update image; build hash for kaniko

salrashid123 · May 9, 2023 · a0284c1 · a0284c1
1 parent 40c992e
commit a0284c1
Show file tree

Hide file tree

Showing 15 changed files with 210 additions and 123 deletions.
diff --git a/README.md b/README.md
diff --git a/app/BUILD.bazel b/app/BUILD.bazel
@@ -2,6 +2,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
 load("@io_bazel_rules_docker//go:image.bzl", "go_image")
 load("@io_bazel_rules_docker//container:container.bzl", "container_image")
 load("@bazel_gazelle//:def.bzl", "gazelle")
+load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar")
 
 gazelle(name = "gazelle")
 
@@ -16,6 +17,22 @@ go_binary(
     goarch = "amd64",     
 )
 
+pkg_tar(
+    name = "certs_bundle",
+    srcs = [
+        "//certs:root-ca-operator.crt",
+        "//certs:tee-operator.crt",
+        "//certs:tee-operator.key",
+        "//certs:root-ca-collaborator1.crt",
+        "//certs:tee-collaborator1.crt",
+        "//certs:tee-collaborator1.key",
+        "//certs:root-ca-collaborator2.crt",
+        "//certs:tee-collaborator2.crt",
+        "//certs:tee-collaborator2.key",
+    ],
+    package_dir = "/certs",
+)
+
 container_image(
     name = "server",
     base = "@distroless_base//image",
@@ -28,16 +45,8 @@ container_image(
     files = [
         ":main",
         ":config.json",
-        "//certs:root-ca-operator.crt",
-        "//certs:tee-operator.crt",
-        "//certs:tee-operator.key",
-        "//certs:root-ca-collaborator1.crt",
-        "//certs:tee-collaborator1.crt",
-        "//certs:tee-collaborator1.key",
-        "//certs:root-ca-collaborator2.crt",
-        "//certs:tee-collaborator2.crt",
-        "//certs:tee-collaborator2.key",
     ],
+    tars = [":certs_bundle"],
     ports = ["8081"],
     repository = "us-central1-docker.pkg.dev/builder-project/repo1/tee",
 )

diff --git a/app/Dockerfile b/app/Dockerfile
@@ -1,36 +1,24 @@
+# go1.19.8 linux/amd64
 FROM docker.io/golang@sha256:9f2dd04486e84eec72d945b077d568976981d9afed8b4e2aeb08f7ab739292b3 as build
 
 WORKDIR /go/src/app
 COPY . .
-
 RUN go mod download
-RUN go vet -v
-RUN go test -v
+RUN GOOS=linux GOARCH=amd64 go build -buildvcs=false  -o /go/bin/server
 
-RUN GOOS=linux GOARCH=amd64 go build -o /go/bin/server
+RUN chown root:root /go/bin/server && \
+  chown -R root:root /go/src/app
 
-FROM gcr.io/distroless/base@sha256:75f63d4edd703030d4312dc7528a349ca34d48bec7bd754652b2d47e5a0b7873
+# base-debian11-root
+FROM gcr.io/distroless/base-debian11@sha256:df13a91fd415eb192a75e2ef7eacf3bb5877bb05ce93064b91b83feef5431f37
 
 LABEL "tee.launch_policy.allow_cmd_override"="false"
 LABEL "tee.launch_policy.log_redirect"="always"
 
-COPY --from=build /go/bin/server /
+COPY --from=build /go/bin/server  /server
 COPY --from=build /go/src/app/config.json /config.json
-
-COPY --from=build /go/src/app/certs/root-ca-operator.crt /root-ca-operator.crt
-COPY --from=build /go/src/app/certs/tee-operator.crt /tee-operator.crt
-COPY --from=build /go/src/app/certs/tee-operator.key /tee-operator.key
-
-COPY --from=build /go/src/app/certs/root-ca-collaborator1.crt /root-ca-collaborator1.crt
-COPY --from=build /go/src/app/certs/tee-collaborator1.crt /tee-collaborator1.crt
-COPY --from=build /go/src/app/certs/tee-collaborator1.key /tee-collaborator1.key
-
-COPY --from=build /go/src/app/certs/root-ca-collaborator2.crt /root-ca-collaborator2.crt
-COPY --from=build /go/src/app/certs/tee-collaborator2.crt /tee-collaborator2.crt
-COPY --from=build /go/src/app/certs/tee-collaborator2.key /tee-collaborator2.key
+COPY --from=build /go/src/app/certs /certs
 
 EXPOSE 8081
-
-ENTRYPOINT ["/server"]
-
+ENTRYPOINT ["./server"]
 CMD []
diff --git a/app/cloudbuild_bazel.yaml b/app/cloudbuild_bazel.yaml
@@ -1,5 +1,6 @@
 steps:
 
