Merge branch 'main' into kb-starboard-vulns-fix

.goreleaser.yaml

@@ -40,6 +40,21 @@ builds:
       - ppc64le
     goarm:
       - "7"
+  - id: starboard-operator-fips
+    main: ./cmd/starboard-operator/main.go
+    binary: starboard-operator-fips
+    flags:
+      - -tags=fipsonly
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm
+      - arm64
+      - s390x
+      - ppc64le
+    goarm:
+      - "7"
   - id: starboard-scanner-aqua
     main: ./cmd/scanner-aqua/main.go
     binary: starboard-scanner-aqua
@@ -53,13 +68,15 @@ builds:
     goarm:
       - "7"
 archives:
-  - name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+  - name_template: >-
+      {{ .ProjectName }}_
+      {{- .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "arm" }}ARM
+      {{- else if eq .Arch "arm64" }}ARM64
+      {{- else }}{{ .Arch }}{{ end }}
     builds:
       - starboard
-    replacements:
-      amd64: x86_64
-      arm: ARM
-      arm64: ARM64
     format_overrides:
       - goos: windows
         format: zip
@@ -335,6 +352,86 @@ dockers:
       - "--platform=linux/ppc64le"
     extra_files:
       - LICENSE
+  - image_templates:
+      - "docker.io/aquasec/starboard-operator:{{ .Version }}-ubi8-fips-amd64"
+    use: buildx
+    goos: linux
+    dockerfile: build/starboard-operator/Dockerfile.fips.ubi8
+    goarch: amd64
+    ids:
+      - starboard-operator-fips
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title=starboard-operator"
+      - "--label=org.opencontainers.image.description=Keeps Starboard resources updated"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/starboard"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/starboard/v{{ .Version }}/"
+      - "--platform=linux/amd64"
+    extra_files:
+      - LICENSE
+  - image_templates:
+      - "docker.io/aquasec/starboard-operator:{{ .Version }}-ubi8-fips-arm64"
+    use: buildx
+    goos: linux
+    dockerfile: build/starboard-operator/Dockerfile.fips.ubi8
+    goarch: arm64
+    ids:
+      - starboard-operator-fips
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title=starboard-operator"
+      - "--label=org.opencontainers.image.description=Keeps Starboard resources updated"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/starboard"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/starboard/v{{ .Version }}/"
+      - "--platform=linux/arm64"
+    extra_files:
+      - LICENSE
+  - image_templates:
+      - "docker.io/aquasec/starboard-operator:{{ .Version }}-ubi8-fips-s390x"
+    use: buildx
+    goos: linux
+    dockerfile: build/starboard-operator/Dockerfile.fips.ubi8
+    goarch: s390x
+    ids:
+      - starboard-operator-fips
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title=starboard-operator"
+      - "--label=org.opencontainers.image.description=Keeps Starboard resources updated"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/starboard"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/starboard/v{{ .Version }}/"
+      - "--platform=linux/s390x"
+    extra_files:
+      - LICENSE
+  - image_templates:
+      - "docker.io/aquasec/starboard-operator:{{ .Version }}-ubi8-fips-ppc64le"
+    use: buildx
+    goos: linux
+    dockerfile: build/starboard-operator/Dockerfile.fips.ubi8
+    goarch: ppc64le
+    ids:
+      - starboard-operator-fips
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title=starboard-operator"
+      - "--label=org.opencontainers.image.description=Keeps Starboard resources updated"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/starboard"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/starboard/v{{ .Version }}/"
+      - "--platform=linux/ppc64le"
+    extra_files:
+      - LICENSE
 docker_manifests:
   - name_template: "aquasec/starboard:{{ .Version }}"
     image_templates:
@@ -353,6 +450,12 @@ docker_manifests:
       - "aquasec/starboard-operator:{{ .Version }}-ubi8-arm64"
       - "aquasec/starboard-operator:{{ .Version }}-ubi8-s390x"
       - "aquasec/starboard-operator:{{ .Version }}-ubi8-ppc64le"
+  - name_template: "aquasec/starboard-operator:{{ .Version }}-ubi8-fips"
+    image_templates:
+      - "aquasec/starboard-operator:{{ .Version }}-ubi8-fips-amd64"
+      - "aquasec/starboard-operator:{{ .Version }}-ubi8-fips-arm64"
+      - "aquasec/starboard-operator:{{ .Version }}-ubi8-fips-s390x"
+      - "aquasec/starboard-operator:{{ .Version }}-ubi8-fips-ppc64le"
   - name_template: "aquasec/starboard-scanner-aqua:{{ .Version }}"
     image_templates:
       - "aquasec/starboard-scanner-aqua:{{ .Version }}-amd64"

Makefile

@@ -20,6 +20,7 @@ STARBOARD_CLI_IMAGE := aquasec/starboard:$(IMAGE_TAG)
 STARBOARD_OPERATOR_IMAGE := aquasec/starboard-operator:$(IMAGE_TAG)
 STARBOARD_SCANNER_AQUA_IMAGE := aquasec/starboard-scanner-aqua:$(IMAGE_TAG)
 STARBOARD_OPERATOR_IMAGE_UBI8 := aquasec/starboard-operator:$(IMAGE_TAG)-ubi8
+STARBOARD_OPERATOR_IMAGE_UBI8_FIPS := aquasec/starboard-operator:$(IMAGE_TAG)-ubi8-fips
 
 MKDOCS_IMAGE := aquasec/mkdocs-material:starboard
 MKDOCS_PORT := 8000
@@ -38,6 +39,10 @@ build-starboard-cli: $(SOURCES)
 build-starboard-operator: $(SOURCES)
 	CGO_ENABLED=0 GOOS=linux go build -o ./bin/starboard-operator ./cmd/starboard-operator/main.go
 
