bazel: remove apko and Dockerfile where Bazel is used to build container images

Malte Poll 2023-04-04 15:24:43 +02:00 committed by Malte Poll
parent 19ff132ee8
commit 5145f806ea
33 changed files with 15 additions and 1517 deletions


@ -1,111 +0,0 @@
name: Build container base images using apko
description: Build one or multiple apko base images based on supplied .yaml files
inputs:
apkoConfig:
description: "Path to the apko .yaml config file. If left empty, all images will be built."
required: false
apkoArch:
description: "Use this image architecture"
required: false
default: amd64
containerTags:
description: "Tags for the resulting container image, space separated"
required: true
registry:
description: "Container registry to use"
default: "ghcr.io"
required: true
githubToken:
description: "GitHub authorization token"
required: true
cosignPublicKey:
description: "Cosign public key"
required: false
default: ""
cosignPrivateKey:
description: "Cosign private key"
required: false
default: ""
cosignPassword:
description: "Password for Cosign private key"
required: false
default: ""
# Linux runner only (docker required)
runs:
using: composite
steps:
- name: Install deps
shell: bash
run: |
echo "::group::Install dependencies"
sudo apt-get update
sudo apt-get install -y zip
echo "::endgroup::"
- name: Log in to the Container registry
id: docker-login
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
with:
registry: ${{ inputs.registry }}
username: ${{ github.actor }}
password: ${{ inputs.githubToken }}
- name: Install Cosign
if: |
inputs.cosignPublicKey != '' &&
inputs.cosignPrivateKey != '' &&
inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
- name: Download apk repository
shell: bash
env:
DOCKER_BUILDKIT: "1"
run: |
docker build -o ./apko -f hack/package-hasher/Containerfile.apk.downloader ./apko
- name: Build apko images and sign them
shell: bash
working-directory: apko
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
APKO_CONFIG: ${{ inputs.apkoConfig }}
APKO_ARCH: ${{ inputs.apkoArch }}
CONTAINER_TAGS: ${{ inputs.containerTags }}
REGISTRY: ${{ inputs.registry }}
run: ../.github/actions/build_apko/build_and_sign.sh
- name: Sign sboms
if: |
inputs.cosignPublicKey != '' &&
inputs.cosignPrivateKey != '' &&
inputs.cosignPassword != ''
shell: bash
working-directory: apko
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
for dir in sboms/*; do
for file in $dir/*; do
cosign sign-blob \
--key env://COSIGN_PRIVATE_KEY \
$file \
-y \
> $file.sig
done
done
zip -r sboms.zip sboms
- name: Upload SBOMs
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: sboms
path: apko/sboms.zip


@ -1,68 +0,0 @@
#!/usr/bin/env bash
set -exuo pipefail
shopt -s inherit_errexit
# buildImage <apko_config_path>
buildImage() {
local imageConfig=$1
echo "Building image for ${imageConfig}"
local imageName
imageName=$(basename "${imageConfig}" | cut -d. -f1)
local registryPath
registryPath="${REGISTRY}/edgelesssys/apko-${imageName}"
local outTar
outTar="${imageName}.tar"
mkdir -p "sboms/${imageName}"
# build the image
docker run \
-v "${PWD}":/work \
cgr.dev/chainguard/apko@sha256:8952f4f3ce58052b7df5e46f230f7192b42b220d3e46c8b06178cc25fd700846 \
build \
"${imageConfig}" \
--build-arch "${APKO_ARCH}" \
--sbom \
"${registryPath}" \
"${outTar}"
docker load < "${outTar}"
for tag in ${CONTAINER_TAGS}; do
tagSanitized=${tag//\//-}
docker image tag "${registryPath}" "${registryPath}:${tagSanitized}"
docker push "${registryPath}:${tagSanitized}"
imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
# write full image as Markdown code block to step summary
cat << EOF >> "${GITHUB_STEP_SUMMARY}"
\`\`\`
${imageDigest%%@*}:${tagSanitized}@${imageDigest##*@}
\`\`\`
EOF
done
# cosign the container and push to registry
cosign sign \
--key env://COSIGN_PRIVATE_KEY \
"${imageDigest}" \
-y
# move sboms to folder
mv sbom-*.* "sboms/${imageName}/"
}
if [[ -n ${APKO_CONFIG} ]]; then
buildImage "${APKO_CONFIG}"
exit 0
fi
echo "Building all images in image"
for imageConfig in ./*.yaml; do
buildImage "${imageConfig}"
done


@ -1,115 +0,0 @@
name: Build micro service using Ko
description: Build and upload a go micro service using ko
inputs:
name:
description: "Name of the micro-service"
required: true
registry:
description: "Name of the registry to use"
required: false
default: "ghcr.io"
koConfig:
description: "Path to the .ko.yaml config file"
required: false
default: ".ko.yaml"
koTarget:
description: "Go package to build with ko"
required: true
pushTag:
description: "Use this image tag"
required: true
githubToken:
description: "GitHub authorization token"
required: true
generateKoSBOM:
description: "Generate unsigned ko SBOM"
required: false
default: "false"
outputs:
container_full:
description: "Full container reference"
value: ${{ steps.build.container_full }}
container_image:
description: "Container image"
value: ${{ steps.build.outputs.container_image }}
container_tag:
description: "Container tag"
value: ${{ steps.build.container_tag }}
# Linux runner only
runs:
using: "composite"
steps:
- name: Determine pseudo version
if: ${{ !inputs.pushTag}}
id: pseudo-version
uses: ./.github/actions/pseudo_version
- name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: "1.20.3"
cache: true
- name: Set up ko
uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
with:
ko-version: "v0.12.0"
- name: Build and upload ko container image
id: build
shell: bash
env:
KO_USER: ${{ github.actor }}
KO_CONFIG_PATH: ${{ inputs.koConfig }}
KO_PASSWORD: ${{ inputs.githubToken }}
KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/constellation/${{ inputs.name }}
run: |
tags=""
sbom=""
if [[ "$(git branch --show-current)" == "${{ github.event.repository.default_branch }}" ]]; then
tags="latest"
else
tags="${{ github.sha }}"
fi
if [[ -n "${{ inputs.pushTag }}" ]]; then
if [[ -n "${tags}" ]]; then
tags="${tags},${{ inputs.pushTag }}"
else
tags="${{ inputs.pushTag }}"
fi
fi
if [[ -n "${{ steps.pseudo-version.outputs.version }}" ]]; then
if [[ -n "${tags}" ]]; then
tags="${tags},${{ steps.pseudo-version.outputs.version }}"
else
tags="${{ steps.pseudo-version.outputs.version }}"
fi
fi
if [[ "${{ inputs.generateKoSBOM }}" == "false" ]]; then
sbom="--sbom=none"
fi
echo "Building container image with tags: ${tags}"
container_full=$(ko build ${{ inputs.koTarget }} --bare --tags "${tags}" ${sbom})
container_image=$(echo $container_full | cut -d@ -f1)
container_sha256=$(echo $container_full | cut -d: -f2)
cat <<EOF > container_data_ko.json
{
"container_full": "${container_full}",
"container_image": "${container_image}",
"container_sha256": "${container_sha256}"
}
EOF
- name: Upload Container Data # since github censors hashes that may share data with secrets, we need to upload the data as an artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: container_data_ko
path: container_data_ko.json


@ -1,68 +0,0 @@
name: Build micro service (KO)
description: Build and upload a container image for a Constellation micro-service
inputs:
name:
description: "Name of the micro-service"
required: true
koConfig:
description: "Path to the .ko.yaml config file"
default: ".ko.yaml"
required: false
koTarget:
description: "Go package to build with ko"
required: true
pushTag:
description: "Use this image tag"
required: false
githubToken:
description: "GitHub authorization token"
required: true
generateKoSBOM:
description: "Generate unsigned ko SBOM"
required: false
default: "false"
cosignPublicKey:
description: "Cosign public key"
required: true
cosignPrivateKey:
description: "Cosign private key"
required: true
cosignPassword:
description: "Password for Cosign private key"
required: false
# Linux runner only
runs:
using: "composite"
steps:
- name: Build and upload container image
id: build-and-upload
uses: ./.github/actions/build_ko
with:
name: ${{ inputs.name }}
koConfig: ${{ inputs.koConfig }}
koTarget: ${{ inputs.koTarget }}
pushTag: ${{ inputs.pushTag }}
githubToken: ${{ inputs.GITHUB_TOKEN }}
- name: Download ko Container Data
id: download_container_data
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: container_data_ko
path: CONTAINER_DATA_KO
- name: Set container url to Github Env
shell: bash
run: |
container_full=$(jq -r .container_full < container_data_ko.json)
echo CONTAINER_FULL=$container_full >> $GITHUB_ENV
- name: Generate SBOM
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false'
uses: ./.github/actions/container_sbom
with:
containerReference: ${{ env.CONTAINER_FULL }}
cosignPublicKey: ${{ inputs.cosignPublicKey }}
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
cosignPassword: ${{ inputs.cosignPassword }}


@ -1,137 +0,0 @@
name: Build operator
description: Build and upload a container image for a Constellation operator
inputs:
name:
description: "Name of the operator"
required: true
sourceDir:
description: "Path to the operators source directory"
required: true
pushTag:
description: "Use this image tag"
required: false
githubToken:
description: "GitHub authorization token"
required: true
cosignPublicKey:
description: "Cosign public key"
required: false
cosignPrivateKey:
description: "Cosign private key"
required: false
cosignPassword:
description: "Password for Cosign private key"
required: false
# Linux runner only (Docker required)
runs:
using: "composite"
steps:
- name: Determine pseudo version
id: pseudo-version
uses: ./.github/actions/pseudo_version
- name: Install operator-sdk
uses: ./.github/actions/install_operator_sdk
with:
version: v1.22.2
- name: Log in to the Container registry
id: docker-login
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ inputs.githubToken }}
- name: Docker metadata
id: meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
with:
images: |
ghcr.io/${{ github.repository }}/${{ inputs.name }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }}
type=raw,value=${{ steps.pseudo-version.outputs.version }},enable=${{ '' != steps.pseudo-version.outputs.version }}
type=ref,event=branch
- name: Build and push container image
id: build-image
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with:
context: .
file: ${{ inputs.sourceDir }}/Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
- name: Generate SBOM
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: ./.github/actions/container_sbom
with:
containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-image.outputs.digest }}
cosignPublicKey: ${{ inputs.cosignPublicKey }}
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
cosignPassword: ${{ inputs.cosignPassword }}
- name: Bundle for pseudo version
if: steps.pseudo-version.outputs.version != '' && inputs.pushTag == ''
shell: bash
working-directory: ${{ inputs.sourceDir }}
env:
VERSION: ${{ steps.pseudo-version.outputs.version }}
run: make bundle VERSION=${VERSION#v}
- name: Bundle for semantic version
if: inputs.pushTag != ''
shell: bash
working-directory: ${{ inputs.sourceDir }}
env:
VERSION: ${{ inputs.pushTag }}
run: make bundle VERSION=${VERSION#v}
- name: Docker metadata for bundle
id: bundle-meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
with:
images: |
ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ inputs.pushTag }},enable=${{ '' != inputs.pushTag }}
type=raw,value=${{ steps.pseudo-version.outputs.version }},enable=${{ '' != steps.pseudo-version.outputs.version }}
type=ref,event=branch
- name: Build and push bundle image
id: build-image-bundle
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with:
context: ${{ inputs.sourceDir }}
file: ${{ inputs.sourceDir }}/bundle.Dockerfile
push: true
tags: ${{ steps.bundle-meta.outputs.tags }}
- name: Generate Bundle SBOM
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: ./.github/actions/container_sbom
with:
containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle@${{ steps.build-image-bundle.outputs.digest }}
cosignPublicKey: ${{ inputs.cosignPublicKey }}
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
cosignPassword: ${{ inputs.cosignPassword }}
- name: Build and push catalog for pseudo versions
if: steps.pseudo-version.outputs.version != '' && inputs.pushTag == ''
shell: bash
working-directory: ${{ inputs.sourceDir }}
env:
VERSION: ${{ steps.pseudo-version.outputs.version }}
run: make VERSION=${VERSION#v} catalog-build catalog-push
- name: Build and push catalog for releases
if: inputs.pushTag != ''
shell: bash
working-directory: ${{ inputs.sourceDir }}
env:
VERSION: ${{ inputs.pushTag }}
run: make VERSION=${VERSION#v} catalog-build catalog-push


@ -1,17 +0,0 @@
name: Setup crane
description: "Install crane (go-containerregistry)."
runs:
using: composite
steps:
- name: Install
shell: bash
env:
VERSION: "0.12.1"
OS: ${{ runner.os == 'Linux' && 'Linux' || 'Darwin' }}
ARCH: ${{ runner.arch == 'X64' && 'x86_64' || runner.arch == 'ARM64' && 'arm64' }}
run: |
echo "::group::Install crane"
curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
tar -xzf go-containerregistry.tar.gz
sudo mv krane gcrane crane /usr/local/bin/
echo "::endgroup::"


@ -1,39 +0,0 @@
name: Build and upload all apko container base images
on:
workflow_dispatch:
push:
branches:
- main
paths:
- "apko/**"
- ".github/workflows/build-apko-image.yml"
jobs:
build-apko-image:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ github.head_ref }}
- name: Get pseudo version
id: pseudo-version
uses: ./.github/actions/pseudo_version
- name: Build and upload apko image
uses: ./.github/actions/build_apko
with:
containerTags: |
${{ steps.pseudo-version.outputs.version }}
${{ github.ref_name == 'main' && 'latest' || github.ref_name }}
registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}


@ -1,41 +0,0 @@
name: Build and upload constellation node operator image
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
paths:
- "operators/constellation-node-operator/**"
- "internal/**"
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
- ".github/workflows/build-constellation-node-operator.yml"
jobs:
build-constellation-node-operator:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: "1.20.3"
- name: Build and upload constellation-node-operator container image
uses: ./.github/actions/build_micro_service_ko
with:
name: node-operator
koTarget: ./operators/constellation-node-operator
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}


@ -1,44 +0,0 @@
name: Build and upload join service image
env:
REGISTRY: ghcr.io
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
paths:
- "joinservice/**"
- "internal/**"
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
- ".github/workflows/build-joinservice-image.yml"
jobs:
build-join-service:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: "1.20.3"
- name: Build and upload join service container image
id: build-and-upload
uses: ./.github/actions/build_micro_service_ko
with:
name: join-service
koTarget: ./joinservice/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}


@ -1,45 +0,0 @@
name: Build and upload KeyService image
env:
REGISTRY: ghcr.io
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
paths:
- "keyservice/**"
- "internal/**"
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
- ".github/workflows/build-keyservice-image.yml"
jobs:
build-keyservice:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: "1.20.3"
- name: Build and upload KeyService container image
id: build-and-upload
uses: ./.github/actions/build_micro_service_ko
with:
name: key-service
koConfig: .ko.yaml
koTarget: ./keyservice/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}


@ -1,35 +0,0 @@
name: Build and upload libvirt image
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
paths:
- "cli/internal/libvirt/**"
- ".github/workflows/build-libvirt-image.yml"
jobs:
build-qemu-metadata-api:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Build and upload libvirt container image
id: build-and-upload
uses: ./.github/actions/build_micro_service
with:
name: "libvirt"
dockerfile: "cli/internal/libvirt/Dockerfile"
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}


@ -1,60 +0,0 @@
name: Build operator manually
on:
workflow_dispatch:
inputs:
imageTag:
description: "Container image tag."
required: false
ref:
type: string
description: "Git ref to checkout"
required: false
release:
type: boolean
description: "Is this a release build?"
required: false
default: false
workflow_call:
inputs:
imageTag:
type: string
description: "Container image tag"
required: true
ref:
type: string
description: "Git ref to checkout"
required: false
release:
type: boolean
description: "Is this a release build?"
required: true
jobs:
build-operator-manual:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: "1.20.3"
- name: Build and upload constellation-node-operator container image
uses: ./.github/actions/build_operator
with:
name: node-operator
sourceDir: operators/constellation-node-operator
githubToken: ${{ secrets.GITHUB_TOKEN }}
pushTag: ${{ inputs.imageTag }}
cosignPublicKey: ${{ inputs.release && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ inputs.release && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ inputs.release && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}


@ -1,43 +0,0 @@
name: Build and upload qemu-metadata-api image
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
paths:
- "hack/qemu-metadata-api/**"
- "internal/**"
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
- ".github/workflows/build-qemu-metadata-image.yml"
jobs:
build-qemu-metadata-api:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: "1.20.3"
- name: Build and upload qemu-metadata server container image
id: build-and-upload
uses: ./.github/actions/build_micro_service
with:
name: qemu-metadata-api
projectVersion: "0.0.0"
dockerfile: hack/qemu-metadata-api/Dockerfile
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}


@ -1,42 +0,0 @@
name: Build and upload verification-service image
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
paths:
- "verify/**"
- "internal/**"
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
- ".github/workflows/build-verification-service.yml"
jobs:
build-verification-service:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup Go environment
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: "1.20.3"
- name: Build and upload verification-service container image
id: build-and-upload
uses: ./.github/actions/build_micro_service_ko
with:
name: verification-service
koTarget: ./verify/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}


@ -1,72 +0,0 @@
name: Package hasher
on:
workflow_dispatch:
push:
branches:
- main
paths:
- ".github/workflows/package-hasher.yml"
- "hack/package-hasher/Containerfile.hasher.apk"
schedule:
- cron: "0 22 */3 * *" # every 3 days at 22:00 UTC
jobs:
hash:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Only run on main branch
if: github.ref != 'refs/heads/main'
run: |
echo "::error::This workflow only runs on the main branch"
exit 1
- name: Checkout Constellation
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Install oras
env:
ORAS_VERSION: "0.16.0"
run: |
curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" -C oras-install/
mv oras-install/oras /usr/local/bin/
rm -rf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" oras-install/
- name: Run apk hasher
env:
DOCKER_BUILDKIT: 1
run: docker build -o apko -f hack/package-hasher/Containerfile.apk.hasher .
- name: Upload apk packages to container registry content addressed storage
working-directory: apko/repository-apk
run: |
oras push \
-u ${{ github.actor }} \
-p ${{ secrets.GITHUB_TOKEN }} \
ghcr.io/edgelesssys/constellation/packages-apk:latest ./*.apk
- name: Remove apk packages
working-directory: apko
run: rm -rf repository-apk
- name: Create new PR
uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
with:
branch: ci/hasher/apk
title: "deps: update apk package hashes"
commit-message: "deps: update apk package hashes"
body: |
:robot: *This is an automated PR.* :robot:
This PR updates (the hashes of) apk packages. It is generated by the package-hasher workflow.
committer: edgelessci <edgelessci@users.noreply.github.com>
labels: dependencies
# We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}


@ -1,80 +0,0 @@
defaultBaseImage: ghcr.io/edgelesssys/apko-alpine-base:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:b57063d5894acfe0193d5733b9c5fcee609e76f9dcb580a015e5b8274066fce1
baseImageOverrides:
github.com/edgelesssys/constellation/operators/constellation-node-operator/v2: ghcr.io/edgelesssys/apko-alpine-base-user-65532:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:6a4572b4d42e320e63e01851c8d9b5832a588a10440c2990a2527e128983ae2e
github.com/edgelesssys/constellation/v2/hack/qemu-metadata-api: ghcr.io/edgelesssys/apko-alpine-qemu-metadata-api:v2.7.0-pre.0.20230330140329-cf3fb3a725e1@sha256:dd9f999ebe8828d6794c0b34fdf053f056afde82af73bfeee890ac4b834c9adf
builds:
- id: keyservice
dir: .
main: ./keyservice/cmd
env:
- CGO_ENABLED=0
- GOOS=linux
- GOARCH=amd64
flags:
- -trimpath
- -buildvcs=false
- -a
ldflags:
- -s -w -buildid=''
- -extldflags "-static"
- id: joinservice
dir: .
main: ./joinservice/cmd
env:
- CGO_ENABLED=0
- GOOS=linux
- GOARCH=amd64
flags:
- -trimpath
- -buildvcs=false
- -a
ldflags:
- -s -w -buildid=''
- -extldflags "-static"
- id: constellation-node-operator
dir: .
main: ./operators/constellation-node-operator/
env:
- CGO_ENABLED=0
- GOOS=linux
- GOARCH=amd64
flags:
- -trimpath
- -buildvcs=false
- -a
ldflags:
- -s -w -buildid=''
- -extldflags "-static"
- id: verification-service
dir: .
main: ./verify/cmd
env:
- CGO_ENABLED=0
- GOOS=linux
- GOARCH=amd64
flags:
- -trimpath
- -buildvcs=false
- -a
ldflags:
- -s -w -buildid=''
- -extldflags "-static"
- id: qemu-metadata-api
dir: .
main: ./hack/qemu-metadata-api/
env:
- CGO_ENABLED=0
- GOOS=linux
- GOARCH=amd64
flags:
- -trimpath
- -buildvcs=false
- -a
ldflags:
- -s -w -buildid=''


@ -1,6 +1,5 @@
/.github @katexochen /.github @katexochen
/3rdparty/gcp-guest-agent @malt3 /3rdparty/gcp-guest-agent @malt3
/apko @katexochen
/bazel @malt3 /bazel @malt3
/bazel/ci @katexochen /bazel/ci @katexochen
/bazel/sh @katexochen /bazel/sh @katexochen


@ -1,60 +0,0 @@
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
RUN dnf -y update && \
dnf -y install @development-tools pkg-config iproute iputils wget git jq openssl-devel cryptsetup-libs cryptsetup-devel && \
dnf clean all
# Install Go
ARG GO_VER=1.20.3
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
rm go${GO_VER}.linux-amd64.tar.gz
ENV PATH ${PATH}:/usr/local/go/bin
# Download go dependencies
WORKDIR /constellation/
# Necessary to make `go mod download all` work while having a local replace rule in the root-go.mod.
COPY operators/constellation-node-operator/api/go.mod ./operators/constellation-node-operator/api/go.mod
COPY operators/constellation-node-operator/api/go.sum ./operators/constellation-node-operator/api/go.sum
COPY go.mod ./
COPY go.sum ./
RUN go mod download all
# Copy Repo
COPY . /constellation
RUN rm -rf ./hack/
FROM build AS build-bootstrapper
WORKDIR /constellation/bootstrapper/
ARG PROJECT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build go build -o bootstrapper -tags=disable_tpm_simulator -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/bootstrapper/
FROM build AS build-disk-mapper
WORKDIR /constellation/disk-mapper/
ARG PROJECT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build go build -o disk-mapper -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
FROM build AS build-upgrade-agent
WORKDIR /constellation/upgrade-agent/
ARG PROJECT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build go build -o upgrade-agent -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
FROM build AS build-measurement-reader
WORKDIR /constellation/measurement-reader/
RUN --mount=type=cache,target=/root/.cache/go-build go build -o measurement-reader -ldflags "-s -w -buildid=''" ./cmd/
FROM scratch AS bootstrapper
COPY --from=build-bootstrapper /constellation/bootstrapper/bootstrapper /
FROM scratch AS disk-mapper
COPY --from=build-disk-mapper /constellation/disk-mapper/disk-mapper /
FROM scratch AS upgrade-agent
COPY --from=build-upgrade-agent /constellation/upgrade-agent/upgrade-agent /
FROM scratch AS measurement-reader
COPY --from=build-measurement-reader /constellation/measurement-reader/measurement-reader /


@ -1,89 +0,0 @@
1a42c50ef0a1998b92bded41df051201dbc9cfc20fedbbb4b8b15e8fe1e11d99 v3.17/community/x86_64/libvirt-dev-8.9.0-r4.apk
95f83a74e872b62360f6c6623a773e07a864e3313a127f57910caba368fed04b v3.17/community/x86_64/libvirt-libs-8.9.0-r4.apk
c0e98093cbf8c824ff490cad1a4ea0037c1ff6b0bcb7c7069acb03e4aaf021d3 v3.17/main/x86_64/abuild-3.10.0-r0.apk
8c1086f697257360b6cc28816c2544b6fbc428d2419f4d78eb3d0598897a3d47 v3.17/main/x86_64/alpine-base-3.17.3-r0.apk
3f922d7d8dafdae6710d9d8bdc96eb72ed4d0a8192b39eda797034e00f38263e v3.17/main/x86_64/alpine-baselayout-3.4.0-r0.apk
ff98cab12123a0729fb1f2815bfa9e1611e5567f06d85b340b85f55d89ffa9c6 v3.17/main/x86_64/alpine-baselayout-data-3.4.0-r0.apk
6c17cdfebebe34bd50e871b1d68b1b8d85d64a068c54288b0953221713b51a6c v3.17/main/x86_64/alpine-conf-3.15.1-r1.apk
d1a3188b2e98957852418edbe5b32d816c428e34cd23f1003c99d4e52338ae1f v3.17/main/x86_64/alpine-keys-2.4-r1.apk
d4ff9adf2dbceac313b6d464588be5dd17d1c1d5bd8b644bffc546da76635c1c v3.17/main/x86_64/alpine-release-3.17.3-r0.apk
ac29bb040470e672d186c62bd9db5b7f0d29336b5992f024098a951754f43a22 v3.17/main/x86_64/apk-tools-2.12.10-r1.apk
9a60fb5126f84fabb1097bcb6d01bc0d298df8c362a69cd83178ae20d971cc38 v3.17/main/x86_64/attr-2.5.1-r2.apk
90b29b27ce45dda7810f2a4a1b7aae08ca7714451872139ca531326ce86de27f v3.17/main/x86_64/brotli-libs-1.0.9-r9.apk
27479b796bc8380af06dca70451ecd08c2ac87e0020b4352398535a7c8cf746e v3.17/main/x86_64/bsd-compat-headers-0.7.2-r3.apk
697fa2e3c66699f33e011a61ec1857938c00709e2626822b0f42548bec942e28 v3.17/main/x86_64/busybox-1.35.0-r29.apk
8452b877c019221740dc13040c8bf314a05b43d23d73ee1833775bcd77c03dae v3.17/main/x86_64/busybox-binsh-1.35.0-r29.apk
b413e1c8b38b53fb83ecc7b75a227aa7b520a9dac80f0d7c1fc912bc56416c2a v3.17/main/x86_64/busybox-mdev-openrc-1.35.0-r29.apk
f8239d8d4e8961e76e2e95caf9b6d2d89816b6f2562f7551aa8eb26c2268c6d6 v3.17/main/x86_64/busybox-openrc-1.35.0-r29.apk
ed5b7c94e805c94306ec6411ddc1b2b67b94336b5b9a218967f4e55daad7313b v3.17/main/x86_64/busybox-suid-1.35.0-r29.apk
7b89c64c33bc978e73d7b35c9b7cd3ecffd9c599f7763035c212b3697adf89b6 v3.17/main/x86_64/ca-certificates-20220614-r4.apk
afcc0a285b823f73526c1995cf9ce71f91fc99ce0969a3494926df94e2589e68 v3.17/main/x86_64/ca-certificates-bundle-20220614-r4.apk
966af3c474ca42d4a367b7d62ec9e80576e30a60198f9646a933b816769f6c7c v3.17/main/x86_64/curl-7.88.1-r1.apk
4d58ca90d21845a999d734be46db453c68d0f3db2263bc0d143e379db2f25ab9 v3.17/main/x86_64/e2fsprogs-dev-1.46.6-r0.apk
c3687cf0c19f8d1fbad0d2a9e49e0f1cea7f10b67f961f17b0f0173b56161d2f v3.17/main/x86_64/e2fsprogs-libs-1.46.6-r0.apk
3136d31832e74ac3fb53ec7f81dfdee5698a58ea72086533c4d1a82ceea5b72c v3.17/main/x86_64/fakeroot-1.29-r0.apk
6c629bb064a357de1792f454bf7cca43d6d07ac88f1168addc49beaa7793c1b8 v3.17/main/x86_64/gawk-5.1.1-r1.apk
f13865c26ebde846324dccea96d85f00a4a4d17338ff222e5cd80b8672e02247 v3.17/main/x86_64/gdbm-1.23-r0.apk
e7b759cc5972fdb09aa3b8ac9983e1da003d3607a58e06a1bf9927eadc13c36f v3.17/main/x86_64/glib-2.74.6-r0.apk
b51a7d5da574c6ecd2fc8bb711ea8d47e29875f0eb66ce6dc47f5fe53deeda47 v3.17/main/x86_64/gmp-6.2.1-r2.apk
38d2e91f7a59de07375655b8f1cd12a3ffa4d1f6c7afc8bd726ee0496aa62fe9 v3.17/main/x86_64/gnutls-3.7.8-r3.apk
736d8808f17603015b7766e0f88c703451cba97d987dfd1c92ceed7b55ecf24d v3.17/main/x86_64/ifupdown-ng-0.12.1-r1.apk
862e8d30f9be1a41632c7c575fbc8f81199a5fda650bc47384422bc017e09c4d v3.17/main/x86_64/keyutils-libs-1.6.3-r1.apk
948af973885559d30e7af8d435a5270f873160104ae6eb8578f0af1d74645b1f v3.17/main/x86_64/krb5-conf-1.0-r2.apk
a84e314c5e4f63c391c1074f74063597b20e4a4eddae47064bd46a22b1ef8d87 v3.17/main/x86_64/krb5-dev-1.20.1-r0.apk
a51399a9415101a98ffee5921fdf3fc24308c37e30cb4afe3c89ef9cf1da9bc7 v3.17/main/x86_64/krb5-libs-1.20.1-r0.apk
68bd8ac9a65ac74957925229667362739455421b7e048f12b0c838814c8a3d23 v3.17/main/x86_64/krb5-server-ldap-1.20.1-r0.apk
17af2d1ba520e8bf31c39f4756786ebe84faf89be852bc874f4adf56296ed896 v3.17/main/x86_64/libacl-2.3.1-r1.apk
5c0be2a5a9bc708afe8dc94c9da40c66f4c22505d236ef163aa292a4cde159a6 v3.17/main/x86_64/libattr-2.5.1-r2.apk
b1b3ac001c198712c2798ec70b8bb6245b06cdee342a4622f371f7df043ab82c v3.17/main/x86_64/libblkid-2.38.1-r1.apk
6c799e4779fb3cb018265293f1ba6047282cddd4a17312960ad695f8830f3a5b v3.17/main/x86_64/libc-utils-0.7.2-r3.apk
adfebf5fc4004f1460f5971913fcca3ea3d6fa56412d32ffc48f191e336a1cc5 v3.17/main/x86_64/libcap-ng-0.8.3-r1.apk
77342435302175fe0e9946d2b226d9d1a12e714849ddd7d4f421c93e63ca04f8 v3.17/main/x86_64/libcap2-2.66-r0.apk
51df3c3934695e14b222a293a720e087214f1d3980ccc40bb2e2c706b62de43f v3.17/main/x86_64/libcom_err-1.46.6-r0.apk
68a074d18ded51e1953bf3c97ea66877f9e6703fe357a315daac63b91c5ce8d9 v3.17/main/x86_64/libcrypto3-3.0.8-r3.apk
9f862823176dffebe2162a0d36178bed42356ee98ad14e206d8b6e93b3d06b53 v3.17/main/x86_64/libcurl-7.88.1-r1.apk
