Add support for linux/s390x and linux/arm64 (Red Hat) (#1152)

* Bump ubi10 to 10.1
* Update the build
* Run dependabot daily for all types
* Fix integration test make target
* Add bats test for CSI driver securityContext
* Rejig the build add arm64 support
* Drop vestigial build-docker-ubi-redhat step
* Add operator framework labels.

Helm:
- Add the ability set the securityContext for the CSI driver.


Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

---------

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Author: benashz

.github/dependabot.yaml

@@ -10,7 +10,7 @@ updates:
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "daily"
     groups:
       gomod-breaking:
         update-types:
@@ -22,7 +22,7 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "daily"
     # Disable version updates and only check security updates for github
     # actions, since we can't bump the versions until they're on our allow-list
     open-pull-requests-limit: 0

.github/workflows/build.yaml

@@ -122,7 +122,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        arch: ["arm64", "amd64"]
+        arch: ["arm64", "amd64", "s390x"]
       fail-fast: true
     steps:
       - name: Checkout
@@ -207,7 +207,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        arch: ["arm64", "amd64"]
+        arch: ["arm64", "amd64", "s390x"]
     env:
       repo: ${{github.event.repository.name}}
       version: ${{needs.get-product-version.outputs.product-version}}
@@ -227,6 +227,7 @@ jobs:
           version: ${{env.version}}
           target: release-ubi
           arch: ${{matrix.arch}}
+          redhat_tag: quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}}
           tags: |
             docker.io/hashicorp/${{env.repo}}:${{env.image_tag}}
             public.ecr.aws/hashicorp/${{env.repo}}:${{env.image_tag}}
@@ -243,51 +244,6 @@ jobs:
             exit 1
           fi
 
-  build-docker-ubi-redhat:
-    name: UBI ${{ matrix.arch }} RedHat build
-    needs:
-      - get-product-version
-      - build-pre-checks
-      - build
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        # Building only amd64 for the RedHat registry for now
-        arch: ["amd64"]
-    env:
-      repo: ${{github.event.repository.name}}
-      version: ${{needs.get-product-version.outputs.product-version}}
-      image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup scripts directory
-        shell: bash
-        run: |
-          make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
-      - name: Docker Build (Action)
-        uses: hashicorp/actions-docker-build@v2
-        env:
-          VERSION: ${{ needs.get-product-version.outputs.product-version }}
-          GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }}
-        with:
-          version: ${{env.version}}
-          target: release-ubi-redhat
-          arch: ${{matrix.arch}}
-          # The quay id here corresponds to the project id on RedHat's portal
-          redhat_tag: quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}}
-
-      - name: Check binary version in container
-        shell: bash
-        run: |
-          version_output=$(docker run quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}} --version --output=json)
-          echo $version_output
-          git_version=$(echo $version_output | jq -r .gitVersion)
-
-          if [ "$git_version" != "${{ env.version }}" ]; then
-            echo "$gitVersion expected to be ${{ env.version }}"
-            exit 1
-          fi
-
   chart-upgrade-tests:
     runs-on: ubuntu-latest
     needs:
@@ -312,6 +268,7 @@ jobs:
         - "0.9.1"
         - "0.10.0"
         - "1.0.0"
+        - "1.0.1"
     steps:
       - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
@@ -475,7 +432,6 @@ jobs:
       - build
       - build-docker
       - build-docker-ubi
-      - build-docker-ubi-redhat
       - chart-upgrade-tests
       - unit-tests
       - latest-vault

