[2.8] ci: Make release SLSA compliant

.github/workflows/build.yaml

@@ -10,9 +10,5 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.21.x
-      - name: Build GKE operator binary
-        run: make operator
+      - name: Build
+        run: make image-build

.github/workflows/release.yaml

@@ -16,47 +16,69 @@ on:
 #   - PUBLIC_REGISTRY_PASSWORD
 
 jobs:
-  release:
+  publish-images:
     permissions:
-      contents: write # required for creating GH release
-      id-token: write # required for reading vault secrets
+      contents: read
+      id-token: write # required for reading vault secrets and for cosign's use in ecm-distro-tools/publish-image
+    strategy:
+      matrix:
+        include:
+          # Three images are created:
+          # - Multi-arch manifest for both amd64 and arm64
+          - tag-suffix: ""
+            platforms: linux/amd64,linux/arm64
+          # - arm64 manifest
+          - tag-suffix: "-arm64"
+            platforms: linux/arm64
+          # - amd64 manifest
+          - tag-suffix: "-amd64"
+            platforms: linux/amd64
     runs-on: ubuntu-latest
     steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        ref: ${{ github.ref_name}}
     - name: Read secrets
       uses: rancher-eio/read-vault-secrets@main
       with:
         secrets: |
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | PUBLIC_REGISTRY_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | PUBLIC_REGISTRY_PASSWORD ;
-    - name: Login to DockerHub
-      uses: docker/login-action@v3
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+    - name: Publish images
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
       with:
-        registry: ${{ vars.PUBLIC_REGISTRY }}
-        username: ${{ env.PUBLIC_REGISTRY_USERNAME }}
-        password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}
-    - name: Setup QEMU
-      uses: docker/setup-qemu-action@v3
-    - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v3
+        image: gke-operator
+        tag: ${{ github.ref_name }}${{ matrix.tag-suffix }}
+        platforms: ${{ matrix.platforms }}
+        public-registry: docker.io
+        public-repo: rancher
+        public-username: ${{ env.PUBLIC_REGISTRY_USERNAME }}
+        public-password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}
+        prime-registry: ${{ env.PRIME_REGISTRY }}
+        prime-repo: rancher
+        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+        make-target: image-push
+        push-to-prime: true
+    - name: Cleanup checksum files # in order to avoid goreleaser dirty state error, remove once rancher/ecm-distro-tools/actions/publish-image@main gets updated
+      run: rm -f slsactl_*_checksums.txt*
+
+  release:
+    permissions:
+      contents: write # required for creating GH release
+    runs-on: ubuntu-latest
+    needs: publish-images
+    steps:
     - name: Checkout code
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
-        ref: ${{ github.ref_name }}     
-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version-file: 'go.mod'
-        check-latest: true
-    - name: Build and push all image variations
-      run: |
-        make operator 
-        make image-push
-        TAG="${TAG}-amd64" TARGET_PLATFORMS=linux/amd64 make image-push
-        TAG="${TAG}-arm64" TARGET_PLATFORMS=linux/arm64 make image-push
-      env:
-        TAG: ${{ github.ref_name }}
-        REPO: ${{ vars.PUBLIC_REGISTRY }}/${{ vars.PUBLIC_REGISTRY_REPO }}
+        ref: ${{ github.ref_name }}
     - name: Create release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for creating GH release
@@ -70,7 +92,7 @@ jobs:
     - name: Upload charts to release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for updating GH release
-        REPO: rancher/gke-operator # Docker repository to reference in `values.yaml` of the Helm chart release
+        REPO: rancher # First name component for Docker repository to reference in `values.yaml` of the Helm chart release, this is expected to be `rancher`, image name is appended to this value
         TAG: ${{ github.ref_name }} # image tag to be referenced in `values.yaml` of the Helm chart release
       run: |
         version=$(echo '${{ steps.goreleaser.outputs.metadata }}' | jq -r '.version')
@@ -83,5 +105,4 @@ jobs:
           echo "Uploading $f to GitHub release $TAG"
           gh release upload $TAG $f
         done
-        echo "Charts successfully uploaded to GitHub release $TAG"
-
+        echo "Charts successfully uploaded to GitHub release $TAG"

