From dcb9fa2f1f90a44141ff03de33d5c94690787499 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Thu, 23 May 2024 13:13:20 +0530 Subject: [PATCH] chore(CI): publish KubeArmor tars to dockerhub Currently OS and arch is stored in the tag however once oras CLI starts to support pushing multi-arch artifacts, we'll use that. Ref - https://github.com/oras-project/oras/issues/1053 Signed-off-by: Rudraksh Pareek Signed-off-by: Navin Chandra --- .github/workflows/ci-latest-release.yml | 14 +++---- .github/workflows/ci-systemd-release.yml | 52 +++++++++++++++++++++--- KubeArmor/.goreleaser.yaml | 7 +++- KubeArmor/go.mod | 2 +- 4 files changed, 61 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml index d6c64af00d..c41a7d7400 100644 --- a/.github/workflows/ci-latest-release.yml +++ b/.github/workflows/ci-latest-release.yml @@ -46,7 +46,7 @@ jobs: if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.kubearmor == 'true' || ${{ github.ref }} != 'refs/heads/main') runs-on: ubuntu-latest-16-cores permissions: - id-token: write + id-token: write timeout-minutes: 120 steps: - uses: actions/checkout@v3 @@ -81,7 +81,7 @@ jobs: run: | make docker-build TAG=${{ steps.vars.outputs.tag }} - - name: deploy pre existing pod + - name: deploy pre existing pod run: | kubectl apply -f ./tests/k8s_env/ksp/pre-run-pod.yaml sleep 60 
@@ -93,7 +93,7 @@ jobs: docker save kubearmor/kubearmor:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import - docker save kubearmor/kubearmor-operator:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import - docker save kubearmor/kubearmor-snitch:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import - - + helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=${{ steps.vars.outputs.tag }} kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator kubectl get pods -A @@ -145,12 +145,12 @@ jobs: - name: Push KubeArmor images to Docker run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/push_kubearmor.sh ${{ steps.vars.outputs.tag }} - - name: Install Cosign + - name: Install Cosign uses: sigstore/cosign-installer@main - name: Get Image Digest id: digest - run: | + run: | echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT @@ -207,7 +207,7 @@ jobs: regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags - + kubearmor-controller-release: name: Build & Push KubeArmorController needs: check @@ -223,7 +223,7 @@ jobs: - uses: actions/setup-go@v5 with: go-version-file: 'KubeArmor/go.mod' - + - name: Set up QEMU uses: docker/setup-qemu-action@v2 diff --git a/.github/workflows/ci-systemd-release.yml b/.github/workflows/ci-systemd-release.yml index 45157fac6c..61f83c2b63 100644 --- a/.github/workflows/ci-systemd-release.yml 
+++ b/.github/workflows/ci-systemd-release.yml @@ -1,6 +1,12 @@ name: ci-systemd-release on: + workflow_dispatch: + inputs: + tag: + description: "Release tag which has to be updated" + type: "string" + required: true push: tags: - "*" 
@@ -16,34 +22,70 @@ jobs: - uses: actions/checkout@v3 with: submodules: true + fetch-depth: 0 - uses: actions/setup-go@v5 with: go-version-file: 'KubeArmor/go.mod' - - name: Install the latest LLVM toolchain run: ./.github/workflows/install-llvm.sh - name: Compile libbpf run: ./.github/workflows/install-libbpf.sh + - name: Install Cosign uses: sigstore/cosign-installer@main - name: Install karmor run: curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b . working-directory: KubeArmor - + - name: Build KubeArmor object files - run: make + run: make working-directory: KubeArmor/BPF - + + - name: Log in to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_AUTHTOK }} + + - name: Get release tag + id: vars + run: | + cp KubeArmor/.goreleaser.yaml /tmp/.goreleaser.yaml + if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then + # checkout branch but use goreleaser config from latest + echo "Checking out tag: ${{ inputs.tag }}" + git checkout ${{ inputs.tag }} + echo "GORELEASER_CURRENT_TAG=${{ inputs.tag }}" >> $GITHUB_OUTPUT + + REF=${{ inputs.tag }} + echo "tag=${REF#v}" >> $GITHUB_OUTPUT + else + REF=${GITHUB_REF#refs/*/} + echo "tag=${REF#v}" >> $GITHUB_OUTPUT + fi + - name: Run GoReleaser uses: goreleaser/goreleaser-action@v5 with: distribution: goreleaser version: v1.25.0 - args: release --clean + args: release --config=/tmp/.goreleaser.yaml workdir: KubeArmor env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GORELEASER_CURRENT_TAG: ${{ steps.vars.outputs.GORELEASER_CURRENT_TAG }} + + - name: Setup ORAS + uses: oras-project/setup-oras@v1 + with: + version: 1.0.0 + + - name: Publish release artifacts to Dockerhub + working-directory: KubeArmor/dist + run: | + oras push docker.io/kubearmor/kubearmor-systemd:${{ steps.vars.outputs.tag }}_linux-amd64 kubearmor_${{ steps.vars.outputs.tag }}_linux-amd64.tar.gz + oras push 
docker.io/kubearmor/kubearmor-systemd:${{ steps.vars.outputs.tag }}_linux-arm64 kubearmor_${{ steps.vars.outputs.tag }}_linux-arm64.tar.gz diff --git a/KubeArmor/.goreleaser.yaml b/KubeArmor/.goreleaser.yaml index 2fc835ee39..9480c1c9f4 100644 --- a/KubeArmor/.goreleaser.yaml +++ b/KubeArmor/.goreleaser.yaml @@ -11,6 +11,11 @@ builds: env: - CGO_ENABLED=0 +release: + replace_existing_artifacts: true + mode: replace + make_latest: false + signs: - cmd: cosign certificate: '${artifact}.cert' @@ -22,7 +27,7 @@ signs: - --yes artifacts: all output: true - + archives: - id: "kubearmor" builds: diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod index dfcd6368b6..04ec7b2003 100644 --- a/KubeArmor/go.mod +++ b/KubeArmor/go.mod @@ -45,6 +45,7 @@ require ( k8s.io/apimachinery v0.29.0 k8s.io/client-go v0.29.0 k8s.io/cri-api v0.29.0 + k8s.io/klog/v2 v2.120.0 k8s.io/utils v0.0.0-20240310230437-4693a0247e57 sigs.k8s.io/controller-runtime v0.15.3 ) @@ -130,7 +131,6 @@ require ( gotest.tools/v3 v3.4.0 // indirect k8s.io/apiextensions-apiserver v0.29.0 // indirect k8s.io/component-base v0.29.0 // indirect - k8s.io/klog/v2 v2.120.0 // indirect k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
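Review bot: The `Get release tag` step expands `${{ inputs.tag }}` and `${{ github.event_name }}` directly into the `run:` script, so the dispatch input is parsed as shell source rather than handled as data. This happens in a job that has already logged in to Docker Hub and later passes `GITHUB_TOKEN` to GoReleaser. Passing both values through `env:` and referencing them as quoted variables keeps the input out of the script text; `$GITHUB_OUTPUT` should be quoted as well. The same pattern recurs in the two `oras push` lines, where `${{ steps.vars.outputs.tag }}` comes from that input or from the pushed ref name and would be better read from an environment variable. The fence shows only the dispatch branch; the `else` branch stays as it is.

```yaml
      - name: Get release tag
        # … unchanged: id …
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          # … unchanged: copy of .goreleaser.yaml to /tmp …
          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            echo "Checking out tag: $INPUT_TAG"
            git checkout "$INPUT_TAG"
            echo "GORELEASER_CURRENT_TAG=$INPUT_TAG" >> "$GITHUB_OUTPUT"
            REF="$INPUT_TAG"
            # … unchanged: tag output, else branch …
```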
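Review bot: `replace_existing_artifacts: true` in the new `release:` block makes the assets of an already published release mutable, and nothing in the config says why. The workflow copies this file to `/tmp/.goreleaser.yaml` and uses it for both tag pushes and manual dispatch. A re-run for an existing tag therefore overwrites the uploaded tarballs and, presumably, the cosign certificate and signature files produced by the `signs:` section, so checksums recorded downstream stop matching. I would add a comment above the block, for example `# Re-running for an existing tag overwrites its release assets; previously published checksums and signatures change.` If only the manual path needs this, it is worth checking whether tag pushes can keep the default behaviour.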