.release/vault-secrets-operator-artifacts.hcl

@@ -6,12 +6,17 @@ artifacts {
   zip = [
     "vault-secrets-operator_${version}_linux_amd64.zip",
     "vault-secrets-operator_${version}_linux_arm64.zip",
+    "vault-secrets-operator_${version}_linux_s390x.zip",
   ]
   container = [
     "vault-secrets-operator_release-default_linux_amd64_${version}_${commit_sha}.docker.tar",
     "vault-secrets-operator_release-default_linux_arm64_${version}_${commit_sha}.docker.tar",
-    "vault-secrets-operator_release-ubi-redhat_linux_amd64_${version}_${commit_sha}.docker.redhat.tar",
+    "vault-secrets-operator_release-default_linux_s390x_${version}_${commit_sha}.docker.tar",
+    "vault-secrets-operator_release-ubi_linux_amd64_${version}_${commit_sha}.docker.redhat.tar",
+    "vault-secrets-operator_release-ubi_linux_arm64_${version}_${commit_sha}.docker.redhat.tar",
+    "vault-secrets-operator_release-ubi_linux_s390x_${version}_${commit_sha}.docker.redhat.tar",
     "vault-secrets-operator_release-ubi_linux_amd64_${version}_${commit_sha}.docker.tar",
     "vault-secrets-operator_release-ubi_linux_arm64_${version}_${commit_sha}.docker.tar",
+    "vault-secrets-operator_release-ubi_linux_s390x_${version}_${commit_sha}.docker.tar",
   ]
 }

chart/templates/csi-driver.yaml

@@ -61,10 +61,14 @@ spec:
       annotations:
       {{- include "vso.csi.annotations" . | nindent 8 }}
     spec:
+      {{- with.Values.csi.securityContext }}
+      securityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ include "vso.chart.fullname" . }}-csi
       {{- with .Values.csi.hostAliases }}
       hostAliases:
-      {{- toYaml . | nindent 8 }}
+      {{ toYaml . | nindent 8 }}
       {{- end }}
       {{- if .Values.csi.affinity }}
       affinity:
@@ -130,8 +134,10 @@ spec:
           value: {{ .value }}
         {{- end }}
         imagePullPolicy: {{ .Values.csi.driver.image.pullPolicy }}
+        {{- with .Values.csi.driver.securityContext }}
         securityContext:
-          privileged: true
+        {{- toYaml . | nindent 10 }}
+        {{- end }}
         livenessProbe:
             failureThreshold: 5
             httpGet:

chart/values.yaml

@@ -928,6 +928,12 @@ csi:
   # @type: boolean
   enabled: false
 
+  # Configures the Pod level security context
+  # https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+  #
+  # Note: the driver container security context can be configured below.
+  securityContext: {}
+
   # Host Aliases settings for the `vault-secrets-operator-csi` pods as
   # an array of PodSpec HostAlias maps.
   # ref: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/
@@ -1006,6 +1012,16 @@ csi:
   annotations: {}
 
   driver:
+    # Configures the driver container's security context
+    # https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+    #
+    # Note: the Pod level security can also be configured above.
+    #
+    # Note: when deploying to an OpenShift cluster you should set:
+    #   privileged: true
+    #
+    securityContext: {}
+
     # Image information for the CSI driver.
     # ref: https://kubernetes.io/docs/concepts/containers/images/
     image:

config/manifests/bases/vault-secrets-operator.clusterserviceversion.yaml

@@ -72,6 +72,11 @@ metadata:
     features.operators.openshift.io/token-auth-gcp: "false"
     repository: https://github.com/hashicorp/vault-secrets-operator
     support: HashiCorp
+  labels:
+    operatorframework.io/arch.amd64: supported
+    operatorframework.io/arch.arm64: supported
+    operatorframework.io/arch.s390x: supported
+    operatorframework.io/os.linux: supported
   name: vault-secrets-operator.v0.0.0-dev
   namespace: placeholder
 spec:

test/integration/charts/postgresql/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

test/integration/charts/postgresql/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: postgresql
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "18.0"

test/integration/charts/postgresql/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "postgresql.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "postgresql.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

test/integration/charts/postgresql/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "postgresql.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "postgresql.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "postgresql.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "postgresql.labels" -}}
+helm.sh/chart: {{ include "postgresql.chart" . }}
+{{ include "postgresql.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "postgresql.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "postgresql.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "postgresql.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "postgresql.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}