feat: build operator image with chainguard (#250)

Author: emosbaugh

.github/workflows/deploy-helm-production.yaml

@@ -6,41 +6,47 @@ on:
     - 'v[0-9]+.[0-9]+.[0-9]+\-build\.[0-9]+'
 
 jobs:
-  package-and-publish-operator:
+
+  get-tag:
     runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
     steps:
     - name: Get tag
       id: tag
-      uses: dawidd6/action-get-tag@v1
-      with:
-        strip_v: true
+      run: |
+        TAG=${{ github.ref_name }}
+        echo "tag=${TAG#v}" >> "$GITHUB_OUTPUT"
+
+  package-and-publish-operator:
+    runs-on: ubuntu-latest
+    needs: [get-tag]
+    steps:
     - name: Checkout
       uses: actions/checkout@v4
     - name: Setup Go
       uses: actions/setup-go@v5
       with:
         go-version-file: go.mod
-    - name: Login to registry
-      uses: docker/login-action@v3
-      with:
-        registry: registry.replicated.com
-        username: ${{secrets.KOTS_HELM_USER_PROD}}
-        password: ${{secrets.KOTS_HELM_PASS_PROD}}
-    - name: Docker Image
-      uses: docker/build-push-action@v6
-      with:
-        push: true
-        tags: |
-          registry.replicated.com/library/embedded-cluster-operator-image:${{steps.tag.outputs.tag}}
+    - name: Build melange package
+      run: |
+        export VERSION=${{needs.get-tag.outputs.tag}}
+        make melange
+    - name: Publish apko image
+      run: |
+        export VERSION=${{needs.get-tag.outputs.tag}}
+        export IMAGE=replicated/embedded-cluster-operator-image:${VERSION}
+        make apko-login \
+          REGISTRY=docker.io \
+          USERNAME=${{secrets.DOCKERHUB_USER}} \
+          PASSWORD=${{secrets.DOCKERHUB_PASSWORD}}
+        make apko-publish
+        echo ::notice title=digest::$(cat build/digest)
+
   package-and-publish-helmchart:
     runs-on: 'ubuntu-20.04'
-    needs: package-and-publish-operator
+    needs: [get-tag, package-and-publish-operator]
     steps:
-    - name: Get tag
-      id: tag
-      uses: dawidd6/action-get-tag@v1
-      with:
-        strip_v: true
     - name: Checkout
       uses: actions/checkout@v4
     - name: Install Helm
@@ -53,28 +59,24 @@ jobs:
         HELM_USER: ${{secrets.KOTS_HELM_USER_PROD}}
         HELM_PASS: ${{secrets.KOTS_HELM_PASS_PROD}}
         HELM_REGISTRY: registry.replicated.com
-        CHART_VERSION: ${{steps.tag.outputs.tag}}
+        CHART_VERSION: ${{needs.get-tag.outputs.tag}}
       run: |
-        export OPERATOR_IMAGE_NAME=registry.replicated.com/library/embedded-cluster-operator-image
+        export OPERATOR_IMAGE_NAME=replicated/embedded-cluster-operator-image
         export OPERATOR_IMAGE_TAG=${CHART_VERSION}
         export CHART_REMOTE=oci://registry.replicated.com/library
 
         ../../scripts/publish-helm-chart.sh
 
   releaser:
     runs-on: ubuntu-latest
+    needs: [get-tag, package-and-publish-helmchart]
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-      - name: Build linux-amd64
+      - uses: imjasonh/setup-crane@v0.4
+      - name: Download artifact
         run: |
-          make build
+          mkdir -p bin
+          crane export --platform linux/amd64 docker.io/replicated/embedded-cluster-operator-image:${{needs.get-tag.outputs.tag}} \
+            | tar -Oxf - manager > bin/manager
       - name: Release
         uses: softprops/action-gh-release@v2
         with:

.github/workflows/deploy-helm-staging.yaml

@@ -6,41 +6,47 @@ on:
     - 'v[0-9]+.[0-9]+.[0-9]+\-alpha\.[0-9]+'
 
