Merge pull request #1354 from splunk/promote-develop-to-main-2.6.0

Promote Develop to main for Splunk Operator Release 2.6.0

Author: akondur

.env

@@ -6,4 +6,4 @@ KUBECTL_VERSION=v1.29.1
 AZ_CLI_VERSION=2.30.0
 EKSCTL_VERSION=v0.143.0
 EKS_CLUSTER_K8_VERSION=1.27
-SPLUNK_ENTERPRISE_RELEASE_IMAGE=splunk/splunk:9.1.3
+SPLUNK_ENTERPRISE_RELEASE_IMAGE=splunk/splunk:9.2.2

.github/workflows/automated-release-workflow.yml

@@ -20,6 +20,9 @@ jobs:
       pull-requests: write
     if: github.ref == 'refs/heads/main'
     steps:
+    - name: Set up cosign
+      uses: sigstore/cosign-installer@main
+
     - name: Checkout code
       uses: actions/checkout@v2
 
@@ -87,4 +90,18 @@ jobs:
 
     - name: Push Release Image
       run: |
-        docker push splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+        docker push splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+    
+    - name: Sign Splunk Operator image with a key
+      run: |
+        cosign sign --yes --key env://COSIGN_PRIVATE_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+    
+    - name: Verify Splunk Operator image with a key
+      run: |
+        cosign verify --key env://COSIGN_PUBLIC_KEY  splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
+      env:
+        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+

.github/workflows/build-test-push-workflow.yml

@@ -54,6 +54,9 @@ jobs:
       ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
     steps:
+    - name: Set up cosign
+      uses: sigstore/cosign-installer@main
+
     - uses: actions/checkout@v2
     - name: Dotenv Action
       id: dotenv
@@ -84,22 +87,41 @@ jobs:
     - name: Login to Amazon ECR
       id: login-ecr
       uses: aws-actions/amazon-ecr-login@v1
+    - name: Login to Redhat registry
+      uses: docker/login-action@v3
+      with:
+        registry: registry.redhat.io
+        username: ${{ secrets.REDHAT_REGISTRY_ID }}
+        password: ${{ secrets.REDHAT_REGISTRY_PASSWORD }}
     - name: Make Splunk Operator Image
       run: |
         make docker-build IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
     - name: Push Splunk Operator Image to ECR
       run: |
         echo "Uploading Image to ECR:: ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA"
-        make docker-push IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
+        make docker-push IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
+    - name: Sign Splunk Operator image with a key
+      run: |
+        cosign sign --yes --key env://COSIGN_PRIVATE_KEY  ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
   vulnerability-scan:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     runs-on: ubuntu-latest
     needs: build-operator-image
     env:
       SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
       SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
       ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+      IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}
     steps:
+    - name: Set up cosign
+      uses: sigstore/cosign-installer@main
     - uses: actions/checkout@v2
     - name: Dotenv Action
       id: dotenv
@@ -112,22 +134,30 @@ jobs:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+
     - name: Login to Amazon ECR
       uses: aws-actions/amazon-ecr-login@v1
     - name: Pull Splunk Operator Image Locally
       run: |
-        docker pull ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
-    - name: Setup clair scanner
-      run: make setup_clair_scanner
-    - name: Scan container image
-      run: make run_clair_scan IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
-    - name: Stop clair scanner
-      run: make stop_clair_scanner
-    - name: Save scan results as artifacts
-      uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2
+        docker pull ${{ env.IMAGE_NAME }}
+    - name: Verify Signed Splunk Operator image 
+      run: |
+        cosign verify --key env://COSIGN_PUBLIC_KEY  ${{ env.IMAGE_NAME }}
+      env:
+        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: '${{ env.IMAGE_NAME }}'
+        format: sarif
+        #exit-code: 1
+        severity: 'CRITICAL'
+        ignore-unfixed: true
+        output: 'trivy-results.sarif'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
       with:
-        name: clair-scanner-logs
-        path: clair-scanner-logs
+        sarif_file: 'trivy-results.sarif'
   smoke-tests:
     needs: vulnerability-scan
     strategy:

.github/workflows/nightly-int-test-workflow.yml

@@ -207,6 +207,8 @@ jobs:
       SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
       TAG: edge
     steps:
+    - name: Set up cosign
+      uses: sigstore/cosign-installer@main
     - uses: actions/checkout@v2
       with:
           ref: develop
@@ -235,4 +237,16 @@ jobs:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PUSH_TOKEN}}
     - name: Push Splunk Operator Image to Docker Hub
-      run: docker push ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ env.TAG }}
+      run: docker push ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ env.TAG }}
+    - name: Sign Splunk Operator image with a key
+      run: |
+        cosign sign --yes --key env://COSIGN_PRIVATE_KEY  ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+    - name: Verify Signed Splunk Operator image 
+      run: |
+        cosign verify --key env://COSIGN_PUBLIC_KEY  ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
+      env:
+        COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+ 

