make: Add PROJECT, CSV and other tooling to create bundles

Uses operator-sdk to create bundles based on existing manifests. By
default uses a single channel called "stable".

To build the bundle image run:
    make bundle; make bundle-build
basic validation is ran automatically as part of the build. To run the
full scorecard, run:
    ./build/operator-sdk scorecard -w 300s ./bundle

The PROJECT file has to be maintained from now on, keeping the list of
APIs as the SDK fills the APIs from PROJECT to the CSV scaffolding at
deploy/base/clusterserviceversion.yaml

Author: jhrozek

.gitignore

@@ -6,3 +6,5 @@ Vagrantfile
 build
 image.tar
 result
+bundle
+bundle.Dockerfile

Makefile

@@ -397,6 +397,80 @@ generate:
 	$(CONTROLLER_GEN_CMD) rbac:roleName=spod paths="./internal/pkg/daemon/..." output:rbac:stdout >> deploy/base/role.yaml
 	$(CONTROLLER_GEN_CMD) rbac:roleName=spo-webhook paths="./internal/pkg/webhooks/..." output:rbac:stdout >> deploy/base/role.yaml
 
+## Bundle packaging begins here
+## read more at https://sdk.operatorframework.io/docs/olm-integration/tutorial-bundle/
+
+.PHONY: operator-sdk
+OPERATOR_SDK = $(BUILD_DIR)/operator-sdk
+operator-sdk: $(BUILD_DIR) ## Download sdk locally if necessary.
+ifeq (,$(wildcard $(OPERATOR_SDK)))
+ifeq (,$(shell which operator-sdk 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(OPERATOR_SDK)) ;\
+	OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \
+	curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.17.0/operator-sdk_$${OS}_$${ARCH} ;\
+	chmod +x $(OPERATOR_SDK) ;\
+	}
+else
+OPERATOR_SDK = $(shell which operator-sdk)
+endif
+endif
+
+
+# CHANNELS define the bundle channels used in the bundle.
+# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
+# To re-generate a bundle for other specific channels without changing the standard setup, you can:
+# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)
+# - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")
+CHANNELS="stable"
+ifneq ($(origin CHANNELS), undefined)
+BUNDLE_CHANNELS := --channels=$(CHANNELS)
+endif
+
+# DEFAULT_CHANNEL defines the default channel used in the bundle.
+# Add a new line here if you would like to change its default config. (E.g DEFAULT_CHANNEL = "stable")
+# To re-generate a bundle for any other default channel without changing the default setup, you can:
+# - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable)
+# - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable")
+DEFAULT_CHANNEL="stable"
+ifneq ($(origin DEFAULT_CHANNEL), undefined)
+BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
+endif
+BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
+
+# BUNDLE_IMG defines the image:tag used for the bundle.
+# You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
+BUNDLE_IMG ?= $(PROJECT)-bundle:v$(VERSION)
+
+# These examples are added to the alm-examples annotation and subsequently
+# displayed in the UI
+OLM_EXAMPLES := \
+	examples/apparmorprofile.yaml \
+	examples/config.yaml \
+	examples/profilerecording-seccomp-bpf.yaml \
+	examples/profilebinding.yaml \
+	examples/rawselinuxprofile.yaml \
+	examples/seccompprofile.yaml \
+	examples/selinuxprofile.yaml
+
+.PHONY: bundle
+bundle: operator-sdk deployments ## Generate bundle manifests and metadata, then validate generated files.
+	sed -i "s/\(olm.skipRange: '>=.*\)<.*'/\1<$(VERSION)'/" deploy/base/clusterserviceversion.yaml
+	cat $(OLM_EXAMPLES) deploy/operator.yaml deploy/base/clusterserviceversion.yaml | $(OPERATOR_SDK) generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+	git restore deploy/base/clusterserviceversion.yaml
+	mkdir -p ./bundle/tests/scorecard
+	cp deploy/bundle-test-config.yaml ./bundle/tests/scorecard/config.yaml
+	$(OPERATOR_SDK) bundle validate ./bundle
+
+.PHONY: bundle-build
+bundle-build: ## Build the bundle image.
+	$(CONTAINER_RUNTIME) build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
+
+.PHONY: bundle-push
+bundle-push: ## Push the bundle image.
+	$(CONTAINER_RUNTIME) push $(BUNDLE_IMG)
+
 ## OpenShift-only
 ## These targets are meant to make development in OpenShift easier.
 

PROJECT

@@ -0,0 +1,66 @@
+domain: security-profiles-operator.x-k8s.io
+layout:
+- go.kubebuilder.io/v3
+plugins:
+  manifests.sdk.operatorframework.io/v2: {}
+  scorecard.sdk.operatorframework.io/v2: {}
+projectName: security-profiles-operator
+repo: github.com/kubernetes-sigs/security-profiles-operator
+resources:
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: security-profiles-operator.x-k8s.io
+  kind: SecurityProfileNodeStatus
+  path: sigs.k8s.io/security-profiles-operator/api/secprofnodestatus/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: security-profiles-operator.x-k8s.io
+  kind: SeccompProfile
+  path: sigs.k8s.io/security-profiles-operator/api/seccompprofile/v1beta1
+  version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: security-profiles-operator.x-k8s.io
+  kind: SecurityProfilesOperatorDaemon
+  path: sigs.k8s.io/security-profiles-operator/api/spod/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: security-profiles-operator.x-k8s.io
+  kind: SelinuxProfile
+  path: sigs.k8s.io/security-profiles-operator/api/selinuxprofile/v1alpha2
+  version: v1alpha2
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: security-profiles-operator.x-k8s.io
+  kind: AppArmorProfile
+  path: sigs.k8s.io/security-profiles-operator/api/apparmorprofile/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: security-profiles-operator.x-k8s.io
+  kind: ProfileBinding
+  path: sigs.k8s.io/security-profiles-operator/api/profilebinding/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: security-profiles-operator.x-k8s.io
+  kind: ProfileRecording
+  path: sigs.k8s.io/security-profiles-operator/api/profilerecording/v1alpha1
+  version: v1alpha1
+version: "3"

