bazel: remove apko and Dockerfile where Bazel is used to build container images
This commit is contained in:
parent
19ff132ee8
commit
5145f806ea
111
.github/actions/build_apko/action.yml
vendored
@ -1,111 +0,0 @@
|
||||
name: Build container base images using apko
|
||||
description: Build one or multiple apko base images based on supplied .yaml files
|
||||
|
||||
inputs:
|
||||
apkoConfig:
|
||||
description: "Path to the apko .yaml config file. If left empty, all images will be built."
|
||||
required: false
|
||||
apkoArch:
|
||||
description: "Use this image architecture"
|
||||
required: false
|
||||
default: amd64
|
||||
containerTags:
|
||||
description: "Tags for the resulting container image, space separated"
|
||||
required: true
|
||||
registry:
|
||||
description: "Container registry to use"
|
||||
default: "ghcr.io"
|
||||
required: true
|
||||
githubToken:
|
||||
description: "GitHub authorization token"
|
||||
required: true
|
||||
cosignPublicKey:
|
||||
description: "Cosign public key"
|
||||
required: false
|
||||
default: ""
|
||||
cosignPrivateKey:
|
||||
description: "Cosign private key"
|
||||
required: false
|
||||
default: ""
|
||||
cosignPassword:
|
||||
description: "Password for Cosign private key"
|
||||
required: false
|
||||
default: ""
|
||||
|
||||
# Linux runner only (docker required)
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
- name: Install deps
|
||||
shell: bash
|
||||
run: |
|
||||
echo "::group::Install dependencies"
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y zip
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Log in to the Container registry
|
||||
id: docker-login
|
||||
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
|
||||
with:
|
||||
registry: ${{ inputs.registry }}
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ inputs.githubToken }}
|
||||
|
||||
- name: Install Cosign
|
||||
if: |
|
||||
inputs.cosignPublicKey != '' &&
|
||||
inputs.cosignPrivateKey != '' &&
|
||||
inputs.cosignPassword != ''
|
||||
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
|
||||
|
||||
- name: Download apk repository
|
||||
shell: bash
|
||||
env:
|
||||
DOCKER_BUILDKIT: "1"
|
||||
run: |
|
||||
docker build -o ./apko -f hack/package-hasher/Containerfile.apk.downloader ./apko
|
||||
|
||||
- name: Build apko images and sign them
|
||||
shell: bash
|
||||
working-directory: apko
|
||||
env:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
||||
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
||||
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
||||
APKO_CONFIG: ${{ inputs.apkoConfig }}
|
||||
APKO_ARCH: ${{ inputs.apkoArch }}
|
||||
CONTAINER_TAGS: ${{ inputs.containerTags }}
|
||||
REGISTRY: ${{ inputs.registry }}
|
||||
run: ../.github/actions/build_apko/build_and_sign.sh
|
||||
|
||||
- name: Sign sboms
|
||||
if: |
|
||||
inputs.cosignPublicKey != '' &&
|
||||
inputs.cosignPrivateKey != '' &&
|
||||
inputs.cosignPassword != ''
|
||||
shell: bash
|
||||
working-directory: apko
|
||||
env:
|
||||
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
||||
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
||||
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
||||
run: |
|
||||
for dir in sboms/*; do
|
||||
for file in $dir/*; do
|
||||
cosign sign-blob \
|
||||
--key env://COSIGN_PRIVATE_KEY \
|
||||
$file \
|
||||
-y \
|
||||
> $file.sig
|
||||
done
|
||||
done
|
||||
|
||||
zip -r sboms.zip sboms
|
||||
|
||||
- name: Upload SBOMs
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||
with:
|
||||
name: sboms
|
||||
path: apko/sboms.zip
|
68
.github/actions/build_apko/build_and_sign.sh
vendored
@ -1,68 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -exuo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
# buildImage <apko_config_path>
|
||||
buildImage() {
|
||||
local imageConfig=$1
|
||||
|
||||
echo "Building image for ${imageConfig}"
|
||||
|
||||
local imageName
|
||||
imageName=$(basename "${imageConfig}" | cut -d. -f1)
|
||||
local registryPath
|
||||
registryPath="${REGISTRY}/edgelesssys/apko-${imageName}"
|
||||
local outTar
|
||||
outTar="${imageName}.tar"
|
||||
|
||||
mkdir -p "sboms/${imageName}"
|
||||
|
||||
# build the image
|
||||
docker run \
|
||||
-v "${PWD}":/work \
|
||||
cgr.dev/chainguard/apko@sha256:8952f4f3ce58052b7df5e46f230f7192b42b220d3e46c8b06178cc25fd700846 \
|
||||
build \
|
||||
"${imageConfig}" \
|
||||
--build-arch "${APKO_ARCH}" \
|
||||
--sbom \
|
||||
"${registryPath}" \
|
||||
"${outTar}"
|
||||
|
||||
docker load < "${outTar}"
|
||||
|
||||
for tag in ${CONTAINER_TAGS}; do
|
||||
tagSanitized=${tag//\//-}
|
||||
|
||||
docker image tag "${registryPath}" "${registryPath}:${tagSanitized}"
|
||||
docker push "${registryPath}:${tagSanitized}"
|
||||
|
||||
imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
|
||||
|
||||
# write full image as Markdown code block to step summary
|
||||
cat << EOF >> "${GITHUB_STEP_SUMMARY}"
|
||||
\`\`\`
|
||||
${imageDigest%%@*}:${tagSanitized}@${imageDigest##*@}
|
||||
\`\`\`
|
||||
EOF
|
||||
done
|
||||
|
||||
# cosign the container and push to registry
|
||||
cosign sign \
|
||||
--key env://COSIGN_PRIVATE_KEY \
|
||||
"${imageDigest}" \
|
||||
-y
|
||||
|
||||
# move sboms to folder
|
||||
mv sbom-*.* "sboms/${imageName}/"
|
||||
}
|
||||
|
||||
if [[ -n ${APKO_CONFIG} ]]; then
|
||||
buildImage "${APKO_CONFIG}"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Building all images in image"
|
||||
for imageConfig in ./*.yaml; do
|
||||
buildImage "${imageConfig}"
|
||||
done
|
115
.github/actions/build_ko/action.yml
vendored
@ -1,115 +0,0 @@
|
||||
name: Build micro service using Ko
|
||||
description: Build and upload a go micro service using ko
|
||||
inputs:
|
||||
name:
|
||||
description: "Name of the micro-service"
|
||||
required: true
|
||||
registry:
|
||||
description: "Name of the registry to use"
|
||||
required: false
|
||||
default: "ghcr.io"
|
||||
koConfig:
|
||||
description: "Path to the .ko.yaml config file"
|
||||
required: false
|
||||
default: ".ko.yaml"
|
||||
koTarget:
|
||||
description: "Go package to build with ko"
|
||||
required: true
|
||||
pushTag:
|
||||
description: "Use this image tag"
|
||||
required: true
|
||||
githubToken:
|
||||
description: "GitHub authorization token"
|
||||
required: true
|
||||
generateKoSBOM:
|
||||
description: "Generate unsigned ko SBOM"
|
||||
required: false
|
||||
default: "false"
|
||||
|
||||
outputs:
|
||||
container_full:
|
||||
description: "Full container reference"
|
||||
value: ${{ steps.build.container_full }}
|
||||
container_image:
|
||||
description: "Container image"
|
||||
value: ${{ steps.build.outputs.container_image }}
|
||||
container_tag:
|
||||
description: "Container tag"
|
||||
value: ${{ steps.build.container_tag }}
|
||||
|
||||
# Linux runner only
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Determine pseudo version
|
||||
if: ${{ !inputs.pushTag}}
|
||||
id: pseudo-version
|
||||
uses: ./.github/actions/pseudo_version
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
|
||||
with:
|
||||
go-version: "1.20.3"
|
||||
cache: true
|
||||
|
||||
- name: Set up ko
|
||||
uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
|
||||
with:
|
||||
ko-version: "v0.12.0"
|
||||
|
||||
- name: Build and upload ko container image
|
||||
id: build
|
||||
shell: bash
|
||||
env:
|
||||
KO_USER: ${{ github.actor }}
|
||||
KO_CONFIG_PATH: ${{ inputs.koConfig }}
|
||||
KO_PASSWORD: ${{ inputs.githubToken }}
|
||||
KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/constellation/${{ inputs.name }}
|
||||
run: |
|
||||
tags=""
|
||||
sbom=""
|
||||
|
||||
if [[ "$(git branch --show-current)" == "${{ github.event.repository.default_branch }}" ]]; then
|
||||
tags="latest"
|
||||
else
|
||||
tags="${{ github.sha }}"
|
||||
fi
|
||||
|
||||
if [[ -n "${{ inputs.pushTag }}" ]]; then
|
||||
if [[ -n "${tags}" ]]; then
|
||||
tags="${tags},${{ inputs.pushTag }}"
|
||||
else
|
||||
tags="${{ inputs.pushTag }}"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ -n "${{ steps.pseudo-version.outputs.version }}" ]]; then
|
||||
if [[ -n "${tags}" ]]; then
|
||||
tags="${tags},${{ steps.pseudo-version.outputs.version }}"
|
||||
else
|
||||
