From c67c8bf3b809132237556e488f27796d3cf785e1 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Mon, 17 Jan 2022 13:06:37 +0200 Subject: [PATCH] Push signed multi-arch image to GHCR - Build multi-arch image with Docker buildx and xx - Push image to GHCR - Sign image with Cosign and GitHub OIDC Signed-off-by: Stefan Prodan --- .github/workflows/release.yaml | 40 +++++++++++++++++++++++++++++++ .goreleaser.yaml | 11 +++++++++ CONTRIBUTING.md | 6 ++--- Dockerfile | 13 ++++++++-- Makefile | 16 +++++++++---- config/manager/deployment.yaml | 2 +- config/manager/kustomization.yaml | 6 ++--- 7 files changed, 81 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index df06823..4b41db5 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,6 +10,9 @@ permissions: id-token: write # needed for keyless signing packages: write # needed for ghcr access +env: + CONTROLLER: ${{ github.event.repository.name }} + jobs: release: runs-on: ubuntu-latest 
@@ -28,6 +31,43 @@ jobs: ${{ runner.os }}-go- - uses: sigstore/cosign-installer@main - uses: anchore/sbom-action/download-syft@v0 + - uses: docker/login-action@v1 + with: + registry: ghcr.io + username: fluxcdbot + password: ${{ secrets.GHCR_TOKEN }} + - name: Prepare + id: prep + run: | + VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}" + if [[ $GITHUB_REF == refs/tags/* ]]; then + VERSION=${GITHUB_REF/refs\/tags\//} + fi + echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ') + echo ::set-output name=VERSION::${VERSION} + - name: Publish multi-arch container image + uses: docker/build-push-action@v2 + with: + push: true + builder: ${{ steps.buildx.outputs.name }} + context: . + file: ./Dockerfile + platforms: linux/amd64,linux/arm/v7,linux/arm64 + tags: | + ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} + labels: | + org.opencontainers.image.title=${{ github.event.repository.name }} + org.opencontainers.image.description=${{ github.event.repository.description }} + org.opencontainers.image.url=${{ github.event.repository.html_url }} + org.opencontainers.image.source=${{ github.event.repository.html_url }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }} + org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }} + - name: Sign multi-arch container image + env: + COSIGN_EXPERIMENTAL: 1 + run: | + cosign sign ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} - uses: goreleaser/goreleaser-action@v2 with: version: latest diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 7089891..7080801 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
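Review bot: The `cosign sign` step signs the image by its mutable tag, so the signature is bound to whatever the tag resolves to at signing time rather than to the manifest this job just pushed; give the build step an `id: build` and sign the digest instead, `cosign sign ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build.outputs.digest }}`. The login step uses a long-lived `GHCR_TOKEN` secret for `fluxcdbot` although the workflow already grants `packages: write`, so `username: ${{ github.actor }}` with `password: ${{ secrets.GITHUB_TOKEN }}` would avoid a standing credential unless the bot identity is needed for package ownership. `${{ github.event.inputs.tag }}` is interpolated straight into the `run:` script; passing it through `env:` and reading it as a shell variable keeps the input from being evaluated by the shell. `::set-output` has since been deprecated in favour of appending `NAME=value` lines to `$GITHUB_OUTPUT`, and `builder: ${{ steps.buildx.outputs.name }}` assumes a buildx setup step with `id: buildx` above this hunk.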
@@ -5,6 +5,17 @@ builds: release: prerelease: auto + footer: | + ## Signed images + + Verify and pull the container image: + + ``` + COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}} + docker pull ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}} + ``` + + Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`. changelog: use: github-native diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 81891b7..e7b263d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -40,9 +40,9 @@ meeting](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARD ### How to run the test suite Prerequisites: -* go >= 1.16 -* kubebuilder >= 3.0 -* kustomize >= 4.0 +* go >= 1.17 +* docker >= 20.10 +* kustomize >= 4.4 You can run the unit tests by simply doing diff --git a/Dockerfile b/Dockerfile index 8d09486..cbc6980 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,15 @@ -FROM golang:1.17-alpine as builder +FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine as builder + +# Copy the build utilities. +COPY --from=xx / / + +ARG TARGETPLATFORM WORKDIR /workspace +# copy api submodule +COPY api/ api/ + # copy modules manifests COPY go.mod go.mod COPY go.sum go.sum @@ -14,7 +22,8 @@ COPY main.go main.go COPY controllers/ controllers/ # build -RUN CGO_ENABLED=0 go build -a -o source-watcher main.go +ENV CGO_ENABLED=0 +RUN xx-go build -a -o source-watcher main.go FROM alpine:3.15 diff --git a/Makefile b/Makefile index d2c37f1..0f3d04c 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,5 @@ - # Image URL to use all building/pushing image targets -IMG ?= controller:latest +IMG ?= fluxcd/source-watcher:latest # Produce CRDs that work back to Kubernetes 1.16 CRD_OPTIONS ?= crd:crdVersions=v1 
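Review bot: The `cosign verify` command in the footer does not tell the reader which signing identity to expect, so any keyless signature recorded for that tag would satisfy it; add a sentence naming the expected certificate subject (this repository's release workflow) and OIDC issuer, and note that newer cosign releases require `--certificate-identity` and `--certificate-oidc-issuer` to be passed explicitly. The footer also verifies and then pulls by tag; suggesting that the pull use the digest printed by the verify step would tie the two commands to the same manifest.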
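Review bot: As the hunk stands, and it starts at line 1 of the file, `${GO_VERSION}` is used in the first `FROM` with no preceding `ARG GO_VERSION`, and `COPY --from=xx / /` names a stage `xx` that is not declared anywhere visible, so the build cannot resolve either unless they are supplied out of band (no `--build-arg` or `--build-context` appears in the Makefile or workflow hunks). Declare them above the builder stage, e.g. `ARG GO_VERSION=1.17` (the version the removed line used) followed by a pinned helper stage such as `FROM --platform=$BUILDPLATFORM tonistiigi/xx:<pinned-version> AS xx`; pinning that image, ideally by digest, keeps the cross-compilation toolchain reproducible. The builder stage continues past this hunk.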
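Review bot: `IMG ?= fluxcd/source-watcher:latest` carries no registry prefix, so `docker-build` and `docker-push` default to `docker.io/fluxcd/source-watcher` while the deployment, kustomization and release workflow in this same commit all refer to `ghcr.io/fluxcd/source-watcher`. Unless Docker Hub is an intended second home for the image, set `IMG ?= ghcr.io/fluxcd/source-watcher:latest` so local pushes land where the manifests pull from.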
@@ -11,6 +10,11 @@ else GOBIN=$(shell go env GOBIN) endif +# Allows for defining additional Docker buildx arguments, e.g. '--push'. +BUILD_ARGS ?= +# Architectures to build images for. +BUILD_PLATFORMS ?= linux/amd64 + # Architecture to use envtest with ENVTEST_ARCH ?= amd64 @@ -63,8 +67,12 @@ generate: controller-gen $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." # Build the docker image -docker-build: test - docker build . -t ${IMG} +docker-build: + docker buildx build \ + --platform=$(BUILD_PLATFORMS) \ + -t ${IMG} \ + --load \ + ${BUILD_ARGS} . # Push the docker image docker-push: diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml index a7eb627..23cdaaa 100644 --- a/config/manager/deployment.yaml +++ b/config/manager/deployment.yaml @@ -20,7 +20,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: manager - image: source-watcher + image: ghcr.io/fluxcd/source-watcher imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 06567c4..7066531 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -3,6 +3,6 @@ kind: Kustomization resources: - deployment.yaml images: - - name: source-watcher - newName: source-watcher - newTag: v0.2.0 + - name: ghcr.io/fluxcd/source-watcher + newName: ghcr.io/fluxcd/source-watcher + newTag: v0.10.0
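Review bot: `docker-build` passes `--load` unconditionally, but the docker exporter of the buildx releases of that time only handles a single platform, so any `BUILD_PLATFORMS` value with more than one entry (the list the release workflow uses) fails at export; likewise the `BUILD_ARGS` comment in the earlier hunk suggests `--push`, which older buildx versions reject alongside `--load` as multiple outputs. Making the exporter part of the overridable default, `BUILD_ARGS ?= --load`, lets a multi-platform or push invocation replace it instead of fighting it. The target also silently drops its `test` prerequisite, which deserves a line in the comment above it so contributors know image builds no longer run the suite.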