6ca645108699bcbf917dfdf4fdfe4eb48e1f407ea048098709d20e865109ecfc v3.17/main/x86_64/libev-4.33-r0.apk
5a0730375e1f6d2f70d4385f9b63b0957024bd6e2a80dc784d066cf714362b07 v3.17/main/x86_64/libevent-2.1.12-r5.apk
0c083d8c3d2511e8387e487c83aaa429de5a76fbf0219404c3afde63b715d2a4 v3.17/main/x86_64/libfdisk-2.38.1-r1.apk
42f2618b35e9404d64f752c22f9cd2cb7a7d72328ceff4292b0a2a6be355fdc6 v3.17/main/x86_64/libffi-3.4.4-r0.apk
2c0282ec5c2d78fe94b1e0ab676d6fe675e6656796b8a92e29ce4b17234add6a v3.17/main/x86_64/libgcc-12.2.1_git20220924-r4.apk
bdc90400c34b17772e2713154c3e4c34a8db37edace1e6dc8f07329eb09f4ac9 v3.17/main/x86_64/libintl-0.21.1-r1.apk
353f5caae4a1bcc06a0b44e540e5cec4740216482ec727121fd309ccfa150bf6 v3.17/main/x86_64/libldap-2.6.3-r6.apk
7aa402e7e4c4de9059048935f2893ebe606c6ec057b59daf6fc198fbe1ffdc2a v3.17/main/x86_64/libmount-2.38.1-r1.apk
ede0b4fa32c44ed13ef23616856f173d6f9fd7de1787426e8009cbd04f03802d v3.17/main/x86_64/libnl3-3.7.0-r0.apk
8731b00c9c091eb6a5e54c0c2582a5dfdc153f189efc9504e7130fc016489941 v3.17/main/x86_64/libsasl-2.1.28-r3.apk
c727fa15838b10908282453e3869081d3e93298dc6b55d45a4c3a48a89a676eb v3.17/main/x86_64/libsmartcols-2.38.1-r1.apk
2698e84ad84aa587bcd1745175f1744a10ea74685b30209845db89ecf2365b85 v3.17/main/x86_64/libssl3-3.0.8-r3.apk
495a88687dbc7a63e44c6555f1b6aca6ba80f772d359623f4da5edc362afae08 v3.17/main/x86_64/libstdc++-12.2.1_git20220924-r4.apk
ecca312cb85b634352aef41f1561f3f3f262e85b57a620859df2d0cbe6972ded v3.17/main/x86_64/libtasn1-4.19.0-r0.apk
35a9efc76af2d2ef85c1768e6e9e87078d19e1f452e7173b0fa7e6e0d5fd63e8 v3.17/main/x86_64/libtirpc-1.3.3-r0.apk
c1867e1f8bcdf1cee53b2e648a3f54f7f396c02b6e3131a445cc266962c5d5e0 v3.17/main/x86_64/libtirpc-conf-1.3.3-r0.apk
ba713024840265e1784a6bd3108b09fd3084925e32e5ed46e4f113d5981f5e4d v3.17/main/x86_64/libtirpc-dev-1.3.3-r0.apk
166733b0a046d79914f413eea1b15479961d00bb2bebb93f1c8aa5dfe92a2311 v3.17/main/x86_64/libtirpc-nokrb-1.3.3-r0.apk
d43569a2293a79ae7b7ee7d36f14b3f9893301a971e8534d104fa51a160b9607 v3.17/main/x86_64/libunistring-1.1-r0.apk
3013bcbddf3ff9eb812791a2e87fc2a0b72910cfd415590d21faa96d3bbbf1bc v3.17/main/x86_64/libuuid-2.38.1-r1.apk
f401d78b65a5067ef396c93a56950a87fa1b1fe3e1770489021f5924db7b10b0 v3.17/main/x86_64/libverto-0.3.2-r1.apk
8cf71d3c953a5fc83493e01dbe03ce893fad44eba87a606c8cb8a161159a02c1 v3.17/main/x86_64/libverto-dev-0.3.2-r1.apk
f9585399e58c15da6324f92e7ad92a757c01edb560e9c362ab4587c6158cd8e4 v3.17/main/x86_64/libverto-glib-0.3.2-r1.apk
a1060409c38e4d67e6ce67001108a35c2ade5a50cdff9c62fc555ef9a08717b9 v3.17/main/x86_64/libverto-libev-0.3.2-r1.apk
fee7860a5a1cb324bfe5ee4b5a68e834d57862743f062183681443e3387951da v3.17/main/x86_64/libverto-libevent-0.3.2-r1.apk
0d5bc88d04d7da3ad800f4dcaee4b7876c9c6ff3d2537a7b3471e4f488b5a5f0 v3.17/main/x86_64/libxml2-2.10.3-r1.apk
2564f7bb9985495a12b30a283acd53ad1c5e742b405bba2a031581eaac94b8f9 v3.17/main/x86_64/lzip-1.23-r0.apk
2a46230e00ba2e1c59c4d3dfc4bd74135d034191dc9fdf6606b3021c00efb5d3 v3.17/main/x86_64/mdev-conf-4.3-r0.apk
2a77f358c803ae9e2ec35ccf4906019df9b92d96c13e207d92ccabd13aec80eb v3.17/main/x86_64/musl-1.2.3-r4.apk
2f380042d7e80f124291ffaeed21700af13fbf112866a4caa663226cc9ba3468 v3.17/main/x86_64/musl-utils-1.2.3-r4.apk
b6f3592eb4fa228a8221f2b405cedbfe8fcadef07a7903a57d8e460af753fe48 v3.17/main/x86_64/nettle-3.8.1-r0.apk
82874c31d2fc4aa5bb2c3e7240d419643c20c5740e1f2c91099b6f04aad200ad v3.17/main/x86_64/nghttp2-libs-1.51.0-r0.apk
eba236b90c510fe01e9ef0182e8dd671b30d4ceaade79f410da26dda22780afd v3.17/main/x86_64/openrc-0.45.2-r7.apk
64337f9c3fe1cd25d0863a00e6fd2329f8e0976f2d6fb0210391de9593602585 v3.17/main/x86_64/openssl-3.0.8-r3.apk
83dd5cc59510198067ba0e4db76208f669218469417b909f82c2f9fbb1e1f20a v3.17/main/x86_64/p11-kit-0.24.1-r1.apk
baa3e5a7f248f0e34bcaa07b2c5dfbe39641e52feb878518cd6a7f6c579590e9 v3.17/main/x86_64/patch-2.7.6-r9.apk
1e4149304c4acc0e93c72aadf8df0f4643aee35f0294bf2deae019cca1bf5085 v3.17/main/x86_64/pcre2-10.42-r0.apk
455c58e9b66da6d7fe4b86cd9bab830e3963008b58bd87fe0e6b7aa05907af4c v3.17/main/x86_64/pkgconf-1.9.4-r0.apk
b3ad8d88fdae82cb1bd350f84298059ac8287a2855136580b2828f75ef846c4b v3.17/main/x86_64/scanelf-1.3.5-r1.apk
ceff279c448e9987e70a97a77fe57d84ff1eefd428345c525f2e21a00d1a54b4 v3.17/main/x86_64/ssl_client-1.35.0-r29.apk
981ccb518411d2e9f04249f6fe40568ce41e320d23a9550647852417be58bec6 v3.17/main/x86_64/tar-1.34-r2.apk
1ab16d81c9e7b59c51692626ac58b55d779f40bca4313be3d591d56a873c9434 v3.17/main/x86_64/util-linux-dev-2.38.1-r1.apk
da8ff707e8430169696ea971175a9fbb76a3ad599e4399ead7998a4d0ddbf94f v3.17/main/x86_64/xz-libs-5.2.9-r0.apk
935589dfe902b26cdbe09f54eb399ce2f5d6b5e13eb994de36abb495e4843df5 v3.17/main/x86_64/yajl-2.1.0-r5.apk
dc35929a53b3abaecb69b18dca79af25e38b8ab906aec5a912ec120b2cb4b731 v3.17/main/x86_64/zlib-1.2.13-r0.apk


@ -1,26 +0,0 @@
contents:
keyring:
- index-signing-key.rsa.pub
repositories:
- "@local repository-apk"
packages:
- alpine-base@local
entrypoint:
command: /bin/sh -l
accounts:
groups:
- groupname: "65532"
gid: 65532
users:
- username: "65532"
gid: 65532
uid: 65532
run-as: "65532"
environment:
PATH: /usr/sbin:/sbin:/usr/bin:/bin
archs:
- amd64


@ -1,16 +0,0 @@
contents:
keyring:
- index-signing-key.rsa.pub
repositories:
- "@local repository-apk"
packages:
- alpine-base@local
entrypoint:
command: /bin/sh -l
environment:
PATH: /usr/sbin:/sbin:/usr/bin:/bin
archs:
- amd64


@ -1,14 +0,0 @@
contents:
keyring:
- index-signing-key.rsa.pub
repositories:
- "@local repository-apk"
packages:
- alpine-base@local
- libvirt-dev@local
environment:
PATH: /usr/sbin:/sbin:/usr/bin:/bin
archs:
- amd64


@ -1,29 +0,0 @@
FROM fedora:37@sha256:ca620b6a713882989f2dfb31dd34705834c95bc23e493687828080f6e5ad1be6 AS release
RUN dnf -y update && \
dnf -y install dnf-plugins-core \
libvirt-daemon-config-network \
libvirt-daemon-kvm \
qemu-kvm \
swtpm \
swtpm-tools \
libvirt-client && \
dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-c487bde4b4 -y && \
dnf remove -y python-setuptools && \
dnf clean all
# TODO(malt3): remove advisory FEDORA-2023-c487bde4b4 upgrade for libtpms to libtpms-0.9.6-1.fc37.x86_64 once it is in stable
# Prevent cgroup issues on Fedora and configure libvirt
RUN echo "cgroup_controllers = []" >> /etc/libvirt/qemu.conf && \
echo "listen_tls = 0" >> /etc/libvirt/libvirtd.conf && \
echo "listen_tcp = 1" >> /etc/libvirt/libvirtd.conf && \
echo "tcp_port = \"16599\"" >> /etc/libvirt/libvirtd.conf && \
echo "listen_addr = \"localhost\"" >> /etc/libvirt/libvirtd.conf && \
echo "auth_tcp = \"none\"" >> /etc/libvirt/libvirtd.conf
# Copy nvram templates
COPY ./cli/internal/libvirt/nvram/constellation_vars.testing.fd /usr/share/OVMF/constellation_vars.testing.fd
COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
COPY --chmod=755 ./cli/internal/libvirt/start.sh /start.sh
ENTRYPOINT ["/start.sh"]


@ -16,7 +16,10 @@ virsh -c "qemu+tcp://localhost:16599/system"
Build the image: Build the image:
```shell ```shell
DOCKER_BUILDKIT=1 docker build -t ghcr.io/edgelesssys/constellation/libvirt:latest -f cli/internal/libvirt/Dockerfile . bazel build //cli/internal/libvirt:constellation_libvirt
bazel build //bazel/release:libvirt_sum
bazel build //bazel/release:libvirt_tar
bazel run //bazel/release:libvirt_push
``` ```
A container of the image is automatically started by the CLI. A container of the image is automatically started by the CLI.


@ -1,73 +0,0 @@
# syntax=docker/dockerfile:1.5-labs
FROM alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as builder
#
# Install dependencies
#
ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
/usr/bin/repro-get
RUN chmod +x /usr/bin/repro-get
ADD --checksum=sha256:45ae2e1f566cdc26dd9ddf0ca37a494d3fa7db29946094ae2f0d91e16def827d \
https://github.com/oras-project/oras/releases/download/v0.16.0/oras_0.16.0_linux_amd64.tar.gz \
/tmp/oras.tar.gz
RUN tar -C /usr/bin -xzf /tmp/oras.tar.gz oras
RUN chmod +x /usr/bin/oras
COPY SHA256SUMS-apk-amd64 /SHA256SUMS-apk-amd64
# TODO(katexochen): reenable when bug is fixed upstream,
# see https://github.com/reproducible-containers/repro-get/issues/29
# RUN repro-get \
# --provider=oci://ghcr.io/katexochen/apk-repo-test \
# --cache ./cache \
# --distro alpine \
# download /SHA256SUMS-apk-amd64
# RUN repro-get \
# --cache ./cache \
# --distro alpine \
# cache export repository-apk
WORKDIR /workspace/repository-apk/x86_64
# Pull our pinned packages from the registry
RUN oras pull ghcr.io/edgelesssys/constellation/packages-apk:latest
# Need to remove the repository prefix from the hashes file
RUN sed -i -E 's%v[0-9].[0-9]+\/(main|community)\/x86_64/%%' /SHA256SUMS-apk-amd64
# Validate package hashes
RUN sha256sum -c /SHA256SUMS-apk-amd64
# Create an apk index from the packages
RUN apk index \
--rewrite-arch x86_64 \
-o APKINDEX.tar.gz \
*.apk
#
# We need package abuild to sign out index.
# This is not a security mesaure. It is just a requirement of apko.
# We installe the pinned abuild package from our registry, create
# a new keypair and sign the index.
#
RUN echo "/workspace/repository-apk" > /etc/apk/repositories
RUN apk update --allow-untrusted && apk add --allow-untrusted abuild
RUN abuild-keygen -a -n
RUN mv /root/.abuild/*.rsa /root/.abuild/index-signing-key.rsa
RUN mv /root/.abuild/*.rsa.pub /root/.abuild/index-signing-key.rsa.pub
RUN echo 'PACKAGER_PRIVKEY="/root/.abuild/index-signing-key.rsa"' > /root/.abuild/abuild.conf
RUN abuild-sign APKINDEX.tar.gz
FROM scratch as output
COPY --from=builder /workspace/repository-apk repository-apk
COPY --from=builder /root/.abuild/*.rsa.pub index-signing-key.rsa.pub


