Boilerplate: Update to 5fea264b458ec33913afb04eda6ff87d8013d9f4

Conventions:
- openshift/golang-osd-operator: Update
---
openshift/boilerplate@0ba6566...5fea264

commit: e6753c2a4252695328187dad83370e63f308e355
author: Christopher Collins
Updates the version of the openshift-operator-registry image

Updates the version of the openshift-operator-registry image to 4.8.0,
to address several high vulnerabilities found in the 4.7.0 image.

REF: [OSD-6831](https://issues.redhat.com/browse/OSD-6831)

Signed-off-by: Christopher Collins <collins.christopher@gmail.com>

commit: c35da9dd532d5ed389e4e93f83c75fe9e51e98c9
author: Eric Fried
Fix generated-files-checker for go 1.16

go 1.16 is stricter about go.sum being up to date for things like `go
-list`. Fix up the test (case & project) accordingly.

Also add test loops for missing supported asdk versions. Not sure when
we missed those.

Also fix the backing image -- it was hacking the go lib/cache
permissions too early.

Also make it possible to override the backing image used by
`container-make`, to ease debugging when writing commits like this.

commit: 0acfc9d8d31942977df26f49ec043038d2fd3320
author: Rob Rati
Update to use golang 1.16

commit: c49cf6f755ffab5c6e2ce6e4118b743e83093248
author: Eric Fried
Fix unbound local variable error

...noted in https://ci.int.devshift.net/job/app-sre-deployment-validation-operator-gh-build-master/60/console

commit: 3bcb750bd6dc9120f5458aa44d82fff6973d2171
author: Eric Fried
Improve `subscriber report release`

This commit improves the `subscriber report release` tool in the
following ways:
- It now requires a list of subscribers, or `ALL`, with the same
semantics as `subscriber propose update`.
- It now produces a diff with which you can `patch -R` what's in the
release repository to make it conform.

commit: 9062716c4df7b01b72ba4308e106b4c932ab5649
author: Christopher Collins
Adds .gitattributes to unacceptable_deltas "ignores" list

With a recent update to boilerplate, a .gitattributes file is created
during the bootstrap process.  This is causing failures in the
"framework/04-update-from-master-and-revert" test, which currently
doesn't expect the .gitattributes file to exist, uncommitted, after the
test bootstrap.

This adds the .gitattributes file to the "ignores" list in the
unacceptable_deltas function of boilerplate/update.

Also runs `./boilerplate/_lib/boilerplate-commit` to "clean" before the
next test run.

Signed-off-by: Christopher Collins <collins.christopher@gmail.com>

commit: 69519b47fcbd219aa4d30aeb28377c2113ea8272
author: Eric Fried
Secure freeze-check, enable hiding boilerplate deltas

- Document the "trust and ignore" philosophy that subscribers should
adopt when reviewing PRs that include boilerplate updates.
- Secure `freeze-check` so you actually _can_ trust such changes.
- Lay down .gitattributes content such that, if a subscriber decides to
suppress boilerplate deltas by default, certain files will still always
be shown:
  - Because an attacker could attempt to subvert `freeze-check` by
  modifying that script or its dependencies, we explicitly exclude those
  from the hiding-by-default.
  - Because an attacker could try to subvert the hiding by appending
  entries to .gitattributes, we exclude THAT file from the
  hiding-by-default as well.

Security is hard.

Author: clcollins

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: boilerplate
   namespace: openshift
-  tag: image-v0.5.2
+  tag: image-v1.0.0

.gitattributes

@@ -0,0 +1,13 @@
+### BEGIN BOILERPLATE GENERATED -- DO NOT EDIT    ###
+### This block must be the last thing in your     ###
+### .gitattributes file; otherwise the 'validate' ###
+### CI check will fail.                           ###
+# Used to ensure nobody mucked with boilerplate files.
+boilerplate/_lib/freeze-check linguist-generated=false
+# Show the boilerplate commit hash update. It's only one line anyway.
+boilerplate/_data/last-boilerplate-commit linguist-generated=false
+# Used by freeze-check. Good place for attackers to inject badness.
+boilerplate/update linguist-generated=false
+# Make sure attackers can't hide changes to this configuration
+.gitattributes linguist-generated=false
+### END BOILERPLATE GENERATED ###

boilerplate/_data/backing-image-tag

@@ -1 +1 @@
-image-v0.5.2
+image-v1.0.0

boilerplate/_data/last-boilerplate-commit

@@ -1 +1 @@
-0ba6566d544d0df9993a92b2286c131eb61f3e88
+5fea264b458ec33913afb04eda6ff87d8013d9f4

boilerplate/_lib/common.sh

@@ -197,4 +197,4 @@ if [[ -z "$LATEST_IMAGE_TAG" ]]; then
     fi
 fi
 # The public image location
-IMAGE_PULL_PATH=quay.io/app-sre/$IMAGE_NAME:$LATEST_IMAGE_TAG
+IMAGE_PULL_PATH=${IMAGE_PULL_PATH:-quay.io/app-sre/$IMAGE_NAME:$LATEST_IMAGE_TAG}

boilerplate/_lib/freeze-check

@@ -1,9 +1,17 @@
 #!/usr/bin/env bash
 
+# NOTE: For security reasons, everything imported or invoked (even
+# indirectly) by this script should be audited for vulnerabilities and
+# explicitly excluded from `linguist-generated` in the consuming
+# repository's .gitattributes. In other words, we want PRs to show
+# deltas to this script and all its dependencies by default so that
+# attempts to inject or circumvent code are visible.
+
 set -e
 