tags="${{ steps.pseudo-version.outputs.version }}"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ "${{ inputs.generateKoSBOM }}" == "false" ]]; then
|
||||
sbom="--sbom=none"
|
||||
fi
|
||||
|
||||
echo "Building container image with tags: ${tags}"
|
||||
container_full=$(ko build ${{ inputs.koTarget }} --bare --tags "${tags}" ${sbom})
|
||||
container_image=$(echo $container_full | cut -d@ -f1)
|
||||
container_sha256=$(echo $container_full | cut -d: -f2)
|
||||
|
||||
cat <<EOF > container_data_ko.json
|
||||
{
|
||||
"container_full": "${container_full}",
|
||||
"container_image": "${container_image}",
|
||||
"container_sha256": "${container_sha256}"
|
||||
}
|
||||
EOF
|
||||
|
||||
- name: Upload Container Data # since github censors hashes that may share data with secrets, we need to upload the data as an artifact
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||
with:
|
||||
name: container_data_ko
|
||||
path: container_data_ko.json
|
@ -1,68 +0,0 @@
|
||||
name: Build micro service (KO)
|
||||
description: Build and upload a container image for a Constellation micro-service
|
||||
inputs:
|
||||
name:
|
||||
description: "Name of the micro-service"
|
||||
required: true
|
||||
koConfig:
|
||||
description: "Path to the .ko.yaml config file"
|
||||
default: ".ko.yaml"
|
||||
required: false
|
||||
koTarget:
|
||||
description: "Go package to build with ko"
|
||||
required: true
|
||||
pushTag:
|
||||
description: "Use this image tag"
|
||||
required: false
|
||||
githubToken:
|
||||
description: "GitHub authorization token"
|
||||
required: true
|
||||
generateKoSBOM:
|
||||
description: "Generate unsigned ko SBOM"
|
||||
required: false
|
||||
default: "false"
|
||||
cosignPublicKey:
|
||||
description: "Cosign public key"
|
||||
required: true
|
||||
cosignPrivateKey:
|
||||
description: "Cosign private key"
|
||||
required: true
|
||||
cosignPassword:
|
||||
description: "Password for Cosign private key"
|
||||
required: false
|
||||
|
||||
# Linux runner only
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Build and upload container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_ko
|
||||
with:
|
||||
name: ${{ inputs.name }}
|
||||
koConfig: ${{ inputs.koConfig }}
|
||||
koTarget: ${{ inputs.koTarget }}
|
||||
pushTag: ${{ inputs.pushTag }}
|
||||
githubToken: ${{ inputs.GITHUB_TOKEN }}
|
||||
|
||||
- name: Download ko Container Data
|
||||
id: download_container_data
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: container_data_ko
|
||||
path: CONTAINER_DATA_KO
|
||||
|
||||
- name: Set container url to Github Env
|
||||
shell: bash
|
||||
run: |
|
||||
container_full=$(jq -r .container_full < container_data_ko.json)
|
||||
echo CONTAINER_FULL=$container_full >> $GITHUB_ENV
|
||||
|
||||
- name: Generate SBOM
|
||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false'
|
||||
uses: ./.github/actions/container_sbom
|
||||
with:
|
||||
containerReference: ${{ env.CONTAINER_FULL }}
|
||||
cosignPublicKey: ${{ inputs.cosignPublicKey }}
|
||||
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
|
||||
cosignPassword: ${{ inputs.cosignPassword }}
|
137
.github/actions/build_operator/action.yml
vendored
@ -1,137 +0,0 @@
|
||||
name: Build operator
|
||||
description: Build and upload a container image for a Constellation operator
|
||||
inputs:
|
||||
name:
|
||||
description: "Name of the operator"
|
||||
required: true
|
||||
sourceDir:
|
||||
description: "Path to the operators source directory"
|
||||
required: true
|
||||
pushTag:
|
||||
description: "Use this image tag"
|
||||
required: false
|
||||
githubToken:
|
||||
description: "GitHub authorization token"
|
||||
required: true
|
||||
cosignPublicKey:
|
||||
description: "Cosign public key"
|
||||
required: false
|
||||
cosignPrivateKey:
|
||||
description: "Cosign private key"
|
||||
required: false
|
||||
cosignPassword:
|
||||
description: "Password for Cosign private key"
|
||||
required: false
|
||||
|
||||
# Linux runner only (Docker required)
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Determine pseudo version
|
||||
id: pseudo-version
|
||||
uses: ./.github/actions/pseudo_version
|
||||
|
||||
- name: Install operator-sdk
|
||||
uses: ./.github/actions/install_operator_sdk
|
||||
with:
|
||||
version: v1.22.2
|
||||
|
||||
- name: Log in to the Container registry
|
||||
id: docker-login
|
||||
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ inputs.githubToken }}
|
||||
|
||||
- name: Docker metadata
|
||||
id: meta
|
||||
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
|
||||
with:
|
||||
images: |
|
||||
ghcr.io/${{ github.repository }}/${{ inputs.name }}
|
||||
tags: |
|
||||
type=raw,value=latest,enable={{is_default_branch}}
|
||||
type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }}
|
||||
type=raw,value=${{ steps.pseudo-version.outputs.version }},enable=${{ '' != steps.pseudo-version.outputs.version }}
|
||||
type=ref,event=branch
|
||||
|
||||
- name: Build and push container image
|
||||
id: build-image
|
||||
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
|
||||
with:
|
||||
context: .
|
||||
file: ${{ inputs.sourceDir }}/Dockerfile
|
||||
push: true
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
|
||||
- name: Generate SBOM
|
||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
||||
uses: ./.github/actions/container_sbom
|
||||
with:
|
||||
containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-image.outputs.digest }}
|
||||
cosignPublicKey: ${{ inputs.cosignPublicKey }}
|
||||
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
|
||||
cosignPassword: ${{ inputs.cosignPassword }}
|
||||
|
||||
- name: Bundle for pseudo version
|
||||
if: steps.pseudo-version.outputs.version != '' && inputs.pushTag == ''
|
||||
shell: bash
|
||||
working-directory: ${{ inputs.sourceDir }}
|
||||
env:
|
||||
VERSION: ${{ steps.pseudo-version.outputs.version }}
|
||||
run: make bundle VERSION=${VERSION#v}
|
||||
|
||||
- name: Bundle for semantic version
|
||||
if: inputs.pushTag != ''
|
||||
shell: bash
|
||||
working-directory: ${{ inputs.sourceDir }}
|
||||
env:
|
||||
VERSION: ${{ inputs.pushTag }}
|
||||
run: make bundle VERSION=${VERSION#v}
|
||||
|
||||
- name: Docker metadata for bundle
|
||||
id: bundle-meta
|
||||
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
|
||||
with:
|
||||
images: |
|
||||
ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle
|
||||
tags: |
|
||||
type=raw,value=latest,enable={{is_default_branch}}
|
||||
type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }}
|
||||
type=raw,value=${{ steps.pseudo-version.outputs.version }},enable=${{ '' != steps.pseudo-version.outputs.version }}
|
||||
type=ref,event=branch
|
||||
|
||||
- name: Build and push bundle image
|
||||
id: build-image-bundle
|
||||
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
|
||||
with:
|
||||
context: ${{ inputs.sourceDir }}
|
||||
file: ${{ inputs.sourceDir }}/bundle.Dockerfile
|
||||
push: true
|
||||
tags: ${{ steps.bundle-meta.outputs.tags }}
|
||||
|
||||
- name: Generate Bundle SBOM
|
||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
||||
uses: ./.github/actions/container_sbom
|
||||
with:
|
||||
containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle@${{ steps.build-image-bundle.outputs.digest }}
|
||||
cosignPublicKey: ${{ inputs.cosignPublicKey }}
|
||||
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
|
||||
cosignPassword: ${{ inputs.cosignPassword }}
|
||||
|
||||
- name: Build and push catalog for pseudo versions
|
||||
if: steps.pseudo-version.outputs.version != '' && inputs.pushTag == ''
|
||||
shell: bash
|
||||
working-directory: ${{ inputs.sourceDir }}
|
||||
env:
|
||||
VERSION: ${{ steps.pseudo-version.outputs.version }}
|
||||
run: make VERSION=${VERSION#v} catalog-build catalog-push
|
||||
|
||||
- name: Build and push catalog for releases
|
||||
if: inputs.pushTag != ''
|
||||
shell: bash
|
||||
working-directory: ${{ inputs.sourceDir }}
|
||||
env:
|
||||
VERSION: ${{ inputs.pushTag }}
|
||||
run: make VERSION=${VERSION#v} catalog-build catalog-push
|
17
.github/actions/setup_crane/action.yaml
vendored
@ -1,17 +0,0 @@
|
||||
name: Setup crane
|
||||
description: "Install crane (go-containerregistry)."
