From 5145f806ea5c509050064cd033511d76413f14aa Mon Sep 17 00:00:00 2001 
From: Malte Poll
Date: Tue, 4 Apr 2023 15:24:43 +0200
Subject: [PATCH] bazel: remove apko and Dockerfile where Bazel is used to build container images

---
.github/actions/build_apko/action.yml | 111 --------------
.github/actions/build_apko/build_and_sign.sh | 68 ---------
.github/actions/build_ko/action.yml | 115 ---------------
.../actions/build_micro_service_ko/action.yml | 68 ---------
.github/actions/build_operator/action.yml | 137 ------------------
.github/actions/setup_crane/action.yaml | 17 ---
.github/workflows/build-apko-image.yml | 39 -----
.../build-constellation-node-operator.yml | 41 ------
.github/workflows/build-joinservice-image.yml | 44 ------
.github/workflows/build-keyservice-image.yml | 45 ------
.github/workflows/build-libvirt-image.yml | 35 -----
.github/workflows/build-operator-manual.yml | 60 --------
.../workflows/build-qemu-metadata-image.yml | 43 ------
.../workflows/build-verification-service.yml | 42 ------
.github/workflows/package-hasher.yml | 72 ---------
.ko.yaml | 80 ----------
CODEOWNERS | 1 -
Dockerfile.build | 60 --------
apko/SHA256SUMS-apk-amd64 | 89 ------------
apko/alpine-base-user-65532.yaml | 26 ----
apko/alpine-base.yaml | 16 --
apko/alpine-qemu-metadata-api.yaml | 14 --
cli/internal/libvirt/Dockerfile | 29 ----
cli/internal/libvirt/README.md | 5 +-
.../Containerfile.apk.downloader | 73 ----------
hack/package-hasher/Containerfile.apk.hasher | 28 ----
hack/qemu-metadata-api/Dockerfile | 34 -----
hack/qemu-metadata-api/README.md | 5 +-
joinservice/Dockerfile | 31 ----
joinservice/README.md | 10 +-
keyservice/Dockerfile | 31 ----
.../constellation-node-operator/Dockerfile | 33 -----
verify/Dockerfile | 30 ----
33 files changed, 15 insertions(+), 1517 deletions(-)
delete mode 100644 .github/actions/build_apko/action.yml
delete mode 100755 .github/actions/build_apko/build_and_sign.sh
delete mode 100644 .github/actions/build_ko/action.yml
delete mode 100644 .github/actions/build_micro_service_ko/action.yml
delete mode 100644 .github/actions/build_operator/action.yml
delete mode 100644 .github/actions/setup_crane/action.yaml
delete mode 100644 .github/workflows/build-apko-image.yml
delete mode 100644 .github/workflows/build-constellation-node-operator.yml
delete mode 100644 .github/workflows/build-joinservice-image.yml
delete mode 100644 .github/workflows/build-keyservice-image.yml
delete mode 100644 .github/workflows/build-libvirt-image.yml
delete mode 100644 .github/workflows/build-operator-manual.yml
delete mode 100644 .github/workflows/build-qemu-metadata-image.yml
delete mode 100644 .github/workflows/build-verification-service.yml
delete mode 100644 .github/workflows/package-hasher.yml
delete mode 100644 .ko.yaml
delete mode 100644 Dockerfile.build
delete mode 100644 apko/SHA256SUMS-apk-amd64
delete mode 100644 apko/alpine-base-user-65532.yaml
delete mode 100644 apko/alpine-base.yaml
delete mode 100644 apko/alpine-qemu-metadata-api.yaml
delete mode 100644 cli/internal/libvirt/Dockerfile
delete mode 100644 hack/package-hasher/Containerfile.apk.downloader
delete mode 100644 hack/package-hasher/Containerfile.apk.hasher
delete mode 100644 hack/qemu-metadata-api/Dockerfile
delete mode 100644 joinservice/Dockerfile
delete mode 100644 keyservice/Dockerfile
delete mode 100644 operators/constellation-node-operator/Dockerfile
delete mode 100644 verify/Dockerfile
diff --git a/.github/actions/build_apko/action.yml b/.github/actions/build_apko/action.yml
deleted file mode 100644
index 4e9eb00d7..000000000
--- a/.github/actions/build_apko/action.yml
+++ /dev/null
@@ -1,111 +0,0 @@ -name: Build container base images using apko -description: Build one or multiple apko base images based on supplied .yaml files - -inputs: - apkoConfig: - description: "Path to the apko .yaml config file. If left empty, all images will be built." - required: false - apkoArch: - description: "Use this image architecture" - required: false - default: amd64 - containerTags: - description: "Tags for the resulting container image, space separated" - required: true - registry: - description: "Container registry to use" - default: "ghcr.io" - required: true - githubToken: - description: "GitHub authorization token" - required: true - cosignPublicKey: - description: "Cosign public key" - required: false - default: "" - cosignPrivateKey: - description: "Cosign private key" - required: false - default: "" - cosignPassword: - description: "Password for Cosign private key" - required: false - default: "" - -# Linux runner only (docker required) -runs: - using: composite - steps: - - name: Install deps - shell: bash - run: | - echo "::group::Install dependencies" - sudo apt-get update - sudo apt-get install -y zip - echo "::endgroup::" - - - name: Log in to the Container registry - id: docker-login - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0 - with: - registry: ${{ inputs.registry }} - username: ${{ github.actor }} - password: ${{ inputs.githubToken }} - - - name: Install Cosign - if: | - inputs.cosignPublicKey != '' && - inputs.cosignPrivateKey != '' && - inputs.cosignPassword != '' - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - - - name: Download apk repository - shell: bash - env: - DOCKER_BUILDKIT: "1" - run: | - docker build -o ./apko -f hack/package-hasher/Containerfile.apk.downloader ./apko - - - name: Build apko images and sign them - shell: bash - working-directory: apko - env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} - 
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} - COSIGN_PASSWORD: ${{ inputs.cosignPassword }} - APKO_CONFIG: ${{ inputs.apkoConfig }} - APKO_ARCH: ${{ inputs.apkoArch }} - CONTAINER_TAGS: ${{ inputs.containerTags }} - REGISTRY: ${{ inputs.registry }} - run: ../.github/actions/build_apko/build_and_sign.sh - - - name: Sign sboms - if: | - inputs.cosignPublicKey != '' && - inputs.cosignPrivateKey != '' && - inputs.cosignPassword != '' - shell: bash - working-directory: apko - env: - COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} - COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} - COSIGN_PASSWORD: ${{ inputs.cosignPassword }} - run: | - for dir in sboms/*; do - for file in $dir/*; do - cosign sign-blob \ - --key env://COSIGN_PRIVATE_KEY \ - $file \ - -y \ - > $file.sig - done - done - - zip -r sboms.zip sboms - - - name: Upload SBOMs - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: sboms - path: apko/sboms.zip diff --git a/.github/actions/build_apko/build_and_sign.sh b/.github/actions/build_apko/build_and_sign.sh deleted file mode 100755 index e4154efd7..000000000 --- a/.github/actions/build_apko/build_and_sign.sh +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/usr/bin/env bash - -set -exuo pipefail -shopt -s inherit_errexit - -# buildImage -buildImage() { - local imageConfig=$1 - - echo "Building image for ${imageConfig}" - - local imageName - imageName=$(basename "${imageConfig}" | cut -d. -f1) - local registryPath - registryPath="${REGISTRY}/edgelesssys/apko-${imageName}" - local outTar - outTar="${imageName}.tar" - - mkdir -p "sboms/${imageName}" - - # build the image - docker run \ - -v "${PWD}":/work \ - cgr.dev/chainguard/apko@sha256:8952f4f3ce58052b7df5e46f230f7192b42b220d3e46c8b06178cc25fd700846 \ - build \ - "${imageConfig}" \ - --build-arch "${APKO_ARCH}" \ - --sbom \ - "${registryPath}" \ - "${outTar}" - - docker load < "${outTar}" - - for tag in ${CONTAINER_TAGS}; do - tagSanitized=${tag//\//-} - - docker image tag "${registryPath}" "${registryPath}:${tagSanitized}" - docker push "${registryPath}:${tagSanitized}" - - imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}") - - # write full image as Markdown code block to step summary - cat << EOF >> "${GITHUB_STEP_SUMMARY}" -\`\`\` -${imageDigest%%@*}:${tagSanitized}@${imageDigest##*@} -\`\`\` -EOF - done - - # cosign the container and push to registry - cosign sign \ - --key env://COSIGN_PRIVATE_KEY \ - "${imageDigest}" \ - -y - - # move sboms to folder - mv sbom-*.