Merge pull request #40 from rancher/sc

Refactoring build logic

.github/workflows/release.yml

@@ -0,0 +1,37 @@
+name: Release
+
+on:
+  push:
+    tags:        
+      - v*
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: 'stable'
+
+    - run: make build
+      env:
+        PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
+        PRIVATE_KEY_PASS_PHRASE: ${{ secrets.PRIVATE_KEY_PASS_PHRASE }}
+        TESTING_PRIVATE_KEY: ${{ secrets.TESTING_PRIVATE_KEY }}
+        TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ secrets.TESTING_PRIVATE_KEY_PASS_PHRASE }}
+
+    - run: make upload
+      env:
+        TESTING_AWS_ACCESS_KEY_ID: ${{ secrets.TESTING_AWS_ACCESS_KEY_ID }}
+        TESTING_AWS_SECRET_ACCESS_KEY: ${{ secrets.TESTING_AWS_SECRET_ACCESS_KEY }}
+        TESTING_AWS_S3_BUCKET: ${{ secrets.TESTING_AWS_S3_BUCKET }}
+        PRODUCTION_AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
+        PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
+        PRODUCTION_AWS_S3_BUCKET: ${{ secrets.PRODUCTION_AWS_S3_BUCKET }}

.github/workflows/tests.yml

@@ -0,0 +1,22 @@
+name: Tests
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: 'stable'
+
+    - run: make build DRY_RUN=true

.gitignore

@@ -1,3 +1,4 @@
 .dapper
 /dist
 /.idea
+/build

Dockerfile

@@ -0,0 +1,80 @@
+ARG POLICY
+
+# This Dockerfile is used to create the appropriate environment
+# to build the SELinux policies and package them as RPM for each
+# of the target platforms.
+
+FROM quay.io/centos/centos:centos7 as centos7
+RUN yum install -y \
+        createrepo_c \
+        epel-release \
+        container-selinux \
+        selinux-policy-devel \
+        yum-utils \
+        rpm-build \
+        rpm-sign expect
+
+# Confirm this is needed, move to final if not.
+COPY hack/centos7_sign /usr/local/bin/sign
+
+FROM quay.io/centos/centos:stream8 as centos8
+RUN yum install -y \
+        createrepo_c \
+        epel-release \
+        container-selinux \
+        selinux-policy-devel \
+        yum-utils \
+        rpm-build \
+        rpm-sign
+
+# Move to final stage if centos7_sign is removed.
+COPY hack/sign /usr/local/bin/sign
+
+FROM quay.io/centos/centos:stream9 as centos9
+RUN yum install -y \
+        createrepo_c \
+        epel-release \
+        container-selinux \
+        selinux-policy-devel \
+        yum-utils \
+        rpm-build \
+        rpm-sign
+
+# Move to final stage if centos7_sign is removed.
+COPY hack/sign /usr/local/bin/sign
+
+FROM fedora:37 as fedora37
+RUN dnf install -y \
+        createrepo_c \
+        container-selinux \
+        selinux-policy-devel \
+        rpm-build \
+        rpm-sign
+
+# Move to final stage if centos7_sign is removed.
+COPY hack/sign /usr/local/bin/sign
+
+FROM opensuse/tumbleweed as microos
+RUN zypper install -y \
+        container-selinux \
+        selinux-policy-devel \
+        rpm-build \
+        rpm
+
+# libglib is required to install createrepo_c in Tumbleweed.
+RUN zypper install -y libglib-2_0-0 createrepo_c
+
+# Move to final stage if centos7_sign is removed.
+COPY hack/sign /usr/local/bin/sign
+
+# Pick base image based on the target policy.
+FROM ${POLICY} as final
+
+WORKDIR /src
+
+ARG POLICY
+COPY policy/${POLICY}/rancher-selinux.spec \
+     policy/${POLICY}/rancher.fc \
+     policy/${POLICY}/rancher.te \
+     hack/build \
+     hack/metadata .

Makefile

@@ -1,29 +1,95 @@
-CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts))
-CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts))
-CENTOS9_TARGETS := $(addprefix centos9-,$(shell ls policy/centos9/scripts))
-MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts))
-FEDORA37_TARGETS := $(addprefix fedora37-,$(shell ls policy/fedora37/scripts))
+RUNNER ?= docker
+POLICIES = $(shell find policy -mindepth 1 -maxdepth 1 -type d | sort -u | cut -f 2 -d'/')
 
-.dapper:
-	@echo Downloading dapper
-	@curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
-	@@chmod +x .dapper.tmp
-	@./.dapper.tmp -v
-	@mv .dapper.tmp .dapper
+# GPG Signing
+DRY_RUN ?= false
+SIGN_KEY_EMAIL ?= [email protected]
+PRIVATE_KEY ?=
+PRIVATE_KEY_PASS_PHRASE ?=
+TESTING_PRIVATE_KEY ?= 
+TESTING_PRIVATE_KEY_PASS_PHRASE ?=
 