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
- name: Install
|
||||
shell: bash
|
||||
env:
|
||||
VERSION: "0.12.1"
|
||||
OS: ${{ runner.os == 'Linux' && 'Linux' || 'Darwin' }}
|
||||
ARCH: ${{ runner.arch == 'X64' && 'x86_64' || runner.arch == 'ARM64' && 'arm64' }}
|
||||
run: |
|
||||
echo "::group::Install crane"
|
||||
curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
|
||||
tar -xzf go-containerregistry.tar.gz
|
||||
sudo mv krane gcrane crane /usr/local/bin/
|
||||
echo "::endgroup::"
|
39
.github/workflows/build-apko-image.yml
vendored
@ -1,39 +0,0 @@
|
||||
name: Build and upload all apko container base images
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- "apko/**"
|
||||
- ".github/workflows/build-apko-image.yml"
|
||||
|
||||
jobs:
|
||||
build-apko-image:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- name: Get pseudo version
|
||||
id: pseudo-version
|
||||
uses: ./.github/actions/pseudo_version
|
||||
|
||||
- name: Build and upload apko image
|
||||
uses: ./.github/actions/build_apko
|
||||
with:
|
||||
containerTags: |
|
||||
${{ steps.pseudo-version.outputs.version }}
|
||||
${{ github.ref_name == 'main' && 'latest' || github.ref_name }}
|
||||
registry: ghcr.io
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
@ -1,41 +0,0 @@
|
||||
name: Build and upload constellation node operator image
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
paths:
|
||||
- "operators/constellation-node-operator/**"
|
||||
- "internal/**"
|
||||
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
|
||||
- ".github/workflows/build-constellation-node-operator.yml"
|
||||
|
||||
jobs:
|
||||
build-constellation-node-operator:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
|
||||
with:
|
||||
go-version: "1.20.3"
|
||||
|
||||
- name: Build and upload constellation-node-operator container image
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: node-operator
|
||||
koTarget: ./operators/constellation-node-operator
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
44
.github/workflows/build-joinservice-image.yml
vendored
@ -1,44 +0,0 @@
|
||||
name: Build and upload join service image
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
paths:
|
||||
- "joinservice/**"
|
||||
- "internal/**"
|
||||
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
|
||||
- ".github/workflows/build-joinservice-image.yml"
|
||||
|
||||
jobs:
|
||||
build-join-service:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
|
||||
with:
|
||||
go-version: "1.20.3"
|
||||
|
||||
- name: Build and upload join service container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: join-service
|
||||
koTarget: ./joinservice/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
45
.github/workflows/build-keyservice-image.yml
vendored
@ -1,45 +0,0 @@
|
||||
name: Build and upload KeyService image
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
paths:
|
||||
- "keyservice/**"
|
||||
- "internal/**"
|
||||
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
|
||||
- ".github/workflows/build-keyservice-image.yml"
|
||||
|
||||
jobs:
|
||||
build-keyservice:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
|
||||
with:
|
||||
go-version: "1.20.3"
|
||||
|
||||
- name: Build and upload KeyService container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: key-service
|
||||
koConfig: .ko.yaml
|
||||
koTarget: ./keyservice/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
35
.github/workflows/build-libvirt-image.yml
vendored
@ -1,35 +0,0 @@
|
||||
name: Build and upload libvirt image
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
paths:
|
||||
- "cli/internal/libvirt/**"
|
||||
- ".github/workflows/build-libvirt-image.yml"
|
||||
|
||||
jobs:
|
||||
build-qemu-metadata-api:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Build and upload libvirt container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service
|
||||
with:
|
||||
name: "libvirt"
|
||||
dockerfile: "cli/internal/libvirt/Dockerfile"
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
60
.github/workflows/build-operator-manual.yml
vendored
@ -1,60 +0,0 @@
|
||||
name: Build operator manually
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
imageTag:
|
||||
description: "Container image tag."
|
||||
required: false
|
||||
ref:
|
||||
type: string
|
||||
description: "Git ref to checkout"
|
||||
required: false
|
||||
release:
|
||||
type: boolean
|
||||
description: "Is this a release build?"
|
||||
required: false
|
||||
default: false
|
||||
workflow_call:
|
||||
inputs:
|
||||
imageTag:
|
||||
type: string
|
||||
description: "Container image tag"
|
||||
required: true
|
||||
ref:
|
||||
type: string
|
||||
description: "Git ref to checkout"
|
||||
required: false
|
||||
release:
|
||||
type: boolean
|
||||
description: "Is this a release build?"
|
||||
required: true
|
||||
|
||||
jobs:
|
||||
build-operator-manual:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.head_ref }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
|
||||
with:
|
||||
go-version: "1.20.3"
|
||||
|
||||
- name: Build and upload constellation-node-operator container image
|
||||
uses: ./.github/actions/build_operator
|
||||
with:
|
||||
name: node-operator
|
||||
sourceDir: operators/constellation-node-operator
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
pushTag: ${{ inputs.imageTag }}
|
||||
cosignPublicKey: ${{ inputs.release && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ inputs.release && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ inputs.release && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
43
.github/workflows/build-qemu-metadata-image.yml
vendored
@ -1,43 +0,0 @@
|
||||
name: Build and upload qemu-metadata-api image
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
paths:
|
||||
- "hack/qemu-metadata-api/**"
|
||||
- "internal/**"
|
||||
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
|
||||
- ".github/workflows/build-qemu-metadata-image.yml"
|
||||
|
||||
jobs:
|
||||
build-qemu-metadata-api:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
|
||||
with:
|
||||
go-version: "1.20.3"
|
||||
|
||||
- name: Build and upload qemu-metadata server container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service
|
||||
with:
|
||||
name: qemu-metadata-api
|
||||
projectVersion: "0.0.0"
|
||||
dockerfile: hack/qemu-metadata-api/Dockerfile
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
42
.github/workflows/build-verification-service.yml
vendored
@ -1,42 +0,0 @@
|
||||
name: Build and upload verification-service image
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
paths:
|
||||
- "verify/**"
|
||||
- "internal/**"
|
||||
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
|
||||
- ".github/workflows/build-verification-service.yml"
|
||||
|
||||
jobs:
|
||||
build-verification-service:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
|
||||
with:
|
||||
go-version: "1.20.3"
|
||||
|
||||
- name: Build and upload verification-service container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: verification-service
|
||||
koTarget: ./verify/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
72
.github/workflows/package-hasher.yml
vendored
@ -1,72 +0,0 @@
|
||||
name: Package hasher
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- ".github/workflows/package-hasher.yml"
|
||||
- "hack/package-hasher/Containerfile.hasher.apk"
|
||||
schedule:
|
||||
- cron: "0 22 */3 * *" # every 3 days at 22:00 UTC
|
||||
|
||||
jobs:
|
||||
hash:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Only run on main branch
|
||||
if: github.ref != 'refs/heads/main'
|
||||
run: |
|
||||
echo "::error::This workflow only runs on the main branch"
|
||||
exit 1
|
||||
|
||||
- name: Checkout Constellation
|
||||
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
|
||||
with:
|
||||
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
||||
|
||||
- name: Install oras
|
||||
env:
|
||||
ORAS_VERSION: "0.16.0"
|
||||
run: |
|
||||
curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz"
|
||||
mkdir -p oras-install/
|
||||
tar -zxf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" -C oras-install/
|
||||
mv oras-install/oras /usr/local/bin/
|
||||
rm -rf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" oras-install/
|
||||
|
||||
- name: Run apk hasher
|
||||
env:
|
||||
DOCKER_BUILDKIT: 1
|
||||
run: docker build -o apko -f hack/package-hasher/Containerfile.apk.hasher .
