Update CI workflow and update to use generic base images

Author: ciarams87

.github/workflows/ci.yml

@@ -3,7 +3,7 @@ name: Continuous Integration
 on:
   push:
     branches:
-      - 'main'
+      - main
     paths-ignore:
       - 'docs/**'
       - 'examples/**'
@@ -22,6 +22,9 @@ on:
       - 'examples/**'
       - '**.md'
 
+env:
+  platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
+
 concurrency:
   group: ${{ github.ref_name }}-ci
   cancel-in-progress: true
@@ -36,7 +39,7 @@ jobs:
       repo_name: ${{ steps.vars.outputs.repo }}
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Output Variables
         id: vars
         run: |
@@ -49,15 +52,27 @@ jobs:
     needs: vars
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: RedHat Registry Login
+      - name: DockerHub Login
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+        if: github.event_name != 'pull_request'
+      - name: Login to GitHub Container Registry
         uses: docker/login-action@v1
         with:
-          registry: registry.redhat.io
-          username: ${{ secrets.RH_DOCKER_USERNAME }}
-          password: ${{ secrets.RH_DOCKER_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        if: github.event_name != 'pull_request'
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: arm64,ppc64le,s390x
+        if: github.event_name != 'pull_request'
       - name: Docker Buildx
         uses: docker/setup-buildx-action@v1
       - name: Docker meta
@@ -66,6 +81,7 @@ jobs:
         with:
           images: |
             nginx/nginx-ingress-operator
+            ghcr.io/nginxinc/nginx-ingress-operator
           tags: |
             type=edge
             type=ref,event=pr
@@ -76,16 +92,13 @@ jobs:
       - name: Output Variables
         id: var
         run: |
-
           version=${{ steps.meta.outputs.version }}
-          operator_version=v$version
-          # TODO: Uncomment below once tags have been created
-          # if ${{ startsWith(github.ref, 'refs/tags/') }}; then
-          #     operator_version=v$version
-          # else
-          #     tag=$(git describe --tags --abbrev=0)
-          #     operator_version=$tag-$version-${{ needs.vars.outputs.sha_short }}
-          # fi
+          if ${{ startsWith(github.ref, 'refs/tags/') }}; then
+              operator_version=v$version
+          else
+              tag=$(git describe --tags --abbrev=0)
+              operator_version=$tag-$version-${{ needs.vars.outputs.sha_short }}
+          fi
           echo "::set-output name=version::$operator_version"
       - name: Build Image
         uses: docker/build-push-action@v2
@@ -95,19 +108,18 @@ jobs:
           cache-to: type=gha,mode=max
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          load: true
-          # TODO: Uncomment the following line when we are ready to push (multi-arch doesn't work woth "load")
-          # platforms: "linux/amd64,linux/arm64,linux/ppc64le, linux/s390x"
+          platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
+          load: ${{ github.event_name == 'pull_request' }}
+          push: ${{ github.event_name != 'pull_request' }}
           pull: true
           build-args: |
             VERSION=${{ steps.var.outputs.version }}
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/[email protected].1
+        uses: aquasecurity/[email protected].3
         continue-on-error: true
         with:
           image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
+          format: 'sarif'
           output: 'trivy-results.sarif'
           ignore-unfixed: 'true'
       - name: Upload Trivy scan results to GitHub Security tab
@@ -116,7 +128,7 @@ jobs:
         with:
           sarif_file: 'trivy-results.sarif'
       - name: Upload Scan Results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         continue-on-error: true
         with:
           name: 'trivy-results.sarif'

.github/workflows/dockerhub-description.yml

@@ -15,14 +15,13 @@ jobs:
   dockerHubDescription:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Modify readme for DockerHub
         run: |
           sed -i '1,2d' README.md
-
       - name: Docker Hub Description
-        uses: peter-evans/dockerhub-description@v2
+        uses: peter-evans/dockerhub-description@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}

.github/workflows/fossa.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Scan
         uses: fossas/fossa-action@v1
         with:

.github/workflows/stale.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/stale@v4
+      - uses: actions/stale@v5
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'

Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.redhat.io/openshift4/ose-helm-operator:v4.10
+FROM quay.io/operator-framework/helm-operator:v1.16.0
 
 ARG VERSION
 

Makefile

@@ -192,3 +192,8 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+# Get medatada to prepare the bundle to be submitted at https://github.com/redhat-openshift-ecosystem/certified-operators/
+.PHONY: get-metadata-certification
+get-metadata-certification:
+	@./hack/get_image_info.sh ${IMAGE_TAG_BASE} ${VERSION}

README.md

@@ -31,7 +31,7 @@ Note: The NGINX Ingress Operator works only for NGINX Ingress Controller version
 
 1. Install the NGINX Ingress Operator. See [docs](./docs/installation.md).
    <br> NOTE: To use TransportServers as part of your NGINX Ingress Controller configuration, a GlobalConfiguration resource must be created *before* starting the Operator - [see the notes](./examples/deployment-oss-min/README.md#TransportServers)
-2. Create a default server secret on the cluster - an example yaml for this can be found in the [examples folder](https://github.com/nginxinc/nginx-ingress-operator-helm/blob/v1.0.0/examples/default-server-secret.yaml)
+2. Create a default server secret on the cluster - an example yaml for this can be found in the [examples folder](https://github.com/nginxinc/nginx-ingress-helm-operator/blob/v1.0.0/examples/default-server-secret.yaml)
 3. (If using OpenShift) Create the scc resource on the cluster by applying the scc.yaml file found in the `resources` folder of this repo:
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-operator-helm/v1.0.0/resources/scc.yaml
@@ -44,6 +44,15 @@ Note: The NGINX Ingress Operator works only for NGINX Ingress Controller version
       * Set the `controller.serviceAccount.imagePullSecretName` if applicable
     * For full configuration details see the Helm documentation [here](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/#configuration).
 
