PCP-1961: cluster api provider maas make and docker changes (#97)

.github/workflows/spectro-release.yaml

@@ -7,6 +7,12 @@ on:
         description: 'Cluster API Version to Build'
         required: true
         default: '0.0.0'
+      rel_type:
+        type: choice
+        description: Type of release
+        options:
+          - release
+          - rc
 jobs:
   builder:
     # edge-runner machine group is a bunch of machines in US Datacenter
@@ -15,6 +21,8 @@ jobs:
     # Ensure that the credentials are provided as encrypted secrets
     env:
       SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+      LEGACY_REGISTRY: gcr.io/spectro-images-public/release/cluster-api-maas
+      FIPS_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-maas
     steps:
       -
         uses: mukunku/[email protected]
@@ -26,6 +34,11 @@ jobs:
         run: |
           echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
           exit 1
+      -
+        if: ${{ github.event.inputs.rel_type == 'rc' }}
+        run: |
+          echo "LEGACY_REGISTRY=gcr.io/spectro-dev-public/release/cluster-api-maas" >> $GITHUB_ENV
+          echo "FIPS_REGISTRY=gcr.io/spectro-dev-public/release-fips/cluster-api-maas" >> $GITHUB_ENV
       -
         uses: actions/checkout@v3
       -
@@ -41,20 +54,21 @@ jobs:
       -
         name: Build Image
         env:
-          REGISTRY: gcr.io/spectro-images-public/release/cluster-api-maas
+          REGISTRY: ${{ env.LEGACY_REGISTRY }}
         run: |
           make docker-build
           make docker-push
       -
         name: Build Image - FIPS Mode
         env:
           FIPS_ENABLE: yes
-          REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-maas
+          REGISTRY: ${{ env.FIPS_REGISTRY }}
         run: |
           make docker-build
           make docker-push
       -
         name: Create Release
+        if: ${{ github.event.inputs.rel_type == 'release' }}
         id: create_release
         uses: actions/create-release@v1
         env:
@@ -63,6 +77,6 @@ jobs:
           tag_name: v${{ github.event.inputs.release_version }}-spectro
           release_name: Release v${{ github.event.inputs.release_version }}-spectro
           body: |
-            Release version ${{ github.event.inputs.release_version }}
+            Release version v${{ github.event.inputs.release_version }}-spectro
           draft: false
           prerelease: false

Dockerfile

@@ -1,16 +1,23 @@
 # Build the manager binary
-FROM golang:1.19.10-alpine3.18 as builder
+ARG BUILDER_GOLANG_VERSION
+# First stage: build the executable.
+FROM --platform=$TARGETPLATFORM gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as toolchain
+
+FROM toolchain as builder
+WORKDIR /workspace
 
 RUN apk update
 RUN apk add git gcc g++ curl
 
-WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN go mod download
+RUN  --mount=type=cache,target=/root/.local/share/golang \
+     --mount=type=cache,target=/go/pkg/mod \
+     go mod download
+
 ARG CRYPTO_LIB
 ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
 # Copy the go source
@@ -21,18 +28,26 @@ COPY controllers/ controllers/
 
 # Build
 
-RUN if [ ${CRYPTO_LIB} ]; \
-    then \
-      CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GO111MODULE=on go build  -ldflags "-linkmode=external -extldflags=-static" -a -o manager main.go ;\
-    else \
-      CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go ;\
-    fi
+RUN  --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.local/share/golang \
+    if [ ${CRYPTO_LIB} ];\
+     then \
+        GOARCH=${ARCH} go-build-fips.sh -a -o manager . ;\
+     else \
+        GOARCH=${ARCH} go-build-static.sh -a -o manager . ;\
+     fi
+
+RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh manager; fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-fips.sh manager; fi
+RUN scan-govulncheck.sh manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+USER 65532
 
 ENTRYPOINT ["/manager"]

Makefile

@@ -13,6 +13,9 @@ RELEASE_DIR := _build/release
 DEV_DIR := _build/dev
 REPO_ROOT := $(shell git rev-parse --show-toplevel)
 FIPS_ENABLE ?= ""
+BUILDER_GOLANG_VERSION ?= 1.21
+BUILD_ARGS = --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg BUILDER_GOLANG_VERSION=${BUILDER_GOLANG_VERSION}
+ALL_ARCH = amd64 arm64
 
