ART-14816: Add Containerfile.art for ART builds

.gitignore

@@ -26,3 +26,7 @@ cover.html
 # dirs to ignore
 bin
 _output
+
+# do not apply ignore rules to anything in vendor/ dir
+!vendor/
+!vendor/**

Containerfile.art

@@ -0,0 +1,50 @@
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder
+
+# Values for below ARGs will passed from tekton configs for konflux builds.
+## Release version of the external-secrets-operator source code used in the build.
+ARG RELEASE_VERSION
+## Commit hash that considered for the image build.
+ARG COMMIT_SHA
+## GitHub URL of the external-secrets-operator source repository.
+ARG SOURCE_URL
+## The location where the source code is stored.
+ARG SOURCE_DIR="/go/src/github.com/openshift/external-secrets-operator"
+
+WORKDIR $SOURCE_DIR
+# ART builds from source repos without git submodules
+COPY . .
+COPY LICENSE /licenses/
+
+RUN IMG_VERSION=${BUILD_VERSION:-${RELEASE_VERSION#v}} SOURCE_GIT_COMMIT=${SOURCE_GIT_COMMIT:-${COMMIT_SHA}} make build
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183
+
+ARG RELEASE_VERSION
+ARG COMMIT_SHA
+ARG SOURCE_URL
+ARG SOURCE_DIR="/go/src/github.com/openshift/external-secrets-operator"
+
+COPY --from=builder $SOURCE_DIR/bin/external-secrets-operator /bin/external-secrets-operator
+COPY --from=builder /licenses /licenses
+
+USER 65534:65534
+
+LABEL com.redhat.component="external-secrets-operator-container" \
+      cpe="cpe:/a:redhat:external_secrets_operator:1.1::el9" \
+      name="external-secrets-operator/external-secrets-operator-rhel9" \
+      version="${RELEASE_VERSION}" \
+      summary="external-secrets-operator" \
+      maintainer="Red Hat, Inc." \
+      description="external-secrets-operator-container" \
+      vendor="Red Hat, Inc." \
+      release="${RELEASE_VERSION}" \
+      io.openshift.expose-services="" \
+      io.openshift.build.commit.id="${COMMIT_SHA}" \
+      io.openshift.build.source-location="${SOURCE_URL}" \
+      io.openshift.build.commit.url="${SOURCE_URL}/commit/${COMMIT_SHA}" \
+      io.openshift.maintainer.product="OpenShift Container Platform" \
+      io.openshift.tags="data,images,operator,external-secrets,external-secrets-operator" \
+      io.k8s.display-name="openshift-external-secrets-operator" \
+      io.k8s.description="external-secrets-operator-container"
+
+ENTRYPOINT ["/bin/external-secrets-operator"]

Makefile

@@ -139,14 +139,25 @@ OPERATOR_SDK_VERSION ?= v1.39.0
 YQ_VERSION = v4.50.1
 HELM_VERSION ?= v3.17.3
 
-# Include the library makefiles
-include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \
-    targets/openshift/bindata.mk \
-    targets/openshift/yq.mk \
-)
+# Include the library makefiles only when vendored (so e.g. `make update-vendor` works on a clean tree).
+BUILD_MACHINERY_GO_MAKE := $(PROJECT_ROOT)/vendor/github.com/openshift/build-machinery-go/make
 
-# generate bindata targets
+ifneq (,$(wildcard $(BUILD_MACHINERY_GO_MAKE)/targets/openshift/bindata.mk))
+include $(BUILD_MACHINERY_GO_MAKE)/targets/openshift/bindata.mk
+# Generate bindata targets
 $(call add-bindata,assets,./bindata/...,bindata,assets,pkg/operator/assets/bindata.go)
+endif
+
+ifneq (,$(wildcard $(BUILD_MACHINERY_GO_MAKE)/targets/openshift/yq.mk))
+include $(BUILD_MACHINERY_GO_MAKE)/targets/openshift/yq.mk
+else
+# Vendored yq.mk defines ensure-yq; stub so the Makefile parses before the first `go work vendor`.
+.PHONY: ensure-yq
+ensure-yq:
+	@echo >&2 "Missing $(BUILD_MACHINERY_GO_MAKE)/targets/openshift/yq.mk"
+	@echo >&2 "Populate vendor first: make update-vendor"
+	@exit 1
+endif
 
 .PHONY: all
 all: build verify

bundle/art.yaml

@@ -0,0 +1,2 @@
+---
+updates: []

bundle/image-references

@@ -0,0 +1,17 @@
+---
+kind: ImageStream
+apiVersion: image.openshift.io/v1
+spec:
+  tags:
+  - name: external-secrets-operator-rhel9
+    from:
+      kind: DockerImage
+      name: openshift.io/external-secrets-operator:latest
+  - name: external-secrets-rhel9
+    from:
+      kind: DockerImage
+      name: ghcr.io/external-secrets/external-secrets:v0.20.4
+  - name: bitwarden-sdk-server-rhel9
+    from:
+      kind: DockerImage
+      name: ghcr.io/external-secrets/bitwarden-sdk-server:v0.5.2

hack/govulncheck.sh

@@ -21,10 +21,14 @@ set -o errexit
 # - https://pkg.go.dev/vuln/GO-2025-3521 - Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes
 # - https://pkg.go.dev/vuln/GO-2025-3547 - Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes
 #
-## Below vulnerabilities are in the go packages, which impacts the operator code and requires the fix to be available downstream.
-# - https://pkg.go.dev/vuln/GO-2026-4601 - Incorrect parsing of IPv6 host literals in net/url
-# - https://pkg.go.dev/vuln/GO-2026-4602 - FileInfo can escape from a Root in os
-KNOWN_VULNS_PATTERN="GO-2025-3521|GO-2025-3547|GO-2026-4601|GO-2026-4602"
+## Below vulnerabilities are in the go packages, which doesn't impact the operator code and requires the fix to be available downstream.
+# - https://pkg.go.dev/vuln/GO-2026-4918 - HTTP/2 infinite loop via SETTINGS_MAX_FRAME_SIZE of 0 in net/http, golang.org/x/net
+# - https://pkg.go.dev/vuln/GO-2026-4971 - Dial and LookupPort panic on Windows with NUL input in net
+# - https://pkg.go.dev/vuln/GO-2026-5026 - x/net/idna: ToUnicode accepts Punycode labels encoding pure ASCII labels
+# - https://pkg.go.dev/vuln/GO-2026-5037 - high-CPU VerifyHostname behavior via repeated hostname splitting.
+# - https://pkg.go.dev/vuln/GO-2026-5038 - Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
+# - https://pkg.go.dev/vuln/GO-2026-5039 - net/textproto package includes its input as part of the error.
+KNOWN_VULNS_PATTERN="GO-2025-3521|GO-2025-3547|GO-2026-4918|GO-2026-4971|GO-2026-5026|GO-2026-5037|GO-2026-5038|GO-2026-5039"
 
 GOVULNCHECK_BIN="${1:-}"
 OUTPUT_DIR="${2:-}"