stackrox · kurlov · Jul 1, 2025 · Jul 7, 2025 · Jul 7, 2025 · Jul 8, 2025
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,6 @@
 
 # Leftover staging directory for importing legacy catalog. Can be safely deleted
 /catalog-migrate/
+
+# Ignore VS code local settings
+.vscode
@@ -27,17 +27,15 @@ spec:
     - use
     - $(params.SOURCE_ARTIFACT)=/var/workdir/source
   - name: check-generated-files-up-to-date
-    image: registry.access.redhat.com/ubi9:latest@sha256:8851294389a8641bd6efcd60f615c69e54fb0e2216ec8259448b35e3d9a11b06
+    image: registry.redhat.io/ubi9/go-toolset@sha256:3ce6311380d5180599a3016031a9112542d43715244816d1d0eabc937952667b
     workingDir: /var/workdir/source
+    securityContext:
+      runAsUser: 0
     script: |
       #!/usr/bin/env bash
       set -euo pipefail
       set -x
 
-      time dnf -y upgrade --nobest
-      # TODO: find an image with these preinstalled to reduce flakiness
-      time dnf -y install git make jq
-
       time make clean
       cmd="make valid-catalogs"
       time $cmd

@@ -1,7 +1,7 @@
 apiVersion: tekton.dev/v1
 kind: Task
 metadata:
-  name: check-catalog-template-has-only-released-images
+  name: check-operator-images-are-only-released-images
   namespace: rh-acs-tenant
 spec:
   description: This task is to prevent operator bundle images from quay.io or any repositories other than release ones to be added to the `master` branch. This is to make sure `master` is in good state to be released and would not require first cleaning unreleased bundles from it.
@@ -30,7 +30,7 @@ spec:
       #!/usr/bin/env bash
       set -euo pipefail
 
-      if yq eval '.. | select(has("image")) | .image' catalog-template.yaml | grep -vE '^registry\.redhat\.io/advanced-cluster-security/rhacs-operator-bundle(:|@)'; then
-        echo >&2 "catalog-template.yaml has image(s) not from registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle. It is not allowed to merge such bundle images to master branch because it will no longer be releasable."
+      if yq eval '.images[].image' bundles.yaml | grep -vE '^registry\.redhat\.io/advanced-cluster-security/rhacs-operator-bundle(:|@)'; then
+        echo >&2 "bundles.yaml has image(s) not from registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle. It is not allowed to merge such bundle images to master branch because it will no longer be releasable."
         exit 1
       fi
@@ -83,6 +83,28 @@ spec:
       - name: basic-auth
         workspace: git-auth
 
+    - name: run-go-unit-tests
+      taskSpec:
+        metadata:
+          name: run-go-unit-tests
+        volumes:
+        - name: workdir
+          emptyDir: { }
+        stepTemplate:
+          volumeMounts:
+          - mountPath: /var/workdir
+            name: workdir
+        steps:
+        - name: use-trusted-artifact
+          image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:9b180776a41d9a22a1c51539f1647c60defbbd55b44bbebdd4130e33512d8b0d
+          args:
+          - use
+          - $(tasks.clone-repository.results.SOURCE_ARTIFACT)=/var/workdir/source
+        - name: run-go-tests
+          image: registry.redhat.io/ubi9/go-toolset@sha256:3ce6311380d5180599a3016031a9112542d43715244816d1d0eabc937952667b
+          workingDir: /var/workdir/source
+          script: time make go-test
+
     - name: check-generated-files-up-to-date
       params:
       - name: SOURCE_ARTIFACT
@@ -92,10 +114,9 @@ spec:
       taskRef:
         name: check-generated-files-up-to-date
 
-    - name: check-catalog-template-has-only-released-images
+    - name: check-operator-images-are-only-released-images
       params:
       - name: SOURCE_ARTIFACT
         value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
-      retries: 3
       taskRef:
-        name: check-catalog-template-has-only-released-images
+        name: check-operator-images-are-only-released-images
diff --git a/Makefile b/Makefile
@@ -6,13 +6,18 @@ MAKEFLAGS += "-j 2"
 
 OPM = .bin/opm-$(OPM_VERSION)
 
