diff --git a/.github/workflows/e2e-autogen-internals.yaml b/.github/workflows/e2e-autogen-internals.yaml index 10b61a2194..ef6adcaf61 100644 --- a/.github/workflows/e2e-autogen-internals.yaml +++ b/.github/workflows/e2e-autogen-internals.yaml @@ -54,10 +54,13 @@ jobs: restore-keys: | ${{ runner.os }}-go- - - name : Create dev images, kind cluster and setup kustomize + - name: Install ko + uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5 + + - name: Create dev images, kind cluster and setup kustomize run: | export KIND_IMAGE=kindest/node:${{ matrix.k8s-version }} - make create-e2e-infrastruture + make create-e2e-infrastructure - name: e2e testing run: | diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 631697bdc4..efd5c580d8 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -52,10 +52,13 @@ jobs: restore-keys: | ${{ runner.os }}-go- + - name: Install ko + uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5 + - name : Create dev images, kind cluster and setup kustomize run: | export KIND_IMAGE=kindest/node:${{ matrix.k8s-version }} - make create-e2e-infrastruture + make create-e2e-infrastructure - name: e2e testing run: | diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml index ddf6f90ceb..a468c3be41 100644 --- a/.github/workflows/image-build.yaml +++ b/.github/workflows/image-build.yaml 
@@ -83,18 +83,11 @@ jobs: restore-keys: | ${{ runner.os }}-go- - - name: Set up QEMU - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0 + - name: Install ko + uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0 - id: buildx - with: - install: true - - - name: docker images build - run: | - make docker-build-initContainer + - name: ko build + run: REGISTRY=ghcr.io/${{github.repository}} make ko-build-initContainer build-kyverno: runs-on: ubuntu-latest @@ -119,18 +112,11 @@ jobs: restore-keys: | ${{ runner.os }}-go- - - name: Set up QEMU - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0 + - name: Install ko + uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0 - id: buildx - with: - install: true - - - name: docker images build - run: | - make docker-build-kyverno + - name: ko build + run: REGISTRY=ghcr.io/${{github.repository}} make ko-build-kyverno - name: Trivy Scan Image uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c @@ -164,15 +150,8 @@ jobs: restore-keys: | ${{ runner.os }}-go- - - name: Set up QEMU - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0 + - name: Install ko + uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0 - id: buildx - with: - install: true - - - name: docker images build - run: | - make docker-build-cli + - name: ko build + run: REGISTRY=ghcr.io/${{github.repository}} make ko-build-cli diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 16745ced25..75cabf09b0 100644 
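Review bot: The new `ko build` step in this hunk publishes the image, which the replaced `make docker-build-initContainer` step did not. The Makefile recipe behind it is `ko build ... --bare --tags=latest,$(IMAGE_TAG)`, and ko pushes to `KO_DOCKER_REPO` unless told otherwise, whereas the old `docker buildx build` line carried no `--push`. If this workflow runs on pull requests (its triggers are outside the hunk), the build check either fails for lack of push rights or moves the `latest` tag onto code that has not been reviewed. Point the job at a non-publishing variant of the target, for example one that adds `--push=false` to the `ko build` line. The `make ko-build-kyverno` and `make ko-build-cli` steps in the next two hunks need the same change.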
--- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -14,32 +14,20 @@ jobs: push-init-kyverno: uses: ./.github/workflows/reuse.yaml with: - publish_command: docker-publish-initContainer - digest_command: docker-get-initContainer-digest + publish_command: ko-build-initContainer image_name: kyvernopre tag: image - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} push-kyverno: uses: ./.github/workflows/reuse.yaml with: - publish_command: docker-publish-kyverno - digest_command: docker-get-kyverno-digest + publish_command: ko-build-kyverno image_name: kyverno tag: image - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} push-kyverno-cli: uses: ./.github/workflows/reuse.yaml with: - publish_command: docker-publish-cli - digest_command: docker-get-cli-digest + publish_command: ko-build-cli image_name: kyverno-cli tag: image - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ba9024d29d..e5221ba723 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -12,14 +12,10 @@ jobs: id-token: write uses: ./.github/workflows/reuse.yaml with: - publish_command: docker-publish-initContainer - digest_command: docker-get-initContainer-digest + publish_command: ko-build-initContainer image_name: kyvernopre tag: release main: cmd/initContainer - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} release-kyverno: permissions: 
@@ -28,14 +24,10 @@ jobs: id-token: write uses: ./.github/workflows/reuse.yaml with: - publish_command: docker-publish-kyverno - digest_command: docker-get-kyverno-digest + publish_command: ko-build-kyverno image_name: kyverno tag: release main: cmd/kyverno - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} release-kyverno-cli: permissions: @@ -44,14 +36,10 @@ jobs: id-token: write uses: ./.github/workflows/reuse.yaml with: - publish_command: docker-publish-cli - digest_command: docker-get-cli-digest + publish_command: ko-build-cli image_name: kyverno-cli tag: release main: cmd/cli/kubectl-kyverno - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} create-release: runs-on: ubuntu-latest diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml index 78c4bba368..a9d78ade15 100644 --- a/.github/workflows/reuse.yaml +++ b/.github/workflows/reuse.yaml @@ -6,9 +6,6 @@ on: publish_command: required: true type: string - digest_command: - required: true - type: string image_name: required: true type: string @@ -17,11 +14,6 @@ on: type: string main: type: string - secrets: - registry_username: - required: true - registry_password: - required: true jobs: build: @@ -63,21 +55,8 @@ jobs: restore-keys: | ${{ runner.os }}-go- - - name: Log into ghcr.io - uses: docker/login-action@7c79b598eaa33458e78e8d0d71e0a9c217dd92af - with: - registry: ghcr.io - username: ${{secrets.registry_username}} - password: ${{secrets.registry_password}} - - - name: Set up QEMU - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0 - id: buildx - with: - install: true + - name: Install ko + uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d #v0.5 - name: Run Trivy vulnerability scanner in repo mode if: ${{inputs.tag == 'release'}} 
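Review bot: In the reuse.yaml hunk that replaces `Log into ghcr.io` with `Install ko`, no explicit registry authentication remains, and the `registry_username`/`registry_password` secrets are removed from the interface as well. The push in the later `ko build` steps therefore depends on whatever the setup-ko action configures implicitly, presumably a login with the workflow's `GITHUB_TOKEN`. The calling jobs in image.yaml show no `permissions:` block within their hunk, and the release.yaml callers show only `id-token: write` within view, so please confirm each caller grants `packages: write`. I would also document the dependency on the step itself, e.g. `# setup-ko performs the ghcr.io login with GITHUB_TOKEN; callers must grant packages: write`.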
@@ -122,27 +101,19 @@ jobs: echo ::set-output name=match::true fi - - name : Docker images publish + - name: ko build dev image + id: ko-build-dev if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} - run: make ${{inputs.publish_command}}-dev - - - name : Docker release-images publish - if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} - run: make ${{inputs.publish_command}} - - - name: get image digest - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} - id: get-step-image run: | - echo "::set-output name=digest::$(make ${{inputs.digest_command}}-dev)" + echo "::set-output name=digest::$(REGISTRY=ghcr.io/${{github.repository}} make ${{inputs.publish_command}}-dev)" - - name: get release-image digest + - name: ko build release image + id: ko-build if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} - id: get-step run: | - echo "::set-output name=digest::$(make ${{inputs.digest_command}})" + echo "::set-output name=digest::$(REGISTRY=ghcr.io/${{github.repository}} make ${{inputs.publish_command}})" - - name: Sign image + - name: Sign dev image if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} env: COSIGN_EXPERIMENTAL: "true" @@ -152,7 +123,7 @@ jobs: -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ - ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step-image.outputs.digest }} + ${{ steps.ko-build-dev.outputs.digest }} - name: Sign release-image if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} 
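Review bot: A failing `make` inside `$(...)` does not fail the `ko build dev image` step, because the step's exit status is that of `echo`. An aborted or partial `ko build` therefore produces an empty or malformed `digest` output that the signing steps pass straight to `cosign sign`. Assign first so the step fails closed: `ref="$(REGISTRY=ghcr.io/${{github.repository}} make ${{inputs.publish_command}}-dev)"` followed by `echo "::set-output name=digest::${ref}"`, ideally after checking that `ref` contains `@sha256:`. The `ko build release image` step has the same shape and needs the same change. The output is also still named `digest` although it now carries a full image reference; renaming it, or adding a comment saying so, would keep the sign and SBOM steps readable.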
@@ -164,10 +135,10 @@ jobs: -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ - ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }} + ${{ steps.ko-build.outputs.digest }} - name : Attach SBOM if: ${{inputs.tag == 'release'}} env: COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" - run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }} + run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-build.outputs.digest }} diff --git a/.ko.yaml b/.ko.yaml new file mode 100644 index 0000000000..3d18afbcc2 --- /dev/null +++ b/.ko.yaml @@ -0,0 +1,15 @@ +builds: +- id: initContainer + main: ./cmd/initContainer + ldflags: + - "{{ .Env.LD_FLAGS }}" + +- id: kyverno + main: ./cmd/kyverno + ldflags: + - "{{ .Env.LD_FLAGS }}" + +- id: cli + main: ./cmd/cli + ldflags: + - "{{ .Env.LD_FLAGS }}" diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md new file mode 100644 index 0000000000..571180e1b7 --- /dev/null +++ b/DEVELOPMENT.md 
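Review bot: In the new `.ko.yaml`, the `cli` entry sets `main: ./cmd/cli`, but the Makefile builds the CLI image from `./$(CLI_PATH)` with `CLI_PATH := cmd/cli/kubectl-kyverno`, and the deleted Dockerfile built `./cmd/cli/kubectl-kyverno/`. As far as I know ko selects a build entry by the main package's import path, so this entry would never match and the CLI image would be built without `LD_FLAGS`, silently losing the version stamping and `-s -w`. Change it to `main: ./cmd/cli/kubectl-kyverno`. A header comment such as `# LD_FLAGS is exported by the Makefile; set it when invoking ko directly` would also help, since the DEVELOPMENT.md instructions run `ko build` without it.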
@@ -0,0 +1,68 @@ +# Developer Instructions + +## Building and publishing an image locally + +First, make sure you [install `ko`](https://github.com/google/ko#install) + +### Publishing to your local Docker daemon + +Set the `KO_DOCKER_REPO` environment variable to `ko.local`: + +``` +KO_DOCKER_REPO=ko.local +``` + +Then build and publish an image: + +``` +ko build ./cmd/kyverno --preserve-import-paths +``` + +The image will be available locally as `ko.local/github.com/kyverno/kyverno/cmd/kyverno`. + +### Publishing to a local [KinD](https://kind.sigs.k8s.io/) cluster + +First, create your KinD cluster: + +``` +kind create cluster +``` + +Set the `KO_DOCKER_REPO` environment variable to `kind.local`: + +``` +KO_DOCKER_REPO=kind.local +``` + +Then build and publish an image: + +``` +ko build ./cmd/kyverno --preserve-import-paths +``` + +This will build and load the image into your KinD cluster as: + +``` +kind.local/github.com/kyverno/kyverno/cmd/kyverno +``` + +If you have multiple KinD clusters, or created them with a non-default name, set `KIND_CLUSTER_NAME=`. + +### Publishing to a remote registry + +Set the `KO_DOCKER_REPO` environment variable to the registry you'd like to push to: +For example: + +``` +KO_DOCKER_REPO=gcr.io/my-project/kyverno +KO_DOCKER_REPO=my-dockerhub-user/my-dockerhub-repo +KO_DOCKER_REPO=.dkr.ecr..amazonaws.com +``` + +Then build and publish an image: + +``` +ko build ./cmd/kyverno +``` + +The output will tell you the image name and digest of the image you just built. diff --git a/Makefile b/Makefile index 88e6328e83..f972cb266d 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,7 @@ REPO=$(REGISTRY)/kyverno IMAGE_TAG_LATEST_DEV=$(shell git describe --match "[0-9].[0-9]-dev*" | cut -d '-' -f-2) IMAGE_TAG_DEV=$(GIT_VERSION_DEV) IMAGE_TAG?=$(GIT_VERSION) +GOARCH ?= $(shell go env GOARCH) GOOS ?= $(shell go env GOOS) ifeq ($(GOOS), darwin) SED=gsed 
@@ -23,8 +24,8 @@ else SED=sed endif PACKAGE ?=github.com/kyverno/kyverno -LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)" -LD_FLAGS_DEV="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION_DEV) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)" +export LD_FLAGS = -s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP) +export LD_FLAGS_DEV = -s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION_DEV) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP) K8S_VERSION ?= $(shell kubectl version --short | grep -i server | cut -d" " -f3 | cut -c2-) export K8S_VERSION TEST_GIT_BRANCH ?= main 
@@ -110,106 +111,57 @@ PWD := $(CURDIR) INITC_PATH := cmd/initContainer INITC_IMAGE := kyvernopre initContainer: fmt vet - GOOS=$(GOOS) go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH) + GOOS=$(GOOS) go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags="$(LD_FLAGS)" $(PWD)/$(INITC_PATH) -.PHONY: docker-build-initContainer docker-push-initContainer +.PHONY: ko-build-initContainer -docker-buildx-builder: - if ! docker buildx ls | grep -q kyverno; then\ - docker buildx create --name kyverno --use;\ - fi +ko-build-initContainer: KO_DOCKER_REPO=$(REPO)/$(INITC_IMAGE) +ko-build-initContainer: + @ko build ./$(INITC_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64,linux/arm64,linux/s390x -docker-publish-initContainer: docker-buildx-builder docker-build-initContainer docker-push-initContainer +ko-build-initContainer-amd64: KO_DOCKER_REPO=$(REPO)/$(INITC_IMAGE) +ko-build-initContainer-amd64: + @ko build ./$(INITC_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64 -docker-build-initContainer: docker-buildx-builder - @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) +ko-build-initContainer-local: KO_DOCKER_REPO=kind.local +ko-build-initContainer-local: kind-e2e-cluster + @ko build ./$(INITC_PATH) --platform=linux/$(GOARCH) --tags=latest,$(IMAGE_TAG_DEV) --preserve-import-paths +INITC_KIND_IMAGE = kind.local/github.com/kyverno/kyverno/cmd/initcontainer -docker-build-initContainer-amd64: - @docker build -f $(PWD)/$(INITC_PATH)/Dockerfile \ - -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) \ - -t $(REPO)/$(INITC_IMAGE):latest \ - . 
\ - --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64" - -docker-push-initContainer: docker-buildx-builder - @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) - -docker-get-initContainer-digest: - @docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' - -docker-build-initContainer-local: - CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags=$(LD_FLAGS_DEV) $(PWD)/$(INITC_PATH) - @docker build -f $(PWD)/$(INITC_PATH)/localDockerfile \ - -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) \ - -t $(REPO)/$(INITC_IMAGE):latest \ - $(PWD)/$(INITC_PATH) - -docker-publish-initContainer-dev: docker-buildx-builder docker-push-initContainer-dev - -docker-push-initContainer-dev: docker-buildx-builder - @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x \ - --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) \ - --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest \ - --tag $(REPO)/$(INITC_IMAGE):latest \ - . 
\ - --build-arg LD_FLAGS=$(LD_FLAGS_DEV) - -docker-get-initContainer-digest-dev: - @docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' +# TODO(jason): LD_FLAGS_DEV +ko-build-initContainer-dev: KO_DOCKER_REPO=$(REPO)/$(INITC_IMAGE) +ko-build-initContainer-dev: + @ko build ./$(INITC_PATH) --platform=linux/amd64,linux/arm64,linux/s390x --tags=latest,$(IMAGE_TAG_DEV),$(IMAGE_TAG_LATEST_DEV) ################################## # KYVERNO CONTAINER ################################## -.PHONY: docker-build-kyverno docker-push-kyverno +.PHONY: ko-build-kyverno KYVERNO_PATH := cmd/kyverno KYVERNO_IMAGE := kyverno -local: - go build -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH) - go build -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH) - kyverno: fmt vet - GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH) + GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags"$(LD_FLAGS)" $(PWD)/$(KYVERNO_PATH) -docker-publish-kyverno: docker-buildx-builder docker-build-kyverno docker-push-kyverno +ko-build-kyverno: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_IMAGE) +ko-build-kyverno: + @ko build ./$(KYVERNO_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64,linux/arm64,linux/s390x -docker-build-kyverno: docker-buildx-builder - @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . 
--build-arg LD_FLAGS=$(LD_FLAGS) +ko-build-kyverno-amd64: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_IMAGE) +ko-build-kyverno-amd64: + @ko build ./$(KYVERNO_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64 -docker-build-kyverno-local: - CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS_DEV) $(PWD)/$(KYVERNO_PATH) - @docker build -f $(PWD)/$(KYVERNO_PATH)/localDockerfile \ - -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) \ - -t $(REPO)/$(KYVERNO_IMAGE):latest \ - -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest \ - $(PWD)/$(KYVERNO_PATH) +ko-build-kyverno-local: KO_DOCKER_REPO=kind.local +ko-build-kyverno-local: kind-e2e-cluster + @ko build ./$(KYVERNO_PATH) --platform=linux/$(GOARCH) --tags=latest,$(IMAGE_TAG_DEV) --preserve-import-paths -docker-build-kyverno-amd64: - @docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile \ - -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) \ - -t $(REPO)/$(KYVERNO_IMAGE):latest \ - . \ - --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64" +KYVERNO_KIND_IMAGE = kind.local/github.com/kyverno/kyverno/cmd/kyverno -docker-push-kyverno: docker-buildx-builder - @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) - -docker-get-kyverno-digest: - @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' - -docker-publish-kyverno-dev: docker-buildx-builder docker-push-kyverno-dev - -docker-push-kyverno-dev: docker-buildx-builder - @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x \ - --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) \ - --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest \ - --tag $(REPO)/$(KYVERNO_IMAGE):latest \ - . 
\ - --build-arg LD_FLAGS=$(LD_FLAGS_DEV) - -docker-get-kyverno-digest-dev: - @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' +# TODO(jason): LD_FLAGS_DEV +ko-build-kyverno-dev: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_IMAGE) +ko-build-kyverno-dev: + @ko build ./$(KYVERNO_PATH) --platform=linux/amd64,linux/arm64,linux/s390x --tags=latest,$(IMAGE_TAG_DEV),$(IMAGE_TAG_LATEST_DEV) ################################## # Generate Docs for types.go 
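Review bot: The `kyverno:` target writes `-ldflags"$(LD_FLAGS)"` without the `=`, so the shell hands `go build` a single argument beginning `-ldflags-s`, which it will reject as an unknown flag. The `initContainer` and `cli` targets use the correct form, so change the line to end `-ldflags="$(LD_FLAGS)" $(PWD)/$(KYVERNO_PATH)`. Separately, `ko-build-initContainer-dev` and `ko-build-kyverno-dev` here, and `ko-build-cli-dev` in the CLI hunk, omit `--bare`. ko will then likely append its default name suffix under `KO_DOCKER_REPO`, so dev images would be published and signed under a different name than the release ones. Those targets also still stamp `LD_FLAGS` rather than `LD_FLAGS_DEV`, as the TODO notes, and now tag `$(IMAGE_TAG_LATEST_DEV)` without the former `-latest` suffix; if that is intended, a short comment on the targets should say so.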
@@ -233,53 +185,37 @@ verify-api-docs: generate-api-docs ## Check api reference docs are up to date ################################## # CLI ################################## -.PHONY: docker-build-cli docker-push-cli +.PHONY: ko-build-cli CLI_PATH := cmd/cli/kubectl-kyverno KYVERNO_CLI_IMAGE := kyverno-cli cli: - GOOS=$(GOOS) go build -o $(PWD)/$(CLI_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH) + GOOS=$(GOOS) go build -o $(PWD)/$(CLI_PATH)/kyverno -ldflags="$(LD_FLAGS)" $(PWD)/$(CLI_PATH) -docker-publish-cli: docker-buildx-builder docker-build-cli docker-push-cli +ko-build-cli: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_CLI_IMAGE) +ko-build-cli: + @ko build ./$(CLI_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64,linux/arm64,linux/s390x -docker-build-cli: docker-buildx-builder - @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) +ko-build-cli-amd64: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_CLI_IMAGE) +ko-build-cli-amd64: + @ko build ./$(CLI_PATH) --bare --tags=latest,$(IMAGE_TAG) --platform=linux/amd64 -docker-build-cli-amd64: - @docker build -f $(PWD)/$(CLI_PATH)/Dockerfile \ - -t $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) \ - -t $(REPO)/$(KYVERNO_CLI_IMAGE):latest \ - . \ - --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64" +ko-build-cli-local: KO_DOCKER_REPO=ko.local +ko-build-cli-local: + @ko build ./$(CLI_PATH) --platform=linux/$(GOARCH) --tags=latest,$(IMAGE_TAG_DEV) -docker-push-cli: docker-buildx-builder - @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . 
--build-arg LD_FLAGS=$(LD_FLAGS) - -docker-get-cli-digest: - @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' - -docker-publish-cli-dev: docker-buildx-builder docker-push-cli-dev - -docker-push-cli-dev: docker-buildx-builder - @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64,linux/s390x \ - --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) \ - --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest \ - --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest \ - . \ - --build-arg LD_FLAGS=$(LD_FLAGS_DEV) - -docker-get-cli-digest-dev: - @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' +# TODO(jason): LD_FLAGS_DEV +ko-build-cli-dev: KO_DOCKER_REPO=$(REPO)/$(KYVERNO_CLI_IMAGE) +ko-build-cli-dev: + @ko build ./$(CLI_PATH) --platform=linux/amd64,linux/arm64,linux/s390x --tags=latest,$(IMAGE_TAG_DEV),$(IMAGE_TAG_LATEST_DEV) ################################## -docker-publish-all: docker-buildx-builder docker-publish-initContainer docker-publish-kyverno docker-publish-cli +ko-build-all: ko-build-initContainer ko-build-kyverno ko-build-cli -docker-build-all: docker-buildx-builder docker-build-initContainer docker-build-kyverno docker-build-cli - -docker-build-all-amd64: docker-buildx-builder docker-build-initContainer-amd64 docker-build-kyverno-amd64 docker-build-cli-amd64 +ko-build-all-amd64: ko-build-initContainer-amd64 ko-build-kyverno-amd64 ko-build-cli-amd64 ################################## -# Create e2e Infrastruture +# Create e2e Infrastructure ################################## .PHONY: kind-e2e-cluster 
@@ -289,20 +225,12 @@ kind-e2e-cluster: $(KIND) ## Create kind cluster for e2e tests .PHONY: e2e-kustomize e2e-kustomize: $(KUSTOMIZE) ## Build kustomize manifests for e2e tests cd config && \ - $(KUSTOMIZE) edit set image $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) && \ - $(KUSTOMIZE) edit set image $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) - $(KUSTOMIZE) build config/ -o config/install.yaml + kustomize edit set image $(INITC_KIND_IMAGE):$(IMAGE_TAG_DEV) && \ + kustomize edit set image $(KYVERNO_KIND_IMAGE):$(IMAGE_TAG_DEV) + kustomize build config/ -o config/install.yaml -.PHONY: e2e-init-container -e2e-init-container: kind-e2e-cluster docker-build-initContainer-local - $(KIND) load docker-image $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) - -.PHONY: e2e-kyverno-container -e2e-kyverno-container: kind-e2e-cluster docker-build-kyverno-local - $(KIND) load docker-image $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) - -.PHONY: create-e2e-infrastruture -create-e2e-infrastruture: e2e-init-container e2e-kyverno-container e2e-kustomize ## Setup infrastructure for e2e tests +.PHONY: create-e2e-infrastructure +create-e2e-infrastructure: ko-build-initContainer-local ko-build-kyverno-local e2e-kustomize ## Setup infrastructure for e2e tests ################################## # Testing & Code-Coverage 
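Review bot: The `e2e-kustomize` recipe now runs a bare `kustomize`, while the target still lists `$(KUSTOMIZE)` as its prerequisite. The binary the Makefile installs is therefore not the one executed, and the e2e manifests are rendered by whichever `kustomize` is first on the runner's PATH, or the target fails if none is present. Keep the variable in all three commands: `$(KUSTOMIZE) edit set image $(INITC_KIND_IMAGE):$(IMAGE_TAG_DEV)`, the matching `$(KYVERNO_KIND_IMAGE)` line, and `$(KUSTOMIZE) build config/ -o config/install.yaml`.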
@@ -379,7 +307,9 @@ helm-test-values: sed -i -e "s|nameOverride:.*|nameOverride: kyverno|g" charts/kyverno/values.yaml sed -i -e "s|fullnameOverride:.*|fullnameOverride: kyverno|g" charts/kyverno/values.yaml sed -i -e "s|namespace:.*|namespace: kyverno|g" charts/kyverno/values.yaml - sed -i -e "s|tag: # replaced in e2e tests.*|tag: $(GIT_VERSION_DEV)|" charts/kyverno/values.yaml + sed -i -e "s|tag: # replaced in e2e tests.*|tag: $(IMAGE_TAG_DEV)|" charts/kyverno/values.yaml + sed -i -e "s|repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests|repository: $(INITC_KIND_IMAGE)|" charts/kyverno/values.yaml + sed -i -e "s|repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests|repository: $(KYVERNO_KIND_IMAGE)|" charts/kyverno/values.yaml # godownloader create downloading script for kyverno-cli godownloader: @@ -475,13 +405,12 @@ help: ## Shows the available commands @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' .PHONY: kind-deploy -kind-deploy: docker-build-initContainer-local docker-build-kyverno-local - kind load docker-image $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) - kind load docker-image $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) +kind-deploy: ko-build-initContainer-local ko-build-kyverno-local helm upgrade --install kyverno --namespace kyverno --wait --create-namespace ./charts/kyverno \ - --set image.repository=$(REPO)/$(KYVERNO_IMAGE) \ + --set image.repository=$(KYVERNO_KIND_IMAGE) \ --set image.tag=$(IMAGE_TAG_DEV) \ - --set initImage.repository=$(REPO)/$(INITC_IMAGE) \ + --set initImage.repository=$(INITC_KIND_IMAGE) \ --set initImage.tag=$(IMAGE_TAG_DEV) \ --set extraArgs={--autogenInternals=true} helm upgrade --install kyverno-policies --namespace kyverno --create-namespace ./charts/kyverno-policies + diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 1379c4a2f6..bf688b2ea2 100644 --- a/charts/kyverno/values.yaml 
+++ b/charts/kyverno/values.yaml @@ -24,7 +24,7 @@ rbac: image: # -- Image repository - repository: ghcr.io/kyverno/kyverno + repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests # -- Image tag # Defaults to appVersion in Chart.yaml if omitted tag: # replaced in e2e tests @@ -36,7 +36,7 @@ image: initImage: # -- Image repository - repository: ghcr.io/kyverno/kyvernopre + repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests # -- Image tag # If initImage.tag is missing, defaults to image.tag tag: # replaced in e2e tests diff --git a/cmd/cli/kubectl-kyverno/Dockerfile b/cmd/cli/kubectl-kyverno/Dockerfile deleted file mode 100644 index 9a7aaaf958..0000000000 --- a/cmd/cli/kubectl-kyverno/Dockerfile +++ /dev/null @@ -1,34 +0,0 @@ -# Multi-stage docker build -# Build stage -FROM --platform=${BUILDPLATFORM} golang@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 AS base -WORKDIR /src -LABEL maintainer="Kyverno" - -COPY go.* . - -RUN --mount=type=cache,target=/go/pkg/mod \ - go mod download - -FROM --platform=${BUILDPLATFORM} tonistiigi/xx:1.1.1@sha256:23ca08d120366b31d1d7fad29283181f063b0b43879e1f93c045ca5b548868e9 AS xx - -FROM base AS builder - -# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed -ARG LD_FLAGS -ARG TARGETPLATFORM - -COPY --from=xx / / - -RUN --mount=type=bind,target=. \ - --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/ - -# Packaging stage -FROM ghcr.io/distroless/static:latest - -LABEL maintainer="Kyverno" - -COPY --from=builder /output/kyverno / - -ENTRYPOINT ["/kyverno"] diff --git a/cmd/initContainer/Dockerfile b/cmd/initContainer/Dockerfile deleted file mode 100644 index 1c1f4bcc3f..0000000000 --- a/cmd/initContainer/Dockerfile +++ /dev/null 
@@ -1,35 +0,0 @@ -# Multi-stage docker build -# Build stage -FROM --platform=${BUILDPLATFORM} golang@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 AS base -WORKDIR /src -LABEL maintainer="Kyverno" - -COPY go.* . - -RUN --mount=type=cache,target=/go/pkg/mod \ - go mod download - -FROM --platform=${BUILDPLATFORM} tonistiigi/xx:1.1.1@sha256:23ca08d120366b31d1d7fad29283181f063b0b43879e1f93c045ca5b548868e9 AS xx - -FROM base AS builder - -# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed -ARG LD_FLAGS -ARG TARGETPLATFORM - -COPY --from=xx / / - -RUN --mount=type=bind,target=. \ - --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - CGO_ENABLED=0 xx-go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/ - -# Packaging stage -FROM ghcr.io/distroless/static:latest - -LABEL maintainer="Kyverno" - -COPY --from=builder /output/kyvernopre / - - -ENTRYPOINT ["/kyvernopre"] diff --git a/cmd/initContainer/localDockerfile b/cmd/initContainer/localDockerfile deleted file mode 100644 index 166b114831..0000000000 --- a/cmd/initContainer/localDockerfile +++ /dev/null @@ -1,4 +0,0 @@ -FROM scratch -ADD kyvernopre /kyvernopre -USER 10001 -ENTRYPOINT ["/kyvernopre"] diff --git a/cmd/kyverno/Dockerfile b/cmd/kyverno/Dockerfile deleted file mode 100644 index e845906068..0000000000 --- a/cmd/kyverno/Dockerfile +++ /dev/null 
@@ -1,37 +0,0 @@ -FROM --platform=${BUILDPLATFORM} golang:alpine AS certs - -LABEL maintainer="Kyverno" - -RUN apk add --no-cache ca-certificates - -FROM --platform=${BUILDPLATFORM} golang@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 AS base -WORKDIR /src -LABEL maintainer="Kyverno" - -COPY go.* . - -RUN --mount=type=cache,target=/go/pkg/mod \ - go mod download - -FROM --platform=${BUILDPLATFORM} tonistiigi/xx:1.1.1@sha256:23ca08d120366b31d1d7fad29283181f063b0b43879e1f93c045ca5b548868e9 AS xx - -FROM base AS builder - -# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed -ARG LD_FLAGS -ARG TARGETPLATFORM - -COPY --from=xx / / - -RUN --mount=type=bind,target=. \ - --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/ - -# Packaging stage -FROM ghcr.io/distroless/static:latest - -LABEL maintainer="Kyverno" -COPY --from=builder /output/kyverno / - -ENTRYPOINT ["/kyverno"] diff --git a/cmd/kyverno/localDockerfile b/cmd/kyverno/localDockerfile deleted file mode 100644 index dd8cc2bee1..0000000000 --- a/cmd/kyverno/localDockerfile +++ /dev/null @@ -1,5 +0,0 @@ -FROM golang:alpine -ADD kyverno /kyverno -RUN apk add --no-cache ca-certificates -USER 10001 -ENTRYPOINT ["/kyverno"] \ No newline at end of file