Changes for spectro-release image build

spectrocloud · Nov 7, 2024 · 23a2ed1 · 23a2ed1
1 parent be7d9ad
commit 23a2ed1
Show file tree

Hide file tree

Showing 3 changed files with 123 additions and 15 deletions.
diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
@@ -0,0 +1,82 @@
+name: Spectro Release
+run-name: Release for Cluster API  AWS ${{ github.event.inputs.release_version }}
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Cluster API Version to Build'
+        required: true
+        default: '0.0.0'
+      rel_type:
+        type: choice
+        description: Type of release
+        options:
+          - release
+          - rc
+jobs:
+  builder:
+    # edge-runner machine group is a bunch of machines in US Datacenter
+    runs-on: ubuntu-latest
+    # Initialize all secrets required for the job
+    # Ensure that the credentials are provided as encrypted secrets
+    env:
+      SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+      LEGACY_REGISTRY: gcr.io/spectro-images-public/release/cluster-api-aws
+      FIPS_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-aws
+    steps:
+      -
+        uses: mukunku/[email protected]
+        id: checkTag
+        with:
+          tag: v${{ github.event.inputs.release_version }}-spectro
+      -
+        if: ${{ steps.checkTag.outputs.exists == 'true' }}
+        run: |
+          echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
+          exit 1
+      -
+        if: ${{ github.event.inputs.rel_type == 'rc' }}
+        run: |
+          echo "LEGACY_REGISTRY=gcr.io/spectro-dev-public/release/cluster-api-aws" >> $GITHUB_ENV
+          echo "FIPS_REGISTRY=gcr.io/spectro-dev-public/release-fips/cluster-api-aws" >> $GITHUB_ENV
+      -
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to private registry
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.REGISTRY_URL }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      -
+        name: Build Image
+        env:
+          REGISTRY: ${{ env.LEGACY_REGISTRY }}
+        run: |
+          make docker-build-all
+          make docker-push-all
+      -
+        name: Build Image - FIPS Mode
+        env:
+          FIPS_ENABLE: yes
+          REGISTRY: ${{ env.FIPS_REGISTRY }}
+        run: |
+          make docker-build-all
+          make docker-push-all
+      -
+        name: Create Release
+        if: ${{ github.event.inputs.rel_type == 'release' }}
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ github.event.inputs.release_version }}-spectro
+          release_name: Release v${{ github.event.inputs.release_version }}-spectro
+          body: |
+            Release version v${{ github.event.inputs.release_version }}-spectro
+          draft: false
+          prerelease: false
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1.1-experimental
-
 # Copyright 2019 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,15 +13,23 @@
 # limitations under the License.
 
 # Build the manager binary
-FROM golang:1.17.3 as toolchain
-
+ARG BUILDER_GOLANG_VERSION
+# First stage: build the executable.
+FROM gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as toolchain
 # Run this with docker build --build_arg $(go env GOPROXY) to override the goproxy
 ARG goproxy=https://proxy.golang.org
 ENV GOPROXY=$goproxy
 
+# FIPS
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
+
 FROM toolchain as builder
 WORKDIR /workspace
 
+RUN apk update
+RUN apk add git gcc g++ curl
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
@@ -40,16 +46,23 @@ COPY ./ ./
 ARG package=.
 ARG ARCH
 ARG LDFLAGS
-RUN --mount=type=cache,target=/root/.cache/go-build \
+RUN  --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.local/share/golang \
-    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -ldflags "${LDFLAGS} -extldflags '-static'"  -o manager ${package}
+    if [ ${CRYPTO_LIB} ]; \
+    then \
+      GOARCH=${ARCH} go-build-fips.sh -a -o manager sigs.k8s.io/cluster-api-provider-aws ;\
+    else \
+      GOARCH=${ARCH} go-build-static.sh -a -o manager sigs.k8s.io/cluster-api-provider-aws ;\
+    fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh manager; fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-fips.sh manager; fi
+RUN scan-govulncheck.sh manager
 ENTRYPOINT [ "/start.sh", "/workspace/manager" ]
-
 # Copy the controller-manager into a thin image
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
 # Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
 USER 65532
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/manager"]
diff --git a/Makefile b/Makefile
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+BUILDER_GOLANG_VERSION ?= 1.22
 ROOT_DIR_RELATIVE := .
 
 include $(ROOT_DIR_RELATIVE)/common.mk
@@ -77,11 +78,10 @@ endif
 
 # Release variables
 
-STAGING_REGISTRY ?= gcr.io/k8s-staging-cluster-api-aws
+STAGING_REGISTRY ?= gcr.io/spectro-dev-public/cluster-api-aws
 STAGING_BUCKET ?= artifacts.k8s-staging-cluster-api-aws.appspot.com
 BUCKET ?= $(STAGING_BUCKET)
 PROD_REGISTRY := registry.k8s.io/cluster-api-aws
-REGISTRY ?= $(STAGING_REGISTRY)
 RELEASE_TAG ?= $(shell git describe --abbrev=0 2>/dev/null)
 PULL_BASE_REF ?= $(RELEASE_TAG) # PULL_BASE_REF will be provided by Prow
 RELEASE_ALIAS_TAG ?= $(PULL_BASE_REF)
@@ -92,9 +92,22 @@ BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 # image name used to build the cmd/clusterawsadm
 TOOLCHAIN_IMAGE := toolchain
 
-TAG ?= dev
-ARCH ?= $(shell go env GOARCH)
-ALL_ARCH ?= amd64 arm arm64 ppc64le s390x
+# Fips Flags
+FIPS_ENABLE ?= ""
+BUILD_ARGS = --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg BUILDER_GOLANG_VERSION=${BUILDER_GOLANG_VERSION}
+
+RELEASE_LOC := release
+ifeq ($(FIPS_ENABLE),yes)
+  RELEASE_LOC := release-fips
+endif
+
+SPECTRO_VERSION ?= 4.1.0-dev
+TAG ?= v1.5.2-spectro-${SPECTRO_VERSION}
+ARCH ?= amd64
+# ALL_ARCH = amd64 arm arm64 ppc64le s390x
+ALL_ARCH = amd64 arm64
+
+REGISTRY ?= gcr.io/spectro-dev-public/$(USER)/${RELEASE_LOC}
 
 # main controller
 CORE_IMAGE_NAME ?= cluster-api-aws-controller
@@ -343,7 +356,8 @@ clusterawsadm: ## Build clusterawsadm binary
 
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Build the docker image for controller-manager
-	docker build --build-arg ARCH=$(ARCH) --build-arg LDFLAGS="$(LDFLAGS)" . -t $(CORE_CONTROLLER_IMG)-$(ARCH):$(TAG)
+	docker buildx build --load --platform linux/${ARCH} ${BUILD_ARGS} --build-arg ARCH=$(ARCH) --build-arg LDFLAGS="$(LDFLAGS)" . -t $(CORE_CONTROLLER_IMG)-$(ARCH):$(TAG)
+	@echo $(CORE_CONTROLLER_IMG)-$(ARCH):$(TAG)
 
 .PHONY: docker-build-all ## Build all the architecture docker images
 docker-build-all: $(addprefix docker-build-,$(ALL_ARCH))
@@ -678,4 +692,3 @@ clean-temporary: ## Remove all temporary files and folders
 	rm -rf test/e2e/capi-kubeadm-control-plane-controller-manager
 	rm -rf test/e2e/logs
 	rm -rf test/e2e/resources
-