From 3b125614de49047027aec5c639e442fe109dc671 Mon Sep 17 00:00:00 2001 From: Bharath B Date: Thu, 19 Feb 2026 16:39:10 +0530 Subject: [PATCH 1/5] NO-JIRA: logs operator version details during startup Signed-off-by: Bharath B --- Makefile | 23 +++++++++-- cmd/external-secrets-operator/main.go | 7 +++- pkg/version/version.go | 55 +++++++++++++++++++++++++++ 3 files changed, 79 insertions(+), 6 deletions(-) create mode 100644 pkg/version/version.go
diff --git a/Makefile b/Makefile
index 252e81f7..f7a80912 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 # Project path.
-PROJECT_ROOT := $(shell git rev-parse --show-toplevel)
+PROJECT_ROOT := $(shell git rev-parse --show-toplevel 2>/dev/null || pwd)
 # Warn when an undefined variable is referenced, helping catch typos and missing definitions.
 MAKEFLAGS += --warn-undefined-variables
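Review bot: The `|| pwd` fallback in `PROJECT_ROOT := $(shell git rev-parse --show-toplevel 2>/dev/null || pwd)` yields the invoking directory, not the project root, so a non-git build (source tarball, container build context) run from a subdirectory or via `make -C`/`-f` from elsewhere silently relocates everything derived from it (`LOCALBIN` is one example later in this diff). A fallback that does not depend on the caller's cwd is the Makefile's own location, `$(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))`, which is also valid when git is present. If `pwd` is intended to be the supported non-git mode, a one-line comment stating that the root must be the cwd would save the next reader the guess.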
@@ -92,9 +92,24 @@ endif
 # tools. (i.e. podman)
 CONTAINER_TOOL ?= podman
 
-COMMIT ?= $(shell git rev-parse HEAD)
-SHORTCOMMIT ?= $(shell git rev-parse --short HEAD)
-GOBUILD_VERSION_ARGS = -ldflags "-X $(PACKAGE)/pkg/version.SHORTCOMMIT=$(SHORTCOMMIT) -X $(PACKAGE)/pkg/version.COMMIT=$(COMMIT)"
+# GO_PACKAGE is the Go module path (used for ldflags to embed version info).
+GO_PACKAGE ?= $(shell go list -m)
+
+# Version information for ldflags injection.
+SOURCE_GIT_COMMIT ?= $(shell git rev-parse HEAD 2>/dev/null)
+BUILD_DATE ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
+
+# Extract major/minor from IMG_VERSION (e.g., 1.1.0 -> major=1, minor=1)
+IMG_VERSION_MAJOR = $(word 1,$(subst ., ,$(IMG_VERSION)))
+IMG_VERSION_MINOR = $(word 2,$(subst ., ,$(IMG_VERSION)))
+
+GOBUILD_VERSION_ARGS = -ldflags " \
+  -X $(GO_PACKAGE)/pkg/version.commitFromGit=$(SOURCE_GIT_COMMIT) \
+  -X $(GO_PACKAGE)/pkg/version.versionFromGit=v$(IMG_VERSION) \
+  -X $(GO_PACKAGE)/pkg/version.majorFromGit=$(IMG_VERSION_MAJOR) \
+  -X $(GO_PACKAGE)/pkg/version.minorFromGit=$(IMG_VERSION_MINOR) \
+  -X $(GO_PACKAGE)/pkg/version.buildDate=$(BUILD_DATE) \
+  "
 
 # Location to install dependencies to.
 LOCALBIN ?= $(PROJECT_ROOT)/bin
diff --git a/cmd/external-secrets-operator/main.go b/cmd/external-secrets-operator/main.go
index e1cf05f8..c5ef93f4 100644
--- a/cmd/external-secrets-operator/main.go
+++ b/cmd/external-secrets-operator/main.go
@@ -45,6 +45,7 @@ import (
 	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
 	escontroller "github.com/openshift/external-secrets-operator/pkg/controller/external_secrets"
 	"github.com/openshift/external-secrets-operator/pkg/operator"
+	"github.com/openshift/external-secrets-operator/pkg/version"
 	// +kubebuilder:scaffold:imports
 )
 
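Review bot: `BUILD_DATE ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')` embeds wall-clock time, so two builds of the same commit produce different binaries and the ldflags string changes on every `make` invocation, which defeats reproducible builds and provenance comparison for release artifacts. Honoring `SOURCE_DATE_EPOCH` when it is set keeps that property, e.g. `BUILD_DATE ?= $(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" +'%Y-%m-%dT%H:%M:%SZ')` (GNU date syntax; the `?=` still lets CI override it). `versionFromGit=v$(IMG_VERSION)` hard-codes the `v` prefix while `IMG_VERSION` is defined outside this hunk, so if that variable ever carries its own prefix the embedded version becomes `vv1.1.0`; a `$(patsubst v%,%,$(IMG_VERSION))` guard or a comment pinning the expected bare form would close that gap. `SOURCE_GIT_COMMIT` may legitimately be empty outside a git checkout, which is handled by `-X name=` setting an empty string; worth a short comment so nobody "fixes" the missing default.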
@@ -142,6 +143,8 @@ func main() {
 	logConfig := textlogger.NewConfig(textlogger.Verbosity(logLevel))
 	ctrl.SetLogger(textlogger.NewLogger(logConfig))
 
+	setupLog.Info("starting external-secrets-operator", "version", version.String())
+
 	if !enableHTTP2 {
 		// if the enable-http2 flag is false (the default), http/2 should be disabled
 		// due to its vulnerabilities.
@@ -159,7 +162,7 @@ func main() {
 
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:
-	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/server
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/metrics/server
 	// - https://book.kubebuilder.io/reference/metrics.html
 	metricsServerOptions := metricsserver.Options{
 		BindAddress: metricsAddr,
@@ -167,7 +170,7 @@ func main() {
 		// FilterProvider is used to protect the metrics endpoint with authn/authz.
 		// These configurations ensure that only authorized users and service accounts
 		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/metrics/filters#WithAuthenticationAndAuthorization
 		FilterProvider: filters.WithAuthenticationAndAuthorization,
 	}
 
diff --git a/pkg/version/version.go b/pkg/version/version.go
new file mode 100644
index 00000000..4d5c8cc2
--- /dev/null
+++ b/pkg/version/version.go
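Review bot: `setupLog.Info("starting external-secrets-operator", "version", version.String())` folds version, commit and build date into one pre-formatted value even though the logger takes key/value pairs, so log pipelines cannot filter on the commit or compare build dates across pods. Logging the `version.Get()` fields individually keeps them queryable: `v := version.Get()` followed by `setupLog.Info("starting external-secrets-operator", "gitVersion", v.GitVersion, "gitCommit", v.GitCommit, "buildDate", v.BuildDate)`. `main` continues outside this hunk and `setupLog` is declared elsewhere in the file; the other two hunks in this file only touch comment URLs.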
@@ -0,0 +1,55 @@
+// Package version provides build-time version information for the operator.
+package version
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/version"
+)
+
+// These variables are populated at build time via ldflags.
+// Example: go build -ldflags "-X github.com/openshift/external-secrets-operator/pkg/version.commitFromGit=$(git rev-parse HEAD)"
+var (
+	// commitFromGit is the source version that generated this build.
+	// Set via -ldflags during build.
+	commitFromGit string
+
+	// versionFromGit is the version tag that generated this build.
+	// Set via -ldflags during build.
+	versionFromGit string
+
+	// majorFromGit is the major version component.
+	// Set via -ldflags during build.
+	majorFromGit string
+
+	// minorFromGit is the minor version component.
+	// Set via -ldflags during build.
+	minorFromGit string
+
+	// buildDate is the build timestamp in ISO8601 format.
+	// Set via -ldflags during build using: $(date -u +'%Y-%m-%dT%H:%M:%SZ')
+	buildDate string
+)
+
+// Get returns the overall codebase version information.
+// It's used for detecting what code a binary was built from.
+func Get() version.Info {
+	return version.Info{
+		Major: majorFromGit,
+		Minor: minorFromGit,
+		GitCommit: commitFromGit,
+		GitVersion: versionFromGit,
+		BuildDate: buildDate,
+	}
+}
+
+// String returns a human-readable version string.
+// Format: "vX.Y.Z (commit: abc1234, built: 2024-01-01T00:00:00Z)"
+func String() string {
+	v := Get()
+	commit := v.GitCommit
+	if len(commit) > 7 {
+		commit = commit[:7]
+	}
+	return fmt.Sprintf("%s (commit: %s, built: %s)", v.GitVersion, commit, v.BuildDate)
+}
From d70092dc0703596d1f4c0e23e0a757c6c6b44bfe Mon Sep 17 00:00:00 2001 From: Bharath B Date: Thu, 19 Feb 2026 16:40:11 +0530 Subject: [PATCH 2/5] NO-JIRA: Updates the version NP manifests to macth operator version
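Review bot: `String()` renders as ` (commit: , built: )` whenever the binary is built without the Makefile's ldflags (plain `go build`, `go test`, IDE or ad-hoc image builds), because every `*FromGit` variable then keeps its zero value; the startup line becomes unreadable exactly when it matters most for telling a developer build from a release. `Get()` also leaves `GoVersion`, `Compiler` and `Platform` empty although `version.Info` carries them and the `runtime` package fills them without any ldflags, which is useful when triaging toolchain-level advisories against a running operator. The rewrite below substitutes `unknown` for uninjected fields and adds the runtime fields (`"runtime"` must be added to the import block); a further step would be to fall back to `debug.ReadBuildInfo()` `vcs.revision`/`vcs.time` settings when `commitFromGit` is empty. The seven-character truncation in `String()` is a no-op on `unknown`, so that function needs no change.
```go
// Get returns the overall codebase version information.
// Fields not injected via -ldflags report "unknown"; Go and platform
// details come from the runtime so they are present in every build.
func Get() version.Info {
	return version.Info{
		Major:      orUnknown(majorFromGit),
		Minor:      orUnknown(minorFromGit),
		GitCommit:  orUnknown(commitFromGit),
		GitVersion: orUnknown(versionFromGit),
		BuildDate:  orUnknown(buildDate),
		GoVersion:  runtime.Version(),
		Compiler:   runtime.Compiler,
		Platform:   runtime.GOOS + "/" + runtime.GOARCH,
	}
}

// orUnknown returns a stable placeholder for a value the build did not inject.
func orUnknown(s string) string {
	if s == "" {
		return "unknown"
	}
	return s
}

// … unchanged: String …
```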
Signed-off-by: Bharath B --- ...kpolicy_allow-api-server-and-webhook-traffic.yaml | 2 +- ..._allow-api-server-egress-for-bitwarden-sever.yaml | 2 +- ...pi-server-egress-for-cert-controller-traffic.yaml | 2 +- ...pi-server-egress-for-main-controller-traffic.yaml | 2 +- .../external-secrets/networkpolicy_allow-dns.yaml | 2 +- bindata/external-secrets/networkpolicy_deny-all.yaml | 2 +- images/ci/operand.Dockerfile | 2 +- pkg/operator/assets/bindata.go | 12 ++++++------ 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml index e0c19049..8623ad3e 100644 --- a/bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml +++ b/bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator external-secrets.io/component: webhook spec: diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml index 54cb9afb..497aa0fc 100644 --- a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml +++ b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: bitwarden-sdk-server app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator spec: podSelector: 
diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml index 5db1a64b..d0c1868d 100644 --- a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml +++ b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator spec: podSelector: diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml index 9882e4dd..7403600e 100644 --- a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml +++ b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator spec: podSelector: diff --git a/bindata/external-secrets/networkpolicy_allow-dns.yaml b/bindata/external-secrets/networkpolicy_allow-dns.yaml index 5e39bb77..50a94901 100644 --- a/bindata/external-secrets/networkpolicy_allow-dns.yaml +++ b/bindata/external-secrets/networkpolicy_allow-dns.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator name: allow-to-dns spec: 
diff --git a/bindata/external-secrets/networkpolicy_deny-all.yaml b/bindata/external-secrets/networkpolicy_deny-all.yaml index 1e1273f7..6c091ad8 100644 --- a/bindata/external-secrets/networkpolicy_deny-all.yaml +++ b/bindata/external-secrets/networkpolicy_deny-all.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator spec: podSelector: {} diff --git a/images/ci/operand.Dockerfile b/images/ci/operand.Dockerfile index edaccc35..b3d94ad8 100644 --- a/images/ci/operand.Dockerfile +++ b/images/ci/operand.Dockerfile @@ -1,6 +1,6 @@ FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.21 AS builder -ARG RELEASE_BRANCH=v0.19.0 +ARG RELEASE_BRANCH=v0.20.4 ARG GO_BUILD_TAGS=strictfipsruntime,openssl ARG SRC_DIR=/go/src/github.com/openshift/external-secrets diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go index 017f7c02..7c681348 100644 --- a/pkg/operator/assets/bindata.go +++ b/pkg/operator/assets/bindata.go @@ -159,7 +159,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator external-secrets.io/component: webhook spec: @@ -209,7 +209,7 @@ metadata: labels: app.kubernetes.io/name: bitwarden-sdk-server app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator spec: podSelector: 
@@ -254,7 +254,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator spec: podSelector: @@ -300,7 +300,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator spec: podSelector: @@ -344,7 +344,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator name: allow-to-dns spec: @@ -399,7 +399,7 @@ metadata: labels: app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v0.19.0" + app.kubernetes.io/version: "v1.1.0" app.kubernetes.io/managed-by: external-secrets-operator spec: podSelector: {} From 664c025d62a042e088f3c92c4544e64b00957a30 Mon Sep 17 00:00:00 2001 From: Bharath B Date: Thu, 19 Feb 2026 16:40:47 +0530 Subject: [PATCH 3/5] NO-JIRA: Improves CRD discovery error handling Signed-off-by: Bharath B --- pkg/controller/external_secrets/controller.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkg/controller/external_secrets/controller.go b/pkg/controller/external_secrets/controller.go index 519ec9c6..dc525d72 100644 --- a/pkg/controller/external_secrets/controller.go +++ b/pkg/controller/external_secrets/controller.go 
@@ -317,9 +317,14 @@ func isCRDInstalled(config *rest.Config, name, groupVersion string) (bool, error
 	}
 
 	resources, err := discoveryClient.ServerPreferredResources()
-	if err != nil {
+	// ServerPreferredResources() may return a partial result along with an error (e.g., when some API groups are
+	// unavailable). Currently, any error causes an immediate return, potentially missing CRDs that were successfully discovered.
+	if err != nil && len(resources) == 0 {
 		return false, fmt.Errorf("failed to discover resources list: %w", err)
 	}
+	if err != nil {
+		ctrl.Log.V(1).WithName("crd-discovery").Info("ServerPreferredResources returned partial results", "error", err)
+	}
 
 	for _, resource := range resources {
 		if resource.GroupVersion == groupVersion {
From f9a1a76bf0be39da96fe8b58e1de80a3252f9ec5 Mon Sep 17 00:00:00 2001 From: Bharath B Date: Thu, 19 Feb 2026 16:41:40 +0530 Subject: [PATCH 4/5] NO-JIRA: fips check depends on a sample go program instead of tools dir Signed-off-by: Bharath B --- hack/go-fips.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hack/go-fips.sh b/hack/go-fips.sh
index ffee324f..0bbb53e2 100755
--- a/hack/go-fips.sh
+++ b/hack/go-fips.sh
@@ -6,7 +6,13 @@ set -o errexit
 
 GOFLAGS="${GOFLAGS:-}"
 
-if GOEXPERIMENT="strictfipsruntime" go build ./tools > /dev/null 2>&1 ; then
+# Test if the go compiler supports GOEXPERIMENT=strictfipsruntime by building a minimal program.
+# Using ./tools doesn't work as it contains only tool dependency imports that aren't buildable.
+fips_test_file=$(mktemp --suffix=.go)
+trap 'rm -f ${fips_test_file}' EXIT
+echo 'package main; func main(){}' > "${fips_test_file}"
+
+if GOEXPERIMENT="strictfipsruntime" go build -o /dev/null "${fips_test_file}" > /dev/null 2>&1 ; then
 	echo "INFO: building with FIPS support"
 	export GOEXPERIMENT="strictfipsruntime"
 
From 0edb62964e15504a356147208bbed847e6ebed7b Mon Sep 17 00:00:00 2001
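Review bot: With `if err != nil && len(resources) == 0`, a partial discovery result can make `isCRDInstalled` report the CRD as absent instead of surfacing the outage: when the group that failed is the one being looked for, the `for _, resource := range resources` loop that begins at the end of this hunk finds no match and the function presumably returns `false, nil` (its tail is outside the hunk), so a transient aggregated-API failure now reads as "CRD not installed" and the caller cannot tell the two apart. Keeping `err` and returning it when `groupVersion` was not found, or checking the failed groups via `discovery.IsGroupDiscoveryFailedError(err)` and the `Groups` map of `*discovery.ErrGroupDiscoveryFailed` so that only failures unrelated to `groupVersion` are tolerated, preserves the new leniency without hiding the error. The added comment also describes the replaced behaviour (`Currently, any error causes an immediate return`), which is false once this change lands; reword it to state the new rule, e.g. `// Only fail when discovery returned nothing; a partial result is still searched below and the error is logged.`. The log call uses the global `ctrl.Log` rather than a request-scoped logger, which is fine here but worth noting since the rest of the function's logging style is not visible in the hunk.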
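Review bot: `fips_test_file=$(mktemp --suffix=.go)` relies on a GNU coreutils extension; on macOS/BSD `mktemp` it fails, and because the script runs under `set -o errexit` the whole build aborts instead of falling back to a non-FIPS build. `go build` only needs the file to end in `.go`, so a portable form is `fips_test_dir=$(mktemp -d)` and `fips_test_file="${fips_test_dir}/main.go"` with `trap 'rm -rf "${fips_test_dir}"' EXIT`, which also quotes the path inside the trap. The `trap … EXIT` replaces any EXIT trap set elsewhere in the script (the rest of the file is outside the hunk), and the probe file lives outside the module, so it is compiled without the repository's `go.mod`/vendor settings; that is probably intended for a toolchain-support probe, but a one-line comment saying so would prevent someone "fixing" it back into the module.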
From: Bharath B Date: Thu, 19 Feb 2026 17:35:53 +0530 Subject: [PATCH 5/5] NO-JIRA: Adds GO-2026-4337 to excluded list Signed-off-by: Bharath B --- hack/govulncheck.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hack/govulncheck.sh b/hack/govulncheck.sh
index 31af2ec4..fd568dde 100755
--- a/hack/govulncheck.sh
+++ b/hack/govulncheck.sh
@@ -27,7 +27,8 @@ set -o errexit
 # - https://pkg.go.dev/vuln/GO-2026-4340 - Handshake messages may be processed at the incorrect encryption level in crypto/tls
 # - https://pkg.go.dev/vuln/GO-2025-4175 - Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
 # - https://pkg.go.dev/vuln/GO-2025-4155 - Excessive resource consumption when printing error string for host certificate validation in crypto/x509
-KNOWN_VULNS_PATTERN="GO-2025-3547|GO-2025-3521|GO-2025-4240|GO-2026-4341|GO-2026-4340|GO-2025-4175|GO-2025-4155"
+# - https://pkg.go.dev/vuln/GO-2026-4337 - During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed.
+KNOWN_VULNS_PATTERN="GO-2025-3547|GO-2025-3521|GO-2025-4240|GO-2026-4341|GO-2026-4340|GO-2025-4175|GO-2025-4155|GO-2026-4337"
 
 GOVULNCHECK_BIN="${1:-}"
 OUTPUT_DIR="${2:-}"
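Review bot: The new `GO-2026-4337` entry in `KNOWN_VULNS_PATTERN` suppresses the finding indefinitely, but nothing in the hunk records why it is acceptable for this operator or when the exclusion should be removed; the comment above it restates the advisory text rather than the local assessment. Suppressions in a vulnerability gate are the lines a later reader or auditor will second-guess, so append the rationale and exit condition to the comment, e.g. `# - https://pkg.go.dev/vuln/GO-2026-4337 - … (accepted: <reason the affected code path is not reachable here>; remove once the fixed toolchain is picked up)`. The earlier entries in the list follow the same pattern, so the same note applies to them, not only to this line.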