 jobs:
-  package-and-publish-operator:
+
+  get-tag:
     runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
     steps:
     - name: Get tag
       id: tag
-      uses: dawidd6/action-get-tag@v1
-      with:
-        strip_v: true
+      run: |
+        TAG=${{ github.ref_name }}
+        echo "tag=${TAG#v}" >> "$GITHUB_OUTPUT"
+
+  package-and-publish-operator:
+    runs-on: ubuntu-latest
+    needs: [get-tag]
+    steps:
     - name: Checkout
       uses: actions/checkout@v4
     - name: Setup Go
       uses: actions/setup-go@v5
       with:
         go-version-file: go.mod
-    - name: Login to registry
-      uses: docker/login-action@v3
-      with:
-        registry: registry.staging.replicated.com
-        username: ${{secrets.KOTS_HELM_USER_STAGING}}
-        password: ${{secrets.KOTS_HELM_PASS_STAGING}}
-    - name: Docker Image
-      uses: docker/build-push-action@v6
-      with:
-        push: true
-        tags: |
-          registry.staging.replicated.com/library/embedded-cluster-operator-image:${{steps.tag.outputs.tag}}
+    - name: Build melange package
+      run: |
+        export VERSION=${{needs.get-tag.outputs.tag}}
+        make melange
+    - name: Publish apko image
+      run: |
+        export VERSION=${{needs.get-tag.outputs.tag}}
+        export IMAGE=replicated/embedded-cluster-operator-image-staging:${VERSION}
+        make apko-login \
+          REGISTRY=docker.io \
+          USERNAME=${{secrets.DOCKERHUB_USER}} \
+          PASSWORD=${{secrets.DOCKERHUB_PASSWORD}}
+        make apko-publish
+        echo ::notice title=digest::$(cat build/digest)
+
   package-and-publish-helmchart:
     runs-on: 'ubuntu-20.04'
-    needs: package-and-publish-operator
+    needs: [get-tag, package-and-publish-operator]
     steps:
-    - name: Get tag
-      id: tag
-      uses: dawidd6/action-get-tag@v1
-      with:
-        strip_v: true
     - name: Checkout
       uses: actions/checkout@v4
     - name: Install Helm
@@ -53,9 +59,9 @@ jobs:
         HELM_USER: ${{secrets.KOTS_HELM_USER_STAGING}}
         HELM_PASS: ${{secrets.KOTS_HELM_PASS_STAGING}}
         HELM_REGISTRY: registry.staging.replicated.com
-        CHART_VERSION: ${{steps.tag.outputs.tag}}
+        CHART_VERSION: ${{needs.get-tag.outputs.tag}}
       run: |
-        export OPERATOR_IMAGE_NAME=registry.staging.replicated.com/library/embedded-cluster-operator-image
+        export OPERATOR_IMAGE_NAME=replicated/embedded-cluster-operator-image-staging
         export OPERATOR_IMAGE_TAG=${CHART_VERSION}
         export CHART_REMOTE=oci://registry.staging.replicated.com/library
 

.github/workflows/pull-request.yaml

@@ -1,10 +1,25 @@
 name: Pull request
 on:
 - pull_request
+
 jobs:
-  tests:
-    name: Unit tests
+
+  get-tag:
     runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Get tag
+        id: tag
+        run: echo "tag=$(git rev-parse --short=7 HEAD)" >> "$GITHUB_OUTPUT"
+
+  test:
+    runs-on: ubuntu-latest
+    needs: [get-tag]
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -18,29 +33,48 @@ jobs:
     - name: Unit tests
       run: |
         make test
+
   build:
-    name: Build
     runs-on: ubuntu-latest
+    needs: [get-tag]
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-    - name: Get short commit hash
-      run: echo "SHORT_SHA=$(git rev-parse --short=7 HEAD)" >> $GITHUB_ENV
     - name: Setup Go
       uses: actions/setup-go@v5
       with:
         go-version-file: go.mod
     - name: Build
       run: |
-        make build VERSION=dev-${{ env.SHORT_SHA }}
-    - name: Docker Image
-      uses: docker/build-push-action@v6
+        export VERSION=${{needs.get-tag.outputs.tag}}
+        make build
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: manager
+        path: ./bin/manager
+
+  package-operator:
+    runs-on: ubuntu-latest
+    needs: [get-tag]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Setup Go
+      uses: actions/setup-go@v5
       with:
-        push: true
-        tags: |
-          ttl.sh/embedded-cluster-operator-image:dev-${{ env.SHORT_SHA }}
+        go-version-file: go.mod
+    - name: Build melange package
+      run: |
+        export VERSION=${{needs.get-tag.outputs.tag}}
+        make melange
+    - name: Build apko image
+      run: |
+        export VERSION=${{needs.get-tag.outputs.tag}}
+        export IMAGE=ttl.sh/embedded-cluster-operator-image:dev-${VERSION}
+        make apko-build
+
   check-crds:
-    name: Check CRDs
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
@@ -49,10 +83,10 @@ jobs:
       run: make manifests
     - name: Check CRDs
       run: |
-          git diff --exit-code --name-only
-          if [ $? -eq 0 ]; then
-            echo "CRDs are up to date"
-          else
-            echo "CRDs are out of date"
-            exit 1
-          fi
+        git diff --exit-code --name-only
+        if [ $? -eq 0 ]; then
+          echo "CRDs are up to date"
+        else
+          echo "CRDs are out of date"
+          exit 1
+        fi