|
||||
|
||||
- name: Upload apk packages to container registry content addressed storage
|
||||
working-directory: apko/repository-apk
|
||||
run: |
|
||||
oras push \
|
||||
-u ${{ github.actor }} \
|
||||
-p ${{ secrets.GITHUB_TOKEN }} \
|
||||
ghcr.io/edgelesssys/constellation/packages-apk:latest ./*.apk
|
||||
|
||||
- name: Remove apk packages
|
||||
working-directory: apko
|
||||
run: rm -rf repository-apk
|
||||
|
||||
- name: Create new PR
|
||||
uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
|
||||
with:
|
||||
branch: ci/hasher/apk
|
||||
title: "deps: update apk package hashes"
|
||||
commit-message: "deps: update apk package hashes"
|
||||
body: |
|
||||
:robot: *This is an automated PR.* :robot:
|
||||
|
||||
This PR updates (the hashes of) apk packages. It is generated by the package-hasher workflow.
|
||||
committer: edgelessci <edgelessci@users.noreply.github.com>
|
||||
labels: dependencies
|
||||
# We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
|
||||
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
|
80
.ko.yaml
@ -1,80 +0,0 @@
|
||||
defaultBaseImage: ghcr.io/edgelesssys/apko-alpine-base:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:b57063d5894acfe0193d5733b9c5fcee609e76f9dcb580a015e5b8274066fce1
|
||||
|
||||
baseImageOverrides:
|
||||
github.com/edgelesssys/constellation/operators/constellation-node-operator/v2: ghcr.io/edgelesssys/apko-alpine-base-user-65532:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:6a4572b4d42e320e63e01851c8d9b5832a588a10440c2990a2527e128983ae2e
|
||||
github.com/edgelesssys/constellation/v2/hack/qemu-metadata-api: ghcr.io/edgelesssys/apko-alpine-qemu-metadata-api:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:dd9f999ebe8828d6794c0b34fdf053f056afde82af73bfeee890ac4b834c9adf
|
||||
|
||||
builds:
|
||||
- id: keyservice
|
||||
dir: .
|
||||
main: ./keyservice/cmd
|
||||
env:
|
||||
- CGO_ENABLED=0
|
||||
- GOOS=linux
|
||||
- GOARCH=amd64
|
||||
flags:
|
||||
- -trimpath
|
||||
- -buildvcs=false
|
||||
- -a
|
||||
ldflags:
|
||||
- -s -w -buildid=''
|
||||
- -extldflags "-static"
|
||||
|
||||
- id: joinservice
|
||||
dir: .
|
||||
main: ./joinservice/cmd
|
||||
env:
|
||||
- CGO_ENABLED=0
|
||||
- GOOS=linux
|
||||
- GOARCH=amd64
|
||||
flags:
|
||||
- -trimpath
|
||||
- -buildvcs=false
|
||||
- -a
|
||||
ldflags:
|
||||
- -s -w -buildid=''
|
||||
- -extldflags "-static"
|
||||
|
||||
- id: constellation-node-operator
|
||||
dir: .
|
||||
main: ./operators/constellation-node-operator/
|
||||
env:
|
||||
- CGO_ENABLED=0
|
||||
- GOOS=linux
|
||||
- GOARCH=amd64
|
||||
flags:
|
||||
- -trimpath
|
||||
- -buildvcs=false
|
||||
- -a
|
||||
ldflags:
|
||||
- -s -w -buildid=''
|
||||
- -extldflags "-static"
|
||||
|
||||
- id: verification-service
|
||||
dir: .
|
||||
main: ./verify/cmd
|
||||
env:
|
||||
- CGO_ENABLED=0
|
||||
- GOOS=linux
|
||||
- GOARCH=amd64
|
||||
flags:
|
||||
- -trimpath
|
||||
- -buildvcs=false
|
||||
- -a
|
||||
ldflags:
|
||||
- -s -w -buildid=''
|
||||
- -extldflags "-static"
|
||||
|
||||
- id: qemu-metadata-api
|
||||
dir: .
|
||||
main: ./hack/qemu-metadata-api/
|
||||
env:
|
||||
- CGO_ENABLED=0
|
||||
- GOOS=linux
|
||||
- GOARCH=amd64
|
||||
flags:
|
||||
- -trimpath
|
||||
- -buildvcs=false
|
||||
- -a
|
||||
ldflags:
|
||||
- -s -w -buildid=''
|
@ -1,6 +1,5 @@
|
||||
/.github @katexochen
|
||||
/3rdparty/gcp-guest-agent @malt3
|
||||
/apko @katexochen
|
||||
/bazel @malt3
|
||||
/bazel/ci @katexochen
|
||||
/bazel/sh @katexochen
|
||||
|
@ -1,60 +0,0 @@
|
||||
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
|
||||
|
||||
RUN dnf -y update && \
|
||||
dnf -y install @development-tools pkg-config iproute iputils wget git jq openssl-devel cryptsetup-libs cryptsetup-devel && \
|
||||
dnf clean all
|
||||
|
||||
# Install Go
|
||||
ARG GO_VER=1.20.3
|
||||
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
|
||||
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
|
||||
rm go${GO_VER}.linux-amd64.tar.gz
|
||||
ENV PATH ${PATH}:/usr/local/go/bin
|
||||
|
||||
# Download go dependencies
|
||||
WORKDIR /constellation/
|
||||
# Necessary to make `go mod download all` work while having a local replace rule in the root-go.mod.
|
||||
COPY operators/constellation-node-operator/api/go.mod ./operators/constellation-node-operator/api/go.mod
|
||||
COPY operators/constellation-node-operator/api/go.sum ./operators/constellation-node-operator/api/go.sum
|
||||
COPY go.mod ./
|
||||
COPY go.sum ./
|
||||
RUN go mod download all
|
||||
|
||||
# Copy Repo
|
||||
COPY . /constellation
|
||||
RUN rm -rf ./hack/
|
||||
|
||||
FROM build AS build-bootstrapper
|
||||
WORKDIR /constellation/bootstrapper/
|
||||
|
||||
ARG PROJECT_VERSION
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build go build -o bootstrapper -tags=disable_tpm_simulator -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/bootstrapper/
|
||||
|
||||
FROM build AS build-disk-mapper
|
||||
WORKDIR /constellation/disk-mapper/
|
||||
|
||||
ARG PROJECT_VERSION
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build go build -o disk-mapper -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
|
||||
|
||||
FROM build AS build-upgrade-agent
|
||||
WORKDIR /constellation/upgrade-agent/
|
||||
|
||||
ARG PROJECT_VERSION
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build go build -o upgrade-agent -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
|
||||
|
||||
FROM build AS build-measurement-reader
|
||||