@ -1,28 +0,0 @@
# syntax=docker/dockerfile:1.5-labs
FROM alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as builder
ADD --checksum=sha256:11968a8b706095a081ac30168849b351b0263a6df5c224119aa914d7e5afb0c1 \
https://github.com/reproducible-containers/repro-get/releases/download/v0.3.0/repro-get-v0.3.0.linux-amd64 \
/usr/bin/repro-get
RUN chmod +x /usr/bin/repro-get
RUN apk update && apk add \
alpine-base \
libvirt-dev \
abuild
WORKDIR /out
# Dump the hashes of the installed packages
RUN repro-get hash generate > SHA256SUMS
# Export the apks
RUN repro-get cache export repository-apk
# Sort the hashes
RUN sort -k2 -o SHA256SUMS SHA256SUMS
FROM scratch as output
COPY --from=builder /out/SHA256SUMS SHA256SUMS-apk-amd64
COPY --from=builder /out/repository-apk repository-apk


@ -1,34 +0,0 @@
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
RUN dnf -y update && \
dnf -y install libvirt-devel @development-tools pkg-config wget git && \
dnf clean all
ARG GO_VER=1.20.3
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
rm go${GO_VER}.linux-amd64.tar.gz
ENV PATH ${PATH}:/usr/local/go/bin
WORKDIR /qemu-metadata-api
# Necessary to make `go mod download all` work while having a local replace rule in the root-go.mod.
COPY operators/constellation-node-operator/api/go.mod ./operators/constellation-node-operator/api/go.mod
COPY operators/constellation-node-operator/api/go.sum ./operators/constellation-node-operator/api/go.sum
COPY go.mod ./
COPY go.sum ./
RUN go mod download all
WORKDIR /qemu-metadata-api/hack
COPY hack/go.mod ./go.mod
COPY hack/go.sum ./go.sum
RUN go mod download all
COPY . /qemu-metadata-api
WORKDIR /qemu-metadata-api/hack/qemu-metadata-api
RUN go build -o api-server .
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as release
RUN dnf -y install libvirt-devel && \
dnf clean all
COPY --from=build /qemu-metadata-api/hack/qemu-metadata-api/api-server /server
ENTRYPOINT [ "/server" ]


@ -36,7 +36,10 @@ sudo firewall-cmd --zone libvirt --add-port 8080/tcp --permanent
Build the image: Build the image:
```shell ```shell
DOCKER_BUILDKIT=1 docker build -t ghcr.io/edgelesssys/constellation/qemu-metadata-api:latest -f hack/qemu-metadata-api/Dockerfile . bazel build //hack/qemu-metadata-api:qemumetadata
bazel build //bazel/release:qemumetadata_sum
bazel build //bazel/release:qemumetadata_tar
bazel run //bazel/release:qemumetadata_push
``` ```
A container of the image is automatically started by Terraform. A container of the image is automatically started by Terraform.


@ -1,31 +0,0 @@
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
RUN dnf -y update && \
dnf install -y iproute iputils wget git && \
dnf clean all
# Install Go
ARG GO_VER=1.20.3
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
rm go${GO_VER}.linux-amd64.tar.gz
ENV PATH ${PATH}:/usr/local/go/bin
# Download go dependencies
WORKDIR /constellation/
COPY go.mod ./
COPY go.sum ./
RUN go mod download all
# Copy Repo
COPY . /constellation
RUN rm -rf ./hack/
WORKDIR /constellation/joinservice
ARG PROJECT_VERSION=0.0.0
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o join-service -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
# Use gcr.io/distroless/static here since we need CA certificates to be installed for aTLS operations on GCP.
FROM gcr.io/distroless/static@sha256:8d4cc4a622ce09a75bd7b1eea695008bdbff9e91fea426c2d353ea127dcdc9e3 as release
COPY --from=build /constellation/joinservice/join-service /joinservice
ENTRYPOINT [ "/joinservice" ]


@ -40,9 +40,13 @@ This is needed for fetching data encryption keys for joining nodes.
Implements interaction with the Kubernetes API to create join tokens for new nodes. Implements interaction with the Kubernetes API to create join tokens for new nodes.
## [Dockerfile](./Dockerfile) ## Docker image
Build the image:
```shell ```shell
export VERSION=0.0.0 bazel build //joinservice/cmd:joinservice
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile . bazel build //bazel/release:joinservice_sum
bazel build //bazel/release:joinservice_tar
bazel run //bazel/release:joinservice_push
``` ```


@ -1,31 +0,0 @@
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
RUN dnf -y update && \
dnf install -y wget git
# Install Go
ARG GO_VER=1.20.3
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
rm go${GO_VER}.linux-amd64.tar.gz
ENV PATH ${PATH}:/usr/local/go/bin
# Download go dependencies
WORKDIR /constellation/
COPY go.mod ./
COPY go.sum ./
RUN go mod download all
# Copy Repo
COPY . /constellation
RUN rm -rf ./hack/
# Build
RUN mkdir -p /constellation/build
WORKDIR /constellation/keyservice/cmd
ARG PROJECT_VERSION=0.0.0
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/keyservice -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}"
FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec as release
COPY --from=build /constellation/build/keyservice /keyservice
ENTRYPOINT ["/keyservice"]


@ -1,33 +0,0 @@
# Build the manager binary
FROM golang:1.20.3@sha256:89924bd0abc1001141e0415648d90914ebc9a9d60d4cbbc696ee53f1d1a9a136 as builder
# Download project root dependencies
WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download
# Download operator dependencies
WORKDIR /workspace/operators/constellation-node-operator
COPY operators/constellation-node-operator/go.mod ./
COPY operators/constellation-node-operator/go.sum ./
RUN go mod download all
WORKDIR /workspace
COPY . .
# Build
WORKDIR /workspace/operators/constellation-node-operator
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM gcr.io/distroless/static:nonroot@sha256:149531e38c7e4554d4a6725d7d70593ef9f9881358809463800669ac89f3b0ec as release
WORKDIR /
COPY --from=builder /workspace/operators/constellation-node-operator/manager .
USER 65532:65532
ENTRYPOINT ["/manager"]


@ -1,30 +0,0 @@
FROM fedora:37@sha256:3f987b7657e944cf87a129cc262982d4f80e38bd98f7db313ccaf90ca7069dd2 as build
RUN dnf -y update && \
dnf install -y iproute iputils wget git && \
dnf clean all
# Install Go
ARG GO_VER=1.20.3
RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
rm go${GO_VER}.linux-amd64.tar.gz
ENV PATH ${PATH}:/usr/local/go/bin
# Download go dependencies
WORKDIR /constellation/
COPY go.mod ./
COPY go.sum ./
RUN go mod download all
# Copy Repo
COPY . /constellation
RUN rm -rf ./hack/
WORKDIR /constellation/verify
ARG PROJECT_VERSION=0.0.0
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o verify-service -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.versionInfo=${PROJECT_VERSION}" ./cmd/
FROM scratch AS release
COPY --from=build /constellation/verify/verify-service /verify
ENTRYPOINT [ "/verify" ]