feat: NVSHAS-9501 standalone Dockerfile
1. Provide a cross-platform/standalone Dockerfile. 2. Add Release.yml to publish SLSA-capable artifacts. 3. Provide build, test-image, build-image and push-image targets to sync with rancher. 4. Switch to golang:1.22 as the base image.
1 parent
1fedaec
commit 6f5d358
Showing
7 changed files
with
199 additions
and
41 deletions.
File renamed without changes.
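--- /dev/null
+++ b/Release.yml
@@ -0,0 +1,61 @@
+name: Release
+
+on:
+push:
+tags:
+- 'v*'
+
+jobs:
+
+publish:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+# write is needed for:
+# - OIDC for cosign's use in ecm-distro-tools/publish-image.
+# - Read vault secrets in rancher-eio/read-vault-secrets.
+id-token: write
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Load Secrets from Vault
+uses: rancher-eio/read-vault-secrets@main
+with:
+secrets: |
+secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+- name: Parse target tag
+run: |
+TARGET=${{ github.ref_name }}
+echo "TAG=${TARGET#v}" >> $GITHUB_ENV
+- name: Publish public manifest
+uses: rancher/ecm-distro-tools/actions/publish-image@master
+with:
+push-to-public: true
+push-to-prime: false
+image: registry-adapter
+tag: ${{ env.TAG }}
+platforms: linux/amd64,linux/arm64
+
+public-registry: docker.io
+public-repo: neuvector
+public-username: ${{ env.DOCKER_USERNAME }}
+public-password: ${{ env.DOCKER_PASSWORD }}
+- name: Publish prime manifest
+uses: rancher/ecm-distro-tools/actions/publish-image@master
+with:
+push-to-public: false
+push-to-prime: true
+image: neuvector-registry-adapter
+tag: ${{ env.TAG }}
+platforms: linux/amd64,linux/arm64
+
+prime-registry: ${{ env.PRIME_REGISTRY }}
+prime-repo: rancher
+prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}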
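Review bot: The two third-party actions that receive the registry credentials are referenced by mutable branch, `uses: rancher-eio/read-vault-secrets@main` and `uses: rancher/ecm-distro-tools/actions/publish-image@master`, so anyone who can push to those branches changes what runs with the Docker Hub and prime-registry passwords and the `id-token: write` OIDC token; for a workflow meant to produce SLSA-capable release artifacts, pin each to a full commit SHA, e.g. `uses: rancher-eio/read-vault-secrets@<commit-sha> # main`. The "Parse target tag" step interpolates `${{ github.ref_name }}` straight into the shell script; passing it through an environment variable instead (`env:` with `TARGET: ${{ github.ref_name }}`, then `echo "TAG=${TARGET#v}" >> "$GITHUB_ENV"`) keeps tag text out of script parsing, which is the pattern GitHub recommends for any `github.*` context value used in `run:`. A one-line comment above the Vault step naming which Vault path grants these secrets and who owns it would also help future reviewers of this job.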
@@ -1,26 +1,79 @@ | ||
BASE_IMAGE_TAG = latest | ||
BUILD_IMAGE_TAG = v2 | ||
RUNNER := docker | ||
IMAGE_BUILDER := $(RUNNER) buildx | ||
MACHINE := neuvector | ||
BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max | ||
DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64 | ||
|
||
all: | ||
go build -ldflags='-s -w' -buildvcs=false -o adapter | ||
COMMIT = $(shell git rev-parse --short HEAD) | ||
ifeq ($(VERSION),) | ||
# Define VERSION, which is used for image tags or to bake it into the | ||
# compiled binary to enable the printing of the application version, | ||
# via the --version flag. | ||
CHANGES = $(shell git status --porcelain --untracked-files=no) | ||
ifneq ($(CHANGES),) | ||
DIRTY = -dirty | ||
endif | ||
|
||
|
||
COMMIT = $(shell git rev-parse --short HEAD) | ||
VERSION = $(COMMIT)$(DIRTY) | ||
|
||
# Override VERSION with the Git tag if the current HEAD has a tag pointing to | ||
# it AND the worktree isn't dirty. | ||
GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1) | ||
ifneq ($(GIT_TAG),) | ||
ifeq ($(DIRTY),) | ||
VERSION = $(GIT_TAG) | ||
endif | ||
endif | ||
endif | ||
|
||
ifeq ($(TAG),) | ||
TAG = $(VERSION) | ||
ifneq ($(DIRTY),) | ||
TAG = dev | ||
endif | ||
endif | ||
|
||
TARGET_PLATFORMS ?= linux/amd64,linux/arm64 | ||
STAGE_DIR=stage | ||
REPO ?= neuvector | ||
IMAGE = $(REPO)/registry-adapter:$(TAG) | ||
BUILD_ACTION = --load | ||
|
||
STAGE_DIR = stage | ||
.PHONY: all build test copy_adpt | ||
|
||
copy_adpt: | ||
all: test build copy_adpt | ||
|
||
test: | ||
go test ./... | ||
|
||
copy_adpt: build | ||
mkdir -p ${STAGE_DIR}/usr/local/bin/ | ||
# | ||
cp registry-adapter/adapter ${STAGE_DIR}/usr/local/bin/ | ||
cp adapter ${STAGE_DIR}/usr/local/bin/ | ||
|
||
build: | ||
go build -ldflags='-s -w' -buildvcs=false -o adapter | ||
|
||
buildx-machine: | ||
docker buildx ls | ||
@docker buildx ls | grep $(MACHINE) || \ | ||
docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS) | ||
|
||
stage_init: | ||
rm -rf ${STAGE_DIR}; mkdir -p ${STAGE_DIR} | ||
test-image: | ||
# Instead of loading image, target all platforms, effectivelly testing | ||
# the build for the target architectures. | ||
$(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)" | ||
|
||
stage_adpt: stage_init copy_adpt | ||
build-image: buildx-machine ## build (and load) the container image targeting the current platform. | ||
$(IMAGE_BUILDER) build -f package/Dockerfile \ | ||
--builder $(MACHINE) $(IMAGE_ARGS) \ | ||
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) . | ||
@echo "Built $(IMAGE)" | ||
|
||
adapter_image: stage_adpt | ||
docker pull neuvector/adapter_base:${BASE_IMAGE_TAG} | ||
docker build --build-arg NV_TAG=$(NV_TAG) --build-arg BASE_IMAGE_TAG=${BASE_IMAGE_TAG} -t neuvector/registry-adapter -f registry-adapter/build/Dockerfile . | ||
|
||
binary: | ||
@echo "Making $@ ..." | ||
@docker pull neuvector/build_fleet:${BUILD_IMAGE_TAG} | ||
@docker run --rm -ia STDOUT --name build --net=none -v $(CURDIR):/go/src/github.com/neuvector/registry-adapter -w /go/src/github.com/neuvector/registry-adapter --entrypoint ./make_bin.sh neuvector/build_fleet:${BUILD_IMAGE_TAG} | ||
push-image: buildx-machine | ||
$(IMAGE_BUILDER) build -f package/Dockerfile \ | ||
--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \ | ||
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-registry-adapter:$(TAG)" --push . | ||
@echo "Pushed $(IMAGE)" |
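Review bot: `DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64` contains `linux/x390s`, which is not a platform buildx recognises; presumably `linux/s390x` was meant, and as written the `docker buildx create --platform=$(DEFAULT_PLATFORMS)` line in `buildx-machine` will likely fail or register a builder that cannot target s390x. `push-image` pushes `$(REPO)/neuvector-registry-adapter:$(TAG)` but its last line reports `@echo "Pushed $(IMAGE)"`, where `IMAGE` expands to `$(REPO)/registry-adapter:$(TAG)`, so the log names a reference that was never pushed; either push `$(IMAGE)` or echo the reference actually pushed. `COMMIT = $(shell git rev-parse --short HEAD)` is assigned twice and with recursive `=`, so `git` is re-run on every expansion; a single `COMMIT := $(shell git rev-parse --short HEAD)` at the top is enough. The new `buildx-machine`, `test-image`, `build-image` and `push-image` targets are missing from `.PHONY: all build test copy_adpt`. Which lines of this hunk are old and which are new is inferred from their content, since the rendered page dropped the `+`/`-` markers.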
This file was deleted.
This file was deleted.
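--- /dev/null
+++ b/package/Dockerfile
@@ -0,0 +1,67 @@
+#
+# Builder image
+FROM registry.suse.com/bci/golang:1.22 AS builder
+
+ENV GOPATH=/go
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+COPY config/ /src/config
+COPY server/ /src/server
+COPY vendor/ /src/vendor
+COPY go.mod go.sum adapter.go version.go Makefile /src
+WORKDIR /src
+RUN make
+
+#
+# base image
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 AS xx
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/bci-base:15.6 AS basebuilder
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+COPY --from=xx / /
+COPY --from=micro / /chroot/
+
+RUN echo "[main]" > /etc/zypp/zypp.conf && \
+echo -n "arch = " >> /etc/zypp/zypp.conf && \
+xx-info march >> /etc/zypp/zypp.conf
+
+COPY --from=base /etc/products.d/ /etc/products.d/
+COPY --from=base /etc/zypp/ /chroot/etc/zypp/
+
+# Runtime dependencies
+RUN zypper refresh && zypper --non-interactive --installroot /chroot install --no-recommends \
+ca-certificates && \
+zypper --non-interactive --installroot /chroot clean -a && \
+rm -rf /chroot/var/log/ /chroot/var/cache/zypp/* /chroot/etc/zypp/
+
+RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+RUN mkdir -p /chroot/etc/neuvector/certs/internal/
+
+FROM micro
+ARG VERSION
+ARG COMMIT
+WORKDIR /
+COPY --from=basebuilder /chroot/ /
+COPY --from=builder /src/stage /
+
+LABEL "name"="registry-adapter" \
+"vendor"="SUSE Security" \
+"neuvector.image"="neuvector/registry-adapter" \
+"neuvector.role"="registry-adapater" \
+"neuvector.rev"="${COMMIT}" \
+"io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+"io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/registry-adapter/${VERSION}/README.md" \
+"org.opencontainers.image.description"="SUSE Security Registry Adapter" \
+"org.opencontainers.image.title"="SUSE Security Registry Adapter" \
+"org.opencontainers.image.source"="https://github.com/neuvector/registry-adapter/" \
+"org.opencontainers.image.version"="${VERSION}" \
+"org.opensuse.reference"="neuvector/registry-adapter:${VERSION}"
+
+
+ENTRYPOINT ["/usr/local/bin/adapter"]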
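Review bot: The `RUN cd /chroot/usr/bin/ && rm -rf basename … watch` line lists `tiemout`, so `timeout` survives in the runtime root while the typo goes unnoticed because `rm -f` does not report a missing name; correct it to `timeout`, and consider listing the directory after the removal in the same `RUN` so a wrong name is visible in the build log. The final `FROM micro` stage has no `USER` instruction, so the adapter runs as root; if it does not need a privileged port or root-owned paths under `/etc/neuvector/certs/internal/`, add a non-root `USER` before `ENTRYPOINT`. The label `"neuvector.role"="registry-adapater"` misspells the role ("adapater"), and `"io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275` is the only unquoted value in the block. `COPY go.mod go.sum adapter.go version.go Makefile /src` copies several sources to a destination without a trailing slash; builders that enforce the multi-source rule require `/src/`, so writing it that way is safer.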
This file was deleted.