-$(CENTOS7_TARGETS): .dapper
-	./.dapper -f Dockerfile.centos7.dapper $(@:centos7-%=%)
+# S3 Upload
+TESTING_AWS_ACCESS_KEY_ID ?=
+TESTING_AWS_SECRET_ACCESS_KEY ?=
+TESTING_AWS_S3_BUCKET ?=
+PRODUCTION_AWS_ACCESS_KEY_ID ?=
+PRODUCTION_AWS_SECRET_ACCESS_KEY ?=
+PRODUCTION_AWS_S3_BUCKET ?=
 
-$(CENTOS8_TARGETS): .dapper
-	./.dapper -f Dockerfile.centos8.dapper $(@:centos8-%=%)
+ifeq ($(DRY_RUN),true)
+	DRY_RUN_SIGN := --dry-run
+endif
 
-$(CENTOS9_TARGETS): .dapper
-	./.dapper -f Dockerfile.centos9.dapper $(@:centos9-%=%)
+SHELL := /bin/bash
 
-$(MICROOS_TARGETS): .dapper
-	./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%)
+include hack/make/version.mk
+include hack/make/tools.mk
 
-$(FEDORA37_TARGETS): .dapper
-	./.dapper -f Dockerfile.fedora37.dapper $(@:fedora37-%=%)
+.PHONY: build
+build: ## build all policies.
+	$(MAKE) $(addsuffix -build, $(POLICIES))
 
-.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(CENTOS9_TARGETS) $(MICROOS_TARGETS) $(FEDORA37_TARGETS)
+%-build: version ## build a specific policy.
+	$(MAKE) $(subst :,/,$*)-build-clean
+	$(MAKE) $(subst :,/,$*)-build-image
+	$(MAKE) $(subst :,/,$*)-build-artefacts
+	$(MAKE) $(subst :,/,$*)-build-sign
+	$(MAKE) $(subst :,/,$*)-build-metadata
+
+%-build-image: ## build the container image used to generate a given policy.
+	$(RUNNER) build --build-arg POLICY=$(subst :,/,$*) \
+		-t rancher-selinux:$(subst :,/,$*) -f Dockerfile .
+
+%-build-clean: ## remove any artefacts related to the building of a policy.
+	rm -rf $(shell pwd)/build/$(subst :,/,$*)
+	mkdir -p $(shell pwd)/build/$(subst :,/,$*)
+
+%-build-artefacts: ## generate artefacts of a given policy.
+	$(RUNNER) run --rm \
+		-e USER=$(shell id -u) -e GROUP=$(shell id -g) \
+		-v $(shell pwd)/build/$(subst :,/,$*):/out \
+		rancher-selinux:$(subst :,/,$*) ./build $(RPM_VERSION) $(RPM_RELEASE)
+
+%-build-sign: ## sign the generate rpms of a given policy.
+	@$(RUNNER) run --rm \
+		-e USER=$(shell id -u) -e GROUP=$(shell id -g) \
+		-e SIGN_KEY_EMAIL -e RPM_CHANNEL="$(RPM_CHANNEL)" \
+		-e TESTING_PRIVATE_KEY_PASS_PHRASE \
+		-e TESTING_PRIVATE_KEY \
+		-e PRIVATE_KEY -e PRIVATE_KEY_PASS_PHRASE \
+		-v $(shell pwd)/build/$(subst :,/,$*):/dist \
+		rancher-selinux:$(subst :,/,$*) sign $(DRY_RUN_SIGN)
+
+%-build-metadata: ## generate repository metadata for a given policy.
+	$(RUNNER) run --rm \
+		-e USER=$(shell id -u) -e GROUP=$(shell id -g) \
+		-v $(shell pwd)/build/$(subst :,/,$*):/dist \
+		rancher-selinux:$(subst :,/,$*) ./metadata
+
+upload: $(AWSCLI) version ## uploads all artefacts from each policy into S3.
+	$(MAKE) $(addsuffix -upload, $(POLICIES))
+
+%-upload: 
+	RPM_CHANNEL=$(RPM_CHANNEL) POLICY=$(subst :,/,$*) \
+    TESTING_AWS_ACCESS_KEY_ID="$(TESTING_AWS_ACCESS_KEY_ID)" \
+    TESTING_AWS_SECRET_ACCESS_KEY="$(TESTING_AWS_SECRET_ACCESS_KEY)" \
+    TESTING_AWS_S3_BUCKET="$(TESTING_AWS_S3_BUCKET)" \
+    PRODUCTION_AWS_ACCESS_KEY_ID="$(PRODUCTION_AWS_ACCESS_KEY_ID)" \
+    PRODUCTION_AWS_SECRET_ACCESS_KEY="$(PRODUCTION_AWS_SECRET_ACCESS_KEY)" \
+    PRODUCTION_AWS_S3_BUCKET="$(PRODUCTION_AWS_S3_BUCKET)" \
+		./hack/upload
+
+version: ## parse and display version.
+ifdef VERSION_MSG
+	@echo  $(VERSION_MSG); exit 1
+endif
+
+	@echo Version Information
+	@echo RPM_VERSION: $(RPM_VERSION)
+	@echo RPM_RELEASE: $(RPM_RELEASE)
+	@echo RPM_CHANNEL: $(RPM_CHANNEL)
+	@echo VERSION: $(VERSION)
+
+help: ## display Makefile's help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

hack/build

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -eoux pipefail
+
+OUTDIR="${OUTDIR:-/out}"
+USER="${USER:-1000}"
+GROUP="${GROUP:-1000}"
+
+function build(){
+    local RPM_VERSION=$1
+    local RPM_RELEASE=$2
+
+    make -f /usr/share/selinux/devel/Makefile rancher.pp
+
+    rpmbuild \
+        --define "rancher_selinux_version ${RPM_VERSION}" \
+        --define "rancher_selinux_release ${RPM_RELEASE}" \
+        --define "_sourcedir $PWD" \
+        --define "_specdir $PWD" \
+        --define "_builddir $PWD" \
+        --define "_srcrpmdir ${OUTDIR}/source" \
+        --define "_buildrootdir $PWD/.build" \
+        --define "_rpmdir ${OUTDIR}" \
+        -ba rancher-selinux.spec
+}
+
+function main(){
+    build "$1" "$2"
+    chown -R "${USER}:${GROUP}" "${OUTDIR}/"
+}
+
+if [ "$#" -ne 2 ]; then
+    echo "usage: $0 <RPM_VERSION> <RPM_RELEASE>"
+    exit 1
+fi
+
+main "$1" "$2"

hack/centos7_sign

@@ -0,0 +1,93 @@
+#!/bin/bash
+set -eo pipefail
+
+PASSPHRASE_VAR=""
+
+function dryrun() {
+		export TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20)
+    export PASSPHRASE_VAR=TESTING_PRIVATE_KEY_PASS_PHRASE
+
+    cat <<\EOF >~/.rpmmacros 
+%_signature gpg
+%_gpg_name disposable-ci-test-key
+EOF
+
+    gpg --gen-key --batch <(echo "Key-Type: 1"; \
+                            echo "Key-Length: 2048"; \
+                            echo "Subkey-Type: 1"; \
+                            echo "Subkey-Length: 2048"; \
+                            echo "Expire-Date: 0"; \
+                            echo "Name-Real: disposable-ci-test-key"; \
+                            echo "Name-Email: disposable-ci-test-key"; \
+                            echo "%no-protection"; )
+
+    sign_rpms
+}
+
+function check_vars()
+{
+    echo "checking for required vars"
+
+    local required_vars
+    required_vars=(SIGN_KEY_EMAIL RPM_CHANNEL)
+
+    for var in "${required_vars[@]}"; do
+        [ -z "${!var}" ] && echo "$var is not set." && var_unset=true
+    done
+
+    [ -n "${var_unset}" ] && exit 1
+    return 0
+}
+
+function import_key() {
+    cat <<\EOF >~/.rpmmacros 
+%_signature gpg
+%_gpg_name [email protected]
+EOF
+
+    case "${RPM_CHANNEL}" in
+      "testing")
+        PASSPHRASE_VAR="TESTING_PRIVATE_KEY_PASS_PHRASE"
+        KEY_VAR="TESTING_PRIVATE_KEY"
+        ;;
+      "production")
+        PASSPHRASE_VAR="PRIVATE_KEY_PASS_PHRASE"
+        KEY_VAR="PRIVATE_KEY"
+        ;;
+      *)
+        echo "RPM_CHANNEL ${RPM_CHANNEL} does not match one of: [testing, production]"
+        exit 1
+        ;;
+    esac
+
+    if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"${!KEY_VAR}"; then
+      echo "${KEY_VAR} not defined, failing rpm sign"
+      exit 1
+    fi
+    gpg --import - <<<"${!KEY_VAR}"
+    echo "Signing keys imported successfully"
+}
+
+function sign_rpms() {
+    expect <<EOF
+set timeout 60
+spawn sh -c "rpmsign --addsign /dist/**/rancher-*.rpm"
+expect "Enter pass phrase:"
+send -- "${!PASSPHRASE_VAR}\r"
+expect eof
+lassign [wait] _ _ _ code
+exit \$code
+EOF
+}
+
+function main (){    
+    check_vars
+    import_key
+    sign_rpms
+}
+
+if [[ "$1" == "--dry-run" ]]; then
+  dryrun
+else
+  main
+fi