language: system entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum' files: '(\.go$|go\.(mod|sum)$)' - exclude: "^vendor/" + exclude: '^vendor/' pass_filenames: false # ----------------------------------------------------------------------- diff --git a/deploy_pko/.test-fixtures/default/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml b/deploy_pko/.test-fixtures/default/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml index c8a7d07a..7c957965 100755 --- a/deploy_pko/.test-fixtures/default/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml +++ b/deploy_pko/.test-fixtures/default/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -15,172 +16,146 @@ spec: singular: splunkforwarder scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SplunkForwarder is the Schema for the splunkforwarders API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. - - Servers should convert recognized schemas to the latest internal value, - and - - may reject unrecognized values. - - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. - - Servers may infer this from the endpoint the client submits requests - to. - - Cannot be updated. - - In CamelCase. - - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SplunkForwarderSpec defines the desired state of SplunkForwarder - properties: - clusterID: - description: 'Unique cluster name. - - Optional: Looked up on the cluster if not provided, default to openshift' - type: string - filters: - description: 'List of additional filters supplied to configure the - Splunk Heavy Forwarder - - Optional: Defaults to no additional filters (no transforms.conf).' - items: - description: SplunkFilter is the struct that configures Splunk Heavy - Forwarder filters. - properties: - filter: - description: Routing criteria regex for the filter to match - on. - type: string - name: - description: Name of the filter, will be prepended with "filter_". - type: string - required: - - filter - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - heavyForwarderDigest: - description: 'Container image digest of the container image defined - in HeavyForwarderImage. 
- - Optional: Defaults to latest' - type: string - heavyForwarderImage: - description: 'Container image path to the Splunk Heavy Forwarder image. - Required when - - UseHeavyForwarder is true.' - type: string - heavyForwarderReplicas: - description: 'Number of desired Splunk Heavy Forwarder pods. - - Optional: Defaults to 2' - format: int32 - type: integer - heavyForwarderSelector: - description: 'Specifies the value of the NodeSelector for the Splunk - Heavy Forwarder pods - - with key: "node-role.kubernetes.io" - - Optional: Defaults to an empty value.' - type: string - image: - description: Container image path to the Splunk Forwarder - type: string - imageDigest: - description: 'Container image digest of the Splunk Forwarder image. - - Has precedence and is recommended over ImageTag. - - Optional: Defaults to latest' - type: string - imageTag: - description: 'The container image tag of the Splunk Forwarder image. - - Is not used if ImageDigest is supplied. - - Optional: Defaults to latest' - type: string - splunkInputs: - items: - description: SplunkForwarderInputs is the struct that defines all - the splunk inputs - properties: - blackList: - description: 'Regex to exclude certain files from monitoring. - Multiple regex rules may be specified separated by "|" (OR) - - Optional: Defaults to monitoring all files in the specified - Path' - type: string - index: - description: 'Repository for data. More info: https://docs.splunk.com/Splexicon:Index - - Optional: Defaults to "main"' - type: string - path: - description: 'Required: Filepath for Splunk to monitor.' - type: string - sourceType: - description: 'Data structure of the event. More info: https://docs.splunk.com/Splexicon:Sourcetype - - Optional: Defaults to "_json"' - type: string - whiteList: - description: 'Regex to monitor certain files. 
Multiple regex - rules may be specified separated by "|" (OR) - - Optional: Defaults to monitoring all files in the specified - Path' - type: string - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - splunkLicenseAccepted: - description: 'Adds an --accept-license flag to automatically accept - the Splunk License Agreement. - - Must be true for the Red Hat provided Splunk Forwarder image. - - Optional: Defaults to false.' - type: boolean - useHeavyForwarder: - description: 'Whether an additional Splunk Heavy Forwarder should - be deployed. - - Optional: Defaults to false.' - type: boolean - required: - - image - - splunkInputs - type: object - status: - description: SplunkForwarderStatus defines the observed state of SplunkForwarder - type: object - type: object - served: true - storage: true - subresources: - status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SplunkForwarder is the Schema for the splunkforwarders API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SplunkForwarderSpec defines the desired state of SplunkForwarder + properties: + clusterID: + description: |- + Unique cluster name. 
+ Optional: Looked up on the cluster if not provided, default to openshift + type: string + filters: + description: |- + List of additional filters supplied to configure the Splunk Heavy Forwarder + Optional: Defaults to no additional filters (no transforms.conf). + items: + description: SplunkFilter is the struct that configures Splunk Heavy Forwarder filters. + properties: + filter: + description: Routing criteria regex for the filter to match on. + type: string + name: + description: Name of the filter, will be prepended with "filter_". + type: string + required: + - filter + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + heavyForwarderDigest: + description: |- + Container image digest of the container image defined in HeavyForwarderImage. + Optional: Defaults to latest + type: string + heavyForwarderImage: + description: |- + Container image path to the Splunk Heavy Forwarder image. Required when + UseHeavyForwarder is true. + type: string + heavyForwarderReplicas: + description: |- + Number of desired Splunk Heavy Forwarder pods. + Optional: Defaults to 2 + format: int32 + type: integer + heavyForwarderSelector: + description: |- + Specifies the value of the NodeSelector for the Splunk Heavy Forwarder pods + with key: "node-role.kubernetes.io" + Optional: Defaults to an empty value. + type: string + image: + description: Container image path to the Splunk Forwarder + type: string + imageDigest: + description: |- + Container image digest of the Splunk Forwarder image. + Has precedence and is recommended over ImageTag. + Optional: Defaults to latest + type: string + imageTag: + description: |- + The container image tag of the Splunk Forwarder image. + Is not used if ImageDigest is supplied. 
+ Optional: Defaults to latest + type: string + splunkInputs: + items: + description: SplunkForwarderInputs is the struct that defines all the splunk inputs + properties: + blackList: + description: |- + Regex to exclude certain files from monitoring. Multiple regex rules may be specified separated by "|" (OR) + Optional: Defaults to monitoring all files in the specified Path + type: string + index: + description: |- + Repository for data. More info: https://docs.splunk.com/Splexicon:Index + Optional: Defaults to "main" + type: string + path: + description: 'Required: Filepath for Splunk to monitor.' + type: string + sourceType: + description: |- + Data structure of the event. More info: https://docs.splunk.com/Splexicon:Sourcetype + Optional: Defaults to "_json" + type: string + whiteList: + description: |- + Regex to monitor certain files. Multiple regex rules may be specified separated by "|" (OR) + Optional: Defaults to monitoring all files in the specified Path + type: string + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + splunkLicenseAccepted: + description: |- + Adds an --accept-license flag to automatically accept the Splunk License Agreement. + Must be true for the Red Hat provided Splunk Forwarder image. + Optional: Defaults to false. + type: boolean + useHeavyForwarder: + description: |- + Whether an additional Splunk Heavy Forwarder should be deployed. + Optional: Defaults to false. + type: boolean + required: + - image + - splunkInputs + type: object + status: + description: SplunkForwarderStatus defines the observed state of SplunkForwarder + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy_pko/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml b/deploy_pko/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml index c8a7d07a..7c957965 100644 
--- a/deploy_pko/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml +++ b/deploy_pko/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -15,172 +16,146 @@ spec: singular: splunkforwarder scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SplunkForwarder is the Schema for the splunkforwarders API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. - - Servers should convert recognized schemas to the latest internal value, - and - - may reject unrecognized values. - - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. - - Servers may infer this from the endpoint the client submits requests - to. - - Cannot be updated. - - In CamelCase. - - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SplunkForwarderSpec defines the desired state of SplunkForwarder - properties: - clusterID: - description: 'Unique cluster name. - - Optional: Looked up on the cluster if not provided, default to openshift' - type: string - filters: - description: 'List of additional filters supplied to configure the - Splunk Heavy Forwarder - - Optional: Defaults to no additional filters (no transforms.conf).' - items: - description: SplunkFilter is the struct that configures Splunk Heavy - Forwarder filters. - properties: - filter: - description: Routing criteria regex for the filter to match - on. - type: string - name: - description: Name of the filter, will be prepended with "filter_". - type: string - required: - - filter - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - heavyForwarderDigest: - description: 'Container image digest of the container image defined - in HeavyForwarderImage. 
- - Optional: Defaults to latest' - type: string - heavyForwarderImage: - description: 'Container image path to the Splunk Heavy Forwarder image. - Required when - - UseHeavyForwarder is true.' - type: string - heavyForwarderReplicas: - description: 'Number of desired Splunk Heavy Forwarder pods. - - Optional: Defaults to 2' - format: int32 - type: integer - heavyForwarderSelector: - description: 'Specifies the value of the NodeSelector for the Splunk - Heavy Forwarder pods - - with key: "node-role.kubernetes.io" - - Optional: Defaults to an empty value.' - type: string - image: - description: Container image path to the Splunk Forwarder - type: string - imageDigest: - description: 'Container image digest of the Splunk Forwarder image. - - Has precedence and is recommended over ImageTag. - - Optional: Defaults to latest' - type: string - imageTag: - description: 'The container image tag of the Splunk Forwarder image. - - Is not used if ImageDigest is supplied. - - Optional: Defaults to latest' - type: string - splunkInputs: - items: - description: SplunkForwarderInputs is the struct that defines all - the splunk inputs - properties: - blackList: - description: 'Regex to exclude certain files from monitoring. - Multiple regex rules may be specified separated by "|" (OR) - - Optional: Defaults to monitoring all files in the specified - Path' - type: string - index: - description: 'Repository for data. More info: https://docs.splunk.com/Splexicon:Index - - Optional: Defaults to "main"' - type: string - path: - description: 'Required: Filepath for Splunk to monitor.' - type: string - sourceType: - description: 'Data structure of the event. More info: https://docs.splunk.com/Splexicon:Sourcetype - - Optional: Defaults to "_json"' - type: string - whiteList: - description: 'Regex to monitor certain files. 
Multiple regex - rules may be specified separated by "|" (OR) - - Optional: Defaults to monitoring all files in the specified - Path' - type: string - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - splunkLicenseAccepted: - description: 'Adds an --accept-license flag to automatically accept - the Splunk License Agreement. - - Must be true for the Red Hat provided Splunk Forwarder image. - - Optional: Defaults to false.' - type: boolean - useHeavyForwarder: - description: 'Whether an additional Splunk Heavy Forwarder should - be deployed. - - Optional: Defaults to false.' - type: boolean - required: - - image - - splunkInputs - type: object - status: - description: SplunkForwarderStatus defines the observed state of SplunkForwarder - type: object - type: object - served: true - storage: true - subresources: - status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SplunkForwarder is the Schema for the splunkforwarders API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SplunkForwarderSpec defines the desired state of SplunkForwarder + properties: + clusterID: + description: |- + Unique cluster name. 
+ Optional: Looked up on the cluster if not provided, default to openshift + type: string + filters: + description: |- + List of additional filters supplied to configure the Splunk Heavy Forwarder + Optional: Defaults to no additional filters (no transforms.conf). + items: + description: SplunkFilter is the struct that configures Splunk Heavy Forwarder filters. + properties: + filter: + description: Routing criteria regex for the filter to match on. + type: string + name: + description: Name of the filter, will be prepended with "filter_". + type: string + required: + - filter + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + heavyForwarderDigest: + description: |- + Container image digest of the container image defined in HeavyForwarderImage. + Optional: Defaults to latest + type: string + heavyForwarderImage: + description: |- + Container image path to the Splunk Heavy Forwarder image. Required when + UseHeavyForwarder is true. + type: string + heavyForwarderReplicas: + description: |- + Number of desired Splunk Heavy Forwarder pods. + Optional: Defaults to 2 + format: int32 + type: integer + heavyForwarderSelector: + description: |- + Specifies the value of the NodeSelector for the Splunk Heavy Forwarder pods + with key: "node-role.kubernetes.io" + Optional: Defaults to an empty value. + type: string + image: + description: Container image path to the Splunk Forwarder + type: string + imageDigest: + description: |- + Container image digest of the Splunk Forwarder image. + Has precedence and is recommended over ImageTag. + Optional: Defaults to latest + type: string + imageTag: + description: |- + The container image tag of the Splunk Forwarder image. + Is not used if ImageDigest is supplied. 
+ Optional: Defaults to latest + type: string + splunkInputs: + items: + description: SplunkForwarderInputs is the struct that defines all the splunk inputs + properties: + blackList: + description: |- + Regex to exclude certain files from monitoring. Multiple regex rules may be specified separated by "|" (OR) + Optional: Defaults to monitoring all files in the specified Path + type: string + index: + description: |- + Repository for data. More info: https://docs.splunk.com/Splexicon:Index + Optional: Defaults to "main" + type: string + path: + description: 'Required: Filepath for Splunk to monitor.' + type: string + sourceType: + description: |- + Data structure of the event. More info: https://docs.splunk.com/Splexicon:Sourcetype + Optional: Defaults to "_json" + type: string + whiteList: + description: |- + Regex to monitor certain files. Multiple regex rules may be specified separated by "|" (OR) + Optional: Defaults to monitoring all files in the specified Path + type: string + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + splunkLicenseAccepted: + description: |- + Adds an --accept-license flag to automatically accept the Splunk License Agreement. + Must be true for the Red Hat provided Splunk Forwarder image. + Optional: Defaults to false. + type: boolean + useHeavyForwarder: + description: |- + Whether an additional Splunk Heavy Forwarder should be deployed. + Optional: Defaults to false. + type: boolean + required: + - image + - splunkInputs + type: object + status: + description: SplunkForwarderStatus defines the observed state of SplunkForwarder + type: object + type: object + served: true + storage: true + subresources: + status: {} From ed38886a2bcf27d3fdeed8ef0f31722e04e8a0db Mon Sep 17 00:00:00 2001 From: Jason Healy Date: Thu, 28 May 2026 11:57:31 -0400 Subject: [PATCH 4/6] update SFI hash --- hack/pko/clusterpackage.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/hack/pko/clusterpackage.yaml b/hack/pko/clusterpackage.yaml
index 6929e780..f58ecdc6 100644
--- a/hack/pko/clusterpackage.yaml
+++ b/hack/pko/clusterpackage.yaml
@@ -144,7 +144,7 @@ objects:
 namespace: openshift-security
 spec:
 image: quay.io/redhat-services-prod/openshift/splunk-forwarder-images
- imageDigest: sha256:534d2dc94dcc28f99f7358a0a55683f0f6b93e23141e28073e81287e63353399
+ imageDigest: sha256:8e4ebb34756f6f5908c229cdc7b383d424f21361e7a445a120946188ecda7b91
 splunkLicenseAccepted: true
 filters:
 - name: ignore_serviceaccount_users
@@ -233,7 +233,7 @@ objects:
 namespace: openshift-security
 spec:
 image: quay.io/redhat-services-prod/openshift/splunk-forwarder-images
- imageDigest: sha256:534d2dc94dcc28f99f7358a0a55683f0f6b93e23141e28073e81287e63353399
+ imageDigest: sha256:8e4ebb34756f6f5908c229cdc7b383d424f21361e7a445a120946188ecda7b91
 splunkLicenseAccepted: true
 splunkInputs:
 - path: /host/var/log/pods/*_ip-*-*-*-*ec2internal-debug_*/container-*/*.log
@@ -291,7 +291,7 @@ objects:
 namespace: openshift-security
 spec:
 image: quay.io/redhat-services-prod/openshift/splunk-forwarder-images
- imageDigest: sha256:534d2dc94dcc28f99f7358a0a55683f0f6b93e23141e28073e81287e63353399
+ imageDigest: sha256:8e4ebb34756f6f5908c229cdc7b383d424f21361e7a445a120946188ecda7b91
 splunkLicenseAccepted: true
 splunkInputs:
 - path: /host/var/log/hypershift-osd-audit/*/audit.log
@@ -365,7 +365,7 @@ objects:
 namespace: openshift-security
 spec:
 image: quay.io/redhat-services-prod/openshift/splunk-forwarder-images
- imageDigest: sha256:534d2dc94dcc28f99f7358a0a55683f0f6b93e23141e28073e81287e63353399
+ imageDigest: sha256:8e4ebb34756f6f5908c229cdc7b383d424f21361e7a445a120946188ecda7b91
 splunkLicenseAccepted: true
 filters:
 - name: ignore_serviceaccount_users
@@ -453,7 +453,7 @@ objects:
 namespace: openshift-security
 spec:
 image: quay.io/redhat-services-prod/openshift/splunk-forwarder-images
- imageDigest: sha256:534d2dc94dcc28f99f7358a0a55683f0f6b93e23141e28073e81287e63353399
+ imageDigest: sha256:8e4ebb34756f6f5908c229cdc7b383d424f21361e7a445a120946188ecda7b91
 splunkLicenseAccepted: true
 splunkInputs:
 - path: /host/var/log/hypershift-osd-audit/*/audit.log
@@ -519,7 +519,7 @@ objects:
 namespace: openshift-security
 spec:
 image: quay.io/redhat-services-prod/openshift/splunk-forwarder-images
- imageDigest: sha256:534d2dc94dcc28f99f7358a0a55683f0f6b93e23141e28073e81287e63353399
+ imageDigest: sha256:8e4ebb34756f6f5908c229cdc7b383d424f21361e7a445a120946188ecda7b91
 splunkLicenseAccepted: true
 filters:
 - name: ignore_serviceaccount_users
@@ -608,7 +608,7 @@ objects:
 namespace: openshift-security
 spec:
 image: quay.io/redhat-services-prod/openshift/splunk-forwarder-images
- imageDigest: sha256:534d2dc94dcc28f99f7358a0a55683f0f6b93e23141e28073e81287e63353399
+ imageDigest: sha256:8e4ebb34756f6f5908c229cdc7b383d424f21361e7a445a120946188ecda7b91
 splunkLicenseAccepted: true
 filters:
 - name: ignore_serviceaccount_users
@@ -712,7 +712,7 @@ objects:
 namespace: openshift-security
 spec:
 image: quay.io/redhat-services-prod/openshift/splunk-forwarder-images
- imageDigest: sha256:534d2dc94dcc28f99f7358a0a55683f0f6b93e23141e28073e81287e63353399
+ imageDigest: sha256:8e4ebb34756f6f5908c229cdc7b383d424f21361e7a445a120946188ecda7b91
 splunkLicenseAccepted: true
 splunkInputs:
 - index: rh_osd_cluster_audit_stage
From 0d90ee30e3b5e3ca397a02d8ac52e1301d8845dc Mon Sep 17 00:00:00 2001
From: Jason Healy
Date: Thu, 28 May 2026 12:01:00 -0400
Subject: [PATCH 5/6] update SAE repo and tag
---
 hack/pko/clusterpackage.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/pko/clusterpackage.yaml b/hack/pko/clusterpackage.yaml
index f58ecdc6..61baa9ca 100644
--- a/hack/pko/clusterpackage.yaml
+++ b/hack/pko/clusterpackage.yaml
@@ -826,7 +826,7 @@ objects:
 limits:
 cpu: 100m
 memory: 256Mi
- image: quay.io/app-sre/splunk-audit-exporter@sha256:798113f5c79248bc24418ff0d149058c04e5eaa35ea7b4ff42a1e6983a37d24a # 0.1.213-118042f
+ image: quay.io/redhat-services-prod/splunk-audit-exporter-tenant/splunk-audit-exporter/splunk-audit-exporter@sha256:8d45f6580bfebb742a669cb1930578a0aaf28091f54ff4755460811054b2480a # 7a9f63e
 imagePullPolicy: Always
 securityContext:
 privileged: true
From b1d3f8d249e049f01baf59a6eabd7461c5751389 Mon Sep 17 00:00:00 2001
From: Jason Healy
Date: Thu, 28 May 2026 12:04:03 -0400
Subject: [PATCH 6/6] update go version
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 51c24841..7ad9e3ae 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/openshift/splunk-forwarder-operator
 
-go 1.24.4
+go 1.25.9
 
 require (
 github.com/onsi/ginkgo/v2 v2.9.5
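Review bot: The new `image:` line moves the splunk-audit-exporter container, which from the surrounding context appears to run with `privileged: true`, to a different registry namespace, and the trailing comment shrinks from a release version plus short SHA (`# 0.1.213-118042f`) to a bare short SHA (`# 7a9f63e`), which makes it harder to tell which release is deployed and to audit the change later. The digest pin is what actually protects this deployment and it is kept, which is good. I would restore the version in the comment, `# <release version>-7a9f63e` or whatever tag the new publishing pipeline attaches to that digest, and the commit message should say where the digest was taken from so a reviewer can check it against the registry rather than trust the PR. With a digest-pinned reference, `imagePullPolicy: Always` only adds a registry round-trip per pod start; harmless, but it is not what enforces the pin.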