deploy/base/clusterserviceversion.yaml

@@ -0,0 +1,87 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  annotations:
+    alm-examples: '[]'
+    capabilities: Basic Install
+    olm.skipRange: '>=0.4.1 <0.4.2-dev'
+    operatorframework.io/suggested-namespace: security-profiles-operator`
+  name: security-profiles-operator.v0.0.0
+  namespace: placeholder
+spec:
+  apiservicedefinitions: {}
+  customresourcedefinitions:
+    owned:
+    - description: AppArmorProfile is a cluster level specification for an AppArmor
+        profile.
+      displayName: App Armor Profile
+      kind: AppArmorProfile
+      name: apparmorprofiles.security-profiles-operator.x-k8s.io
+      version: v1alpha1
+    - description: ProfileBinding is the Schema for the profilebindings API.
+      displayName: Profile Binding
+      kind: ProfileBinding
+      name: profilebindings.security-profiles-operator.x-k8s.io
+      version: v1alpha1
+    - description: ProfileRecording is the Schema for the profilerecordings API.
+      displayName: Profile Recording
+      kind: ProfileRecording
+      name: profilerecordings.security-profiles-operator.x-k8s.io
+      version: v1alpha1
+    - description: SeccompProfile is a cluster level specification for a seccomp profile.
+        See https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp
+      displayName: Seccomp Profile
+      kind: SeccompProfile
+      name: seccompprofiles.security-profiles-operator.x-k8s.io
+      version: v1beta1
+    - description: SecurityProfileNodeStatus is a per-node status of a security profile
+      displayName: Security Profile Node Status
+      kind: SecurityProfileNodeStatus
+      name: securityprofilenodestatuses.security-profiles-operator.x-k8s.io
+      version: v1alpha1
+    - description: SecurityProfilesOperatorDaemon is the Schema to configure the spod
+        deployment.
+      displayName: Security Profiles Operator Daemon
+      kind: SecurityProfilesOperatorDaemon
+      name: securityprofilesoperatordaemons.security-profiles-operator.x-k8s.io
+      version: v1alpha1
+    - description: SelinuxProfile is the Schema for the selinuxprofiles API.
+      displayName: Selinux Profile
+      kind: SelinuxProfile
+      name: selinuxprofiles.security-profiles-operator.x-k8s.io
+      version: v1alpha2
+  description: SPO is an operator which aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters
+  displayName: Security Profiles Operator
+  icon:
+  - base64data: ""
+    mediatype: ""
+  install:
+    spec:
+      deployments: null
+    strategy: ""
+  installModes:
+  - supported: true
+    type: OwnNamespace
+  - supported: true
+    type: SingleNamespace
+  - supported: false
+    type: MultiNamespace
+  - supported: false
+    type: AllNamespaces
+  keywords:
+  - security
+  - selinux
+  - seccomp
+  - apparmor
+  - ebpf
+  links:
+  - name: Security Profiles Operator
+    url: https://github.com/kubernetes-sigs/security-profiles-operator
+  maintainers:
+  - email: [email protected]
+    name: Kubernetes upstream
+  maturity: alpha
+  provider:
+    name: Kubernetes SIGs
+    url: https://github.com/kubernetes-sigs
+  version: 0.0.0

deploy/bundle-test-config.yaml

@@ -0,0 +1,70 @@
+apiVersion: scorecard.operatorframework.io/v1alpha3
+kind: Configuration
+metadata:
+  name: config
+stages:
+- parallel: true
+  tests:
+  - entrypoint:
+    - scorecard-test
+    - basic-check-spec
+    image: quay.io/operator-framework/scorecard-test:v1.17.0
+    labels:
+      suite: basic
+      test: basic-check-spec-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-bundle-validation
+    image: quay.io/operator-framework/scorecard-test:v1.17.0
+    labels:
+      suite: olm
+      test: olm-bundle-validation-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-crds-have-validation
+    image: quay.io/operator-framework/scorecard-test:v1.17.0
+    labels:
+      suite: olm
+      test: olm-crds-have-validation-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-crds-have-resources
+    image: quay.io/operator-framework/scorecard-test:v1.17.0
+    labels:
+      suite: olm
+      test: olm-crds-have-resources-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-spec-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.17.0
+    labels:
+      suite: olm
+      test: olm-spec-descriptors-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-status-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.17.0
+    labels:
+      suite: olm
+      test: olm-status-descriptors-test
+    storage:
+      spec:
+        mountPath: {}
+storage:
+  spec:
+    mountPath: {}

examples/config.yaml

@@ -7,4 +7,5 @@ metadata:
 spec:
   enableSelinux: false
   enableLogEnricher: false
-  enableAppArmor: false
+  enableAppArmor: false
+