From b1718dbc1285724367ea3a902cabaceef9a51131 Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar
Date: Thu, 13 Jun 2024 14:18:05 +0530
Subject: [PATCH] Spectro CICD

---
 .github/workflows/spectro-release.yaml | 35 ++++++++++-------
 Dockerfile                             | 33 ++++++++++++++--
 Makefile                               | 52 ++++++++++++++++++++++----
 3 files changed, 95 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
index 7de01b2..831fb45 100644
--- a/.github/workflows/spectro-release.yaml
+++ b/.github/workflows/spectro-release.yaml
@@ -7,6 +7,12 @@ on:
       description: 'Cluster API Version to Build'
       required: true
       default: '0.0.0'
+      rel_type:
+        type: choice
+        description: Type of release
+        options:
+          - release
+          - rc
 jobs:
   builder:
     # edge-runner machine group is a bunch of machines in US Datacenter
@@ -15,6 +21,8 @@ jobs:
     # Ensure that the credentials are provided as encrypted secrets
     env:
       SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+      LEGACY_REGISTRY: gcr.io/spectro-images-public/release/cluster-api-maas
+      FIPS_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-maas
     steps:
     -
       uses: mukunku/tag-exists-action@v1.2.0
@@ -26,6 +34,11 @@ jobs:
         run: |
           echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
           exit 1
+    -
+      if: ${{ github.event.inputs.rel_type == 'rc' }}
+      run: |
+        echo "LEGACY_REGISTRY=gcr.io/spectro-dev-public/release/cluster-api-maas" >> $GITHUB_ENV
+        echo "FIPS_REGISTRY=gcr.io/spectro-dev-public/release-fips/cluster-api-maas" >> $GITHUB_ENV
     -
       uses: actions/checkout@v3
     -
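Review bot: The new `rel_type` input in hunk `@@ -7,6 +7,12 @@` has no `required:` or `default:`, so a dispatch that omits it (for example through the REST API) matches neither `'rc'` nor `'release'`: the override step added in `@@ -26,6 +34,11 @@` is skipped, the images are pushed to the production `spectro-images-public` registries taken from the job-level env, and no tag is created. Make the least-privileged path the default by adding `required: true` and `default: rc` under `rel_type:`, or add an early step that fails the job when the value is not one of the two options. The override step in the third hunk also has no `name:`, so it shows in the run log only as its `run` command.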
@@ -41,28 +54,24 @@ jobs:
     -
       name: Build Image
       env:
-        REGISTRY: gcr.io/spectro-images-public/release/cluster-api-maas
+        REGISTRY: ${{ env.LEGACY_REGISTRY }}
       run: |
-        make docker-build
-        make docker-push
+        make docker-build-all
+        make docker-push-all
     -
       name: Build Image - FIPS Mode
       env:
         FIPS_ENABLE: yes
-        REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-maas
+        REGISTRY: ${{ env.FIPS_REGISTRY }}
       run: |
         make docker-build-all
         make docker-push-all
     -
-      name: Create Release
-      id: create_release
-      uses: actions/create-release@v1
+      name: Create Tag
+      if: ${{ github.event.inputs.rel_type == 'release' }}
+      id: tag_create
+      uses: rickstaa/action-create-tag@v1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
-        tag_name: v${{ github.event.inputs.release_version }}-spectro
-        release_name: Release v${{ github.event.inputs.release_version }}-spectro
-        body: |
-          Release version ${{ github.event.inputs.release_version }}
-        draft: false
-        prerelease: false
+        tag: v${{ github.event.inputs.release_version }}-spectro
diff --git a/Dockerfile b/Dockerfile
index 552c3f7..556c600 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,25 @@
 # Build the manager binary
-FROM golang:1.19.8 as builder
+ARG BUILDER_GOLANG_VERSION
+# First stage: build the executable.
+FROM --platform=$TARGETPLATFORM gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as toolchain
+FROM toolchain as builder
 WORKDIR /workspace
+
+RUN apk update
+RUN apk add git gcc g++ curl
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN go mod download
+RUN --mount=type=cache,target=/root/.local/share/golang \
+    --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
 # Copy the go source
 COPY main.go main.go
 COPY api/ api/
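Review bot: `uses: rickstaa/action-create-tag@v1` in the new Create Tag step references a third-party action by a mutable major-version tag while handing it `secrets.GITHUB_TOKEN`; pin it to a full commit SHA, `uses: rickstaa/action-create-tag@<commit-sha-of-the-v1-release> # v1`, so a moved tag cannot change what runs with that token. The same applies to `mukunku/tag-exists-action@v1.2.0` and `actions/checkout@v3` in the earlier hunks, although those references predate this commit. The tag is created only after both push steps succeed and only for `release`, so an `rc` run intentionally leaves pushed images with no git tag; a one-line comment above the `if:` saying so would spare the next reader the inference.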
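Review bot: `RUN apk update` and `RUN apk add git gcc g++ curl` are separate layers, so once the index layer is cached later builds install packages against a stale index and the index files stay in the stage; combine them as `RUN apk add --no-cache git gcc g++ curl`. `ARG BUILDER_GOLANG_VERSION` has no default, so an invocation that does not pass it resolves the base image to `golang:-alpine` and fails at pull, which is acceptable but deserves a comment such as `# no default on purpose: the Makefile always passes BUILDER_GOLANG_VERSION`. `FROM toolchain as builder` directly follows the `toolchain` stage with no steps in between; if it is meant as an extension point say so in a comment, otherwise a single `FROM ... as builder` is enough.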
@@ -16,13 +27,27 @@ COPY pkg/ pkg/
 COPY controllers/ controllers/
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
+
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.local/share/golang \
+    if [ ${CRYPTO_LIB} ];\
+    then \
+        GOARCH=${ARCH} go-build-fips.sh -a -o manager . ;\
+    else \
+        GOARCH=${ARCH} go-build-static.sh -a -o manager . ;\
+    fi
+
+RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh manager; fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-fips.sh manager; fi
+RUN scan-govulncheck.sh manager
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+USER 65532
 ENTRYPOINT ["/manager"]
diff --git a/Makefile b/Makefile
index f6750b0..7fcebce 100644
--- a/Makefile
+++ b/Makefile
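Review bot: `GOARCH=${ARCH}` in the new build `RUN` reads a shell variable that nothing in the Dockerfile declares — no `ARG ARCH` appears in either hunk, and the two hunks cover every line of the new file except the `COPY pkg/ pkg/` line between them — so the `--build-arg ARCH=$(ARCH)` the Makefile passes is never consumed and `GOARCH` is set to the empty string, leaving the architecture to whatever `FROM --platform=$TARGETPLATFORM` runs the stage as. Either add `ARG ARCH` immediately before this `RUN` so the build-arg takes effect, or drop the `GOARCH=${ARCH}` prefix and document that `--platform` selects the target. The test `if [ ${CRYPTO_LIB} ];\` is unquoted while the two `assert-*.sh` lines below quote the same variable; use `if [ "${CRYPTO_LIB}" ];\` for consistency, since an unquoted value containing a space makes `[` error out instead of selecting the FIPS branch.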
@@ -12,12 +12,23 @@ BUILD_DIR :=_build
 RELEASE_DIR := _build/release
 DEV_DIR := _build/dev
 REPO_ROOT := $(shell git rev-parse --show-toplevel)
+FIPS_ENABLE ?= ""
+BUILDER_GOLANG_VERSION ?= 1.22
+BUILD_ARGS = --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg BUILDER_GOLANG_VERSION=${BUILDER_GOLANG_VERSION}
+ARCH ?= amd64
+ALL_ARCH = amd64 arm64
+
+RELEASE_LOC := release
+ifeq ($(FIPS_ENABLE),yes)
+  RELEASE_LOC := release-fips
+endif
 # Image URL to use all building/pushing image targets
 IMAGE_NAME := cluster-api-provider-maas-controller
-IMG_URL ?= gcr.io/spectro-dev-public/release/cluster-api
-IMG_TAG ?= v0.5.0
-IMG ?= ${IMG_URL}/${IMAGE_NAME}:${IMG_TAG}
+REGISTRY ?= gcr.io/spectro-dev-public/${RELEASE_LOC}/cluster-api
+SPECTRO_VERSION ?= 4.0.0-dev
+IMG_TAG ?= v0.3.0-spectro-${SPECTRO_VERSION}
+CONTROLLER_IMG ?= ${REGISTRY}/${IMAGE_NAME}
 # Set --output-base for conversion-gen if we are not within GOPATH
 ifneq ($(abspath $(REPO_ROOT)),$(shell go env GOPATH)/src/github.com/spectrocloud/cluster-api-provider-maas)
@@ -72,7 +83,7 @@ uninstall: manifests ## Uninstall CRDs from a cluster
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: manifests ## Deploy controller in the configured Kubernetes cluster
-	cd config/manager && kustomize edit set image controller=${IMG}
+	cd config/manager && kustomize edit set image controller=$(CONTROLLER_IMG):$(IMG_TAG)
 	kustomize build config/default | kubectl apply -f -
 $(MANIFEST_DIR):
@@ -108,7 +119,7 @@ release-overrides:
 .PHONY: dev-manifests
 dev-manifests:
-	$(MAKE) manifests STAGE=dev MANIFEST_DIR=$(DEV_DIR) PULL_POLICY=Always IMAGE=$(IMG)
+	$(MAKE) manifests STAGE=dev MANIFEST_DIR=$(DEV_DIR) PULL_POLICY=Always IMAGE=$(CONTROLLER_IMG):$(IMG_TAG)
 	cp metadata.yaml $(DEV_DIR)/metadata.yaml
 	$(MAKE) templates OUTPUT_DIR=$(DEV_DIR)
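Review bot: `FIPS_ENABLE ?= ""` stores the two literal quote characters as the value rather than an empty string: `ifeq ($(FIPS_ENABLE),yes)` still works and the shell strips the quotes when `--build-arg CRYPTO_LIB=${FIPS_ENABLE}` is expanded, but any Make-level emptiness test such as `$(if $(FIPS_ENABLE),...)` would treat it as set. Write `FIPS_ENABLE ?=` instead. `BUILD_ARGS = ...` is recursively expanded yet only references `?=` variables assigned above it, so `BUILD_ARGS := ...` is equivalent and makes the binding explicit. The `REGISTRY ?=` default embeds `${RELEASE_LOC}`, while the workflow overrides `REGISTRY` wholesale through the step env, so the `ifeq` block only affects builds that do not set `REGISTRY`; a comment on `RELEASE_LOC := release` saying so would save the next reader a trip to the workflow file.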
@@ -148,15 +159,40 @@ generate-manifests: ## Generate manifests
 # Build the docker image
+.PHONY: docker-build
 docker-build: #test
-	docker build . -t ${IMG}
+	docker buildx build --load --platform linux/$(ARCH) ${BUILD_ARGS} --build-arg ARCH=$(ARCH) --build-arg LDFLAGS="$(LDFLAGS)" --build-arg CRYPTO_LIB=${FIPS_ENABLE} . -t $(CONTROLLER_IMG)-$(ARCH):$(IMG_TAG)
 # Push the docker image
+.PHONY: docker-push
 docker-push: ## Push the docker image to gcr
-	docker push ${IMG}
+	docker push $(CONTROLLER_IMG)-$(ARCH):$(IMG_TAG)
+
+## --------------------------------------
+## Docker — All ARCH
+## --------------------------------------
+.PHONY: docker-build-all ## Build all the architecture docker images
+docker-build-all: $(addprefix docker-build-,$(ALL_ARCH))
+
+docker-build-%:
+	$(MAKE) ARCH=$* docker-build
+
+.PHONY: docker-push-all ## Push all the architecture docker images
+docker-push-all: $(addprefix docker-push-,$(ALL_ARCH))
+	$(MAKE) docker-push-manifest
+
+docker-push-%:
+	$(MAKE) ARCH=$* docker-push
+
+.PHONY: docker-push-manifest
+docker-push-manifest: ## Push the fat manifest docker image.
+	## Minimum docker version 18.06.0 is required for creating and pushing manifest images.
+	docker manifest create --amend $(CONTROLLER_IMG):$(IMG_TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(CONTROLLER_IMG)\-&:$(IMG_TAG)~g")
+	@for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${CONTROLLER_IMG}:${IMG_TAG} ${CONTROLLER_IMG}-$${arch}:${IMG_TAG}; done
+	docker manifest push --insecure --purge $(CONTROLLER_IMG):$(IMG_TAG)
 docker-rmi: ## Remove the docker image locally
-	docker rmi ${IMG}
+	docker rmi $(CONTROLLER_IMG):$(IMG_TAG)
 mock: $(MOCKGEN)
 	go generate ./...
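Review bot: `docker manifest push --insecure --purge $(CONTROLLER_IMG):$(IMG_TAG)` in the new `docker-push-manifest` target lets the push fall back to plain HTTP or an untrusted certificate, and every registry this Makefile and the workflow name is on `gcr.io`, which needs neither; drop `--insecure` so a tampered path between the runner and the registry cannot substitute the manifest, or gate it behind a variable with a comment naming the local registry that requires it. The `$(shell echo $(ALL_ARCH) | sed ...)` that builds the per-arch image list forks a shell for something Make does natively: `$(foreach a,$(ALL_ARCH),$(CONTROLLER_IMG)-$(a):$(IMG_TAG))`. In `docker-build`, `--build-arg CRYPTO_LIB=${FIPS_ENABLE}` is passed twice, once inside `${BUILD_ARGS}` and once explicitly; keep one. `docker-build-%` and `docker-push-%` are pattern rules that never create a file, so a stray file named `docker-build-amd64` would satisfy them silently; declare the expanded names phony with `.PHONY: $(addprefix docker-build-,$(ALL_ARCH)) $(addprefix docker-push-,$(ALL_ARCH))`.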