Makefile

@@ -7,13 +7,19 @@ ifneq ($(GIT_BRANCH), main)
 GIT_TAG?=$(shell git describe --abbrev=0 --tags 2>/dev/null || echo "v0.0.0" )
 endif
 TAG?=${GIT_TAG}-${GIT_COMMIT_SHORT}
+REPO?=docker.io/rancher
+IMAGE = $(REPO)/gke-operator:$(TAG)
+MACHINE := rancher
+# Define the target platforms that can be used across the ecosystem.
+# Note that what would actually be used for a given project will be
+# defined in TARGET_PLATFORMS, and must be a subset of the below:
+DEFAULT_PLATFORMS := linux/amd64,linux/arm64,darwin/arm64,darwin/amd64
+TARGET_PLATFORMS := linux/amd64,linux/arm64
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
+
 OPERATOR_CHART?=$(shell find $(ROOT_DIR) -type f -name "rancher-gke-operator-[0-9]*.tgz" -print)
 CRD_CHART?=$(shell find $(ROOT_DIR) -type f -name "rancher-gke-operator-crd*.tgz" -print)
 CHART_VERSION?=900 # Only used in e2e to avoid downgrades from rancher
-REPO?=docker.io/rancher/gke-operator
-IMAGE = $(REPO):$(TAG)
-TARGET_PLATFORMS := linux/amd64,linux/arm64
-MACHINE := rancher
 CLUSTER_NAME?="gke-operator-e2e"
 E2E_CONF_FILE ?= $(ROOT_DIR)/test/e2e/config/config.yaml
 
@@ -52,6 +58,11 @@ default: operator
 	@./.dapper.tmp -v
 	@mv .dapper.tmp .dapper
 
+
+.PHONY: generate-go
+generate-go: $(MOCKGEN)
+	go generate ./pkg/gke/...
+
 .PHONY: generate-crd
 generate-crd: $(MOCKGEN)
 	go generate main.go
@@ -61,6 +72,10 @@ generate:
 	$(MAKE) generate-go
 	$(MAKE) generate-crd
 
+.PHONY: clean
+clean:
+	rm -rf build bin dist
+
 .PHONY: $(TARGETS)
 $(TARGETS): .dapper
 	./.dapper $@
@@ -84,18 +99,10 @@ operator:
              -X github.com/rancher/gke-operator/pkg/version.Version=$(TAG)" \
         -o bin/gke-operator .
 
-.PHONY: generate-go
-generate-go: $(MOCKGEN)
-	go generate ./pkg/gke/...
-
 .PHONY: test
 test: $(SETUP_ENVTEST) $(GINKGO)
 	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" $(GINKGO) -v -r -p --trace --race ./pkg/... ./controller/...
 
-.PHONY: clean
-clean:
-	rm -rf build bin dist
-
 ALL_VERIFY_CHECKS = generate
 
 .PHONY: verify
@@ -113,7 +120,7 @@ operator-chart:
 	mkdir -p $(BIN_DIR)
 	cp -rf $(ROOT_DIR)/charts/gke-operator $(BIN_DIR)/chart
 	sed -i -e 's/tag:.*/tag: '${TAG}'/' $(BIN_DIR)/chart/values.yaml
-	sed -i -e 's|repository:.*|repository: '${REPO}'|' $(BIN_DIR)/chart/values.yaml
+	sed -i -e 's|repository:.*|repository: '${REPO}/gke-operator'|' $(BIN_DIR)/chart/values.yaml
 	helm package --version ${CHART_VERSION} --app-version ${GIT_TAG} -d $(BIN_DIR)/ $(BIN_DIR)/chart
 	rm -Rf $(BIN_DIR)/chart
 
@@ -128,21 +135,21 @@ charts:
 	$(MAKE) operator-chart
 	$(MAKE) crd-chart
 
-buildx-machine:
+buildx-machine: ## create rancher dockerbuildx machine targeting platform defined by DEFAULT_PLATFORMS
 	@docker buildx ls | grep $(MACHINE) || \
-		docker buildx create --name=$(MACHINE) --platform=$(TARGET_PLATFORMS)
+		docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)
 
