Update CatalogSource Pod security context (#2782)

* Update ci artifact collection

Signed-off-by: perdasilva <[email protected]>

* Update e2e test images to use FBC

Signed-off-by: perdasilva <[email protected]>

* Update CatalogSource Pod security context

Signed-off-by: perdasilva <[email protected]>

Author: perdasilva

Dockerfile

@@ -2,7 +2,7 @@ FROM quay.io/fedora/fedora:34-x86_64 as builder
 LABEL stage=builder
 WORKDIR /build
 
-# install dependencies and go 1.16
+# install dependencies and go 1.17
 
 # copy just enough of the git repo to parse HEAD, used to record version in OLM binaries
 RUN dnf update -y && dnf install -y bash make git mercurial jq wget && dnf upgrade -y

pkg/controller/registry/reconciler/reconciler.go

@@ -113,7 +113,13 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 		pullPolicy = corev1.PullAlways
 	}
 
+	// Security context
 	readOnlyRootFilesystem := false
+	allowPrivilegeEscalation := false
+	runAsNonRoot := true
+
+	// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27
+	runAsUser := int64(1001)
 
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@@ -167,12 +173,23 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 						},
 					},
 					SecurityContext: &corev1.SecurityContext{
-						ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+						ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+						AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
 					},
 					ImagePullPolicy:          pullPolicy,
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 				},
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 			NodeSelector: map[string]string{
 				"kubernetes.io/os": "linux",
 			},

pkg/controller/registry/reconciler/reconciler_test.go

@@ -79,8 +79,23 @@ func TestPullPolicy(t *testing.T) {
 
 func TestPodContainerSecurityContext(t *testing.T) {
 	expectedReadOnlyRootFilesystem := false
+	expectedAllowPrivilegeEscalation := false
+	expectedRunAsNonRoot := true
+	expectedRunAsUser := int64(1001)
+
 	expectedContainerSecCtx := &corev1.SecurityContext{
-		ReadOnlyRootFilesystem: &expectedReadOnlyRootFilesystem,
+		ReadOnlyRootFilesystem:   &expectedReadOnlyRootFilesystem,
+		AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
+	expectedPodSecCtx := &corev1.PodSecurityContext{
+		RunAsNonRoot: &expectedRunAsNonRoot,
+		RunAsUser:    &expectedRunAsUser,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 
 	catsrc := &v1alpha1.CatalogSource{
@@ -92,7 +107,9 @@ func TestPodContainerSecurityContext(t *testing.T) {
 
 	gotPod := Pod(catsrc, "hello", "busybox", "", map[string]string{}, map[string]string{}, int32(0), int32(0))
 	gotContainerSecCtx := gotPod.Spec.Containers[0].SecurityContext
+	gotPodSecCtx := gotPod.Spec.SecurityContext
 	require.Equal(t, expectedContainerSecCtx, gotContainerSecCtx)
+	require.Equal(t, expectedPodSecCtx, gotPodSecCtx)
 }
 
 func TestPodSchedulingOverrides(t *testing.T) {

scripts/build_test_images.sh

@@ -1,19 +1,43 @@
 #!/usr/bin/env bash
 
+set -e
+
+CATALOG_DIR=./test/catalogs
+CATALOG_DOCKER=${CATALOG_DIR}/catalog.Dockerfile
+
+# Given an image and a catalog name
+# This functions builds the image and pushes it to the repository
+function build_and_push() {
+  IMG_NAME=$1
+  CATALOG_NAME=$2
+  docker build -t "${IMG_NAME}" -f "${CATALOG_DOCKER}" "${CATALOG_DIR}/${CATALOG_NAME}"
+  docker push "${IMG_NAME}"
+}
+
+# olmtest images
+
 # Busybox Operator Index Image
-docker build -t quay.io/olmtest/busybox-bundle:1.0.0 ./test/images/busybox-index/busybox/1.0.0
-docker build -t quay.io/olmtest/busybox-bundle:2.0.0 ./test/images/busybox-index/busybox/2.0.0
+catalogs=( 1.0.0 2.0.0 )
+for c in "${catalogs[@]}"; do
+  build_and_push "quay.io/olmtest/busybox-dependencies-index:${c}-with-ListBundles-method" "busybox-${c}"
+done
+
+# single bundle index
+catalogs=( pdb-v1 objects objects-upgrade-samename objects-upgrade-diffname )
+for c in "${catalogs[@]}"; do
+  build_and_push "quay.io/olmtest/single-bundle-index:${c}" "single-bundle-index-${c}"
+done
 
-docker build -t quay.io/olmtest/busybox-dependency-bundle:1.0.0 ./test/images/busybox-index/busybox-dependency/1.0.0
-docker build -t quay.io/olmtest/busybox-dependency-bundle:2.0.0 ./test/images/busybox-index/busybox-dependency/2.0.0
+# catsrc-update-test catalogs
+catalogs=( old new related )
+for c in "${catalogs[@]}"; do
+  build_and_push "quay.io/olmtest/catsrc-update-test:${c}" "catsrc-update-test-${c}"
+done
 
-docker push quay.io/olmtest/busybox-bundle:1.0.0
-docker push quay.io/olmtest/busybox-bundle:2.0.0
-docker push quay.io/olmtest/busybox-dependency-bundle:1.0.0
-docker push quay.io/olmtest/busybox-dependency-bundle:2.0.0
+# operator-framework images
 
-opm index add --bundles quay.io/olmtest/busybox-dependency-bundle:1.0.0,quay.io/olmtest/busybox-bundle:1.0.0 --tag quay.io/olmtest/busybox-dependencies-index:1.0.0-with-ListBundles-method -c docker
-docker push quay.io/olmtest/busybox-dependencies-index:1.0.0-with-ListBundles-method
+# ci-index
+build_and_push quay.io/operator-framework/ci-index:latest "ci-index"
 
-opm index add --bundles quay.io/olmtest/busybox-dependency-bundle:2.0.0,quay.io/olmtest/busybox-bundle:2.0.0 --tag quay.io/olmtest/busybox-dependencies-index:2.0.0-with-ListBundles-method --from-index quay.io/olmtest/busybox-dependencies-index:1.0.0-with-ListBundles-method -c docker
-docker push quay.io/olmtest/busybox-dependencies-index:2.0.0-with-ListBundles-method
+# webhook-operator-index
+build_and_push quay.io/operator-framework/webhook-operator-index:0.0.3 "webhook-operator-index-0.0.3"