+GO := go
+
+GENERATE_SCRIPT_FOLDER = ./cmd/generate-catalog/
+
 .PHONY: valid-catalogs
 valid-catalogs: $(CATALOGS) $(OPM)
 	$(OPM) validate catalog-bundle-object
 	$(OPM) validate catalog-csv-metadata
 
 .PHONY: clean
 clean:
+	rm -f catalog-template.yaml
 	rm -f $(CATALOGS)
 	rm -rf $$(dirname $(OPM))
 
@@ -24,6 +29,13 @@ catalog-csv-metadata/rhacs-operator/catalog.json: catalog-template.yaml $(OPM)
 	mkdir -p "$$(dirname "$@")"
 	$(OPM) alpha render-template basic --migrate-level bundle-object-to-csv-metadata $< > $@
 
+# update template/catalog-template.yaml based on bundles.yaml file.
+catalog-template.yaml: bundles.yaml $(wildcard $(GENERATE_SCRIPT_FOLDER)/*.go)
+	@$(GO) run $(GENERATE_SCRIPT_FOLDER)
+
+go-test:
+	@$(GO) test -cover -v ./cmd/...
+
 $(OPM):
 	mkdir -p "$$(dirname $@)"
 	os_name="$$(uname | tr '[:upper:]' '[:lower:]')"; \

diff --git a/README.md b/README.md
@@ -13,97 +13,32 @@ See more in [our docs](https://spaces.redhat.com/display/StackRox/How+to+everyth
 
