From 7bdc2936bbffaa04c0e92ba738219e9ed898b091 Mon Sep 17 00:00:00 2001
From: Jayesh Srivastava
Date: Sun, 15 Oct 2023 20:01:24 +0530
Subject: [PATCH] PCP-1995: Update Dockerfile, Makefile and spectro-release.yaml
---
 .github/workflows/spectro-release.yaml | 29 ++++++++++++++--
 Dockerfile | 28 ++++++++++++---
 Makefile | 48 ++++++++++++++++++--------
 3 files changed, 83 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
index 6a0d0ec..a4d5bac 100644
--- a/.github/workflows/spectro-release.yaml
+++ b/.github/workflows/spectro-release.yaml
@@ -7,6 +7,12 @@ on:
 description: 'Microk8s Cluster API Controlplane provider Version to Build'
 required: true
 default: '0.0.0'
+ rel_type:
+ type: choice
+ description: Type of release
+ options:
+ - release
+ - rc
 jobs:
 builder:
 # edge-runner machine group is a bunch of machines in US Datacenter
@@ -15,6 +21,8 @@ jobs:
 # Ensure that the credentials are provided as encrypted secrets
 env:
 SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+ LEGACY_REGISTRY: gcr.io/spectro-images-public/release/cluster-api/capi-control-plane-provider-microk8s
+ FIPS_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api/capi-control-plane-provider-microk8s
 steps:
 -
 uses: mukunku/tag-exists-action@v1.2.0
@@ -26,6 +34,11 @@ jobs:
 run: |
 echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
 exit 1
+ -
+ if: ${{ github.event.inputs.rel_type == 'rc' }}
+ run: |
+ echo "LEGACY_REGISTRY=gcr.io/spectro-dev-public/release/cluster-api/capi-control-plane-provider-microk8s" >> $GITHUB_ENV
+ echo "FIPS_REGISTRY=gcr.io/spectro-dev-public/release-fips/cluster-api/capi-control-plane-provider-microk8s" >> $GITHUB_ENV
 -
 uses: actions/checkout@v3
 -
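Review bot: `rel_type` is declared with neither `required: true` nor a `default`, so a dispatch that omits it or passes anything other than `rc`/`release` (the API-triggered path, for instance) falls into neither branch: the `== 'rc'` override in the third hunk does not fire, the job-level `LEGACY_REGISTRY`/`FIPS_REGISTRY` values from the second hunk still point at the public `spectro-images-public/release*` paths, and the images are pushed there while the `== 'release'` gate on Create Release is skipped. The fail-safe default is the dev registry: add `required: true` and `default: rc` under `rel_type`, or select the production registries only when `rel_type == 'release'` instead of selecting the dev ones only when it is `rc`. This applies to the first three hunks of spectro-release.yaml together; the `inputs` mapping the new keys belong to starts before the first hunk.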
@@ -41,12 +54,22 @@ jobs:
 -
 name: Build Image
 env:
- REGISTRY: gcr.io/spectro-images-public/release/cluster-api/capi-control-plane-provider-microk8s
+ REGISTRY: ${{ env.LEGACY_REGISTRY }}
+ run: |
+ make docker-build-all
+ make docker-push-all
+ -
+ name: Build Image - FIPS Mode
+ env:
+ FIPS_ENABLE: yes
+ REGISTRY: ${{ env.FIPS_REGISTRY }}
+ ALL_ARCH: amd64
 run: |
- make docker-build
- make docker-manifest
+ make docker-build-all
+ make docker-push-all
 -
 name: Create Release
+ if: ${{ github.event.inputs.rel_type == 'release' }}
 id: create_release
 uses: actions/create-release@v1
 env:
diff --git a/Dockerfile b/Dockerfile
index 446cadb..37a6d05 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,19 @@
-# Build the manager binary
-FROM gcr.io/spectro-images-public/golang:1.21-alpine as builder
+ARG BUILDER_GOLANG_VERSION
+# First stage: build the executable.
+FROM --platform=$TARGETPLATFORM gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as toolchain
+# Run this with docker build --build_arg $(go env GOPROXY) to override the goproxy
+ARG goproxy=https://proxy.golang.org
+ENV GOPROXY=$goproxy
-ARG arch
+# FIPS
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
+FROM toolchain as builder
 WORKDIR /workspace
+
+ RUN apk update
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
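Review bot: `ALL_ARCH: amd64` in the FIPS step's `env` has no effect, because the Makefile hunk further down assigns `ALL_ARCH = amd64 arm64` with a plain `=`, and a makefile assignment overrides a same-named environment variable unless make runs with `-e`; `docker-build-all`/`docker-push-all` will therefore still fan out to arm64 in FIPS mode. Pass it as a make variable instead, `make ALL_ARCH=amd64 docker-build-all` and `make ALL_ARCH=amd64 docker-push-all`, or change the Makefile line to `ALL_ARCH ?= amd64 arm64`. Separately, `FIPS_ENABLE: yes` is a YAML 1.1 boolean literal; the Dockerfile only tests it for non-emptiness so it works today, but `FIPS_ENABLE: "yes"` keeps it a string and makes the intent explicit. The step list this hunk edits continues outside the hunk on both sides.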
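Review bot: `ARG CRYPTO_LIB` is declared inside the `toolchain` stage, and a build ARG goes out of scope at the end of the stage that declares it, so after `FROM toolchain as builder` the shell running the next hunk's `RUN if [ ${CRYPTO_LIB} ]` sees an empty value, always takes the `go-build-static.sh` branch, and skips the `assert-static.sh`/`assert-fips.sh` runs gated on it — unless one of the unseen lines between the two hunks re-declares it. `ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}`, by contrast, is image config and does carry over, so a FIPS build would inherit the experiment flag without the FIPS build script or the FIPS assertion. Re-declare the argument in the second stage: `FROM toolchain as builder` followed by `ARG CRYPTO_LIB`.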
@@ -17,7 +27,17 @@ COPY api/ api/
 COPY controllers/ controllers/
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=$arch go build -a -ldflags '-s -w' -o manager main.go
+ARG ARCH
+ARG ldflags
+RUN if [ ${CRYPTO_LIB} ]; \
+ then \
+ GOARCH=${ARCH} go-build-fips.sh -a -o manager main.go;\
+ else \
+ GOARCH=${ARCH} go-build-static.sh -a -o manager main.go;\
+ fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh manager; fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-fips.sh manager; fi
+RUN scan-govulncheck.sh manager
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
diff --git a/Makefile b/Makefile
index 2c46e19..fe513dd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,14 @@
+ARCH ?= amd64
+ALL_ARCH = amd64 arm64
 SPECTRO_VERSION ?= 4.1.0-dev
 TAG ?= v0.4.0-spectro-${SPECTRO_VERSION}
 # Image URL to use all building/pushing image targets
 REGISTRY ?= gcr.io/spectro-dev-public/$(USER)/capi-control-plane-provider-microk8s
 IMG ?= ${REGISTRY}:${TAG}
+BUILDER_GOLANG_VERSION ?= 1.21
+BUILD_ARGS = --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg BUILDER_GOLANG_VERSION=${BUILDER_GOLANG_VERSION}
+
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.23
 # Components file to be used by clusterctl
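Review bot: `assert-static.sh manager` runs only when `CRYPTO_LIB` is set, so the default (non-FIPS) binary is never checked for static linking even though it replaces a build that forced `CGO_ENABLED=0` and, per the context lines, is copied into a distroless image with no libc; run it unconditionally, `RUN assert-static.sh manager`, and keep only `assert-fips.sh` behind the `CRYPTO_LIB` test. The first test is also unquoted, `[ ${CRYPTO_LIB} ]`, while the two below quote it; use `RUN if [ "${CRYPTO_LIB}" ]; \` so an empty or space-containing value behaves the same in all three. `ARG ldflags` is declared but not used in this hunk, and the old `-ldflags '-s -w'` no longer appears anywhere; presumably the `go-build-*.sh` scripts apply it — worth confirming, or dropping the ARG.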
@@ -80,23 +85,36 @@ build: generate fmt vet ## Build manager binary.
 run: manifests generate fmt vet ## Run a controller from your host.
 go run ./main.go
-.PHONY: docker-build
-docker-build-%: ## Build docker image with the manager.
- docker build -t ${IMG}-$* . --build-arg arch=$*
-docker-build: docker-build-amd64 docker-build-arm64
+## Docker build
+
+docker-build-%: ## Build docker images for a given ARCH
+ $(MAKE) ARCH=$* docker-build
+
+.PHONY: docker-build-all ## Build all the architecture docker images
+docker-build-all: $(addprefix docker-build-,$(ALL_ARCH))
+
+docker-build: ## Build docker image with the manager.
+ DOCKER_BUILDKIT=1 docker buildx build --load --platform linux/${ARCH} ${BUILD_ARGS} --build-arg ARCH=$(ARCH) -t $(REGISTRY)-$(ARCH):$(TAG) .
+
+## Docker push
+
+.PHONY: docker-push-all ## Push all the architecture docker images
+docker-push-all: $(addprefix docker-push-,$(ALL_ARCH))
+ $(MAKE) docker-push-manifest
 .PHONY: docker-push
-docker-push-%: docker-build-% ## Push docker image with the manager.
- docker push ${IMG}-$*
-docker-push: docker-push-amd64 docker-push-arm64
-
-.PHONY: docker-manifest
-docker-manifest: docker-push ## Push docker multi-arch manifest.
- docker manifest rm ${IMG} || true
- docker manifest create ${IMG} --amend ${IMG}-amd64 --amend ${IMG}-arm64
- docker manifest annotate ${IMG} ${IMG}-amd64 --arch=amd64
- docker manifest annotate ${IMG} ${IMG}-arm64 --arch=arm64
- docker manifest push ${IMG}
+docker-push: ## Push the docker image
+ docker push $(REGISTRY)-$(ARCH):$(TAG)
+
+docker-push-%:
+ $(MAKE) ARCH=$* docker-push
+
+.PHONY: docker-push-manifest
+docker-push-manifest: ## Push the fat manifest docker image.
+ ## Minimum docker version 18.06.0 is required for creating and pushing manifest images.
+ docker manifest create --amend $(REGISTRY):$(TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(REGISTRY)\-&:$(TAG)~g")
+ @for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${REGISTRY}:${TAG} ${REGISTRY}-$${arch}:${TAG}; done
+ docker manifest push --purge ${REGISTRY}:${TAG}
 ##@ Deployment
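Review bot: in `docker-push-manifest` the per-arch image list is built by shelling out to `echo | sed` with a `~`-delimited substitution, which is hard to read and misbehaves if `$(REGISTRY)` or `$(TAG)` ever contains `~` or `&`; make can produce the same list natively, `docker manifest create --amend $(REGISTRY):$(TAG) $(foreach a,$(ALL_ARCH),$(REGISTRY)-$(a):$(TAG))`. The `## Minimum docker version 18.06.0 ...` line is indented as a recipe line, so it is handed to the shell and echoed on every run; move it above the target, next to the `## Push the fat manifest docker image.` help text. `docker-push-%` also lost the `docker-build-%` prerequisite the removed rule had, so `make docker-push-arm64` now pushes whatever image happens to be in the local daemon; the workflow always builds first, but a one-line comment on the target saying it assumes a prior `docker-build-%` would prevent surprises in local use.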