.gitignore

@@ -20,6 +20,7 @@
 # Go workspace file
 go.work
 
-bin/
+/bin/
+/build/
 
 *.tgz

Makefile

@@ -113,10 +113,11 @@ test: manifests fmt vet envtest ## Run tests.
 ##@ Build
 
 .PHONY: build
-build: GOOS = linux
-build: GOARCH = amd64
-build: manifests fmt vet ## Build manager binary.
-	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -o bin/manager main.go
+build: ## Build manager binary.
+	go build \
+		-tags osusergo,netgo \
+		-ldflags="-s -w -extldflags=-static" \
+		-o bin/manager main.go
 
 .PHONY: run
 run: manifests fmt vet ## Run a controller from your host.
@@ -299,9 +300,11 @@ catalog-push: ## Push a catalog image.
 
 # Push operator image to ttl.sh
 .PHONY: build-ttl.sh
-build-ttl.sh:
-	docker build --platform linux/amd64 -t ttl.sh/${CURRENT_USER}/embedded-cluster-operator-image:24h .
-	docker push ttl.sh/${CURRENT_USER}/embedded-cluster-operator-image:24h
+build-ttl.sh: export IMAGE = ttl.sh/${CURRENT_USER}/embedded-cluster-operator-image:24h
+build-ttl.sh: export VERSION = $(shell git describe --tags --dirty --always --abbrev=8 | sed 's/^v//')
+build-ttl.sh: export GOOS = linux
+build-ttl.sh: export GOARCH = amd64
+build-ttl.sh: build melange apko-publish
 
 .PHONY: build-chart-ttl.sh
 build-chart-ttl.sh: build-ttl.sh
@@ -311,3 +314,58 @@ build-chart-ttl.sh: export OPERATOR_IMAGE_TAG = 24h
 build-chart-ttl.sh: export CHART_REMOTE = oci://ttl.sh/${CURRENT_USER}
 build-chart-ttl.sh:
 	cd charts/embedded-cluster-operator && ../../scripts/publish-helm-chart.sh
+
+.PHONY: apko-build
+apko-build: export IMAGE ?= ttl.sh/${CURRENT_USER}/embedded-cluster-operator-image:24h
+apko-build: export ARCHS ?= amd64
+apko-build: apko-template
+	docker run -v "${PWD}":/work -w /work/build \
+		cgr.dev/chainguard/apko build apko.yaml ${IMAGE} apko.tar \
+			--arch ${ARCHS}
+
+.PHONY: apko-publish
+apko-publish: export IMAGE ?= ttl.sh/${CURRENT_USER}/embedded-cluster-operator-image:24h
+apko-publish: export ARCHS ?= amd64
+apko-publish: apko-template
+	docker run -v "${PWD}":/work -w /work/build -v "${PWD}"/build/.docker:/root/.docker \
+		cgr.dev/chainguard/apko publish apko.yaml ${IMAGE} \
+			--arch ${ARCHS} | tee build/digest
+
+.PHONY: apko-login
+apko-login: check-env-REGISTRY check-env-USERNAME check-env-PASSWORD
+	docker run -v "${PWD}":/work -v "${PWD}"/build/.docker:/root/.docker -w /work/build \
+		cgr.dev/chainguard/apko login -u "${USERNAME}" \
+			--password "${PASSWORD}" "${REGISTRY}"
+
+.PHONY: melange
+melange: export ARCHS ?= amd64
+melange: melange-template
+	mkdir -p build
+	for f in pkg controllers main.go go.mod go.sum Makefile ; do \
+		rm -rf "build/$$f" && cp -r $$f build/ ; \
+	done
+	docker run --rm -v "${PWD}":/work -w /work/build \
+		cgr.dev/chainguard/melange keygen melange.rsa
+	docker run --privileged --rm -v "${PWD}":/work -w /work \
+		-v "$(shell go env GOMODCACHE)":/go/pkg/mod \
+		cgr.dev/chainguard/melange build build/melange.yaml \
+			--arch ${ARCHS} \
+			--signing-key build/melange.rsa \
+			--cache-dir=/go/pkg/mod \
+			--out-dir build/packages/
+
+.PHONY: melange-template
+melange-template: check-env-VERSION
+	mkdir -p build
+	envsubst '$${VERSION}' < deploy/melange.tmpl.yaml > build/melange.yaml
+
+.PHONY: apko-template
+apko-template: check-env-VERSION
+	mkdir -p build
+	envsubst '$${VERSION}' < deploy/apko.tmpl.yaml > build/apko.yaml
+
+check-env-%:
+	@ if [ "${${*}}" = "" ]; then \
+		echo "Environment variable $* not set"; \
+		exit 1; \
+	fi