diff --git a/build/dockerignore b/.dockerignore
similarity index 100%
rename from build/dockerignore
rename to .dockerignore
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..186eb36b
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,61 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # write is needed for:
+ # - OIDC for cosign's use in ecm-distro-tools/publish-image.
+ # - Read vault secrets in rancher-eio/read-vault-secrets.
+ id-token: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Load Secrets from Vault
+ uses: rancher-eio/read-vault-secrets@main
+ with:
+ secrets: |
+ secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+ - name: Parse target tag
+ run: |
+ TARGET=${{ github.ref_name }}
+ echo "TAG=${TARGET#v}" >> $GITHUB_ENV
+ - name: Publish public manifest
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ push-to-public: true
+ push-to-prime: false
+ image: registry-adapter
+ tag: ${{ env.TAG }}
+ platforms: linux/amd64,linux/arm64
+
+ public-registry: docker.io
+ public-repo: neuvector
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+ - name: Publish prime manifest
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ push-to-public: false
+ push-to-prime: true
+ image: neuvector-registry-adapter
+ tag: ${{ env.TAG }}
+ platforms: linux/amd64,linux/arm64
+
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-repo: rancher
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
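Review bot: The two steps that receive the registry credentials pin their actions to moving branch refs, `uses: rancher-eio/read-vault-secrets@main` and `uses: rancher/ecm-distro-tools/actions/publish-image@master`, so whatever those branches resolve to at release time runs with DOCKER_PASSWORD and PRIME_REGISTRY_PASSWORD available to it; pin both to a full commit SHA (tag noted in a trailing comment) so the release job's trust does not depend on the current state of a third-party branch. In the "Parse target tag" step, `TARGET=${{ github.ref_name }}` is substituted into the script text before the shell runs; pass the ref through the step's environment instead, `env: { TARGET: ${{ github.ref_name }} }` with `run: echo "TAG=${TARGET#v}" >> "$GITHUB_ENV"`, which also quotes `$GITHUB_ENV`. The trigger is restricted to `v*` tags, so the exposure from the inline expansion is limited here, but the env-mapping form is the one to keep as the workflow grows.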
diff --git a/Makefile b/Makefile
index 62215615..774e5bba 100644
--- a/Makefile
+++ b/Makefile
@@ -1,26 +1,79 @@ -BASE_IMAGE_TAG = latest -BUILD_IMAGE_TAG = v2 +RUNNER := docker +IMAGE_BUILDER := $(RUNNER) buildx +MACHINE := neuvector +BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max +DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64 -all: - go build -ldflags='-s -w' -buildvcs=false -o adapter +COMMIT = $(shell git rev-parse --short HEAD) +ifeq ($(VERSION),) + # Define VERSION, which is used for image tags or to bake it into the + # compiled binary to enable the printing of the application version, + # via the --version flag. + CHANGES = $(shell git status --porcelain --untracked-files=no) + ifneq ($(CHANGES),) + DIRTY = -dirty + endif + + + COMMIT = $(shell git rev-parse --short HEAD) + VERSION = $(COMMIT)$(DIRTY) + + # Override VERSION with the Git tag if the current HEAD has a tag pointing to + # it AND the worktree isn't dirty. + GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1) + ifneq ($(GIT_TAG),) + ifeq ($(DIRTY),) + VERSION = $(GIT_TAG) + endif + endif +endif + +ifeq ($(TAG),) + TAG = $(VERSION) + ifneq ($(DIRTY),) + TAG = dev + endif +endif + +TARGET_PLATFORMS ?= linux/amd64,linux/arm64 +STAGE_DIR=stage +REPO ?= neuvector +IMAGE = $(REPO)/registry-adapter:$(TAG) +BUILD_ACTION = --load -STAGE_DIR = stage +.PHONY: all build test copy_adpt -copy_adpt: +all: test build copy_adpt + +test: + go test ./... + +copy_adpt: build mkdir -p ${STAGE_DIR}/usr/local/bin/ - # - cp registry-adapter/adapter ${STAGE_DIR}/usr/local/bin/ + cp adapter ${STAGE_DIR}/usr/local/bin/ + +build: + go build -ldflags='-s -w' -buildvcs=false -o adapter + +buildx-machine: + docker buildx ls + @docker buildx ls | grep $(MACHINE) || \ + docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS) -stage_init: - rm -rf ${STAGE_DIR}; mkdir -p ${STAGE_DIR} +test-image: + # Instead of loading image, target all platforms, effectivelly testing + # the build for the target architectures. 
+ $(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)" -stage_adpt: stage_init copy_adpt +build-image: buildx-machine ## build (and load) the container image targeting the current platform. + $(IMAGE_BUILDER) build -f package/Dockerfile \ + --builder $(MACHINE) $(IMAGE_ARGS) \ + --build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) . + @echo "Built $(IMAGE)" -adapter_image: stage_adpt - docker pull neuvector/adapter_base:${BASE_IMAGE_TAG} - docker build --build-arg NV_TAG=$(NV_TAG) --build-arg BASE_IMAGE_TAG=${BASE_IMAGE_TAG} -t neuvector/registry-adapter -f registry-adapter/build/Dockerfile . -binary: - @echo "Making $@ ..." - @docker pull neuvector/build_fleet:${BUILD_IMAGE_TAG} - @docker run --rm -ia STDOUT --name build --net=none -v $(CURDIR):/go/src/github.com/neuvector/registry-adapter -w /go/src/github.com/neuvector/registry-adapter --entrypoint ./make_bin.sh neuvector/build_fleet:${BUILD_IMAGE_TAG} +push-image: buildx-machine + $(IMAGE_BUILDER) build -f package/Dockerfile \ + --builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \ + --build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-registry-adapter:$(TAG)" --push . + @echo "Pushed $(IMAGE)" diff --git a/build/Dockerfile b/build/Dockerfile deleted file mode 100644 index 7866fa8a..00000000 --- a/build/Dockerfile +++ /dev/null @@ -1,12 +0,0 @@ -ARG BASE_IMAGE_TAG -FROM neuvector/adapter_base:${BASE_IMAGE_TAG} - -COPY stage / - -LABEL neuvector.image="neuvector/registry-adapter" \ - neuvector.role="registry-adapter" \ - version=${NV_TAG} \ - release=${NV_TAG} \ - neuvector.rev="git.xxxx" - -ENTRYPOINT ["/usr/local/bin/adapter"] diff --git a/make_bin.sh b/make_bin.sh deleted file mode 100755 index e4a20877..00000000 --- a/make_bin.sh +++ /dev/null 
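Review bot: `DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64` at the top of the hunk misspells the s390x platform as `linux/x390s`, so the builder created by `buildx-machine` is registered for a platform that does not exist; it should read `linux/s390x`. `COMMIT`, `CHANGES` and `GIT_TAG` are recursive (`=`) assignments wrapping `$(shell git ...)`, so git is re-run on every expansion, and `COMMIT` is assigned twice; `:=` would evaluate each once. `push-image` pushes `$(REPO)/neuvector-registry-adapter:$(TAG)` but reports `@echo "Pushed $(IMAGE)"`, which names the `registry-adapter` reference built by `build-image`; echo the reference actually pushed, or hoist it into its own variable. The new targets `buildx-machine`, `test-image`, `build-image` and `push-image` are missing from `.PHONY: all build test copy_adpt`, so a file with one of those names in the checkout would make the target appear up to date.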
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-# This script is invoked by build container
-
-./unitest.sh || exit $?
-
-echo "==> Making adapter"
-make || exit $?
diff --git a/package/Dockerfile b/package/Dockerfile
new file mode 100644
index 00000000..cd170edd
--- /dev/null
+++ b/package/Dockerfile
@@ -0,0 +1,67 @@
+#
+# Builder image
+FROM registry.suse.com/bci/golang:1.22 AS builder
+
+ENV GOPATH=/go
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+COPY config/ /src/config
+COPY server/ /src/server
+COPY vendor/ /src/vendor
+COPY go.mod go.sum adapter.go version.go Makefile /src
+WORKDIR /src
+RUN make
+
+#
+# base image
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 AS xx
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/bci-base:15.6 AS basebuilder
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+COPY --from=xx / /
+COPY --from=micro / /chroot/
+
+RUN echo "[main]" > /etc/zypp/zypp.conf && \
+ echo -n "arch = " >> /etc/zypp/zypp.conf && \
+ xx-info march >> /etc/zypp/zypp.conf
+
+COPY --from=base /etc/products.d/ /etc/products.d/
+COPY --from=base /etc/zypp/ /chroot/etc/zypp/
+
+# Runtime dependencies
+RUN zypper refresh && zypper --non-interactive --installroot /chroot install --no-recommends \
+ ca-certificates && \
+ zypper --non-interactive --installroot /chroot clean -a && \
+ rm -rf /chroot/var/log/ /chroot/var/cache/zypp/* /chroot/etc/zypp/
+
+RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+RUN mkdir -p /chroot/etc/neuvector/certs/internal/
+
+FROM micro
+ARG VERSION
+ARG COMMIT
+WORKDIR /
+COPY --from=basebuilder /chroot/ /
+COPY --from=builder /src/stage /
+
+LABEL "name"="registry-adapter" \
+ "vendor"="SUSE Security" \
+ "neuvector.image"="neuvector/registry-adapter" \
+ "neuvector.role"="registry-adapater" \
+ "neuvector.rev"="${COMMIT}" \
+ "io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+ "io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/registry-adapter/${VERSION}/README.md" \
+ "org.opencontainers.image.description"="SUSE Security Registry Adapter" \
+ "org.opencontainers.image.title"="SUSE Security Registry Adapter" \
+ "org.opencontainers.image.source"="https://github.com/neuvector/registry-adapter/" \
+ "org.opencontainers.image.version"="${VERSION}" \
+ "org.opensuse.reference"="neuvector/registry-adapter:${VERSION}"
+
+
+ENTRYPOINT ["/usr/local/bin/adapter"]
diff --git a/unitest.sh b/unitest.sh
deleted file mode 100755
index 4a4508b0..00000000
--- a/unitest.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-go test ./... || exit $?
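Review bot: The `rm -rf` list in the basebuilder stage spells `timeout` as `tiemout`, so `/chroot/usr/bin/timeout` survives the cleanup that strips the other coreutils from the runtime root; change it to `timeout`. The final-stage label `"neuvector.role"="registry-adapater"` misspells the role and will not match the `registry-adapter` spelling used by the other labels in the same instruction. Every `FROM` (`bci/golang:1.22`, `bci-micro:15.6`, `bci-base:15.6`, `mirrored-tonistiigi-xx:1.3.0`) is referenced by tag only; since the Makefile's `push-image` now emits SBOM and provenance attestations, consider pinning each base by digest, e.g. `FROM registry.suse.com/bci/golang:1.22@sha256:<digest-placeholder> AS builder`, so a rebuild resolves the same inputs the attestation describes.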