[2.8] ci: Make release SLSA compliant

.github/workflows/release.yaml

@@ -16,47 +16,67 @@ on:
 #   - PUBLIC_REGISTRY_PASSWORD
 
 jobs:
-  release:
+  publish-images:
     permissions:
-      contents: write # required for creating GH release
-      id-token: write # required for reading vault secrets
+      contents: read
+      id-token: write # required for reading vault secrets and for cosign's use in ecm-distro-tools/publish-image
+    strategy:
+      matrix:
+        include:
+          # Three images are created:
+          # - Multi-arch manifest for both amd64 and arm64
+          - tag-suffix: ""
+            platforms: linux/amd64,linux/arm64
+          # - arm64 manifest
+          - tag-suffix: "-arm64"
+            platforms: linux/arm64
+          # - amd64 manifest
+          - tag-suffix: "-amd64"
+            platforms: linux/amd64
     runs-on: ubuntu-latest
     steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        ref: ${{ github.ref_name }}
     - name: Read secrets
       uses: rancher-eio/read-vault-secrets@main
       with:
         secrets: |
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | PUBLIC_REGISTRY_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | PUBLIC_REGISTRY_PASSWORD ;
-    - name: Login to DockerHub
-      uses: docker/login-action@v3
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+    - name: Publish images
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
       with:
-        registry: ${{ vars.PUBLIC_REGISTRY }}
-        username: ${{ env.PUBLIC_REGISTRY_USERNAME }}
-        password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}
-    - name: Setup QEMU
-      uses: docker/setup-qemu-action@v3
-    - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v3
+        image: aks-operator
+        tag: ${{ github.ref_name }}${{ matrix.tag-suffix }}
+        platforms: ${{ matrix.platforms }}
+        public-registry: docker.io
+        public-repo: rancher
+        public-username: ${{ env.PUBLIC_REGISTRY_USERNAME }}
+        public-password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}
+        prime-registry: ${{ env.PRIME_REGISTRY }}
+        prime-repo: rancher
+        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+        make-target: image-push
+        push-to-prime: true
+
+  release:
+    permissions:
+      contents: write # required for creating GH release
+    runs-on: ubuntu-latest
+    needs: publish-images
+    steps:
     - name: Checkout code
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
         ref: ${{ github.ref_name}}
-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version-file: 'go.mod'
-        check-latest: true
-    - name: Build and push all image variations
-      run: |
-        make operator
-        make image-push
-        TAG="${TAG}-amd64" TARGET_PLATFORMS=linux/amd64 make image-push
-        TAG="${TAG}-arm64" TARGET_PLATFORMS=linux/arm64 make image-push
-      env:
-        TAG: ${{ github.ref_name }}
-        REPO: ${{ vars.PUBLIC_REGISTRY }}/${{ vars.PUBLIC_REGISTRY_REPO }}
     - name: Create release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for creating GH release
@@ -70,7 +90,7 @@ jobs:
     - name: Upload charts to release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for updating GH release
-        REPO: rancher/aks-operator # Docker repository to reference in `values.yaml` of the Helm chart release
+        REPO: rancher # First name component for Docker repository to reference in `values.yaml` of the Helm chart release, this is expected to be `rancher`, image name is appended to this value
         TAG: ${{ github.ref_name }} # image tag to be referenced in `values.yaml` of the Helm chart release
       run: |
         version=$(echo '${{ steps.goreleaser.outputs.metadata }}' | jq -r '.version')

Makefile

@@ -10,10 +10,17 @@ TAG?=${GIT_TAG}-${GIT_COMMIT_SHORT}
 OPERATOR_CHART?=$(shell find $(ROOT_DIR) -type f -name "rancher-aks-operator-[0-9]*.tgz" -print)
 CRD_CHART?=$(shell find $(ROOT_DIR) -type f -name "rancher-aks-operator-crd*.tgz" -print)
 CHART_VERSION?=900 # Only used in e2e to avoid downgrades from rancher
-REPO?=docker.io/rancher/aks-operator
-IMAGE = $(REPO):$(TAG)
+REPO?=docker.io/rancher
+IMAGE = $(REPO)/aks-operator:$(TAG)
 TARGET_PLATFORMS := linux/amd64,linux/arm64
 MACHINE := rancher
+# Define the target platforms that can be used across the ecosystem.
+# Note that what would actually be used for a given project will be
+# defined in TARGET_PLATFORMS, and must be a subset of the below:
+DEFAULT_PLATFORMS := linux/amd64,linux/arm64,darwin/arm64,darwin/amd64
+TARGET_PLATFORMS := linux/amd64,linux/arm64
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
+
 CLUSTER_NAME?="aks-operator-e2e"
 E2E_CONF_FILE ?= $(ROOT_DIR)/test/e2e/config/config.yaml
 