test/catalogs/busybox-1.0.0/busybox-dependency/catalog.json

@@ -0,0 +1,60 @@
+{
+    "schema": "olm.package",
+    "name": "busybox-dependency",
+    "defaultChannel": "alpha"
+}
+{
+    "schema": "olm.channel",
+    "name": "alpha",
+    "package": "busybox-dependency",
+    "entries": [
+        {
+            "name": "busybox-dependency.v1.0.0"
+        }
+    ]
+}
+{
+    "schema": "olm.bundle",
+    "name": "busybox-dependency.v1.0.0",
+    "package": "busybox-dependency",
+    "image": "quay.io/olmtest/busybox-dependency-bundle:1.0.0",
+    "properties": [
+        {
+            "type": "olm.gvk",
+            "value": {
+                "group": "olm.test.io",
+                "kind": "Foo",
+                "version": "v1"
+            }
+        },
+        {
+            "type": "olm.package",
+            "value": {
+                "packageName": "busybox-dependency",
+                "version": "1.0.0"
+            }
+        },
+        {
+            "type": "olm.bundle.object",
+            "value": {
+                "data": "eyJhcGlWZXJzaW9uIjoib3BlcmF0b3JzLmNvcmVvcy5jb20vdjFhbHBoYTEiLCJraW5kIjoiQ2x1c3RlclNlcnZpY2VWZXJzaW9uIiwibWV0YWRhdGEiOnsibmFtZSI6ImJ1c3lib3gtZGVwZW5kZW5jeS52MS4wLjAiLCJuYW1lc3BhY2UiOiJwbGFjZWhvbGRlciJ9LCJzcGVjIjp7ImN1c3RvbXJlc291cmNlZGVmaW5pdGlvbnMiOnsib3duZWQiOlt7ImRlc2NyaXB0aW9uIjoiRm9vIHJlc291cmNlcyBmb3IgdGVzdGluZyBkZXBlbmRlbmNpZXMiLCJkaXNwbGF5TmFtZSI6IkZvbyIsImdyb3VwIjoib2xtLnRlc3QuaW8iLCJraW5kIjoiRm9vIiwibmFtZSI6ImZvb3Mub2xtLnRlc3QuaW8iLCJ2ZXJzaW9uIjoidjEifV19LCJkZXNjcmlwdGlvbiI6IkEgYnVzeWJveC1kZXBlbmRlbmN5IENTVi5cbiIsImRpc3BsYXlOYW1lIjoiYnVzeWJveC1kZXBlbmRlbmN5IiwiaW5zdGFsbCI6eyJzcGVjIjp7ImRlcGxveW1lbnRzIjpbeyJuYW1lIjoiYnVzeWJveC1kZXBlbmRlbmN5Iiwic3BlYyI6eyJyZXBsaWNhcyI6MSwic2VsZWN0b3IiOnsibWF0Y2hMYWJlbHMiOnsiYXBwIjoiYnVzeWJveC1kZXBlbmRlbmN5In19LCJ0ZW1wbGF0ZSI6eyJtZXRhZGF0YSI6eyJsYWJlbHMiOnsiYXBwIjoiYnVzeWJveC1kZXBlbmRlbmN5In19LCJzcGVjIjp7ImNvbnRhaW5lcnMiOlt7ImNvbW1hbmQiOlsic2xlZXAiLCI5MDAwIl0sImltYWdlIjoiYnVzeWJveCIsIm5hbWUiOiJidXN5Ym94LWRlcGVuZGVuY3kifV19fX19XX0sInN0cmF0ZWd5IjoiZGVwbG95bWVudCJ9LCJpbnN0YWxsTW9kZXMiOlt7InN1cHBvcnRlZCI6dHJ1ZSwidHlwZSI6Ik93bk5hbWVzcGFjZSJ9LHsic3VwcG9ydGVkIjp0cnVlLCJ0eXBlIjoiU2luZ2xlTmFtZXNwYWNlIn0seyJzdXBwb3J0ZWQiOnRydWUsInR5cGUiOiJNdWx0aU5hbWVzcGFjZSJ9LHsic3VwcG9ydGVkIjp0cnVlLCJ0eXBlIjoiQWxsTmFtZXNwYWNlcyJ9XSwibWF0dXJpdHkiOiJhbHBoYSIsInByb3ZpZGVyIjp7Im5hbWUiOiJSZWQgSGF0In0sInZlcnNpb24iOiIxLjAuMCJ9fQ=="
+            }
+        },
+        {
+            "type": "olm.bundle.object",
+            "value": {
+                "data": "eyJhcGlWZXJzaW9uIjoiYXBpZXh0ZW5zaW9ucy5rOHMuaW8vdjEiLCJraW5kIjoiQ3VzdG9tUmVzb3VyY2VEZWZpbml0aW9uIiwibWV0YWRhdGEiOnsibmFtZSI6ImZvb3Mub2xtLnRlc3QuaW8ifSwic3BlYyI6eyJncm91cCI6Im9sbS50ZXN0LmlvIiwibmFtZXMiOnsia2luZCI6IkZvbyIsImxpc3RLaW5kIjoiRm9vTGlzdCIsInBsdXJhbCI6ImZvb3MiLCJzaW5ndWxhciI6ImZvbyJ9LCJzY29wZSI6Ik5hbWVzcGFjZWQiLCJ2ZXJzaW9ucyI6W3sibmFtZSI6InYxIiwic2NoZW1hIjp7Im9wZW5BUElWM1NjaGVtYSI6eyJ0eXBlIjoib2JqZWN0In19LCJzZXJ2ZWQiOnRydWUsInN0b3JhZ2UiOnRydWUsInN1YnJlc291cmNlcyI6eyJzdGF0dXMiOnt9fX1dfX0="
+            }
+        }
+    ],
+    "relatedImages": [
+        {
+            "name": "",
+            "image": "busybox"
+        },
+        {
+            "name": "",
+            "image": "quay.io/olmtest/busybox-dependency-bundle:1.0.0"
+        }
+    ]
+}

