Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: Make release SLSA compliant #749

Merged
merged 4 commits into from
Dec 16, 2024
Merged

ci: Make release SLSA compliant #749

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1ff6060
ci: Make build self-contained
yiannistri Dec 11, 2024
53cc3a1
ci: Push release images to Prime Registry
yiannistri Dec 12, 2024
d556585
ci: Replace release workflow steps with single call to `publish-image…
yiannistri Dec 12, 2024
9c3c82a
ci: Use xx (cross-compilation helpers) to build/verify target binary
yiannistri Dec 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 35 additions & 28 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,43 +20,50 @@ jobs:
permissions:
contents: write # required for creating GH release
id-token: write # required for reading vault secrets
strategy:
matrix:
include:
# Three images are created:
# - Multi-arch manifest for both amd64 and arm64
- tag-suffix: ""
platforms: linux/amd64,linux/arm64
# - arm64 manifest
- tag-suffix: "-arm64"
platforms: linux/arm64
# - amd64 manifest
- tag-suffix: "-amd64"
platforms: linux/amd64
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.ref_name}}
- name: Read secrets
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | PUBLIC_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | PUBLIC_REGISTRY_PASSWORD ;
- name: Login to DockerHub
uses: docker/login-action@v3
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
- name: Publish images
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
registry: ${{ vars.PUBLIC_REGISTRY }}
username: ${{ env.PUBLIC_REGISTRY_USERNAME }}
password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.ref_name}}
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
check-latest: true
- name: Build and push all image variations
run: |
make operator
make image-push
TAG="${TAG}-amd64" TARGET_PLATFORMS=linux/amd64 make image-push
TAG="${TAG}-arm64" TARGET_PLATFORMS=linux/arm64 make image-push
env:
TAG: ${{ github.ref_name }}
REPO: ${{ vars.PUBLIC_REGISTRY }}/${{ vars.PUBLIC_REGISTRY_REPO }}
image: aks-operator
tag: ${{ github.ref_name }}${{ matrix.tag-suffix }}
platforms: ${{ matrix.platforms }}
public-registry: docker.io
public-repo: rancher
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_PASSWORD }}
prime-registry: ${{ env.PRIME_REGISTRY }}
prime-repo: rancher
prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
make-target: image-push
- name: Create release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for creating GH release
Expand Down
7 changes: 0 additions & 7 deletions .github/workflows/scan.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,6 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
check-latest: true
- name: Build operator
run: make operator
- name: Set up Docker Buildx
id: buildx
uses: docker/[email protected]
Expand Down
15 changes: 11 additions & 4 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,14 @@ CRD_CHART?=$(shell find $(ROOT_DIR) -type f -name "rancher-aks-operator-crd*.tgz
CHART_VERSION?=900 # Only used in e2e to avoid downgrades from rancher
REPO?=docker.io/rancher/aks-operator
IMAGE = $(REPO):$(TAG)
TARGET_PLATFORMS := linux/amd64,linux/arm64
MACHINE := rancher
# Define the target platforms that can be used across the ecosystem.
# Note that what would actually be used for a given project will be
# defined in TARGET_PLATFORMS, and must be a subset of the below:
DEFAULT_PLATFORMS := linux/amd64,linux/arm64,darwin/arm64,darwin/amd64
TARGET_PLATFORMS := linux/amd64,linux/arm64
BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max

CLUSTER_NAME?="aks-operator-e2e"
E2E_CONF_FILE ?= $(ROOT_DIR)/test/e2e/config/config.yaml

Expand Down Expand Up @@ -125,9 +131,10 @@ charts:
$(MAKE) operator-chart
$(MAKE) crd-chart

buildx-machine:
.PHONY: buildx-machine
buildx-machine: ## create rancher dockerbuildx machine targeting platform defined by DEFAULT_PLATFORMS
@docker buildx ls | grep $(MACHINE) || \
docker buildx create --name=$(MACHINE) --platform=$(TARGET_PLATFORMS)
docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)

.PHONY: image-build
image-build: buildx-machine ## build (and load) the container image targeting the current platform.
Expand All @@ -139,7 +146,7 @@ image-build: buildx-machine ## build (and load) the container image targeting th
.PHONY: image-push
image-push: buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry.
docker buildx build -f package/Dockerfile \
--builder $(MACHINE) --build-arg VERSION=$(TAG) \
--builder $(MACHINE) $(IID_FILE_FLAG) $(BUILDX_ARGS) --build-arg VERSION=$(TAG) \
--platform=$(TARGET_PLATFORMS) -t "$(IMAGE)" --push .
@echo "Pushed $(IMAGE)"

Expand Down
17 changes: 13 additions & 4 deletions package/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,26 @@
FROM registry.suse.com/bci/bci-base:15.6 AS builder
FROM registry.suse.com/bci/bci-base:15.6 AS base
RUN sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd
RUN useradd --uid 1007 aks-operator

FROM registry.suse.com/bci/golang:1.23 AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download && go mod verify
COPY ./controller ./controller
COPY ./pkg ./pkg
COPY ./main.go ./main.go
RUN CGO_ENABLED=0 GOOS=linux go build -o /aks-operator

yiannistri marked this conversation as resolved.
Show resolved Hide resolved
FROM registry.suse.com/bci/bci-micro:15.6
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/shadow /etc/shadow
COPY --from=base /etc/passwd /etc/passwd
COPY --from=base /etc/shadow /etc/shadow
COPY --from=builder /aks-operator /usr/bin/aks-operator

RUN rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/*

ENV KUBECONFIG="/home/aks-operator/.kube/config"
ENV SSL_CERT_DIR="/etc/rancher/ssl"

COPY bin/aks-operator /usr/bin/
COPY package/entrypoint.sh /usr/bin
RUN chmod +x /usr/bin/entrypoint.sh

Expand Down
Loading