 REPO_ROOT=$(git rev-parse --show-toplevel)
-source $REPO_ROOT/boilerplate/_lib/common.sh
+# Hardcoded rather than sourced to reduce attack surface.
+BOILERPLATE_GIT_REPO=https://github.com/openshift/boilerplate.git
 
 # Validate that no subscribed boilerplate artifacts have been changed.
 # PR checks may wish to gate on this.
@@ -28,7 +36,8 @@ source $REPO_ROOT/boilerplate/_lib/common.sh
 # seriously ticked off if something went wrong and lost my in-flight
 # changes.
 if ! [ -z "$(git status --porcelain)" ]; then
-  err "Can't validate boilerplate in a dirty repository. Please commit your changes and try again."
+  echo "Can't validate boilerplate in a dirty repository. Please commit your changes and try again." >&2
+  exit 1
 fi
 
 # We glean the last boilerplate commit from the
@@ -52,19 +61,19 @@ git remote add origin $BOILERPLATE_GIT_REPO
 git fetch origin $(cat $LBCF) --tags
 git reset --hard FETCH_HEAD
 
-# Now invoke the update script, bypassing the exec step because we
-# already downloaded what we want
+# Now invoke the update script, overriding the source repository we've
+# just downloaded at the appropriate commit.
+# We invoke the script explicitly rather than via the make target to
+# close a security hole whereby the latter is overridden.
 echo "Running update"
 cd $REPO_ROOT
-boilerplate/update $TMPD
+BOILERPLATE_GIT_CLONE="git clone $TMPD" boilerplate/update
 
 # Okay, if anything has changed, that's bad.
 if [[ $(git status --porcelain | wc -l) -ne 0 ]]; then
-  err "Your boilerplate is dirty!
-Run 'git diff' to see what we think you shouldn't have changed.
-You can commit those changes to pass this check.
-Or you can run 'git reset --hard HEAD' to get back to where you were before."
-
+  echo "Your boilerplate is dirty!" >&2
+  git status --porcelain
+  exit 1
 fi
 
 echo "Your boilerplate is clean!"

boilerplate/_lib/release.sh

@@ -24,7 +24,7 @@ Failed to determine consumer name"
 #
 # E.g. "master"
 # This will produce something like refs/remotes/origin/master
-DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/upstream/HEAD || git symbolic-ref refs/remotes/origin/HEAD || echo defaulting/to/master)
+DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/upstream/HEAD 2>/dev/null || git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null || echo defaulting/to/master)
 # Strip off refs/remotes/{upstream|origin}/
 DEFAULT_BRANCH=${DEFAULT_BRANCH##*/}
 [[ -z "$DEFAULT_BRANCH" ]] && err "

boilerplate/_lib/subscriber-propose-update

@@ -33,36 +33,18 @@ source $REPO_ROOT/boilerplate/_lib/subscriber.sh
 # Arguments are required
 [[ $# -eq 0 ]] && usage
 
-declare -A to_update
-
-ALL=0
-if [[ $# -eq 1 ]] && [[ "$1" == ALL ]]; then
-    ALL=1
-    shift
-fi
-for subscriber in $(subscriber_list onboarded); do
-    to_update[$subscriber]=$ALL
-done
-
-# Parse specified subscribers
-for a in "$@"; do
-    [[ $a == ALL ]] && err "Can't specify ALL with explicit subscribers"
-
-    [[ -n "${to_update[$a]}" ]] || err "Not an onboarded subscriber: '$a'"
-    if [[ "${to_update[$a]}" -eq 1 ]]; then
-        echo "Ignoring duplicate: '$a'"
-        continue
-    fi
-    to_update[$a]=1
-done
-
 TMPD=$(mktemp -d)
 trap "rm -fr $TMPD" EXIT
 
 propose_update() {
     local subscriber=$1
     local proj=${subscriber#*/}
 
+    if [[ -z "$DRY_RUN" ]]; then
+        echo "DRY RUN: Would propose update for $subscriber"
+        return 0
+    fi
+
     (
         # Clone my fork of the subscriber repo
         cd $TMPD
@@ -93,8 +75,7 @@ propose_update() {
 
 bp_master=$(git rev-parse master)
 
-for subscriber in "${!to_update[@]}"; do
-    [[ "${to_update[$subscriber]}" -eq 1 ]] || continue
+for subscriber in $(subscriber_args "$@"); do
 
     # Does this one need an update?
     lbc=$(last_bp_commit $subscriber)

boilerplate/_lib/subscriber-report-release

@@ -6,17 +6,26 @@ source $REPO_ROOT/boilerplate/_lib/release.sh
 
 usage() {
     cat <<EOF
-$CMD
+$CMD SUBSCRIBER ...
 
