Merge tag 'v0.13.1' of github.com:aquasecurity/starboard into main

Release v0.13.1

.github/workflows/build.yaml

@@ -30,7 +30,7 @@ env:
 jobs:
   unit-tests:
     name: Run unit tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -55,7 +55,7 @@ jobs:
     needs:
       - unit-tests
       - verify-code
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -72,14 +72,15 @@ jobs:
       - name: Release snapshot
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.175.0
+          version: v0.183.0
           args: release --snapshot --skip-publish --rm-dist
   itest-starboard:
     name: Run integration tests / Starboard CLI
     needs:
       - unit-tests
       - verify-code
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    timeout-minutes: 15
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -118,7 +119,8 @@ jobs:
     needs:
       - unit-tests
       - verify-code
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    timeout-minutes: 15
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -145,18 +147,15 @@ jobs:
       - name: Run integration tests
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
-                 -f deploy/crd/configauditreports.crd.yaml \
-                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
-                 -f deploy/crd/ciskubebenchreports.crd.yaml
+            -f deploy/crd/configauditreports.crd.yaml \
+            -f deploy/crd/clusterconfigauditreports.crd.yaml \
+            -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-            -f deploy/static/02-starboard-operator.sa.yaml \
-            -f deploy/static/03-starboard-operator.clusterrole.yaml \
-            -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+            -f deploy/static/02-starboard-operator.rbac.yaml
           make itests-starboard-operator
         env:
           KUBECONFIG: /home/runner/.kube/config
-          OPERATOR_NAMESPACE: starboard-operator
-          OPERATOR_SERVICE_ACCOUNT: starboard-operator
+          OPERATOR_NAMESPACE: starboard-system
           OPERATOR_TARGET_NAMESPACES: default
       - name: Upload code coverage
         uses: codecov/codecov-action@v2
@@ -167,7 +166,8 @@ jobs:
     needs:
       - unit-tests
       - verify-code
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    timeout-minutes: 15
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -194,26 +194,23 @@ jobs:
       - name: Run integration tests
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
-                 -f deploy/crd/configauditreports.crd.yaml \
-                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
-                 -f deploy/crd/ciskubebenchreports.crd.yaml
+            -f deploy/crd/configauditreports.crd.yaml \
+            -f deploy/crd/clusterconfigauditreports.crd.yaml \
+            -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-            -f deploy/static/02-starboard-operator.sa.yaml \
-            -f deploy/static/03-starboard-operator.clusterrole.yaml \
-            -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+            -f deploy/static/02-starboard-operator.rbac.yaml
           make integration-operator-conftest
         env:
           KUBECONFIG: /home/runner/.kube/config
-          OPERATOR_NAMESPACE: starboard-operator
-          OPERATOR_SERVICE_ACCOUNT: starboard-operator
+          OPERATOR_NAMESPACE: starboard-system
           OPERATOR_TARGET_NAMESPACES: default
       - name: Upload code coverage
         uses: codecov/codecov-action@v2
         with:
           files: ./itest/starboard-operator/configauditreport/conftest/coverage.txt
   verify-code:
     name: Verify code
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2

.github/workflows/publish-helm-chart.yaml

@@ -9,22 +9,40 @@ env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
   CHART_DIR: deploy/helm
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 jobs:
   release:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
         with:
           version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 #v2.1.0
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts deploy/helm
       - name: Install chart-releaser
         run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
+
       - name: Package helm chart
         run: |
           ./cr package ${{ env.CHART_DIR }}
@@ -37,7 +55,7 @@ jobs:
         run: |
           ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
       - name: Push index file
-        uses: dmnemec/[email protected]
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
         env:
           API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
         with:

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ env:
 jobs:
   unit-tests:
     name: Run unit tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -32,7 +32,8 @@ jobs:
     name: Run integration tests / Starboard CLI
     needs:
       - unit-tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    timeout-minutes: 15
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -66,7 +67,8 @@ jobs:
     name: Run integration tests / Starboard Operator
     needs:
       - unit-tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    timeout-minutes: 15
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -93,24 +95,22 @@ jobs:
       - name: Run integration tests
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
-                 -f deploy/crd/configauditreports.crd.yaml \
-                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
-                 -f deploy/crd/ciskubebenchreports.crd.yaml
+            -f deploy/crd/configauditreports.crd.yaml \
+            -f deploy/crd/clusterconfigauditreports.crd.yaml \
+            -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-            -f deploy/static/02-starboard-operator.sa.yaml \
-            -f deploy/static/03-starboard-operator.clusterrole.yaml \
-            -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+            -f deploy/static/02-starboard-operator.rbac.yaml
           make itests-starboard-operator
         env:
           KUBECONFIG: /home/runner/.kube/config
-          OPERATOR_NAMESPACE: starboard-operator
-          OPERATOR_SERVICE_ACCOUNT: starboard-operator
+          OPERATOR_NAMESPACE: starboard-system
           OPERATOR_TARGET_NAMESPACES: default
   integration-operator-conftest:
     name: Integration / Operator / Conftest
     needs:
       - unit-tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    timeout-minutes: 15
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -141,22 +141,19 @@ jobs:
                  -f deploy/crd/clusterconfigauditreports.crd.yaml \
                  -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-            -f deploy/static/02-starboard-operator.sa.yaml \
-            -f deploy/static/03-starboard-operator.clusterrole.yaml \
-            -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+            -f deploy/static/02-starboard-operator.rbac.yaml
           make integration-operator-conftest
         env:
           KUBECONFIG: /home/runner/.kube/config
-          OPERATOR_NAMESPACE: starboard-operator
-          OPERATOR_SERVICE_ACCOUNT: starboard-operator
+          OPERATOR_NAMESPACE: starboard-system
           OPERATOR_TARGET_NAMESPACES: default
   release:
     name: Release
     needs:
       - itest-starboard
       - itest-starboard-operator
       - integration-operator-conftest
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Setup Go
         uses: actions/setup-go@v2
@@ -186,7 +183,7 @@ jobs:
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.175.0
+          version: v0.183.0
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CONTRIBUTING.md

