-
Notifications
You must be signed in to change notification settings - Fork 63
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adapts the team's standard Makefile to use on GitHub, and migrates the controller's Docker base image library/golang and distroless.
- Loading branch information
1 parent
de44ccc
commit 0f08be4
Showing
12 changed files
with
147 additions
and
125 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
bin/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,24 +1,26 @@ | ||
name: Docker | ||
on: | ||
push: | ||
tags: | ||
- 'v*' | ||
- pull_request | ||
- push | ||
jobs: | ||
publish-docker: | ||
docker: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v2 | ||
- uses: nixbuild/nix-quick-install-action@v4 | ||
- run: nix-build ./hack/docker.nix -o docker-amd64 | ||
- run: nix-build ./hack/docker.nix --arg pkgs '(import ./hack/nixpkgs.nix {}).pkgsCross.aarch64-multiplatform' -o docker-arm64 | ||
- run: | | ||
nix run -f ./hack/nixpkgs.nix pkgs.buildah<<EOF | ||
buildah manifest create origin-ca-issuer | ||
buildah manifest add origin-ca-issuer docker-archive:./docker-amd64 | ||
buildah manifest add origin-ca-issuer docker-archive:./docker-arm64 | ||
buildah manifest inspect origin-ca-issuer | ||
buildah manifest push --all --creds ${DOCKER_HUB_USERNAME}:${DOCKER_HUB_TOKEN} -f v2s2 origin-ca-issuer docker://cloudflare/origin-ca-issuer:${GITHUB_REF#refs/tags/} | ||
EOF | ||
env: | ||
DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }} | ||
- uses: actions/checkout@v4 | ||
- uses: docker/setup-qemu-action@v3 | ||
- uses: docker/metadata-action@v5 | ||
id: docker-meta | ||
with: | ||
images: cloudflare/origin-ca-issuer | ||
- uses: docker/setup-buildx-action@v3 | ||
- uses: docker/login-action@v3 | ||
if: ${{ startsWith(github.ref, 'refs/tags/v') }} | ||
with: | ||
username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
password: ${{ secrets.DOCKER_HUB_TOKEN }} | ||
- uses: docker/build-push-action@v5 | ||
with: | ||
file: ./cmd/controller/Dockerfile | ||
platforms: linux/amd64, linux/arm64 | ||
tags: ${{ steps.docker-meta.outputs.tags }} | ||
push: ${{ startsWith(github.ref, 'refs/tags/v') }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
result | ||
result-* | ||
.envrc | ||
/bin/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
.DEFAULT_GOAL := binaries | ||
|
||
KERNEL := $(shell uname -s) | ||
GOTESTSUM := $(shell command -v gotestsum 2> /dev/null) | ||
|
||
DIB ?= docker | ||
IMAGE_ROOT ?= localhost/origin-ca-issuer | ||
IMAGE_VERSION ?= $(shell git log -1 --pretty=format:%cd-%h --date short HEAD) | ||
VERSION := $(shell git describe --tags --always --dirty=-dev) | ||
# Build docker images for the native arch, but allow overriding in the environment for local development | ||
PLATFORM ?= local | ||
|
||
# Bind mount $SSL_CERT_FILE (or default) to build container if the file exists. | ||
SSL_CERT_FILE ?= /etc/ssl/certs/ca-certificates.crt | ||
ifneq (,$(wildcard ${SSL_CERT_FILE})) | ||
SECRETS = --secret id=certificates,src=${SSL_CERT_FILE} | ||
endif | ||
|
||
# When compiling for Linux enable Security's recommend hardening to satisfy `checksec' checks. | ||
# Unfortunately, most of these flags aren't portable to other operating systems. | ||
ifeq (${KERNEL},Linux) | ||
CGO_ENABLED ?= 1 | ||
CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -fstack-protector-all | ||
CFLAGS ?= -O2 -pipe -fno-plt | ||
CXXFLAGS ?= -O2 -pipe -fno-plt | ||
LDFLAGS ?= -Wl,-O1,-sort-common,-as-needed,-z,relro,-z,now | ||
GO_LDFLAGS ?= -linkmode=external | ||
GOFLAGS ?= -buildmode=pie | ||
endif | ||
|
||
GO_LDFLAGS += -w -s -X main.version=${VERSION} | ||
GOFLAGS += -v | ||
|
||
export CGO_ENABLED | ||
export CGO_CPPFLAGS ?= ${CPPFLAGS} | ||
export CGO_CFLAGS ?= ${CFLAGS} | ||
export CGO_CXXFLAGS ?= ${CXXFLAGS} | ||
export CGO_LDFLAGS ?= ${LDFLAGS} | ||
|
||
CMDS := $(shell find cmd -mindepth 1 -maxdepth 1 -type d | awk -F '/' '{ print $$NF }' ) | ||
IMAGES := $(shell find cmd -mindepth 1 -type f -name Dockerfile | awk -F '/' '{ print $$2 }') | ||
|
||
define make-go-target | ||
.PHONY: bin/$1 | ||
bin/$1: | ||
go build ${GOFLAGS} -o $$@ -ldflags "${GO_LDFLAGS}" ./cmd/$1 | ||
endef | ||
|
||
define make-dib-targets | ||
.PHONY: images/$1 | ||
images/$1: | ||
${DIB} buildx build --platform "$(PLATFORM)" ${SECRETS} -f cmd/$1/Dockerfile -t "${IMAGE_ROOT}/$1:${IMAGE_VERSION}" . | ||
|
||
.PHONY: push/images/$1 | ||
push/images/$1: | ||
${DIB} push "${IMAGE_ROOT}/$1:${IMAGE_VERSION}" | ||
endef | ||
|
||
$(foreach element,$(CMDS), $(eval $(call make-go-target,$(element)))) | ||
$(foreach element,$(IMAGES), $(eval $(call make-dib-targets,$(element)))) | ||
|
||
.PHONY: binaries | ||
binaries: $(CMDS:%=bin/%) | ||
|
||
.PHONY: images | ||
images: $(IMAGES:%=images/%) | ||
|
||
.PHONY: push-images | ||
push-images: $(IMAGES:%=push/images/%) | ||
|
||
.PHONY: clean | ||
clean: | ||
rm -rf bin | ||
|
||
.PHONY: test | ||
test: | ||
ifdef GOTESTSUM | ||
"${GOTESTSUM}" -- -count 1 ./... | ||
else | ||
go test -cover -count 1 ./... | ||
endif | ||
|
||
.PHONY: lint | ||
lint: | ||
staticcheck -tags suite ./... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
FROM docker.io/library/golang:1.21.5-bookworm AS builder | ||
WORKDIR /go/src/app | ||
ADD . /go/src/app | ||
|
||
RUN --mount=type=cache,target=/go/pkg/mod \ | ||
--mount=type=cache,target=/root/.cache/go-build \ | ||
--mount=type=secret,id=certificates,target=/etc/ssl/certs/ca-certificates.crt \ | ||
make bin/controller | ||
|
||
|
||
FROM gcr.io/distroless/base-nossl-debian12:nonroot | ||
COPY --from=builder /go/src/app/bin/controller /bin | ||
ENTRYPOINT ["/bin/controller"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.