WORKDIR /constellation/measurement-reader/
|
||||
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build go build -o measurement-reader -ldflags "-s -w -buildid=''" ./cmd/
|
||||
|
||||
FROM scratch AS bootstrapper
|
||||
COPY --from=build-bootstrapper /constellation/bootstrapper/bootstrapper /
|
||||
|
||||
FROM scratch AS disk-mapper
|
||||
COPY --from=build-disk-mapper /constellation/disk-mapper/disk-mapper /
|
||||
|
||||
FROM scratch AS upgrade-agent
|
||||
COPY --from=build-upgrade-agent /constellation/upgrade-agent/upgrade-agent /
|
||||
|
||||
FROM scratch AS measurement-reader
|
||||
COPY --from=build-measurement-reader /constellation/measurement-reader/measurement-reader /
|
@ -1,89 +0,0 @@
|
||||
1a42c50ef0a1998b92bded41df051201dbc9cfc20fedbbb4b8b15e8fe1e11d99 v3.17/community/x86_64/libvirt-dev-8.9.0-r4.apk
|
||||
95f83a74e872b62360f6c6623a773e07a864e3313a127f57910caba368fed04b v3.17/community/x86_64/libvirt-libs-8.9.0-r4.apk
|
||||
c0e98093cbf8c824ff490cad1a4ea0037c1ff6b0bcb7c7069acb03e4aaf021d3 v3.17/main/x86_64/abuild-3.10.0-r0.apk
|
||||
8c1086f697257360b6cc28816c2544b6fbc428d2419f4d78eb3d0598897a3d47 v3.17/main/x86_64/alpine-base-3.17.3-r0.apk
|
||||
3f922d7d8dafdae6710d9d8bdc96eb72ed4d0a8192b39eda797034e00f38263e v3.17/main/x86_64/alpine-baselayout-3.4.0-r0.apk
|
||||
ff98cab12123a0729fb1f2815bfa9e1611e5567f06d85b340b85f55d89ffa9c6 v3.17/main/x86_64/alpine-baselayout-data-3.4.0-r0.apk
|
||||
6c17cdfebebe34bd50e871b1d68b1b8d85d64a068c54288b0953221713b51a6c v3.17/main/x86_64/alpine-conf-3.15.1-r1.apk
|
||||
d1a3188b2e98957852418edbe5b32d816c428e34cd23f1003c99d4e52338ae1f v3.17/main/x86_64/alpine-keys-2.4-r1.apk
|
||||
d4ff9adf2dbceac313b6d464588be5dd17d1c1d5bd8b644bffc546da76635c1c v3.17/main/x86_64/alpine-release-3.17.3-r0.apk
|
||||
ac29bb040470e672d186c62bd9db5b7f0d29336b5992f024098a951754f43a22 v3.17/main/x86_64/apk-tools-2.12.10-r1.apk
|
||||
9a60fb5126f84fabb1097bcb6d01bc0d298df8c362a69cd83178ae20d971cc38 v3.17/main/x86_64/attr-2.5.1-r2.apk
|
||||
90b29b27ce45dda7810f2a4a1b7aae08ca7714451872139ca531326ce86de27f v3.17/main/x86_64/brotli-libs-1.0.9-r9.apk
|
||||
27479b796bc8380af06dca70451ecd08c2ac87e0020b4352398535a7c8cf746e v3.17/main/x86_64/bsd-compat-headers-0.7.2-r3.apk
|
||||
697fa2e3c66699f33e011a61ec1857938c00709e2626822b0f42548bec942e28 v3.17/main/x86_64/busybox-1.35.0-r29.apk
|
||||
8452b877c019221740dc13040c8bf314a05b43d23d73ee1833775bcd77c03dae v3.17/main/x86_64/busybox-binsh-1.35.0-r29.apk
|
||||
b413e1c8b38b53fb83ecc7b75a227aa7b520a9dac80f0d7c1fc912bc56416c2a v3.17/main/x86_64/busybox-mdev-openrc-1.35.0-r29.apk
|
||||
f8239d8d4e8961e76e2e95caf9b6d2d89816b6f2562f7551aa8eb26c2268c6d6 v3.17/main/x86_64/busybox-openrc-1.35.0-r29.apk
|
||||
ed5b7c94e805c94306ec6411ddc1b2b67b94336b5b9a218967f4e55daad7313b v3.17/main/x86_64/busybox-suid-1.35.0-r29.apk
|
||||
7b89c64c33bc978e73d7b35c9b7cd3ecffd9c599f7763035c212b3697adf89b6 v3.17/main/x86_64/ca-certificates-20220614-r4.apk
|
||||
afcc0a285b823f73526c1995cf9ce71f91fc99ce0969a3494926df94e2589e68 v3.17/main/x86_64/ca-certificates-bundle-20220614-r4.apk
|
||||
966af3c474ca42d4a367b7d62ec9e80576e30a60198f9646a933b816769f6c7c v3.17/main/x86_64/curl-7.88.1-r1.apk
|
||||
4d58ca90d21845a999d734be46db453c68d0f3db2263bc0d143e379db2f25ab9 v3.17/main/x86_64/e2fsprogs-dev-1.46.6-r0.apk
|
||||
c3687cf0c19f8d1fbad0d2a9e49e0f1cea7f10b67f961f17b0f0173b56161d2f v3.17/main/x86_64/e2fsprogs-libs-1.46.6-r0.apk
|
||||
3136d31832e74ac3fb53ec7f81dfdee5698a58ea72086533c4d1a82ceea5b72c v3.17/main/x86_64/fakeroot-1.29-r0.apk
|
||||
6c629bb064a357de1792f454bf7cca43d6d07ac88f1168addc49beaa7793c1b8 v3.17/main/x86_64/gawk-5.1.1-r1.apk
|
||||
f13865c26ebde846324dccea96d85f00a4a4d17338ff222e5cd80b8672e02247 v3.17/main/x86_64/gdbm-1.23-r0.apk
|
||||
e7b759cc5972fdb09aa3b8ac9983e1da003d3607a58e06a1bf9927eadc13c36f v3.17/main/x86_64/glib-2.74.6-r0.apk
|
||||
b51a7d5da574c6ecd2fc8bb711ea8d47e29875f0eb66ce6dc47f5fe53deeda47 v3.17/main/x86_64/gmp-6.2.1-r2.apk
|
||||
38d2e91f7a59de07375655b8f1cd12a3ffa4d1f6c7afc8bd726ee0496aa62fe9 v3.17/main/x86_64/gnutls-3.7.8-r3.apk
|
||||
736d8808f17603015b7766e0f88c703451cba97d987dfd1c92ceed7b55ecf24d v3.17/main/x86_64/ifupdown-ng-0.12.1-r1.apk
|
||||
862e8d30f9be1a41632c7c575fbc8f81199a5fda650bc47384422bc017e09c4d v3.17/main/x86_64/keyutils-libs-1.6.3-r1.apk
|
||||
948af973885559d30e7af8d435a5270f873160104ae6eb8578f0af1d74645b1f v3.17/main/x86_64/krb5-conf-1.0-r2.apk
|
||||
a84e314c5e4f63c391c1074f74063597b20e4a4eddae47064bd46a22b1ef8d87 v3.17/main/x86_64/krb5-dev-1.20.1-r0.apk
|
||||
a51399a9415101a98ffee5921fdf3fc24308c37e30cb4afe3c89ef9cf1da9bc7 v3.17/main/x86_64/krb5-libs-1.20.1-r0.apk
|
||||
68bd8ac9a65ac74957925229667362739455421b7e048f12b0c838814c8a3d23 v3.17/main/x86_64/krb5-server-ldap-1.20.1-r0.apk
|
||||
17af2d1ba520e8bf31c39f4756786ebe84faf89be852bc874f4adf56296ed896 v3.17/main/x86_64/libacl-2.3.1-r1.apk
|
||||
5c0be2a5a9bc708afe8dc94c9da40c66f4c22505d236ef163aa292a4cde159a6 v3.17/main/x86_64/libattr-2.5.1-r2.apk
|
||||
b1b3ac001c198712c2798ec70b8bb6245b06cdee342a4622f371f7df043ab82c v3.17/main/x86_64/libblkid-2.38.1-r1.apk
|
||||
6c799e4779fb3cb018265293f1ba6047282cddd4a17312960ad695f8830f3a5b v3.17/main/x86_64/libc-utils-0.7.2-r3.apk
|
||||
adfebf5fc4004f1460f5971913fcca3ea3d6fa56412d32ffc48f191e336a1cc5 v3.17/main/x86_64/libcap-ng-0.8.3-r1.apk
|
||||
77342435302175fe0e9946d2b226d9d1a12e714849ddd7d4f421c93e63ca04f8 v3.17/main/x86_64/libcap2-2.66-r0.apk
|
||||
51df3c3934695e14b222a293a720e087214f1d3980ccc40bb2e2c706b62de43f v3.17/main/x86_64/libcom_err-1.46.6-r0.apk