test/catalogs/busybox-1.0.0/busybox/catalog.json

@@ -0,0 +1,54 @@
+{
+    "schema": "olm.package",
+    "name": "busybox",
+    "defaultChannel": "alpha"
+}
+{
+    "schema": "olm.channel",
+    "name": "alpha",
+    "package": "busybox",
+    "entries": [
+        {
+            "name": "busybox.v1.0.0"
+        }
+    ]
+}
+{
+    "schema": "olm.bundle",
+    "name": "busybox.v1.0.0",
+    "package": "busybox",
+    "image": "quay.io/olmtest/busybox-bundle:1.0.0",
+    "properties": [
+        {
+            "type": "olm.gvk.required",
+            "value": {
+                "group": "olm.test.io",
+                "kind": "Foo",
+                "version": "v1"
+            }
+        },
+        {
+            "type": "olm.package",
+            "value": {
+                "packageName": "busybox",
+                "version": "1.0.0"
+            }
+        },
+        {
+            "type": "olm.bundle.object",
+            "value": {
+                "data": "eyJhcGlWZXJzaW9uIjoib3BlcmF0b3JzLmNvcmVvcy5jb20vdjFhbHBoYTEiLCJraW5kIjoiQ2x1c3RlclNlcnZpY2VWZXJzaW9uIiwibWV0YWRhdGEiOnsibmFtZSI6ImJ1c3lib3gudjEuMC4wIiwibmFtZXNwYWNlIjoicGxhY2Vob2xkZXIifSwic3BlYyI6eyJjdXN0b21yZXNvdXJjZWRlZmluaXRpb25zIjp7InJlcXVpcmVkIjpbeyJkZXNjcmlwdGlvbiI6IkZvbyByZXNvdXJjZXMgZm9yIHRlc3RpbmcgZGVwZW5kZW5jaWVzIiwiZGlzcGxheU5hbWUiOiJGb28iLCJraW5kIjoiRm9vIiwibmFtZSI6ImZvb3Mub2xtLnRlc3QuaW8iLCJ2ZXJzaW9uIjoidjEifV19LCJkZXNjcmlwdGlvbiI6IkEgYnVzeWJveCBDU1YuXG4iLCJkaXNwbGF5TmFtZSI6ImJ1c3lib3giLCJpbnN0YWxsIjp7InNwZWMiOnsiZGVwbG95bWVudHMiOlt7Im5hbWUiOiJidXN5Ym94Iiwic3BlYyI6eyJyZXBsaWNhcyI6MSwic2VsZWN0b3IiOnsibWF0Y2hMYWJlbHMiOnsiYXBwIjoiYnVzeWJveCJ9fSwidGVtcGxhdGUiOnsibWV0YWRhdGEiOnsibGFiZWxzIjp7ImFwcCI6ImJ1c3lib3gifX0sInNwZWMiOnsiY29udGFpbmVycyI6W3siY29tbWFuZCI6WyJzbGVlcCIsIjkwMDAiXSwiaW1hZ2UiOiJidXN5Ym94IiwibmFtZSI6ImJ1c3lib3gifV19fX19XX0sInN0cmF0ZWd5IjoiZGVwbG95bWVudCJ9LCJpbnN0YWxsTW9kZXMiOlt7InN1cHBvcnRlZCI6dHJ1ZSwidHlwZSI6Ik93bk5hbWVzcGFjZSJ9LHsic3VwcG9ydGVkIjp0cnVlLCJ0eXBlIjoiU2luZ2xlTmFtZXNwYWNlIn0seyJzdXBwb3J0ZWQiOnRydWUsInR5cGUiOiJNdWx0aU5hbWVzcGFjZSJ9LHsic3VwcG9ydGVkIjp0cnVlLCJ0eXBlIjoiQWxsTmFtZXNwYWNlcyJ9XSwibWF0dXJpdHkiOiJhbHBoYSIsInByb3ZpZGVyIjp7Im5hbWUiOiJSZWQgSGF0In0sInZlcnNpb24iOiIxLjAuMCJ9fQ=="
+            }
+        }
+    ],
+    "relatedImages": [
+        {
+            "name": "",
+            "image": "busybox"
+        },
+        {
+            "name": "",
+            "image": "quay.io/olmtest/busybox-bundle:1.0.0"
+        }
+    ]
+}