 Analyzes the openshift/release footprint of onboarded boilerplate
 subscribers. For each subscriber, prints the delta, if any, between the
 existing and expected prow configuration.
+
+Arguments:
+    SUBSCRIBER  One or more subscriber repositories of the form
+                "org/name" (e.g. "openshift/deadmanssnitch-operator");
+                or the special keyword "ALL" to report on all onboarded
+                subscribers.
 EOF
     exit -1
 }
 
 source $REPO_ROOT/boilerplate/_lib/subscriber.sh
 
+# Arguments are required
+[[ $# -eq 0 ]] && usage
+
 ## prow_config ORG PROJ
 #
 # Downloads the ci-operator configuration file from openshift/release for the
@@ -33,20 +42,21 @@ prow_config() {
         f=$org-$proj-$branch.yaml
         local c="$(curl -s $p/$f)"
         if [[ "$c" != "404: Not Found" ]]; then
-            # Remove the zz_generated_metadata section
-            echo "$c" | yq d - zz_generated_metadata > $TMPD/$f
+            echo "$c" > $TMPD/$f
             echo $TMPD/$f
             return
         fi
     done
 }
 
-## expected_prow_config PROJ
+## expected_prow_config ORG PROJ BRANCH
 #
-# Prints to stdout (most of) the expected prow configuration for the specified
-# PROJ. The `zz_generated_metadata` section is omitted.
+# Prints to stdout the expected prow configuration for the specified
+# ORG/PROJ.
 expected_prow_config() {
-    local consumer_name=$1
+    local org=$1
+    local consumer_name=$2
+    local branch=$3
     # TODO: DRY this with what's in prow-config.
     # Do it by making it a template in the convention dir.
     cat <<EOF
@@ -94,21 +104,28 @@ tests:
   commands: make validate
   container:
     from: src
+zz_generated_metadata:
+  branch: ${branch}
+  org: ${org}
+  repo: ${consumer_name}
 EOF
 }
 
 TMPD=$(mktemp -d)
 trap "rm -fr $TMPD" EXIT
 
-for subscriber in $(subscriber_list onboarded); do
+for subscriber in $(subscriber_args "$@"); do
     banner $subscriber
     org=${subscriber%/*}
     proj=${subscriber#*/}
     pc=$(prow_config $org $proj)
+    # Filename is of the form ...-$branch.yaml
+    branch=${pc##*-}
+    branch=${branch%.yaml}
     if [[ -z "$pc" ]]; then
         echo "=== No configuration ==="
     else
-        d="$(expected_prow_config $proj | diff -w - $pc)"
+        d="$(expected_prow_config $org $proj $branch | diff - $pc)"
         if [[ -z "$d" ]]; then
             echo "=== A-OK ==="
         else

boilerplate/_lib/subscriber.sh

@@ -111,3 +111,47 @@ commits_behind_bp_master() {
     git rev-list --count --merges $range
 }
 
+## subscriber_args SUBSCRIBER ...
+#
+# Processes arguments as a list of onboarded subscribers of the form
+# "org/name" (e.g. "openshift/deadmanssnitch-operator"); or the special
+# keyword "ALL".
+#
+# Outputs to stderr a space-separated list of subscribers. If "ALL" was
+# specified, these are all onboarded subscribers.
+#
+# Errors if:
+# - "ALL" is specified along with one or more explicit subscriber names.
+# - Any specified subscriber is nonexistent or not listed as onboarded
+# in the config.
+subscriber_args() {
+    local -A to_process
+    local ALL=0
+    local subscriber
+    local a
+
+    if [[ $# -eq 1 ]] && [[ "$1" == ALL ]]; then
+        ALL=1
+        shift
+    fi
+    for subscriber in $(subscriber_list onboarded); do
+        to_process[$subscriber]=$ALL
+    done
+
+    # Parse specified subscribers
+    for a in "$@"; do
+        [[ $a == ALL ]] && err "Can't specify ALL with explicit subscribers"
+
+        [[ -n "${to_process[$a]}" ]] || err "Not an onboarded subscriber: '$a'"
+        if [[ "${to_process[$a]}" -eq 1 ]]; then
+            echo "Ignoring duplicate: '$a'" >&2
+            continue
+        fi
+        to_process[$a]=1
+    done
+
+    for subscriber in "${!to_process[@]}"; do
+        [[ "${to_process[$subscriber]}" -eq 1 ]] || continue
+        echo -n "${subscriber} "
+    done
+}