@@ -20,6 +20,7 @@ These guidelines will help you get started with the Starboard project.
   - [In Cluster](#in-cluster)
   - [Out of Cluster](#out-of-cluster)
   - [Uninstall](#uninstall)
+- [Update Static YAML Manifests](#update-static-yaml-manifests)
 - [Operator Lifecycle Manager (OLM)](#operator-lifecycle-manager-olm)
   - [Install OLM](#install-olm)
   - [Build the Catalog Image](#build-the-catalog-image)
@@ -178,9 +179,9 @@ code if any of the generated files is not up-to-date. We're running it as a step
 
 ## Test Starboard Operator
 
-You can deploy the operator in the `starboard-operator` namespace and configure it to watch the `default`
-namespace. In OLM terms such install mode is called *SingleNamespace*. The *SingleNamespace* mode is good to get
-started with a basic development workflow. For other install modes see [Operator Multitenancy with OperatorGroups][olm-operator-groups].
+You can deploy the operator in the `starboard-system` namespace and configure it to watch the `default` namespace.
+In OLM terms such install mode is called *SingleNamespace*. The *SingleNamespace* mode is good to get started with a
+basic development workflow. For other install modes see [Operator Multitenancy with OperatorGroups][olm-operator-groups].
 
 ### Prerequisites
 
@@ -196,18 +197,16 @@ started with a basic development workflow. For other install modes see [Operator
 
    ```
    kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-     -f deploy/static/02-starboard-operator.sa.yaml \
-     -f deploy/static/03-starboard-operator.clusterrole.yaml \
-     -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+     -f deploy/static/02-starboard-operator.rbac.yaml
    ```
 
-   This will create the `starboard-operator` namespace, and the `starboard-operator` service account. Beyond that,
+   This will create the `starboard-system` namespace, and the `starboard-operator` service account. Beyond that,
    it will create the `starboard-operator` ClusterRole and bind it to the `starboard-operator` service account in the
-   `starboard-operator` namespace via the `starboard-operator` ClusterRoleBinding.
+   `starboard-system` namespace via the `starboard-operator` ClusterRoleBinding.
 3. (Optional) Create configuration objects:
 
    ```
-   kubectl apply -f deploy/static/05-starboard-operator.config.yaml
+   kubectl apply -f deploy/static/03-starboard-operator.config.yaml
    ```
 
 ### In cluster
@@ -222,7 +221,7 @@ started with a basic development workflow. For other install modes see [Operator
    ```
    kind load docker-image aquasec/starboard-operator:dev
    ```
-3. Create the `starboard-operator` Deployment in the `starboard-operator` namespace to run the operator's container:
+3. Create the `starboard-operator` Deployment in the `starboard-system` namespace to run the operator's container:
 
    ```
    kubectl apply -k deploy/static
@@ -233,7 +232,7 @@ started with a basic development workflow. For other install modes see [Operator
 1. Run the main method of the operator program:
 
    ```
-   OPERATOR_NAMESPACE=starboard-operator \
+   OPERATOR_NAMESPACE=starboard-system \
      OPERATOR_TARGET_NAMESPACES=default \
      OPERATOR_LOG_DEV_MODE=true \
      OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED=true \
@@ -248,17 +247,35 @@ started with a basic development workflow. For other install modes see [Operator
 
 ```
 kubectl delete -k deploy/static
-kubectl delete -f deploy/static/05-starboard-operator.config.yaml
-kubectl delete -f deploy/static/01-starboard-operator.ns.yaml \
-  -f deploy/static/02-starboard-operator.sa.yaml \
-  -f deploy/static/03-starboard-operator.clusterrole.yaml \
-  -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+kubectl delete -f deploy/static/03-starboard-operator.config.yaml
+kubectl delete -f deploy/static/02-starboard-operator.rbac.yaml \
+  -f deploy/static/01-starboard-operator.ns.yaml
 kubectl delete -f deploy/crd/vulnerabilityreports.crd.yaml \
   -f deploy/crd/configauditreports.crd.yaml \
   -f deploy/crd/clusterconfigauditreports.crd.yaml \
   -f deploy/crd/ciskubebenchreports.crd.yaml
 ```
 
+## Update Static YAML Manifests
+
+```
+mkdir -p $TMPDIR/starboard-helm-template
+```
+
+```
+helm template starboard-operator ./deploy/helm \
+  --namespace starboard-system --create-namespace \
+  --set="targetNamespaces=default" \
+  --set="managedBy=kubectl" \
+  --output-dir=$TMPDIR/starboard-helm-template
+```
+
+```
+cp $TMPDIR/starboard-helm-template/starboard-operator/templates/rbac.yaml deploy/static/02-starboard-operator.rbac.yaml
+cp $TMPDIR/starboard-helm-template/starboard-operator/templates/config.yaml deploy/static/03-starboard-operator.config.yaml
+cp $TMPDIR/starboard-helm-template/starboard-operator/templates/deployment.yaml deploy/static/04-starboard-operator.deployment.yaml
+```
+
 ## Operator Lifecycle Manager (OLM)
 
 ### Install OLM
@@ -280,7 +297,7 @@ chmod +x install.sh
 
 ### Build the Catalog Image
 
-The Starboard Operator metadata is formatted in *packagemanifest* layout so you need to place it in the directory
+The Starboard Operator metadata is formatted in *packagemanifest* layout, so you need to place it in the directory
 structure of the [community-operators] repository.
 
 ```