|
||||
68a074d18ded51e1953bf3c97ea66877f9e6703fe357a315daac63b91c5ce8d9 v3.17/main/x86_64/libcrypto3-3.0.8-r3.apk
|
||||
9f862823176dffebe2162a0d36178bed42356ee98ad14e206d8b6e93b3d06b53 v3.17/main/x86_64/libcurl-7.88.1-r1.apk
|
||||
6ca645108699bcbf917dfdf4fdfe4eb48e1f407ea048098709d20e865109ecfc v3.17/main/x86_64/libev-4.33-r0.apk
|
||||
5a0730375e1f6d2f70d4385f9b63b0957024bd6e2a80dc784d066cf714362b07 v3.17/main/x86_64/libevent-2.1.12-r5.apk
|
||||
0c083d8c3d2511e8387e487c83aaa429de5a76fbf0219404c3afde63b715d2a4 v3.17/main/x86_64/libfdisk-2.38.1-r1.apk
|
||||
42f2618b35e9404d64f752c22f9cd2cb7a7d72328ceff4292b0a2a6be355fdc6 v3.17/main/x86_64/libffi-3.4.4-r0.apk
|
||||
2c0282ec5c2d78fe94b1e0ab676d6fe675e6656796b8a92e29ce4b17234add6a v3.17/main/x86_64/libgcc-12.2.1_git20220924-r4.apk
|
||||
bdc90400c34b17772e2713154c3e4c34a8db37edace1e6dc8f07329eb09f4ac9 v3.17/main/x86_64/libintl-0.21.1-r1.apk
|
||||
353f5caae4a1bcc06a0b44e540e5cec4740216482ec727121fd309ccfa150bf6 v3.17/main/x86_64/libldap-2.6.3-r6.apk
|
||||
7aa402e7e4c4de9059048935f2893ebe606c6ec057b59daf6fc198fbe1ffdc2a v3.17/main/x86_64/libmount-2.38.1-r1.apk
|
||||
ede0b4fa32c44ed13ef23616856f173d6f9fd7de1787426e8009cbd04f03802d v3.17/main/x86_64/libnl3-3.7.0-r0.apk
|
||||
8731b00c9c091eb6a5e54c0c2582a5dfdc153f189efc9504e7130fc016489941 v3.17/main/x86_64/libsasl-2.1.28-r3.apk
|
||||
c727fa15838b10908282453e3869081d3e93298dc6b55d45a4c3a48a89a676eb v3.17/main/x86_64/libsmartcols-2.38.1-r1.apk
|
||||
2698e84ad84aa587bcd1745175f1744a10ea74685b30209845db89ecf2365b85 v3.17/main/x86_64/libssl3-3.0.8-r3.apk
|
||||
495a88687dbc7a63e44c6555f1b6aca6ba80f772d359623f4da5edc362afae08 v3.17/main/x86_64/libstdc++-12.2.1_git20220924-r4.apk
|
||||
ecca312cb85b634352aef41f1561f3f3f262e85b57a620859df2d0cbe6972ded v3.17/main/x86_64/libtasn1-4.19.0-r0.apk
|
||||
35a9efc76af2d2ef85c1768e6e9e87078d19e1f452e7173b0fa7e6e0d5fd63e8 v3.17/main/x86_64/libtirpc-1.3.3-r0.apk
|
||||
c1867e1f8bcdf1cee53b2e648a3f54f7f396c02b6e3131a445cc266962c5d5e0 v3.17/main/x86_64/libtirpc-conf-1.3.3-r0.apk
|
||||
ba713024840265e1784a6bd3108b09fd3084925e32e5ed46e4f113d5981f5e4d v3.17/main/x86_64/libtirpc-dev-1.3.3-r0.apk
|
||||
166733b0a046d79914f413eea1b15479961d00bb2bebb93f1c8aa5dfe92a2311 v3.17/main/x86_64/libtirpc-nokrb-1.3.3-r0.apk
|
||||
d43569a2293a79ae7b7ee7d36f14b3f9893301a971e8534d104fa51a160b9607 v3.17/main/x86_64/libunistring-1.1-r0.apk
|
||||
3013bcbddf3ff9eb812791a2e87fc2a0b72910cfd415590d21faa96d3bbbf1bc v3.17/main/x86_64/libuuid-2.38.1-r1.apk
|
||||
f401d78b65a5067ef396c93a56950a87fa1b1fe3e1770489021f5924db7b10b0 v3.17/main/x86_64/libverto-0.3.2-r1.apk
|
||||
8cf71d3c953a5fc83493e01dbe03ce893fad44eba87a606c8cb8a161159a02c1 v3.17/main/x86_64/libverto-dev-0.3.2-r1.apk
|
||||
f9585399e58c15da6324f92e7ad92a757c01edb560e9c362ab4587c6158cd8e4 v3.17/main/x86_64/libverto-glib-0.3.2-r1.apk
|
||||
a1060409c38e4d67e6ce67001108a35c2ade5a50cdff9c62fc555ef9a08717b9 v3.17/main/x86_64/libverto-libev-0.3.2-r1.apk
|
||||
fee7860a5a1cb324bfe5ee4b5a68e834d57862743f062183681443e3387951da v3.17/main/x86_64/libverto-libevent-0.3.2-r1.apk
|
||||
0d5bc88d04d7da3ad800f4dcaee4b7876c9c6ff3d2537a7b3471e4f488b5a5f0 v3.17/main/x86_64/libxml2-2.10.3-r1.apk
|
||||
2564f7bb9985495a12b30a283acd53ad1c5e742b405bba2a031581eaac94b8f9 v3.17/main/x86_64/lzip-1.23-r0.apk
|
||||
2a46230e00ba2e1c59c4d3dfc4bd74135d034191dc9fdf6606b3021c00efb5d3 v3.17/main/x86_64/mdev-conf-4.3-r0.apk
|
||||
2a77f358c803ae9e2ec35ccf4906019df9b92d96c13e207d92ccabd13aec80eb v3.17/main/x86_64/musl-1.2.3-r4.apk
|
||||
2f380042d7e80f124291ffaeed21700af13fbf112866a4caa663226cc9ba3468 v3.17/main/x86_64/musl-utils-1.2.3-r4.apk
|
||||
b6f3592eb4fa228a8221f2b405cedbfe8fcadef07a7903a57d8e460af753fe48 v3.17/main/x86_64/nettle-3.8.1-r0.apk
|
||||
82874c31d2fc4aa5bb2c3e7240d419643c20c5740e1f2c91099b6f04aad200ad v3.17/main/x86_64/nghttp2-libs-1.51.0-r0.apk
|
||||
eba236b90c510fe01e9ef0182e8dd671b30d4ceaade79f410da26dda22780afd v3.17/main/x86_64/openrc-0.45.2-r7.apk
|
||||
64337f9c3fe1cd25d0863a00e6fd2329f8e0976f2d6fb0210391de9593602585 v3.17/main/x86_64/openssl-3.0.8-r3.apk
|
||||
83dd5cc59510198067ba0e4db76208f669218469417b909f82c2f9fbb1e1f20a v3.17/main/x86_64/p11-kit-0.24.1-r1.apk
|
||||
baa3e5a7f248f0e34bcaa07b2c5dfbe39641e52feb878518cd6a7f6c579590e9 v3.17/main/x86_64/patch-2.7.6-r9.apk
|
||||
1e4149304c4acc0e93c72aadf8df0f4643aee35f0294bf2deae019cca1bf5085 v3.17/main/x86_64/pcre2-10.42-r0.apk
|
||||
455c58e9b66da6d7fe4b86cd9bab830e3963008b58bd87fe0e6b7aa05907af4c v3.17/main/x86_64/pkgconf-1.9.4-r0.apk
|
||||
b3ad8d88fdae82cb1bd350f84298059ac8287a2855136580b2828f75ef846c4b v3.17/main/x86_64/scanelf-1.3.5-r1.apk
|
||||
ceff279c448e9987e70a97a77fe57d84ff1eefd428345c525f2e21a00d1a54b4 v3.17/main/x86_64/ssl_client-1.35.0-r29.apk
|
||||
981ccb518411d2e9f04249f6fe40568ce41e320d23a9550647852417be58bec6 v3.17/main/x86_64/tar-1.34-r2.apk
|
||||
1ab16d81c9e7b59c51692626ac58b55d779f40bca4313be3d591d56a873c9434 v3.17/main/x86_64/util-linux-dev-2.38.1-r1.apk
|
||||
da8ff707e8430169696ea971175a9fbb76a3ad599e4399ead7998a4d0ddbf94f v3.17/main/x86_64/xz-libs-5.2.9-r0.apk
|
||||
935589dfe902b26cdbe09f54eb399ce2f5d6b5e13eb994de36abb495e4843df5 v3.17/main/x86_64/yajl-2.1.0-r5.apk
|
||||
dc35929a53b3abaecb69b18dca79af25e38b8ab906aec5a912ec120b2cb4b731 v3.17/main/x86_64/zlib-1.2.13-r0.apk
|
@ -1,26 +0,0 @@
|
||||
contents:
|
||||
keyring:
|
||||
- index-signing-key.rsa.pub
|
||||
repositories:
|
||||
- "@local repository-apk"
|
||||
packages:
|
||||