 RELEASE_LOC := release
 ifeq ($(FIPS_ENABLE),yes)
@@ -24,7 +27,7 @@ IMAGE_NAME := cluster-api-provider-maas-controller
 REGISTRY ?= gcr.io/spectro-dev-public/${RELEASE_LOC}/cluster-api
 SPECTRO_VERSION ?= 4.0.0-dev
 IMG_TAG ?= v0.2.0-spectro-${SPECTRO_VERSION}
-IMG ?= ${REGISTRY}/${IMAGE_NAME}:${IMG_TAG}
+CONTROLLER_IMG ?= ${REGISTRY}/${IMAGE_NAME}
 
 # Set --output-base for conversion-gen if we are not within GOPATH
 ifneq ($(abspath $(REPO_ROOT)),$(shell go env GOPATH)/src/github.com/spectrocloud/cluster-api-provider-maas)
@@ -79,7 +82,7 @@ uninstall: manifests ## Uninstall CRDs from a cluster
 
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: manifests  ## Deploy controller in the configured Kubernetes cluster
-	cd config/manager && kustomize edit set image controller=${IMG}
+	cd config/manager && kustomize edit set image controller=$(CONTROLLER_IMG):$(IMG_TAG)
 	kustomize build config/default | kubectl apply -f -
 
 $(MANIFEST_DIR):
@@ -115,7 +118,7 @@ release-overrides:
 
 .PHONY: dev-manifests
 dev-manifests:
-	$(MAKE) manifests STAGE=dev MANIFEST_DIR=$(DEV_DIR) PULL_POLICY=Always IMAGE=$(IMG)
+	$(MAKE) manifests STAGE=dev MANIFEST_DIR=$(DEV_DIR) PULL_POLICY=Always IMAGE=$(CONTROLLER_IMG):$(IMG_TAG)
 	cp metadata.yaml $(DEV_DIR)/metadata.yaml
 	$(MAKE) templates OUTPUT_DIR=$(DEV_DIR)
 
@@ -150,20 +153,46 @@ generate-go:
 		--output-file-base=zz_generated.conversion $(GEN_OUTPUT_BASE) \
 		--go-header-file=./hack/boilerplate.go.txt
 
+.PHONY: generate-manifests
 generate-manifests:  ## Generate manifests
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 
 # Build the docker image
+.PHONY: docker-build
 docker-build: #test
-	docker build --build-arg CRYPTO_LIB=${FIPS_ENABLE}  . -t ${IMG}
+	docker buildx build --load --platform linux/${ARCH} ${BUILD_ARGS} --build-arg ARCH=$(ARCH)  --build-arg  LDFLAGS="$(LDFLAGS)" --build-arg CRYPTO_LIB=${FIPS_ENABLE} . -t $(CONTROLLER_IMG)-$(ARCH):$(IMG_TAG)
 
 # Push the docker image
+.PHONY: docker-push
 docker-push: ## Push the docker image to gcr
-	docker push ${IMG}
+	docker push  $(CONTROLLER_IMG)-$(ARCH):$(IMG_TAG)
+
+## --------------------------------------
+## Docker — All ARCH
+## --------------------------------------
+.PHONY: docker-build-all ## Build all the architecture docker images
+docker-build-all: $(addprefix docker-build-,$(ALL_ARCH))
+
+docker-build-%:
+	$(MAKE) ARCH=$* docker-build
+
+.PHONY: docker-push-all ## Push all the architecture docker images
+docker-push-all: $(addprefix docker-push-,$(ALL_ARCH))
+	$(MAKE) docker-push-manifest
+
+docker-push-%:
+	$(MAKE) ARCH=$* docker-push
+
+.PHONY: docker-push-manifest
+docker-push-manifest: ## Push the fat manifest docker image.
+	## Minimum docker version 18.06.0 is required for creating and pushing manifest images.
+	docker manifest create --amend $(CONTROLLER_IMG):$(IMG_TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(CONTROLLER_IMG)\-&:$(IMG_TAG)~g")
+	@for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${CONTROLLER_IMG}:${IMG_TAG} ${CONTROLLER_IMG}-$${arch}:${IMG_TAG}; done
+	docker manifest push --insecure --purge $(CONTROLLER_IMG):$(IMG_TAG)
 
 docker-rmi: ## Remove the docker image locally
-	docker rmi ${IMG}
+	docker rmi $(CONTROLLER_IMG):$(IMG_TAG)
 
 mock: $(MOCKGEN)
 	go generate ./...

go.mod

@@ -1,6 +1,6 @@
 module github.com/spectrocloud/cluster-api-provider-maas
 
-go 1.19
+go 1.21
 
 require (
 	github.com/go-logr/logr v1.2.0
@@ -58,7 +58,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e // indirect
 	k8s.io/cluster-bootstrap v0.23.0 // indirect
 	k8s.io/component-base v0.23.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect