Build local-volume-provider image with chainguard (#37)

* Build local-volume-provider image with chainguard

.github/actions/build-push-lvp-image/action.yml

@@ -0,0 +1,50 @@
+name: 'Build and push local-volume-provider image'
+description: 'Composite action for building and pushing local-volume-provider image'
+inputs:
+  image-name:
+    description: 'Full destination local-volume-provider image name'
+    required: true
+
+  git-tag:
+    description: 'Git tag'
+    required: true
+
+  registry-username:
+    description: 'Username to login to registry'
+    default: ''
+    required: false
+
+  registry-password:
+    description: 'Password to login to registry'
+    default: ''
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: template melange and apko configs
+      shell: bash
+      run: |
+        export GIT_TAG=${{ inputs.git-tag }}
+        envsubst '${GIT_TAG}' < deploy/melange.yaml.tmpl > deploy/melange.yaml
+        envsubst '${GIT_TAG}' < deploy/apko.yaml.tmpl > deploy/apko.yaml
+
+    - id: cache-dir
+      shell: bash
+      run: echo "cache_dir=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+    - uses: chainguard-dev/actions/melange-build@main
+      with:
+        config: deploy/melange.yaml
+        archs: x86_64
+        sign-with-temporary-key: true
+        cache-dir: ${{ steps.cache-dir.outputs.cache_dir }}
+
+    - uses: chainguard-images/actions/apko-publish@main
+      with:
+        config: deploy/apko.yaml
+        archs: x86_64
+        tag: ${{ inputs.image-name }}
+        vcs-url: true
+        generic-user: ${{ inputs.registry-username }}
+        generic-pass: ${{ inputs.registry-password }}

.github/workflows/daily-scan.yaml

@@ -36,14 +36,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Build local-volume-provider image from Dockerfile
-        run: |
-          docker build --pull -t replicated/local-volume-provider:${{ github.sha }} -f deploy/local-volume-provider/Dockerfile --build-arg VERSION=${{ github.sha }} .
-          
+      - uses: ./.github/actions/build-push-lvp-image
+        with:
+          image-name: ttl.sh/automated-${{ github.run_id }}/local-volume-provider:${{ github.sha }}
+          git-tag: ${{ github.sha }}
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'replicated/local-volume-provider:${{ github.sha }}'
+          image-ref: 'ttl.sh/automated-${{ github.run_id }}/local-volume-provider:${{ github.sha }}'
           format: 'sarif'          
           output: 'trivy-results.sarif'
           ignore-unfixed: true

.github/workflows/deploy.yaml

@@ -15,16 +15,9 @@ jobs:
       id: get_tag
       shell: bash
       run: echo ::set-output name=GIT_TAG::${GITHUB_REF/refs\/tags\//}
-    - uses: azure/docker-login@v1
-      env:
-          DOCKER_CONFIG: ./.docker
+    - uses: ./.github/actions/build-push-lvp-image
       with:
-        username: ${{ secrets.DOCKERHUB_USER }}
-        password: ${{ secrets.DOCKERHUB_PASSWORD }}
-    - name: Build
-      env:
-        VERSION: ${{ steps.get_tag.outputs.GIT_TAG }}
-        DOCKER_CONFIG: ./.docker
-      run: |
-        make container 
-        make push
+        image-name: index.docker.io/replicated/local-volume-provider:${{ steps.get_tag.outputs.GIT_TAG }}
+        git-tag: ${{ steps.get_tag.outputs.GIT_TAG }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}

Makefile

@@ -2,9 +2,9 @@
 REGISTRY ?= replicated
 
 PLUGIN_NAME ?= local-volume-provider
-PLUGIN_IMAGE    ?= $(REGISTRY)/$(PLUGIN_NAME)
+PLUGIN_IMAGE ?= $(REGISTRY)/$(PLUGIN_NAME)
 
-VERSION  ?= main 
+VERSION ?= main 
 CURRENT_USER := $(shell id -u -n)
 
 GOOS   ?= $(shell go env GOOS)
@@ -32,7 +32,7 @@ ci: verify-modules local test
 
 .PHONY: container
 container:
-	docker build --pull -t $(PLUGIN_IMAGE):$(VERSION) -f deploy/local-volume-provider/Dockerfile --build-arg VERSION=$(VERSION) .
+	docker build --pull -t $(PLUGIN_IMAGE):$(VERSION) -f deploy/Dockerfile --build-arg VERSION=$(VERSION) .
 
 # push pushes the Docker image to its registry.
 .PHONY: push
@@ -45,7 +45,7 @@ endif
 
 .PHONY ttl.sh:
 ttl.sh:
-	docker build -t $(CURRENT_USER)/$(PLUGIN_NAME):12h -f deploy/local-volume-provider/Dockerfile .
+	docker build -t $(CURRENT_USER)/$(PLUGIN_NAME):12h -f deploy/Dockerfile .
 	docker tag $(CURRENT_USER)/$(PLUGIN_NAME):12h ttl.sh/$(CURRENT_USER)/$(PLUGIN_NAME):12h
 	@docker push ttl.sh/$(CURRENT_USER)/$(PLUGIN_NAME):12h
 

deploy/apko.yaml.tmpl

@@ -0,0 +1,19 @@
+contents:
+  repositories:
+    - https://packages.wolfi.dev/os
+    - ./packages/
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+    - ./melange.rsa.pub
+  packages:
+    - local-volume-provider-head  # This is expected to be built locally by `melange`.
+    - bash
+    - busybox
+    - curl
+    - git
+    - wolfi-baselayout
+
+environment:
+  VERSION: ${GIT_TAG}
+
+cmd: /bin/bash -c "cp /plugins/* /target/."

deploy/melange.yaml.tmpl

@@ -0,0 +1,37 @@
+package:
+  name: local-volume-provider-head
+  version: ${GIT_TAG}
+  epoch: 0
+  description: local-volume-provider package
+  copyright:
+    - license: Apache-2.0
+
+environment:
+  contents:
+    repositories:
+      - https://packages.wolfi.dev/os
+    keyring:
+      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+    packages:
+      - ca-certificates-bundle
+      - busybox
+      - git
+      - go
+  environment:
+    GOMODCACHE: '/var/cache/melange'
+
+pipeline:
+  - runs: |
+      set -x
+      export DESTDIR="${{targets.destdir}}"
+      mkdir -p "${DESTDIR}/plugins"
+
+      export VERSION=${{package.version}}
+
+      CGO_ENABLED=0 go build \
+        -ldflags=" -X github.com/replicatedhq/local-volume-provider/pkg/version.version=$VERSION " \
+        -o "${DESTDIR}/plugins/local-volume-provider" ./cmd/local-volume-provider
+
+      CGO_ENABLED=0 go build \
+        -ldflags=" -X github.com/replicatedhq/local-volume-provider/pkg/version.version=$VERSION " \
+        -o "${DESTDIR}/local-volume-fileserver" ./cmd/local-volume-fileserver