- alpine-base@local
|
||||
|
||||
entrypoint:
|
||||
command: /bin/sh -l
|
||||
|
||||
accounts:
|
||||
groups:
|
||||
- groupname: "65532"
|
||||
gid: 65532
|
||||
users:
|
||||
- username: "65532"
|
||||
gid: 65532
|
||||
uid: 65532
|
||||
run-as: "65532"
|
||||
|
||||
environment:
|
||||
PATH: /usr/sbin:/sbin:/usr/bin:/bin
|
||||
|
||||
archs:
|
||||
- amd64
|
@ -1,16 +0,0 @@
|
||||
contents:
|
||||
keyring:
|
||||
- index-signing-key.rsa.pub
|
||||
repositories:
|
||||
- "@local repository-apk"
|
||||
packages:
|
||||
- alpine-base@local
|
||||
|
||||
entrypoint:
|
||||
command: /bin/sh -l
|
||||
|
||||
environment:
|
||||
PATH: /usr/sbin:/sbin:/usr/bin:/bin
|
||||
|
||||
archs:
|
||||
- amd64
|
@ -1,14 +0,0 @@
|
||||
contents:
|
||||
keyring:
|
||||
- index-signing-key.rsa.pub
|
||||
repositories:
|
||||
- "@local repository-apk"
|
||||
packages:
|
||||
- alpine-base@local
|
||||
- libvirt-dev@local
|
||||
|
||||
environment:
|
||||
PATH: /usr/sbin:/sbin:/usr/bin:/bin
|
||||
|
||||
archs:
|
||||
- amd64
|
@ -1,29 +0,0 @@
|
||||
FROM fedora:37@sha256:ca620b6a713882989f2dfb31dd34705834c95bc23e493687828080f6e5ad1be6 AS release
|
||||
RUN dnf -y update && \
|
||||
dnf -y install dnf-plugins-core \
|
||||
libvirt-daemon-config-network \
|
||||
libvirt-daemon-kvm \
|
||||
qemu-kvm \
|
||||
swtpm \
|
||||
swtpm-tools \
|
||||
libvirt-client && \
|
||||
dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-c487bde4b4 -y && \
|
||||
dnf remove -y python-setuptools && \
|
||||
dnf clean all
|
||||
# TODO(malt3): remove advisory FEDORA-2023-c487bde4b4 upgrade for libtpms to libtpms-0.9.6-1.fc37.x86_64 once it is in stable
|
||||
|
||||
# Prevent cgroup issues on Fedora and configure libvirt
|
||||
RUN echo "cgroup_controllers = []" >> /etc/libvirt/qemu.conf && \
|
||||
echo "listen_tls = 0" >> /etc/libvirt/libvirtd.conf && \
|
||||
echo "listen_tcp = 1" >> /etc/libvirt/libvirtd.conf && \
|
||||
echo "tcp_port = \"16599\"" >> /etc/libvirt/libvirtd.conf && \
|
||||
echo "listen_addr = \"localhost\"" >> /etc/libvirt/libvirtd.conf && \
|
||||
echo "auth_tcp = \"none\"" >> /etc/libvirt/libvirtd.conf
|
||||
|
||||
# Copy nvram templates
|
||||
COPY ./cli/internal/libvirt/nvram/constellation_vars.testing.fd /usr/share/OVMF/constellation_vars.testing.fd
|
||||
COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
|
||||
|
||||
COPY --chmod=755 ./cli/internal/libvirt/start.sh /start.sh
|
||||
|
||||
ENTRYPOINT ["/start.sh"]
|
@ -16,7 +16,10 @@ virsh -c "qemu+tcp://localhost:16599/system"
|
||||
Build the image:
|
||||
|
||||
```shell
|
||||
DOCKER_BUILDKIT=1 docker build -t ghcr.io/edgelesssys/constellation/libvirt:latest -f cli/internal/libvirt/Dockerfile .
|
||||
bazel build //cli/internal/libvirt:constellation_libvirt
|
||||
bazel build //bazel/release:libvirt_sum
|
||||
bazel build //bazel/release:libvirt_tar
|
||||
bazel run //bazel/release:libvirt_push
|
||||
```
|
||||
|
||||
A container of the image is automatically started by the CLI.
|
||||
|
@ -1,73 +0,0 @@
|
||||
# syntax=docker/dockerfile:1.5-labs
|
||||
FROM alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as builder
|
||||
|
||||
#
|
||||
# Install dependencies
|
||||
#
|
||||
|
||||
ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
|
||||
https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
|
||||
/usr/bin/repro-get
|
||||
RUN chmod +x /usr/bin/repro-get
|
||||
|
||||
ADD --checksum=sha256:45ae2e1f566cdc26dd9ddf0ca37a494d3fa7db29946094ae2f0d91e16def827d \
|
||||
https://github.com/oras-project/oras/releases/download/v0.16.0/oras_0.16.0_linux_amd64.tar.gz \
|
||||
/tmp/oras.tar.gz
|
||||
RUN tar -C /usr/bin -xzf /tmp/oras.tar.gz oras
|
||||
RUN chmod +x /usr/bin/oras
|
||||
|
||||
COPY SHA256SUMS-apk-amd64 /SHA256SUMS-apk-amd64
|
||||
|
||||
# TODO(katexochen): reenable when bug is fixed upstream,
|
||||
# see https://github.com/reproducible-containers/repro-get/issues/29
|
||||
|
||||
# RUN repro-get \
|
||||
# --provider=oci://ghcr.io/katexochen/apk-repo-test \
|
||||
# --cache ./cache \
|
||||
# --distro alpine \
|
||||
# download /SHA256SUMS-apk-amd64
|
||||
|
||||
# RUN repro-get \
|
||||
# --cache ./cache \
|
||||
# --distro alpine \
|
||||
# cache export repository-apk
|
||||
|
||||
|
||||
WORKDIR /workspace/repository-apk/x86_64
|
||||
|
||||
# Pull our pinned packages from the registry
|
||||
RUN oras pull ghcr.io/edgelesssys/constellation/packages-apk:latest
|
||||
|
||||
# Need to remove the repository prefix from the hashes file
|
||||
RUN sed -i -E 's%v[0-9].[0-9]+\/(main|community)\/x86_64/%%' /SHA256SUMS-apk-amd64
|
||||
|
||||
# Validate package hashes
|
||||
RUN sha256sum -c /SHA256SUMS-apk-amd64
|
||||
|
||||
# Create an apk index from the packages
|
||||
RUN apk index \
|
||||
--rewrite-arch x86_64 \
|
||||
-o APKINDEX.tar.gz \
|
||||
*.apk
|
||||
|
||||
#
|
||||
# We need package abuild to sign out index.
|
||||
# This is not a security mesaure. It is just a requirement of apko.
|
||||
# We installe the pinned abuild package from our registry, create
|
||||
# a new keypair and sign the index.
|
||||
#
|
||||
|
||||
RUN echo "/workspace/repository-apk" > /etc/apk/repositories
|
||||
RUN apk update --allow-untrusted && apk add --allow-untrusted abuild
|
||||
RUN abuild-keygen -a -n
|
||||
|
||||
RUN mv /root/.abuild/*.rsa /root/.abuild/index-signing-key.rsa
|
||||
RUN mv /root/.abuild/*.rsa.pub /root/.abuild/index-signing-key.rsa.pub
|
||||
RUN echo 'PACKAGER_PRIVKEY="/root/.abuild/index-signing-key.rsa"' > /root/.abuild/abuild.conf