test/catalogs/busybox-2.0.0/busybox-dependency/catalog.json

@@ -0,0 +1,61 @@
+{
+    "schema": "olm.package",
+    "name": "busybox-dependency",
+    "defaultChannel": "alpha"
+}
+{
+    "schema": "olm.channel",
+    "name": "alpha",
+    "package": "busybox-dependency",
+    "entries": [
+        {
+            "name": "busybox-dependency.v2.0.0",
+            "skipRange": ">=0.0.0 <2.0.0"
+        }
+    ]
+}
+{
+    "schema": "olm.bundle",
+    "name": "busybox-dependency.v2.0.0",
+    "package": "busybox-dependency",
+    "image": "quay.io/olmtest/busybox-dependency-bundle:2.0.0",
+    "properties": [
+        {
+            "type": "olm.gvk",
+            "value": {
+                "group": "olm.test.io",
+                "kind": "Foo",
+                "version": "v1"
+            }
+        },
+        {
+            "type": "olm.package",
+            "value": {
+                "packageName": "busybox-dependency",
+                "version": "2.0.0"
+            }
+        },
+        {
+            "type": "olm.bundle.object",
+            "value": {
+                "data": "eyJhcGlWZXJzaW9uIjoib3BlcmF0b3JzLmNvcmVvcy5jb20vdjFhbHBoYTEiLCJraW5kIjoiQ2x1c3RlclNlcnZpY2VWZXJzaW9uIiwibWV0YWRhdGEiOnsiYW5ub3RhdGlvbnMiOnsib2xtLnNraXBSYW5nZSI6Ilx1MDAzZT0wLjAuMCBcdTAwM2MyLjAuMCJ9LCJuYW1lIjoiYnVzeWJveC1kZXBlbmRlbmN5LnYyLjAuMCIsIm5hbWVzcGFjZSI6InBsYWNlaG9sZGVyIn0sInNwZWMiOnsiY3VzdG9tcmVzb3VyY2VkZWZpbml0aW9ucyI6eyJvd25lZCI6W3siZGVzY3JpcHRpb24iOiJGb28gcmVzb3VyY2VzIGZvciB0ZXN0aW5nIGRlcGVuZGVuY2llcyIsImRpc3BsYXlOYW1lIjoiRm9vIiwiZ3JvdXAiOiJvbG0udGVzdC5pbyIsImtpbmQiOiJGb28iLCJuYW1lIjoiZm9vcy5vbG0udGVzdC5pbyIsInZlcnNpb24iOiJ2MSJ9XX0sImRlc2NyaXB0aW9uIjoiQSBidXN5Ym94LWRlcGVuZGVuY3kgQ1NWLlxuIiwiZGlzcGxheU5hbWUiOiJidXN5Ym94LWRlcGVuZGVuY3kiLCJpbnN0YWxsIjp7InNwZWMiOnsiZGVwbG95bWVudHMiOlt7Im5hbWUiOiJidXN5Ym94LWRlcGVuZGVuY3kiLCJzcGVjIjp7InJlcGxpY2FzIjoxLCJzZWxlY3RvciI6eyJtYXRjaExhYmVscyI6eyJhcHAiOiJidXN5Ym94LWRlcGVuZGVuY3kifX0sInRlbXBsYXRlIjp7Im1ldGFkYXRhIjp7ImxhYmVscyI6eyJhcHAiOiJidXN5Ym94LWRlcGVuZGVuY3kifX0sInNwZWMiOnsiY29udGFpbmVycyI6W3siY29tbWFuZCI6WyJzbGVlcCIsIjkwMDAiXSwiaW1hZ2UiOiJidXN5Ym94IiwibmFtZSI6ImJ1c3lib3gtZGVwZW5kZW5jeSJ9XX19fX1dfSwic3RyYXRlZ3kiOiJkZXBsb3ltZW50In0sImluc3RhbGxNb2RlcyI6W3sic3VwcG9ydGVkIjp0cnVlLCJ0eXBlIjoiT3duTmFtZXNwYWNlIn0seyJzdXBwb3J0ZWQiOnRydWUsInR5cGUiOiJTaW5nbGVOYW1lc3BhY2UifSx7InN1cHBvcnRlZCI6dHJ1ZSwidHlwZSI6Ik11bHRpTmFtZXNwYWNlIn0seyJzdXBwb3J0ZWQiOnRydWUsInR5cGUiOiJBbGxOYW1lc3BhY2VzIn1dLCJtYXR1cml0eSI6ImFscGhhIiwicHJvdmlkZXIiOnsibmFtZSI6IlJlZCBIYXQifSwidmVyc2lvbiI6IjIuMC4wIn19"
+            }
+        },
+        {
+            "type": "olm.bundle.object",
+            "value": {
+                "data": "eyJhcGlWZXJzaW9uIjoiYXBpZXh0ZW5zaW9ucy5rOHMuaW8vdjEiLCJraW5kIjoiQ3VzdG9tUmVzb3VyY2VEZWZpbml0aW9uIiwibWV0YWRhdGEiOnsibmFtZSI6ImZvb3Mub2xtLnRlc3QuaW8ifSwic3BlYyI6eyJncm91cCI6Im9sbS50ZXN0LmlvIiwibmFtZXMiOnsia2luZCI6IkZvbyIsImxpc3RLaW5kIjoiRm9vTGlzdCIsInBsdXJhbCI6ImZvb3MiLCJzaW5ndWxhciI6ImZvbyJ9LCJzY29wZSI6Ik5hbWVzcGFjZWQiLCJ2ZXJzaW9ucyI6W3sibmFtZSI6InYxIiwic2NoZW1hIjp7Im9wZW5BUElWM1NjaGVtYSI6eyJ0eXBlIjoib2JqZWN0In19LCJzZXJ2ZWQiOnRydWUsInN0b3JhZ2UiOnRydWUsInN1YnJlc291cmNlcyI6eyJzdGF0dXMiOnt9fX1dfX0="
+            }
+        }
+    ],
+    "relatedImages": [
+        {
+            "name": "",
+            "image": "busybox"
+        },
+        {
+            "name": "",
+            "image": "quay.io/olmtest/busybox-dependency-bundle:2.0.0"
+        }
+    ]
+}