 .PHONY: image-build
 image-build: buildx-machine ## build (and load) the container image targeting the current platform.
 	docker buildx build -f package/Dockerfile \
-    --builder $(MACHINE) --build-arg VERSION=$(TAG) \
+    --builder $(MACHINE) --build-arg COMMIT=$(GIT_COMMIT) --build-arg VERSION=$(TAG) \
     -t "$(IMAGE)" $(BUILD_ACTION) .
 	@echo "Built $(IMAGE)"
 
 .PHONY: image-push
 image-push: buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry.
 	docker buildx build -f package/Dockerfile \
-    --builder $(MACHINE) --build-arg VERSION=$(TAG) \
+    --builder $(MACHINE) $(IID_FILE_FLAG) $(BUILDX_ARGS) --build-arg COMMIT=$(GIT_COMMIT) --build-arg VERSION=$(TAG) \
     --platform=$(TARGET_PLATFORMS) -t "$(IMAGE)" --push .
 	@echo "Pushed $(IMAGE)"
 
@@ -161,7 +168,7 @@ e2e-tests: $(GINKGO) charts
 
 .PHONY: kind-e2e-tests
 kind-e2e-tests: docker-build-e2e setup-kind
-	kind load docker-image --name $(CLUSTER_NAME) ${REPO}:${TAG}
+	kind load docker-image --name $(CLUSTER_NAME) ${IMAGE}
 	$(MAKE) e2e-tests
 
 kind-deploy-operator:
@@ -174,7 +181,7 @@ docker-build-e2e:
 		--build-arg "TAG=${GIT_TAG}" \
 		--build-arg "COMMIT=${GIT_COMMIT}" \
 		--build-arg "COMMITDATE=${COMMITDATE}" \
-		-t ${REPO}:${TAG} .
+		-t ${IMAGE} .
 
 .PHOHY: delete-local-kind-cluster
 delete-local-kind-cluster: ## Delete the local kind cluster

package/Dockerfile

@@ -1,22 +1,43 @@
-FROM registry.suse.com/bci/bci-base:15.6 AS builder
+# Image that provides cross compilation tooling.
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.5.0 AS xx
+
+FROM registry.suse.com/bci/bci-base:15.6 AS base
 RUN sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd
 RUN useradd --uid 1007 gke-operator
 
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/golang:1.23 AS builder
+
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+
+COPY ./controller ./controller
+COPY ./pkg ./pkg
+COPY ./main.go ./main.go
+
+# Copy xx scripts to your build stage
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+ARG COMMIT
+ARG VERSION
+ENV CGO_ENABLED=0 
+RUN xx-go build -ldflags \
+           "-X github.com/rancher/gke-operator/pkg/version.GitCommit=${COMMIT} \
+            -X github.com/rancher/gke-operator/pkg/version.Version=${VERSION}" \
+       -o /gke-operator && \
+       xx-verify /gke-operator
+
 FROM registry.suse.com/bci/bci-micro:15.6
-COPY --from=builder /etc/passwd /etc/passwd
-COPY --from=builder /etc/shadow /etc/shadow
+COPY --from=base /etc/passwd /etc/passwd
+COPY --from=base /etc/shadow /etc/shadow
+COPY --from=builder /gke-operator /usr/bin/gke-operator
 
 RUN rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/*
 
 ENV KUBECONFIG="/home/gke-operator/.kube/config"
 ENV SSL_CERT_DIR="/etc/rancher/ssl"
 
-# Once this image is migrated to be SLSA compliant and the Go build happens
-# inside a build layer, we must pass the version and commit ID to the build,
-# similar to what was done in https://github.com/rancher/aks-operator/pull/803 .
-# This is just a reference for future changes, because it's needed for our VEX
-# work.
-COPY bin/gke-operator /usr/bin/
 COPY package/entrypoint.sh /usr/bin
 RUN chmod +x /usr/bin/entrypoint.sh
 

pkg/version/version.go

@@ -0,0 +1,6 @@
+package version
+
+var (
+	GitCommit string
+	Version   string
+)