+
+## Notes: Multiple NIC Deployments
+* Please see [the NGINX Ingress Controller doumentation](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) for general information on running multiple NGINX Ingress Controllers in your cluster.
+* To run multiple NIC instances deployed by the NGINX Ingress Operator in your cluster in the same namespace, `rbac.create` should be set to `false`, and the ServiceAccount and ClusterRoleBinding need to be created independently of the deployments. Please note that `controller.serviceAccount.imagePullSecretName` will also be ignored in this configuration, and will need to be configured as part of the independant ServiceAccount creation.
+* The ClusterRoleBinding needs to configured to bind to the `nginx-ingress-operator-nginx-ingress-admin` ClusterRole.
+* See [RBAC example spec](../resources/rbac-example.yaml) for an example ServiceAccount and ClusterRoleBinding manifest.
+* To run multiple NIC instances deployed by the NGINX Ingress Operator in your cluster in any namespace but sharing an IngressClass, `controller.ingressClass` should be set to an empty string and the IngressClass resource needs to be created independantly of the deployments.Please note that `controller.setAsDefaultIngress` will also be ignored in this configuration, and will need to be configured as part of the independant IngressClass creation.
+* See [IngressClass example spec](../resources/ingress-class.yaml) for an example IngressClass manifest.
+
 ## Upgrades
 
 See [upgrade docs](./docs/upgrades)

bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml

@@ -139,17 +139,19 @@ metadata:
     containerImage: nginx/nginx-ingress-operator:1.0.0
     description: The NGINX Ingress Operator is a Kubernetes/OpenShift component which
       deploys and manages one or more NGINX/NGINX Plus Ingress Controllers
-    operators.operatorframework.io/builder: operator-sdk-v1.10.1-ocp
+    operators.operatorframework.io/builder: operator-sdk-v1.16.0-ocp
     operators.operatorframework.io/project_layout: helm.sdk.operatorframework.io/v1
-    repository: https://github.com/nginxinc/nginx-ingress-operator
+    repository: https://github.com/nginxinc/nginx-ingress-helm-operator
     support: NGINX Inc.
   name: nginx-ingress-operator.v1.0.0
-  namespace: openshift-operators
+  namespace: placeholder
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
     owned:
-    - displayName: Nginx Ingress Controller
+    - description: The `NginxIngress` Custom Resource is the definition of a deployment
+        of the Ingress Controller.
+      displayName: Nginx Ingress Controller
       kind: NginxIngress
       name: nginxingresses.charts.nginx.org
       version: v1alpha1
@@ -287,6 +289,8 @@ spec:
           strategy: {}
           template:
             metadata:
+              annotations:
+                kubectl.kubernetes.io/default-container: manager
               labels:
                 control-plane: controller-manager
             spec:
@@ -296,7 +300,7 @@ spec:
                 - --metrics-bind-address=127.0.0.1:8080
                 - --leader-elect
                 - --leader-election-id=nginx-ingress-operator
-                image: registry.connect.redhat.com/nginx/nginx-ingress-operator:1.0.0
+                image: nginx/nginx-ingress-operator:1.0.0
                 livenessProbe:
                   httpGet:
                     path: /healthz
@@ -310,15 +314,21 @@ spec:
                     port: 8081
                   initialDelaySeconds: 5
                   periodSeconds: 10
-                resources: {}
+                resources:
+                  limits:
+                    cpu: 500m
+                    memory: 256Mi
+                  requests:
+                    cpu: 250m
+                    memory: 128Mi
                 securityContext:
                   allowPrivilegeEscalation: false
               - args:
                 - --secure-listen-address=0.0.0.0:8443
                 - --upstream=http://127.0.0.1:8080/
                 - --logtostderr=true
                 - --v=10
-                image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.9
+                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
                 name: kube-rbac-proxy
                 ports:
                 - containerPort: 8443
@@ -382,7 +392,7 @@ spec:
   - openshift
   links:
   - name: Nginx Ingress Operator
-    url: https://github.com/nginxinc/nginx-ingress-operator
+    url: https://github.com/nginxinc/nginx-ingress-helm-operator
   maintainers:
   - email: [email protected]
     name: NGINX Inc

config/default/manager_auth_proxy_patch.yaml

@@ -10,7 +10,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.10
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

config/manager/manager.yaml

@@ -51,9 +51,9 @@ spec:
         resources:
           limits:
             cpu: 500m
-            memory: 128Mi
+            memory: 256Mi
           requests:
-            cpu: 10m
-            memory: 64Mi
+            cpu: 250m
+            memory: 128Mi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10