+## Builds the starboard-operator binary
+build-starboard-operator-fips: $(SOURCES)
+	CGO_ENABLED=0 GOOS=linux GOEXPERIMENT=boringcrypto go build -tags fipsonly -o ./bin/starboard-operator-fips ./cmd/starboard-operator/main.go
+
 ## Builds the scanner-aqua binary
 build-starboard-scanner-aqua: $(SOURCES)
 	CGO_ENABLED=0 GOOS=linux go build -o ./bin/starboard-scanner-aqua ./cmd/scanner-aqua/main.go
@@ -139,7 +144,11 @@ docker-build-starboard-cli: build-starboard-cli
 ## Builds Docker image for Starboard operator
 docker-build-starboard-operator: build-starboard-operator
 	$(DOCKER) build --no-cache -t $(STARBOARD_OPERATOR_IMAGE) -f build/starboard-operator/Dockerfile bin
-
+
+## Builds Docker image for Starboard operator ubi8
+docker-build-starboard-operator-fips: build-starboard-operator-fips
+	$(DOCKER) build --no-cache -f build/starboard-operator/Dockerfile.fips.ubi8 -t $(STARBOARD_OPERATOR_IMAGE_UBI8_FIPS) bin
+
 ## Builds Docker image for Starboard operator ubi8
 docker-build-starboard-operator-ubi8: build-starboard-operator
 	$(DOCKER) build --no-cache -f build/starboard-operator/Dockerfile.ubi8 -t $(STARBOARD_OPERATOR_IMAGE_UBI8) bin

build/starboard-operator/Dockerfile.fips.ubi8

@@ -0,0 +1,16 @@
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+LABEL name="Starboard" \
+      vendor="Aqua Security Software Ltd." \
+      version="v0.15.17" \
+      summary="Starboard Operator."
+
+RUN microdnf install shadow-utils
+RUN useradd -u 10000 starboard
+WORKDIR /opt/bin/
+COPY starboard-operator-fips /usr/local/bin/starboard-operator
+COPY LICENSE /licenses/LICENSE
+
+USER starboard
+
+ENTRYPOINT ["starboard-operator"]

build/starboard-operator/Dockerfile.ubi8

@@ -2,7 +2,7 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal
 
 LABEL name="Starboard" \
       vendor="Aqua Security Software Ltd." \
-      version="v0.15.13" \
+      version="v0.15.17" \
       summary="Starboard Operator."
 
 RUN microdnf install shadow-utils

cmd/starboard-operator/fipsonly.go

@@ -0,0 +1,7 @@
+//go:build fipsonly
+
+package tls
+
+import (
+	_ "crypto/tls/fipsonly"
+)

deploy/crd/ciskubebenchreports.crd.yaml

@@ -5,7 +5,7 @@ metadata:
   name: ciskubebenchreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
 spec:
   group: aquasecurity.github.io
   versions:

deploy/crd/clustercompliancedetailreports.crd.yaml

@@ -5,7 +5,7 @@ metadata:
   name: clustercompliancedetailreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
 spec:
   group: aquasecurity.github.io
   versions:

deploy/crd/clustercompliancereports.crd.yaml

@@ -5,7 +5,7 @@ metadata:
   name: clustercompliancereports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
 spec:
   group: aquasecurity.github.io
   scope: Cluster

deploy/crd/clusterconfigauditreports.crd.yaml

@@ -5,7 +5,7 @@ metadata:
   name: clusterconfigauditreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
 spec:
   group: aquasecurity.github.io
   versions:

deploy/crd/clustervulnerabilityreports.crd.yaml

@@ -5,7 +5,7 @@ metadata:
   name: clustervulnerabilityreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
 spec:
   group: aquasecurity.github.io
   versions:

deploy/crd/configauditreports.crd.yaml

@@ -5,7 +5,7 @@ metadata:
   name: configauditreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
 spec:
   group: aquasecurity.github.io
   versions:

deploy/crd/kubehunterreports.crd.yaml

@@ -5,7 +5,7 @@ metadata:
   name: kubehunterreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
 spec:
   group: aquasecurity.github.io
   versions:

deploy/crd/vulnerabilityreports.crd.yaml

@@ -5,7 +5,7 @@ metadata:
   name: vulnerabilityreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
 spec:
   group: aquasecurity.github.io
   versions:

deploy/helm/Chart.yaml

@@ -6,12 +6,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.13
+version: 0.10.16
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.15.13
+appVersion: 0.15.17
 
 # kubeVersion: A SemVer range of compatible Kubernetes versions (optional)
 

deploy/specs/nsa-1.0.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 spec:
   name: nsa

deploy/static/01-starboard-operator.ns.yaml

@@ -6,5 +6,5 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl

deploy/static/02-starboard-operator.rbac.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -17,7 +17,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 rules:
   - apiGroups:
@@ -175,7 +175,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 roleRef:
   apiGroup: rbac.authorization.k8s.io

deploy/static/03-starboard-operator.config.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: v1
@@ -18,7 +18,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: v1
@@ -29,7 +29,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 data:
   vulnerabilityReports.scanner: "Trivy"
@@ -45,7 +45,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 data:
   trivy.imageRef: "docker.io/aquasec/trivy:0.25.2"
@@ -66,7 +66,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 data:
   polaris.imageRef: "quay.io/fairwinds/polaris:4.2"

deploy/static/04-starboard-operator.policies.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.15.13"
+    app.kubernetes.io/version: "0.15.17"
     app.kubernetes.io/managed-by: kubectl
 data:
   library.kubernetes.rego: