From 8946534b50d1815b9ec2498b877a4b4e6d012be3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 18:31:07 +0200 Subject: [PATCH 1/9] Add Goreleaser action --- .github/workflows/release.yaml | 36 ++++ .gitignore | 2 + .goreleaser.yaml | 58 ++++++ cmd/main.go | 12 ++ dist/install.yaml | 332 --------------------------------- 5 files changed, 108 insertions(+), 332 deletions(-) create mode 100644 .github/workflows/release.yaml create mode 100644 .goreleaser.yaml delete mode 100644 dist/install.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..2f398c1 --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,36 @@ +--- +name: goreleaser + +on: + pull_request: + push: + # run only against tags + tags: + - "*" + +permissions: + contents: write + packages: write + +jobs: + goreleaser: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: stable + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + distribution: goreleaser + version: "~> v2" + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index ada68ff..73d94d7 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,5 @@ go.work *.swp *.swo *~ + +dist/ diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..56af22a --- /dev/null +++ b/.goreleaser.yaml 
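Review bot: In the new `.github/workflows/release.yaml`, all three actions are referenced by mutable major-version tags (`actions/checkout@v4`, `actions/setup-go@v5`, `goreleaser/goreleaser-action@v6`), while the job's token carries `contents: write` and `packages: write`. A retagged or compromised action release would then run with the ability to publish releases and images. Pinning each one to a full commit SHA with the tag kept as a comment, e.g. `uses: goreleaser/goreleaser-action@<full-commit-sha> # v6`, removes that exposure. `go-version: stable` and `version: "~> v2"` float in the same way, so two runs of the same tag can use different toolchains; fixing them to explicit versions makes the release reproducible.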
@@ -0,0 +1,58 @@ +--- +version: 2 + +before: + hooks: + - go mod tidy + - go generate ./... + # - go fmt ./... + # - go vet ./... + # - go test ./... + +builds: + - env: + - CGO_ENABLED=0 + main: ./cmd/main.go + binary: istio-fortsa + flags: + - -trimpath + ldflags: + - -s -w -X main.Version={{ .Version }} -X main.Commit={{ .Commit }} -X main.Date={{ .CommitDate }} + goos: + - linux + - darwin + goarch: + - amd64 + - arm64 + +kos: + - repository: ghcr.io/hercynium/istio-fortsa + base_image: ghcr.io/distroless/static:nonroot + tags: + - "{{ .Tag }}" + - latest + platforms: + - linux/amd64 + - linux/arm64 + main: ./cmd/... + env: + - CGO_ENABLED=0 + flags: + - -trimpath + ldflags: + - -extldflags "-static" + - -s + - -w + bare: true + preserve_import_paths: false + base_import_paths: false + +changelog: + sort: asc + filters: + exclude: + - "^docs" + - "^test" + - "^chore" + - "Merge pull request" + - "Merge branch" diff --git a/cmd/main.go b/cmd/main.go index 4a03044..dce91f7 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -20,6 +20,7 @@ import ( "context" "crypto/tls" "flag" + "fmt" "os" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) @@ -42,6 +43,10 @@ import ( ) var ( + Version = "" // set at compile time with -ldflags "-X main.Version=x.y.yz" + Commit = "" // set at compile time with -ldflags "-X main.Commit=..." + CommitDate = "" // set at compile time with -ldflags "-X main.CommitDate=..." + scheme = runtime.NewScheme() setupLog = ctrl.Log.WithName("setup") istioData = istiodata.IstioData{} @@ -59,6 +64,7 @@ func main() { var probeAddr string var secureMetrics bool var enableHTTP2 bool + var version bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, 
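Review bot: In the `kos` entry of the new `.goreleaser.yaml`, `base_image` is given by a mutable tag (`...distroless/static:nonroot`), so every release silently builds on whatever that tag points to at build time. Appending a digest to the reference (`...static:nonroot@sha256:<digest>`) makes the published image reproducible and lets a base-image change show up as a reviewed diff. The same applies to `defaultBaseImage` in the `.ko.yaml` added in patch 3/9. Separately, `latest` is pushed for every tag that matches the workflow's `"*"` filter, which as written would include pre-release tags.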
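Review bot: In the `var` block of `cmd/main.go`, the comment on `Version` has a typo (`x.y.yz`), and all three new variables default to the empty string, so a binary built with plain `go build` prints ` ( )` for `-version`. A non-empty default such as `Version = "dev"` keeps the output meaningful for builds that do not go through GoReleaser. The `var` block continues outside the hunk.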
@@ -68,12 +74,18 @@ func main() { "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers") + flag.BoolVar(&version, "version", false, "Print the version of the tool") opts := zap.Options{ Development: true, } opts.BindFlags(flag.CommandLine) flag.Parse() + if version { + fmt.Printf("%s (%s %s)\n", Version, Commit, CommitDate) + os.Exit(1) + } + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) // if the enable-http2 flag is false (the default), http/2 should be disabled diff --git a/dist/install.yaml b/dist/install.yaml deleted file mode 100644 index c670ab9..0000000 --- a/dist/install.yaml +++ /dev/null 
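Review bot: The new `-version` branch ends with `os.Exit(1)`, so a successful version query reports failure to the shell and to any script or CI step that checks the exit status; it should be `os.Exit(0)`. The flag description could also say what is printed, e.g. `"Print version, commit and commit date, then exit"`. `main` starts and continues outside the hunk.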
@@ -1,332 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - control-plane: controller-manager - name: istio-fortsa-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-leader-election-role - namespace: istio-fortsa-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-fortsa-manager-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - mutatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - mutatingwebhookconfigurations/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - mutatingwebhookconfigurations/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - namespaces - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - namespaces/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - namespaces/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - update - - watch 
-- apiGroups: - - "" - resources: - - pods/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-leader-election-rolebinding - namespace: istio-fortsa-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-fortsa-leader-election-role -subjects: -- kind: ServiceAccount - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-fortsa-manager-role -subjects: -- kind: ServiceAccount - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - name: istio-fortsa-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 
istio-fortsa-proxy-role -subjects: -- kind: ServiceAccount - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - control-plane: controller-manager - name: istio-fortsa-cm-metrics-svc - namespace: istio-fortsa-system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: istio-fortsa - control-plane: controller-manager - name: istio-fortsa-controller-manager - namespace: istio-fortsa-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - command: - - /manager - image: sscaffidi/istio-fortsa:0.0.3 - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - 
ALL - securityContext: - runAsNonRoot: true - serviceAccountName: istio-fortsa-controller-manager - terminationGracePeriodSeconds: 10 From 08947cb9caf8a1c3a04c00c183360ee35e6d2e1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 18:32:34 +0200 Subject: [PATCH 2/9] fix commitdate --- .goreleaser.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 56af22a..c28fbfd 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -17,7 +17,7 @@ builds: flags: - -trimpath ldflags: - - -s -w -X main.Version={{ .Version }} -X main.Commit={{ .Commit }} -X main.Date={{ .CommitDate }} + - -s -w -X main.Version={{ .Version }} -X main.Commit={{ .Commit }} -X main.CommitDate={{ .CommitDate }} goos: - linux - darwin From 20969a3bc2b40d1491602b17fb5e923129981f30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 19:05:10 +0200 Subject: [PATCH 3/9] Add .ko.yaml --- .goreleaser.yaml | 9 ++++++--- .ko.yaml | 20 ++++++++++++++++++++ 2 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 .ko.yaml diff --git a/.goreleaser.yaml b/.goreleaser.yaml index c28fbfd..6e9bf69 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -27,22 +27,25 @@ builds: kos: - repository: ghcr.io/hercynium/istio-fortsa - base_image: ghcr.io/distroless/static:nonroot + base_image: gcr.io/distroless/static:nonroot tags: - "{{ .Tag }}" - latest platforms: - linux/amd64 - linux/arm64 - main: ./cmd/... + main: ./cmd env: - CGO_ENABLED=0 flags: - -trimpath ldflags: - - -extldflags "-static" - -s - -w + - -extldflags "-static" + - -X main.Version={{ .Git.Tag }} + - -X main.Commit={{ .Git.FullCommit }} + - -X main.CommitDate={{ .Git.CommitDate }} bare: true preserve_import_paths: false base_import_paths: false diff --git a/.ko.yaml b/.ko.yaml new file mode 100644 index 0000000..175c5cc --- /dev/null +++ b/.ko.yaml 
@@ -0,0 +1,20 @@ +--- +defaultBaseImage: gcr.io/distroless/static:nonroot + +defaultPlatforms: + - linux/amd64 + - linux/arm64 + +defaultEnv: + - CGO_ENABLED=0 + +defaultLdflags: + - -s + - -w + - -extldflags "-static" + - -X main.Version={{ .Git.Tag }} + - -X main.Commit={{ .Git.FullCommit }} + - -X main.CommitDate={{ .Git.CommitDate }} + +builds: + main: ./cmd From 9210a93e1902dcbf8a4f518baed937d728a12cbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 19:09:28 +0200 Subject: [PATCH 4/9] Make image name depend on github repo name So that forks can also test image publishing. --- .github/workflows/release.yaml | 2 +- .goreleaser.yaml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2f398c1..2db6bf7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -2,7 +2,6 @@ name: goreleaser on: - pull_request: push: # run only against tags tags: @@ -34,3 +33,4 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 6e9bf69..5637d3b 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -26,8 +26,7 @@ builds: - arm64 kos: - - repository: ghcr.io/hercynium/istio-fortsa - base_image: gcr.io/distroless/static:nonroot + - base_image: gcr.io/distroless/static:nonroot tags: - "{{ .Tag }}" - latest From 648c6fbe0e83245a335aa88c78777f6a6cf8d4ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 19:25:09 +0200 Subject: [PATCH 5/9] Drop darwin support Also only build arm binary for images for now. --- .goreleaser.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 5637d3b..d062b3e 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
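Review bot: At the end of the new `.ko.yaml`, `builds` appears to be written as a mapping (`builds:` followed directly by `main: ./cmd`), whereas ko's configuration documents `builds` as a list of build entries. If that reading is right the entry may fail to parse or be ignored; it is worth confirming with a local `ko build`. The list form would be `builds:` followed by `- main: ./cmd`. Indentation is not recoverable from this view, so the exact nesting should be checked in the file itself.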
@@ -20,10 +20,8 @@ builds: - -s -w -X main.Version={{ .Version }} -X main.Commit={{ .Commit }} -X main.CommitDate={{ .CommitDate }} goos: - linux - - darwin goarch: - amd64 - - arm64 kos: - base_image: gcr.io/distroless/static:nonroot @@ -42,9 +40,9 @@ kos: - -s - -w - -extldflags "-static" - - -X main.Version={{ .Git.Tag }} - - -X main.Commit={{ .Git.FullCommit }} - - -X main.CommitDate={{ .Git.CommitDate }} + - -X main.Version={{ .Version }} + - -X main.Commit={{ .Commit }} + - -X main.CommitDate={{ .CommitDate }} bare: true preserve_import_paths: false base_import_paths: false From 8ce451c12de58aaa848c21a2b7eccc7d86655ae8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 19:36:40 +0200 Subject: [PATCH 6/9] fix repository name --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2db6bf7..0318ab1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -33,4 +33,4 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/${{ github.repository_name }} + KO_DOCKER_REPO: ghcr.io/${{ github.repository }} From 3cc358f845d6d92dabc63e791694180229804d59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 19:56:08 +0200 Subject: [PATCH 7/9] Add labels --- .goreleaser.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index d062b3e..66f771f 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -25,6 +25,7 @@ builds: kos: - base_image: gcr.io/distroless/static:nonroot + repository: ghcr.io/{{ .Env.GITHUB_REPOSITORY }} tags: - "{{ .Tag }}" - latest 
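Review bot: In patch 6/9, `KO_DOCKER_REPO: ghcr.io/${{ github.repository }}` keeps the owner and repository casing, and container repository names must be lowercase. A fork whose owner or repository name contains capitals (the case patch 4/9 says it wants to support) would therefore most likely fail at push. The same value is used in patch 7/9 as `repository: ghcr.io/{{ .Env.GITHUB_REPOSITORY }}` in `.goreleaser.yaml`, where GoReleaser's `tolower` template function can be applied: `repository: ghcr.io/{{ tolower .Env.GITHUB_REPOSITORY }}`. With `repository` set there, the `KO_DOCKER_REPO` variable in the workflow looks redundant and could be dropped, or lowercased in a prior step if it is kept.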
@@ -46,6 +47,13 @@ kos: bare: true preserve_import_paths: false base_import_paths: false + labels: + org.opencontainers.image.title: "{{ .ProjectName }}" + org.opencontainers.image.description: "{{ .ProjectName }}" + org.opencontainers.image.revision: "{{ .FullCommit }}" + org.opencontainers.image.version: "{{ .Version }}" + org.opencontainers.image.url: "{{ .Env.GITHUB_SERVER_URL }}/{{ .Env.GITHUB_REPOSITORY }}" + org.opencontainers.image.source: "{{ .Env.GITHUB_SERVER_URL }}/{{ .Env.GITHUB_REPOSITORY }}" changelog: sort: asc From 1503436b9e18a757c804e57b83e0b52e20763fcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 20:16:22 +0200 Subject: [PATCH 8/9] Tweak release --- .goreleaser.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 66f771f..c9543f2 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -12,7 +12,7 @@ before: builds: - env: - CGO_ENABLED=0 - main: ./cmd/main.go + main: ./cmd binary: istio-fortsa flags: - -trimpath @@ -32,7 +32,6 @@ kos: platforms: - linux/amd64 - linux/arm64 - main: ./cmd env: - CGO_ENABLED=0 flags: @@ -55,6 +54,16 @@ kos: org.opencontainers.image.url: "{{ .Env.GITHUB_SERVER_URL }}/{{ .Env.GITHUB_REPOSITORY }}" org.opencontainers.image.source: "{{ .Env.GITHUB_SERVER_URL }}/{{ .Env.GITHUB_REPOSITORY }}" + +release: + skip_upload: true + footer: | + Docker image: + + ```sh + repository: ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }} + ``` + changelog: sort: asc filters: From f93e3b5c35a4b4f022e994d9d940baf93d9016d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Reegn?= Date: Fri, 20 Sep 2024 20:25:30 +0200 Subject: [PATCH 9/9] fix tag --- .goreleaser.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index c9543f2..8c3975c 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
@@ -58,10 +58,10 @@ kos: release: skip_upload: true footer: | - Docker image: + # Container images - ```sh - repository: ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }} + ``` + ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Tag }} ``` changelog: