mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

Use ko to build images (#4366)

This updates the Makefile targets that build images with `docker buildx
build` to use `ko build` instead.

End-to-end tests are accomplished by building and loading the image
directly into the KinD cluster via ko.

Also:
- use GitHub Actions token to push to ghcr.io (setup-ko sets this up for us)
- allow forks to push to their forked repo's packages (useful for testing)

Signed-off-by: Jason Hall <jason@chainguard.dev>

Signed-off-by: Jason Hall <jason@chainguard.dev>
Jason Hall 2022-08-25 14:32:40 -04:00 committed by GitHub
parent 3454635ece
commit 6055713dfc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 189 additions and 360 deletions


@ -54,10 +54,13 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name : Create dev images, kind cluster and setup kustomize
- name: Install ko
uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5
- name: Create dev images, kind cluster and setup kustomize
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version }}
make create-e2e-infrastruture
make create-e2e-infrastructure
- name: e2e testing
run: |


@ -52,10 +52,13 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Install ko
uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5
- name : Create dev images, kind cluster and setup kustomize
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version }}
make create-e2e-infrastruture
make create-e2e-infrastructure
- name: e2e testing
run: |


@ -83,18 +83,11 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Set up QEMU
uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0
- name: Install ko
uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
id: buildx
with:
install: true
- name: docker images build
run: |
make docker-build-initContainer
- name: ko build
run: REGISTRY=ghcr.io/${{github.repository}} make ko-build-initContainer
build-kyverno:
runs-on: ubuntu-latest
@ -119,18 +112,11 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Set up QEMU
uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0
- name: Install ko
uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
id: buildx
with:
install: true
- name: docker images build
run: |
make docker-build-kyverno
- name: ko build
run: REGISTRY=ghcr.io/${{github.repository}} make ko-build-kyverno
- name: Trivy Scan Image
uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c
@ -164,15 +150,8 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Set up QEMU
uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0
- name: Install ko
uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
id: buildx
with:
install: true
- name: docker images build
run: |
make docker-build-cli
- name: ko build
run: REGISTRY=ghcr.io/${{github.repository}} make ko-build-cli
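Review bot: The three new `ko build` steps (`make ko-build-initContainer`, `ko-build-kyverno`, `ko-build-cli`) publish by default, whereas the `docker-build-*` targets they replace only built the image. Per the Makefile in this commit those targets pass `--tags=latest,$(IMAGE_TAG)`, so any run of this job with a writable token would move `latest` under `ghcr.io/${{github.repository}}` from code that has not gone through the signing workflow. The triggers are outside these hunks; if the workflow runs on pull requests or non-release branches, the job should stay build-only, for example through a Makefile target that adds `--push=false` or sets `KO_DOCKER_REPO=ko.local` as `ko-build-cli-local` does.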


@ -14,32 +14,20 @@ jobs:
push-init-kyverno:
uses: ./.github/workflows/reuse.yaml
with:
publish_command: docker-publish-initContainer
digest_command: docker-get-initContainer-digest
publish_command: ko-build-initContainer
image_name: kyvernopre
tag: image
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
push-kyverno:
uses: ./.github/workflows/reuse.yaml
with:
publish_command: docker-publish-kyverno
digest_command: docker-get-kyverno-digest
publish_command: ko-build-kyverno
image_name: kyverno
tag: image
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
push-kyverno-cli:
uses: ./.github/workflows/reuse.yaml
with:
publish_command: docker-publish-cli
digest_command: docker-get-cli-digest
publish_command: ko-build-cli
image_name: kyverno-cli
tag: image
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
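Review bot: With `registry_password: ${{ secrets.CR_PAT }}` removed, pushes now depend on the `GITHUB_TOKEN` that setup-ko logs in with, yet none of the three jobs here declares `permissions:` the way the release jobs in this commit do (`id-token: write` is visible there). A called workflow cannot hold more permissions than its caller, so unless a workflow-level block above the hunk already sets them, each job needs `permissions:` with `packages: write` and `id-token: write`, the latter for the keyless `cosign sign` step. Declaring them per job also keeps the token from inheriting broader repository defaults. Once nothing else references it, the `CR_PAT` secret should be revoked rather than left in the repository settings.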


@ -12,14 +12,10 @@ jobs:
id-token: write
uses: ./.github/workflows/reuse.yaml
with:
publish_command: docker-publish-initContainer
digest_command: docker-get-initContainer-digest
publish_command: ko-build-initContainer
image_name: kyvernopre
tag: release
main: cmd/initContainer
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
release-kyverno:
permissions:
@ -28,14 +24,10 @@ jobs:
id-token: write
uses: ./.github/workflows/reuse.yaml
with:
publish_command: docker-publish-kyverno
digest_command: docker-get-kyverno-digest
publish_command: ko-build-kyverno
image_name: kyverno
tag: release
main: cmd/kyverno
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
release-kyverno-cli:
permissions:
@ -44,14 +36,10 @@ jobs:
id-token: write
uses: ./.github/workflows/reuse.yaml
with:
publish_command: docker-publish-cli
digest_command: docker-get-cli-digest
publish_command: ko-build-cli
image_name: kyverno-cli
tag: release
main: cmd/cli/kubectl-kyverno
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
create-release:
runs-on: ubuntu-latest


@ -6,9 +6,6 @@ on:
publish_command:
required: true
type: string
digest_command:
required: true
type: string
image_name:
required: true
type: string
@ -17,11 +14,6 @@ on:
type: string
main:
type: string
secrets:
registry_username:
required: true
registry_password:
required: true
jobs:
build:
@ -63,21 +55,8 @@ jobs:
restore-keys: |
${{ runner.os }}-go-
- name: Log into ghcr.io
uses: docker/login-action@7c79b598eaa33458e78e8d0d71e0a9c217dd92af
with:
registry: ghcr.io
username: ${{secrets.registry_username}}
password: ${{secrets.registry_password}}
- name: Set up QEMU
uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
id: buildx
with:
install: true
- name: Install ko
uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5
- name: Run Trivy vulnerability scanner in repo mode
if: ${{inputs.tag == 'release'}}
@ -122,27 +101,19 @@ jobs:
echo ::set-output name=match::true
fi
- name : Docker images publish
- name: ko build dev image
id: ko-build-dev
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
run: make ${{inputs.publish_command}}-dev
- name : Docker release-images publish
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
run: make ${{inputs.publish_command}}
- name: get image digest
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
id: get-step-image
run: |
echo "::set-output name=digest::$(make ${{inputs.digest_command}}-dev)"
echo "::set-output name=digest::$(REGISTRY=ghcr.io/${{github.repository}} make ${{inputs.publish_command}}-dev)"
- name: get release-image digest
- name: ko build release image
id: ko-build
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
id: get-step
run: |
echo "::set-output name=digest::$(make ${{inputs.digest_command}})"
echo "::set-output name=digest::$(REGISTRY=ghcr.io/${{github.repository}} make ${{inputs.publish_command}})"
- name: Sign image
- name: Sign dev image
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
env:
COSIGN_EXPERIMENTAL: "true"
@ -152,7 +123,7 @@ jobs:
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step-image.outputs.digest }}
${{ steps.ko-build-dev.outputs.digest }}
- name: Sign release-image
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
@ -164,10 +135,10 @@ jobs:
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
${{ steps.ko-build.outputs.digest }}
- name : Attach SBOM
if: ${{inputs.tag == 'release'}}
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-build.outputs.digest }}
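Review bot: The `ko build dev image` and `ko build release image` steps place the entire stdout of `make` into the `digest` output, and that string is then passed unmodified to `cosign sign` and `cosign attach sbom`. The exit status of a command substitution inside `echo` is discarded, so a failed build still yields a green step with an empty or partial value, and any extra line make prints becomes part of the reference being signed. The old steps signed a reference assembled from `github.repository_owner` and `inputs.image_name`, so the registry path was fixed by the workflow; now it is whatever the build printed. The build step should capture the output into a variable, fail on error, and check that it is a single digest-pinned `ghcr.io` reference before exporting it; the same applies to the `-dev` step.

```yaml
      - name: ko build release image
        id: ko-build
        # … unchanged: if condition …
        run: |
          set -euo pipefail
          ref="$(REGISTRY=ghcr.io/${{github.repository}} make ${{inputs.publish_command}})"
          # Refuse to sign anything that is not exactly one digest-pinned reference.
          if [[ ! "$ref" =~ ^ghcr\.io/[^[:space:]]+@sha256:[0-9a-f]{64}$ ]]; then
            echo "unexpected build output: $ref" >&2
            exit 1
          fi
          echo "::set-output name=digest::$ref"
```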

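--- a/.ko.yaml
+++ b/.ko.yaml
@@ -0,0 +1,15 @@
+builds:
+- id: initContainer
+main: ./cmd/initContainer
+ldflags:
+- "{{ .Env.LD_FLAGS }}"
+- id: kyverno
+main: ./cmd/kyverno
+ldflags:
+- "{{ .Env.LD_FLAGS }}"
+- id: cli
+main: ./cmd/cli
+ldflags:
+- "{{ .Env.LD_FLAGS }}"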
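Review bot: The `cli` entry sets `main: ./cmd/cli`, but the Makefile in this commit builds `./$(CLI_PATH)` with `CLI_PATH := cmd/cli/kubectl-kyverno`. ko picks a `builds` entry by the package being built, so this entry presumably never matches and the CLI image is built without the `-X …/pkg/version.*` ldflags; `main: ./cmd/cli/kubectl-kyverno` would line it up with the other two entries. The file also sets no `defaultBaseImage`, so the base image is whatever ko's default tag resolves to at build time; pinning it by digest here would make the signed release images reproducible.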

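--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -0,0 +1,68 @@
+# Developer Instructions
+## Building and publishing an image locally
+First, make sure you [install `ko`](https://github.com/google/ko#install)
+### Publishing to your local Docker daemon
+Set the `KO_DOCKER_REPO` environment variable to `ko.local`:
+```
+KO_DOCKER_REPO=ko.local
+```
+Then build and publish an image:
+```
+ko build ./cmd/kyverno --preserve-import-paths
+```
+The image will be available locally as `ko.local/github.com/kyverno/kyverno/cmd/kyverno`.
+### Publishing to a local [KinD](https://kind.sigs.k8s.io/) cluster
+First, create your KinD cluster:
+```
+kind create cluster
+```
+Set the `KO_DOCKER_REPO` environment variable to `kind.local`:
+```
+KO_DOCKER_REPO=kind.local
+```
+Then build and publish an image:
+```
+ko build ./cmd/kyverno --preserve-import-paths
+```
+This will build and load the image into your KinD cluster as:
+```
+kind.local/github.com/kyverno/kyverno/cmd/kyverno
+```
+If you have multiple KinD clusters, or created them with a non-default name, set `KIND_CLUSTER_NAME=<your-cluster-name>`.
+### Publishing to a remote registry
+Set the `KO_DOCKER_REPO` environment variable to the registry you'd like to push to:
+For example:
+```
+KO_DOCKER_REPO=gcr.io/my-project/kyverno
+KO_DOCKER_REPO=my-dockerhub-user/my-dockerhub-repo
+KO_DOCKER_REPO=<ACCOUNTID>.dkr.ecr.<REGION>.amazonaws.com
+```
+Then build and publish an image:
+```
+ko build ./cmd/kyverno
+```
+The output will tell you the image name and digest of the image you just built.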

201
Makefile

@ -16,6 +16,7 @@ REPO=$(REGISTRY)/kyverno
IMAGE_TAG_LATEST_DEV=$(shell git describe --match "[0-9].[0-9]-dev*" | cut -d '-' -f-2)
IMAGE_TAG_DEV=$(GIT_VERSION_DEV)
IMAGE_TAG?=$(GIT_VERSION)
GOARCH ?= $(shell go env GOARCH)
GOOS ?= $(shell go env GOOS)
ifeq ($(GOOS), darwin)
SED=gsed
@ -23,8 +24,8 @@ else
SED=sed
endif
PACKAGE ?=github.com/kyverno/kyverno
LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
LD_FLAGS_DEV="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION_DEV) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
export LD_FLAGS = -s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)
export LD_FLAGS_DEV = -s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION_DEV) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)
K8S_VERSION ?= $(shell kubectl version --short | grep -i server | cut -d" " -f3 | cut -c2-)
export K8S_VERSION
TEST_GIT_BRANCH ?= main
@ -110,106 +111,57 @@ PWD := $(CURDIR)
INITC_PATH := cmd/initContainer
INITC_IMAGE := kyvernopre
initContainer: fmt vet
GOOS=$(GOOS) go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)
GOOS=$(GOOS) go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags="$(LD_FLAGS)" $(PWD)/$(INITC_PATH)
.PHONY: docker-build-initContainer docker-push-initContainer
.PHONY: ko-build-initContainer
docker-buildx-builder:
if ! docker buildx ls | grep -q kyverno; then\
docker buildx create --name kyverno --use;\
fi
ko-build-initContainer: KO_DOCKER_REPO=$(REPO)/$(INITC_IMAGE)
ko-build-initContainer:
@ko build ./$(INITC_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64,linux/arm64,linux/s390x
docker-publish-initContainer: docker-buildx-builder docker-build-initContainer docker-push-initContainer
ko-build-initContainer-amd64: KO_DOCKER_REPO=$(REPO)/$(INITC_IMAGE)
ko-build-initContainer-amd64:
@ko build ./$(INITC_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64
docker-build-initContainer: docker-buildx-builder
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
ko-build-initContainer-local: KO_DOCKER_REPO=kind.local
ko-build-initContainer-local: kind-e2e-cluster
@ko build ./$(INITC_PATH) --platform=linux/$(GOARCH) --tags=latest,$(IMAGE_TAG_DEV) --preserve-import-paths
INITC_KIND_IMAGE = kind.local/github.com/kyverno/kyverno/cmd/initcontainer
docker-build-initContainer-amd64:
@docker build -f $(PWD)/$(INITC_PATH)/Dockerfile \
-t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) \
-t $(REPO)/$(INITC_IMAGE):latest \
. \
--build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64"
docker-push-initContainer: docker-buildx-builder
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
docker-get-initContainer-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-build-initContainer-local:
CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags=$(LD_FLAGS_DEV) $(PWD)/$(INITC_PATH)
@docker build -f $(PWD)/$(INITC_PATH)/localDockerfile \
-t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) \
-t $(REPO)/$(INITC_IMAGE):latest \
$(PWD)/$(INITC_PATH)
docker-publish-initContainer-dev: docker-buildx-builder docker-push-initContainer-dev
docker-push-initContainer-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x \
--tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) \
--tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest \
--tag $(REPO)/$(INITC_IMAGE):latest \
. \
--build-arg LD_FLAGS=$(LD_FLAGS_DEV)
docker-get-initContainer-digest-dev:
@docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
# TODO(jason): LD_FLAGS_DEV
ko-build-initContainer-dev: KO_DOCKER_REPO=$(REPO)/$(INITC_IMAGE)
ko-build-initContainer-dev:
@ko build ./$(INITC_PATH) --platform=linux/amd64,linux/arm64,linux/s390x --tags=latest,$(IMAGE_TAG_DEV),$(IMAGE_TAG_LATEST_DEV)
##################################
# KYVERNO CONTAINER
##################################
.PHONY: docker-build-kyverno docker-push-kyverno
.PHONY: ko-build-kyverno
KYVERNO_PATH := cmd/kyverno
KYVERNO_IMAGE := kyverno
local:
go build -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)
go build -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH)
kyverno: fmt vet
GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)
GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags"$(LD_FLAGS)" $(PWD)/$(KYVERNO_PATH)
docker-publish-kyverno: docker-buildx-builder docker-build-kyverno docker-push-kyverno
ko-build-kyverno: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_IMAGE)
ko-build-kyverno:
@ko build ./$(KYVERNO_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64,linux/arm64,linux/s390x
docker-build-kyverno: docker-buildx-builder
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
ko-build-kyverno-amd64: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_IMAGE)
ko-build-kyverno-amd64:
@ko build ./$(KYVERNO_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64
docker-build-kyverno-local:
CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS_DEV) $(PWD)/$(KYVERNO_PATH)
@docker build -f $(PWD)/$(KYVERNO_PATH)/localDockerfile \
-t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) \
-t $(REPO)/$(KYVERNO_IMAGE):latest \
-t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest \
$(PWD)/$(KYVERNO_PATH)
ko-build-kyverno-local: KO_DOCKER_REPO=kind.local
ko-build-kyverno-local: kind-e2e-cluster
@ko build ./$(KYVERNO_PATH) --platform=linux/$(GOARCH) --tags=latest,$(IMAGE_TAG_DEV) --preserve-import-paths
docker-build-kyverno-amd64:
@docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile \
-t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) \
-t $(REPO)/$(KYVERNO_IMAGE):latest \
. \
--build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64"
KYVERNO_KIND_IMAGE = kind.local/github.com/kyverno/kyverno/cmd/kyverno
docker-push-kyverno: docker-buildx-builder
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
docker-get-kyverno-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-publish-kyverno-dev: docker-buildx-builder docker-push-kyverno-dev
docker-push-kyverno-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x \
--tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) \
--tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest \
--tag $(REPO)/$(KYVERNO_IMAGE):latest \
. \
--build-arg LD_FLAGS=$(LD_FLAGS_DEV)
docker-get-kyverno-digest-dev:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
# TODO(jason): LD_FLAGS_DEV
ko-build-kyverno-dev: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_IMAGE)
ko-build-kyverno-dev:
@ko build ./$(KYVERNO_PATH) --platform=linux/amd64,linux/arm64,linux/s390x --tags=latest,$(IMAGE_TAG_DEV),$(IMAGE_TAG_LATEST_DEV)
##################################
# Generate Docs for types.go
@ -233,53 +185,37 @@ verify-api-docs: generate-api-docs ## Check api reference docs are up to date
##################################
# CLI
##################################
.PHONY: docker-build-cli docker-push-cli
.PHONY: ko-build-cli
CLI_PATH := cmd/cli/kubectl-kyverno
KYVERNO_CLI_IMAGE := kyverno-cli
cli:
GOOS=$(GOOS) go build -o $(PWD)/$(CLI_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH)
GOOS=$(GOOS) go build -o $(PWD)/$(CLI_PATH)/kyverno -ldflags="$(LD_FLAGS)" $(PWD)/$(CLI_PATH)
docker-publish-cli: docker-buildx-builder docker-build-cli docker-push-cli
ko-build-cli: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_CLI_IMAGE)
ko-build-cli:
@ko build ./$(CLI_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64,linux/arm64,linux/s390x
docker-build-cli: docker-buildx-builder
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
ko-build-cli-amd64: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_CLI_IMAGE)
ko-build-cli-amd64:
@ko build ./$(CLI_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64
docker-build-cli-amd64:
@docker build -f $(PWD)/$(CLI_PATH)/Dockerfile \
-t $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) \
-t $(REPO)/$(KYVERNO_CLI_IMAGE):latest \
. \
--build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64"
ko-build-cli-local: KO_DOCKER_REPO=ko.local
ko-build-cli-local:
@ko build ./$(CLI_PATH) --platform=linux/$(GOARCH) --tags=latest,$(IMAGE_TAG_DEV)
docker-push-cli: docker-buildx-builder
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
docker-get-cli-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-publish-cli-dev: docker-buildx-builder docker-push-cli-dev
docker-push-cli-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x \
--tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) \
--tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest \
--tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest \
. \
--build-arg LD_FLAGS=$(LD_FLAGS_DEV)
docker-get-cli-digest-dev:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
# TODO(jason): LD_FLAGS_DEV
ko-build-cli-dev: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_CLI_IMAGE)
ko-build-cli-dev:
@ko build ./$(CLI_PATH) --platform=linux/amd64,linux/arm64,linux/s390x --tags=latest,$(IMAGE_TAG_DEV),$(IMAGE_TAG_LATEST_DEV)
##################################
docker-publish-all: docker-buildx-builder docker-publish-initContainer docker-publish-kyverno docker-publish-cli
ko-build-all: ko-build-initContainer ko-build-kyverno ko-build-cli
docker-build-all: docker-buildx-builder docker-build-initContainer docker-build-kyverno docker-build-cli
docker-build-all-amd64: docker-buildx-builder docker-build-initContainer-amd64 docker-build-kyverno-amd64 docker-build-cli-amd64
ko-build-all-amd64: ko-build-initContainer-amd64 ko-build-kyverno-amd64 ko-build-cli-amd64
##################################
# Create e2e Infrastruture
# Create e2e Infrastructure
##################################
.PHONY: kind-e2e-cluster
@ -289,20 +225,12 @@ kind-e2e-cluster: $(KIND) ## Create kind cluster for e2e tests
.PHONY: e2e-kustomize
e2e-kustomize: $(KUSTOMIZE) ## Build kustomize manifests for e2e tests
cd config && \
$(KUSTOMIZE) edit set image $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) && \
$(KUSTOMIZE) edit set image $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV)
$(KUSTOMIZE) build config/ -o config/install.yaml
kustomize edit set image $(INITC_KIND_IMAGE):$(IMAGE_TAG_DEV) && \
kustomize edit set image $(KYVERNO_KIND_IMAGE):$(IMAGE_TAG_DEV)
kustomize build config/ -o config/install.yaml
.PHONY: e2e-init-container
e2e-init-container: kind-e2e-cluster docker-build-initContainer-local
$(KIND) load docker-image $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV)
.PHONY: e2e-kyverno-container
e2e-kyverno-container: kind-e2e-cluster docker-build-kyverno-local
$(KIND) load docker-image $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV)
.PHONY: create-e2e-infrastruture
create-e2e-infrastruture: e2e-init-container e2e-kyverno-container e2e-kustomize ## Setup infrastructure for e2e tests
.PHONY: create-e2e-infrastructure
create-e2e-infrastructure: ko-build-initContainer-local ko-build-kyverno-local e2e-kustomize ## Setup infrastructure for e2e tests
##################################
# Testing & Code-Coverage
@ -379,7 +307,9 @@ helm-test-values:
sed -i -e "s|nameOverride:.*|nameOverride: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|fullnameOverride:.*|fullnameOverride: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|namespace:.*|namespace: kyverno|g" charts/kyverno/values.yaml
sed -i -e "s|tag: # replaced in e2e tests.*|tag: $(GIT_VERSION_DEV)|" charts/kyverno/values.yaml
sed -i -e "s|tag: # replaced in e2e tests.*|tag: $(IMAGE_TAG_DEV)|" charts/kyverno/values.yaml
sed -i -e "s|repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests|repository: $(INITC_KIND_IMAGE)|" charts/kyverno/values.yaml
sed -i -e "s|repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests|repository: $(KYVERNO_KIND_IMAGE)|" charts/kyverno/values.yaml
# godownloader create downloading script for kyverno-cli
godownloader:
@ -475,13 +405,12 @@ help: ## Shows the available commands
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
.PHONY: kind-deploy
kind-deploy: docker-build-initContainer-local docker-build-kyverno-local
kind load docker-image $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV)
kind load docker-image $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV)
kind-deploy: ko-build-initContainer-local ko-build-kyverno-local
helm upgrade --install kyverno --namespace kyverno --wait --create-namespace ./charts/kyverno \
--set image.repository=$(REPO)/$(KYVERNO_IMAGE) \
--set image.repository=$(KYVERNO_KIND_IMAGE) \
--set image.tag=$(IMAGE_TAG_DEV) \
--set initImage.repository=$(REPO)/$(INITC_IMAGE) \
--set initImage.repository=$(INITC_KIND_IMAGE) \
--set initImage.tag=$(IMAGE_TAG_DEV) \
--set extraArgs={--autogenInternals=true}
helm upgrade --install kyverno-policies --namespace kyverno --create-namespace ./charts/kyverno-policies
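Review bot: The `kyverno` target now reads `-ldflags"$(LD_FLAGS)"` with the `=` dropped, so `go build` is handed a flag it does not know; it should be `-ldflags="$(LD_FLAGS)"` as in the `initContainer` and `cli` targets. Because `LD_FLAGS` no longer carries its own quotes, the two `-ldflags=$(LD_FLAGS)` lines in the `local` target, which appear to be unchanged context, would now split at the first space and need the same quoting. The three `*-dev` targets still carry `# TODO(jason): LD_FLAGS_DEV`, so dev images are stamped with `GIT_VERSION` instead of `GIT_VERSION_DEV`, and they omit the `--bare` that the release targets pass, which as far as ko's default naming goes pushes them under a suffixed name rather than `$(REPO)/$(KYVERNO_IMAGE)`. Both are worth fixing before relying on the signatures, since the printed reference is what the workflow signs.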


@ -24,7 +24,7 @@ rbac:
image:
# -- Image repository
repository: ghcr.io/kyverno/kyverno
repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests
# -- Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: # replaced in e2e tests
@ -36,7 +36,7 @@ image:
initImage:
# -- Image repository
repository: ghcr.io/kyverno/kyvernopre
repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests
# -- Image tag
# If initImage.tag is missing, defaults to image.tag
tag: # replaced in e2e tests


@ -1,34 +0,0 @@
# Multi-stage docker build
# Build stage
FROM --platform=${BUILDPLATFORM} golang@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 AS base
WORKDIR /src
LABEL maintainer="Kyverno"
COPY go.* .
RUN --mount=type=cache,target=/go/pkg/mod \
go mod download
FROM --platform=${BUILDPLATFORM} tonistiigi/xx:1.1.1@sha256:23ca08d120366b31d1d7fad29283181f063b0b43879e1f93c045ca5b548868e9 AS xx
FROM base AS builder
# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
ARG LD_FLAGS
ARG TARGETPLATFORM
COPY --from=xx / /
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \
CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/
# Packaging stage
FROM ghcr.io/distroless/static:latest
LABEL maintainer="Kyverno"
COPY --from=builder /output/kyverno /
ENTRYPOINT ["/kyverno"]


@ -1,35 +0,0 @@
# Multi-stage docker build
# Build stage
FROM --platform=${BUILDPLATFORM} golang@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 AS base
WORKDIR /src
LABEL maintainer="Kyverno"
COPY go.* .
RUN --mount=type=cache,target=/go/pkg/mod \
go mod download
FROM --platform=${BUILDPLATFORM} tonistiigi/xx:1.1.1@sha256:23ca08d120366b31d1d7fad29283181f063b0b43879e1f93c045ca5b548868e9 AS xx
FROM base AS builder
# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
ARG LD_FLAGS
ARG TARGETPLATFORM
COPY --from=xx / /
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \
CGO_ENABLED=0 xx-go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/
# Packaging stage
FROM ghcr.io/distroless/static:latest
LABEL maintainer="Kyverno"
COPY --from=builder /output/kyvernopre /
ENTRYPOINT ["/kyvernopre"]


@ -1,4 +0,0 @@
FROM scratch
ADD kyvernopre /kyvernopre
USER 10001
ENTRYPOINT ["/kyvernopre"]


@ -1,37 +0,0 @@
FROM --platform=${BUILDPLATFORM} golang:alpine AS certs
LABEL maintainer="Kyverno"
RUN apk add --no-cache ca-certificates
FROM --platform=${BUILDPLATFORM} golang@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 AS base
WORKDIR /src
LABEL maintainer="Kyverno"
COPY go.* .
RUN --mount=type=cache,target=/go/pkg/mod \
go mod download
FROM --platform=${BUILDPLATFORM} tonistiigi/xx:1.1.1@sha256:23ca08d120366b31d1d7fad29283181f063b0b43879e1f93c045ca5b548868e9 AS xx
FROM base AS builder
# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
ARG LD_FLAGS
ARG TARGETPLATFORM
COPY --from=xx / /
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \
CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
# Packaging stage
FROM ghcr.io/distroless/static:latest
LABEL maintainer="Kyverno"
COPY --from=builder /output/kyverno /
ENTRYPOINT ["/kyverno"]


@ -1,5 +0,0 @@
FROM golang:alpine
ADD kyverno /kyverno
RUN apk add --no-cache ca-certificates
USER 10001
ENTRYPOINT ["/kyverno"]