Dockerfile

@@ -22,8 +22,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM registry.access.redhat.com/ubi8/ubi:latest
-
+FROM registry.access.redhat.com/ubi8/ubi:8.10
 ENV OPERATOR=/manager \
     USER_UID=1001 \
     USER_NAME=nonroot

api/v4/clustermanager_types.go

@@ -67,6 +67,9 @@ type ClusterManagerStatus struct {
 
 	// Telemetry App installation flag
 	TelAppInstalled bool `json:"telAppInstalled"`
+
+	// Auxillary message describing CR status
+	Message string `json:"message"`
 }
 
 // BundlePushInfo Indicates if bundle push required
@@ -87,6 +90,7 @@ type BundlePushInfo struct {
 // +kubebuilder:printcolumn:name="Desired",type="integer",JSONPath=".status.replicas",description="Desired number of indexer peers"
 // +kubebuilder:printcolumn:name="Ready",type="integer",JSONPath=".status.readyReplicas",description="Current number of ready indexer peers"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age of cluster manager"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.message",description="Auxillary message describing CR status"
 // +kubebuilder:storageversion
 type ClusterManager struct {
 	metav1.TypeMeta   `json:",inline"`

api/v4/indexercluster_types.go

@@ -108,6 +108,9 @@ type IndexerClusterStatus struct {
 
 	// status of each indexer cluster peer
 	Peers []IndexerClusterMemberStatus `json:"peers"`
+
+	// Auxillary message describing CR status
+	Message string `json:"message"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -123,6 +126,7 @@ type IndexerClusterStatus struct {
 // +kubebuilder:printcolumn:name="Desired",type="integer",JSONPath=".status.replicas",description="Desired number of indexer peers"
 // +kubebuilder:printcolumn:name="Ready",type="integer",JSONPath=".status.readyReplicas",description="Current number of ready indexer peers"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age of indexer cluster"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.message",description="Auxillary message describing CR status"
 // +kubebuilder:storageversion
 type IndexerCluster struct {
 	metav1.TypeMeta   `json:",inline"`

api/v4/licensemanager_types.go

@@ -52,6 +52,9 @@ type LicenseManagerStatus struct {
 
 	// Telemetry App installation flag
 	TelAppInstalled bool `json:"telAppInstalled"`
+
+	// Auxillary message describing CR status
+	Message string `json:"message"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -62,6 +65,7 @@ type LicenseManagerStatus struct {
 // +kubebuilder:resource:path=licensemanagers,scope=Namespaced,shortName=lmanager
 // +kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase",description="Status of license manager"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age of license manager"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.message",description="Auxillary message describing CR status"
 // +kubebuilder:storageversion
 type LicenseManager struct {
 	metav1.TypeMeta   `json:",inline"`

api/v4/monitoringconsole_types.go

@@ -58,6 +58,9 @@ type MonitoringConsoleStatus struct {
 
 	// App Framework status
 	AppContext AppDeploymentContext `json:"appContext,omitempty"`
+
+	// Auxillary message describing CR status
+	Message string `json:"message"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -70,6 +73,7 @@ type MonitoringConsoleStatus struct {
 // +kubebuilder:printcolumn:name="Desired",type="integer",JSONPath=".status.replicas",description="Desired number of monitoring console members"
 // +kubebuilder:printcolumn:name="Ready",type="integer",JSONPath=".status.readyReplicas",description="Current number of ready monitoring console members"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age of monitoring console"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.message",description="Auxillary message describing CR status"
 // +kubebuilder:storageversion
 type MonitoringConsole struct {
 	metav1.TypeMeta   `json:",inline"`

api/v4/searchheadcluster_types.go

@@ -119,6 +119,9 @@ type SearchHeadClusterStatus struct {
 
 	// Telemetry App installation flag
 	TelAppInstalled bool `json:"telAppInstalled"`
+
+	// Auxillary message describing CR status
+	Message string `json:"message"`
 }
 
 // SearchHeadCluster is the Schema for a Splunk Enterprise search head cluster
@@ -132,6 +135,7 @@ type SearchHeadClusterStatus struct {
 // +kubebuilder:printcolumn:name="Desired",type="integer",JSONPath=".status.replicas",description="Desired number of search head cluster members"
 // +kubebuilder:printcolumn:name="Ready",type="integer",JSONPath=".status.readyReplicas",description="Current number of ready search head cluster members"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age of search head cluster"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.message",description="Auxillary message describing CR status"
 // +kubebuilder:storageversion
 type SearchHeadCluster struct {
 	metav1.TypeMeta   `json:",inline"`