

feat: NVSHAS-9501 standalone Dockerfile
1. Provide cross-platform/standalone Dockerfile
2. Release.yml to publish SLSA-capable artifacts
3. Provide build target, test-image, build-image and push-image to sync
   with rancher.
4. Switch to golang:1.22 as its base image
holyspectral authored and BinX-Suse committed Dec 13, 2024
1 parent 1fedaec commit 7202b01
Showing 7 changed files with 206 additions and 41 deletions.
File renamed without changes.
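--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,68 @@
+name: Release
+
+on:
+push:
+tags:
+- 'v*'
+
+jobs:
+
+publish:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+# write is needed for:
+# - OIDC for cosign's use in ecm-distro-tools/publish-image.
+# - Read vault secrets in rancher-eio/read-vault-secrets.
+id-token: write
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Load Secrets from Vault
+uses: rancher-eio/read-vault-secrets@main
+with:
+secrets: |
+secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ;
+secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_DOCKER_PASSWORD ;
+secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+- name: Parse target tag
+run: |
+TARGET=${{ github.ref_name }}
+echo "TAG=${TARGET#v}" >> $GITHUB_ENV
+- name: Publish neuvector manifest
+uses: rancher/ecm-distro-tools/actions/publish-image@master
+with:
+push-to-public: true
+push-to-prime: false
+image: registry-adapter
+tag: ${{ env.TAG }}
+platforms: linux/amd64,linux/arm64
+
+public-registry: docker.io
+public-repo: neuvector
+public-username: ${{ env.DOCKER_USERNAME }}
+public-password: ${{ env.DOCKER_PASSWORD }}
+- name: Publish rancher manifest
+uses: rancher/ecm-distro-tools/actions/publish-image@master
+env:
+IMAGE_PREFIX: neuvector-
+with:
+image: neuvector-registry-adapter
+tag: ${{ env.TAG }}
+platforms: linux/amd64,linux/arm64
+
+public-registry: docker.io
+public-repo: rancher
+public-username: ${{ env.RANCHER_DOCKER_USERNAME }}
+public-password: ${{ env.RANCHER_DOCKER_PASSWORD }}
+
+prime-registry: ${{ env.PRIME_REGISTRY }}
+prime-repo: rancher
+prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}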
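Review bot: Both third-party actions are consumed from moving branches — `rancher-eio/read-vault-secrets@main` and `rancher/ecm-distro-tools/actions/publish-image@master` — inside a job that holds `id-token: write` plus Docker Hub and prime-registry credentials, so a push to either upstream branch (or a compromise of it) runs with this repository's release identity and can sign and publish images as it. Pin each to a full commit SHA with the tracked ref in a trailing comment, e.g. `uses: rancher-eio/read-vault-secrets@<sha> # main`, and consider the same for `actions/checkout@v4`. Separately, `TARGET=${{ github.ref_name }}` interpolates the tag name directly into the shell script; only someone who can push a `v*` tag reaches it, but the safe form is an `env:` mapping on the step (`env: TARGET: ${{ github.ref_name }}`) followed by `echo "TAG=${TARGET#v}" >> "$GITHUB_ENV"`.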
89 changes: 71 additions & 18 deletions Makefile
@@ -1,26 +1,79 @@
BASE_IMAGE_TAG = latest
BUILD_IMAGE_TAG = v2
RUNNER := docker
IMAGE_BUILDER := $(RUNNER) buildx
MACHINE := neuvector
BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64

all:
go build -ldflags='-s -w' -buildvcs=false -o adapter
COMMIT = $(shell git rev-parse --short HEAD)
ifeq ($(VERSION),)
# Define VERSION, which is used for image tags or to bake it into the
# compiled binary to enable the printing of the application version,
# via the --version flag.
CHANGES = $(shell git status --porcelain --untracked-files=no)
ifneq ($(CHANGES),)
DIRTY = -dirty
endif


COMMIT = $(shell git rev-parse --short HEAD)
VERSION = $(COMMIT)$(DIRTY)

# Override VERSION with the Git tag if the current HEAD has a tag pointing to
# it AND the worktree isn't dirty.
GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)
ifneq ($(GIT_TAG),)
ifeq ($(DIRTY),)
VERSION = $(GIT_TAG)
endif
endif
endif

ifeq ($(TAG),)
TAG = $(VERSION)
ifneq ($(DIRTY),)
TAG = dev
endif
endif

TARGET_PLATFORMS ?= linux/amd64,linux/arm64
STAGE_DIR=stage
REPO ?= neuvector
IMAGE = $(REPO)/registry-adapter:$(TAG)
BUILD_ACTION = --load

STAGE_DIR = stage
.PHONY: all build test copy_adpt

copy_adpt:
all: test build copy_adpt

test:
go test ./...

copy_adpt: build
mkdir -p ${STAGE_DIR}/usr/local/bin/
#
cp registry-adapter/adapter ${STAGE_DIR}/usr/local/bin/
cp adapter ${STAGE_DIR}/usr/local/bin/

build:
go build -ldflags='-s -w' -buildvcs=false -o adapter

buildx-machine:
docker buildx ls
@docker buildx ls | grep $(MACHINE) || \
docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)

stage_init:
rm -rf ${STAGE_DIR}; mkdir -p ${STAGE_DIR}
test-image:
# Instead of loading image, target all platforms, effectivelly testing
# the build for the target architectures.
$(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"

stage_adpt: stage_init copy_adpt
build-image: buildx-machine ## build (and load) the container image targeting the current platform.
$(IMAGE_BUILDER) build -f package/Dockerfile \
--builder $(MACHINE) $(IMAGE_ARGS) \
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) .
@echo "Built $(IMAGE)"

adapter_image: stage_adpt
docker pull neuvector/adapter_base:${BASE_IMAGE_TAG}
docker build --build-arg NV_TAG=$(NV_TAG) --build-arg BASE_IMAGE_TAG=${BASE_IMAGE_TAG} -t neuvector/registry-adapter -f registry-adapter/build/Dockerfile .

binary:
@echo "Making $@ ..."
@docker pull neuvector/build_fleet:${BUILD_IMAGE_TAG}
@docker run --rm -ia STDOUT --name build --net=none -v $(CURDIR):/go/src/github.com/neuvector/registry-adapter -w /go/src/github.com/neuvector/registry-adapter --entrypoint ./make_bin.sh neuvector/build_fleet:${BUILD_IMAGE_TAG}
push-image: buildx-machine
$(IMAGE_BUILDER) build -f package/Dockerfile \
--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/$(IMAGE_PREFIX)registry-adapter:$(TAG)" --push .
@echo "Pushed $(REPO)/$(IMAGE_PREFIX)registry-adapter:$(TAG)"
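Review bot: `DEFAULT_PLATFORMS` lists `linux/x390s`, which is not a real platform — the IBM Z target is `linux/s390x` — so `buildx-machine` creates a builder advertising an architecture that does not exist; it only bites when someone builds for Z, but it should read `DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/s390x,linux/riscv64`. The existence check right above the `create`, `docker buildx ls | grep $(MACHINE)`, is a substring match, so any builder whose name merely contains `neuvector` satisfies it; `docker buildx inspect $(MACHINE) >/dev/null 2>&1 || docker buildx create ...` is exact. The new `buildx-machine`, `test-image`, `build-image` and `push-image` targets are missing from the `.PHONY: all build test copy_adpt` line, so a stray file with one of those names would make the target silently "up to date". The comment above `VERSION` says it is baked into the binary, yet `build` passes only `-ldflags='-s -w'` with no `-X` and no `-trimpath`; unless `version.go` picks the value up some other way, the `VERSION`/`COMMIT` build args reach the image labels but not the executable.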
12 changes: 0 additions & 12 deletions build/Dockerfile

This file was deleted.

8 changes: 0 additions & 8 deletions make_bin.sh

This file was deleted.

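--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -0,0 +1,67 @@
+#
+# Builder image
+FROM registry.suse.com/bci/golang:1.22 AS builder
+
+ENV GOPATH=/go
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+COPY config/ /src/config
+COPY server/ /src/server
+COPY vendor/ /src/vendor
+COPY go.mod go.sum adapter.go version.go Makefile /src
+WORKDIR /src
+RUN make
+
+#
+# base image
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 AS xx
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/bci-base:15.6 AS basebuilder
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+COPY --from=xx / /
+COPY --from=micro / /chroot/
+
+RUN echo "[main]" > /etc/zypp/zypp.conf && \
+echo -n "arch = " >> /etc/zypp/zypp.conf && \
+xx-info march >> /etc/zypp/zypp.conf
+
+COPY --from=base /etc/products.d/ /etc/products.d/
+COPY --from=base /etc/zypp/ /chroot/etc/zypp/
+
+# Runtime dependencies
+RUN zypper refresh && zypper --non-interactive --installroot /chroot install --no-recommends \
+ca-certificates && \
+zypper --non-interactive --installroot /chroot clean -a && \
+rm -rf /chroot/var/log/ /chroot/var/cache/zypp/* /chroot/etc/zypp/
+
+RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+RUN mkdir -p /chroot/etc/neuvector/certs/internal/
+
+FROM micro
+ARG VERSION
+ARG COMMIT
+WORKDIR /
+COPY --from=basebuilder /chroot/ /
+COPY --from=builder /src/stage /
+
+LABEL "name"="registry-adapter" \
+"vendor"="SUSE Security" \
+"neuvector.image"="neuvector/registry-adapter" \
+"neuvector.role"="registry-adapater" \
+"neuvector.rev"="${COMMIT}" \
+"io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+"io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/registry-adapter/${VERSION}/README.md" \
+"org.opencontainers.image.description"="SUSE Security Registry Adapter" \
+"org.opencontainers.image.title"="SUSE Security Registry Adapter" \
+"org.opencontainers.image.source"="https://github.com/neuvector/registry-adapter/" \
+"org.opencontainers.image.version"="${VERSION}" \
+"org.opensuse.reference"="neuvector/registry-adapter:${VERSION}"
+
+
+ENTRYPOINT ["/usr/local/bin/adapter"]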
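Review bot: The final stage never sets `USER`, so `/usr/local/bin/adapter` runs as root in the published image; unless the adapter needs root for something not visible here (the only hint is the `/etc/neuvector/certs/internal/` directory, which is created but not chowned), add `USER 65534:65534` before `ENTRYPOINT` and `chown` that directory in the `basebuilder` stage. The builder and runtime bases — `bci/golang:1.22`, `bci/bci-micro:15.6`, `bci/bci-base:15.6` — are pulled by floating tag while `push-image` attaches SLSA provenance with `mode=max`; pinning each `FROM` by digest (`…:15.6@sha256:…`, refreshed by a bot) is what makes the recorded materials reproducible and the provenance meaningful. The coreutils strip line spells `tiemout`, so `timeout` survives and `rm -rf` hides the miss silently; fix it to `timeout`. `"neuvector.role"="registry-adapater"` is also misspelt and will be read by whatever consumes that label.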
3 changes: 0 additions & 3 deletions unitest.sh

This file was deleted.