|
||||
|
||||
RUN abuild-sign APKINDEX.tar.gz
|
||||
|
||||
FROM scratch as output
|
||||
|
||||
COPY --from=builder /workspace/repository-apk repository-apk
|
||||
COPY --from=builder /root/.abuild/*.rsa.pub index-signing-key.rsa.pub
|
@ -1,28 +0,0 @@
|
||||
# syntax=docker/dockerfile:1.5-labs
|
||||
FROM alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as builder
|
||||
|
||||
ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
|
||||
https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
|
||||
/usr/bin/repro-get
|
||||
RUN chmod +x /usr/bin/repro-get
|
||||
|
||||
RUN apk update && apk add \
|
||||
alpine-base \
|
||||
libvirt-dev \
|
||||
abuild
|
||||
|
||||
WORKDIR /out
|
||||
|
||||
# Dump the hashes of the installed packages
|
||||
RUN repro-get hash generate > SHA256SUMS
|
||||
|
||||
# Export the apks
|
||||
RUN repro-get cache export repository-apk
|
||||
|
||||
# Sort the hashes
|
||||
RUN sort -k2 -o SHA256SUMS SHA256SUMS
|
||||
|
||||
FROM scratch as output
|
||||
|
||||
COPY --from=builder /out/SHA256SUMS SHA256SUMS-apk-amd64
|
||||
COPY --from=builder /out/repository-apk repository-apk
|
@ -1,34 +0,0 @@
|
||||
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
|
||||
|
||||
RUN dnf -y update && \
|
||||
dnf -y install libvirt-devel @development-tools pkg-config wget git && \
|
||||
dnf clean all
|
||||
|
||||
ARG GO_VER=1.20.3
|
||||
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
|
||||
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
|
||||
rm go${GO_VER}.linux-amd64.tar.gz
|
||||
ENV PATH ${PATH}:/usr/local/go/bin
|
||||
|
||||
WORKDIR /qemu-metadata-api
|
||||
# Necessary to make `go mod download all` work while having a local replace rule in the root-go.mod.
|
||||
COPY operators/constellation-node-operator/api/go.mod ./operators/constellation-node-operator/api/go.mod
|
||||
COPY operators/constellation-node-operator/api/go.sum ./operators/constellation-node-operator/api/go.sum
|
||||
COPY go.mod ./
|
||||
COPY go.sum ./
|
||||
RUN go mod download all
|
||||
|
||||
WORKDIR /qemu-metadata-api/hack
|
||||
COPY hack/go.mod ./go.mod
|
||||
COPY hack/go.sum ./go.sum
|
||||
RUN go mod download all
|
||||
|
||||
COPY . /qemu-metadata-api
|
||||
WORKDIR /qemu-metadata-api/hack/qemu-metadata-api
|
||||
RUN go build -o api-server .
|
||||
|
||||
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as release
|
||||
RUN dnf -y install libvirt-devel && \
|
||||
dnf clean all
|
||||
COPY --from=build /qemu-metadata-api/hack/qemu-metadata-api/api-server /server
|
||||
ENTRYPOINT [ "/server" ]
|
@ -36,7 +36,10 @@ sudo firewall-cmd --zone libvirt --add-port 8080/tcp --permanent
|
||||
Build the image:
|
||||
|
||||
```shell
|
||||
DOCKER_BUILDKIT=1 docker build -t ghcr.io/edgelesssys/constellation/qemu-metadata-api:latest -f hack/qemu-metadata-api/Dockerfile .
|
||||
bazel build //hack/qemu-metadata-api:qemumetadata
|
||||
bazel build //bazel/release:qemumetadata_sum
|
||||
bazel build //bazel/release:qemumetadata_tar
|
||||
bazel run //bazel/release:qemumetadata_push
|
||||
```
|
||||
|
||||
A container of the image is automatically started by Terraform.
|
||||
|
@ -1,31 +0,0 @@
|
||||
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
|
||||
|
||||
RUN dnf -y update && \
|
||||
dnf install -y iproute iputils wget git && \
|
||||
dnf clean all
|
||||
|
||||
# Install Go
|
||||
ARG GO_VER=1.20.3
|
||||
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
|
||||
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
|
||||
rm go${GO_VER}.linux-amd64.tar.gz
|
||||
ENV PATH ${PATH}:/usr/local/go/bin
|
||||
|
||||
# Download go dependencies
|
||||
WORKDIR /constellation/
|
||||
COPY go.mod ./
|
||||
COPY go.sum ./
|
||||
RUN go mod download all
|
||||
|
||||
# Copy Repo
|
||||
COPY . /constellation
|
||||
RUN rm -rf ./hack/
|
||||
|
||||
WORKDIR /constellation/joinservice
|
||||
ARG PROJECT_VERSION=0.0.0
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o join-service -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
|
||||
|
||||
# Use gcr.io/distroless/static here since we need CA certificates to be installed for aTLS operations on GCP.
|
||||
FROM gcr.io/distroless/static@sha256:8d4cc4a622ce09a75bd7b1eea695008bdbff9e91fea426c2d353ea127dcdc9e3 as release
|
||||
COPY --from=build /constellation/joinservice/join-service /joinservice
|
||||
ENTRYPOINT [ "/joinservice" ]
|
@ -40,9 +40,13 @@ This is needed for fetching data encryption keys for joining nodes.
|
||||
|
||||
Implements interaction with the Kubernetes API to create join tokens for new nodes.
|
||||
|
||||
## [Dockerfile](./Dockerfile)
|
||||
## Docker image
|
||||
|
||||
Build the image:
|
||||
|
||||
```shell
|
||||
export VERSION=0.0.0
|
||||
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile .
|
||||
bazel build //joinservice/cmd:joinservice
|
||||
bazel build //bazel/release:joinservice_sum
|
||||
bazel build //bazel/release:joinservice_tar
|
||||
bazel run //bazel/release:joinservice_push
|
||||
```
|
||||
|
@ -1,31 +0,0 @@
|
||||
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
|
||||
|
||||
RUN dnf -y update && \
|
||||
dnf install -y wget git
|
||||
|
||||
# Install Go
|
||||
ARG GO_VER=1.20.3
|
||||
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
|
||||
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
|
||||
rm go${GO_VER}.linux-amd64.tar.gz
|
||||
ENV PATH ${PATH}:/usr/local/go/bin
|
||||
|
||||
# Download go dependencies
|
||||
WORKDIR /constellation/
|
||||
COPY go.mod ./
|
||||
COPY go.sum ./
|
||||
RUN go mod download all
|
||||
|
||||
# Copy Repo
|
||||
COPY . /constellation
|
||||
RUN rm -rf ./hack/
|
||||
|
||||
# Build
|
||||
RUN mkdir -p /constellation/build
|
||||
WORKDIR /constellation/keyservice/cmd
|
||||
ARG PROJECT_VERSION=0.0.0
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/keyservice -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}"
|
||||
|
||||
FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec as release
|
||||
COPY --from=build /constellation/build/keyservice /keyservice
|
||||
ENTRYPOINT ["/keyservice"]
|
@ -1,33 +0,0 @@
|
||||
# Build the manager binary
|
||||
FROM golang:1.20.3@sha256:89924bd0abc1001141e0415648d90914ebc9a9d60d4cbbc696ee53f1d1a9a136 as builder
|
||||
|
||||
# Download project root dependencies
|
||||
WORKDIR /workspace
|
||||
# Copy the Go Modules manifests
|
||||
COPY go.mod go.mod
|
||||
COPY go.sum go.sum
|
||||
# cache deps before building and copying source so that we don't need to re-download as much
|
||||
# and so that source changes don't invalidate our downloaded layer
|
||||
RUN go mod download
|
||||
|
||||
# Download operator dependencies
|
||||
WORKDIR /workspace/operators/constellation-node-operator
|
||||
COPY operators/constellation-node-operator/go.mod ./
|
||||
COPY operators/constellation-node-operator/go.sum ./
|
||||
RUN go mod download all
|
||||
|
||||
WORKDIR /workspace
|
||||
COPY . .
|
||||
|
||||
# Build
|
||||
WORKDIR /workspace/operators/constellation-node-operator
|
||||
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
|
||||
|
||||
# Use distroless as minimal base image to package the manager binary
|
||||
# Refer to https://github.com/GoogleContainerTools/distroless for more details
|
||||
FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec as release
|
||||
WORKDIR /
|
||||
COPY --from=builder /workspace/operators/constellation-node-operator/manager .
|
||||
USER 65532:65532
|
||||
|
||||
ENTRYPOINT ["/manager"]
|
@ -1,30 +0,0 @@
|
||||
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
|
||||
|
||||
RUN dnf -y update && \
|
||||
dnf install -y iproute iputils wget git && \
|
||||
dnf clean all
|
||||
|
||||
# Install Go
|
||||
ARG GO_VER=1.20.3
|
||||
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
|
||||
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
|
||||
rm go${GO_VER}.linux-amd64.tar.gz
|
||||
ENV PATH ${PATH}:/usr/local/go/bin
|
||||
|
||||
# Download go dependencies
|
||||
WORKDIR /constellation/
|
||||
COPY go.mod ./
|
||||
COPY go.sum ./
|
||||
RUN go mod download all
|
||||
|
||||
# Copy Repo
|
||||
COPY . /constellation
|
||||
RUN rm -rf ./hack/
|
||||
|
||||
WORKDIR /constellation/verify
|
||||
ARG PROJECT_VERSION=0.0.0
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o verify-service -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
|
||||
|
||||
FROM scratch AS release
|
||||
COPY --from=build /constellation/verify/verify-service /verify
|
||||
ENTRYPOINT [ "/verify" ]
|