+  # bazel 5.3.1
   - name: gcr.io/cloud-builders/bazel@sha256:f00a985c3196cc58819b6f7e8e40353273bc20e8f24b54d9c92d5279bb5b3fad
     id: build
     args: ['run', '--platforms=@io_bazel_rules_go//go/toolchain:linux_amd64', ':server']
@@ -12,7 +13,7 @@ steps:
     - |
       gcloud auth print-access-token > /workspace/token
 
-  - name: quay.io/containers/skopeo@sha256:2f90e4c091a45cf0f92916642a97227531c4242ea18979b16359966ca358ec63
+  - name: quay.io/containers/skopeo@sha256:282ec8da6e903232320f5ef8bb3bd88bf26872d569cfa79f5cb8faa5f0368a30
     id: push
     entrypoint: '/bin/bash'
     args:

diff --git a/app/cloudbuild_kaniko.yaml b/app/cloudbuild_kaniko.yaml
@@ -131,4 +131,3 @@ steps:
 serviceAccount: 'projects/$PROJECT_ID/serviceAccounts/cosign@$PROJECT_ID.iam.gserviceaccount.com'
 options:
   logging: CLOUD_LOGGING_ONLY
-  machineType: 'N1_HIGHCPU_32'
diff --git a/app/main.go b/app/main.go
@@ -42,18 +42,18 @@ var (
 	project_id             = flag.String("project_id", "", "ProjectID for pubsub subscription and logging")
 
 	// for mtls certificates
-	default_ca      = flag.String("default_ca", "root-ca-operator.crt", "Operator RootCA Chain (PEM)")
-	default_tls_crt = flag.String("default_tls_crt", "tee-operator.crt", "Operator TLS Certificate (PEM)")
-	default_tls_key = flag.String("default_tls_key", "tee-operator.key", "Operator TLS KEY (PEM)")
+	default_ca      = flag.String("default_ca", "certs/root-ca-operator.crt", "Operator RootCA Chain (PEM)")
+	default_tls_crt = flag.String("default_tls_crt", "certs/tee-operator.crt", "Operator TLS Certificate (PEM)")
+	default_tls_key = flag.String("default_tls_key", "certs/tee-operator.key", "Operator TLS KEY (PEM)")
 
 	// collaborator mtls certs and keys materialized within the TEE
-	collaborator1_ca      = flag.String("collaborator1_ca", "root-ca-collaborator1.crt", "Collaborator 1 RootCA Chain (PEM)")
-	collaborator1_tls_crt = flag.String("collaborator1_tls_crt", "tee-collaborator1.crt", "Collaborator 1 TLS Certificate (PEM)")
-	collaborator1_tls_key = flag.String("collaborator1_tls_key", "tee-collaborator1.key", "Collaborator 1 TLS KEY (PEM)")
+	collaborator1_ca      = flag.String("collaborator1_ca", "certs/root-ca-collaborator1.crt", "Collaborator 1 RootCA Chain (PEM)")
+	collaborator1_tls_crt = flag.String("collaborator1_tls_crt", "certs/tee-collaborator1.crt", "Collaborator 1 TLS Certificate (PEM)")
+	collaborator1_tls_key = flag.String("collaborator1_tls_key", "certs/tee-collaborator1.key", "Collaborator 1 TLS KEY (PEM)")
 
-	collaborator2_ca      = flag.String("collaborator2_ca", "root-ca-collaborator2.crt", "Collaborator 2 RootCA Chain (PEM)")
-	collaborator2_tls_crt = flag.String("collaborator2_tls_crt", "tee-collaborator2.crt", "Collaborator 2 TLS Certificate (PEM)")
-	collaborator2_tls_key = flag.String("collaborator2_tls_key", "tee-collaborator2.key", "Collaborator 2 TLS KEY (PEM)")
+	collaborator2_ca      = flag.String("collaborator2_ca", "certs/root-ca-collaborator2.crt", "Collaborator 2 RootCA Chain (PEM)")
+	collaborator2_tls_crt = flag.String("collaborator2_tls_crt", "certs/tee-collaborator2.crt", "Collaborator 2 TLS Certificate (PEM)")
+	collaborator2_tls_key = flag.String("collaborator2_tls_key", "certs/tee-collaborator2.key", "Collaborator 2 TLS KEY (PEM)")
 
 	// map to hold all the users currently found and the number of times
 	// they've been sent

diff --git a/images/artifacts.png b/images/artifacts.png
diff --git a/images/build_hash.png b/images/build_hash.png
diff --git a/images/cc_logs.png b/images/cc_logs.png
diff --git a/images/cc_startup.png b/images/cc_startup.png
diff --git a/images/cloud_logging.png b/images/cloud_logging.png
diff --git a/images/conf_space.png b/images/conf_space.png
diff --git a/images/kms.png b/images/kms.png
diff --git a/images/launch_spec.png b/images/launch_spec.png
diff --git a/images/sts.png b/images/sts.png