Spectro CICD

.github/workflows/spectro-release.yaml

@@ -7,6 +7,12 @@ on:
         description: 'Cluster API Version to Build'
         required: true
         default: '0.0.0'
+      rel_type:
+        type: choice
+        description: Type of release
+        options:
+          - release
+          - rc
 jobs:
   builder:
     # edge-runner machine group is a bunch of machines in US Datacenter
@@ -15,6 +21,8 @@ jobs:
     # Ensure that the credentials are provided as encrypted secrets
     env:
       SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+      LEGACY_REGISTRY: gcr.io/spectro-images-public/release/cluster-api-maas
+      FIPS_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-maas
     steps:
       -
         uses: mukunku/[email protected]
@@ -26,6 +34,11 @@ jobs:
         run: |
           echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
           exit 1
+      -
+        if: ${{ github.event.inputs.rel_type == 'rc' }}
+        run: |
+          echo "LEGACY_REGISTRY=gcr.io/spectro-dev-public/release/cluster-api-maas" >> $GITHUB_ENV
+          echo "FIPS_REGISTRY=gcr.io/spectro-dev-public/release-fips/cluster-api-maas" >> $GITHUB_ENV
       -
         uses: actions/checkout@v3
       -
@@ -41,28 +54,24 @@ jobs:
       -
         name: Build Image
         env:
-          REGISTRY: gcr.io/spectro-images-public/release/cluster-api-maas
+          REGISTRY: ${{ env.LEGACY_REGISTRY }}
         run: |
-          make docker-build
-          make docker-push
+          make docker-build-all
+          make docker-push-all
       -
         name: Build Image - FIPS Mode
         env:
           FIPS_ENABLE: yes
-          REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-maas
+          REGISTRY: ${{ env.FIPS_REGISTRY }}
         run: |
           make docker-build-all
           make docker-push-all
       -
-        name: Create Release
-        id: create_release
-        uses: actions/create-release@v1
+        name: Create Tag
+        if: ${{ github.event.inputs.rel_type == 'release' }}
+        id: tag_create
+        uses: rickstaa/action-create-tag@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: v${{ github.event.inputs.release_version }}-spectro
-          release_name: Release v${{ github.event.inputs.release_version }}-spectro
-          body: |
-            Release version ${{ github.event.inputs.release_version }}
-          draft: false
-          prerelease: false
+          tag: v${{ github.event.inputs.release_version }}-spectro

Dockerfile

@@ -1,28 +1,53 @@
 # Build the manager binary
-FROM golang:1.19.8 as builder
+ARG BUILDER_GOLANG_VERSION
+# First stage: build the executable.
+FROM --platform=$TARGETPLATFORM gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as toolchain
 
+FROM toolchain as builder
 WORKDIR /workspace
+
+RUN apk update
+RUN apk add git gcc g++ curl
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN go mod download
+RUN  --mount=type=cache,target=/root/.local/share/golang \
+     --mount=type=cache,target=/go/pkg/mod \
+     go mod download
 
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
 # Copy the go source
 COPY main.go main.go
 COPY api/ api/
 COPY pkg/ pkg/
 COPY controllers/ controllers/
 
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
+
+RUN  --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.local/share/golang \
+    if [ ${CRYPTO_LIB} ];\
+     then \
+        GOARCH=${ARCH} go-build-fips.sh -a -o manager . ;\
+     else \
+        GOARCH=${ARCH} go-build-static.sh -a -o manager . ;\
+     fi
+
+RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh manager; fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-fips.sh manager; fi
+RUN scan-govulncheck.sh manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+USER 65532
 
 ENTRYPOINT ["/manager"]

Makefile

@@ -12,12 +12,23 @@ BUILD_DIR :=_build
 RELEASE_DIR := _build/release
 DEV_DIR := _build/dev
 REPO_ROOT := $(shell git rev-parse --show-toplevel)
+FIPS_ENABLE ?= ""
+BUILDER_GOLANG_VERSION ?= 1.22
+BUILD_ARGS = --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg BUILDER_GOLANG_VERSION=${BUILDER_GOLANG_VERSION}
+ARCH ?= amd64
+ALL_ARCH = amd64 arm64
+
+RELEASE_LOC := release
+ifeq ($(FIPS_ENABLE),yes)
+  RELEASE_LOC := release-fips
+endif
 
