CAPI upgrade and rebase with main branch

.github/workflows/spectro-release.yaml

@@ -0,0 +1,77 @@
+name: Spectro Release
+run-name: Release for Cluster API Maas ${{ github.event.inputs.release_version }}
+on:
+ workflow_dispatch:
+ inputs:
+ release_version:
+ description: 'Cluster API Version to Build'
+ required: true
+ default: '0.0.0'
+ rel_type:
+ type: choice
+ description: Type of release
+ options:
+ - release
+ - rc
+jobs:
+ builder:
+ # edge-runner machine group is a bunch of machines in US Datacenter
+ runs-on: ubuntu-latest
+ # Initialize all secrets required for the job
+ # Ensure that the credentials are provided as encrypted secrets
+ env:
+ SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+ LEGACY_REGISTRY: gcr.io/spectro-images-public/release/cluster-api-maas
+ FIPS_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-maas
+ steps:
+ -
+ uses: mukunku/[email protected]
+ id: checkTag
+ with:
+ tag: v${{ github.event.inputs.release_version }}-spectro
+ -
+ if: ${{ steps.checkTag.outputs.exists == 'true' }}
+ run: |
+ echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
+ exit 1
+ -
+ if: ${{ github.event.inputs.rel_type == 'rc' }}
+ run: |
+ echo "LEGACY_REGISTRY=gcr.io/spectro-dev-public/release/cluster-api-maas" >> $GITHUB_ENV
+ echo "FIPS_REGISTRY=gcr.io/spectro-dev-public/release-fips/cluster-api-maas" >> $GITHUB_ENV
+ -
+ uses: actions/checkout@v3
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ -
+ name: Login to private registry
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ secrets.REGISTRY_URL }}
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+ -
+ name: Build Image
+ env:
+ REGISTRY: ${{ env.LEGACY_REGISTRY }}
+ run: |
+ make docker-build-all
+ make docker-push-all
+ -
+ name: Build Image - FIPS Mode
+ env:
+ FIPS_ENABLE: yes
+ REGISTRY: ${{ env.FIPS_REGISTRY }}
+ run: |
+ make docker-build-all
+ make docker-push-all
+ -
+ name: Create Tag
+ if: ${{ github.event.inputs.rel_type == 'release' }}
+ id: tag_create
+ uses: rickstaa/action-create-tag@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag: v${{ github.event.inputs.release_version }}-spectro

Dockerfile

@@ -1,28 +1,53 @@
 # Build the manager binary
-FROM golang:1.17 as builder
+ARG BUILDER_GOLANG_VERSION
+# First stage: build the executable.
+FROM --platform=$TARGETPLATFORM gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as toolchain
 
+FROM toolchain as builder
 WORKDIR /workspace
+
+RUN apk update
+RUN apk add git gcc g++ curl
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN go mod download
+RUN --mount=type=cache,target=/root/.local/share/golang \
+ --mount=type=cache,target=/go/pkg/mod \
+ go mod download
 
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
 # Copy the go source
 COPY main.go main.go
 COPY api/ api/
 COPY pkg/ pkg/
 COPY controllers/ controllers/
 
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
+
+RUN --mount=type=cache,target=/root/.cache/go-build \
+ --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.local/share/golang \
+ if [ ${CRYPTO_LIB} ];\
+ then \
+ GOARCH=${ARCH} go-build-fips.sh -a -o manager . ;\
+ else \
+ GOARCH=${ARCH} go-build-static.sh -a -o manager . ;\
+ fi
+
+RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh manager; fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-fips.sh manager; fi
+RUN scan-govulncheck.sh manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+USER 65532
 
 ENTRYPOINT ["/manager"]

Makefile

@@ -12,12 +12,23 @@ BUILD_DIR :=_build
 RELEASE_DIR := _build/release
 DEV_DIR := _build/dev
 REPO_ROOT := $(shell git rev-parse --show-toplevel)
+FIPS_ENABLE ?= ""
+BUILDER_GOLANG_VERSION ?= 1.22
+BUILD_ARGS = --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg BUILDER_GOLANG_VERSION=${BUILDER_GOLANG_VERSION}
+ARCH ?= amd64
+ALL_ARCH = amd64 arm64
+
+RELEASE_LOC := release
+ifeq ($(FIPS_ENABLE),yes)
+ RELEASE_LOC := release-fips
+endif
 
 # Image URL to use all building/pushing image targets
 IMAGE_NAME := cluster-api-provider-maas-controller
-IMG_URL ?= gcr.io/$(shell gcloud config get-value project)/${USER}
-IMG_TAG ?= latest
-IMG ?= ${IMG_URL}/cluster-api-provider-maas:${IMG_TAG}
+REGISTRY ?= gcr.io/spectro-dev-public/${RELEASE_LOC}/cluster-api
+SPECTRO_VERSION ?= 4.0.0-dev
+IMG_TAG ?= v0.3.0-spectro-${SPECTRO_VERSION}
+CONTROLLER_IMG ?= ${REGISTRY}/${IMAGE_NAME}
 
 # Set --output-base for conversion-gen if we are not within GOPATH
 ifneq ($(abspath $(REPO_ROOT)),$(shell go env GOPATH)/src/github.com/spectrocloud/cluster-api-provider-maas)
@@ -72,7 +83,7 @@ uninstall: manifests ## Uninstall CRDs from a cluster
 
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: manifests ## Deploy controller in the configured Kubernetes cluster
- cd config/manager && kustomize edit set image controller=${IMG}
+ cd config/manager && kustomize edit set image controller=$(CONTROLLER_IMG):$(IMG_TAG)
  kustomize build config/default | kubectl apply -f -
 
 $(MANIFEST_DIR):
@@ -108,7 +119,7 @@ release-overrides:
 
 .PHONY: dev-manifests
 dev-manifests:
- $(MAKE) manifests STAGE=dev MANIFEST_DIR=$(DEV_DIR) PULL_POLICY=Always IMAGE=$(IMG)
+ $(MAKE) manifests STAGE=dev MANIFEST_DIR=$(DEV_DIR) PULL_POLICY=Always IMAGE=$(CONTROLLER_IMG):$(IMG_TAG)
  cp metadata.yaml $(DEV_DIR)/metadata.yaml
  $(MAKE) templates OUTPUT_DIR=$(DEV_DIR)
 
@@ -137,8 +148,8 @@ generate-go:
  $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
  $(CONVERSION_GEN) \
- --input-dirs=./api/v1alpha3 \
- --extra-peer-dirs=github.com/spectrocloud/cluster-api-provider-maas/api/v1alpha3 \
+ --input-dirs=./api/v1beta1 \
+ --extra-peer-dirs=github.com/spectrocloud/cluster-api-provider-maas/api/v1beta1 \
  --build-tag=ignore_autogenerated_core_v1alpha3 \
  --output-file-base=zz_generated.conversion $(GEN_OUTPUT_BASE) \
  --go-header-file=./hack/boilerplate.go.txt
@@ -148,15 +159,40 @@ generate-manifests: ## Generate manifests
 
 
 # Build the docker image
-docker-build: test
- docker build . -t ${IMG}
+.PHONY: docker-build
+docker-build: #test
+ docker buildx build --load --platform linux/$(ARCH) ${BUILD_ARGS} --build-arg ARCH=$(ARCH) --build-arg LDFLAGS="$(LDFLAGS)" --build-arg CRYPTO_LIB=${FIPS_ENABLE} . -t $(CONTROLLER_IMG)-$(ARCH):$(IMG_TAG)
 
 # Push the docker image
+.PHONY: docker-push
 docker-push: ## Push the docker image to gcr
- docker push ${IMG}
+ docker push $(CONTROLLER_IMG)-$(ARCH):$(IMG_TAG)
+
+## --------------------------------------
+## Docker — All ARCH
+## --------------------------------------
+.PHONY: docker-build-all ## Build all the architecture docker images
+docker-build-all: $(addprefix docker-build-,$(ALL_ARCH))
+
+docker-build-%:
+ $(MAKE) ARCH=$* docker-build
+
+.PHONY: docker-push-all ## Push all the architecture docker images
+docker-push-all: $(addprefix docker-push-,$(ALL_ARCH))
+ $(MAKE) docker-push-manifest
+
+docker-push-%:
+ $(MAKE) ARCH=$* docker-push
+
+.PHONY: docker-push-manifest
+docker-push-manifest: ## Push the fat manifest docker image.
+ ## Minimum docker version 18.06.0 is required for creating and pushing manifest images.
+ docker manifest create --amend $(CONTROLLER_IMG):$(IMG_TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(CONTROLLER_IMG)\-&:$(IMG_TAG)~g")
+ @for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${CONTROLLER_IMG}:${IMG_TAG} ${CONTROLLER_IMG}-$${arch}:${IMG_TAG}; done
+ docker manifest push --insecure --purge $(CONTROLLER_IMG):$(IMG_TAG)
 
 docker-rmi: ## Remove the docker image locally
- docker rmi ${IMG}
+ docker rmi $(CONTROLLER_IMG):$(IMG_TAG)
 
 mock: $(MOCKGEN)
  go generate ./...