* "sboms/${imageName}/" -} - -if [[ -n ${APKO_CONFIG} ]]; then - buildImage "${APKO_CONFIG}" - exit 0 -fi - -echo "Building all images in image" -for imageConfig in ./*.yaml; do - buildImage "${imageConfig}" -done diff --git a/.github/actions/build_ko/action.yml b/.github/actions/build_ko/action.yml deleted file mode 100644 index 29784d605..000000000 --- a/.github/actions/build_ko/action.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -name: Build micro service using Ko -description: Build and upload a go micro service using ko -inputs: - name: - description: "Name of the micro-service" - required: true - registry: - description: "Name of the registry to use" - required: false - default: "ghcr.io" - koConfig: - description: "Path to the .ko.yaml config file" - required: false - default: ".ko.yaml" - koTarget: - description: "Go package to build with ko" - required: true - pushTag: - description: "Use this image tag" - required: true - githubToken: - description: "GitHub authorization token" - required: true - generateKoSBOM: - description: "Generate unsigned ko SBOM" - required: false - default: "false" - -outputs: - container_full: - description: "Full container reference" - value: ${{ steps.build.container_full }} - container_image: - description: "Container image" - value: ${{ steps.build.outputs.container_image }} - container_tag: - description: "Container tag" - value: ${{ steps.build.container_tag }} - -# Linux runner only -runs: - using: "composite" - steps: - - name: Determine pseudo version - if: ${{ !inputs.pushTag}} - id: pseudo-version - uses: ./.github/actions/pseudo_version - - - name: Setup Go environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 - with: - go-version: "1.20.3" - cache: true - - - name: Set up ko - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - with: - ko-version: "v0.12.0" - - - name: Build and upload ko container image - id: build - shell: bash - env: - KO_USER: ${{ github.actor }} - KO_CONFIG_PATH: ${{ inputs.koConfig }} - KO_PASSWORD: ${{ inputs.githubToken }} - KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/constellation/${{ inputs.name }} - run: | - tags="" - sbom="" - - if [[ "$(git branch --show-current)" == "${{ github.event.repository.default_branch }}" ]]; then - tags="latest" - else - tags="${{ github.sha }}" - fi - - if [[ -n "${{ inputs.pushTag }}" ]]; then - if [[ -n 
"${tags}" ]]; then - tags="${tags},${{ inputs.pushTag }}" - else - tags="${{ inputs.pushTag }}" - fi - fi - - if [[ -n "${{ steps.pseudo-version.outputs.version }}" ]]; then - if [[ -n "${tags}" ]]; then - tags="${tags},${{ steps.pseudo-version.outputs.version }}" - else - tags="${{ steps.pseudo-version.outputs.version }}" - fi - fi - - if [[ "${{ inputs.generateKoSBOM }}" == "false" ]]; then - sbom="--sbom=none" - fi - - echo "Building container image with tags: ${tags}" - container_full=$(ko build ${{ inputs.koTarget }} --bare --tags "${tags}" ${sbom}) - container_image=$(echo $container_full | cut -d@ -f1) - container_sha256=$(echo $container_full | cut -d: -f2) - - cat < container_data_ko.json - { - "container_full": "${container_full}", - "container_image": "${container_image}", - "container_sha256": "${container_sha256}" - } - EOF - - - name: Upload Container Data # since github censors hashes that may share data with secrets, we need to upload the data as an artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: container_data_ko - path: container_data_ko.json diff --git a/.github/actions/build_micro_service_ko/action.yml b/.github/actions/build_micro_service_ko/action.yml deleted file mode 100644 index 12bb85bc1..000000000 --- a/.github/actions/build_micro_service_ko/action.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -name: Build micro service (KO) -description: Build and upload a container image for a Constellation micro-service -inputs: - name: - description: "Name of the micro-service" - required: true - koConfig: - description: "Path to the .ko.yaml config file" - default: ".ko.yaml" - required: false - koTarget: - description: "Go package to build with ko" - required: true - pushTag: - description: "Use this image tag" - required: false - githubToken: - description: "GitHub authorization token" - required: true - generateKoSBOM: - description: "Generate unsigned ko SBOM" - required: false - default: "false" - cosignPublicKey: - description: "Cosign public key" - required: true - cosignPrivateKey: - description: "Cosign private key" - required: true - cosignPassword: - description: "Password for Cosign private key" - required: false - -# Linux runner only -runs: - using: "composite" - steps: - - name: Build and upload container image - id: build-and-upload - uses: ./.github/actions/build_ko - with: - name: ${{ inputs.name }} - koConfig: ${{ inputs.koConfig }} - koTarget: ${{ inputs.koTarget }} - pushTag: ${{ inputs.pushTag }} - githubToken: ${{ inputs.GITHUB_TOKEN }} - - - name: Download ko Container Data - id: download_container_data - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: container_data_ko - path: CONTAINER_DATA_KO - - - name: Set container url to Github Env - shell: bash - run: | - container_full=$(jq -r .container_full < container_data_ko.json) - echo CONTAINER_FULL=$container_full >> $GITHUB_ENV - - - name: Generate SBOM - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false' - uses: ./.github/actions/container_sbom - with: - containerReference: ${{ env.CONTAINER_FULL }} - cosignPublicKey: ${{ inputs.cosignPublicKey }} - cosignPrivateKey: ${{ inputs.cosignPrivateKey }} - cosignPassword: ${{ inputs.cosignPassword }} 
diff --git a/.github/actions/build_operator/action.yml b/.github/actions/build_operator/action.yml deleted file mode 100644 index 7923b790f..000000000 --- a/.github/actions/build_operator/action.yml +++ /dev/null 
@@ -1,137 +0,0 @@ -name: Build operator -description: Build and upload a container image for a Constellation operator -inputs: - name: - description: "Name of the operator" - required: true - sourceDir: - description: "Path to the operators source directory" - required: true - pushTag: - description: "Use this image tag" - required: false - githubToken: - description: "GitHub authorization token" - required: true - cosignPublicKey: - description: "Cosign public key" - required: false - cosignPrivateKey: - description: "Cosign private key" - required: false - cosignPassword: - description: "Password for Cosign private key" - required: false - -# Linux runner only (Docker required) -runs: - using: "composite" - steps: - - name: Determine pseudo version - id: pseudo-version - uses: ./.github/actions/pseudo_version - - - name: Install operator-sdk - uses: ./.github/actions/install_operator_sdk - with: - version: v1.22.2 - - - name: Log in to the Container registry - id: docker-login - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ inputs.githubToken }} - - - name: Docker metadata - id: meta - uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0 - with: - images: | - ghcr.io/${{ github.repository }}/${{ inputs.name }} - tags: | - type=raw,value=latest,enable={{is_default_branch}} - type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }} - type=raw,value=${{ steps.pseudo-version.outputs.version }},enable=${{ '' != steps.pseudo-version.outputs.version }} - type=ref,event=branch - - - name: Build and push container image - id: build-image - uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 - with: - context: . 
- file: ${{ inputs.sourceDir }}/Dockerfile - push: true - tags: ${{ steps.meta.outputs.tags }} - - - name: Generate SBOM - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - uses: ./.github/actions/container_sbom - with: - containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-image.outputs.digest }} - cosignPublicKey: ${{ inputs.cosignPublicKey }} - cosignPrivateKey: ${{ inputs.cosignPrivateKey }} - cosignPassword: ${{ inputs.cosignPassword }} - - - name: Bundle for pseudo version - if: steps.pseudo-version.outputs.version != '' && inputs.pushTag == '' - shell: bash - working-directory: ${{ inputs.sourceDir }} - env: - VERSION: ${{ steps.pseudo-version.outputs.version }} - run: make bundle VERSION=${VERSION#v} - - - name: Bundle for semantic version - if: inputs.pushTag != '' - shell: bash - working-directory: ${{ inputs.sourceDir }} - env: - VERSION: ${{ inputs.pushTag }} - run: make bundle VERSION=${VERSION#v} - - - name: Docker metadata for bundle - id: bundle-meta - uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0 - with: - images: | - ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle - tags: | - type=raw,value=latest,enable={{is_default_branch}} - type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }} - type=raw,value=${{ steps.pseudo-version.outputs.version }},enable=${{ '' != steps.pseudo-version.outputs.version }} - type=ref,event=branch - - - name: Build and push bundle image - id: build-image-bundle - uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 - with: - context: ${{ inputs.sourceDir }} - file: ${{ inputs.sourceDir }}/bundle.Dockerfile - push: true - tags: ${{ steps.bundle-meta.outputs.tags }} - - - name: Generate Bundle SBOM - if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' - uses: ./.github/actions/container_sbom - with: - 
containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle@${{ steps.build-image-bundle.outputs.digest }} - cosignPublicKey: ${{ inputs.cosignPublicKey }} - cosignPrivateKey: ${{ inputs.cosignPrivateKey }} - cosignPassword: ${{ inputs.cosignPassword }} - - - name: Build and push catalog for pseudo versions - if: steps.pseudo-version.outputs.version != '' && inputs.pushTag == '' - shell: bash - working-directory: ${{ inputs.sourceDir }} - env: - VERSION: ${{ steps.pseudo-version.outputs.version }} - run: make VERSION=${VERSION#v} catalog-build catalog-push - - - name: Build and push catalog for releases - if: inputs.pushTag != '' - shell: bash - working-directory: ${{ inputs.sourceDir }} - env: - VERSION: ${{ inputs.pushTag }} - run: make VERSION=${VERSION#v} catalog-build catalog-push diff --git a/.github/actions/setup_crane/action.yaml b/.github/actions/setup_crane/action.yaml deleted file mode 100644 index ff512ecd0..000000000 --- a/.github/actions/setup_crane/action.yaml +++ /dev/null @@ -1,17 +0,0 @@ -name: Setup crane -description: "Install crane (go-containerregistry)." -runs: - using: composite - steps: - - name: Install - shell: bash - env: - VERSION: "0.12.1" - OS: ${{ runner.os == 'Linux' && 'Linux' || 'Darwin' }} - ARCH: ${{ runner.arch == 'X64' && 'x86_64' || runner.arch == 'ARM64' && 'arm64' }} - run: | - echo "::group::Install crane" - curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz - tar -xzf go-containerregistry.tar.gz - sudo mv krane gcrane crane /usr/local/bin/ - echo "::endgroup::" diff --git a/.github/workflows/build-apko-image.yml b/.github/workflows/build-apko-image.yml deleted file mode 100644 index 0e8e3f9b9..000000000 --- a/.github/workflows/build-apko-image.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -name: Build and upload all apko container base images - -on: - workflow_dispatch: - push: - branches: - - main - paths: - - "apko/**" - - ".github/workflows/build-apko-image.yml" - -jobs: - build-apko-image: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - name: Check out repository - id: checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - with: - ref: ${{ github.head_ref }} - - - name: Get pseudo version - id: pseudo-version - uses: ./.github/actions/pseudo_version - - - name: Build and upload apko image - uses: ./.github/actions/build_apko - with: - containerTags: | - ${{ steps.pseudo-version.outputs.version }} - ${{ github.ref_name == 'main' && 'latest' || github.ref_name }} - registry: ghcr.io - githubToken: ${{ secrets.GITHUB_TOKEN }} - cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} - cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} diff --git a/.github/workflows/build-constellation-node-operator.yml b/.github/workflows/build-constellation-node-operator.yml deleted file mode 100644 index 367f0eb17..000000000 --- a/.github/workflows/build-constellation-node-operator.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -name: Build and upload constellation node operator image - -on: - workflow_dispatch: - push: - branches: - - main - - "release/**" - paths: - - "operators/constellation-node-operator/**" - - "internal/**" - - "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops - - ".github/workflows/build-constellation-node-operator.yml" - -jobs: - build-constellation-node-operator: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - name: Check out repository - id: checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Setup Go environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 - with: - go-version: "1.20.3" - - - name: Build and upload constellation-node-operator container image - uses: ./.github/actions/build_micro_service_ko - with: - name: node-operator - koTarget: ./operators/constellation-node-operator - githubToken: ${{ secrets.GITHUB_TOKEN }} - cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} - cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} diff --git a/.github/workflows/build-joinservice-image.yml b/.github/workflows/build-joinservice-image.yml deleted file mode 100644 index cd854ca1c..000000000 --- a/.github/workflows/build-joinservice-image.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: Build and upload join service image -env: - REGISTRY: ghcr.io - -on: - workflow_dispatch: - push: - branches: - - main - - "release/**" - paths: - - "joinservice/**" - - "internal/**" - - "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops - - ".github/workflows/build-joinservice-image.yml" - -jobs: - build-join-service: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - name: Check out repository - id: checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Setup Go environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 - with: - go-version: "1.20.3" - - - name: Build and upload join service container image - id: build-and-upload - uses: ./.github/actions/build_micro_service_ko - with: - name: join-service - koTarget: ./joinservice/cmd - githubToken: ${{ secrets.GITHUB_TOKEN }} - cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} - cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} diff --git a/.github/workflows/build-keyservice-image.yml b/.github/workflows/build-keyservice-image.yml deleted file mode 100644 index 5ca98ffc5..000000000 --- a/.github/workflows/build-keyservice-image.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: Build and upload KeyService image -env: - REGISTRY: ghcr.io - -on: - workflow_dispatch: - push: - branches: - - main - - "release/**" - paths: - - "keyservice/**" - - "internal/**" - - "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops - - ".github/workflows/build-keyservice-image.yml" - -jobs: - build-keyservice: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - name: Check out repository - id: checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Setup Go environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 - with: - go-version: "1.20.3" - - - name: Build and upload KeyService container image - id: build-and-upload - uses: ./.github/actions/build_micro_service_ko - with: - name: key-service - koConfig: .ko.yaml - koTarget: ./keyservice/cmd - githubToken: ${{ secrets.GITHUB_TOKEN }} - cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} - cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} diff --git a/.github/workflows/build-libvirt-image.yml b/.github/workflows/build-libvirt-image.yml deleted file mode 100644 index 6d5cc5a32..000000000 --- a/.github/workflows/build-libvirt-image.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: Build and upload libvirt image - -on: - workflow_dispatch: - push: - branches: - - main - - "release/**" - paths: - - "cli/internal/libvirt/**" - - ".github/workflows/build-libvirt-image.yml" - -jobs: - build-qemu-metadata-api: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - name: Check out repository - id: checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Build and upload libvirt container image - id: build-and-upload - uses: ./.github/actions/build_micro_service - with: - name: "libvirt" - dockerfile: "cli/internal/libvirt/Dockerfile" - githubToken: ${{ secrets.GITHUB_TOKEN }} - cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} - cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} diff --git a/.github/workflows/build-operator-manual.yml b/.github/workflows/build-operator-manual.yml deleted file mode 100644 index ee806e4c6..000000000 --- a/.github/workflows/build-operator-manual.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -name: Build operator manually - -on: - workflow_dispatch: - inputs: - imageTag: - description: "Container image tag." - required: false - ref: - type: string - description: "Git ref to checkout" - required: false - release: - type: boolean - description: "Is this a release build?" - required: false - default: false - workflow_call: - inputs: - imageTag: - type: string - description: "Container image tag" - required: true - ref: - type: string - description: "Git ref to checkout" - required: false - release: - type: boolean - description: "Is this a release build?" - required: true - -jobs: - build-operator-manual: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - name: Check out repository - id: checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - with: - ref: ${{ inputs.ref || github.head_ref }} - - - name: Setup Go environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 - with: - go-version: "1.20.3" - - - name: Build and upload constellation-node-operator container image - uses: ./.github/actions/build_operator - with: - name: node-operator - sourceDir: operators/constellation-node-operator - githubToken: ${{ secrets.GITHUB_TOKEN }} - pushTag: ${{ inputs.imageTag }} - cosignPublicKey: ${{ inputs.release && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - cosignPrivateKey: ${{ inputs.release && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} - cosignPassword: ${{ inputs.release && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} diff --git a/.github/workflows/build-qemu-metadata-image.yml b/.github/workflows/build-qemu-metadata-image.yml deleted file mode 100644 index 19eeccbc7..000000000 --- a/.github/workflows/build-qemu-metadata-image.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -name: Build and upload qemu-metadata-api image - -on: - workflow_dispatch: - push: - branches: - - main - - "release/**" - paths: - - "hack/qemu-metadata-api/**" - - "internal/**" - - "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops - - ".github/workflows/build-qemu-metadata-image.yml" - -jobs: - build-qemu-metadata-api: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - name: Check out repository - id: checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Setup Go environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 - with: - go-version: "1.20.3" - - - name: Build and upload qemu-metadata server container image - id: build-and-upload - uses: ./.github/actions/build_micro_service - with: - name: qemu-metadata-api - projectVersion: "0.0.0" - dockerfile: hack/qemu-metadata-api/Dockerfile - githubToken: ${{ secrets.GITHUB_TOKEN }} - cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} - cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} diff --git a/.github/workflows/build-verification-service.yml b/.github/workflows/build-verification-service.yml deleted file mode 100644 index 2cfaa145d..000000000 --- a/.github/workflows/build-verification-service.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: Build and upload verification-service image - -on: - workflow_dispatch: - push: - branches: - - main - - "release/**" - paths: - - "verify/**" - - "internal/**" - - "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops - - ".github/workflows/build-verification-service.yml" - -jobs: - build-verification-service: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - steps: - - name: Check out repository - id: checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Setup Go environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 - with: - go-version: "1.20.3" - - - name: Build and upload verification-service container image - id: build-and-upload - uses: ./.github/actions/build_micro_service_ko - with: - name: verification-service - koTarget: ./verify/cmd - githubToken: ${{ secrets.GITHUB_TOKEN }} - cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} - cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} diff --git a/.github/workflows/package-hasher.yml b/.github/workflows/package-hasher.yml deleted file mode 100644 index 640c520f5..000000000 --- a/.github/workflows/package-hasher.yml +++ /dev/null 
@@ -1,72 +0,0 @@
-name: Package hasher
-
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- paths:
- - ".github/workflows/package-hasher.yml"
- - "hack/package-hasher/Containerfile.hasher.apk"
- schedule:
- - cron: "0 22 */3 * *" # every 3 days at 22:00 UTC
-
-jobs:
- hash:
- runs-on: ubuntu-22.04
- permissions:
- contents: read
- packages: write
- steps:
- - name: Only run on main branch
- if: github.ref != 'refs/heads/main'
- run: |
- echo "::error::This workflow only runs on the main branch"
- exit 1
-
- - name: Checkout Constellation
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
- with:
- ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
- - name: Install oras
- env:
- ORAS_VERSION: "0.16.0"
- run: |
- curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz"
- mkdir -p oras-install/
- tar -zxf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" -C oras-install/
- mv oras-install/oras /usr/local/bin/
- rm -rf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" oras-install/
-
- - name: Run apk hasher
- env:
- DOCKER_BUILDKIT: 1
- run: docker build -o apko -f hack/package-hasher/Containerfile.apk.hasher .
-
- - name: Upload apk packages to container registry content addressed storage
- working-directory: apko/repository-apk
- run: |
- oras push \
- -u ${{ github.actor }} \
- -p ${{ secrets.GITHUB_TOKEN }} \
- ghcr.io/edgelesssys/constellation/packages-apk:latest ./*.apk
-
- - name: Remove apk packages
- working-directory: apko
- run: rm -rf repository-apk
-
- - name: Create new PR
- uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
- with:
- branch: ci/hasher/apk
- title: "deps: update apk package hashes"
- commit-message: "deps: update apk package hashes"
- body: |
- :robot: *This is an automated PR.* :robot:
-
- This PR updates (the hashes of) apk packages. It is generated by the package-hasher workflow.
- committer: edgelessci
- labels: dependencies
- # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
- token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
diff --git a/.ko.yaml b/.ko.yaml
deleted file mode 100644
index c582dcc1f..000000000
--- a/.ko.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-defaultBaseImage: ghcr.io/edgelesssys/apko-alpine-base:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:b57063d5894acfe0193d5733b9c5fcee609e76f9dcb580a015e5b8274066fce1
-
-baseImageOverrides:
- github.com/edgelesssys/constellation/operators/constellation-node-operator/v2: ghcr.io/edgelesssys/apko-alpine-base-user-65532:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:6a4572b4d42e320e63e01851c8d9b5832a588a10440c2990a2527e128983ae2e
- github.com/edgelesssys/constellation/v2/hack/qemu-metadata-api: ghcr.io/edgelesssys/apko-alpine-qemu-metadata-api:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:dd9f999ebe8828d6794c0b34fdf053f056afde82af73bfeee890ac4b834c9adf
-
-builds:
- - id: keyservice
- dir: .
- main: ./keyservice/cmd
- env:
- - CGO_ENABLED=0
- - GOOS=linux
- - GOARCH=amd64
- flags:
- - -trimpath
- - -buildvcs=false
- - -a
- ldflags:
- - -s -w -buildid=''
- - -extldflags "-static"
-
- - id: joinservice
- dir: .
- main: ./joinservice/cmd
- env:
- - CGO_ENABLED=0
- - GOOS=linux
- - GOARCH=amd64
- flags:
- - -trimpath
- - -buildvcs=false
- - -a
- ldflags:
- - -s -w -buildid=''
- - -extldflags "-static"
-
- - id: constellation-node-operator
- dir: .
- main: ./operators/constellation-node-operator/
- env:
- - CGO_ENABLED=0
- - GOOS=linux
- - GOARCH=amd64
- flags:
- - -trimpath
- - -buildvcs=false
- - -a
- ldflags:
- - -s -w -buildid=''
- - -extldflags "-static"
-
- - id: verification-service
- dir: .
- main: ./verify/cmd
- env:
- - CGO_ENABLED=0
- - GOOS=linux
- - GOARCH=amd64
- flags:
- - -trimpath
- - -buildvcs=false
- - -a
- ldflags:
- - -s -w -buildid=''
- - -extldflags "-static"
-
- - id: qemu-metadata-api
- dir: .
- main: ./hack/qemu-metadata-api/
- env:
- - CGO_ENABLED=0
- - GOOS=linux
- - GOARCH=amd64
- flags:
- - -trimpath
- - -buildvcs=false
- - -a
- ldflags:
- - -s -w -buildid=''
diff --git a/CODEOWNERS b/CODEOWNERS
index ec0c23e3e..dae290217 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,6 +1,5 @@
 /.github @katexochen
 /3rdparty/gcp-guest-agent @malt3
-/apko @katexochen
 /bazel @malt3
 /bazel/ci @katexochen
 /bazel/sh @katexochen
diff --git a/Dockerfile.build b/Dockerfile.build
deleted file mode 100644
index 379227840..000000000
--- a/Dockerfile.build
+++ /dev/null
@@ -1,60 +0,0 @@
-FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
-
-RUN dnf -y update && \
- dnf -y install @development-tools pkg-config iproute iputils wget git jq openssl-devel cryptsetup-libs cryptsetup-devel && \
- dnf clean all
-
-# Install Go
-ARG GO_VER=1.20.3
-RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
- tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
- rm go${GO_VER}.linux-amd64.tar.gz
-ENV PATH ${PATH}:/usr/local/go/bin
-
-# Download go dependencies
-WORKDIR /constellation/
-# Necessary to make `go mod download all` work while having a local replace rule in the root-go.mod.
-COPY operators/constellation-node-operator/api/go.mod ./operators/constellation-node-operator/api/go.mod
-COPY operators/constellation-node-operator/api/go.sum ./operators/constellation-node-operator/api/go.sum
-COPY go.mod ./
-COPY go.sum ./
-RUN go mod download all
-
-# Copy Repo
-COPY . /constellation
-RUN rm -rf ./hack/
-
-FROM build AS build-bootstrapper
-WORKDIR /constellation/bootstrapper/
-
-ARG PROJECT_VERSION
-RUN --mount=type=cache,target=/root/.cache/go-build go build -o bootstrapper -tags=disable_tpm_simulator -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/bootstrapper/
-
-FROM build AS build-disk-mapper
-WORKDIR /constellation/disk-mapper/
-
-ARG PROJECT_VERSION
-RUN --mount=type=cache,target=/root/.cache/go-build go build -o disk-mapper -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
-
-FROM build AS build-upgrade-agent
-WORKDIR /constellation/upgrade-agent/
-
-ARG PROJECT_VERSION
-RUN --mount=type=cache,target=/root/.cache/go-build go build -o upgrade-agent -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
-
-FROM build AS build-measurement-reader
-WORKDIR /constellation/measurement-reader/
-
-RUN --mount=type=cache,target=/root/.cache/go-build go build -o measurement-reader -ldflags "-s -w -buildid=''" ./cmd/
-
-FROM scratch AS bootstrapper
-COPY --from=build-bootstrapper /constellation/bootstrapper/bootstrapper /
-
-FROM scratch AS disk-mapper
-COPY --from=build-disk-mapper /constellation/disk-mapper/disk-mapper /
-
-FROM scratch AS upgrade-agent
-COPY --from=build-upgrade-agent /constellation/upgrade-agent/upgrade-agent /
-
-FROM scratch AS measurement-reader
-COPY --from=build-measurement-reader /constellation/measurement-reader/measurement-reader /
diff --git a/apko/SHA256SUMS-apk-amd64 b/apko/SHA256SUMS-apk-amd64
deleted file mode 100644
index 834f4f383..000000000
--- a/apko/SHA256SUMS-apk-amd64
+++ /dev/null
@@ -1,89 +0,0 @@ -1a42c50ef0a1998b92bded41df051201dbc9cfc20fedbbb4b8b15e8fe1e11d99 v3.17/community/x86_64/libvirt-dev-8.9.0-r4.apk -95f83a74e872b62360f6c6623a773e07a864e3313a127f57910caba368fed04b v3.17/community/x86_64/libvirt-libs-8.9.0-r4.apk -c0e98093cbf8c824ff490cad1a4ea0037c1ff6b0bcb7c7069acb03e4aaf021d3 v3.17/main/x86_64/abuild-3.10.0-r0.apk -8c1086f697257360b6cc28816c2544b6fbc428d2419f4d78eb3d0598897a3d47 v3.17/main/x86_64/alpine-base-3.17.3-r0.apk -3f922d7d8dafdae6710d9d8bdc96eb72ed4d0a8192b39eda797034e00f38263e v3.17/main/x86_64/alpine-baselayout-3.4.0-r0.apk -ff98cab12123a0729fb1f2815bfa9e1611e5567f06d85b340b85f55d89ffa9c6 v3.17/main/x86_64/alpine-baselayout-data-3.4.0-r0.apk -6c17cdfebebe34bd50e871b1d68b1b8d85d64a068c54288b0953221713b51a6c v3.17/main/x86_64/alpine-conf-3.15.1-r1.apk -d1a3188b2e98957852418edbe5b32d816c428e34cd23f1003c99d4e52338ae1f v3.17/main/x86_64/alpine-keys-2.4-r1.apk -d4ff9adf2dbceac313b6d464588be5dd17d1c1d5bd8b644bffc546da76635c1c v3.17/main/x86_64/alpine-release-3.17.3-r0.apk -ac29bb040470e672d186c62bd9db5b7f0d29336b5992f024098a951754f43a22 v3.17/main/x86_64/apk-tools-2.12.10-r1.apk -9a60fb5126f84fabb1097bcb6d01bc0d298df8c362a69cd83178ae20d971cc38 v3.17/main/x86_64/attr-2.5.1-r2.apk -90b29b27ce45dda7810f2a4a1b7aae08ca7714451872139ca531326ce86de27f v3.17/main/x86_64/brotli-libs-1.0.9-r9.apk -27479b796bc8380af06dca70451ecd08c2ac87e0020b4352398535a7c8cf746e v3.17/main/x86_64/bsd-compat-headers-0.7.2-r3.apk -697fa2e3c66699f33e011a61ec1857938c00709e2626822b0f42548bec942e28 v3.17/main/x86_64/busybox-1.35.0-r29.apk -8452b877c019221740dc13040c8bf314a05b43d23d73ee1833775bcd77c03dae v3.17/main/x86_64/busybox-binsh-1.35.0-r29.apk -b413e1c8b38b53fb83ecc7b75a227aa7b520a9dac80f0d7c1fc912bc56416c2a v3.17/main/x86_64/busybox-mdev-openrc-1.35.0-r29.apk -f8239d8d4e8961e76e2e95caf9b6d2d89816b6f2562f7551aa8eb26c2268c6d6 v3.17/main/x86_64/busybox-openrc-1.35.0-r29.apk -ed5b7c94e805c94306ec6411ddc1b2b67b94336b5b9a218967f4e55daad7313b 
v3.17/main/x86_64/busybox-suid-1.35.0-r29.apk -7b89c64c33bc978e73d7b35c9b7cd3ecffd9c599f7763035c212b3697adf89b6 v3.17/main/x86_64/ca-certificates-20220614-r4.apk -afcc0a285b823f73526c1995cf9ce71f91fc99ce0969a3494926df94e2589e68 v3.17/main/x86_64/ca-certificates-bundle-20220614-r4.apk -966af3c474ca42d4a367b7d62ec9e80576e30a60198f9646a933b816769f6c7c v3.17/main/x86_64/curl-7.88.1-r1.apk -4d58ca90d21845a999d734be46db453c68d0f3db2263bc0d143e379db2f25ab9 v3.17/main/x86_64/e2fsprogs-dev-1.46.6-r0.apk -c3687cf0c19f8d1fbad0d2a9e49e0f1cea7f10b67f961f17b0f0173b56161d2f v3.17/main/x86_64/e2fsprogs-libs-1.46.6-r0.apk -3136d31832e74ac3fb53ec7f81dfdee5698a58ea72086533c4d1a82ceea5b72c v3.17/main/x86_64/fakeroot-1.29-r0.apk -6c629bb064a357de1792f454bf7cca43d6d07ac88f1168addc49beaa7793c1b8 v3.17/main/x86_64/gawk-5.1.1-r1.apk -f13865c26ebde846324dccea96d85f00a4a4d17338ff222e5cd80b8672e02247 v3.17/main/x86_64/gdbm-1.23-r0.apk -e7b759cc5972fdb09aa3b8ac9983e1da003d3607a58e06a1bf9927eadc13c36f v3.17/main/x86_64/glib-2.74.6-r0.apk -b51a7d5da574c6ecd2fc8bb711ea8d47e29875f0eb66ce6dc47f5fe53deeda47 v3.17/main/x86_64/gmp-6.2.1-r2.apk -38d2e91f7a59de07375655b8f1cd12a3ffa4d1f6c7afc8bd726ee0496aa62fe9 v3.17/main/x86_64/gnutls-3.7.8-r3.apk -736d8808f17603015b7766e0f88c703451cba97d987dfd1c92ceed7b55ecf24d v3.17/main/x86_64/ifupdown-ng-0.12.1-r1.apk -862e8d30f9be1a41632c7c575fbc8f81199a5fda650bc47384422bc017e09c4d v3.17/main/x86_64/keyutils-libs-1.6.3-r1.apk -948af973885559d30e7af8d435a5270f873160104ae6eb8578f0af1d74645b1f v3.17/main/x86_64/krb5-conf-1.0-r2.apk -a84e314c5e4f63c391c1074f74063597b20e4a4eddae47064bd46a22b1ef8d87 v3.17/main/x86_64/krb5-dev-1.20.1-r0.apk -a51399a9415101a98ffee5921fdf3fc24308c37e30cb4afe3c89ef9cf1da9bc7 v3.17/main/x86_64/krb5-libs-1.20.1-r0.apk -68bd8ac9a65ac74957925229667362739455421b7e048f12b0c838814c8a3d23 v3.17/main/x86_64/krb5-server-ldap-1.20.1-r0.apk -17af2d1ba520e8bf31c39f4756786ebe84faf89be852bc874f4adf56296ed896 v3.17/main/x86_64/libacl-2.3.1-r1.apk 
-5c0be2a5a9bc708afe8dc94c9da40c66f4c22505d236ef163aa292a4cde159a6 v3.17/main/x86_64/libattr-2.5.1-r2.apk -b1b3ac001c198712c2798ec70b8bb6245b06cdee342a4622f371f7df043ab82c v3.17/main/x86_64/libblkid-2.38.1-r1.apk -6c799e4779fb3cb018265293f1ba6047282cddd4a17312960ad695f8830f3a5b v3.17/main/x86_64/libc-utils-0.7.2-r3.apk -adfebf5fc4004f1460f5971913fcca3ea3d6fa56412d32ffc48f191e336a1cc5 v3.17/main/x86_64/libcap-ng-0.8.3-r1.apk -77342435302175fe0e9946d2b226d9d1a12e714849ddd7d4f421c93e63ca04f8 v3.17/main/x86_64/libcap2-2.66-r0.apk -51df3c3934695e14b222a293a720e087214f1d3980ccc40bb2e2c706b62de43f v3.17/main/x86_64/libcom_err-1.46.6-r0.apk -68a074d18ded51e1953bf3c97ea66877f9e6703fe357a315daac63b91c5ce8d9 v3.17/main/x86_64/libcrypto3-3.0.8-r3.apk -9f862823176dffebe2162a0d36178bed42356ee98ad14e206d8b6e93b3d06b53 v3.17/main/x86_64/libcurl-7.88.1-r1.apk -6ca645108699bcbf917dfdf4fdfe4eb48e1f407ea048098709d20e865109ecfc v3.17/main/x86_64/libev-4.33-r0.apk -5a0730375e1f6d2f70d4385f9b63b0957024bd6e2a80dc784d066cf714362b07 v3.17/main/x86_64/libevent-2.1.12-r5.apk -0c083d8c3d2511e8387e487c83aaa429de5a76fbf0219404c3afde63b715d2a4 v3.17/main/x86_64/libfdisk-2.38.1-r1.apk -42f2618b35e9404d64f752c22f9cd2cb7a7d72328ceff4292b0a2a6be355fdc6 v3.17/main/x86_64/libffi-3.4.4-r0.apk -2c0282ec5c2d78fe94b1e0ab676d6fe675e6656796b8a92e29ce4b17234add6a v3.17/main/x86_64/libgcc-12.2.1_git20220924-r4.apk -bdc90400c34b17772e2713154c3e4c34a8db37edace1e6dc8f07329eb09f4ac9 v3.17/main/x86_64/libintl-0.21.1-r1.apk -353f5caae4a1bcc06a0b44e540e5cec4740216482ec727121fd309ccfa150bf6 v3.17/main/x86_64/libldap-2.6.3-r6.apk -7aa402e7e4c4de9059048935f2893ebe606c6ec057b59daf6fc198fbe1ffdc2a v3.17/main/x86_64/libmount-2.38.1-r1.apk -ede0b4fa32c44ed13ef23616856f173d6f9fd7de1787426e8009cbd04f03802d v3.17/main/x86_64/libnl3-3.7.0-r0.apk -8731b00c9c091eb6a5e54c0c2582a5dfdc153f189efc9504e7130fc016489941 v3.17/main/x86_64/libsasl-2.1.28-r3.apk -c727fa15838b10908282453e3869081d3e93298dc6b55d45a4c3a48a89a676eb 
v3.17/main/x86_64/libsmartcols-2.38.1-r1.apk -2698e84ad84aa587bcd1745175f1744a10ea74685b30209845db89ecf2365b85 v3.17/main/x86_64/libssl3-3.0.8-r3.apk -495a88687dbc7a63e44c6555f1b6aca6ba80f772d359623f4da5edc362afae08 v3.17/main/x86_64/libstdc++-12.2.1_git20220924-r4.apk -ecca312cb85b634352aef41f1561f3f3f262e85b57a620859df2d0cbe6972ded v3.17/main/x86_64/libtasn1-4.19.0-r0.apk -35a9efc76af2d2ef85c1768e6e9e87078d19e1f452e7173b0fa7e6e0d5fd63e8 v3.17/main/x86_64/libtirpc-1.3.3-r0.apk -c1867e1f8bcdf1cee53b2e648a3f54f7f396c02b6e3131a445cc266962c5d5e0 v3.17/main/x86_64/libtirpc-conf-1.3.3-r0.apk -ba713024840265e1784a6bd3108b09fd3084925e32e5ed46e4f113d5981f5e4d v3.17/main/x86_64/libtirpc-dev-1.3.3-r0.apk -166733b0a046d79914f413eea1b15479961d00bb2bebb93f1c8aa5dfe92a2311 v3.17/main/x86_64/libtirpc-nokrb-1.3.3-r0.apk -d43569a2293a79ae7b7ee7d36f14b3f9893301a971e8534d104fa51a160b9607 v3.17/main/x86_64/libunistring-1.1-r0.apk -3013bcbddf3ff9eb812791a2e87fc2a0b72910cfd415590d21faa96d3bbbf1bc v3.17/main/x86_64/libuuid-2.38.1-r1.apk -f401d78b65a5067ef396c93a56950a87fa1b1fe3e1770489021f5924db7b10b0 v3.17/main/x86_64/libverto-0.3.2-r1.apk -8cf71d3c953a5fc83493e01dbe03ce893fad44eba87a606c8cb8a161159a02c1 v3.17/main/x86_64/libverto-dev-0.3.2-r1.apk -f9585399e58c15da6324f92e7ad92a757c01edb560e9c362ab4587c6158cd8e4 v3.17/main/x86_64/libverto-glib-0.3.2-r1.apk -a1060409c38e4d67e6ce67001108a35c2ade5a50cdff9c62fc555ef9a08717b9 v3.17/main/x86_64/libverto-libev-0.3.2-r1.apk -fee7860a5a1cb324bfe5ee4b5a68e834d57862743f062183681443e3387951da v3.17/main/x86_64/libverto-libevent-0.3.2-r1.apk -0d5bc88d04d7da3ad800f4dcaee4b7876c9c6ff3d2537a7b3471e4f488b5a5f0 v3.17/main/x86_64/libxml2-2.10.3-r1.apk -2564f7bb9985495a12b30a283acd53ad1c5e742b405bba2a031581eaac94b8f9 v3.17/main/x86_64/lzip-1.23-r0.apk -2a46230e00ba2e1c59c4d3dfc4bd74135d034191dc9fdf6606b3021c00efb5d3 v3.17/main/x86_64/mdev-conf-4.3-r0.apk -2a77f358c803ae9e2ec35ccf4906019df9b92d96c13e207d92ccabd13aec80eb v3.17/main/x86_64/musl-1.2.3-r4.apk 
-2f380042d7e80f124291ffaeed21700af13fbf112866a4caa663226cc9ba3468 v3.17/main/x86_64/musl-utils-1.2.3-r4.apk -b6f3592eb4fa228a8221f2b405cedbfe8fcadef07a7903a57d8e460af753fe48 v3.17/main/x86_64/nettle-3.8.1-r0.apk -82874c31d2fc4aa5bb2c3e7240d419643c20c5740e1f2c91099b6f04aad200ad v3.17/main/x86_64/nghttp2-libs-1.51.0-r0.apk -eba236b90c510fe01e9ef0182e8dd671b30d4ceaade79f410da26dda22780afd v3.17/main/x86_64/openrc-0.45.2-r7.apk -64337f9c3fe1cd25d0863a00e6fd2329f8e0976f2d6fb0210391de9593602585 v3.17/main/x86_64/openssl-3.0.8-r3.apk -83dd5cc59510198067ba0e4db76208f669218469417b909f82c2f9fbb1e1f20a v3.17/main/x86_64/p11-kit-0.24.1-r1.apk -baa3e5a7f248f0e34bcaa07b2c5dfbe39641e52feb878518cd6a7f6c579590e9 v3.17/main/x86_64/patch-2.7.6-r9.apk -1e4149304c4acc0e93c72aadf8df0f4643aee35f0294bf2deae019cca1bf5085 v3.17/main/x86_64/pcre2-10.42-r0.apk -455c58e9b66da6d7fe4b86cd9bab830e3963008b58bd87fe0e6b7aa05907af4c v3.17/main/x86_64/pkgconf-1.9.4-r0.apk -b3ad8d88fdae82cb1bd350f84298059ac8287a2855136580b2828f75ef846c4b v3.17/main/x86_64/scanelf-1.3.5-r1.apk -ceff279c448e9987e70a97a77fe57d84ff1eefd428345c525f2e21a00d1a54b4 v3.17/main/x86_64/ssl_client-1.35.0-r29.apk -981ccb518411d2e9f04249f6fe40568ce41e320d23a9550647852417be58bec6 v3.17/main/x86_64/tar-1.34-r2.apk -1ab16d81c9e7b59c51692626ac58b55d779f40bca4313be3d591d56a873c9434 v3.17/main/x86_64/util-linux-dev-2.38.1-r1.apk -da8ff707e8430169696ea971175a9fbb76a3ad599e4399ead7998a4d0ddbf94f v3.17/main/x86_64/xz-libs-5.2.9-r0.apk -935589dfe902b26cdbe09f54eb399ce2f5d6b5e13eb994de36abb495e4843df5 v3.17/main/x86_64/yajl-2.1.0-r5.apk -dc35929a53b3abaecb69b18dca79af25e38b8ab906aec5a912ec120b2cb4b731 v3.17/main/x86_64/zlib-1.2.13-r0.apk diff --git a/apko/alpine-base-user-65532.yaml b/apko/alpine-base-user-65532.yaml deleted file mode 100644 index 4e4c12030..000000000 --- a/apko/alpine-base-user-65532.yaml +++ /dev/null 
@@ -1,26 +0,0 @@
-contents:
- keyring:
- - index-signing-key.rsa.pub
- repositories:
- - "@local repository-apk"
- packages:
- - alpine-base@local
-
-entrypoint:
- command: /bin/sh -l
-
-accounts:
- groups:
- - groupname: "65532"
- gid: 65532
- users:
- - username: "65532"
- gid: 65532
- uid: 65532
- run-as: "65532"
-
-environment:
- PATH: /usr/sbin:/sbin:/usr/bin:/bin
-
-archs:
- - amd64
diff --git a/apko/alpine-base.yaml b/apko/alpine-base.yaml
deleted file mode 100644
index a6a5af444..000000000
--- a/apko/alpine-base.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-contents:
- keyring:
- - index-signing-key.rsa.pub
- repositories:
- - "@local repository-apk"
- packages:
- - alpine-base@local
-
-entrypoint:
- command: /bin/sh -l
-
-environment:
- PATH: /usr/sbin:/sbin:/usr/bin:/bin
-
-archs:
- - amd64
diff --git a/apko/alpine-qemu-metadata-api.yaml b/apko/alpine-qemu-metadata-api.yaml
deleted file mode 100644
index 36dc08e75..000000000
--- a/apko/alpine-qemu-metadata-api.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-contents:
- keyring:
- - index-signing-key.rsa.pub
- repositories:
- - "@local repository-apk"
- packages:
- - alpine-base@local
- - libvirt-dev@local
-
-environment:
- PATH: /usr/sbin:/sbin:/usr/bin:/bin
-
-archs:
- - amd64
diff --git a/cli/internal/libvirt/Dockerfile b/cli/internal/libvirt/Dockerfile
deleted file mode 100644
index b7a3e4dd8..000000000
--- a/cli/internal/libvirt/Dockerfile
+++ /dev/null
@@ -1,29 +0,0 @@
-FROM fedora:37@sha256:ca620b6a713882989f2dfb31dd34705834c95bc23e493687828080f6e5ad1be6 AS release
-RUN dnf -y update && \
- dnf -y install dnf-plugins-core \
- libvirt-daemon-config-network \
- libvirt-daemon-kvm \
- qemu-kvm \
- swtpm \
- swtpm-tools \
- libvirt-client && \
- dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-c487bde4b4 -y && \
- dnf remove -y python-setuptools && \
- dnf clean all
-# TODO(malt3): remove advisory FEDORA-2023-c487bde4b4 upgrade for libtpms to libtpms-0.9.6-1.fc37.x86_64 once it is in stable
-
-# Prevent cgroup issues on Fedora and configure libvirt
-RUN echo "cgroup_controllers = []" >> /etc/libvirt/qemu.conf && \
- echo "listen_tls = 0" >> /etc/libvirt/libvirtd.conf && \
- echo "listen_tcp = 1" >> /etc/libvirt/libvirtd.conf && \
- echo "tcp_port = \"16599\"" >> /etc/libvirt/libvirtd.conf && \
- echo "listen_addr = \"localhost\"" >> /etc/libvirt/libvirtd.conf && \
- echo "auth_tcp = \"none\"" >> /etc/libvirt/libvirtd.conf
-
-# Copy nvram templates
-COPY ./cli/internal/libvirt/nvram/constellation_vars.testing.fd /usr/share/OVMF/constellation_vars.testing.fd
-COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
-
-COPY --chmod=755 ./cli/internal/libvirt/start.sh /start.sh
-
-ENTRYPOINT ["/start.sh"]
diff --git a/cli/internal/libvirt/README.md b/cli/internal/libvirt/README.md
index 51fcc49ec..8eaf8a541 100644
--- a/cli/internal/libvirt/README.md
+++ b/cli/internal/libvirt/README.md
@@ -16,7 +16,10 @@ virsh -c "qemu+tcp://localhost:16599/system"
 Build the image:
 ```shell
-DOCKER_BUILDKIT=1 docker build -t ghcr.io/edgelesssys/constellation/libvirt:latest -f cli/internal/libvirt/Dockerfile .
+bazel build //cli/internal/libvirt:constellation_libvirt
+bazel build //bazel/release:libvirt_sum
+bazel build //bazel/release:libvirt_tar
+bazel run //bazel/release:libvirt_push
 ```
 A container of the image is automatically started by the CLI.
diff --git a/hack/package-hasher/Containerfile.apk.downloader b/hack/package-hasher/Containerfile.apk.downloader
deleted file mode 100644
index 8a72fff3c..000000000
--- a/hack/package-hasher/Containerfile.apk.downloader
+++ /dev/null
@@ -1,73 +0,0 @@
-# syntax=docker/dockerfile:1.5-labs
-FROM alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as builder
-
-#
-# Install dependencies
-#
-
-ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
- https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
- /usr/bin/repro-get
-RUN chmod +x /usr/bin/repro-get
-
-ADD --checksum=sha256:45ae2e1f566cdc26dd9ddf0ca37a494d3fa7db29946094ae2f0d91e16def827d \
- https://github.com/oras-project/oras/releases/download/v0.16.0/oras_0.16.0_linux_amd64.tar.gz \
- /tmp/oras.tar.gz
-RUN tar -C /usr/bin -xzf /tmp/oras.tar.gz oras
-RUN chmod +x /usr/bin/oras
-
-COPY SHA256SUMS-apk-amd64 /SHA256SUMS-apk-amd64
-
-# TODO(katexochen): reenable when bug is fixed upstream,
-# see https://github.com/reproducible-containers/repro-get/issues/29
-
-# RUN repro-get \
-# --provider=oci://ghcr.io/katexochen/apk-repo-test \
-# --cache ./cache \
-# --distro alpine \
-# download /SHA256SUMS-apk-amd64
-
-# RUN repro-get \
-# --cache ./cache \
-# --distro alpine \
-# cache export repository-apk
-
-
-WORKDIR /workspace/repository-apk/x86_64
-
-# Pull our pinned packages from the registry
-RUN oras pull ghcr.io/edgelesssys/constellation/packages-apk:latest
-
-# Need to remove the repository prefix from the hashes file
-RUN sed -i -E 's%v[0-9].[0-9]+\/(main|community)\/x86_64/%%' /SHA256SUMS-apk-amd64
-
-# Validate package hashes
-RUN sha256sum -c /SHA256SUMS-apk-amd64
-
-# Create an apk index from the packages
-RUN apk index \
- --rewrite-arch x86_64 \
- -o APKINDEX.tar.gz \
- *.apk
-
-#
-# We need package abuild to sign out index.
-# This is not a security mesaure. It is just a requirement of apko.
-# We installe the pinned abuild package from our registry, create
-# a new keypair and sign the index.