 ### <a name="add-bundle"></a> Adding new ACS operator version
 
-Do the following changes in the `catalog-template.yaml` file.
-
-1. Add bundle image.
-   1. Find entries with `schema: olm.bundle` towards the end of the file.
-   2. Add a new entry for your bundle image.  
-      It should look something like this:
-      ```yaml
-      - schema: olm.bundle
-        # 4.7.9
-        image: brew.registry.redhat.io/rh-osbs/rhacs-operator-bundle@sha256:c82e8330c257e56eb43cb5fa7b0c842a7f7f0414e32e26a792ef36817cb5ca02
-      ```
-      * Note that the image must be referenced by digest, not by tag.
-      * Keep entries sorted according to version.
-      * Add a comment stating the version, see how it's done for other items there.
-      * You may add bundle images from `quay.io`, `brew.registry.redhat.io` and so on (provided they exist and are
-        pullable) during development and/or when preparing to release.  
-        Ultimately, all released bundle images must come from
-        `registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle` repo because this is where customers expect
-        to find them. There's a CI check which prevents pushing to `master` if there's any bundle from
-        a different repo.
-      * If you're adding a bundle as part of downstream release, you will find bundle image's digest in the email with
-        a subject `[CVP] (SUCCESS) cvp-redhatadvancedclustersecurity: rhacs-operator-bundle-container-4.Y.Z-x`. Open the
-        link in `Brew Build Info` and find the digest of the
-        `registry-proxy.engineering.redhat.com/rh-osbs/rhacs-operator-bundle` image. Take that image and replace
-        `registry-proxy.engineering.redhat.com` with `brew.registry.redhat.io`.
-2. Add entry to the `stable` channel.
-   1. Find the `stable` channel block. It starts with:
-      ```yaml
-      - schema: olm.channel
-        name: stable
-      ```
-   2. Add a new item into its `entries` list.
-      * Entries must be sorted by version (e.g., you must insert `4.8.2` after `4.8.1` but before `4.9.0`).
-      * Ensure there are consistent blank lines between entries of different Y-streams.
-      * Entry format is
-        ```yaml
-        - &bundle-4-Y-Z
-          name: rhacs-operator.v4.Y.Z
-          replaces: rhacs-operator.v4.PREVIOUS_Y.PREVIOUS_Z
-          skipRange: '>= 4.(Y-1).0 < 4.Y.Z'
-        ```
-        Replace
-        * `Y` with minor version (e.g., `8` in `4.8.2`),
-        * `Z` with patch version (e.g., `2` in `4.8.2`),
-        * `PREVIOUS_Y` and `PREVIOUS_Z` with minor and patch versions of the previous item (e.g., when you add `4.8.2`
-          after `4.8.1`, that'd be `8` and `1`; when you add `4.9.0` after `4.8.3`, that'd be `8` and `3`),
-        * `(Y-1)` with the value of `Y` minus 1 (e.g., when you add `4.8.2`, that'd be `7`).
-   3. If the item you added is not the last one in the `entries` list, i.e., not the highest version, adjust the next
-      item in the `entries` list.  
-      Set its `replaces:` to be `rhacs-operator.v4.Y.Z`.  
-      For example:
-      ```yaml
-      - &bundle-4-7-4  # <-------- this was already there
-        name: rhacs-operator.v4.7.4
-        replaces: rhacs-operator.v4.7.3
-        skipRange: '>= 4.6.0 < 4.7.4'
-      - &bundle-4-7-5  # <-------- this one I'm adding
-        name: rhacs-operator.v4.7.5
-        replaces: rhacs-operator.v4.7.4
-        skipRange: '>= 4.6.0 < 4.7.5'
-
-      - &bundle-4-8-0  # <-------- this was already there
-        name: rhacs-operator.v4.8.0
-        replaces: rhacs-operator.v4.7.4   # <-------- must change here to rhacs-operator.v4.7.5
-        skipRange: '>= 4.7.0 < 4.8.0'
-      ```
-3. Add entry to `rhacs-4.?` channels.
-   * For every `schema: olm.channel` with `name` like `rhacs-4.?` where `?` is >= `Y`,
-   * add `- *bundle-4-Y-Z` to the `entries:` list (replacing `Y` and `Z` with minor and patch versions).
-   * Maintain the entries sorted and with consistent linebreaks.
-4. Add `rhacs-4.Y` channel. Skip this step if the channel already exists (i.e., when `Z` > `0`).
-   * Keep the channels sorted.
-   * In the `entries:`, reference all items from `4.0.0` up to (and including) `4.Y.Z`.
-
-   It should look something like this (replacing `Y`, `Z` as appropriate):
+1. Open `bundles.yaml` file.
+2. Add a new operator bundle image with version:
    ```yaml
-   - schema: olm.channel
-     name: rhacs-4.Y
-     package: rhacs-operator
-     entries:
-     - *bundle-4-0-0
-     - *bundle-4-0-1
-     # ... and so on ...
-
-     - *bundle-4-Y-Z
+      - image: brew.registry.redhat.io/rh-osbs/rhacs-operator-bundle@sha256:c82e8330c257e56eb43cb5fa7b0c842a7f7f0414e32e26a792ef36817cb5ca02
+        version: X.Y.Z
    ```
+   * Note that the image must be referenced by digest, not by tag.
+   * Keep entries sorted by version.
+   * You may add bundle images from `quay.io`, `brew.registry.redhat.io` and so on (provided they exist and are pullable) during development and/or when preparing to release.  
+      Ultimately, all released bundle images must come from
+      `registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle` repo because this is where customers expect
+      to find them. There's a CI check which should make it impossible to push to `master` if there's any bundle from
+      a different repo.
+   * If you're adding a bundle as part of downstream release, you will find bundle image's digest in
+      `[CVP] (SUCCESS) cvp-redhatadvancedclustersecurity: rhacs-operator-bundle-container-4.Y.Z-x` email. Open the
+      link in `Brew Build Info` and find the digest of the
+      `registry-proxy.engineering.redhat.com/rh-osbs/rhacs-operator-bundle` image. Take that image and replace
+      `registry-proxy.engineering.redhat.com` with `brew.registry.redhat.io`.
+3. Update `oldest_supported_version` value:
+   * Check `Life Cycle Dates` table in [Red Hat Advanced Cluster Security for Kubernetes Support Policy](https://access.redhat.com/support/policy/updates/rhacs).
+   * Set `oldest_supported_version` to be the oldest Y-Stream version still in support according to that table, including Maintenance Support. Patch number should always be `.0`. For example, if 4.6 is the oldest in support (maintenance phase), set `oldest_supported_version: 4.6.0`.
+4. Run `make catalog-template.yaml`. This step should update `catalog-template.yaml` with the new version.
+5. Update catalogs (follow [updating catalogs steps](#updating-catalogs))
+6. Open a PR with `Add 4.Y.Z version` title.
 
-Once done with `catalog-template.yaml`:
 
-1. Update catalogs (follow [updating catalogs](#updating-catalogs) steps below).
-2. Open a PR with `Add 4.Y.Z version` title.
 
 ### Updating catalogs