From cb4453bbdab4dc8023dfc2755a5bcd766f00995d Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 07:20:10 +0100 Subject: [PATCH 01/14] add docker build --- .github/workflows/build.yaml | 66 ++++++++++++++++++++++++++++++++++++ Dockerfile | 35 +++++++++++++++++++ cosign.pub | 4 +++ 3 files changed, 105 insertions(+) create mode 100644 .github/workflows/build.yaml create mode 100644 Dockerfile create mode 100644 cosign.pub diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 0000000..c760384 --- /dev/null +++ b/.github/workflows/build.yaml 
@@ -0,0 +1,66 @@ +name: Build Image + +on: + push: + branches: + - feat/container + - main + tags: + - '*' + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + mtr.devops.telekom.de/caas/vcluster-backup + ghcr.io/eumel8/vcluster-backup/vcluster-backup + tags: | + type=ref,event=tag + type=ref,event=branch + type=ref,event=pr + type=raw,value=latest + - name: Install Cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v2.2.0' + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to MTR + uses: docker/login-action@v3 + with: + registry: mtr.devops.telekom.de + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + id: build-push + with: + context: . + platforms: linux/amd64,linux/arm64 + push: true + tags: | + mtr.devops.telekom.de/caas/vcluster-backup:latest + ghcr.io/eumel8/vcluster-backup/vcluster-backup:latest + ${{ steps.meta.outputs.tags }} + - name: Sign Push + run: | + cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} + cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} + env: + COSIGN_KEY: ${{secrets.COSIGN_KEY}} + diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..5761f8a --- /dev/null +++ b/Dockerfile 
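Review bot: `uses: sigstore/cosign-installer@main` pins the tool that handles `COSIGN_KEY` to a moving branch while every other action in the job is on a release tag, so the signing step runs whatever that branch holds at build time; pin it like the rest, `uses: sigstore/cosign-installer@<release-tag-or-commit-sha>`. The job declares no `permissions:` block, so `GITHUB_TOKEN` inherits the repository default instead of the minimum the ghcr.io push needs; add `permissions:` with `contents: read` and `packages: write` at the job level. `type=raw,value=latest` together with the two hard-coded `:latest` entries under `tags:` means a push to `feat/container` overwrites `latest` in both registries; if `latest` is meant to track the default branch, use `type=raw,value=latest,enable={{is_default_branch}}` and drop the hard-coded ones. `--tlog-upload=false` keeps signatures out of the transparency log, so anyone verifying with the published key has to pass `--insecure-ignore-tlog`; that trade-off deserves a comment on the step or a line in the README.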
@@ -0,0 +1,35 @@
+FROM golang:alpine AS builder
+
+RUN apk update && apk add --no-cache git
+
+WORKDIR /app
+
+COPY go.mod ./
+COPY go.sum ./
+RUN go mod download
+
+COPY *.go ./
+
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o vcluster-backup vcluster-backup.go
+
+RUN adduser \
+ --disabled-password \
+ --gecos "" \
+ --home "/app" \
+ --shell "/sbin/nologin" \
+ --no-create-home \
+ --uid 1000 \
+ appuser
+
+FROM scratch
+LABEL org.opencontainers.image.authors="f.kloeker@telekom.de"
+LABEL version="1.0.0"
+LABEL description="Create backup K3s sqllite and push in S3"
+
+WORKDIR /app
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+COPY --from=builder /app/rds /app/rds
+USER appuser
+CMD ["/app/vcluster-backup"]
+
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..3976e90
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEN2LUwvs7XT7CIwzOnlMgUuDadH5e
+TNtL7qt65tegWPilQeuc6umEUzaRzNAn9xI6RkjkydFQ3u5TRgyReaOLzw==
+-----END PUBLIC KEY-----
From dd4450e57a436f253054b8cc724a3bbde2d9955c Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Sun, 3 Mar 2024 07:24:36 +0100
Subject: [PATCH 02/14] fix binary

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 5761f8a..52c3350 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,7 +29,7 @@ LABEL description="Create backup K3s sqllite and push in S3"
 WORKDIR /app
 COPY --from=builder /etc/passwd /etc/passwd
 COPY --from=builder /etc/group /etc/group
-COPY --from=builder /app/rds /app/rds
+COPY --from=builder /app/vcluster-backup /app/vcluster-backup
 USER appuser
 CMD ["/app/vcluster-backup"]
 
From bb119a77652317a22c19e7d3ab29e3b00ef7c3af Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Sun, 3 Mar 2024 08:13:00 +0100
Subject: [PATCH 03/14] test sign

---
 .github/workflows/build.yaml | 1 +
 1 file changed, 1 insertion(+)
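Review bot: `RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build …` hard-codes amd64, but the workflow added in the same series builds `platforms: linux/amd64,linux/arm64`, so the arm64 manifest would contain an amd64 binary; declare `ARG TARGETOS TARGETARCH` in the builder stage and build with `RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o vcluster-backup vcluster-backup.go`. The `FROM scratch` stage copies `/etc/passwd` and `/etc/group` but no CA bundle, and the image description says it pushes to S3; if that upload is over TLS the binary will presumably fail certificate verification, so add `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` (confirm the builder image ships the bundle). `FROM golang:alpine` is a floating tag, so two builds of the same commit can use different toolchains; pin at least a minor version, ideally a digest. `apk update` is redundant next to `apk add --no-cache git` and only adds index files to the builder layer.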
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c760384..477458a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -5,6 +5,7 @@ on: branches: - feat/container - main + - dev tags: - '*' From e5977e9bfe5828f88324ab96a8c295f78ada0c31 Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 08:22:40 +0100 Subject: [PATCH 04/14] test sign --- .github/workflows/build.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 477458a..3dc22ff 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,8 +60,9 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | - cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} - cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} + cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.meta.outputs.tag }} + #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} + # cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: COSIGN_KEY: ${{secrets.COSIGN_KEY}} From 3e9b78d6543ecff7a5a25e0de2c07c890663a2ba Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 09:24:17 +0100 Subject: [PATCH 05/14] fix tag --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3dc22ff..3e8e9f6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
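Review bot: the new `cosign sign … vcluster-backup@${{ steps.meta.outputs.tag }}` line signs by tag instead of by digest, and the hunks on lines 5–7 keep that form through `:latest` and `:dev`. A tag is mutable, so a signature made over it attests whatever the tag pointed at when the job ran and can later verify a different image; sign the immutable digest the build step already exposes, as the removed lines did with `@${{ steps.build-push.outputs.digest }}` (patch 11 on line 8 returns to that). `steps.meta.outputs.tag` is also not an output of docker/metadata-action (it exposes `tags` and `version`), and `@` expects a `sha256:` digest, so this line as written presumably fails before any signature is produced.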
@@ -60,7 +60,7 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | - cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.meta.outputs.tag }} + cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:${{ steps.meta.outputs.tag }} #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} # cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: From 2d74dde519d992ceda4367ff194bb8cefba78d1c Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 09:29:16 +0100 Subject: [PATCH 06/14] fix tag --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3e8e9f6..0001a37 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,7 +60,7 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | - cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:${{ steps.meta.outputs.tag }} + cosign sign --key env://$COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:${{ steps.meta.outputs.tag }} #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} # cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: From f56345bc8cd7b5202a36d4e462e606c68a4e5df1 Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 09:45:05 +0100 Subject: [PATCH 07/14] fix tag --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 0001a37..d2fd276 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,7 +60,7 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | - cosign sign --key env://$COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:${{ steps.meta.outputs.tag }} + cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:${{ steps.meta.outputs.tags }} #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} # cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: From b98fc3716e98110b94ca8c94275042c27c57e859 Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 09:57:51 +0100 Subject: [PATCH 08/14] fix tag --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d2fd276..431dfef 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,7 +60,7 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | - cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:${{ steps.meta.outputs.tags }} + cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:latest #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} # cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: From 8a6df30ccb77d48d403ac6ab2f00dac3d01059e6 Mon Sep 17 00:00:00 2001 
From: Frank Kloeker Date: Sun, 3 Mar 2024 10:19:59 +0100 Subject: [PATCH 09/14] fix tag --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 431dfef..082a331 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,7 +60,7 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | - cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:latest + cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:dev #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} # cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: From 49385d18c729484398384fb5e27c678690e31a3f Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 10:52:36 +0100 Subject: [PATCH 10/14] fix tag --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 082a331..4048ad3 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,7 +60,7 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | - cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:dev + cosign sign -d --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:dev #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} # cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: 
From 4873042670e3848c527d61bab28de52b60e3141c Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 12:58:11 +0100 Subject: [PATCH 11/14] fix tag --- .github/workflows/build.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4048ad3..e55b768 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,9 +60,8 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | - cosign sign -d --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:dev - #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} - # cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} + #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:dev + cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} + cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: COSIGN_KEY: ${{secrets.COSIGN_KEY}} - From 66aaaf3a6a20240d8a3b28541e35f53dc9f1687b Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 13:07:53 +0100 Subject: [PATCH 12/14] fix tag --- .github/workflows/build.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e55b768..433d298 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -61,7 +61,7 @@ jobs: - name: Sign Push run: | #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:dev - cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} - cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} + cosign sign --yes --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} + cosign sign --yes --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: COSIGN_KEY: ${{secrets.COSIGN_KEY}} From 02edb6f4b286199bf770732739f78c02ba8a0dcf Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Sun, 3 Mar 2024 13:15:37 +0100 Subject: [PATCH 13/14] fix tag --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 433d298..3e097cf 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -65,3 +65,4 @@ jobs: cosign sign --yes --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: COSIGN_KEY: ${{secrets.COSIGN_KEY}} + COSIGN_PASSWORD: '' From 2cfe645c3096b63b6000e144d3f367e22ad95d3e Mon Sep 17 00:00:00 2001 From: Frank Kloeker Date: Mon, 4 Mar 2024 15:19:53 +0100 Subject: [PATCH 14/14] deactivate non-working image signing --- .github/workflows/build.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3e097cf..5871188 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -60,9 +60,10 @@ jobs: ${{ steps.meta.outputs.tags }} - name: Sign Push run: | + # doesn't work #cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup:dev - cosign sign --yes --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} - cosign sign --yes --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} + #cosign sign --yes --key env://COSIGN_KEY --tlog-upload=false ghcr.io/eumel8/vcluster-backup/vcluster-backup@${{ steps.build-push.outputs.digest }} + #cosign sign --yes --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/vcluster-backup@${{ steps.build-push.outputs.digest }} env: COSIGN_KEY: ${{secrets.COSIGN_KEY}} COSIGN_PASSWORD: ''