-#
-
-RUN echo "/workspace/repository-apk" > /etc/apk/repositories
-RUN apk update --allow-untrusted && apk add --allow-untrusted abuild
-RUN abuild-keygen -a -n
-
-RUN mv /root/.abuild/*.rsa /root/.abuild/index-signing-key.rsa
-RUN mv /root/.abuild/*.rsa.pub /root/.abuild/index-signing-key.rsa.pub
-RUN echo 'PACKAGER_PRIVKEY="/root/.abuild/index-signing-key.rsa"' > /root/.abuild/abuild.conf
-
-RUN abuild-sign APKINDEX.tar.gz
-
-FROM scratch as output
-
-COPY --from=builder /workspace/repository-apk repository-apk
-COPY --from=builder /root/.abuild/*.rsa.pub index-signing-key.rsa.pub
diff --git a/hack/package-hasher/Containerfile.apk.hasher b/hack/package-hasher/Containerfile.apk.hasher
deleted file mode 100644
index 1e6055d42..000000000
--- a/hack/package-hasher/Containerfile.apk.hasher
+++ /dev/null
@@ -1,28 +0,0 @@
-# syntax=docker/dockerfile:1.5-labs
-FROM alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as builder
-
-ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
- https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
- /usr/bin/repro-get
-RUN chmod +x /usr/bin/repro-get
-
-RUN apk update && apk add \
- alpine-base \
- libvirt-dev \
- abuild
-
-WORKDIR /out
-
-# Dump the hashes of the installed packages
-RUN repro-get hash generate > SHA256SUMS
-
-# Export the apks
-RUN repro-get cache export repository-apk
-
-# Sort the hashes
-RUN sort -k2 -o SHA256SUMS SHA256SUMS
-
-FROM scratch as output
-
-COPY --from=builder /out/SHA256SUMS SHA256SUMS-apk-amd64
-COPY --from=builder /out/repository-apk repository-apk
diff --git a/hack/qemu-metadata-api/Dockerfile b/hack/qemu-metadata-api/Dockerfile
deleted file mode 100644
index 4803b84c5..000000000
--- a/hack/qemu-metadata-api/Dockerfile
+++ /dev/null
@@ -1,34 +0,0 @@
-FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
-
-RUN dnf -y update && \
- dnf -y install libvirt-devel @development-tools pkg-config wget git && \
- dnf clean all
-
-ARG GO_VER=1.20.3
-RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
- tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
- rm go${GO_VER}.linux-amd64.tar.gz
-ENV PATH ${PATH}:/usr/local/go/bin
-
-WORKDIR /qemu-metadata-api
-# Necessary to make `go mod download all` work while having a local replace rule in the root-go.mod.
-COPY operators/constellation-node-operator/api/go.mod ./operators/constellation-node-operator/api/go.mod
-COPY operators/constellation-node-operator/api/go.sum ./operators/constellation-node-operator/api/go.sum
-COPY go.mod ./
-COPY go.sum ./
-RUN go mod download all
-
-WORKDIR /qemu-metadata-api/hack
-COPY hack/go.mod ./go.mod
-COPY hack/go.sum ./go.sum
-RUN go mod download all
-
-COPY . /qemu-metadata-api
-WORKDIR /qemu-metadata-api/hack/qemu-metadata-api
-RUN go build -o api-server .
-
-FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as release
-RUN dnf -y install libvirt-devel && \
- dnf clean all
-COPY --from=build /qemu-metadata-api/hack/qemu-metadata-api/api-server /server
-ENTRYPOINT [ "/server" ]
diff --git a/hack/qemu-metadata-api/README.md b/hack/qemu-metadata-api/README.md
index 064eaa998..cbb8fe2e1 100644
--- a/hack/qemu-metadata-api/README.md
+++ b/hack/qemu-metadata-api/README.md
@@ -36,7 +36,10 @@ sudo firewall-cmd --zone libvirt --add-port 8080/tcp --permanent
 Build the image:
 ```shell
-DOCKER_BUILDKIT=1 docker build -t ghcr.io/edgelesssys/constellation/qemu-metadata-api:latest -f hack/qemu-metadata-api/Dockerfile .
+bazel build //hack/qemu-metadata-api:qemumetadata
+bazel build //bazel/release:qemumetadata_sum
+bazel build //bazel/release:qemumetadata_tar
+bazel run //bazel/release:qemumetadata_push
 ```
 A container of the image is automatically started by Terraform.
diff --git a/joinservice/Dockerfile b/joinservice/Dockerfile
deleted file mode 100644
index 723faa590..000000000
--- a/joinservice/Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
-
-RUN dnf -y update && \
- dnf install -y iproute iputils wget git && \
- dnf clean all
-
-# Install Go
-ARG GO_VER=1.20.3
-RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
- tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
- rm go${GO_VER}.linux-amd64.tar.gz
-ENV PATH ${PATH}:/usr/local/go/bin
-
-# Download go dependencies
-WORKDIR /constellation/
-COPY go.mod ./
-COPY go.sum ./
-RUN go mod download all
-
-# Copy Repo
-COPY . /constellation
-RUN rm -rf ./hack/
-
-WORKDIR /constellation/joinservice
-ARG PROJECT_VERSION=0.0.0
-RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o join-service -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
-
-# Use gcr.io/distroless/static here since we need CA certificates to be installed for aTLS operations on GCP.
-FROM gcr.io/distroless/static@sha256:8d4cc4a622ce09a75bd7b1eea695008bdbff9e91fea426c2d353ea127dcdc9e3 as release
-COPY --from=build /constellation/joinservice/join-service /joinservice
-ENTRYPOINT [ "/joinservice" ]
diff --git a/joinservice/README.md b/joinservice/README.md
index 2c50eca2c..18b715fcd 100644
--- a/joinservice/README.md
+++ b/joinservice/README.md
@@ -40,9 +40,13 @@ This is needed for fetching data encryption keys for joining nodes.
 Implements interaction with the Kubernetes API to create join tokens for new nodes.
-## [Dockerfile](./Dockerfile)
+## Docker image
+
+Build the image:
 ```shell
-export VERSION=0.0.0
-DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile .
+bazel build //joinservice/cmd:joinservice
+bazel build //bazel/release:joinservice_sum
+bazel build //bazel/release:joinservice_tar
+bazel run //bazel/release:joinservice_push
 ```
diff --git a/keyservice/Dockerfile b/keyservice/Dockerfile
deleted file mode 100644
index 3034e49f4..000000000
--- a/keyservice/Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
-
-RUN dnf -y update && \
- dnf install -y wget git
-
-# Install Go
-ARG GO_VER=1.20.3
-RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
- tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
- rm go${GO_VER}.linux-amd64.tar.gz
-ENV PATH ${PATH}:/usr/local/go/bin
-
-# Download go dependencies
-WORKDIR /constellation/
-COPY go.mod ./
-COPY go.sum ./
-RUN go mod download all
-
-# Copy Repo
-COPY . /constellation
-RUN rm -rf ./hack/
-
-# Build
-RUN mkdir -p /constellation/build
-WORKDIR /constellation/keyservice/cmd
-ARG PROJECT_VERSION=0.0.0
-RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/keyservice -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}"
-
-FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec as release
-COPY --from=build /constellation/build/keyservice /keyservice
-ENTRYPOINT ["/keyservice"]
diff --git a/operators/constellation-node-operator/Dockerfile b/operators/constellation-node-operator/Dockerfile
deleted file mode 100644
index cd6d5f5a2..000000000
--- a/operators/constellation-node-operator/Dockerfile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Build the manager binary
-FROM golang:1.20.3@sha256:89924bd0abc1001141e0415648d90914ebc9a9d60d4cbbc696ee53f1d1a9a136 as builder
-
-# Download project root dependencies
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-# Download operator dependencies
-WORKDIR /workspace/operators/constellation-node-operator
-COPY operators/constellation-node-operator/go.mod ./
-COPY operators/constellation-node-operator/go.sum ./
-RUN go mod download all
-
-WORKDIR /workspace
-COPY . .
-
-# Build
-WORKDIR /workspace/operators/constellation-node-operator
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
-
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec as release
-WORKDIR /
-COPY --from=builder /workspace/operators/constellation-node-operator/manager .
-USER 65532:65532
-
-ENTRYPOINT ["/manager"]
diff --git a/verify/Dockerfile b/verify/Dockerfile
deleted file mode 100644
index 5bbca5c6b..000000000
--- a/verify/Dockerfile
+++ /dev/null
@@ -1,30 +0,0 @@
-FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
-
-RUN dnf -y update && \
- dnf install -y iproute iputils wget git && \
- dnf clean all
-
-# Install Go
-ARG GO_VER=1.20.3
-RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
- tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
- rm go${GO_VER}.linux-amd64.tar.gz
-ENV PATH ${PATH}:/usr/local/go/bin
-
-# Download go dependencies
-WORKDIR /constellation/
-COPY go.mod ./
-COPY go.sum ./
-RUN go mod download all
-
-# Copy Repo
-COPY . /constellation
-RUN rm -rf ./hack/
-
-WORKDIR /constellation/verify
-ARG PROJECT_VERSION=0.0.0
-RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o verify-service -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
-
-FROM scratch AS release
-COPY --from=build /constellation/verify/verify-service /verify
-ENTRYPOINT [ "/verify" ]