 # Image URL to use all building/pushing image targets
 IMAGE_NAME := cluster-api-provider-maas-controller
-IMG_URL ?= gcr.io/spectro-dev-public/release/cluster-api
-IMG_TAG ?= v0.5.0
-IMG ?= ${IMG_URL}/${IMAGE_NAME}:${IMG_TAG}
+REGISTRY ?= gcr.io/spectro-dev-public/${RELEASE_LOC}/cluster-api
+SPECTRO_VERSION ?= 4.0.0-dev
+IMG_TAG ?= v0.3.0-spectro-${SPECTRO_VERSION}
+CONTROLLER_IMG ?= ${REGISTRY}/${IMAGE_NAME}
 
 # Set --output-base for conversion-gen if we are not within GOPATH
 ifneq ($(abspath $(REPO_ROOT)),$(shell go env GOPATH)/src/github.com/spectrocloud/cluster-api-provider-maas)
@@ -72,7 +83,7 @@ uninstall: manifests ## Uninstall CRDs from a cluster
 
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: manifests  ## Deploy controller in the configured Kubernetes cluster
-	cd config/manager && kustomize edit set image controller=${IMG}
+	cd config/manager && kustomize edit set image controller=$(CONTROLLER_IMG):$(IMG_TAG)
 	kustomize build config/default | kubectl apply -f -
 
 $(MANIFEST_DIR):
@@ -108,7 +119,7 @@ release-overrides:
 
 .PHONY: dev-manifests
 dev-manifests:
-	$(MAKE) manifests STAGE=dev MANIFEST_DIR=$(DEV_DIR) PULL_POLICY=Always IMAGE=$(IMG)
+	$(MAKE) manifests STAGE=dev MANIFEST_DIR=$(DEV_DIR) PULL_POLICY=Always IMAGE=$(CONTROLLER_IMG):$(IMG_TAG)
 	cp metadata.yaml $(DEV_DIR)/metadata.yaml
 	$(MAKE) templates OUTPUT_DIR=$(DEV_DIR)
 
@@ -148,15 +159,40 @@ generate-manifests:  ## Generate manifests
 
 
 # Build the docker image
+.PHONY: docker-build
 docker-build: #test
-	docker build . -t ${IMG}
+	docker buildx build --load --platform linux/$(ARCH) ${BUILD_ARGS} --build-arg ARCH=$(ARCH)  --build-arg  LDFLAGS="$(LDFLAGS)" --build-arg CRYPTO_LIB=${FIPS_ENABLE} . -t $(CONTROLLER_IMG)-$(ARCH):$(IMG_TAG)
 
 # Push the docker image
+.PHONY: docker-push
 docker-push: ## Push the docker image to gcr
-	docker push ${IMG}
+	docker push  $(CONTROLLER_IMG)-$(ARCH):$(IMG_TAG)
+
+## --------------------------------------
+## Docker — All ARCH
+## --------------------------------------
+.PHONY: docker-build-all ## Build all the architecture docker images
+docker-build-all: $(addprefix docker-build-,$(ALL_ARCH))
+
+docker-build-%:
+	$(MAKE) ARCH=$* docker-build
+
+.PHONY: docker-push-all ## Push all the architecture docker images
+docker-push-all: $(addprefix docker-push-,$(ALL_ARCH))
+	$(MAKE) docker-push-manifest
+
+docker-push-%:
+	$(MAKE) ARCH=$* docker-push
+
+.PHONY: docker-push-manifest
+docker-push-manifest: ## Push the fat manifest docker image.
+	## Minimum docker version 18.06.0 is required for creating and pushing manifest images.
+	docker manifest create --amend $(CONTROLLER_IMG):$(IMG_TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(CONTROLLER_IMG)\-&:$(IMG_TAG)~g")
+	@for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${CONTROLLER_IMG}:${IMG_TAG} ${CONTROLLER_IMG}-$${arch}:${IMG_TAG}; done
+	docker manifest push --insecure --purge $(CONTROLLER_IMG):$(IMG_TAG)
 
 docker-rmi: ## Remove the docker image locally
-	docker rmi ${IMG}
+	docker rmi $(CONTROLLER_IMG):$(IMG_TAG)
 
 mock: $(MOCKGEN)
 	go generate ./...