spectrocloud · zulfilee · Oct 3, 2023 · Oct 3, 2023
diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
@@ -7,6 +7,12 @@ on:
         description: 'Cluster API Version to Build'
         required: true
         default: '0.0.0'
+      rel_type:
+        type: choice
+        description: Type of release
+        options:
+        - release
+        - rc
 jobs:
   builder:
     # edge-runner machine group is a bunch of machines in US Datacenter
@@ -15,6 +21,7 @@ jobs:
     # Ensure that the credentials are provided as encrypted secrets
     env:
       SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+      REGISTRY: gcr.io/spectro-images-public/release/cluster-api-azure
     steps:
       -
         uses: mukunku/[email protected]
@@ -26,6 +33,9 @@ jobs:
         run: |
           echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
           exit 1
+      -
+        if: ${{ github.event.inputs.rel_type == 'rc' }}
+        run: echo "REGISTRY=gcr.io/spectro-dev-public/release/cluster-api-azure" >> $GITHUB_ENV
       -
         uses: actions/checkout@v3
       -
@@ -40,21 +50,19 @@ jobs:
           password: ${{ secrets.REGISTRY_PASSWORD }}
       -
         name: Build Image
-        env:
-          REGISTRY: gcr.io/spectro-images-public/release/cluster-api-azure
         run: |
           make docker-build-all
           make docker-push-all
       -
         name: Build Image - FIPS Mode
         env:
           FIPS_ENABLE: yes
-          REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-azure
         run: |
           make docker-build-all
           make docker-push-all
       -
         name: Create Release
+        if: ${{ github.event.inputs.rel_type == 'release' }}
         id: create_release
         uses: actions/create-release@v1
         env:

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1.4
-
 # Copyright 2019 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,24 +13,26 @@
 # limitations under the License.
 
 # Build the manager binary
-FROM golang:1.19.10-alpine3.18 as builder
-WORKDIR /workspace
-
+ARG BUILDER_GOLANG_VERSION
+# First stage: build the executable.
+FROM gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as toolchain
 # Run this with docker build --build_arg $(go env GOPROXY) to override the goproxy
 ARG goproxy=https://proxy.golang.org
 ENV GOPROXY=$goproxy
 
-RUN apk update
-RUN apk add git gcc g++ curl
-
 # FIPS
 ARG CRYPTO_LIB
 ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
 
+FROM toolchain as builder
+WORKDIR /workspace
+
+RUN apk update
+RUN apk add git gcc g++ curl
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
-
 # Cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
 RUN --mount=type=cache,target=/go/pkg/mod \
@@ -49,21 +49,19 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 # Build
 ARG package=.
 ARG ARCH
-ARG ldflags
 
 # Do not force rebuild of up-to-date packages (do not use -a) and use the compiler cache folder
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     if [ ${CRYPTO_LIB} ]; \
     then \
-    CGO_ENABLED=1 GOOS=linux GOARCH=${ARCH} \
-    go build -ldflags "${ldflags}  -linkmode=external -extldflags '-static'" \
-    -o manager ${package} ;\
+      GOARCH=${ARCH} go-build-fips.sh -a -o manager ${package};\
     else \
-    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
-    go build -ldflags "${ldflags} -extldflags '-static'" \
-    -o manager ${package} ;\
+      GOARCH=${ARCH} go-build-static.sh -a -o manager ${package} ;\
     fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh manager; fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-fips.sh manager; fi
+RUN scan-govulncheck.sh manager
 
 # Production image
 FROM gcr.io/distroless/static:nonroot

diff --git a/Makefile b/Makefile
@@ -15,6 +15,7 @@
 # If you update this file, please follow
 # https://suva.sh/posts/well-documented-makefiles
 
+
 # Ensure Make is run with bash shell as some syntax below is bash-specific
 SHELL:=/usr/bin/env bash
 
@@ -123,6 +124,8 @@ ETCD=$(TOOLS_BIN_DIR)/etcd
 # Define Docker related variables. Releases should modify and double check these vars.
 # Fips Flags
 FIPS_ENABLE ?= ""
+BUILDER_GOLANG_VERSION ?= 1.21
+BUILD_ARGS = --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg BUILDER_GOLANG_VERSION=${BUILDER_GOLANG_VERSION}
 
 RELEASE_LOC := release
 ifeq ($(FIPS_ENABLE),yes)
@@ -133,7 +136,7 @@ SPECTRO_VERSION ?= 4.0.0-dev
 TAG ?= v1.3.2-spectro-${SPECTRO_VERSION}
 ARCH ?= amd64
 # ALL_ARCH = amd64 arm arm64 ppc64le s390x
-ALL_ARCH = amd64 
+ALL_ARCH = amd64 arm64
 
 REGISTRY ?= gcr.io/spectro-dev-public/$(USER)/${RELEASE_LOC}
 
@@ -352,7 +355,7 @@ docker-pull-prerequisites: ## Pull prerequisites for building controller-manager
 
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Build the docker image for controller-manager.
-	DOCKER_BUILDKIT=1 docker build --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG)
+	docker buildx build --load --platform linux/${ARCH} ${BUILD_ARGS}  --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/default/manager_pull_policy.yaml"