test/catalogs/busybox-2.0.0/busybox/catalog.json

@@ -0,0 +1,55 @@
+{
+    "schema": "olm.package",
+    "name": "busybox",
+    "defaultChannel": "alpha"
+}
+{
+    "schema": "olm.channel",
+    "name": "alpha",
+    "package": "busybox",
+    "entries": [
+        {
+            "name": "busybox.v2.0.0",
+            "skipRange": ">=0.0.0 <2.0.0"
+        }
+    ]
+}
+{
+    "schema": "olm.bundle",
+    "name": "busybox.v2.0.0",
+    "package": "busybox",
+    "image": "quay.io/olmtest/busybox-bundle:2.0.0",
+    "properties": [
+        {
+            "type": "olm.gvk.required",
+            "value": {
+                "group": "olm.test.io",
+                "kind": "Foo",
+                "version": "v1"
+            }
+        },
+        {
+            "type": "olm.package",
+            "value": {
+                "packageName": "busybox",
+                "version": "2.0.0"
+            }
+        },
+        {
+            "type": "olm.bundle.object",
+            "value": {
+                "data": "eyJhcGlWZXJzaW9uIjoib3BlcmF0b3JzLmNvcmVvcy5jb20vdjFhbHBoYTEiLCJraW5kIjoiQ2x1c3RlclNlcnZpY2VWZXJzaW9uIiwibWV0YWRhdGEiOnsiYW5ub3RhdGlvbnMiOnsib2xtLnNraXBSYW5nZSI6Ilx1MDAzZT0wLjAuMCBcdTAwM2MyLjAuMCJ9LCJuYW1lIjoiYnVzeWJveC52Mi4wLjAiLCJuYW1lc3BhY2UiOiJwbGFjZWhvbGRlciJ9LCJzcGVjIjp7ImN1c3RvbXJlc291cmNlZGVmaW5pdGlvbnMiOnsicmVxdWlyZWQiOlt7ImRlc2NyaXB0aW9uIjoiRm9vIHJlc291cmNlcyBmb3IgdGVzdGluZyBkZXBlbmRlbmNpZXMiLCJkaXNwbGF5TmFtZSI6IkZvbyIsImtpbmQiOiJGb28iLCJuYW1lIjoiZm9vcy5vbG0udGVzdC5pbyIsInZlcnNpb24iOiJ2MSJ9XX0sImRlc2NyaXB0aW9uIjoiQSBidXN5Ym94IENTVi5cbiIsImRpc3BsYXlOYW1lIjoiYnVzeWJveCIsImluc3RhbGwiOnsic3BlYyI6eyJkZXBsb3ltZW50cyI6W3sibmFtZSI6ImJ1c3lib3giLCJzcGVjIjp7InJlcGxpY2FzIjoxLCJzZWxlY3RvciI6eyJtYXRjaExhYmVscyI6eyJhcHAiOiJidXN5Ym94In19LCJ0ZW1wbGF0ZSI6eyJtZXRhZGF0YSI6eyJsYWJlbHMiOnsiYXBwIjoiYnVzeWJveCJ9fSwic3BlYyI6eyJjb250YWluZXJzIjpbeyJjb21tYW5kIjpbInNsZWVwIiwiOTAwMCJdLCJpbWFnZSI6ImJ1c3lib3giLCJuYW1lIjoiYnVzeWJveCJ9XX19fX1dfSwic3RyYXRlZ3kiOiJkZXBsb3ltZW50In0sImluc3RhbGxNb2RlcyI6W3sic3VwcG9ydGVkIjp0cnVlLCJ0eXBlIjoiT3duTmFtZXNwYWNlIn0seyJzdXBwb3J0ZWQiOnRydWUsInR5cGUiOiJTaW5nbGVOYW1lc3BhY2UifSx7InN1cHBvcnRlZCI6dHJ1ZSwidHlwZSI6Ik11bHRpTmFtZXNwYWNlIn0seyJzdXBwb3J0ZWQiOnRydWUsInR5cGUiOiJBbGxOYW1lc3BhY2VzIn1dLCJtYXR1cml0eSI6ImFscGhhIiwicHJvdmlkZXIiOnsibmFtZSI6IlJlZCBIYXQifSwidmVyc2lvbiI6IjIuMC4wIn19"
+            }
+        }
+    ],
+    "relatedImages": [
+        {
+            "name": "",
+            "image": "busybox"
+        },
+        {
+            "name": "",
+            "image": "quay.io/olmtest/busybox-bundle:2.0.0"
+        }
+    ]
+}

test/catalogs/catalog.Dockerfile

@@ -0,0 +1,14 @@
+# The base image is expected to contain
+# /bin/opm (with a serve subcommand) and /bin/grpc_health_probe
+FROM quay.io/operator-framework/opm:latest
+
+# Configure the entrypoint and command
+ENTRYPOINT ["/bin/opm"]
+CMD ["serve", "/catalog"]
+
+# Copy declarative config root into image at /configs
+COPY . /catalog
+
+# Set label for the location of the catalog root directory
+# in the image
+LABEL operators.operatorframework.io.index.configs.v1=/catalog