diff --git a/cmd/kpromo/Dockerfile b/cmd/kpromo/Dockerfile
new file mode 100644
index 00000000000..867591d4f74
--- /dev/null
+++ b/cmd/kpromo/Dockerfile
@@ -0,0 +1,51 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Build the manager binary
+ARG GO_VERSION
+ARG OS_CODENAME
+# TODO(codename): Consider parameterizing in Makefile based on codename
+ARG DISTROLESS_IMAGE
+FROM golang:${GO_VERSION}-${OS_CODENAME} as builder
+
+WORKDIR /go/src/k8s.io/release
+
+# Copy the sources
+ENV package="./cmd/kpromo"
+COPY ../../go.mod ../../go.sum ./
+COPY ../../pkg ./pkg/
+COPY ../../cmd/kpromo ${package}/
+
+RUN go mod download
+
+# Build
+ARG ARCH
+
+ENV CGO_ENABLED=0
+ENV GOOS=linux
+ENV GOARCH=${ARCH}
+
+RUN go build -trimpath -ldflags '-s -w -buildid= -extldflags "-static"' \
+ -o kpromo ${package}
+
+# Production image
+FROM gcr.io/distroless/${DISTROLESS_IMAGE}:latest
+
+LABEL maintainers="Kubernetes Authors"
+LABEL description="kpromo: The Kubernetes project artifact promoter"
+
+WORKDIR /
+COPY --from=builder /go/src/k8s.io/release/kpromo .
+
+ENTRYPOINT ["/kpromo"]
diff --git a/cmd/kpromo/Makefile b/cmd/kpromo/Makefile
new file mode 100644
index 00000000000..0732481f01d
--- /dev/null
+++ b/cmd/kpromo/Makefile
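Review bot: The production stage of cmd/kpromo/Dockerfile uses `FROM gcr.io/distroless/${DISTROLESS_IMAGE}:latest`, a mutable tag, so the base of the published image can change between builds with no change in this repository, which undercuts the reproducibility that `-trimpath` and `-buildid=` aim for. Pinning by digest, `FROM gcr.io/distroless/${DISTROLESS_IMAGE}@sha256:<digest-placeholder>`, and tracking that digest alongside the other kpromo entries in dependencies.yaml would make the base auditable. The final stage also sets no `USER`, so unless the chosen distroless variant defaults to a non-root account the entrypoint runs as root; `USER 65532:65532` (the distroless nonroot uid) before `ENTRYPOINT` would drop that. `ARG ARCH` is not among the `--build-arg` values the Makefile in this commit passes, so `GOARCH` is presumably empty and the build relies on the builder platform; either pass it or add a comment saying so.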
@@ -0,0 +1,98 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# set default shell
+SHELL=/bin/bash -o pipefail
+
+REGISTRY ?= gcr.io/k8s-staging-artifact-promoter
+IMGNAME = kpromo
+IMAGE_VERSION ?= v0.1.0-1
+
+IMAGE = $(REGISTRY)/$(IMGNAME)
+
+TAG ?= $(shell git describe --tags --always --dirty)
+
+# Build args
+GO_VERSION ?= 1.17
+OS_CODENAME ?= buster
+DISTROLESS_IMAGE ?= static-debian10
+
+# Configuration
+CONFIG = $(OS_CODENAME)
+
+PLATFORMS ?= linux/amd64
+
+HOST_GOOS ?= $(shell go env GOOS)
+HOST_GOARCH ?= $(shell go env GOARCH)
+GO_BUILD ?= go build
+
+BUILD_ARGS = --build-arg=GO_VERSION=$(GO_VERSION) \
+ --build-arg=OS_CODENAME=$(OS_CODENAME) \
+ --build-arg=DISTROLESS_IMAGE=$(DISTROLESS_IMAGE)
+
+# Ensure support for 'docker buildx' and 'docker manifest' commands
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+.PHONY: all build clean
+
+.PHONY: all
+all: build
+
+.PHONY: build
+build:
+ $(GO_BUILD)
+
+.PHONY: clean
+clean:
+ rm kpromo
+
+# build with buildx
+# https://github.com/docker/buildx/issues/59
+.PHONY: container
+container: init-docker-buildx
+ echo "Building $(IMGNAME) for the following platforms: $(PLATFORMS)"
+ @for platform in $(PLATFORMS); do \
+ echo "Starting build for $${platform} platform"; \
+ docker buildx build \
+ --load \
+ --progress plain \
+ --platform $${platform} \
+ --tag $(IMAGE)-$${platform##*/}:$(IMAGE_VERSION) \
+ --tag $(IMAGE)-$${platform##*/}:$(TAG) \
+ --tag $(IMAGE)-$${platform##*/}:latest \
+ $(BUILD_ARGS) \
+ -f $(CURDIR)/Dockerfile \
+ ../../.; \
+ done
+
+.PHONY: push
+push: container
+ echo "Pushing $(IMGNAME) tags"
+ @for platform in $(PLATFORMS); do \
+ echo "Pushing tags for $${platform} platform"; \
+ docker push $(IMAGE)-$${platform##*/}:$(IMAGE_VERSION); \
+ docker push $(IMAGE)-$${platform##*/}:$(TAG); \
+ docker push $(IMAGE)-$${platform##*/}:latest; \
+ done
+
+.PHONY: manifest
+manifest: push
+ docker manifest create --amend $(IMAGE):$(IMAGE_VERSION) $(IMAGE)-$(subst linux/,,$(firstword $(PLATFORMS))):$(IMAGE_VERSION)
+ @for platform in $(PLATFORMS); do docker manifest annotate --arch "$${platform##*/}" ${IMAGE}:${IMAGE_VERSION} ${IMAGE}-$${platform##*/}:${IMAGE_VERSION}; done
+ docker manifest push --purge $(IMAGE):$(IMAGE_VERSION)
+
+# enable buildx
+.PHONY: init-docker-buildx
+init-docker-buildx:
+ ./../../hack/init-buildx.sh
diff --git a/cmd/kpromo/README.md b/cmd/kpromo/README.md
index 5be05f9a2d4..3716585d39d 100644
--- a/cmd/kpromo/README.md
+++ b/cmd/kpromo/README.md
@@ -111,4 +111,4 @@ Global Flags: - [`kOps`][kops-release-process]
-[kops-release-process]: https://kops.sigs.k8s.io/development/release/
+[kops-release-process]: https://kops.sigs.k8s.io/contributing/release-process/
diff --git a/cmd/kpromo/cloudbuild.yaml b/cmd/kpromo/cloudbuild.yaml
new file mode 100644
index 00000000000..f80972d5714
--- /dev/null
+++ b/cmd/kpromo/cloudbuild.yaml
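Review bot: In the `push` recipe of cmd/kpromo/Makefile the three `docker push` commands are joined with `;` and `SHELL` sets `-o pipefail` but not `-e`, so only the status of the last push in the last iteration reaches make; a failed push of the `$(IMAGE_VERSION)` tag is ignored and `manifest` can then reference whatever the registry already holds under that tag. The `container` loop has the same shape once `PLATFORMS` lists more than one entry, and so does the one-line annotate loop in `manifest`. Opening each loop with `@set -e; for platform in $(PLATFORMS); do \` makes the first failure abort the recipe. Separately, `clean` runs `rm kpromo`, which fails when the binary is absent; `$(RM) kpromo` avoids that.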
@@ -0,0 +1,55 @@
+# See https://git.k8s.io/test-infra/config/jobs/image-pushing/README.md for
+# more details on image pushing process
+
+# this must be specified in seconds. If omitted, defaults to 600s (10 mins)
+timeout: 1200s
+
+# this prevents errors if you don't use both _GIT_TAG and _PULL_BASE_REF,
+# or any new substitutions added in the future.
+options:
+ substitution_option: ALLOW_LOOSE
+ machineType: 'N1_HIGHCPU_8'
+
+steps:
+ - name: 'gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f'
+ entrypoint: 'bash'
+ dir: ./cmd/kpromo
+ env:
+ - DOCKER_CLI_EXPERIMENTAL=enabled
+ - REGISTRY=gcr.io/$PROJECT_ID
+ - HOME=/root
+ - TAG=$_GIT_TAG
+ - PULL_BASE_REF=$_PULL_BASE_REF
+ - IMAGE_VERSION=$_IMAGE_VERSION
+ - GO_VERSION=$_GO_VERSION
+ - OS_CODENAME=$_OS_CODENAME
+ - DISTROLESS_IMAGE=$_DISTROLESS_IMAGE
+ args:
+ - '-c'
+ - |
+ gcloud auth configure-docker \
+ && make manifest
+
+substitutions:
+ # _GIT_TAG will be filled with a git-based tag for the image, of the form
+ # vYYYYMMDD-hash, and can be used as a substitution
+ _GIT_TAG: '12345'
+ _PULL_BASE_REF: 'dev'
+ _IMAGE_VERSION: 'v0.0.0'
+ _GO_VERSION: '0.0.0'
+ _OS_CODENAME: 'codename'
+ _DISTROLESS_IMAGE: 'static-debian00'
+
+tags:
+- 'kpromo'
+- ${_GIT_TAG}
+- ${_PULL_BASE_REF}
+- ${_IMAGE_VERSION}
+- ${_GO_VERSION}
+- ${_OS_CODENAME}
+- ${_DISTROLESS_IMAGE}
+
+images:
+ - 'gcr.io/$PROJECT_ID/kpromo-amd64:$_IMAGE_VERSION'
+ - 'gcr.io/$PROJECT_ID/kpromo-amd64:$_GIT_TAG'
+ - 'gcr.io/$PROJECT_ID/kpromo-amd64:latest'
diff --git a/cmd/kpromo/variants.yaml b/cmd/kpromo/variants.yaml
new file mode 100644
index 00000000000..20748285253
--- /dev/null
+++ b/cmd/kpromo/variants.yaml
@@ -0,0 +1,6 @@
+variants:
+ default:
+ IMAGE_VERSION: 'v0.1.0-1'
+ GO_VERSION: '1.17'
+ OS_CODENAME: 'buster'
+ DISTROLESS_IMAGE: 'static-debian10'
diff --git a/cmd/vulndash/Dockerfile b/cmd/vulndash/Dockerfile
index f8e2b4a05cf..0f6e748c7cb 100644
--- a/cmd/vulndash/Dockerfile
+++ b/cmd/vulndash/Dockerfile
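Review bot: The `images:` list in cmd/kpromo/cloudbuild.yaml hard-codes the three `kpromo-amd64` tags, while the Makefile in this commit derives the arch suffix from `PLATFORMS`, so adding a platform there would push images this file never lists; the manifest list pushed by `make manifest` is not listed either. A comment above `images:` would keep the coupling visible: `# Must list every per-arch image built from PLATFORMS in the Makefile; the manifest list is pushed by 'make manifest'.` Also, `PULL_BASE_REF` is exported to the step but nothing in the Makefile added here reads it, so it could be dropped from `env` or documented as reserved.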
@@ -36,7 +36,7 @@ ENV CGO_ENABLED=0 ENV GOOS=linux ENV GOARCH=${ARCH} -RUN go build -ldflags '-s -w -buildid= -extldflags "-static"' \ +RUN go build -trimpath -ldflags '-s -w -buildid= -extldflags "-static"' \ -o vulndash ${package} # Production image diff --git a/dependencies.yaml b/dependencies.yaml index 1f3c0ce0a6c..0c054789f55 100644 --- a/dependencies.yaml +++ b/dependencies.yaml @@ -66,6 +66,10 @@ dependencies: match: FROM golang:\d+.\d+(alpha|beta|rc)?\.?(\d+)-(bullseye|buster) AS builder - path: Dockerfile-kubepkg-rpm match: FROM golang:\d+.\d+(alpha|beta|rc)?\.?(\d+)-(bullseye|buster) AS builder + - path: cmd/kpromo/Makefile + match: GO_VERSION\ \?=\ \d+.\d+(alpha|beta|rc)?\.?(\d+)? + - path: cmd/kpromo/variants.yaml + match: "GO_VERSION: '\\d+.\\d+(alpha|beta|rc)?\\.?(\\d+)?'" - path: cmd/vulndash/Makefile match: GO_VERSION\ \?=\ \d+.\d+(alpha|beta|rc)?\.?(\d+)? - path: cmd/vulndash/variants.yaml @@ -157,6 +161,14 @@ dependencies: - path: images/releng/ci/variants.yaml match: REVISION:\ '\d+' + - name: "k8s.gcr.io/artifact-promoter/kpromo" + version: v0.1.0-1 + refPaths: + - path: cmd/kpromo/Makefile + match: IMAGE_VERSION\ \?=\ v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)-([0-9]+) + - path: cmd/kpromo/variants.yaml + match: v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)-([0-9]+) + - name: "k8s.gcr.io/artifact-promoter/vulndash" version: v0.4.3-8 refPaths: @@ -321,6 +333,11 @@ dependencies: version: buster refPaths: # Must match distroless Debian version as well + - path: cmd/kpromo/Makefile + match: OS_CODENAME\ \?=\ (bullseye|buster) + - path: cmd/kpromo/variants.yaml + match: "OS_CODENAME: '(bullseye|buster)'" + # Must match distroless Debian version as well - path: cmd/vulndash/Makefile match: OS_CODENAME\ \?=\ (bullseye|buster) - path: cmd/vulndash/variants.yaml
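Review bot: The two `GO_VERSION` matchers added for cmd/kpromo in the first dependencies.yaml hunk use `\d+.\d+` with an unescaped dot, which accepts any character between the major and minor digits; `\d+\.\d+` (or `\\d+\\.\\d+` in the double-quoted form) would be exact. The context lines for vulndash carry the same pattern, so this copies an existing looseness rather than introducing one, and could be fixed for both in a follow-up. The `refPaths` list continues outside the hunk.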
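Review bot: In the new `k8s.gcr.io/artifact-promoter/kpromo` entry, the matcher for `cmd/kpromo/variants.yaml` is not tied to a key, so it matches any `vX.Y.Z-N` string in that file, whereas the Makefile matcher beside it is anchored on `IMAGE_VERSION\ \?=\ `. Prefixing the variants pattern with `IMAGE_VERSION:\ '` would keep the check on the intended field if another version-shaped value is ever added to that file. Whether the neighbouring vulndash entry does the same is not visible in this hunk.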