@@ -113,7 +120,7 @@ operator-chart:
 	mkdir -p $(BIN_DIR)
 	cp -rf $(ROOT_DIR)/charts/aks-operator $(BIN_DIR)/chart
 	sed -i -e 's/tag:.*/tag: '${TAG}'/' $(BIN_DIR)/chart/values.yaml
-	sed -i -e 's|repository:.*|repository: '${REPO}'|' $(BIN_DIR)/chart/values.yaml
+	sed -i -e 's|repository:.*|repository: '${REPO}/aks-operator'|' $(BIN_DIR)/chart/values.yaml
 	helm package --version ${CHART_VERSION} --app-version ${GIT_TAG} -d $(BIN_DIR)/ $(BIN_DIR)/chart
 	rm -Rf $(BIN_DIR)/chart
 
@@ -128,9 +135,9 @@ charts:
 	$(MAKE) operator-chart
 	$(MAKE) crd-chart
 
-buildx-machine:
+buildx-machine: ## create rancher dockerbuildx machine targeting platform defined by DEFAULT_PLATFORMS
 	@docker buildx ls | grep $(MACHINE) || \
-		docker buildx create --name=$(MACHINE) --platform=$(TARGET_PLATFORMS)
+		docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)
 
 .PHONY: image-build
 image-build: buildx-machine ## build (and load) the container image targeting the current platform.
@@ -142,7 +149,7 @@ image-build: buildx-machine ## build (and load) the container image targeting th
 .PHONY: image-push
 image-push: buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry.
 	docker buildx build -f package/Dockerfile \
-    --builder $(MACHINE) --build-arg VERSION=$(TAG) \
+    --builder $(MACHINE) $(IID_FILE_FLAG) $(BUILDX_ARGS) --build-arg COMMIT=$(GIT_COMMIT) --build-arg VERSION=$(TAG) \
     --platform=$(TARGET_PLATFORMS) -t "$(IMAGE)" --push .
 	@echo "Pushed $(IMAGE)"
 

main.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/rancher/aks-operator/controller"
 	aksv1 "github.com/rancher/aks-operator/pkg/generated/controllers/aks.cattle.io"
+	"github.com/rancher/aks-operator/pkg/version"
 	core3 "github.com/rancher/wrangler/v2/pkg/generated/controllers/core"
 	"github.com/rancher/wrangler/v2/pkg/kubeconfig"
 	"github.com/rancher/wrangler/v2/pkg/signals"
@@ -30,6 +31,8 @@ func main() {
 	// set up signals so we handle the first shutdown signal gracefully
 	ctx := signals.SetupSignalContext()
 
+	logrus.Infof("Starting aks-operator (version: %s, commit: %s)", version.Version, version.GitCommit)
+
 	// This will load the kubeconfig file in a style the same as kubectl
 	cfg, err := kubeconfig.GetNonInteractiveClientConfig(kubeconfigFile).ClientConfig()
 	if err != nil {

package/Dockerfile

@@ -1,17 +1,43 @@
-FROM registry.suse.com/bci/bci-base:15.6 AS builder
+# Image that provides cross compilation tooling.
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.5.0 AS xx
+
+FROM registry.suse.com/bci/bci-base:15.6 AS base
 RUN sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd
 RUN useradd --uid 1007 aks-operator
 
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/golang:1.23 AS builder
+
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+
+COPY ./controller ./controller
+COPY ./pkg ./pkg
+COPY ./main.go ./main.go
+
+# Copy xx scripts to your build stage
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+ARG COMMIT
+ARG VERSION
+ENV CGO_ENABLED=0
+RUN xx-go build -ldflags \
+           "-X github.com/rancher/aks-operator/pkg/version.GitCommit=${COMMIT} \
+            -X github.com/rancher/aks-operator/pkg/version.Version=${VERSION}" \
+       -o /aks-operator && \
+       xx-verify /aks-operator
+
 FROM registry.suse.com/bci/bci-micro:15.6
-COPY --from=builder /etc/passwd /etc/passwd
-COPY --from=builder /etc/shadow /etc/shadow
+COPY --from=base /etc/passwd /etc/passwd
+COPY --from=base /etc/shadow /etc/shadow
+COPY --from=builder /aks-operator /usr/bin/aks-operator
 
 RUN rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/*
 
 ENV KUBECONFIG="/home/aks-operator/.kube/config"
 ENV SSL_CERT_DIR="/etc/rancher/ssl"
 
-COPY bin/aks-operator /usr/bin/
 COPY package/entrypoint.sh /usr/bin
 RUN chmod +x /usr/bin/entrypoint.sh
 

pkg/version/version.go

@@ -0,0 +1,6 @@
+package version
+
+var (
+	GitCommit string
+	Version   string
+)