diff --git a/.circleci/config.yml b/.circleci/config.yml index 065ecc0d..aa27cc97 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -34,13 +34,30 @@ references: only: /.*/ tags: ignore: /.*/ + enable_experimental_features: &enable_experimental_docker_features + run: + name: enable experimental features + command: | + set -ex + apk --update add openssh + ssh remote-docker \< /etc/docker/daemon.json' + sudo systemctl restart docker + EOF + install_vault_alpine: &install_vault_alpine + run: + name: install hashicorp vault + command: | + apk --update add curl yq + cd /tmp + curl -LO https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip + unzip vault_1.9.4_linux_amd64.zip + mv vault /usr/bin/vault jobs: test: working_directory: /go/src/github.com/fairwindsops/reckoner docker: - image: circleci/golang:1.17 - environment: - GO111MODULE: "on" steps: - checkout - run: make test @@ -53,7 +70,7 @@ jobs: - setup_remote_docker - run: name: Goreleaser Snapshot - command: goreleaser --snapshot --skip-sign + command: goreleaser --snapshot --skip-sign -p 1 - store_artifacts: path: dist destination: snapshot @@ -61,6 +78,28 @@ jobs: root: /go/src/github.com/fairwindsops/reckoner paths: - dist + release: + working_directory: /home/circleci/go/src/github.com/fairwindsops/reckoner + resource_class: large + shell: /bin/bash + docker: + - image: goreleaser/goreleaser:v1.5.0 + steps: + - checkout + - setup_remote_docker: + version: 20.10.6 + - *enable_experimental_docker_features + - *install_vault_alpine + - rok8s/get_vault_env: + vault_path: repo/global/env + - rok8s/get_vault_env: + vault_path: repo/reckoner/env + - run: + name: docker login + command: | + docker login -u _json_key -p "$(echo $GCP_ARTIFACTREADWRITE_JSON_KEY | base64 -d)" us-docker.pkg.dev + - run: echo 'export GORELEASER_CURRENT_TAG="${CIRCLE_TAG}"' >> $BASH_ENV + - run: goreleaser -p 1 publish_docs: docker: - image: cimg/node:15.5.1 
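Review bot: The `install_vault_alpine` step in the first hunk downloads `vault_1.9.4_linux_amd64.zip` and moves the binary into `/usr/bin` without checking it against a known digest, yet the release job added further down runs this step before reading secrets and signing artifacts. HashiCorp publishes a SHA256SUMS file next to each release archive; I would pin the expected digest in this config and fail on mismatch before `unzip`, e.g. `echo "<EXPECTED_SHA256>  vault_1.9.4_linux_amd64.zip" | sha256sum -c -`. The download should also be `curl -fsSLO ...` so an HTTP error page is never saved and unpacked. Unlike the step above it, this command has no `set -e`.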
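Review bot: In the `docker login` step of the new `release` job the decoded service-account key is passed with `-p`, which puts it on the command line where the process list can show it; pipe it instead: `echo "$GCP_ARTIFACTREADWRITE_JSON_KEY" | base64 -d | docker login -u _json_key --password-stdin us-docker.pkg.dev`. The job also sets `shell: /bin/bash`, and as far as I know overriding the shell drops CircleCI's default `-eo pipefail`, so a failed `rok8s/get_vault_env` or `docker login` may not stop `goreleaser -p 1` from running; `shell: /bin/bash -eo pipefail` would keep the fail-fast behaviour. `goreleaser/goreleaser:v1.5.0` is referenced by tag only, while the kind node image in the same file is pinned by digest, and the image that holds the signing credentials deserves the same pinning.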
@@ -131,19 +170,17 @@ workflows:
 name: "End-To-End Kubernetes 1.22.0"
 kind_node_image: "kindest/node:v1.22.0@sha256:b8bda84bb3a190e6e028b1760d277454a72267a5454b57db34437c34a588d047"
 <<: *e2e_configuration
- # release:
- # jobs:
- # - publish_docs:
- # filters:
- # branches:
- # ignore: /.*/
- # tags:
- # only: /.*/
- # - rok8s/github_release:
- # requires:
- # - release
- # filters:
- # branches:
- # ignore: /.*/
- # tags:
- # only: /.*/
+ release:
+ jobs:
+ - publish_docs:
+ filters:
+ branches:
+ ignore: /.*/
+ tags:
+ only: /^v[0-9]+\.[0-9]+\.[0-9]+$/
+ - release:
+ filters:
+ branches:
+ ignore: /.*/
+ tags:
+ only: /^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$/
diff --git a/.goreleaser.yml b/.goreleaser.yml
index ce610fc1..7ee05659 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
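Review bot: `publish_docs` in the re-enabled `release` workflow has no `requires`, so on a final tag it runs alongside the `release` job and the docs are published even when the build or signing fails. Adding `requires:` with `- release` under `publish_docs` would order the two; both entries already carry tag filters, which CircleCI needs for a required job on tag builds. I would also put a comment above the two `only:` patterns stating that a matching tag is what starts the job that reads Vault and signs the release, so the right to push such tags should be restricted to the people allowed to cut releases.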
@@ -10,12 +10,73 @@ builds:
 goos:
 - linux
 - darwin
+ - windows
 goarm:
 - 6
 - 7
+checksum:
+ name_template: "checksums.txt"
+release:
+ prerelease: auto
+ footer: |
+ You can verify the signatures of both the checksums.txt file and the published docker images using [cosign](https://github.com/sigstore/cosign).
+
+ ```
+ cosign verify-blob checksums.txt --signature=checksums.txt.sig --key https://artifacts.fairwinds.com/cosign.pub
+ ```
+
+ ```
+ cosign verify us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v6 --key https://artifacts.fairwinds.com/cosign.pub
+ ```
+signs:
+- cmd: cosign
+ args: ["sign-blob", "--key=hashivault://cosign", "-output-signature=${signature}", "${artifact}"]
+ artifacts: checksum
+
+docker_signs:
+- artifacts: all
+ args: ["sign", "--key=hashivault://cosign", "${artifact}", "-r"]
+
 dockers:
 - image_templates:
- - "quay.io/fairwinds/reckoner:go-{{ .Tag }}"
- - "quay.io/fairwinds/reckoner:go-v{{ .Major }}"
- - "quay.io/fairwinds/reckoner:go-v{{ .Major }}.{{ .Minor }}"
- dockerfile: Dockerfile-go
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:{{ .Tag }}-amd64"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}-amd64"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}.{{ .Minor }}-amd64"
+ use: buildx
+ dockerfile: Dockerfile
+ build_flag_templates:
+ - "--platform=linux/amd64"
+- image_templates:
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:{{ .Tag }}-arm64v8"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}-arm64v8"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}.{{ .Minor }}-arm64v8"
+ use: buildx
+ goarch: arm64
+ dockerfile: Dockerfile
+ build_flag_templates:
+ - "--platform=linux/arm64/v8"
+- image_templates:
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:{{ .Tag }}-armv7"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}-armv7"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}.{{ .Minor }}-armv7"
+ use: buildx
+ goarch: arm64
+ dockerfile:
Dockerfile
+ build_flag_templates:
+ - "--platform=linux/arm/v7"
+docker_manifests:
+- name_template: us-docker.pkg.dev/fairwinds-ops/oss/reckoner:{{ .Tag }}
+ image_templates:
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:{{ .Tag }}-amd64"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:{{ .Tag }}-arm64v8"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:{{ .Tag }}-armv7"
+- name_template: us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}
+ image_templates:
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}-amd64"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}-arm64v8"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}-armv7"
+- name_template: us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}.{{ .Minor }}
+ image_templates:
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}.{{ .Minor }}-amd64"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}.{{ .Minor }}-arm64v8"
+ - "us-docker.pkg.dev/fairwinds-ops/oss/reckoner:v{{ .Major }}.{{ .Minor }}-armv7"
diff --git a/Dockerfile b/Dockerfile
index 8056d3ab..bdf9fab3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,6 @@
-FROM python:3.8
+FROM scratch
 
-ADD . /bin/reckoner
-RUN pip install ./reckoner
-
-ENTRYPOINT ["reckoner"]
-CMD ["--help"]
+USER nobody
+COPY reckoner /
+WORKDIR /
+ENTRYPOINT ["/reckoner"]
diff --git a/Dockerfile-go b/Dockerfile-go
deleted file mode 100644
index bdf9fab3..00000000
--- a/Dockerfile-go
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM scratch
-
-USER nobody
-COPY reckoner /
-WORKDIR /
-ENTRYPOINT ["/reckoner"]
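Review bot: The third `dockers` entry (the `-armv7` templates) sets `goarch: arm64` while building with `--platform=linux/arm/v7`, so the image tagged armv7 would be given the arm64 binary, which will not run on a 32-bit ARM host. It should read `goarch: arm` with `goarm: 7`, matching the `goarm` list under `builds`. Separately, `-output-signature=${signature}` in `signs` uses a single dash where the neighbouring flags use two; if the cosign in the release image parses flags POSIX-style it will not be read as `--output-signature`, so I would spell it with two dashes. The `cosign verify` example in the footer checks the moving `v6` tag, and verifying by digest is the stronger instruction to give users.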
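Review bot: `USER nobody` on top of `FROM scratch` names a user that the image has no `/etc/passwd` to resolve, so the runtime is likely to refuse to start the container with an unknown-user error, and Kubernetes cannot evaluate `runAsNonRoot` against a name. A numeric identity avoids both: `USER 65534:65534`. A scratch image also carries no CA bundle, so if reckoner makes HTTPS calls from inside the container (not visible in this diff) certificate verification would fail unless a `ca-certificates.crt` is copied in.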